summer2008.zip

We just received a new worm, spreading via MSN, from a friend. The file name is “summer2008.zip”, and the zip file contains a .scr file, “summer2008.scr”. This worm can also send out different messages in multiple languages, and this time it adds messages written in Chinese pronunciation (romanized rather than in Chinese characters). Kaspersky detects it as Backdoor.Win32.IRCBot.acd (old name: IRC-Worm.Win32.Agent.a).

This worm sends out the following messages:

English version:

Look how wasted Paris Hilton is, after she got jailed :(
You and Me !!! …. look :p
Look at my photos hihi :p
Hey please accept my photos :o !!
A photo with me and my best friend :$ !!
This is me totaly naked :o please dont send to anyone else
Look what i found on the NET :o
Jessica Alba NUDE !!

Chinese version:

kAN BA LI XI ER DUN JIN JIANYU HOU SHI DUO ME QIAOCUI :(
NI HE WO !!! …. QING KAN :p
KAN WO DE ZHAOPIAN :p
JIESHOU WO DE ZHAO PIAN :o !!
YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN :$ !!
KAN WO DE ZHAOPIAN :p
ZHE SHI WO DE LUOZHAO :o QING BU YAO FA GEI BIEREN !!

Other versions:

bak sana Paris Hilton ne hale gelmis hapiste :(
Sen ve Ben !!! …. BAK :p
Baksana benim fotograflara hihi :p
Hey benim fotolarimi kabul et :o !!
Iyi arkadasimla fotorafdayim :$ !!
benim bu ciplak fotoda :o ama baskasina yollama
bak ne buldum :o Jessica alba ciplak !!

Regarde comment Paris Hilton parait efondr?apr qu’elle ai ?jeter en prison :(
Toi et moi !!! …. regarde :p
Regarde mes photos :p
Hey s’il te plait accepte mes photos :o !!
Une photo de moi et mon meilleur ami :$ !!
C’est moi totalement nu :o
s’il te plait ne l’envoie a personne d’autre
Regarde ce que j’ai trouv?sur le net :o Jessica Alba NU !!

Kijk hoe erg Paris Hilton er aan toe is na gevangenschap :(
Jij en Ik !!!! …. kijk :p
Kijk eens naar mijn fotos hihi :p
HEY !! accepteer mn fotos dan !
met mijn beste vriend op de foto !! :$
Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
Kijk wat ik gevonden heb :o Jessica Alba naakt !!

guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist :(
du und ich !!! ….guck :p
siehe meine fotos hihi :p
hey bitte nimm meine fotos an :o !!
ein foto mit meinem besten freund und mir :$ !!
das bin ich total nackt :o bitte sende es niemand anderem
guck was ich im internet gefunden habe :o jessica Alba NACKT !!

Guarda come Paris Hilton sprecato ? dopo che era imprijonata :(
Tu ed io !!! …. guarda :p
Guardi le mie foto hihi :p
Mairee photos accept karo :o !!
Una foto con me ed il mio amico migliore :$ !!
Questa e me totaly nudo :o prego non trasmette a chiunque
Osservi che cosa ho trovato sul internet :o Jessica alba NUDA !!

Veja como Paris Hilton est?acabada depois de ter sido presa :(
Voc?e eu !!!! …. Veja :p
Veja as minhas fotos hehehe :p
Por favor aceite as minhas fotos :o !!
Uma foto com o meu melhor amigo e eu :$ !!
Esta sou eu totalmente nua :o por favor nmande isso pra ningu
Olha o que eu achei na NET :o Jessica Alba NUA !!

Kolla hur fstd Paris Hilton, efter att hon fgslades :(
Du och jag !! …. Kolla ;)
Kolla p?min bilder, hihi :p
Hey, acceptera mina bilder, snla :o
En bild p?mig och min bta v :$ !!!
Detta jag HELT naken.. :o Skicka inte till non annan, snla…
Kolla vad jag hittade p?net :o Jessica Alba NAKEN !!

Mira co Paris Hilton es perdida despu de ser encarcelada :(
Usted e yo !!! …. Mira :p
Mira mis fotos jejeje :p
Ha aceptado mis fotos por favor :o !!
Una foto con mi mejor amigo e yo :$ !!
Esta soy yo totalmente desnuda :o
por favor no env para nadie Mira lo que encontr?en la WEB :o Jessica Alba DESNUDA !!

Lede hvor spild Paris Hilton er efter hun fik fgsel :(
Jer og Mig !!! … se :p
Se p?min fotos :p
Hej behage optage min foto :o !!
EN foto hos mig og min bedst ven :$ !!
denne er mig hele bar behage vage vendlig og sende den ikk til nogle :o
Lede hvad jeg fandt oven p?den net :o Jessica Alba bar !!

Upon execution, this worm drops a file with a random name in the %WINDOWS% directory, using one of the following patterns:

images0XX.zip
photos0XX.zip
albumXX.zip
photoXX.zip
pictures0XX.zip
pictureXX.zip

(XX is a run of random digits, for example album39.zip or images091.zip.)

The size is 120,832 bytes, it is packed with NTKrnl, and the MD5 hash is e1d1e9e2b1882f2c99c6a131341dea21.

How to remove this worm:

Step 1.
Click “Start” -> “Run” and type “REGEDIT” to open the registry editor.

Step 2.
Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
and delete “printers”=“{CLSID}” in the right panel
(please copy the {CLSID} before deleting it).

Step 3.
Go to
HKEY_CLASSES_ROOT\CLSID

and delete the {CLSID} key copied in Step 2.

Step 4.
Restart your computer

Step 5.
Delete the following files:
%System%\notiffy.dll
%System%\printers.exe
%userprofile%\new.txt
%Windows%\{string1}{random number}.zip (file size:119KB)

{string1} is one of the following:
images0
photos0
album
photo
pictures0
picture

For example:
images047.zip (images047.scr)
photo92.zip (photo92.scr)
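The naming scheme above can be turned into a quick triage scan of a directory such as %Windows%. The following Python sketch is an added example, not code from the original post: the function names are hypothetical, the sample files it builds are constructed placeholders, and because the post does not say which file the MD5 covers, the hash is compared against both the archive and its .scr member.

```python
import hashlib, re, tempfile, zipfile
from pathlib import Path

# Name patterns and MD5 as listed on this page.
DROP_NAME = re.compile(r"(images0|photos0|album|photo|pictures0|picture)(\d+)\.zip", re.I)
PAGE_MD5 = "e1d1e9e2b1882f2c99c6a131341dea21"

def inspect_archive(path):
    """Return a finding dict for a zip whose name fits the pattern, else None."""
    path = Path(path)
    if not DROP_NAME.fullmatch(path.name):
        return None
    finding = {"path": str(path), "scr_member": None, "md5_match": False}
    # Assumption: the page does not say which file the MD5 covers, so check both.
    finding["md5_match"] = hashlib.md5(path.read_bytes()).hexdigest() == PAGE_MD5
    try:
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                # The page's examples pair images047.zip with images047.scr.
                if info.filename.lower() == path.stem.lower() + ".scr":
                    finding["scr_member"] = info.filename
                    if hashlib.md5(zf.read(info)).hexdigest() == PAGE_MD5:
                        finding["md5_match"] = True
    except zipfile.BadZipFile:
        finding["error"] = "not a readable zip"
    return finding

def scan(directory):
    """Check every regular file directly inside directory (no recursion)."""
    files = sorted(p for p in Path(directory).iterdir() if p.is_file())
    return [f for f in map(inspect_archive, files) if f]

def build_constructed_sample(directory):
    """Write harmless, constructed test files; contents are placeholder bytes."""
    d = Path(directory)
    for name, member in [("album39.zip", "album39.scr"), ("images091.zip", "readme.txt"),
                         ("holiday12.zip", "holiday12.scr")]:
        with zipfile.ZipFile(d / name, "w") as zf:
            zf.writestr(member, b"constructed placeholder")
    (d / "photo92.zip").write_bytes(b"not a zip")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for hit in scan(tmp):
            print(hit)
```

A name match alone is only a lead, since ordinary photo archives can use the same names; a same-named .scr member or an MD5 match is the stronger signal.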

Alias:

W32.Mubla.B [Symantec]