We just received a new variant of MSN worm. It's similar to the earlier variant.
The filename is "imageXX.zip" (XX is random digits, such as image09.zip). The .zip file contains a .com file, "imageXX.JPG-www.photobucket.com" (XX is random digits, such as image09.JPG-www.photobucket.com).
If anyone receives it, don't run it please.
Details:
Filename: imageXX.zip (imageXX.JPG-www.photobucket.com)
Size: 10,752 bytes
MD5 hash: 0e404cb8b010273ef085afe9c90e8de1
Detection: Backdoor.Win32.IRCBot.akr (Kaspersky)
Details:
(1) Drops the following files.
%system%\rpmsvc.exe (Read-only, System, Hidden attributes)
%temp%\imageXX.zip (XX is random digits, e.g. "image09.zip")
(2) Adds the following registry keys.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Terminal Service" = "rpmsvc.exe "
(3) Sends out the messages.
This picture isnt you... right?
newest pics for ya :)
hey did i ever show you this picture of me?
is it ok if I add this pic to my new slideshow?
can i up some of these pics of ya to my myspace profile?
Wow i think i found your pic on myspace!
hah I think I found an old pic of us!
haha lets hope your parents dont see this picture of you :D
you care if i put this pictuer of you in my new album?
OMFG!!!!!!!! :D
wow! look at this old picture i found
sorry about the messup i fixed the pic! Try it one more time pz
is this pic tooo sexy for photobucket??
wow I just dyed my hair... You will never believe the color it is now. lol And dont laugh
my crazy sister wants u to see these pics for some reason... take a look
Can i put this pic of you into my new myspace album?
Take a look at the new pics already! :p
I cant believe they wanted me to upload this picture to facebook lol. Its terrible. Like my outfit tho?
Lmfao hey im sending my new pictures! Check em out!
I've been editing some pics you should def see em lol!
dude i just got these pictures off my digital for you! Gimme a moment to find em and send
Wanna see my pics before i send em to facebook?
do you think this picture is too kinky for Myspace?
Hey accept my pictures, i got a bunch from when i was like a toddler :X
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Hey just finished new myspace album! :) theres a few kinky ones in there!
OMG, i found ur pic on cuteornot.com! Check it out
hey you got a myspace album? anyways heres my new myspace album :) accept k?
do I look dumb in this picture? I want to put it on myspace.
hey man accept my pics. :( i just edited it to look maad funny..
Dude i found your picture on hotornot.com! Take a look!
How to remove?
STEP 1
Delete registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Terminal Service" = "rpmsvc.exe "
STEP 2
Restart Windows
STEP 3
Delete virus files:
%System%\rpmsvc.exe (Read-only, System, Hidden attributes)
%temp%\imageXX.zip
Update 8:23 p.m. Oct. 29, 2007:
Added two variants: nvbsvc.exe & abgsvc.exe
Last modified by smallmo on October 29, 2007 21:30
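The lure works because the final extension of "imageXX.JPG-www.photobucket.com" is .com, an executable type, not an image. The following check for that pattern inside a received .zip is an added example, not part of the original post; the two-digit reading of "XX", the extension list and the sample archive are assumptions made here.

```python
import hashlib
import io
import re
import zipfile

# Extensions Windows executes directly; ".com" is what the lure relies on.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Image extension appearing somewhere before the real (final) extension.
IMAGE_HINT = re.compile(r"\.(jpe?g|gif|png|bmp)\b", re.IGNORECASE)
# Naming scheme from the post; XX is assumed to be exactly two digits.
LURE_NAME = re.compile(r"^image\d{2}\.JPG-www\.photobucket\.com$", re.IGNORECASE)
# MD5 published in the post (which file it covers is not stated there).
KNOWN_MD5 = "0e404cb8b010273ef085afe9c90e8de1"


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]
            stem, dot, ext = name.rpartition(".")
            ext = (dot + ext).lower() if dot else ""
            reasons = []
            if ext in EXECUTABLE_EXTS and IMAGE_HINT.search(stem):
                reasons.append("image name with executable final extension")
            if LURE_NAME.match(name):
                reasons.append("matches imageXX.JPG-www.photobucket.com scheme")
            if hashlib.md5(zf.read(info)).hexdigest() == KNOWN_MD5:
                reasons.append("MD5 matches published hash")
            if reasons:
                findings.append({"member": name, "ext": ext, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed test archive: harmless text payloads, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image09.JPG-www.photobucket.com", b"constructed placeholder")
        zf.writestr("holiday.jpg", b"constructed placeholder")
        zf.writestr("notes/www.example.com.txt", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample()):
        print(f["member"], f["ext"], "; ".join(f["reasons"]))
```

The archive is only read, never extracted or executed, so the check can run on a received file before anyone opens it.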
I have a CRISISS!!!!!
I went to the registry thingy, I got as far as "Run." But then I couldn't find rpmsvc.exe?? I just deleted them all and restarted! (Not the brightest thing to do - but oh well.)
What's all this %system% stuff? Could someone like explain it in baby terms for me? :}
It would be soooooooooo much appreciated xxxxxxxxxxx
:)
I have picked up something from msn messenger and now my msn messenger is doing the same.
I just read through all these comments but have no idea where to start to get rid of this virus.
Is this the right site to find something like this?
Thanx in advance for any help getting rid of this annoying virus.
Cheers Andy
damo Says :
June 13, 2008 16:03
how do i get rid of this stupid thing?
RIch Says :
April 1, 2008 21:24
To get into the registry, just go Start > Run > Regedit
crazychick Says :
March 29, 2008 01:26
I need step by step help badly, I got this stupid worm/virus or whatever it is from msn. It keeps on disabling my anti virus software and my pc is mega mega slow, I have no clue where to look or how to get rid of it, please someone help a damsel in utter distress
wattamess Says :
March 5, 2008 12:51
Can someone please help me? I'm a PC dummy and I need to get rid of a virus that I picked up from a friend's PC. The thing is, I first need to find the registry key. What the hell is that and how do I get rid of this thing?
urac Says :
February 9, 2008 06:15
@Wyverness:
Go to http://www.msnvirusremoval.com. In the downloads section you will find MSN Photo Virus Remover; download that and run it. If you still have problems, then download and run MSN Virus Info Gatherer. Remember to enter your email address into MVIG so that you get an email letting you know that an update is available.
Hi,
My daughter received a file yesterday and I am trying to get rid of this file. I have no idea how to find the registry entry to delete it!
Please someone help me. I have warned everyone on my list, so that I am not spreading this while I am trying to get rid of it.
anonymous Says :
February 3, 2008 15:58
Hi, I got this virus but I need step by step instructions to deleting registry entries (no idea where to begin) and anything that may cause a problem.
Hey, I got something similar and I live in Holland, but this one has given me trojan horses and also isn't going by the name imageXX.zip but facebookpictures or something.
I've done all the steps but can't remove the pos....temp files because some programs are using them according to my windows version.
Please help me out.
I'm desperate and I really need help.
Thanks
sonic_champ Says :
November 14, 2007 07:31
I think I have deleted the registry key, it was zu.exe. The file on system32 fitted the exact date and time but I can't delete the file. HELP!!!!!!!
sonic_champ Says :
November 14, 2007 06:50
Hi, I can't seem to find the registry key for any of the variations but I do have the virus, can u help
er nvm thx for the help, I found the file and deleted it ..... just to inform you that there is a new variant of the virus and the name is mdesvc.exe
Hello, Xdemon. We posted a new article about this variant: http://www.cisrt.org/enblog/read.php?191
smallmo replied on November 8, 2007 13:04