#11
Jack Burton
Join Date: July 19, 2003
Location: an expat living in France
Age: 40
Posts: 5,577

The messages I got were (WARNING DON'T TRY THE LINK!! I disassembled it on purpose since it is the file which contains the virus):

The Boz dit: (yeah, I know I have a French version of Messenger)
omg this is funny! http:// DON'T jose.rivera4 TRY .home. THE att.net LINK /cute.pif

If you get a message like this from someone you trust you are likely to fall for it. As did Bozos and Deathkiller. There were only two warnings for me, one was that Deathkiller sent me the message and less than a minute later Bozos sent the same message. Exactly the same message. The other warning sign was Firefox telling me that the file I was trying to save to disk or run from current location was an MS-DOS executable file. So I asked Bozos and from there we found out that it was a virus.

[ 03-07-2005, 02:36 PM: Message edited by: dplax ]

#12
Dracolich
Join Date: January 24, 2004
Location: UK
Age: 42
Posts: 3,092

Ah yes, that's the guy I reported - both him and that stupid .pif are now officially "offline"

[ 03-07-2005, 02:37 PM: Message edited by: shamrock_uk ]

#13
Symbol of Cyric
Join Date: November 12, 2002
Location: Banstead, Southeast England
Age: 38
Posts: 1,162

Um...I'm having problems removing the virus...

The symptoms I'm having are that now and then a message box entitled "Windows Internet Explorer" pops up saying "You must click Yes to continue" with only an OK button underneath. I get round this by just clicking the red X to quit the message window. This is usually accompanied by my McAfee Anti-Virus coming up with a message saying a trojan has been cleaned, or C:\c.exe has been cleaned or "The worm Sdbot.worm.gen.i has been detected and cleaned" etc etc. Now, whenever I run a scan it comes up clean, but these messages persist. I downloaded the Symantec Bropia Removal tool but it says the Bropia worm wasn't found.

Can anyone enlighten me? As far as I can see, the virus isn't directly harmful. Just my anti-virus pops up now and then with a Cleaned message, or the message box comes up. This all started after I'd accepted the .pif file so I'm assuming it must be related. I am extremely grateful for any help offered.

EDIT: Oh, and for some reason when I try and access my McAfee options it says "you are prohibited from viewing ActiveX and this page may be displayed with errors" - it certainly is, it's blank. This means I can't update my Anti-Virus, and I've never had that message before...

[ 03-07-2005, 04:46 PM: Message edited by: slicer15 ]

#14
Jack Burton
Join Date: July 19, 2003
Location: an expat living in France
Age: 40
Posts: 5,577

If I remember correctly from what Deathkiller told me, Microsoft's antivirus kills it.

A different method, which worked for Bozos, was ending the process before restarting. Once that was done he didn't have any problems. I'm not sure how to remove it once you restarted since then it might write itself into several locations. I didn't get the file, so I'm not sure how deeply it entrenches itself in the system, but it doesn't seem to go very deep. I'm not even sure whether it creates registry entries.

#15
Dracolich
Join Date: January 24, 2004
Location: UK
Age: 42
Posts: 3,092

No, it's not really persistent.

Look for a random .exe file in the root of your C:\ drive and also a new one in c:\windows\system32 - that's where it usually hides. You can also go to Start -> Run and type "msconfig". Look under the startup tab and uncheck anything dodgy there which will prevent it from running when you restart.

A decent firewall that watches for unauthorised application launches will catch this in the act - I would really recommend you download either Zone Alarm or Kerio Personal Firewall.

[ 03-07-2005, 05:00 PM: Message edited by: shamrock_uk ]

#16
Symbol of Cyric
Join Date: November 12, 2002
Location: Banstead, Southeast England
Age: 38
Posts: 1,162

I'm really unfamiliar with this so I have no idea what to look for in either the Windows folders or on the Startbar menu under msconfig. I can't scan my PC because ActiveX has been disabled (something I definitely did not do) and where on earth is the official Microsoft anti-virus program? If you mean the Malicious Software Remover it didn't find anything on my PC. I definitely know I still have it because the anti-virus messages still pop up. Isn't there some sort of program I can get that will find the file for me? I am too paranoid that I'll screw my PC up by deleting a wrong .exe file.

Again, I really appreciate the help guys. Thanks a lot.

#17
Apophis
Join Date: July 29, 2003
Location: The Underdark cavern of Zagreb
Age: 38
Posts: 4,679

By my understanding of the thing, and I have made three observations (activated the cute thing three times), it works like this:

CASE 1: Computer connected to internet, cute started, MSN running.
It activates, puts itself into RAM memory, and addresses itself as a Windows component, so Windows will see it as a change and incorporate it into its registry when you shut down the PC. Until you shut down, all it does is it sends itself to all MSN contacts, and later to contacts that change their status (double sending has happened to a person who changed status twice). If you are here, just Ctrl+Alt+Delete, and go to Processes. Right-click on "cute" and choose End Process Tree. You now have approximately (haven't checked, but it's the most occurring) one minute until it reactivates itself, and in that window you are to delete it. Nothing remains, as the virus hasn't had time to bury itself anywhere. The code is very simple and light, so it can stay small, and be downloaded before people start suspecting anything. I also believe it's recognised as a legit Browser (Messenger) Helper Object by most anti-virus programs. AVG and avast didn't pick it up.

CASE 2: All as in case 1, but you have restarted the PC.
This is where the fun starts. It has successfully written itself into the registry, and there are several methods to help you here. It is always running in the background, leave it and run HijackThis so you can trace it to where it is. Now, go shut it down, delete it and its registry entry (has the same name as HijackThis tells you). Unless you have already worked in the registry before, and are comfortable with it, DO NOT do this. Use the Microsoft AV link provided by DK to get rid of it, it works well.

CASE 3: Activated on a closed computer, no connection anywhere.
It just sat there in the Running Processes and did nothing but slow down my PC somewhat. After restart it writes itself in the reg, but still harmless until you run MSN. Go to case 3 for removal instructions.

In all three cases it works as a performance degrader, bringing my processor use up to 100% in the first two cases, and only to 20% in the third, and my normal usage is 7% with Winamp running and MSN and stuff... Things like this are born from bets, two guys bet who will infect more computers. It slows down your computer only because then you notice it. The more people notice it, the more reports they make to Symantec/AVG vault/whatever virus tracking site there is, and that's the scoreboard. It has no trojan functions, not even a report of activity to the maker.
__________________
MAKE LOVE, NOT SPAM!

#18
Dracolich
Join Date: January 24, 2004
Location: UK
Age: 42
Posts: 3,092

Well, you shouldn't have any .exe files in the root of your C:\ drive so that should be easy to pick out.

As for the one in your system32 folder, arrange files by date and see what comes up. Best post the last couple of filenames up here and we can make sure you don't delete something important.

As for ActiveX being disabled, nothing will increase your computer's security more.

You may find nothing - it does seem to just 'vanish' - I've seen this on several computers that sent out these MSN messenger messages. No scans pick it up, or removal tools.

Your Internet Explorer pop-ups may be related to something else - go to internet options and clear all your cache, offline files, cookies. Then go to 'view objects' and delete everything there that shouldn't be (i.e. leaving something like Shockwave Flash but get rid of anything without a clear and proper name).

And what Bozos said.

[ 03-07-2005, 05:17 PM: Message edited by: shamrock_uk ]
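
The manual checks suggested in posts #15 and #18 (executables in the root of C:\, new executables in system32 sorted by date, startup entries), written out as a read-only PowerShell triage script. This is an added example, not part of the original thread; it assumes a current Windows system with PowerShell 5.1 or later, and the seven-day window and the `Get-ExeDetail` helper name are choices made for the example.

```powershell
# Added example, not from the thread. Read-only: it lists candidates and deletes nothing.
$days   = 7                                # assumption: how far back "new" means
$cutoff = (Get-Date).AddDays(-$days)

function Get-ExeDetail {
    # Hypothetical helper: attach signature status and SHA-256 so a file can be
    # looked up or posted for a second opinion before anyone deletes it.
    param([Parameter(ValueFromPipeline = $true)] [System.IO.FileInfo] $File)
    process {
        [pscustomobject]@{
            Path      = $File.FullName
            Created   = $File.CreationTime
            Modified  = $File.LastWriteTime
            Signature = (Get-AuthenticodeSignature -FilePath $File.FullName).Status
            SHA256    = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        }
    }
}

# 1. Executables sitting directly in the root of C:\ (post #18: there should be none).
$rootExe = Get-ChildItem -Path 'C:\' -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    Get-ExeDetail

# 2. Executables in system32 created or changed inside the window, newest first.
$sys32 = Join-Path $env:SystemRoot 'System32'
$recentExe = Get-ChildItem -Path $sys32 -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Get-ExeDetail

# 3. Run-key entries, part of what msconfig lists on its Startup tab.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startup = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $reg.GetValue($name) }
        }
    }
}

Write-Host '--- .exe files in C:\ root ---';       $rootExe   | Format-List | Out-Host
Write-Host "--- system32, last $days days ---";    $recentExe | Format-List | Out-Host
Write-Host '--- Run-key startup entries ---';      $startup   | Format-Table -AutoSize -Wrap | Out-Host
```

A Run-key command that points at one of the files from lists 1 or 2, especially one whose signature status is not `Valid`, is the combination worth a closer look; Windows updates also touch system32, so a recent date alone proves nothing.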