January 20th, 2005, 11:49 AM
Heads Up: sexy_bedroom.pif
Well the title is as much as I know about this piece of malware, this and the fact that it auto-sends itself to everybody in the infected user's MSN contact list.
My girlfriend noticed this behaviour when her MSN Plus! asked her repeatedly if she would like to zip the file to be sent [a feature of the plug-in]. The file was in the process list and could only be deleted after a boot in safe mode [so as to not get loaded again].
HouseCall and Symantec online AV scans did not report anything after this deletion, so I'd assume deleting the file was enough [no registry key or anything of the sort]. However either because of the scanners' limitations [not checking .pif files or not checking certain folders] the file was not detected inside the Recycle Bin either [although it was still present when the AV scans were run].
Somebody else on my contact list had gotten the same thing since I had a request for a file transfer when I got home, but the person wasn't online so I couldn't inquire further.
When she got infected, my S.O. said the file was called love_me.pif, which makes me think it is possible for the virus to randomly change its name from a list. The transfer request I had received had the same filename as the title - sexy_bedroom.pif.
I forgot to ask whether she was running her AV at the time but I think not [and since the file requires user interaction to infect the computer it would not be detected by anything less than an active AV].
I assume people would be duped into opening the file because .pif is an old extension from DOS IIRC and its close resemblance to .pic could trick many into opening it.
Symantec has no entry about this, neither does Google at large return anything.
Anybody know anything more about this? Is it truly a virus or some other kind of malware? I believe I could still get a copy of it and PM it to *some* people that would require it for analysis, however I'd rather not go into that kind of a situation...
So this is both a Heads Up and a Request for Comments[:P]/Info... stay alert!