Hello,
I have been working with several customer PCs that got infected by clicking on MSN bot links.
The malware installs itself to c:\windows with the name rndll.exe.
As soon as rndll.exe runs it will check for G:\ (USB stick) and, if present, it will install an autorun.inf script and download a virus to it.
Avast does not report rndll.exe as malware/virus.
Avast recognizes the virus itself as VBS:Malware-gen but cannot delete it because rndll.exe keeps replacing it.
Detailed info:
rndll.exe logs in to MSN accounts and sends a message to all contacts:
"check your pictures haha http://www-photos***.com/photo.php?=xxxxx@hotmail.com" (address is edited to prevent accidents)
After the victim clicks the link, rndll.exe is downloaded to c:\windows. It is hidden as a system file, so you have to enable viewing system files in Explorer.
rndll.exe adds the following reg keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
@=""
"Firevall Administrating"="rndll.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Firevall Administrating]
"key"="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"item"="rndll"
"hkey"="HKLM"
"command"="rndll.exe"
"inimapping"="0"
The address http://www-photos***.com/photo.php?=xxxxx@hotmail.com points to 68.180.151.76.
Detailed info about 68.180.151.76:
The IP is recorded for escrow fraud:
http://escrow-fraud.com/search.php?&all=&dir=desc&start=50&sf=i
http://escrow-fraud.com/index.php?page=gallery&layout=99
Other sites hosted on this IP:
http://onsamehost.com/68.180.151.76/
The IP is listed as malware by the malwareurl.com team:
http://www.malwareurl.com/listing.php?domain=designaccents.biz
siteadvisor.com notes about the IP:
http://www.siteadvisor.com/sites/webbanker-cua-au.com/postid/?p=2464957
I do have the complete virus in a RAR file including the reg keys
(rndll.exe, autorun.inf, –¼‡‘Š•†‘Í€ŒŽ)
I can upload it if requested by an Avast representative.
Greets
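The indicators in the post above (the Run-key value "Firevall Administrating", the hidden rndll.exe in the Windows directory, and the autorun.inf dropped on removable media) can be triaged on a suspect machine with a read-only PowerShell check. The script below is an added example written for this page; it is not the poster's code or anything from Avast. The registry paths, value name and file name are taken from the post; the choice to inspect every removable drive rather than only G:\ (DriveType=2), the SHA-256 hashing and the autorun.inf keyword filter are this example's own assumptions. It needs PowerShell 4.0 or later for Get-FileHash and should be run from an elevated prompt.

```powershell
# Added example (not from the original post): read-only triage of the indicators
# described above. Run from an elevated PowerShell prompt on a suspected host.
# Registry paths, value name and file name come from the post; everything else is assumed.

$RegPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Firevall Administrating'
)
$ValueName = 'Firevall Administrating'
$FileName  = 'rndll.exe'
$Findings  = @()

# 1. Run-key persistence: look for the value name or any value whose data names the dropper.
foreach ($path in $RegPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-ItemProperty -Path $path
    foreach ($prop in $key.PSObject.Properties) {
        if ($prop.Name -eq $ValueName -or ("$($prop.Value)" -match [regex]::Escape($FileName))) {
            $Findings += [pscustomobject]@{ Type = 'Registry'; Where = "$path\$($prop.Name)"; Detail = $prop.Value }
        }
    }
}

# 2. The dropper is a hidden system file, so use -Force (plain Get-ChildItem would skip it).
$candidate = Join-Path $env:windir $FileName
if (Test-Path -LiteralPath $candidate) {
    $item = Get-Item -LiteralPath $candidate -Force
    $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
    $Findings += [pscustomobject]@{ Type = 'File'; Where = $candidate; Detail = "attrs=$($item.Attributes) sha256=$hash" }
}

# 3. autorun.inf on every removable drive (assumption: generalises the post's G:\ to all DriveType=2 volumes).
#    Only the lines that launch something are reported, so the finding shows what the file would run.
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2'
foreach ($drive in $removable) {
    $inf = Join-Path $drive.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text   = Get-Content -LiteralPath $inf -Raw
        $launch = ($text -split "`r?`n" | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\)' }) -join '; '
        $Findings += [pscustomobject]@{ Type = 'Autorun'; Where = $inf; Detail = $launch }
    }
}

# 4. A resident rndll.exe process is what keeps re-dropping the VBS file the post mentions.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object {
    $Findings += [pscustomobject]@{ Type = 'Process'; Where = "PID $($_.Id)"; Detail = $_.Path }
}

if ($Findings.Count -eq 0) {
    'No indicators from the post were found.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

The script only reports; it deletes nothing. Because the post notes that rndll.exe keeps replacing the VBS file the scanner removes, the practical cleanup order is to stop the resident process first, then remove the Run-key value and the file, and only then clean the USB stick, otherwise the autorun.inf and the dropped file are simply recreated. Hashing the sample before removal gives you a value to submit to the vendor together with the RAR the poster offers.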