Antiy Ghostbusters completely detects and cleans MSN Worm (Sexy Chicken)
20050203 9:30 3rd update
Antiy Cert
Antiy Cert captured an MSN worm on February 3rd, 2005 and named it IM-Worm.Win32.Webcam.a. The number of infected hosts is increasing rapidly and the spreading trend is clearly visible.

  1. Basic features:
    Name: IM-Worm.Win32.Webcam.a
    Original size: 188,928 bytes
    Packer: PESpin
    Compiler: Microsoft Visual Basic 6.0
    Once running, the worm floods the victim's MSN Messenger contacts with messages and sends them a copy of itself. The transmitted copy carries a random file name with an extension such as .SCR, .EXE or .PIF, for example:
    LMAO.pif
    LOL.scr
    naked_drunk.pif
    hot.pif
    underware.pif
  2. Behavioral analysis
  1. After running, the worm drops a file named CZ.EXE into the root directory of drive C and copies it to %system% as winhost.exe. It sets the copy's attributes to hidden, read-only and system, and changes its creation time to match the system files so that it blends in and misleads the user. CZ.EXE is not a simple copy of IM-Worm.Win32.Webcam.a; it is a variant of the IRCBot family.
  2. The worm writes a randomly named copy of itself into the root directory of drive C with an extension such as .PIF or .SCR; this copy is what it sends to MSN contacts.
    At the same time it creates msnus.exe in %system%, also a copy of itself, and executes that copy.
  3. The worm adds itself to the registry startup entries so that it is loaded again whenever the system restarts:
    Software\Microsoft\Windows\CurrentVersion\Run
    key name: win32
    key value: winhost.exe

    Software\Microsoft\Windows\CurrentVersion\RunServices
    key name: win32
    key value: winhost.exe

    Software\Microsoft\OLE
    key name: win32
    key value: winhost.exe
  4. The worm drops a picture file named Sexy.jpg into the root directory of drive C and launches the associated viewer to open it; the result is shown in the picture:
    http://antiy.com/resource/cert/alarm/1.jpg

  5. It sets the system master volume to 0; we judge the purpose is to keep the user from noticing when MSN receives the worm's messages.
  6. It monitors the MSN window, sends the messages and propagates itself to the contact list.

Cz.exe, the file the worm drops, is essentially an IRC backdoor. After execution it copies itself to %system%\winhost.exe, executes the copy, and then repeatedly connects to freeupdate.homeip.net on port 8080.

Virus name: IM-Worm.Win32.Webcam.a (sexy chicken)
Original size: 124,416 bytes
Packer: PESpin
Compiler: Microsoft Visual C++
3. Solution
Remove the worm manually according to the behavioral analysis above: terminate the processes listed there, delete the dropped files and restore the registry entries.
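The manual procedure above, written out as a report-only PowerShell check with an optional cleanup switch. This is an added example, not Antiy's tool and not code from the advisory. It assumes (the advisory does not say) that the win32 startup values may sit under either HKLM or HKCU, that any .pif/.scr file in the root of the system drive is one of the worm's randomly named copies, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later; on older systems substitute netstat -ano). Run it from an elevated prompt; nothing is changed unless -Remove is given.

```powershell
<#
  Added example (not part of the Antiy advisory): checks a host for the
  IM-Worm.Win32.Webcam.a / Cz.exe indicators listed above and, with -Remove,
  performs the manual cleanup the advisory describes (stop processes, delete
  dropped files, remove the registry autostart values).
  Assumptions (mine): hive of the startup values is HKLM or HKCU; any .pif/.scr
  in the drive root is a worm copy; Get-NetTCPConnection exists on this host.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports
)

$system = [Environment]::GetFolderPath('System')   # %system%, e.g. C:\Windows\System32
$root   = [IO.Path]::GetPathRoot($system)           # the "root directory of C disc"

# Indicators taken from the advisory's behavioural analysis.
$dropped = @(
    (Join-Path $system 'winhost.exe'),
    (Join-Path $system 'msnus.exe'),
    (Join-Path $root 'CZ.EXE'),
    (Join-Path $root 'Sexy.jpg')
)
$procNames = @('winhost', 'msnus')
$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\OLE'
)
$valueName = 'win32'
$c2Host = 'freeupdate.homeip.net'
$c2Port = 8080

$findings = New-Object System.Collections.Generic.List[string]

# 1. Running processes named after the dropped files (stop them before deleting).
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $findings.Add("process $($p.ProcessName) pid $($p.Id)")
    if ($Remove -and $PSCmdlet.ShouldProcess("pid $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Registry autostart values: a value named 'win32' pointing at winhost.exe.
#    The advisory gives only the key path, so both hives are checked (assumption).
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($key in $runKeys) {
        $path = Join-Path $hive $key
        $val = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($val -and $val -match 'winhost\.exe') {
            $findings.Add("registry $path\$valueName = $val")
            if ($Remove -and $PSCmdlet.ShouldProcess("$path\$valueName", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $path -Name $valueName
            }
        }
    }
}

# 3. Dropped files. The copies carry hidden+system+read-only attributes, so
#    listing needs -Force and the attributes must be cleared before deletion.
#    Any .pif/.scr in the drive root is treated as a worm copy (assumption).
$rootCopies = Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.pif', '.scr' }
$candidates = @($dropped | Where-Object { Test-Path -LiteralPath $_ }) +
              @($rootCopies | ForEach-Object FullName)
foreach ($f in $candidates) {
    $item = Get-Item -LiteralPath $f -Force
    $findings.Add("file $f ($($item.Length) bytes, attrs $($item.Attributes))")
    if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
        $item.Attributes = 'Normal'
        Remove-Item -LiteralPath $f -Force
    }
}

# 4. Live connection to the IRC backdoor's server on port 8080. The name is
#    resolved at run time so it can be matched against remote addresses.
$c2Addrs = @()
try {
    $c2Addrs = [System.Net.Dns]::GetHostAddresses($c2Host) | ForEach-Object { $_.IPAddressToString }
} catch { }
Get-NetTCPConnection -RemotePort $c2Port -ErrorAction SilentlyContinue |
    Where-Object { $c2Addrs -contains $_.RemoteAddress } |
    ForEach-Object { $findings.Add("connection pid $($_.OwningProcess) -> $($_.RemoteAddress):$c2Port ($c2Host)") }

if ($findings.Count -eq 0) { 'no indicators found' } else { $findings }
```

Because the script is declared with SupportsShouldProcess, `-Remove -WhatIf` prints every action it would take without performing it, which is the safer first run on a live host. The process step runs before the file step on purpose: a running winhost.exe holds its image open and the delete would fail, and the backdoor could otherwise recreate the registry values after they are removed.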

Users of Antiy Ghostbusters should update the virus database at once; the updated product removes the MSN worm completely.

Free download of Antiy Labs' special removal tool for popular worms:
http://www.antiy.com/resource/freetolls/avlpk.exe
Trial edition of Antiy Ghostbusters:
http://www.antiy.net/download/agb4p.exe

Antiy Ghostbusters:
Antiy Ghostbusters (AGB) is an advanced information security utility consisting of an anti-hacker tool and an information security configuration toolkit. AGB detects and removes Trojans, backdoors and worms that may hide in the system like ghosts, damage it and steal confidential information. AGB bundles many useful tools, and the toolkit helps manage the security configuration of the system.

About Antiy Labs:
Antiy Information Technology Co., Ltd (Antiy Labs) is a comprehensive research enterprise whose main fields are information technology and network security. Antiy actively explores advanced areas such as anti-virus and information watermarking, and has developed many products on its own core technology, including Antiy Ghostbusters, the AV Leach SDK anti-virus engine and VDS. As a technology provider, Antiy regards technology as its guide and innovation as its soul, and works untiringly behind the scenes. In recent years Antiy has supplied technologies and products to domestic and international security vendors, key systems and universities as a technology and resource supplier.

Nice work, Jane.

Hi Jane,

Good piece; the worm is also known as Bropia. This is the pic below…

polonus

Man what a Coooool Chick—en Brazilian Wax and all - well plucked 8)

Great advice, Jane, thanks.