i2c
February 17th, 2005, 12:42 PM
just had a few people get infected with what I think is a new MSN worm with the file name "handcuffs.pif"
Apparently It shows a picture of a girl wearing handcuffs (raahhh...), and then transmitts its link to all people on your MSN messenger contact list.
Ive got the file, disasm'ed it and with my limited knowledge of ASM, ive been able to see that it makes calls to the RPC libary, its written by a german I think or a german speaker, becuase the function is called ficken - which me "**** u/ screw u...(u get the idea)" in german.
The image is displayed with GDI, which isnt surprising..
I think there might be some form of encryption or something funny going on, becuase the PE head is all messed up - although is a pif file a PE? im not sure would be gratefully if someone could tell me.
it looks new becuase last night google only indexed 2 sites talking about "handcuffs.pif" and then this morning theres 118 listed,
Damn, I wanna mess with this thing more! but ive gotta go and sit in a lecture and listern to 2hrs worth of CMOS theory - great :(
i2c
Apparently It shows a picture of a girl wearing handcuffs (raahhh...), and then transmitts its link to all people on your MSN messenger contact list.
Ive got the file, disasm'ed it and with my limited knowledge of ASM, ive been able to see that it makes calls to the RPC libary, its written by a german I think or a german speaker, becuase the function is called ficken - which me "**** u/ screw u...(u get the idea)" in german.
The image is displayed with GDI, which isnt surprising..
I think there might be some form of encryption or something funny going on, becuase the PE head is all messed up - although is a pif file a PE? im not sure would be gratefully if someone could tell me.
it looks new becuase last night google only indexed 2 sites talking about "handcuffs.pif" and then this morning theres 118 listed,
Damn, I wanna mess with this thing more! but ive gotta go and sit in a lecture and listern to 2hrs worth of CMOS theory - great :(
i2c