How to remove Worm.Sedoubot.A

 

THREAT NAME
Worm.Sedoubot.A


CLEAN INSTRUCTION

1. In order to clean the computer, please restart it in Safe Mode and delete the following files:

 

C:\Windows\photo album.zip
C:\Windows\system32\rdihost.dll

2. To delete the files, go to Start, Programs, Accessories, click Windows Explorer and navigate to "Local disk C", then the Windows folder.

 

3. Search for and delete the photoalbum.zip file.

 

4. Navigate to the System32 folder and delete the rdihost.dll file.

 

5. After that, we recommend that you download BullGuard and run a full scan of your system.



SYMPTOMS

1. Increased network activity.

 

2. An open connection with www.fr[blocked].biz

 

3. Presence of the following files in the C:\Windows and C:\Windows\System32 folders: photo album.zip, rdihost.dll.


DESCRIPTION

1. When executed, the malware creates a file named rdihost.dll in the C:\Windows\System32 folder and injects it into the explorer.exe process.

 

2. It creates a copy of itself as an archive named photoalbum.zip in the C:\Windows folder.

 

3. It will connect to an IRC channel on www.fr[blocked].biz and it will wait for commands from a malicious attacker.

 

4. It can deactivate the Security Center and Shared Access services, it can download and files
or it can attack other computers.

 

5. It can spread by sending the archive through MSN Messenger using the following messages:

 


[Image: msn_vir_pic1]

[Image: msn_vir_pic2]
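
A read-only check for the files and behaviour listed under SYMPTOMS and DESCRIPTION, added here as an example (it is not BullGuard's own tooling). It assumes the Windows service short names wscsvc for Security Center and SharedAccess for Shared Access, and it checks both spellings of the archive name that appear on this page.

```powershell
# Added example: read-only triage for the Worm.Sedoubot.A artifacts named on this page.
# Nothing is deleted or changed. Run elevated so explorer.exe modules are readable.
$results = @()

# The page spells the archive both "photo album.zip" and "photoalbum.zip"; check both.
$paths = 'photo album.zip', 'photoalbum.zip', 'System32\rdihost.dll' |
    ForEach-Object { Join-Path $env:windir $_ }
foreach ($path in $paths) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'File present'
        Target = $path
        Hit    = [bool]$item
        Detail = if ($item) { '{0} bytes, modified {1:u}' -f $item.Length, $item.LastWriteTimeUtc } else { '' }
    }
}

# The DLL is injected into explorer.exe, so look for it among that process's loaded modules.
$loaded = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try {
        $proc.Modules | Where-Object { $_.ModuleName -ieq 'rdihost.dll' } |
            ForEach-Object { 'PID {0}: {1}' -f $proc.Id, $_.FileName }
    } catch {
        Write-Warning "Could not read modules of PID $($proc.Id): $($_.Exception.Message)"
    }
}
$results += [pscustomobject]@{
    Check  = 'Module loaded in explorer.exe'
    Target = 'rdihost.dll'
    Hit    = [bool]$loaded
    Detail = ($loaded -join '; ')
}

# The page says Security Center and Shared Access can be deactivated.
# Assumed service short names: wscsvc and SharedAccess.
foreach ($name in 'wscsvc', 'SharedAccess') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'Service not running'
        Target = $name
        Hit    = (-not $svc) -or ($svc.Status -ne 'Running')
        Detail = if ($svc) { "Status: $($svc.Status)" } else { 'Service not found' }
    }
}

$results | Format-Table -AutoSize -Wrap
```

A stopped SharedAccess service is common on clean systems, so treat that row as corroboration for a file or module hit rather than as a finding on its own.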

 

 

Author:
The BullGuard Team
