We just received two variants of an MSN worm from a friend. We have analyzed these two variants; they are similar to the old variant.
The file name of both variants is "imageXX.zip" (XX is random digits, such as image14.zip, image22.zip). The .zip file contains a .com file named "imageXX.JPG-www.photobucket.com" (XX is random digits, such as image14.JPG-www.photobucket.com, image22.JPG-www.photobucket.com).
We will post some details about these two variants:
1. File name: imageXX.zip (imageXX.JPG-www.photobucket.com)
Size: 10,752 bytes
MD5: 8fdb1cc56c2d9a801c843946e0840482
Detection: Backdoor.Win32.IRCBot.ane (Kaspersky)
Details: nvbsvc.exe
2. File name: imageXX.zip (imageXX.JPG-www.photobucket.com)
Size: 10,752 bytes
MD5: fc086c2123ce97006ddf8513ecb171d4
Detection: Backdoor.Win32.IRCBot.anl (Kaspersky)
Details: abgsvc.exe
Last modified by smallmo on October 30, 2007 19:57
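An added example (not part of the original post): a Python check that opens a received .zip and flags members whose name shows an image extension but really ends in an executable extension such as .com, which is the naming scheme described above. It assumes the MD5 values in the post are hashes of the extracted .com file; the sample archive is constructed with harmless bytes.

```python
import hashlib
import io
import re
import zipfile

# MD5 values listed in the post; assumed to be hashes of the extracted .com file.
KNOWN_MD5 = {
    "8fdb1cc56c2d9a801c843946e0840482": "Backdoor.Win32.IRCBot.ane",
    "fc086c2123ce97006ddf8513ecb171d4": "Backdoor.Win32.IRCBot.anl",
}
EXECUTABLE_EXT = {"com", "exe", "scr", "pif", "bat", "cmd"}
# A media-looking extension followed by more text, e.g. "image14.JPG-www.photobucket.com"
DECOY = re.compile(r"\.(jpe?g|gif|png|bmp)[^/\\]*\.([a-z0-9]+)$", re.IGNORECASE)


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            match = DECOY.search(info.filename)
            # The last extension decides how Windows treats the file, not the ".JPG".
            disguised = bool(match) and match.group(2).lower() in EXECUTABLE_EXT
            digest = hashlib.md5(zf.read(info), usedforsecurity=False).hexdigest()
            if disguised or digest in KNOWN_MD5:
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "md5": digest,
                    "disguised_executable": disguised,
                    "known_variant": KNOWN_MD5.get(digest),
                })
    return findings


def build_sample() -> bytes:
    """Constructed test archive: harmless bytes under the naming scheme from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image14.JPG-www.photobucket.com", b"MZ constructed placeholder")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample()):
        print(finding)
```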
cloony Says :
November 22, 2007 07:28
Hey trubbleguy, your so-called link is a zip file.
Why?
I need help. My problem is I have a newer virus that came out like a week ago; it sends a message to all my contacts and changes the message every day or so.
Ching Says :
November 13, 2007 19:04
IS MCRSVC.EXE NORMAL?
Look at this: http://www.cisrt.org/enblog/read.php?196
smallmo replied on November 14, 2007 20:05
Gavin Says :
November 13, 2007 12:58
I couldn't find the registry file nvbsvc.exe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run but I found it in HKEY_USERS\S-1-5-21-4218495192-3426919847-2803549229-1006\Software\Microsoft\Search Assistant\ACMru\5603. Should I delete this file?
I wrote a remover for most of the variants of the MSN worm; its link is at
http://www.trubbleguy.com/msnwormremover.zip
After running it, reboot. Your friends will soon tell you if it was removed. It doesn't remove the trojan files in system32 but removes the links in the registry that run them. I figure that antivirus progs will soon catch up and remove them properly later.
ANY Says :
November 6, 2007 18:00
Help please, I got the stupid worm, got files deleted from the registry, zip file deleted from the MSN download folder, also from the temp folder in docs & settings.
BUT I still see the file in System32. Can only see it in DOS mode, file is abgsvc.exe, size 10752. Still in DOS mode I type del abgsvc.exe but I get File Not Found!!
How can I get rid of it???
nickgzzjr Says :
November 4, 2007 04:38
Ok I deleted it from the registry files and the system 32, and everything seems to be back to normal.
nickgzzjr Says :
November 4, 2007 04:18
Hello, today I was infected with this worm; this was because my little brother opened "photo.zip", which contained "foto_073.jpeg-www.myspace.com".
The only problem is that I didn't find anything in the registry file. The only thing I found that was out of the ordinary was a file named "fydrzldzq" and it's located in the system32 folder. Should I delete this???
Jes Says :
November 3, 2007 15:01
For those of you that can't find this in windows/system32, go into command and from there go into the folder, then type dir /AH to see it. I couldn't see it from Explorer even though it had display hidden files activated...
the dude Says :
November 2, 2007 01:50
Thanks for this information, I was able to delete all the necessary files.
the dude Says :
November 2, 2007 01:49
Also note, the zip file needs to be deleted from the My Received Files folder used by MSN.
nik Says :
October 31, 2007 22:47
How do you delete this? I don't understand the codes. Can you simplify for me? Thanks!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Application Layer Browser"="abgsvc.exe"
1. click on "start"
2. click on "run"
3. type "regedit" in "run" box
smallmo replied on November 1, 2007 10:29
Si Says :
October 30, 2007 22:33
The only file I can find which is similar is called nvsvc32.exe in the system 32?
But I can't find anything in the temporary? I did delete the file from my received as soon as I received it? Would that automatically remove these two files?
Please help.
Thanks, SI