The Media Guru

Dec 6, 2007

Yesterday, I was infected with the above virus, but I didn’t know I was infected until Windows Live Messenger tried to send a file to one of my contacts.
Hey i been doing photo album!
Should see em loL! accept please mate :)

[Sending file Photo Album.zip]
Fortunately my contact didn’t accept it...

I knew immediately that WLM had a virus, but I was more baffled by the fact that KIS 7 didn’t detect it at all!?!?!
I immediately turned off WLM & ran a Critical Areas scan…

Virus was found in C:\Windows\photo album.zip
At last KIS 7 found it & deleted it.
But one hour later, KIS 7 (avp.exe) went crazy as my CPU usage shot to 100%!!! It went on for a few minutes until I decided that I had better restart my PC than risk a processor meltdown!
After the restart, I didn’t start up WLM, so the virus didn’t appear at all…

But today, when I started WLM, I got a new contact (igroweeds@msn.com or something like that). I immediately deleted that contact but it reappeared – the virus was still there!!! A few minutes later, KIS 7 (avp.exe) went into battle against explorer.exe (again 100% CPU usage) while my Internet bandwidth was completely taken over & all my downloads stopped. I knew that this wasn’t an ordinary virus – it was using my PC as a zombie or trying to download more viruses from a server.
I restarted my PC, logged onto another Windows installation & searched the Internet for removal instructions. KIS 7 had completely failed me – it had removed the virus but it hadn’t disinfected WLM & other processes. It kept trying (that’s why the 100% CPU usage) but it couldn’t do the job. That’s what happens when you open your bunker windows… (I had disabled Windows Defender, KIS ProActive Defense & lowered the security settings…)

Here’s what I found on the Internet:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=120541

Virus Profile: BackDoor-AZX
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 1/26/2005
Date Added: 4/21/2004
Origin: N/A
Length: Varies
Type: Trojan
SubType: Remote Access
DAT Required: 4298

Virus Characteristics
This is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised machine and the attacker can perform the following actions on this infected machine.
The characteristics of this backdoor with regards to the file names, port number used, etc will differ, depending on the way in which the attacker had configured it. Hence, this is a general description. Upon execution, this backdoor copies itself to
•%Windir%\photo album.zip
and
drops the following file:
•%Windir%\System32\rdihost.dll (BackDoor-AZX.dll)
(%Windir% is the Windows folder; e.g. C:\Windows)
Once completed, the backdoor terminates. The DLL is injected into Windows Explorer (explorer.exe) and other running processes; and continues execution from other processes.
It follows that the DLL component connects to a remote server on TCP port 8080 at the following site(s):
•cc.xerhosts.net
BackDoor-AZX can send these instant messages via MSN as below:
•hey im sending my new photo album, Some bare funny pictures!
•lol my sister wants me to send you this photo album looooook :p
•Hey i been doing photo album!
•Should see em loL! accept please mate :)
•HEY lol i've done a new photo album !:) Second ill find file and send you it
•Hey wanna see my new photo album?
•OMG just accept please its only my photo album!!
•Hey accept my photo album, Nice new pics of me and my friends and stuff and when i was young lol
•Hey just finished new photo album! :) might be a few nudes ;) lol...
•hey you got a photo album? anyways heres my new photo album :) accept k?
•hey man accept my new photo album.. :( made it for yah, been doing picture story of my life lol..
A file attachment is sent together in the MSN instant message named "photo album.zip".

Indications of Infection
•Presence of the files mentioned.
•Presence of the following registry key(s):
o HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{RANDOM_CLASSID}\Inprocserver32 = "rdihost.dll"
o HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rdshost = "{RANDOM_CLASSID}"
•Unexpected network connection to the mentioned site(s) from running processes.

Method of Infection
This is an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised machine and the attacker can perform the following actions on this infected machine. It can propagate by sending MSN instant messages containing a malicious file attachment.

Removal Instructions
All Users:
Use specified engine and DAT files for detection.
Modifications made to the system
Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Aliases
Backdoor.Win32.IRCBot.aaq (Kaspersky), WORM_SDBOT.EEY (Trend)


Don’t be fooled by that “LOW” risk rating… it’s a backdoor, meaning it hands an attacker remote access to your PC & makes it easy for other (HIGH level) viruses to get in! Fortunately, I was able to cut off the Internet connection before the virus could do any more damage!

& it’s not easy to remove it either…
1. Run regedit (by clicking Start -> Run -> Type “regedit”)
2. Expand HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion
3. Select ShellServiceObjectDelayLoad
4. Delete "rdfhost" or "rdihost" or "rdshost"
5. Restart computer
6. Go to your C:\Windows directory. Delete “photo album.zip”
7. Go to your C:\Windows\system32 directory. Delete “rdfhost.dll” or “rdihost.dll” or “rdshost.dll”
8. That’s it! (Don’t forget to turn off System Restore before deleting the files & then turn it back on after deleting.)
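The registry indicators above and the manual steps just listed describe one persistence chain: a value under ShellServiceObjectDelayLoad names a CLSID, that CLSID’s InprocServer32 names the dropped DLL, and explorer.exe loads it at logon. The script below is an added example (it is not from this post, McAfee or any removal tool) that walks that chain over a `reg export` dump taken from the infected installation, so it can be run from the clean Windows the author booted into. The sample export, the second CLSID and the known-good DLL allowlist are constructed for the example; the rd?host.dll name pattern comes from the removal steps.

```python
"""Walk the SSODL persistence chain in a `reg export` dump and flag BackDoor-AZX-style entries.

explorer.exe loads every CLSID listed under ShellServiceObjectDelayLoad at logon, so a
CLSID whose InprocServer32 is the dropped DLL gets the backdoor into Explorer without a
Run key. The scan follows SSODL value -> CLSID -> InprocServer32 -> DLL and checks the DLL.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SSODL_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
             r"\shellserviceobjectdelayload")
CLSID_ROOT = r"hkey_local_machine\software\classes\clsid"

# Assumption (not from the page): DLLs behind the stock Windows XP SSODL entries.
KNOWN_GOOD = {"webcheck.dll", "browseui.dll", "stobject.dll", "shell32.dll"}

# Constructed sample export: one legitimate entry plus an AZX-style entry whose
# CLSID is invented here (the real one is random per infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"rdshost"="{0B0F6B7D-5A3C-4B1E-9D2A-6F1C8E7A5B43}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B0F6B7D-5A3C-4B1E-9D2A-6F1C8E7A5B43}\InprocServer32]
@="rdihost.dll"
"ThreadingModel"="Apartment"
"""


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {key_path_lower: {value_name_lower: data}}; only string (REG_SZ) data is decoded."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


@dataclass
class Finding:
    name: str             # SSODL value name, e.g. rdshost
    clsid: str            # CLSID that value points at
    dll: Optional[str]    # InprocServer32 default value; None if the CLSID key is missing
    reasons: list = field(default_factory=list)


def scan(text: str) -> list:
    """Return one Finding per SSODL entry that fails any check; clean entries are dropped."""
    keys = parse_reg(text)
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        ips = keys.get(CLSID_ROOT + "\\" + clsid.lower() + "\\inprocserver32", {})
        f = Finding(name, clsid, ips.get(""))
        if f.dll is None:
            f.reasons.append("CLSID has no InprocServer32 (dangling SSODL entry)")
        else:
            base = f.dll.rsplit("\\", 1)[-1].lower()
            if re.fullmatch(r"rd[a-z]host\.dll", base):
                f.reasons.append("DLL name matches the BackDoor-AZX pattern rd?host.dll")
            if "\\" not in f.dll:
                f.reasons.append("bare filename: found via the DLL search path, not an absolute path")
            if base not in KNOWN_GOOD:
                f.reasons.append("DLL is not in the known-good allowlist")
        if f.reasons:
            findings.append(f)
    return findings


def remediation_reg(findings: list) -> str:
    """Build a .reg file that deletes the flagged SSODL values and their CLSID keys.

    Import it, reboot so explorer.exe no longer has the DLL loaded, then delete the DLL
    and the photo album.zip in the Windows directory by hand, as in the steps above.
    """
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad]"]
    lines += [f'"{f.name}"=-' for f in findings]  # "name"=- deletes a value on import
    for f in findings:
        lines += ["", f"[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{f.clsid}]"]  # [-key] deletes a key
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in scan(SAMPLE_REG):
        print(f.name, "->", f.clsid, "->", f.dll, "|", "; ".join(f.reasons))
    print(remediation_reg(scan(SAMPLE_REG)))
```

To use it on a real machine, export the two hives from the suspect installation (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ssodl.reg` and `reg export HKLM\SOFTWARE\Classes\CLSID clsid.reg`, then concatenate them) and pass the text to `scan()`. The allowlist check will also flag legitimate third-party SSODL entries, which is intended: anything loaded into Explorer at every logon deserves a look, and a dangling CLSID with no InprocServer32 is usually leftover from a partial clean-up like the one the author describes.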

Finally, that stupid virus has been removed from my system…
Lesson of the day: NEVER let down your defences when you are on the Internet! (& NEVER accept suspicious files from IM friends!)
But the big question is: how did I get that virus? I’m completely sure that I didn’t get it via WLM, so it’s bound to be from some file I downloaded…
Anyway, I’ve learnt my lesson & I’ve just beefed up the security – Windows Defender updated, KIS 7 Proactive Defence enabled, max protection level everywhere, Spybot Immunisation… ;-)

More info:
http://talkback.stomp.com.sg/forums/showthread.php?t=15400
http://www.cisrt.org/enblog/read.php?62
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=120541
http://britishinside.com/archive/2006/10/20/Windows-Live-Messenger-Virus.aspx

PS: I’ve found this remover tool, but I don’t know if it works:
http://yandao.com/2007/08/30/impfix-3-fixing-more-msn-viruses-worms/

Comments
InF said...

Thanks for warning. Some people were actually sending me infected files like those, sometimes with more "tempting" titles. I DL'd only one titled "My new PC" and AVG warned me.

Even WLM is not being spared from viruses. Time to move to Linux again? :P

carrotmadman6 said...

So far I've never received any of these infected files via WLM... (I guess this virus was included in some crack/warez I downloaded)

Linux? Not yet... but it's time to move to a new antivirus (BitDefender!) :P

InF said...

AVG works fine for me, although people say it's not reliable. Else, for payers, there's Nod32 which is excellent (a bit too much sometimes), and Kaspersky. Norton is a no-no due to being a resource hog.

Yashvin said...

lol, I remember getting your virus invitation :P

and warning you, btw, about being infected :P

carrotmadman6 said...

:P
