Solved

MSN Attack - URGENT

Posted on 2006-05-26
Last Modified: 2009-12-16
infection occurs through MSN messenger.  user receives a message from a friend in their list.  the message has a link.  partial url is http://www.imfriendz.net (not the complete url).  user clicks on it and it downloads a file that causes the infection.  it spreads itself through MSN

link to saved hijackthis log
http://www.hijackthis.de/logfiles/90feb393f2d29872b64f87f86290caa0.html

items listed as "potentially nasty" are not nasty.  it is our domain.

spybot partially detects it, and calls it FakeMSN8Beta, but is unable to completely remove it.  spybot does fix the hosts file, which the infection fills with various security websites and points them all to 127.0.0.1.  infection also disables ability to view hidden files.

ewido finds nothing.

ran scan with Symantec Corporate AV 10.0 with updated definition.  it detected nothing.  called Symantec and they have not heard of it.  sent them data and info for them to research

spybot id's the following
system32\netstat
system32\taskkill
and a registry entry in local_machine\software\microsoft\windows\currentversion\run\csrss

i have checked a non-infected computer and system32\csrss is a valid file, as are netstat and taskkill.  the registry entry is not valid.

ideas?
Question by:zephyr_hex (Megan)
12 Comments
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16773036
run MY recipe:
--------------------
Download and install this
http://www.majorgeeks.com/HijackThis_d3155.html

Then copy the log and paste it in the analyzer
http://www.hijackthis.de/

Analyze the file and POST THE LINK here so that we can take a look at it..

In the mean time, there are several things to apply:

Go to MSCONFIG, START-RUN-type MSCONFIG <enter> then locate any programs you recognize that you can turn off. Note your changes as you may need to re-enter them.  Restart your machine
---------------
Download Ewido, http://www.ewido.net/en/download/, install, open program, check for updates, restart computer, press F8 before windows logo appears, select safe mode, open Ewido, run full system scan. let Ewido delete all it finds, if anything is called serious by Ewido, disable Norton's Goback, and run Ewido again.
---------------
chkdsk /r
--------------
Windowsupdate everything except .NET items
 
LVL 44

Author Comment

by:zephyr_hex (Megan)
ID: 16773108
i have run hijackthis.  i have posted a link to the analyzed log.  i have run ewido.  see my original post above for all that info.  there is nothing in startup that is bad.

i am not connecting these computers to the internet to do windows updates, but they should be up to date because i have auto-updates enabled.
 
LVL 44

Author Comment

by:zephyr_hex (Megan)
ID: 16773168
fyi
i have removed the registry entry that spybot identifies.  spybot is still partially detecting an infection.  it now just lists:
system32\netstat.com
system32\killtask.com

there must be some part of the infection left.

also, one of my users states that spybot is not even fixing his hosts file.

i would hate to put one of these computers on msn to test and see if it's fixed...  is there some other way?
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16773176
"see my original post above for all that info."
Ha!  I just saw the title and Copied and Pasted my solution.

:-)

OK..

Did you uninstall MSN messenger?
Also, check this if NOT done already
"Go to MSCONFIG, START-RUN-type MSCONFIG <enter> then locate any programs you recognize that you can turn off. Note your changes as you may need to re-enter them.  Restart your machine"
 
LVL 44

Author Comment

by:zephyr_hex (Megan)
ID: 16773288
the attack is not limited to the MSN Messenger program.  one of the infected computers runs Trillian, which has the ability to chat with MSN friends.  uninstalling MSN Messenger will not remove the infection.  it's just the method the infection spreads through, i believe.

i have checked msconfig startup items.  all entries are valid.

i think the infection is partially cleaned.  i just don't know if it's fully clean because spybot is still complaining.

when the infection first hit, i had everyone log out of msn messenger.  the infected computers acted normal, other than a browser hijack.  but there were more subtle issues with the infected computers, too.  for one, you could not view hidden files in the folder options.  i would select it, hit accept and ok, and then go back into the folder view options and the setting was back to "do not show" hidden files and folders.  i also suspect this infection disabled system restore because the 2 computers i checked have it disabled.
 
LVL 32

Expert Comment

by:r-k
ID: 16773289
"system32\netstat.com
system32\killtask.com"

Can you confirm that Spybot really says ".com" ?

If so, see if you can locate these two files in the system32 folder.

If you can't see the files with Windows Explorer (even with hidden files option enabled), then  suspect a rootkit.
In that case get and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

If RKR reports anything interesting be sure to save the log to a text file first, you will need it later, and let us know a summary.
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16773319
Ok, zeph...

take the drive out and put it into another computer as a slave (make sure the system is CLEAN & UPdated with latest virus & malware definitions).
Scan that drive...
what happens?
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 16773547
zephyr_hex,

Try these: (If neither helps, there's another one I can think of)

1. Please Download MsnVirRem.exe to your desktop from one of the following mirrors:

http://downloads.malwareremoval.com/MsnVirRem.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item9
http://www.greyknight17.com/spy/MsnVirRem.exe

* First close any other programs you have running as this will require a reboot
* Double click MsnVirRem.exe to run it
* Once open, click the button labelled "Search and Destroy"
      <<Your computer will now be scanned for Infected Files>>
* When scanning is finished you will be prompted to reboot only if infected, Click OK
* Now click the "REBOOT" Button.
* After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
* A Message should popup from MsnVirRem if not, double click the program again and it will finish


2. http://www.jayloden.com/AIMFix.exe
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16773573
It sounds very much like an Alcan worm, though they normally show up in the HJT log but yours didn't.

If none of the above works then this has to be an Alcan worm (based on the "system32\netstat.com" and "system32\killtask.com"):

1. Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

2. then, Download Alcra PLUS Remover.
http://metallica.geekstogo.com/alcanshorty.bfu 
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

3. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon"  and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows.
 
LVL 44

Author Comment

by:zephyr_hex (Megan)
ID: 16773969
irwinpks - yes, spybot said .com on those files, and i looked for them in system32 and did not find them.  i also searched windows folder and did not find those files with a .com ending.

i will try the other suggestions as soon as i can.  all infected computers have been removed from the network/internet, so at least this thing is contained.

earlier this evening, i finally got spybot to show clean results (by removing the registry entry i mentioned above while in safe mode, then reboot and rerun spybot in regular mode).

but... i am not convinced spybot removed the infection completely.  so i will try the suggestions above.  hopefully those suggestions will give some kind of feedback/results which confirm the infection has been completely removed.

thanks for the input.
 
LVL 44

Author Comment

by:zephyr_hex (Megan)
ID: 16779840
the msnvirrem.exe took care of the stuff spybot was missing.
infected files:
c:\windows\system32\byyopef\csrss.exe
c:\windows\system32\byyopef\smss.exe
c:\windows\system32\byyopef\csrss.ini
c:\documents and settings\username\start menu\programs\startup\csrss

the files in system32 were not visible, even with setting folder options to allow viewing of hidden files.  i was able to copy the files to a usb from the command line.  will be submitting them to symantec.

thanks.  i am more confident that the baddie is gone.  i was pretty sure that spybot wasn't getting it all, and this seems to be true.
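The two traits the thread keeps coming back to, a hosts file that redirects security vendors to 127.0.0.1 (question) and a Run value named csrss whose image is not the real system32\csrss.exe (question and the file list in this comment), can be checked offline against exported data. The script below is an added example written for this page, not code from any poster or tool named here; the hosts lines, Run values and the hypothetical byyopef path layout it checks are constructed sample data.

```python
"""Offline checks for two traits the thread describes: a hosts file that
points security-vendor sites at 127.0.0.1, and a Run key value named after
a core Windows process (csrss) whose image is not the real system32 one.
All sample data here is constructed for the example."""
import re

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that are legitimate only as <drive>:\windows\system32\<name>
CORE_PROCESSES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe"}
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)


def suspicious_hosts_entries(hosts_text):
    """Return (hostname, ip) pairs that send a non-localhost name to loopback."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.lower() not in ("localhost", "localhost.localdomain"):
                found.append((name, ip))
    return found


def suspicious_run_entries(run_values):
    """run_values maps Run value names to command strings (a dict exported from
    the HKLM or HKCU Run key). A value is flagged when it is named after a core
    process, or when its image is a core-process name outside system32 itself."""
    core_names = {p.rsplit(".", 1)[0] for p in CORE_PROCESSES}
    flagged = []
    for name, cmd in run_values.items():
        path = cmd.strip().strip('"')
        base = path.rsplit("\\", 1)[-1].lower()
        m = SYSTEM32_RE.match(path)
        in_system32 = m is not None and m.group(1).lower() == base
        if name.lower() in core_names or (base in CORE_PROCESSES and not in_system32):
            flagged.append(name)
    return flagged


HOSTS_SAMPLE = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.symantec.com securityresponse.symantec.com
"""
RUN_SAMPLE = {  # constructed Run key values; ctfmon is the benign control
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "csrss": r"C:\WINDOWS\system32\byyopef\csrss.exe",
}
```

Run it against a real export by reading `%SystemRoot%\system32\drivers\etc\hosts` into `suspicious_hosts_entries` and feeding the Run key's name/value pairs to `suspicious_run_entries`.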
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16781309
So it was a W32.Chod.D worm!
This is the second time that that worm was able to hide from hijackthis scan, I thought it might have been the Alcan worm.

Virus/worm writers are really getting very clever and now ahead of Hijackthis.exe!
