Recent reports include a worm that spreads by the imageXX.zip filename (eg. image13.zip) and drops rpmsvc.exe when the imageXX.JPG-www.photobucket.com inside the zip file is executed. The file transfer is usually preceded by one of the following messages:
This picture isnt you... right?
newest pics for ya
hey did i ever show you this picture of me?
is it ok if I add this pic to my new slideshow?
can i up some of these pics of ya to my myspace profile?
Wow i think i found your pic on myspace!
hah I think I found an old pic of us!
haha lets hope your parents dont see this picture of you
you care if i put this pictuer of you in my new album?
OMFG!!!!!!!!
wow! look at this old picture i found
sorry about the messup i fixed the pic! Try it one more time pz
is this pic tooo sexy for photobucket??
>> You can find a complete list here.
If you're one of the unfortunate victims that accepted the transfer and opened it, here are the removal instructions:
1) Run regedit.exe and delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Remote Terminal Service" = "rpmsvc.exe "
2) Restart Windows.
3) Delete the virus files:
%System%\rpmsvc.exe (Read-only, System, Hide attribute)
%temp%\imageXX.zip
Another worm dubbed Warezov.* (or Stration) is spreading through the following link: and triggers the download of photo.exe. So whatever you do, don't!
Source: C.I.S.R.T