Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/11/2007
Date Added: 8/11/2007
Origin: N/A
Length: 41,984 bytes
Type: Virus
SubType: Internet Worm
DAT Required: 5096
Virus Characteristics
-- Update August 12, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
This variant of W32/Checkout may be detected as W32/Generic.Delphi.a in earlier versions of the DAT.
This worm spreads via MSN Messenger. When installed, it sends one of the following messages to the contacts on the infected user's contact list, followed by a zip file named img1756.zip (~42 KB):
* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the fuck, did you see this?
* hey man, did you take this picture?
Upon execution, it creates a copy of itself in the Windows folder and also drops a zip file:
* %WINDIR%\img1756.zip (W32/Checkout zipped)
* %WINDIR%\svchost.exe (W32/Checkout)
(Where %WINDIR% is the Windows folder, e.g. C:\Windows. Note that the legitimate svchost.exe resides in %WINDIR%\System32; a file of that name directly in %WINDIR% is itself suspicious.)
It also drops a batch file named a.bat that stops the following services. The batch file is deleted after execution.
* Security Center
* winvnc4
Adds the following value to the registry so that the dropped copy runs at logon:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"
The worm connects to an IRC channel on {blocked}.basecase.info.
Indications of Infection
* Presence of the files/registry keys mentioned
* Unexpected network connection to the associated site(s).
* MSN contacts receiving one of the messages listed above with the zip attachment.
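The following host check is an added example and is not McAfee/AVERT tooling. It looks for exactly the indicators listed above: the two dropped files in %WINDIR%, the "Microsoft Genuine Logon" Run value (and, more generally, any Run entry that starts an svchost.exe from outside System32), and a stopped Security Center or winvnc4 service. The indicator values come from this description; the Windows collection side (winreg, sc.exe query and its "STATE : 4 RUNNING" output format) and the sample host state at the bottom are assumptions, and the sample is constructed, not captured from a real machine. The IRC connection to basecase.info is not covered here and should be checked on the network side.

```python
"""Host checks for the W32/Checkout indicators listed in this description.

Added example, not McAfee/AVERT tooling. The file names, registry value and
service names come from the description above; what is assumed is the
Windows collection side (winreg, `sc.exe query` and its "STATE : 4 RUNNING"
output format) and the sample data at the bottom, which is constructed.
"""
import os
import re
import subprocess
import sys

# Indicators taken from the description above.
DROPPED_FILES = ("img1756.zip", "svchost.exe")  # dropped into %WINDIR% itself
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft Genuine Logon"
STOPPED_SERVICES = {"wscsvc": "Security Center", "winvnc4": "winvnc4"}


def check_files(windir_listing):
    """windir_listing: {lower-case file name: size in bytes} for the top level
    of %WINDIR%. The real svchost.exe lives in %WINDIR%\\System32, so a copy
    directly in %WINDIR% is a finding on its own; the zip name is unique."""
    return [f"%WINDIR%\\{name} present ({size} bytes)"
            for name, size in windir_listing.items() if name in DROPPED_FILES]


def check_run_values(run_values):
    """run_values: {value name: data} read from HKLM\\...\\Run.
    Flags the exact value name the worm writes, and any entry that starts an
    svchost.exe from outside System32. A pathless name such as "svchost.exe"
    is resolved through the loader search path, not pinned to System32."""
    findings = []
    for name, data in run_values.items():
        exe = data.strip().strip('"').lower()
        parts = re.split(r"[\\/]", exe)[-1].split()  # last path element, no args
        leaf = parts[0] if parts else ""
        if name == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} = {data!r} (W32/Checkout persistence)")
        elif leaf == "svchost.exe" and "system32" not in exe:
            findings.append(f"Run value {name!r} starts svchost.exe from outside System32")
    return findings


def check_services(service_states):
    """service_states: {service name: state}, e.g. {"wscsvc": "STOPPED"}; names
    absent from the dict (winvnc4 is rarely installed) are skipped."""
    return [f"service {label} ({svc}) is {service_states[svc]}"
            for svc, label in STOPPED_SERVICES.items()
            if svc in service_states and service_states[svc].upper() != "RUNNING"]


def assess(windir_listing, run_values, service_states):
    """Returns (verdict, findings). The dropped files and the Run value are
    specific to this worm; a stopped Security Center alone is only a hint."""
    file_hits = check_files(windir_listing)
    run_hits = check_run_values(run_values)
    svc_hits = check_services(service_states)
    if file_hits or run_hits:
        verdict = "infected"
    elif svc_hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, file_hits + run_hits + svc_hits


def collect_windows():
    """Live collection on a Windows host (assumed APIs: winreg, sc.exe query)."""
    import winreg  # Windows-only module, imported lazily on purpose
    windir = os.environ.get("WINDIR", r"C:\Windows")
    listing = {e.name.lower(): e.stat().st_size
               for e in os.scandir(windir) if e.is_file()}
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            run_values[name] = str(data)
    states = {}
    for svc in STOPPED_SERVICES:
        out = subprocess.run(["sc.exe", "query", svc], capture_output=True,
                             text=True).stdout
        m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", out)
        if m:  # no match means the service is not installed (normal for winvnc4)
            states[svc] = m.group(1)
    return listing, run_values, states


# Constructed sample of an infected host's state (not real captured data).
SAMPLE_WINDIR = {"explorer.exe": 1033728, "img1756.zip": 41984,
                 "svchost.exe": 41984, "notepad.exe": 69120}
SAMPLE_RUN = {"Microsoft Genuine Logon": "svchost.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_SERVICES = {"wscsvc": "STOPPED"}

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    state = collect_windows() if live else (SAMPLE_WINDIR, SAMPLE_RUN, SAMPLE_SERVICES)
    verdict, findings = assess(*state)
    print(verdict)
    for line in findings:
        print(" -", line)
```

Run without arguments on any platform to see the checks applied to the constructed sample; run with --live from an elevated prompt on a Windows host to read the real %WINDIR% listing, the HKLM Run key and the service states. The checks are kept pure so the same logic can be applied to a disk image or a registry hive exported from another machine.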
Method of Infection
This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file (W32/Checkout).
Removal Instructions
AVERT recommends always running the latest DAT files and engine; with that combination this threat is detected and cleaned.
Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142934