New MSN Messenger virus doing the rounds, how to get rid of it!

// February 18th, 2009 // Custom descriptions of malware, Malware Related

Source: salmon @malwarebytes.org forum

Today I was alerted to a pretty fresh and as yet poorly detected MSN Messenger worm (thanks salmon). As usual, this worm spreads by infecting a computer user who is running the MSN Messenger client and then automatically sending messages to that user's contacts, encouraging them to click a link in order to view a photograph of themselves or a friend. In this case, the user is encouraged to click on a link leading to http://hi5-album.com/foto.php? (do not visit this site, as you will be exposed to malware), which currently redirects to a file named PIC2009-02-15-JPG.exe hosted at http://66.29.31.3 /~rivux/PIC2009-02-15-JPG.exe

If the user accepts the transfer of this file, the malware author adds another element of deception to try and get the user to launch it: the executable is given an image file icon, so it looks like a picture file, which a person is more likely to click without thinking twice (and by default Windows hides the file extension, the part after the dot, so the .exe part would not be visible at all):

Deceptive file icon and name on the MSN virus.

So if you are unlucky enough to launch the file PIC2009-02-15-JPG.exe, the malware gets straight into action.

First, the file is a Win32 self-extractor that contains the actual virus inside it (almost like a container). When you double-click or open the file, it extracts the contents of the container to C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP. IXP000.TMP is also a container, holding the files TMP4351$.TMP and rye.exe.

At this point, the malware will display a fake error message in order to try and avert any suspicion the user has about why no picture or photo was shown:

Fake error message displayed by MSN Messenger worm.

The malware then copies itself to C:\WINDOWS\winlogon.exe. Notice the choice of file name: there is a legitimate winlogon.exe that is part of the Windows operating system, but the real one lives in C:\WINDOWS\system32\winlogon.exe, not C:\WINDOWS\winlogon.exe. The file at C:\WINDOWS\winlogon.exe is a fake.

To make sure that the malware is able to start each time you turn on the computer, it will add an entry to the windows registry at this location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window UDP Control Servic “winlogon.exe”

and to top it off, it will change your homepage using another registry value:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page “http://www.postarticles.net”

So an infected computer’s Internet Explorer will now default to the postarticles.net page.
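As an added example (not part of the original post), here is a small Python check that encodes the three host-side indicators described above, the Run value, the hijacked Start Page and a winlogon.exe living outside system32, and runs it over a constructed snapshot of an infected machine; reading the live registry is deliberately left out so it runs anywhere.

```python
import ntpath

# Indicators taken from the write-up (the Run value name is copied verbatim,
# including its truncated spelling).
RUN_VALUE_NAME = "Window UDP Control Servic"
LEGIT_WINLOGON = r"C:\WINDOWS\system32\winlogon.exe"
HIJACKED_HOMEPAGE = "http://www.postarticles.net"

def is_fake_winlogon(path):
    """True for any winlogon.exe that is not the one in system32."""
    norm = ntpath.normpath(path).lower()
    return ntpath.basename(norm) == "winlogon.exe" and norm != LEGIT_WINLOGON.lower()

def image_of(cmd):
    """Extract the executable from a Run value command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""

def check_host(run_values, start_page, files_present):
    """Return findings for a host snapshot.
    run_values:    dict of HKLM\\...\\Run value name -> command line
    start_page:    data of HKCU\\...\\Internet Explorer\\Main\\Start Page
    files_present: full paths of winlogon.exe copies found on disk
    """
    findings = []
    for name, cmd in run_values.items():
        image = image_of(cmd)
        # The worm registers a bare 'winlogon.exe' (no directory) under the
        # value name quoted on this page; either feature alone deserves a look.
        if name == RUN_VALUE_NAME or ntpath.basename(image).lower() == "winlogon.exe":
            findings.append(f"Run value '{name}' launches {image!r}")
    if start_page.rstrip("/").lower() == HIJACKED_HOMEPAGE:
        findings.append(f"IE Start Page hijacked to {start_page}")
    for path in files_present:
        if is_fake_winlogon(path):
            findings.append(f"winlogon.exe outside system32: {path}")
    return findings

# Constructed snapshot of an infected machine, modelled on the write-up.
SAMPLE_RUN = {
    "Window UDP Control Servic": "winlogon.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FILES = [r"C:\WINDOWS\system32\winlogon.exe", r"C:\WINDOWS\winlogon.exe"]

if __name__ == "__main__":
    for f in check_host(SAMPLE_RUN, "http://www.postarticles.net", SAMPLE_FILES):
        print("FINDING:", f)
```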

Finally, the malware does a DNS query for the site radiofm24.info, and when it gets the IP address (currently 216.87.167.7) it connects to it using the IRC protocol and joins a zombie botnet of other infected computers, as shown by the following session details:

Connect ->216.87.167.7:4244
Nick: [00|USA|120106]
Username: XP-4979
Server Pass: gooback
Joined Channel: #!spr! with Password xole
Channel Topic for Channel #!spr!: “.msn.stop|.msn.msg http://hi5-album.com/foto.php?=”
Private Message to Channel #!spr!: “msn// Thread Activated: Sending Message.”
Private Message to Channel #!spr!: “msn// Thread Disabled.”
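As an added example (not part of the original post), here is a small detector for the IRC check-in described above, run over a constructed transcript. The raw IRC line framing is assumed from the values the post quotes, and the bot-nick pattern is generalized from the single nick shown.

```python
import re

# Constructed reconstruction of the bot's session as raw IRC lines, built from
# the values quoted in the write-up (which shows them in summary form).
SESSION = [
    "PASS gooback",
    "NICK [00|USA|120106]",
    "USER XP-4979 0 * :XP-4979",
    "JOIN #!spr! xole",
    ":irc 332 [00|USA|120106] #!spr! :.msn.stop|.msn.msg http://hi5-album.com/foto.php?=",
    "PRIVMSG #!spr! :msn// Thread Activated: Sending Message.",
]

BOT_NICK = re.compile(r"^\[\d{2}\|[A-Z]{2,3}\|\d{4,}\]$")  # e.g. [00|USA|120106]
KNOWN_PASS = {"gooback"}
KNOWN_CHANNELS = {"#!spr!"}
CMD_MARKERS = (".msn.msg", ".msn.stop", "msn//")

def parse(line):
    """Split one IRC line into (prefix, command, params); trailing ':' text is one param."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0].upper(), params[1:]

def score_session(lines):
    """Return the reasons a session looks like this worm's C2 traffic."""
    reasons = []
    for line in lines:
        if not line.strip():
            continue
        _, cmd, params = parse(line)
        if cmd == "PASS" and params and params[0] in KNOWN_PASS:
            reasons.append(f"known server password {params[0]!r}")
        elif cmd == "NICK" and params and BOT_NICK.match(params[0]):
            reasons.append(f"bot-style nick {params[0]}")
        elif cmd == "JOIN" and params and params[0] in KNOWN_CHANNELS:
            reasons.append(f"joined C2 channel {params[0]}")
        elif cmd in ("332", "TOPIC", "PRIVMSG") and params:
            text = params[-1]  # topic or message body
            if any(m in text for m in CMD_MARKERS):
                reasons.append(f"{cmd} carries msn-spam command text: {text[:40]!r}")
    return reasons

if __name__ == "__main__":
    for r in score_session(SESSION):
        print("C2 indicator:", r)
```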

By this stage your computer has “called home” to the malware creator and announced that it is ready to accept commands from the bad guy who planted this virus on your computer. Right now all of your passwords, personal data and online security are at risk, because whoever is on the other side has full access to your computer. If you recognise the symptoms, such as the strange new homepage, or you downloaded a photo/image after a friend asked you to click on a link, you would be very wise to perform a scan to remove this dangerous malware. Here is how:

The free version of Malwarebytes Anti-Malware will detect and remove this nasty malware and many others: download it, install it, update it and then run a scan. It costs nothing to download and is completely free for personal use. Give it a spin and see how easily it gets rid of this nasty by visiting their website and downloading it here: http://www.malwarebytes.org/mbam.php

If Malwarebytes doesn’t seem to do the trick, download and fire up Kaspersky AVPTool, a free virus removal utility from the well-known security vendor. It can be downloaded by clicking HERE

Malwarebytes free does not provide real-time protection to prevent such infections from happening in the first place. If the free version helped you remove the MSN virus, consider buying the PRO version of Malwarebytes to protect your computer in real time alongside your current antivirus, by clicking HERE

22 Responses to “New MSN Messenger virus doing the rounds, how to get rid of it!”

  1. Johan says:

    Except that mbam doesn’t seem to find and fix this bug. I’ve noticed that my son got this one on his computer, winlogon.exe is in windows dir, but mbam (just installed) doesn’t detect it. Is Kaspersky better?

  2. Malware Crawler says:

    Hi,

    I did a live test on the sample I downloaded and MBAM detected and removed it via a “quick scan”…. I’m not getting commission from them or anything so that’s the only reason I recommend it for such infections.

    Kaspersky definitely does detect the file I analysed as I sent it to them. Try Kaspersky AVPTool (free) and see if that detects it, if not post back and I can help out with a manual removal.

    AVPTool can be downloaded here: ftp://ftp.kaspersky.com/devbuilds/AVPTool/index.html

    I’ll update the article with a link too, forgot to add it in.

  3. Johan says:

    Jupp, my fault! I made sure I had the latest version, re-ran a full scan and after some 2 hours of scanning it found it at the very end! Had to reboot to get rid of the false winlogon.exe it had placed in c:/windows/

    Good stuff!

  4. mc says:

    Hello there. I (idiotically) clicked the virus link to the hi-5 from an msn conversation and have the malware. I have the trend micro internet security system and it can’t seem to find it in a scan. I have little knowledge of computers sorry, any help please would be much appreciated.

  5. Malware Crawler says:

    Hi,

    Download and run either malwarebytes or AVPTool scan, as I explained in the article. Both will find and remove the virus.

  6. Jn says:

    Thanks, it worked just ran a quick scan and all is now fine (for now..)

  7. frankiz says:

    My friend sent me this and I clicked it n tried to run it and it came up with the thing where u choose the file name n save and i kept clikin save n it neva did so i just gav up n closed it but now i keep sendin peeps that: ahha! is this you? thing i dunno if I hav got the full virus coz i don’t seem to hav anythin else happenin???

  8. Amy says:

    I’ve got the virus too, and I used malwarebytes to get rid of it, and it worked, but I must’ve pressed something in the quarantine part and it’s back again.

    What should I do?

    When I scan for it I can’t find the virus at all!

  9. SH says:

    I had the pop up link. I ran it but it took quite long to actually run so before it could finish running it, I cancelled it. So does anyone think I had got the virus?
    Replies are greatly appreciated.
    Thanks

  10. confused says:

    If your friend sends you the file and you click it but you chose cancel when a window asks you to choose between ‘open’, ‘save’ and ‘cancel’, will you still get the virus? Please reply ASAP. Thanks a lot! [=

  11. SH says:

    Help!!! Someone. Does anyone know if I get the virus if I clicked on the link and clicked run but since it took too long to run, I cancelled it.
    Can someone help me please? I am just a beginner at computers so please help.
    Thank you.

  12. SH says:

    Sorry for the load of questions. What if my link was something like the one above, is it still a virus? Please reply to all the messages I have sent as soon as possible. Thanks!

  13. JN says:

    My daughter got this virus last night on msn, she clicked on the picture but can’t remember what she did next. I have restored her computer to factory preset and it still seems to be here. I cannot load her antivirus, it won’t recognise it nor will it let me run msn. I have run both scanners that you suggested and neither of them found the virus. Any ideas as to what to do next plz. ty

  14. NK says:

    Same as JN: ran malwarebytes, which didn’t detect it, then tried to use avptool scan, which just seemed to give me a fake trojan alert (not sure if it’s related). Any input on what I may have done improperly or how to perform manual removal would be very much appreciated. Thanks!

  15. Miroos says:

    I know it’s foolish of me to ask, but who’s sending these viruses?

  16. NAZ says:

    I have a question. I tried malware, it doesn’t detect it, I used kaspersky and it scanned but I can’t see any pictures when I open my internet. help please thanx!

  17. NAZ says:

    helppppppp

  18. alls says:

    Malwarebytes’ Anti-Malware 1.35
    Database version: 1942
    Windows 6.0.6000

    05/04/2009 23:57:32
    mbam-log-2009-04-05 (23-57-32).txt

    Scan type: Quick Scan
    Objects scanned: 62476
    Time elapsed: 6 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    I have no idea, should my msn be cleared now?? Was that the problem? Help please!!

  19. Mizzy says:

    Hi, I got a Virus like this a few days ago although the website was like http://www.myspaceinpicture.com/SomeRandomNumber/MyEmail And it sent to all my friends. It was Via msn as well. I just wonder is it the same as this one.

  20. ema says:

    Hi, had the same virus and ran the malwarebytes and cleared the virus, however I can’t get my Messenger to work, can open it but nothing else… is there a way to solve it or is it a case of rebooting? Sorry not computer buff so asking on the off chance?

  21. temka says:

    hey guyzz
    is this the messenger virus, isn’t it?
    how can I remove it, help me pls answer

  22. temka says:

    http://www.tinyphotosend.com/tinyphotosend.com/sacedfiles/57943046/newphoto013.JPG.zip
    hey guyzz
    is this the messenger virus, isn’t it?
    how can I remove it, help me pls answer
