Thread: Heads Up - handcuffs.pif

  1. #1
    Senior Member
    Join Date
    Jul 2003
    Posts
    634

    Heads Up - handcuffs.pif

    Just had a few people get infected with what I think is a new MSN worm with the file name "handcuffs.pif".

    Apparently it shows a picture of a girl wearing handcuffs (raahhh...), and then transmits its link to all people on your MSN Messenger contact list.

    I've got the file, disasm'ed it, and with my limited knowledge of ASM I've been able to see that it makes calls to the RPC library. It's written by a German, I think, or a German speaker, because the function is called ficken - which means "**** u/ screw u...(u get the idea)" in German.

    The image is displayed with GDI, which isn't surprising..

    I think there might be some form of encryption or something funny going on, because the PE head is all messed up - although is a pif file a PE? I'm not sure; would be grateful if someone could tell me.

    It looks new because last night Google only indexed 2 sites talking about "handcuffs.pif" and then this morning there's 118 listed.

    Damn, I wanna mess with this thing more! But I've gotta go and sit in a lecture and listen to 2hrs worth of CMOS theory - great

    i2c

  2. #2
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Is this the same one as,
    From Here
    # Beautiful Ass.pif
    # John Kerry as Super Chicken.scr
    # Kool.pif
    # Me & you pic!.pif
    # Me Pissed!.pif
    # sexy.pif
    # She Could Fit her Ass in a Teacup.pif
    # she's ****in fit.pif
    # titanic2.jpg.pif

    It creates the following registry entries to run at every Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    %Random% = "C:\WINNT\System32\Isass.exe"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    %Random% = "C:\WINNT\System32\Isass.exe"

    The variable %Random% may be any of the following strings:

    * Anti
    * Isass
    * NvMsnW

    Propagation Routine

    This worm propagates using MSN Messenger, a popular chat program. It sends a copy of itself using any of the file names listed earlier, which were dropped in the root folder.

    Payload

    This worm is capable of disabling the right-click feature of the mouse. It can also prevent the system from loading the following system applications:

    * REGEDIT.EXE
    * TASKMGR.EXE

    This worm also drops the file l0l_53xy_l0l.html in the current folder where it is executed. When run, this HTML file attempts to connect to the following Web sites in order to display an image:

    * http://counter.rapidcounter.com/coun<BLOCKED>/1107713659/bbldotg
    * http://www.freewebs.com/lol_<BLOCKED>_you_lol/l0l_53xy_l0l.jpg

    As of this writing, the said sites are inaccessible.

    Other Details

    This worm runs on Windows 98, ME, NT, 2000, and XP.
    i.e. Bropia??

    Only my nipper got sent "she could fit her ass in a teacup.pif", only it was changed to a shortcut to an MS-DOS progy
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
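
A triage check built from the indicators in the advisory quoted in post #2, added here as an example (not code from either poster or from the advisory): it scans `reg query` output for the Run and RunServices values described above. The function name and the sample registry dump are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the advisory quoted in post #2.
WORM_VALUE_NAMES = {"anti", "isass", "nvmsnw"}
WORM_BINARY = "isass.exe"  # capital-I look-alike; the real LSASS binary is lsass.exe
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runservices")

# A value line in `reg query` output: indent, name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

def find_worm_autoruns(reg_query_output):
    """Return (key, value_name, data, reasons) for autorun values matching the advisory."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # key header line; the value lines below belong to it
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(AUTORUN_SUFFIXES):
            continue  # blank line, or a value outside the two autorun keys
        name, data = m["name"], m["data"].strip().strip('"')
        reasons = []
        if name.lower() in WORM_VALUE_NAMES:
            reasons.append("value name listed in advisory")
        if ntpath.basename(data).lower() == WORM_BINARY:
            reasons.append("points at Isass.exe")
        if reasons:
            hits.append((key, name, data, reasons))
    return hits

# Constructed sample in the layout printed by `reg query <key>`; not from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINNT\System32\ctfmon.exe
    NvMsnW    REG_SZ    C:\WINNT\System32\Isass.exe
    Anti    REG_SZ    C:\Program Files\Example\tray.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Updater    REG_SZ    "C:\WINNT\System32\Isass.exe"

HKEY_LOCAL_MACHINE\Software\Example
    Isass    REG_SZ    unrelated
"""

if __name__ == "__main__":
    for key, name, data, reasons in find_worm_autoruns(SAMPLE):
        print(f"{key}\\{name} = {data}  [{'; '.join(reasons)}]")
```

A hit on the value name alone (the `Anti` entry in the sample) needs manual review, since the name is generic enough to collide with legitimate software.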
