-
I picked up the file and opened it in Notepad. The results were quite interesting. For one, this worm appears to be written in VB. It also appears to make changes to the Registry in the following Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKEY_CLASSES_ROOT\exefile\shell\open\command\
.exe
C:\Windows\System.ini is also mentioned
Here are more interesting strings:
CompanyName Wizard-Productions
ProductName Hell
FileVersion 1.00
FileVersion 1.00
ProductVersion 1.00
InternalName Hell
OriginalFilename Hell.exe
of & supported sockets. , Windows Sockets error
__vbaStrUI1
– Winsock.dll is not responding. Make sure you are connected to the internet.
Socket error occurred in Cleanup
00:00
& _Oscar_BuddyListWin Edit _Oscar_IconBtn 0
__vbaFPFix __vbaAryUnlock __vbaAryLock __vbaRedim __vbaVarAnd __vbaVarCmpLt __vbaLateMemCallLd __vbaVarOr __vbaFixstrConstruct __vbaRecAnsiToUni __vbaRecUniToAnsi __vbaFpI4 __vbaInputFile __vbaAryConstruct2 __vbaObjVar __vbaFileCloseAll __vbaAryDestruct __vbaI2Abs __vbaUI1I2 __vbaGenerateBoundsError __vbaI4Str __vbaStrI2 __vbaPut4 __vbaFpR4 __vbaVarLateMemSt __vbaVarLateMemCallLd __vbaVarDiv __vbaLateMemCall __vbaLateMemSt __vbaStrI4 __vbaVarCmpEq __vbaFileClose __vbaGet4 __vbaVarTstGt __vbaFileOpen __vbaLsetFixstr __vbaStrFixstr __vbaLsetFixstrFree __vbaR8IntI2 __vbaVarTstGe __vbaFPInt __vbaVargVarMove __vbaVarTstNe __vbaVarNot __vbaInStr Wscript.Shell __vbaI2Str __vbaInStrVar __vbaExitProc __vbaLateIdCall __vbaPrintObj __vbaVarSub __vbaLateIdSt
It also appears to make references to the AIM server name (oscar) and the AIM buddy list.
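The letter-spaced strings above are UTF-16LE text (each character followed by a NUL byte) as shown by a plain-text editor. The following is an added example, not part of the original post: a small string extractor that decodes both ASCII and UTF-16LE runs and flags the persistence-related strings the post lists. The function names, indicator labels and sample bytes are constructed for illustration.

```python
import re

MIN_LEN = 5  # shortest run worth reporting
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE: printable byte followed by NUL; editors render the NULs as gaps.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicators taken from the strings quoted in the post (labels are assumptions).
INDICATORS = [
    (re.compile(r"\\currentversion\\runservices\\?$", re.I), "autostart (RunServices)"),
    (re.compile(r"\\currentversion\\run\\?$", re.I), "autostart (Run)"),
    (re.compile(r"exefile\\shell\\open\\command", re.I), "exe handler change"),
    (re.compile(r"system\.ini", re.I), "legacy autostart file"),
    (re.compile(r"wscript\.shell", re.I), "script host object"),
    (re.compile(r"_oscar_", re.I), "AIM window class"),
]

def extract_strings(data):
    """Return (encoding, text) pairs for UTF-16LE and ASCII runs in data."""
    out = [("utf-16le", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    out += [("ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    return out

def triage(data):
    """Return (label, encoding, text) for every string matching an indicator."""
    hits = []
    for enc, text in extract_strings(data):
        for rx, label in INDICATORS:
            if rx.search(text):
                hits.append((label, enc, text))
    return hits

# Constructed sample bytes standing in for a fragment of a suspicious file.
SAMPLE = (
    b"\xff\x01"
    + "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\".encode("utf-16-le")
    + b"\x00\x00\x03__vbaFileOpen\x00\x01"
    + "Wscript.Shell".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for label, enc, text in triage(SAMPLE):
        print(f"{label:24} [{enc}] {text}")
```
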
-
It might be a trojan, which it seems so..
Sounds like wut happened to my sister's computer.
That's wut it prolly is. A lil script kiddy tryin to be cool and sendin
binded trojans =(
*sighs* damn trojans.
-
Quote:
Originally posted here by fr0z3n
It might be a trojan, which it seems so..
Sounds like wut happened to my sister's computer.
That's wut it prolly is. A lil script kiddy tryin to be cool and sendin
binded trojans =(
*sighs* damn trojans.
Speaking of Binded Trojans...
Today I get this file via MSN Messenger: log_frontgirl[1].jpg no double extension or anything....open it up and it has a pic that sorta looks like Britney but then I get told that she didn't send it....worm....run housecall on it and it finds BO2K and gets rid of it.