
Bot on the loose — careful with images

We continue to see lots of triggers from files whose names resemble image files. Be very careful with these sorts of files; here is an example filename that is causing problems in the wild (ITW, that is, on users' systems):
PHOTO3.JPEG-WWW.IMGUPLOAD.COM.
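As an added illustration (my code, not the post's or PC Tools'), here is a small Python triage that encodes what makes the filename above look wrong: an image extension sitting in the middle of the name while the real, final extension is one Windows will run (.COM here), plus a web address stuffed into the name. A second check compares the file's leading bytes with the image type the name claims, so a renamed executable is caught even behind an honest-looking name. The extension lists and magic-byte signatures are my own choices, and the sample file contents are constructed.

```python
import re

# Added example (not the post's code): heuristics for spotting files that pose as images.
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}
# Extensions Windows treats as directly executable; .COM is what the sample name above ends in.
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd"}
# Well-known leading byte signatures for the image formats above.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}
PE_MAGIC = b"MZ"  # DOS/PE executable header


def name_tokens(filename):
    """Lowercase alphanumeric tokens of the base name, e.g.
    'PHOTO3.JPEG-WWW.IMGUPLOAD.COM' -> ['photo3', 'jpeg', 'www', 'imgupload', 'com']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return [t for t in re.split(r"[^a-z0-9]+", base) if t]


def suspicious_image_name(filename):
    """Reasons a filename looks like a disguised image; [] when nothing stands out."""
    tokens = name_tokens(filename)
    if len(tokens) < 2:
        return []
    stem, final_ext = tokens[:-1], tokens[-1]
    reasons = []
    buried = [t for t in stem if t in IMAGE_EXTS]
    if buried and final_ext in EXECUTABLE_EXTS:
        reasons.append(f"image extension .{buried[0]} in name but real extension .{final_ext} is executable")
    elif buried and final_ext not in IMAGE_EXTS:
        reasons.append(f"image extension .{buried[0]} buried in name; real extension is .{final_ext}")
    if {"www", "http", "https"} & set(stem):
        reasons.append("filename embeds a web address")
    return reasons


def content_matches_extension(filename, data):
    """True/False whether the leading bytes match the claimed image type; None when the
    final extension is not an image extension at all."""
    tokens = name_tokens(filename)
    ext = tokens[-1] if tokens else ""
    if ext not in IMAGE_MAGIC:
        return None
    return any(data.startswith(sig) for sig in IMAGE_MAGIC[ext])


def is_executable_content(data):
    """True when the bytes start with a DOS/PE header, whatever the name claims."""
    return data.startswith(PE_MAGIC)


def triage(filename, data):
    """Combine name and content checks into one list of reasons (empty means nothing suspicious)."""
    reasons = suspicious_image_name(filename)
    if is_executable_content(data):
        reasons.append("content is a DOS/PE executable")
    elif content_matches_extension(filename, data) is False:
        reasons.append("content does not match the claimed image type")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the first name is the one from the post; all byte blobs are synthetic.
    samples = [
        ("PHOTO3.JPEG-WWW.IMGUPLOAD.COM", b"MZ\x90\x00" + b"\x00" * 60),
        ("holiday.jpg.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("cat.png", b"MZ\x90\x00"),  # PE bytes behind an honest-looking name
    ]
    for name, blob in samples:
        verdict = triage(name, blob)
        print(f"{name:32s} {'SUSPICIOUS' if verdict else 'ok':10s} {'; '.join(verdict)}")
```

The name check alone is a heuristic (a legitimate "www_screenshot.png" would also trip the web-address rule), which is why the content check is kept separate: an "MZ" header on something called a picture is a much firmer signal than any pattern in the name.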

It’s nice to see the AV vendors catching up with this worm:

File PUSHBHOST.EXE received on 11.21.2007 03:26:30 (CET)

Antivirus          Version        Last Update  Result (- = not detected)
AhnLab-V3          2007.11.21.0   2007.11.20   -
AntiVir            7.6.0.34       2007.11.20   TR/Drop.IRC.TKB.15
Authentium         4.93.8         2007.11.21   -
Avast              4.7.1074.0     2007.11.20   Win32:Delf-GNA
AVG                7.5.0.503      2007.11.20   IRC/BackDoor.SdBot3.VOF
BitDefender        7.2            2007.11.21   Trojan.Dropper.IRC.TKB
CAT-QuickHeal      9.00           2007.11.20   Backdoor.SdBot.cib
ClamAV             0.91.2         2007.11.21   -
DrWeb              4.44.0.09170   2007.11.20   -
eSafe              7.0.15.0       2007.11.14   -
eTrust-Vet         31.3.5312      2007.11.20   Win32/Pushbot.AT
Ewido              4.0            2007.11.20   -
FileAdvisor        1              2007.11.21   -
Fortinet           3.14.0.0       2007.11.21   W32/SDBot.CIB!tr.bdr
F-Prot             4.4.2.54       2007.11.21   W32/Sdbot.AEEP
F-Secure           6.70.13030.0   2007.11.21   Backdoor.Win32.SdBot.cib
Ikarus             T3.1.1.12      2007.11.21   Backdoor.Win32.Agent.LA
Kaspersky          7.0.0.125      2007.11.21   Backdoor.Win32.SdBot.cib
McAfee             5167           2007.11.20   -
Microsoft          1.3007         2007.11.21   VirTool:Win32/DelfInject.gen!D
NOD32v2            2674           2007.11.21   Win32/IRCBot.AAU
Norman             5.80.02        2007.11.20   W32/Malware.BGLP
Panda              9.0.0.4        2007.11.21   W32/MSNWorm.BB.worm
Prevx1             V2             2007.11.21   MSNLive-Image:Worm-a
Rising             20.19.11.00    2007.11.21   -
Sophos             4.23.0         2007.11.21   -
Sunbelt            2.2.907.0      2007.11.21   -
Symantec           10             2007.11.21   -
TheHacker          6.2.9.135      2007.11.20   Backdoor/SdBot.cib
VBA32              3.12.2.5       2007.11.20   -
VirusBuster        4.3.26:9       2007.11.20   -
Webwasher-Gateway  6.0.1          2007.11.21   Trojan.Drop.IRC.TKB.15

Additional information
File size: 63488 bytes
MD5: 1dc5b5977ea11bc63a57c6c464021f3b
SHA1: fd86ab861f8e40943b4e4615d1fc581ae35c404f

You can always scan your files prior to opening them at our ThreatExpert site.

Btw, ThreatFire will identify some variants as Worm.MsnBot, and it will prevent the outbound internet connection activity, the file copy activity, and the remote thread injection performed by this family.

Quarantine what you think are images acting in bizarre ways on your system.

This entry was posted in Online Fraud.