#1
MSN Messenger virus
Was surprised about how hard it is to contact Microsoft with reference to this sort of thing. A lot of my friends have recently been infected by a virus spreading itself on msn urging people to click a link to a 'picture' which in reality opens up a dos-file.

"is that you on that photo?!
http://www.sam22.com/photos.php?photo=photo211.jpg"

this is the link that people receive - although I would suggest you not click on it. Just wondering if microsoft had worked out any type of fix? As this has put a lot of mates in a bind.

Thanks

#2
Re: MSN Messenger virus
From: "Smiler" <Smiler@discussions.microsoft.com>

| Was surprised about how hard it is to contact Microsoft with reference to this
| sort of thing. A lot of my friends have recently been infected by a virus
| spreading itself on msn urging people to click a link to a 'picture' which in
| reality opens up a dos-file.
|
| "is that you on that photo?!
| hxxp://www.sam22.com/photos.php?photo=photo211.jpg"
|
| this is the link that people receive - although I would suggest you not
| click on it. Just wondering if microsoft had worked out any type of fix? As
| this has put a lot of mates in a bind.
|
| Thanks

I wouldn't call that a DOS file. In reality it is a Win32 executable renamed as a .PIF file.

There isn't anything that really can be done specifically by Microsoft. However, abuse complaints can be filed to the ISP of
www.sam22.com == 81.4.97.147

http://www.dnsstuff.com/tools/whois....7.147&email=on and file a complaint for hosting malware.
Send your complaints to; abuse@proserve.nl and secure@proserve.nl noting the URL of the above.

Basically this is a simple Social Engineering con. A message that piques your interest but its intent is to infect you.

Complete scanning result of "photo211.pif", processed in VirusTotal at 10/05/2006 00:29:55 (CET).

[ file data ]
* name: photo211.pif
* size: 137216
* md5.: 50f685141c9252a13ece1febd372e491
* sha1: 50c74be39a4bbe966848c89fb874ecf69ffcd31a

[ scan result ]
AntiVir 7.2.0.22/20061004 found nothing
Authentium 4.93.8/20061004 found nothing
Avast 4.7.892.0/20061004 found [Win32:Agent-BNP]
AVG 386/20061004 found [Generic2.DIS]
BitDefender 7.2/20061004 found nothing
CAT-QuickHeal 8.00/20061004 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20061004 found nothing
DrWeb 4.33/20061004 found [Win32.HLLW.Foite]
eTrust-InoculateIT 23.73.13/20061004 found nothing
eTrust-Vet 30.3.3114/20061004 found nothing
Ewido 4.0/20061004 found nothing
F-Prot 3.16f/20061004 found nothing
F-Prot4 4.2.1.29/20061004 found nothing
Fortinet 2.82.0.0/20061004 found nothing
Ikarus 0.2.65.0/20061004 found nothing
Kaspersky 4.0.2.24/20061004 found [Backdoor.Win32.Agent.fs]
McAfee 4866/20061004 found nothing
Microsoft 1.1603/20061004 found nothing
NOD32v2 1.1790/20061004 found nothing
Norman 5.80.02/20061004 found nothing
Panda 9.0.0.4/20061004 found [Suspicious file]
Sophos 4.10.0/20061004 found [Troj/DwnLdr-FSN]
Symantec 8.0/20061004 found nothing
TheHacker 6.0.1.091/20061004 found nothing
UNA 1.83/20061004 found nothing
VBA32 3.11.1/20061004 found nothing
VirusBuster 4.3.7:9/20061004 found nothing

[ notes ]
packers: ASProtect
packers: Aspack

The Sophos module in the below Multi AV Scanning Tool can be used to clean an infected PC.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
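The mismatch described in the post above (a link that shows `photo211.jpg` while the file delivered is a Win32 executable named `photo211.pif`) can be checked mechanically at a mail or web gateway. This is an added example, not part of the original thread; the function names, extension lists and sample bytes are constructed for illustration.

```python
import struct
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlparse

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Extensions Windows treats as programs; .pif is the one seen in this thread.
EXEC_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}


def is_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def advertised_ext(url):
    """Extension the link shows the reader: query values first, then the path."""
    parts = urlparse(url)
    names = [v for vals in parse_qs(parts.query).values() for v in vals]
    names.append(parts.path)
    for name in names:
        ext = PurePosixPath(name).suffix.lower()
        if ext in IMAGE_EXTS | EXEC_EXTS:
            return ext
    return ""


def check_download(url, served_name, body):
    """Return findings for a link that promises an image but delivers a program."""
    findings = []
    shown = advertised_ext(url)
    served = PurePosixPath(served_name).suffix.lower()
    if shown in IMAGE_EXTS and served in EXEC_EXTS:
        findings.append(f"link shows {shown} but server names the file {served}")
    if is_pe(body) and served != ".exe":
        findings.append(f"content is a Win32 PE executable under a {served} name")
    return findings


# Constructed sample bytes (not the real file): a minimal MZ/PE header and a JPEG start.
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 64
# Link from the thread, in the defanged hxxp form used in the post above.
URL = "hxxp://www.sam22.com/photos.php?photo=photo211.jpg"

if __name__ == "__main__":
    for finding in check_download(URL, "photo211.pif", FAKE_PE):
        print(finding)
```

The content check matters more than the name check: a PE header under any non-`.exe` name is flagged even when the served filename looks like an image.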

#3
Re: MSN Messenger virus
Oh ! when I click on it I get a message in Dutch saying:-
This Internet site has been concluded temporarily because of abuse of script

regards, Richard

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:eyeRRWA6GHA.2104@TK2MSFTNGP06.phx.gbl...
> From: "Smiler" <Smiler@discussions.microsoft.com>
>
> | Was surprised about how hard it is to contact Microsoft with reference to this
> | sort of thing. A lot of my friends have recently been infected by a virus
> | spreading itself on msn urging people to click a link to a 'picture' which in
> | reality opens up a dos-file.
> |
> | "is that you on that photo?!
> | hxxp://www.sam22.com/photos.php?photo=photo211.jpg"
> |
> | this is the link that people receive - although I would suggest you not
> | click on it. Just wondering if microsoft had worked out any type of fix? As
> | this has put a lot of mates in a bind.
> |
> | Thanks
>
> I wouldn't call that a DOS file. In reality it is a Win32 executable renamed as a .PIF file.
>
> There isn't anything that really can be done specifically by Microsoft. However, abuse
> complaints can be filed to the ISP of
> www.sam22.com == 81.4.97.147
>
> http://www.dnsstuff.com/tools/whois....7.147&email=on and file a complaint for
> hosting malware.
> Send your complaints to; abuse@proserve.nl and secure@proserve.nl noting the URL of the
> above.
>
> Basically this is a simple Social Engineering con. A message that piques your interest but
> its intent is to infect you.
>
> Complete scanning result of "photo211.pif", processed in VirusTotal at 10/05/2006 00:29:55
> (CET).

#4
Re: MSN Messenger virus
From: "RJK" <notatospam@hotmail.com>

| Oh ! when I click on it I get a message in Dutch saying:-
| This Internet site has been concluded temporarily because of abuse of script
| regards, Richard
|

Abuse messages work ! :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

#5
RE: MSN Messenger virus
I got the same crap! Found the virus and deleted it but now my firewall and the system restore doesn't work!

"Smiler" wrote:
> Was surprised about how hard it is to contact Microsoft with reference to this
> sort of thing. A lot of my friends have recently been infected by a virus
> spreading itself on msn urging people to click a link to a 'picture' which in
> reality opens up a dos-file.
>
> "is that you on that photo?!
> http://www.sam22.com/photos.php?photo=photo211.jpg"
>
> this is the link that people receive - although I would suggest you not
> click on it. Just wondering if microsoft had worked out any type of fix? As
> this has put a lot of mates in a bind.
>
> Thanks

#6
Re: MSN Messenger virus
skeemdrop aka skeemdrop@discussions.microsoft.com in microsoft.public.security.virus <58F44C1C-90FB-404C-A030-1BA4756762F2@microsoft.com> on 11/15/2006 after much thought, came up with this jewel:

> I got the same crap! Found the virus and deleted it but now my
> firewall and the system restore doesn't work!

Get a router with a built in firewall and a real backup program.

max
--
Playing Nice on Usenet: http://oakroadsystems.com/genl/unice.htm#xpost
My Pages:
Virus Removal Instructions http://home.neo.rr.com/manna4u/
Keeping Windows Clean http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help and Tools http://home.neo.rr.com/manna4u/tools.html
Change nomail.afraid.org to gmail.com to reply.
nomail.afraid.org is set up specifically for use in USENET
Feel free to use it yourself.

#7
Re: MSN Messenger virus
Does anyone know if this is a vulnerability with just IE or does FF suffer from the same vulnerability? Thanks.

On 11/15/2006 10:24 AM, something possessed skeemdrop to write:
> I got the same crap! Found the virus and deleted it but now my firewall and
> the system restore doesn't work!
>
> "Smiler" wrote:
>
>> Was surprised about how hard it is to contact Microsoft with reference to this
>> sort of thing. A lot of my friends have recently been infected by a virus
>> spreading itself on msn urging people to click a link to a 'picture' which in
>> reality opens up a dos-file.
>>
>> "is that you on that photo?!
>> http://www.sam22*com/photos*php?photo=photo211*jpg" (LINK OBFUSCATED WITH * FOR SAFETY)
>>
>> this is the link that people receive - although I would suggest you not
>> click on it. Just wondering if microsoft had worked out any type of fix? As
>> this has put a lot of mates in a bind.
>>
>> Thanks

#8
Re: MSN Messenger virus
From: "William" <starrwarz@g_~-clothes-~_m~more_clothes~ail.com>

| Does anyone know if this is a vulnerability with just IE or does FF
| suffer from the same vulnerability. Thanks.
|

Different vulnerabilities as they are made by different vendors.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm