On April 10, 2006, many Yahoo Messenger users in Vietnam reported the emergence of a new virus disguised as a link “anhdep.jpg” that was spreading rapidly.
 |
When clicking on the virus link disguised as an image file, a window appears as shown in the image. Do not be foolish enough to click “run” or “save”! |
The aforementioned virus, whose origin is unclear, sends a message to all nicknames in the Yahoo Messenger friend list, reading: “Beautiful girl! …check this out…” along with the accompanying link: /Giift/?file=Anhdep.jpg or /Gift/?file=e-card.htm… hosted from the domain xrobots.net.
Although the link displays a jpg extension (image format), when users click on it, software appears with an exe extension. The interface prompts you to choose “Run” or “Save”.
Looking closely at this link, it is evident that the author of the link intentionally deceived users with the file name anhdep.jpg, using the syntax ?file=. In reality, upon clicking the link, the computer will ask the user whether they want to download a file named anhdep.jpg.exe (where anhdep.jpg is the file name).
Immediately after users foolishly allow the virus to infiltrate their machines by running the software that appears, the virus’s software will automatically send messages to all Yahoo Messenger addresses in your friend list if you open the chat nick. Even the infected user is unaware that they are spreading these dangerous links.
Currently, there are no specific statistics on the damage caused by this virus, but with its terrifying exponential spread, it is clearly posing a significant security risk to the online community in Vietnam.
All links spreading the virus “gaidep”; “anhdep”… originate from the website www.xrobots.net. This is a black site containing numerous viruses and spyware. Some reliable sources indicate that this domain was only created two days prior, yet viruses and spyware from here are spreading alarmingly within the online community in Vietnam, primarily through Yahoo Messenger.
According to private sources from VietNamNet, it is possible that the author of this link is Vietnamese (as most infected Yahoo Messenger users are Vietnamese). This type of virus is a BOT virus, which, upon infiltrating a computer, takes control (also known as a zombie computer), forming a Botnet for the virus author to control. Some less skilled Vietnamese hackers even attempt to spread these types of BOT viruses by hiring children to install them at internet cafes for 1,000 VND per machine.
At the level of national security response, when similar incidents occur, the internet service provider controlling the international internet connection (in Vietnam, it is VDC) needs to take early intervention measures to block access from Vietnam to the domain www.xrobots.net. This action will initially reduce the potential for virus spread through Yahoo Messenger, as users unaware of the threat click on the links.
The best advice is that when receiving offline messages or strange messages from anyone in your Yahoo Messenger list containing links related to the address xrobots.net or links of unclear intent, immediately close that chat window and do not click on the link or run any software that appears on the screen.
For infected machines, you can manually delete the virus file from C:Windows, delete file messenger.exe. If deletion fails, run Safe Mode and delete it there. The last resort is to delete the file C:Windowsmessenger.exe from MSDOS.
The Phong
