  #1 (permalink)  
Old 10-25-2007, 07:21 AM
Philip
Please BE CAREFUL about opening attachments in WLM

As reported in this thread, the photo album.zip worm is still making its rounds through Windows Live Messenger. If you receive a file attachment in your WLM purportedly from a contact, and especially if it contains images, DO NOT open it immediately. Instead, call or email the contact first. This is how photo album.zip "worms" its way through the internet. If you have any doubts, then don't open the file! And pass this info to anyone else who uses your computer.

This worm is also very smart. When I received the images.zip file from a contact, I didn't accept the transfer. After a while, another message popped up in my chat window: "OMG just accept please its only some pics!!" I refused and closed the window. You have been warned.

Additional info here at Sophos, but I'll repeat it here:

Quote:
W32/IRCBot-VR is an IM worm for the Windows platform.

W32/IRCBot-VR attempts to spread via MSN, and may send the following itself as "photo album.zip" to open chat windows with one or more of the following messages:

"Lmfao hey im sending my new photo album, Some bare funny pictures!"
"lol my sister wants me to send you this photo album"
"Hey i been doing photo album! Should see em loL! accept please mate "
"HEY lol i've done a new photo album ! Second ill find file and send you it."
"Hey wanna see my new photo album?"
"looooooooooooooooooooooooooooooooooooooo!! "
"OMG just accept please its only my photo album!!"
"Hey accept my photo album, Nice new pics of me and my friend's and stuff and when i was young lol..."
"Hey just finished new photo album! might be a few nudes lol..."
"hey you got a photo album? anyways heres my new photo album accept k?"
"hey man accept my new photo album.. made it for yah, been doing picture story of my life lol.."

W32/IRCBot-VR has functionality to:
- connect to IRC
- setup a backdoor for remote access
- download remote code
- steal passwords

Last edited by Philip : 10-25-2007 at 08:35 AM. Reason: Additional info from Sophos
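
The pattern described in the post above (an unrequested archive offer, a lure line, then a nag when the transfer is not accepted) can be checked for in a conversation record. This is an added example, not part of the original post or the Sophos description; the event tuple format, function names and sample timestamps are assumptions made for illustration.

```python
import re

# File names reported in this thread; variants rename the archive, so any
# .zip offer is recorded and the known names are only labelled differently.
KNOWN_NAMES = {"photo album.zip", "images.zip"}
# Fragments of the lure lines quoted above, in normalised form.
LURE_FRAGMENTS = ("photo album", "accept please", "just accept", "only some pics")

def normalise(text):
    """Lower-case, collapse stretched letters (loool -> lol), drop punctuation."""
    text = re.sub(r"(.)\1{2,}", r"\1", text.lower())
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text).split())

def review_conversation(events, nag_window=300):
    """events: (seconds, kind, value) tuples, kind in {'msg', 'offer', 'declined'}."""
    findings, declined_at = [], None
    for when, kind, value in events:
        if kind == "offer" and value.lower().endswith(".zip"):
            known = value.lower() in KNOWN_NAMES
            findings.append(("known worm file name: " if known else "archive offer: ") + value)
        elif kind == "declined":
            declined_at = when
        elif kind == "msg" and any(f in normalise(value) for f in LURE_FRAGMENTS):
            nag = declined_at is not None and when - declined_at <= nag_window
            findings.append(("nag after declined transfer: " if nag else "lure text: ") + value)
    return findings

def is_suspicious(findings):
    """An archive offer plus lure or nag text is the pattern described above."""
    offer = any(f.startswith(("archive offer", "known worm file name")) for f in findings)
    lure = any(f.startswith(("lure text", "nag after")) for f in findings)
    return offer and lure

# Constructed sample: timestamps and event kinds are assumptions, the message
# text and file name are the ones quoted in the post.
SAMPLE_CONVERSATION = [
    (0, "msg", "Hey wanna see my new photo album?"),
    (5, "offer", "images.zip"),
    (40, "declined", "images.zip"),
    (95, "msg", "OMG just accept please its only some pics!!"),
]

if __name__ == "__main__":
    for finding in review_conversation(SAMPLE_CONVERSATION):
        print(finding)
```

A match is a reason to confirm with the contact through another channel, as the post advises; the phrase list is a heuristic and ordinary conversations can contain the same words.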
  #2 (permalink)  
Old 10-25-2007, 08:10 AM
patndoris
If you have an add-on program, with the option to "auto-accept requests", I'd go check and make sure your settings don't leave you vulnerable!

I don't use the feature, but Plus! has it. However, they do give the options to "auto-accept every request", "auto-accept file transfers only" or "auto-accept everything but files." It's probably better with this kind of worm, not to auto-accept anything, but certainly you don't want to have accepting files automatically enabled.

Just thought it might be worth a mention. I'm sure other add-ons out there offer similar options, and it's up to the individual user to decide what features they want or don't. Be smart and protect yourself - err on the side of caution!!

-Doris-
  #3 (permalink)  
Old 10-25-2007, 08:29 AM
Philip
Hey thanks for reminding me of that auto-request thing, Doris! In Messenger Plus! Live, it's in the Conversations tab > Main. Make doubly sure that Automatically accept requests by default is NOT checked.
  #4 (permalink)  
Old 10-25-2007, 06:38 PM
detn8r
I'm having issues downloading that antivirus suggested. I tried twice, both times it was corrupted.

Either way, my current (but outdated) Symantec (finally) detected the virus. It told me it couldn't delete it, but gave the location of it.

Check here:

C:\Documents and Settings\(**user**)\Local Settings\Temporary Internet Files\Content.IE5\EXCNALST

You can just flush the folder, or look for any .exe's specifically. The one I found was called s4p[1].exe.

W32.Spybot.Worm - Symantec.com

It is in changing we find purpose
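
The manual check in the post above (looking through the Temporary Internet Files cache for executables) can be scripted. This is an added example, not code from the thread or from any antivirus vendor; it goes beyond the post by testing each file's header for the Windows executable format rather than trusting the `.exe` extension, and the function names are assumptions.

```python
import hashlib
import os
import struct
import sys

def looks_like_pe(path):
    """True if the file starts with an MZ header that points at a PE signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            # Offset 0x3C of the DOS header holds the position of the PE header.
            (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False  # locked or unreadable cache entries are skipped

def sha256_of(path):
    """Hash the file in chunks so large cache entries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_cached_executables(cache_root):
    """Walk every cache subfolder and return (path, sha256) for each PE file,
    whatever extension it carries."""
    hits = []
    for folder, _dirs, files in os.walk(cache_root):
        for name in files:
            path = os.path.join(folder, name)
            if looks_like_pe(path):
                hits.append((path, sha256_of(path)))
    return sorted(hits)

if __name__ == "__main__":
    # Pass the cache folder, e.g. the Content.IE5 directory named in the post.
    for path, digest in find_cached_executables(sys.argv[1]):
        print(digest, path)
```

The hashes let you compare what was found against your antivirus vendor's write-up before flushing the folder.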
  #5 (permalink)  
Old 11-13-2007, 01:29 PM
rcweb
Thanks, I read about that before.
  #6 (permalink)  
Old 11-18-2007, 09:03 PM
Philip
Another MSN/WLM Trojan spreading

As reported here in eweek, there is yet another trojan spreading via MSN/WLM purportedly sending users pictures from their other contacts. As has been said before, be VERY CAREFUL about opening pictures and other attachments in your WLM. If you have the slightest doubt, DON'T.

Make it a point to always update your antivirus and antispyware scanners, and do periodic scans of your systems. Let's be safe out there.
  #7 (permalink)  
Old 11-24-2007, 03:09 PM
detn8r
It was suggested to me to try an antivirus called NOD32. I didn't have any issues downloading, or installing it. Plus it actually found 8 variants of that virus/worm on my computer.

Just one piece of advice -- if you have any other antivirus installed REMOVE it before installing this one! You have no idea the hell I went through with that little mistake!

It is in changing we find purpose
  #8 (permalink)  
Old 11-24-2007, 03:30 PM
VvWolverinevV
Does this virus infect your computer without you even opening the archive? This is painfully reminiscent of Microsoft's other failure: Internet Explorer 6.

  #9 (permalink)  
Old 11-24-2007, 08:40 PM
Philip
Graham, nice to know you've rid yourself of that virus. And NOD32 is supposed to be a very good AV too (pity it's not free, but maybe it's worth the money).