Today I received a message from one of my mates on MSN, and it was one I wouldn’t have expected. It went “Can you have a look at my pic, I’m going to use it on Myspace?” and a file, “Image26.zip”, was sent with it. Being a bit suspicious, I asked a few questions and didn’t get a reply.
I downloaded the file and scanned it with AVG Free, and NO virus or warning was shown. Inside the zip file, instead of an image, there was an executable, image26_photobucket.exe. I double-clicked the file but nothing turned up on the screen. From that point forward, I knew I had just done something wrong.
My computer hung for a while and MSN wasn’t responsive. The reason was that the file I had just clicked triggered and installed a custom-built service known as rndsvc.exe, which opens threads to keep sending the same Image26.zip to everyone in your contact list. I had to disconnect from the internet immediately to stop the file from being sent.
How you can delete the worm/virus
1. If you haven’t already, disconnect from the internet (unplug the cable or switch off the wireless) so the worm cannot keep sending copies of itself.
2. Press CTRL+ALT+DEL to open Task Manager, go to the Processes tab, select rndsvc.exe and click End Process. Do this first: Windows will not let you delete an executable that is still running.
3. Go to C:\windows\system32\ and delete the file rndsvc.exe.
4. Never double-click an executable file (*.exe) received from an unknown source, especially one that is described as an image but turns out to be an executable. Check the actual extension and the file type shown in Explorer, not the icon: a worm will happily give itself a picture icon.
* I’m just a bit surprised AVG Free didn’t pick it up as a worm/trojan when I scanned the file. Anyway, it wasn’t much of a problem as I knew what I was dealing with.
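The check in step 4 can be done before anything is opened. The script below is an added example, not something from the original post: it opens a zip read-only, reads the first two bytes of every entry, and flags anything that starts with the `MZ` signature of a Windows executable, carries an executable extension, or uses a double extension such as `pic.jpg.exe`. It assumes Windows PowerShell 5.x or PowerShell 7 with .NET 4.5 or later for the `ZipFile` class. The sample archive it builds is constructed here to mirror the one in the post (the “executable” inside is only the two-byte magic plus padding, not a working program).

```powershell
# Added example, not part of the original post: inspect a .zip the way a cautious
# recipient should, before extracting or double-clicking anything inside it.
# Assumes Windows PowerShell 5.x / PowerShell 7 and .NET 4.5+ (System.IO.Compression.FileSystem).
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ZipEntryReport {
    param([Parameter(Mandatory)][string]$ZipPath)

    # Extensions Windows will execute on double-click; .scr/.pif/.com are favourites for "image" lures.
    $execExt = '.exe', '.scr', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js'

    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }              # directory entry, nothing to inspect
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLower()

            # Read only the first two bytes: Windows PE executables start with 'MZ' (0x4D 0x5A).
            $buf = New-Object byte[] 2
            $s = $entry.Open()
            try { $n = $s.Read($buf, 0, 2) } finally { $s.Dispose() }
            $isPE = ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)

            $verdict = 'ok'
            if ($isPE -or ($execExt -contains $ext)) { $verdict = 'EXECUTABLE' }
            # "image26.jpg.exe"-style names: an image extension buried before the real one.
            if ($entry.Name -match '\.(jpe?g|png|gif|bmp)\.[^.]+$') { $verdict = 'DOUBLE-EXTENSION' }

            [pscustomobject]@{
                Name      = $entry.FullName
                Extension = $ext
                StartsMZ  = $isPE
                Verdict   = $verdict
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# --- constructed sample input: a zip shaped like the one in the post ---
$work = Join-Path ([System.IO.Path]::GetTempPath()) ("zipcheck_" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $work 'src') -Force | Out-Null
# fake PE: just the 'MZ' magic followed by padding; it is not a valid program and is never run
[System.IO.File]::WriteAllBytes((Join-Path $work 'src\image26_photobucket.exe'), [byte[]](0x4D,0x5A,0,0,0,0))
# genuine JPEG header (FF D8 FF) so the report has a benign entry for comparison
[System.IO.File]::WriteAllBytes((Join-Path $work 'src\holiday.jpg'), [byte[]](0xFF,0xD8,0xFF,0xE0))
$zipPath = Join-Path $work 'Image26.zip'
[System.IO.Compression.ZipFile]::CreateFromDirectory((Join-Path $work 'src'), $zipPath)

# image26_photobucket.exe is reported as EXECUTABLE (StartsMZ = True), holiday.jpg as ok
Get-ZipEntryReport -ZipPath $zipPath | Format-Table -AutoSize
Remove-Item -Recurse -Force $work
```

The magic-byte check matters more than the extension check: Explorer hides known extensions by default (Folder Options, “Hide extensions for known file types”), so a file named `Image26.jpg.exe` is displayed as `Image26.jpg`, while the first two bytes cannot be disguised without breaking the executable.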
Updated (November 11 2007)
Just checked my registry and saw that the worm/trojan was one of the processes/services set to run automatically each time Windows starts up. You can delete it by:
1. Start Menu -> Run -> type regedit -> OK
2. Expand HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Windows -> CurrentVersion -> Run
3. In the right-hand pane you will see an entry with Name = Application Process and Data = rndsvc.exe (that’s the worm/trojan!)
4. Right-click that entry and DELETE it once and for all!
5. Grab a beer and celebrate your achievement 🙂
* Before this update, deleting the file from \windows\system32 was already enough to disinfect the machine: with the file gone there is nothing left to run at startup, so the registry entry does no harm on its own (Windows simply fails to find rndsvc.exe and carries on). Clearing the entry is more of a final cleanup.
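The manual removal steps above and the registry cleanup from the update can be run as one script. The following is an added example and not the post’s own procedure: it kills the process, deletes the file from System32 and removes any Run value whose data points at the worm’s file, in that order. It assumes the names the post reports (rndsvc.exe under System32, a Run value named “Application Process”), and it also checks the HKEY_CURRENT_USER Run key, which the post did not look at but which is the other common auto-start location for this kind of worm. Run it from an elevated (Administrator) PowerShell with the network already disconnected.

```powershell
# Added example, not part of the original post: automates steps 1-3 of the manual
# removal plus the registry clean-up from the update, in the order the post gives.
# Assumptions: file name rndsvc.exe in System32 and a Run value "Application Process",
# exactly as reported in the post; HKCU Run is checked as well (the post only saw HKLM).
$FileName = 'rndsvc.exe'
$RunKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$target = Join-Path $env:SystemRoot "System32\$FileName"

# 1. Stop the running copy first: Windows refuses to delete an executable mapped into a live process.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($FileName)   # "rndsvc"
Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "Killing PID $($_.Id) ($($_.Path))"
    Stop-Process -Id $_.Id -Force
}

# 2. Delete the file from System32, the location the post found it in.
if (Test-Path -LiteralPath $target) {
    Remove-Item -LiteralPath $target -Force
    Write-Host "Deleted $target"
} else {
    Write-Host "$target not present (already removed?)"
}

# 3. Remove the auto-start entry, but only when its data really points at the worm's file
#    (in the post: Name = "Application Process", Data = rndsvc.exe), so that a legitimate
#    value that merely has a similar name is not deleted by accident.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/... metadata
        if ("$($p.Value)" -match [regex]::Escape($FileName)) {
            Write-Host "Removing $key\$($p.Name) = $($p.Value)"
            Remove-ItemProperty -Path $key -Name $p.Name
        }
    }
}

# 4. Show what still auto-starts so anything else suspicious can be eyeballed.
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        Write-Host "`nRemaining values in $key"
        Get-ItemProperty -Path $key | Format-List
    }
}
```

Matching on the value’s data rather than its name is deliberate: the post saw the name “Application Process”, but a value name is free text and a later variant could use any label, whereas the data has to name the file the worm wants started. After the script runs, reboot and confirm that rndsvc.exe no longer appears in Task Manager.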