84.99.215.18 (talk) No edit summary
Revision as of 00:25, 30 July 2007
Backdoor.Win32.IRCBot is a worm/backdoor that spreads through MSN and Windows Live Messenger when a user downloads photo album.zip sent by a contact. It can be recognised because the sender says one of the following:
- Lmfao hey im sending my new photo album, Some bare funny pictures!
- lol my sister wants me to send you this photo album
- Hey i been doing photo album! Should see em loL! accept please mate :)
- HEY lol i've done a new photo album !:) Second ill find file and send you it.
- Hey wanna see my new photo album?
- looooooooooooooooooooooooooooooooooooooo!! :p
- OMG just accept please its only my photo album!!
- Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol...
- Hey just finished new photo album! :) might be a few nudes ;) lol...
- hey you got a photo album? anyways heres my new photo album :) accept k?
- hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..
Inside the archive is a .pif file called photo album2007 or photos-webcam2007. It connects you to one of the following IRC channels:
- darkjester.xplosionirc.net
- cc.xerhosts.net
- free8.bis:8080
- john.free4people.net:80
It then posts a message, IMStart, which is an invitation to connect to the victim's computer. Once connected, the attacker can send the worm to more people and control the victim's PC. However, there is a flaw: as MSN Messenger does not allow you to send whole files, instead of spreading, the victim will get a lot of dialogue boxes saying: "you cannot send a folder, please send one file at a time." Therefore the worm can only spread from a machine running Windows Live Messenger.
Removal
Go to the Start menu, then Run, and type regedit.exe. When the system registry opens, go to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad], delete the rdihost, rdshost or rdfhost entry, and restart your computer. Then search in %windows% for photo album.zip and delete it. Next, search in %system% for rdshost.dll and delete it if you have it. Search in %system% again for rdfhost.dll and rdihost.dll. Once you have done that, restart your computer. The worm should now be gone.
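Before deleting anything by hand, the indicators named in the removal steps can be checked in one pass. The PowerShell script below is an added example, not part of the original article; it only reports and removes nothing. Resolving each registry value to the DLL behind its CLSID goes beyond the steps above and assumes the value data is a CLSID string, as is usual for ShellServiceObjectDelayLoad entries.

```powershell
# Report-only check for the indicators listed in the Removal section.
# Nothing is deleted; review the output before removing anything by hand.

$ssodlKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$valueNames = 'rdihost', 'rdshost', 'rdfhost'              # value names from the article
$dllNames   = 'rdshost.dll', 'rdfhost.dll', 'rdihost.dll'  # file names from the article
$systemDir  = [Environment]::SystemDirectory               # %system%
$windowsDir = $env:windir                                  # %windows%

$findings = @()

# 1. Registry: each value under this key names a CLSID that Explorer loads at logon.
if (Test-Path $ssodlKey) {
    $key = Get-Item $ssodlKey
    foreach ($name in $valueNames) {
        if ($key.GetValueNames() -contains $name) {
            $clsid  = $key.GetValue($name)
            # Assumption: the value data is a CLSID; look up the DLL registered for it.
            $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $target = if (Test-Path $inproc) { (Get-Item $inproc).GetValue('') }
                      else { '<CLSID not registered>' }
            $findings += [pscustomobject]@{ Type = 'Registry'; Item = $name; Detail = "$clsid -> $target" }
        }
    }
}

# 2. Files: the three DLL names in the system directory (hidden files included).
foreach ($dllName in $dllNames) {
    $path = Join-Path $systemDir $dllName
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = "modified $($file.LastWriteTime)" }
    }
}

# 3. Files: the dropped archive anywhere under the Windows directory.
Get-ChildItem -LiteralPath $windowsDir -Filter 'photo album.zip' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = "modified $($_.LastWriteTime)" }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the article were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the recursive search can read protected folders under the Windows directory.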