Watch out for the latest WLM worms

[ishan_rulz]

Recent reports include a worm that spreads by the imageXX.zip filename (eg. image13.zip) and drops rpmsvc.exe when the imageXX.JPG-www.photobucket.com inside the zip file is executed. The file transfer is usually preceded by one of the following messages:

 

This picture isnt you... right?

newest pics for ya

hey did i ever show you this picture of me?

is it ok if I add this pic to my new slideshow?

can i up some of these pics of ya to my myspace profile?

Wow i think i found your pic on myspace!

hah I think I found an old pic of us!

haha lets hope your parents dont see this picture of you

you care if i put this pictuer of you in my new album?

OMFG!!!!!!!!

wow! look at this old picture i found

sorry about the messup i fixed the pic! Try it one more time pz

is this pic tooo sexy for photobucket??

>> You can find a complete list here.

 

If you're one of the unfortunate victims that accepted the transfer and opened it, here are the removal instructions:

 

1) Run regedit.exe and delete the following registry entry:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"Remote Terminal Service" = "rpmsvc.exe "

 

2) Restart Windows.

 

3) Delete the virus files:

 

%System%\rpmsvc.exe (Read-only, System, Hide attribute)

%temp%\imageXX.zip

 

Another worm dubbed Warezov.* (or Stration) is spreading through the following link: and triggers the download of photo.exe. So whatever you do, don't!

 

Source: C.I.S.R.T

[rridgely]

Never EVER post a link to a live malware site. Even though the link wasn't a hyperlink there is always someone dumb enough to try it and then be mad at us when they get infected.