GB64 Virus Alert

[davo]

Browsing the forums yesterday from my work computer saw my machine infected with a virus.

here is a little info on it, it is called Pinkslipbot. It hit the wild on March 16.

The delivery method looks to have been via a specially crafted jpeg, probably one of the scene ads, which then redirects to a specially crafted pdf.

The virus does not become active until a reboot at which time it appears as

C:\Documents and Settings\user.name\Application Data\Orxu\evpun.exe\evpun.exe

I cant post images here, so I cant provide a clip of the path that lead to the infection. Suffice to say it comes from here....

first 'http://dkrt.co.cc/games/liti.php ?f=16' to direst you to the pdf which causes the actual exploit...

'http://dkrt.co.cc/k.php?f=16&s=%84%B0%9 ... 0%90%90%90'

This is a classic spoofed address designed to take advantage of an exploit.

This is what it looks like when it first lands on your system, before the reboot...

File Name: WM_25315_info.exe
File Type: EXEW32
File Size: 141 KB

I may have some of the detail worng, secrutiy is not my forte, I am just trying to relate my understanding of what the security guy at work has told me.