Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 
New MSN virus on the run

 
franthy
Junior Member


Joined: 09 Aug 2006
Last Visit: 25 Feb 2008
Posts: 40
Location: Denmark

Posted: Sun Sep 17, 2006 3:09 pm    Post subject: New MSN virus on the run

Hi There:)
Be careful with your messenger. There's a new MSN virus on the run. If you get a link which looks like this, please don't click on it. It's adware and spreads out to all your contacts!!

Messages you can get from Messenger contacts:
huh Neutral wow... its u on that photo right?!?
or
eh Razz, bist du das auf dem foto???

hxxp://wwx.uglyphotos.net/photo223.PIF
xx is for tt and W

The message and link pop up automatically and seem to be sent from one of your friends, but they aren't.

By clicking on this link you'll be guided to some photos which activate the viruses if you open them.
The threat will install over 30 different viruses and some other fake programs on your computer, which makes the computer more or less useless.


If you have Kaspersky Antivirus installed you will be very well protected.

If you get infected you can remove the infection with SUPERAntiSpyware or Ewido:

http://www.superantispyware.com/

The worm which is on the run is Worm/Braban.H:

http://www.avira.de/en/threats/section/fulldetails/id_vir/2621/worm_braban.h.html

When you click on the link, all the contacts in your address list will get the link. Your computer will be slow and you'll lose control over your PC.

Btw, this threat has been able to deactivate several antivirus programs.


This infection has been seen in huge numbers over the past days in e.g. Germany, Denmark and Norway.

Info update:
Another worm which has been seen is Worm.Licat.c

I can't find any info about Worm.Licat.c

and 888 Toolbar has also been seen

You'll have to use the following tools to fix this threat:

1. ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
2. http://www.superantispyware.com/
3. http://www.ewido.net/en/ (Demo download)
4. Hijackthis

Also, you have to uninstall Messenger because the exe file in Messenger will be terminated by the threat:
C:\Programs\MSN Messenger\msnmsgr.exe --> Worm.Licat.c

At the moment I have only seen reports on this threat in the news and in forums in the following countries so far: Germany, The Netherlands, Denmark, Norway and Sweden. At the moment no info has been given about how quickly this threat is spreading to other countries.

No info about Worm.Licat.c has been found yet.

Please be careful out there


kind regards
Franthy
franthy
Junior Member


Joined: 09 Aug 2006
Last Visit: 25 Feb 2008
Posts: 40
Location: Denmark

Posted: Tue Sep 19, 2006 4:08 am

Hi again

Latest news about the threat:
The MSN worm is no longer active after the website uglyphotos.net was closed down last night. But this doesn't mean that the danger is over. The creator of the worm is still able to activate the website again and then the worm will be as dangerous as it was before.
Therefore please don't click on any unknown weird messages or links given to you in MSN Messenger and keep your security software updated.

with kind regards
Franthy
DK
nosirrah
Warrior


Joined: 30 Aug 2006
Last Visit: 16 Jul 2007
Posts: 160

Posted: Tue Sep 19, 2006 6:01 am

These threats have a history of popping up on legit sites that have been hacked. The last version of the AIM virus that I worked on involved several hacked websites and socially engineered messages prompting the recipient to "check out a cool video". The hacked page then prompted the recipient to download and install the latest version of flash from the hacked page. The file was even named flash.exe.


A good rule of thumb is to never click links within IM windows of any chat program. Instead PM the person back and ask if they just sent you a PM. If they did not, then have them update their security software and run a scan and send them here for help.
franthy
Junior Member


Joined: 09 Aug 2006
Last Visit: 25 Feb 2008
Posts: 40
Location: Denmark

Posted: Tue Sep 19, 2006 9:42 am

Quote:
A good rule of thumb is to never click links within IM windows of any chat program. Instead PM the person back and ask if they just sent you a PM. If they did not, then have them update their security software and run a scan and send them here for help.


@nosirrah

I really do agree with you
franthy
Junior Member


Joined: 09 Aug 2006
Last Visit: 25 Feb 2008
Posts: 40
Location: Denmark

Posted: Thu Sep 21, 2006 6:36 am

Thursday 4.33 pm local time:
Arrrrrrrrrrrrrrrgh!!! The MSN worm is back with a new link and a new face. The creator has opened the site uglyphotos.net again. This time the message and link look like this:

Message:
"check peolol checkpeopleonline.pe.funpic.de/p*******.PIF"

Link: "pleonline.pe.funpic.de/p*******.PIF"

This time the worm e.g. deactivates all security settings in IE and installs a new toolbar.

At the time of writing, experts are working at high speed testing the worm. So far only 7 out of 27 tested antivirus programs are able to detect and deactivate the worm.

No info has been given yet about which country it comes from or where it has spread.

So again, up with the shields!
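
Added example (not part of any poster's message, and not code from the forum): a small Python check that flags links in chat messages whose path ends in an extension Windows runs as a program, like the .PIF lures quoted in this thread. The sample messages, the example.test hosts, the extension set and the photo-hint word list are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Extensions Windows treats as programs; .pif is the one used by the lures in this thread.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
# Words that dress a link up as a picture (assumption: tune for your own data).
PHOTO_HINTS = ("photo", "foto", "pic", "image")

# Matches full URLs (including defanged hxxp) and bare host/path links.
LINK_RE = re.compile(r"(?:h(?:tt|xx)ps?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}/\S+", re.I)


def refang(link):
    """Normalise a defanged or scheme-less link so urlsplit can parse it."""
    link = re.sub(r"^hxxp", "http", link, flags=re.I)
    if "://" not in link:
        link = "http://" + link
    return link


def inspect_message(text):
    """Return one finding per link in the message that points at an executable."""
    findings = []
    for match in LINK_RE.finditer(text):
        raw = match.group(0).rstrip(".,!?)\"'")
        parts = urlsplit(refang(raw))
        path = parts.path.lower()
        ext = posixpath.splitext(path)[1]
        if ext not in EXECUTABLE_EXTS:
            continue
        haystack = " ".join((parts.netloc, path, text)).lower()
        findings.append({
            "link": raw,
            "host": parts.netloc.lower(),
            "ext": ext,
            # True when the message or link pretends to be a picture.
            "photo_lure": any(hint in haystack for hint in PHOTO_HINTS),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample messages modelled on the lures described in the thread.
    samples = [
        "wow... its u on that photo right?!? hxxp://files.example.test/photo223.PIF",
        "check this checkpeople.example.test/p1234.PIF",
        "holiday pictures http://photos.example.test/album/beach.jpg",
    ]
    for message in samples:
        print(message, "->", inspect_message(message))
```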
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 23 Sep 2014
Posts: 10329
Location: sunny California

Posted: Thu Sep 21, 2006 8:11 am

Thanks for the info. Most interesting.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
franthy
Junior Member


Joined: 09 Aug 2006
Last Visit: 25 Feb 2008
Posts: 40
Location: Denmark

Posted: Thu Sep 21, 2006 10:21 am

More info about the first threat:
http://digg.com/security/Uglyphotos_net_the_Newest_Worm_for_MSN_Messenger

http://maximerousseau.com/?p=54
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Thu Sep 21, 2006 10:45 am

Looks like this guy has rented a dedicated server for spreading this crap:

uglyphotos.net resolves to 69.64.36.26
RDNS resolves to air326.startdedicated.com

Looking up startdedicated.com reveals that LARTs should be sent to server4you.com, because that's the actual hosting company.

Domains on air326.startdedicated.com:
bbij.com
bzcu.com
cheapbags.info
poorok.com
uglyphotos.net
yluz.com

Following one of the email addresses that were used as whois contact leads to a freehost site that apparently had been used for spreading the virus before the BOfH put an end to this:
http://photos.ogre.nl/

What makes me wonder, though, is that all the domains are still alive. It seems that so far no one has complained there.
franthy
Junior Member


Joined: 09 Aug 2006
Last Visit: 25 Feb 2008
Posts: 40
Location: Denmark

Posted: Fri Sep 22, 2006 6:03 am

I have found some further reading about the first threat over at offensivecomputing.net.

http://www.offensivecomputing.net/?q=node/278

We have not got further information about the second threat so far.
franthy
Junior Member


Joined: 09 Aug 2006
Last Visit: 25 Feb 2008
Posts: 40
Location: Denmark

Posted: Thu Sep 28, 2006 1:48 am

Latest from Kaspersky

New alert!: Sep 27.
http://www.viruslist.com/en/weblog?weblogid=199850358

http://www.viruslist.com/en/weblog?weblogid=199354341
http://www.viruslist.com/en/weblog?weblogid=199850358