cornsey1011
Wonder Wit
Joined: Mar 23, 2003
Posts: 3781
Location: Shanghai...looking for a new abode
Posted: Mar 17, 2005 - 11:43 AM
Post subject: MSN Virus
The best advice is to not accept any files through MSN except for .jpeg, as there are too many viruses going around at the moment.
They are nasty as well, especially for home users, as it renders your PC unable to download the updates and removal tools.
It begs the question what is the point of anti-virus software if it can be disabled by a simple virus and leave you unable to access the virus software websites. I see lawsuits in their future.
Anyway... I have successfully removed this virus from my PC through this removal tool.
Hopefully you will be able to download it as well at
http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.a.removal.tool.html
Description of the virus below. What a bitch!!!
Quote:
Details:
Arrival and Installation
This worm arrives on a system via MSN Messenger. Upon execution, it drops the following copies of itself in the system root folder (usually C:\):
Annoying crazy frog getting killed.pif
Crazy frog gets killed by train!.pif
Fat Elvis! lol.pif
How a Blonde Eats a Banana...pif
Jennifer Lopez.scr
LOL that ur pic!.pif
lspt.exe
Me on holiday!.pif
Mona Lisa Wants Her Smile Back.pif
My new photo!.pif
See my lesbian friends.pif
The Cat And The Fan piccy.pif
Topless in Mini Skirt! lol.pif
Also under the root folder, it drops the following nonmalicious files:
Crazy-Frog.Html
Message to n00b LARISSA.txt
British National Party.jpg
It also drops the following files on the system, as follows:
%System%\FORMATSYS.EXE
%System%\SERBW.EXE
%Windows%\MSMBW.EXE
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
Autostart Technique
This worm creates the following registry entries to enable its dropped files to run at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%Random Value% = "%Random Data%"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
%Random Value% = "%Random Data%"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
%Random Value% = "%Random Data%"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
%Random Value% = "%Random Data%"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%Random Value% = "%Random Data%"
%Random Value% may be any of the following:
ltwob
serpe
avnort
%Random Data% may be any of the following:
%Windows%\msmbw.exe
%System%\serbw.exe
%System%\formatsys.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)
It also writes the following text in autorun.inf:
OPEN=autorun.exe
This worm also drops the following files in the C:\Documents and Settings\%User name%\Local Settings\Application Data\Microsoft\CD Burning\ directory:
AUTORUN.EXE
AUTORUN.INF
(Note: %User name% stands for the currently logged-on user.)
AUTORUN.EXE is a copy of this worm, while AUTORUN.INF serves as the autostart routine to automatically launch AUTORUN.EXE. This worm does this so that it can copy itself into a CD while the affected user is burning. The worm is then launched automatically from the CD when the created CD is being read by the system.
Other Registry Modifications
This worm may also add or modify the following registry entries to enable the System Restore tool, so that this worm can be included in the files to be restored in case the user restores the system:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
Windows NT\SystemRestore
DisableSR = "0"
DisableConfig = "0"
Propagation via Instant Messenger
This worm propagates via MSN messenger. It sends an instant message to all online contacts of an affected user that contains a link to a certain Web site. When a user clicks on this link, a copy of this worm is downloaded into the system.
The following screenshot shows how this worm attempts to send a copy of itself to target users:
Propagation via Peer-to-peer File Sharing Networks
This malware also propagates via eMule. It copies itself as the following files in the %Program Files%\Program Files\eMule\Incoming\ folder, the %Root%\My Shared folder and the \Shared folder of an affected system:
Messenger Plus! 3.50.exe
MSN all version polygamy.exe
MSN nudge bomb.exe
(Note: %Root% is usually C:\.)
Antivirus Retaliation
The worm also performs HOSTS file modification to redirect affected users to the following Web site when they access certain Web sites that are related to antivirus and security companies:
64.2<BLOCKED>.167.104
As of this writing, the said Web site is already unavailable.
It does this when a user accesses the following Web sites:
www.symantec.com
www.sophos.com
www.mcafee.com
www.viruslist.com
www.f-secure.com
www.avp.com
www.kaspersky.com
www.networkassociates.com
www.ca.com
www.my-etrust.com
www.nai.com
www.trendmicro.com
www.grisoft.com
securityresponse.symantec.com
symantec.com
sophos.com
mcafee.com
liveupdate.symantecliveupdate.com
viruslist.com
f-secure.com
kaspersky.com
kaspersky-labs.com
avp.com
networkassociates.com
ca.com
mast.mcafee.com
my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
grisoft.com
sandbox.norman.no
www.pandasoftware.com
uk.trendmicro-europe.com
Process Termination
This worm terminates the following processes, if found running on the system:
apvxdwin.exe
atupdater.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avconsol.exe
avengine.exe
avsynmgr.exe
avwupd32.exe
avxquar.exe
bawindo.exe
blackd.exe
ccapp.exe
ccevtmgr.exe
ccproxy.exe
ccpxysvc.exe
cfiaudit.exe
cmd.exe
defwatch.exe
drwebupw.exe
escanh95.exe
escanhnt.exe
firewall.exe
frameworkservice.exe
icssuppnt.exe
icsupp95.exe
luall.exe
lucoms~1.exe
mcagent.exe
mcshield.exe
mcupdate.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
msconfig.exe
msdev.exe
navapsvc.exe
navapw32.exe
nisum.exe
nopdb.exe
nprotect.exe
nupgrade.exe
ollydbg.exe
outpost.exe
pavfires.exe
pavproxy.exe
pavsrv50.exe
peid.exe
petools.exe
regedit.exe
reshacker.exe
rtvscan.exe
rulaunch.exe
savscan.exe
shstat.exe
sndsrvc.exe
symlcsvc.exe
taskmgr.exe
Update.exe
updaterui.exe
vshwin32.exe
vsstat.exe
vstskmgr.exe
w32dasm.exe
winhex.exe
wscript.exe
It also terminates processes that contain the following strings in their window title:
-CILLIN
ADWARE
ALERTS
ANTI
AUTOSTARTED
Avg
BENIGN
BLOCKER
BUG
BULLGUARD
BUSTER
CENTER
CLEANER
CMD
Command
DESTROY
DETECTION
DOCTOR
EARTHLINK
EDITOR
ELIMINATE
EYE
FIGHT
Filter
FIREWALL
FIX
FIXING
HEAL
HELP
HUNTER
KERIO
Kill
LABS
LIVEUPDATE
MALWARE
MALWHERE
MCAFEE
NETCOP
NOD32
NORTON
PANDA
PROCESS!A
PROMPT
PROTECTOR
REGISTRY
REMOVAL
RESTORE
SANDBOX
SCAN
SECURE
SECURITY
SOPHOS
SPY
SPYBOT
SPYWARE
STOPPER
SWEEPER
TASK
TOOL
TREND
Update
VCATCH
VIRUS
WATCH
WORM
Once it terminates these processes, this worm prevents them from executing again as long as it is running in memory.
It also prevents Windows Explorer from browsing the folder where this worm's currently executing copy is residing.
Anti-ASSIRAL Routines
This worm attempts to terminate the following processes associated with the malware WORM_ASSIRAL.C:
CmdPrompt32.pif
LOVE_LETTER_FOR_YOU.pif
MSLARISSA.pif
SP00Lsv32.pif
However, due to some errors in its code, it fails to terminate the said processes.
It also attempts to delete the following files, which are dropped by WORM_ASSIRAL.C:
%System Root%\MESSAGE_TO_BROPIA.txt
%System Root%\WinVBS.vbs
%System%\CmdPrompt32.pif
%System%\MSLARISSA.pif
%Windows%\SP00Lsv32.pif
It successfully deletes the said files as long as they are not running in memory.
This worm also drops and executes the text file Message to n00b LARISSA.txt in the said folder when it is the 1st, 7th, 10th, 19th, 25th, 26th, or the 30th day of the month.
The file contains the following message:
Hey LARISSA **** off, you **** n00b!.. Bla bla to your ****
Saving the world from Bropia, the world n33ds saving from you!
'-S-K-Y-'-D-E-V-I-L-'
Other Details
This worm drops and executes the file Crazy-Frog.Html in the root folder of the affected system (usually C:\). The said file displays a large image from the following site:
http://frog.0ca<BLOCKED>h.com/big_deal.jpg
The file though does not display as an image since the said link contains an HTML file and not an image file. The HTML file has the following details:
Title: .:*Crazy-frog*:.
The following META information:
:*****-Off*:. (author)
Crazy_frog (description)
Bropia (keywords)
It also accesses the following location and displays it at the bottom part of the file Crazy-Frog.Html:
http://udjc.com/coun<BLOCKED>r/index.php?u=yyyyyyyyyyyy&s=bluesky
This link appears to contain a global infection counter for this worm.
A file named British National Party.jpg, which is downloaded from the URL http://frog.0catch.com/BNP.jpg, may also be opened using the affected system's default image viewer. However, since this file is actually an .HTML file, it may just generate an error message.
It creates the mutex ‘-F-u-c-k-‘Y-o-u’ to ensure that only one instance of itself is present in memory of an infected system.
This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
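Two of the indicators in the writeup quoted above are easy to check for from the defender's side: the HOSTS entries that redirect security-vendor sites (the reason the original poster could not reach the removal tool), and the Run-key values named ltwob, serpe and avnort pointing at msmbw.exe, serbw.exe or formatsys.exe. The script below is an added example, not code from the forum post or the vendor writeup; the HOSTS text and the regedit export it scans are constructed samples, 203.0.113.44 is a documentation-range placeholder for the redacted address, and the vendor-domain watchlist is a subset of the list quoted above.

```python
"""Triage helpers for two indicators from the worm writeup: HOSTS-file
redirection of security-vendor sites and Run-key persistence.
Added example; not code from the forum post or the vendor writeup.
The sample HOSTS text and .reg export are constructed for illustration."""
import re

# Subset of the vendor hosts the writeup lists as redirected (extend as needed).
VENDOR_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "liveupdate.symantec.com",
    "update.symantec.com", "www.mcafee.com", "download.mcafee.com",
    "www.sophos.com", "www.trendmicro.com", "www.kaspersky.com", "www.f-secure.com",
}

# Value names and dropped-file names the writeup attributes to the worm's autostart.
SUSPICIOUS_RUN_NAMES = {"ltwob", "serpe", "avnort"}
SUSPICIOUS_RUN_FILES = {"msmbw.exe", "serbw.exe", "formatsys.exe"}

# Autostart locations named in the writeup, compared case-insensitively by suffix.
RUN_KEY_SUFFIXES = (
    r"\currentversion\run",
    r"\currentversion\runservices",
    r"\currentversion\policies\explorer\run",
)

# Matches a REG_SZ line of a regedit export: "name"="data"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            yield parts[0], host.lower()


def find_hosts_hijacks(text, watchlist=VENDOR_DOMAINS):
    """Return every HOSTS entry for a watched vendor domain.

    A clean HOSTS file has no reason to name these hosts at all, so any
    mapping (to a remote address or to 127.0.0.1) is reported."""
    return [(ip, host) for ip, host in parse_hosts(text) if host in watchlist]


def parse_reg_export(text):
    """Yield (key_path, value_name, data) from a regedit export (string values only)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # .reg files escape backslashes as \\ ; undo that for the path.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_suspicious_run_values(text):
    """Flag values under the Run keys whose name or target file matches the indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        target = data.strip('"').rsplit("\\", 1)[-1].lower()
        if name.lower() in SUSPICIOUS_RUN_NAMES or target in SUSPICIOUS_RUN_FILES:
            hits.append((key, name, data))
    return hits


# Constructed sample HOSTS file; 203.0.113.44 is a documentation-range placeholder.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
203.0.113.44    www.symantec.com
203.0.113.44    liveupdate.symantec.com securityresponse.symantec.com
127.0.0.1       www.mcafee.com
192.168.1.20    intranet.example.local
"""

# Constructed sample regedit export (regedit /e format).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"serpe"="C:\\WINDOWS\\msmbw.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"xyz"="C:\\WINDOWS\\System32\\serbw.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"avnort"="C:\\Program Files\\Foo\\foo.exe"
"""

if __name__ == "__main__":
    for ip, host in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {host} -> {ip}")
    for key, name, data in find_suspicious_run_values(SAMPLE_REG):
        print(f"Run-key persistence: [{key}] {name} = {data}")
```

On a real machine the inputs would be the contents of %System%\drivers\etc\hosts and an export of the Run keys made with regedit /e. Any vendor domain present in HOSTS is reported whatever address it maps to, because a clean HOSTS file normally carries only the localhost entry; and the Run-key check matches on both the value name and the target file name, since the writeup says the worm picks the name from a small set and the target from a small set independently.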
kyd
Reacher
Joined: Jan 08, 2005
Posts: 230
Posted: Mar 17, 2005 - 02:44 PM
Anyway, don't receive any files [via MSN] when they end with .pif.
I've tried a couple of times, then my computer will go mad!
Since in the beginning I thought they were trusted files from my FRIENDS!
Dunno they can be sent automatically.
_________________
Kyd-Loves to Kid
Azrael
FooJay
Joined: Aug 13, 2003
Posts: 1753
Location: Terra Paradiso
Posted: Mar 23, 2005 - 01:46 PM
Hey corney..... I take it that you've slain the f*cker outta ya PC, huh?
_________________
Little pictures in my head. Turn me inside out again. Cuz f^&*ing up takes practice. I feel I'm well rehearsed. Cuz the past is a bully. And the future's even worse. You tell me what you fear. Cuz I can feel it like a curse...
lucky
LoopKicker
Joined: Feb 26, 2003
Posts: 844
Location: Sydney, NSW, Australia
Posted: Apr 03, 2005 - 10:27 PM
Cool worm. I'd say the coder has a great sense of humor, although I don't approve of the impact caused.