W32/Checkout!68249FC8

This page shows details and results of our analysis of the malware W32/Checkout!68249FC8

Overview

This detection is for a worm which is capable of spreading through MSN.


Minimum DAT

5124 (2007-09-20)

Updated DAT

5124 (2007-09-20)

Minimum Engine

5.1.00

File Length

Varies

Description Added

2007-09-21

Description Modified

2007-09-21

Malware Proliferation

Characteristics

This worm spreads via MSN Messenger. Once installed, it sends one or more of the messages below to the contacts on the victim's contact list, together with a malicious zip file named img-[random number].zip.

The worm checks the infected system's language settings and sends the instant message in the corresponding language, with the zip attachment.

English:

  • Here are my private pictures for you
  • Here are my very secret pictures for you.
  • Here are my pictures from my vacation
  • hmm is this you on the photo ?
  • Check out my pics from my workplace.
  • Nice new photos of me and my friends and stuff...
  • ahh look this is my greatest picture made on vacation 2007, take a look
  • Check out my nice photo album. :D
  • My friend took nice photos of me.you Should see em loL!
  • its only my photos!
  • Nice new photos of me!! :p
  • Check out my sexy boobs :D


French:

  • hey regarde les tof de notre bande de fous. :p
  • hey c'est toi dans ces tof!!???
  • hey regarde les tof, c'est moi et mes copains entrain de.... :D
  • j'ai fais pour toi cet album de photos tu dois le voire :p
  • stp regarde cet album de photos je lai fais specialement pour toi et mes amis...
  • mes photos chaudes :D
  • t'as pas encore vu ces tof???

Dutch:

  • hey bekijk eens mijn nieuwe foto album
  • hey kijk eens naar mijn nieuwe foto alb
  • hmm ben jij dit op de foto ?
  • hey kijk ! dit is een lijst van mijn nieuwste fotos !!
  • ahh kijk mijn mooiste foto album van vakantie 2007 bekijk ze eens :p
  • kijk dit zijn fotos van mij werkplek! :)


German:

  • meine heißen Fotos ! :p

Italian:

  • le mie foto calde :p

Spanish:

  • mis fotos calientes
  • mi fotografía
  • Mi amigo tomó
  • las fotos agradables de mí
  • el lol mi hermana quisiera que le enviara este
  • álbum de foto


Upon execution, the worm copies itself into the Windows System folder and drops zipped copies of itself into the Windows folder:

    • %WINDIR%\img4840.zip (W32/Checkout zipped)
    • %WINDIR%\img5938.zip (W32/Checkout zipped)
    • %WINDIR%\System\explorer.exe (W32/Checkout)

    (Where %WINDIR% is the Windows folder, e.g. C:\Windows.)

Note that the dropped file is placed in the legacy %WINDIR%\System folder and borrows the name of the real Windows shell, which lives in %WINDIR% itself.

Adds the following values to the registry, the first for persistence and the second to authorize the dropped file through the Windows Firewall:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Explorer Key" = "explorer.exe"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  = C:\WINDOWS\system\explorer.exe:*:Enabled:Windows Sharing


The worm connects to an IRC channel on the vnc[removed].com domain.
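The indicators above (the zipped drops, the explorer.exe copy in %WINDIR%\System, the Run value, the firewall exception and the img-NNN.zip attachment name) are enough to write a small triage script. The Python below is an added example, not McAfee tooling or part of this description: the check_* functions work on data that has already been collected, so they run on any OS, and collect_and_report() is the Windows-only collector. Indicator values are taken from this page; the function names, the SAMPLE data used in testing, and the use of CurrentControlSet for the firewall key (the description writes "ControlSet") are assumptions.

```python
"""Host and message triage for the W32/Checkout indicators listed above.

Added example, not McAfee tooling: the check_* functions operate on data that
has already been collected, so they run on any OS; collect_and_report() is the
Windows-only collector (winreg).  Indicator values come from this description;
function names and sample data are assumed for illustration.
"""
import ntpath  # Windows path semantics even when the checks run on Linux
import os
import re

# Value the worm adds under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
RUN_VALUE_NAME = "Windows Explorer Key"
# Windows Firewall AuthorizedApplications\List data format: "<path>:*:Enabled:<name>".
FIREWALL_ENTRY_RE = re.compile(r"^(?P<path>.+?):\*:(?P<state>Enabled|Disabled):(?P<name>.*)$", re.I)
# Attachment / drop names: img-[random number].zip in messages, img4840.zip on disk.
ZIP_NAME_RE = re.compile(r"^img-?\d+\.zip$", re.I)
# A few of the English lures from the list above, whitespace- and case-normalised.
LURES = {
    "here are my private pictures for you",
    "check out my nice photo album. :d",
    "my friend took nice photos of me.you should see em lol!",
}


def check_run_values(run_values, windir=r"C:\WINDOWS"):
    """run_values: {value_name: value_data} read from the HKLM Run key."""
    findings = []
    legit = ntpath.join(windir, "explorer.exe").lower()
    for name, data in run_values.items():
        exe = data.strip().strip('"').lower()
        if name == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} = {data!r} (W32/Checkout persistence)")
        elif ntpath.basename(exe) == "explorer.exe" and exe != legit:
            # The real shell is started through Winlogon, not the Run key, and
            # lives directly in %WINDIR%; any other explorer.exe here is suspect.
            findings.append(f"Run value {name!r} starts a non-standard explorer.exe: {data!r}")
    return findings


def check_firewall_list(entries, windir=r"C:\WINDOWS"):
    """entries: value data strings from StandardProfile\\AuthorizedApplications\\List."""
    findings = []
    system_dir = ntpath.join(windir, "system").lower() + "\\"  # legacy System, not System32
    for entry in entries:
        m = FIREWALL_ENTRY_RE.match(entry)
        if not m:
            continue
        path = m.group("path").lower()
        if path.startswith(system_dir) or ntpath.basename(path) == "explorer.exe":
            findings.append(f"Firewall exception {m.group('name')!r} ({m.group('state')}) for {m.group('path')!r}")
    return findings


def check_dropped_files(windir_files, system_files):
    """File names listed in %WINDIR% and in %WINDIR%\\System respectively."""
    findings = [f"zipped copy in %WINDIR%: {f}" for f in windir_files if ZIP_NAME_RE.match(f)]
    if any(f.lower() == "explorer.exe" for f in system_files):
        findings.append(r"%WINDIR%\System\explorer.exe present (Explorer does not belong there)")
    return findings


def is_checkout_lure(text, attachment=None):
    """True if an IM looks like one of the worm's lures: known text or an img-NNN.zip attachment."""
    normalised = " ".join(text.lower().split())
    return normalised in LURES or bool(attachment and ZIP_NAME_RE.match(attachment))


def _read_values(hive, subkey):
    """Return {name: str(data)} for every value under a registry key (Windows only)."""
    import winreg
    values, i = {}, 0
    with winreg.OpenKey(hive, subkey) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return values
            values[name] = str(data)
            i += 1


def collect_and_report(windir=None):
    """Windows-only: gather the live registry and directory data and run every check."""
    import winreg
    windir = windir or os.environ.get("WINDIR", r"C:\WINDOWS")
    run_values = _read_values(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    # The description writes "ControlSet"; CurrentControlSet is assumed here.
    fw_key = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
              r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
    try:
        fw_entries = list(_read_values(winreg.HKEY_LOCAL_MACHINE, fw_key).values())
    except OSError:
        fw_entries = []  # key absent, e.g. firewall never configured
    system_dir = ntpath.join(windir, "System")
    findings = (check_run_values(run_values, windir)
                + check_firewall_list(fw_entries, windir)
                + check_dropped_files(os.listdir(windir),
                                      os.listdir(system_dir) if os.path.isdir(system_dir) else []))
    for finding in findings:
        print("[!]", finding)
    return findings


if __name__ == "__main__":
    collect_and_report()
```

The Run-key check deliberately flags any value that starts an explorer.exe other than %WINDIR%\explorer.exe, not just the literal "Windows Explorer Key" name, since the shell is normally started by Winlogon rather than from the Run key; the firewall check likewise flags any authorized application under the legacy System folder, which catches renamed variants of the same trick.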

Symptoms

• Presence of the files/registry keys mentioned.
• Unexpected network connection to the associated site(s).
• MSN contacts receiving one of the messages with a zip attachment.

Method of Infection

This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants