MSN VIRUS, and how to fix it.
Posted on December 16, 2007 at 16:47
Okay, there's a virus going around on MSN. The virus goes like this, *clears throat for an announcement*: "are these your pics? http://msgrpics.net/?msn=<contact name here>"

I've spent AGES finding out how it all works; it seems nobody has put anything about it on the internet, and it kills any process killers or anti-virus software on its list, which is what prompted me to make a fix of my own.

It replicates itself by sending that link to your contacts, and the running copy can take on any of the following names (the same names as genuine Windows system processes):

1. lsass.exe
2. csrss.exe
3. services.exe
4. smss.exe
5. winlogon.exe

It stores registry keys in the following locations so that it runs again at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lsass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\smss
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\csrss
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winlogon
HKEY_USERS\<user SID here>\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_USERS\<user SID here>\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

Anyway, I made a fix for it, and you can download it here: http://www.fileden.com/files/2006/7/21/138833/Fixer.zip

Spent like, 1.5 days making it nice and easy. The idea is that the virus imitates critical processes, so that dumb old Task Manager thinks it is a critical process too and won't end it. Trying to close all of the critical processes from a BATCH file still won't let you close the real ones (Windows protects those), but it WILL let you close the imitations. The fix also deletes the registry keys created by the virus so that it cannot run on startup. The files themselves seem to be in a folder which doesn't exist no matter how I try to access them, so fortunately it means you can't run it accidentally. If the fix says it didn't work, it just means that you don't have the virus it's looking for, so you could have something else, or it has already deleted the virus.
The download includes "psgetsid" by Symantec, a DLL for deleting keys in the registry (which I use to remove the run-on-startup key for the virus), a simple batch program for closing the processes and outputting the SID into a file, and lastly the GM file which uses the other files to remove the virus. Hmm, are you allowed to make virus-removal tools with Game Maker? I recall it not being allowed on the GMC... Anyway, try to send that link to anyone who has that virus, and you'll save the world. [/major overstatement] I hope this helps anyone who accidentally clicked that link and got that MSN virus. I do recommend that you run a scan with your antivirus program to remove the traces of the virus, but this tool on its own will completely stop the virus from working.
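For anyone who would rather check a machine by hand than run the Fixer download, here is an added PowerShell script that does the same two checks the post describes: it lists every process using one of the five impersonated names and flags any whose executable is not in System32, and it lists the HKCU autostart values named after those processes. This is example code written for this page, not the post's tool and not part of the Fixer.zip. It assumes PowerShell 3.0 or later and an elevated prompt (so the paths of the genuine system processes can be read); without -Remove it only reports. It also relies on the fact that HKEY_USERS\<your SID> is the same hive as HKEY_CURRENT_USER for the logged-on user, so no SID lookup is needed to clean your own profile.

```powershell
# Added example (not the post's Fixer tool): report, and optionally remove,
# processes and HKCU autostart entries matching the names the post describes.
# Assumes PowerShell 3.0+ and an elevated prompt.
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

# Names the worm hides behind, per the post; the genuine ones live in System32.
$impersonated = 'lsass.exe', 'csrss.exe', 'services.exe', 'smss.exe', 'winlogon.exe'
$system32 = Join-Path $env:SystemRoot 'System32'

Write-Host "== Processes named like critical system processes =="
Get-CimInstance Win32_Process |
    Where-Object { $impersonated -contains $_.Name } |   # -contains is case-insensitive
    ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) {
            # Genuine protected processes may not expose a path; do not treat that as suspicious.
            Write-Host ("  {0,-14} PID {1,-6} path unreadable (likely genuine, protected)" -f $_.Name, $_.ProcessId)
        } elseif ($path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            Write-Host ("  {0,-14} PID {1,-6} {2}  [genuine location]" -f $_.Name, $_.ProcessId, $path)
        } else {
            # Same name as a system process, but running from somewhere else: the imitation.
            Write-Host ("  {0,-14} PID {1,-6} {2}  [SUSPICIOUS: not in System32]" -f $_.Name, $_.ProcessId, $path)
            if ($Remove) { Stop-Process -Id $_.ProcessId -Force -ErrorAction Continue }
        }
    }

Write-Host "== HKCU autostart values named after system processes =="
# HKEY_USERS\<SID> of the logged-on user is the same hive as HKCU, so HKCU: covers
# both groups of keys listed in the post for the current profile.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$legacyKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$checks = @(
    @{ Key = $runKey;    Names = 'lsass', 'services', 'smss', 'csrss', 'winlogon' },
    @{ Key = $legacyKey; Names = 'load', 'run' }   # legacy win.ini-style autostart values
)
foreach ($c in $checks) {
    if (-not (Test-Path $c.Key)) { continue }
    $props = Get-ItemProperty -Path $c.Key
    foreach ($n in $c.Names) {
        $value = $props.$n
        if ($null -ne $value -and "$value" -ne '') {
            Write-Host ("  {0}\{1} = {2}" -f $c.Key, $n, $value)
            if ($Remove) { Remove-ItemProperty -Path $c.Key -Name $n -ErrorAction Continue }
        }
    }
}
if (-not $Remove) { Write-Host "Report only. Re-run with -Remove to stop the processes and delete the values." }
```

Run it once without -Remove and read the report first: the "load" and "run" values under Windows NT\CurrentVersion\Windows are normally empty on a clean system, so anything non-empty there deserves a look at what it points to before you delete it, and a process whose path is simply unreadable is more likely the real protected process than the worm.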
"are these your pics? http://msgrpics.net/?msn=<contact name here>" It spreads in the form of an MSN message: the person clicks the link, and BAM.
Well, some sites use an EXE to gather info about the PC to make the page display properly, so people probably thought it was one of those sites (especially sites which check the system info, such as that minimum requirements checker site).
Also, I believe that on IE it doesn't show a warning at all, and just plain downloads it.
Yes, I accidentally clicked the link on the top of the blog. Thanks a lot. >_>