http://tusfbfotos.com, http://twittersphoto.com – spread an IRC bot!

A new virus, spread through Yahoo Messenger, sends you a link to http://tusfbfotos.com (/image.php) or http://twittersphoto.com/image.php. If you click it, it downloads an “image” that is in fact an executable (IM56245.JPG-www.myspace.com.exe), which will infect your computer with this IRC bot. At this moment it is known to only 4 antivirus products: Kaspersky, Sophos, Comodo and Prevx.

I have Kaspersky 6 and it did not identify the trojan, even when manually fed; only Kaspersky 7 does. If anyone knows what Kaspersky 7 is, please let me know.

To get rid of this, sign out of Yahoo Messenger to stop the spread, download and install Malwarebytes from malwarebytes.org or any major download site, run it and allow it to clean everything it finds.

A registry key and an executable file were infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firewall administrating (Backdoor.IRCBot) -> Quarantined and deleted successfully.

C:\Users\Public\infocard.exe (Backdoor.IRCBot) -> Delete on reboot.

As infocard.exe was running, I preferred to kill the thread and then manually delete the infected file, piece of cake.
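To check afterwards that nothing similar is still set to start at logon, the Run keys can be listed and each target inspected. The script below is an added example, not part of the original post or of Malwarebytes; the list of user-writable directories and the helper name `Get-TargetPath` are assumptions made for illustration.

```powershell
# Added example: list Run-key autostart entries and show, for each target,
# whether it sits in a user-writable directory, its signature status and hash.
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Assumption: locations any user can write to. Legitimate per-user software
# also starts from some of these, so a hit means "look closer", not "infected".
$writableDirs = @($env:PUBLIC, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ }

function Get-TargetPath([string]$Command) {
    # A Run value is a command line: a quoted path, or a bare path plus arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.(exe|com|scr|bat|cmd|pif))(\s|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if (-not $command.Trim()) { continue }      # skip empty values
        $path = Get-TargetPath $command
        $inWritable = [bool]($writableDirs | Where-Object {
            $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            Key         = $key
            Name        = $name
            Path        = $path
            UserWritableDir = $inWritable
            Signature   = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else { 'FileMissing' }
            SHA256      = if ($exists) {
                (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            } else { $null }
        }
    }
}
# Entries in user-writable directories are listed first.
$findings | Sort-Object UserWritableDir -Descending | Format-List
```

An entry like the one above, pointing at an unsigned executable under C:\Users\Public, would appear at the top with `UserWritableDir : True` and a signature status of `NotSigned`.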

Trying to access either of these 2 sites now shows a Yahoo error:

“Sorry, Service Temporarily Unavailable.

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Additionally, a 410 Gone error was encountered while trying to use an ErrorDocument to handle the request.”

Either someone got the idea of what is spreading from these sites, or they reached their traffic limit and were suspended automatically.

The point is that, even though it is really new, this IRC bot is gone for now.
