CISRT issued an advisory about an IM worm. This is a typical worm that you avoid quite simply by not opening attachments in IM, especially when they claim to be Paris Hilton Videos. There is nothing particularly interesting about the worm, but there is something interesting about the write up at http://www.cisrt.org/enblog/read.php?128.

CISRT gives instructions on how to manually remove the worm. I’ll quote a short part of the instructions...

------------------------------------------------------------------------------------------------------------
Step 1.
"Start"->"Run", type "REGEDIT", open the reistry editor.

Step 2.
Go to
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad

delete "printers"="{CLSID}" in right panel

please copy the {CLSID} before deleting it

Step 3.
------------------------------------------------------------------------------------------------------------

Hmmm, perhaps the part about copying the {CLSID} should go before the instructions to delete.

You know those phone messages where they say some menu items have changed so listen to the whole selection?

This is a case where it is wise to read all of the instructions before starting! Of course, if you are that wise you probably didn’t need the instructions anyway :)

Randy Abrams
Director of Technical Education