By tradition, 2007 now has its own Christmas worm. Worms typically take advantage of public holidays or worldwide events, counting on the increased carelessness of Messenger users during these periods.
McAfee on Christmas day identified a variant of the W32/Checkout worm spreading via through MSN/Windows Live Messenger. The W32/Checkout!0e4a3c52 worm (aka Backdoor.Win32.PBot.b and IM-Worm.Win32.Agent.av) spreads as Christmas-2007.zip (~56 KB), which unzips to a img2007-12.JPEG.scr file. It is accompanied by one of the following messages:
* Christmas photo! :D
* vengo de fi este foto ßlbum
* Hey i que hace el ßlbum de foto! Si ve a el loL del em
* xmas photo!: D
* haha :D lol, christmas pictures off me
* hola, My Christmas picture for you :)
It copies itself into the Windows folder as %Windir%\Christmas-2007.zip and %Windir%\Servidevice.exe, and creates a registry keys to hook system startup (HKEY_LOCAL_MACHINE\Microsoft\Windows\ CurrentVersion\Run\"ryan1918" = "servidevice.exe").
>> Further details at McAfee.