MSN VIRUS, and how to fix it.

Posted by wazu on Dec. 16, 2007, 3:47 p.m.

Okay, there's a virus going around on MSN. - The virus goes like this, *clears throat for an announcement*: "are these your pics?

http://msgrpics.net/?msn=<contact name here>"

I've spent AGES finding out how it all works, it seems nobody has put anything about it on the internet, and it kills any process killers or anti-virus software on its list, which is what prompted me to make a fix of my own.

It replicates itself by sending that link, and can take on any of the following forms:

1. lsass.exe

2. crss.exe

3. services.exe

4. smss.exe

5. winlogon.exe

It stores registry keys in the following locations:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lsass

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\services

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\smss

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\csrss

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winlogon

HKEY_USERS\<user SID here>\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

HKEY_USERS\<user SID here>\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

Anyway, I made a fix for it, and you can download it here: http://www.fileden.com/files/2006/7/21/138833/Fixer.zip

Spent like, 1.5 days making it nice and easy. - The idea is that the virus imitates critical processes so that in dumb old task manager it thinks that it is a critical process also. Trying to close all the critical processes using a BATCH file however, still won't let you close the actual thing, but WILL let you close the imitations. Also, it deletes the registry keys created by the virus so that it cannot run on startup. The files themselves seem to be in a folder which doesn't exist no matter how I try to access them, so fortunately it means you can't run it accidentally.

If it says it didn't work, it just means that you don't have the virus it's looking for, so you could have something else, or it's already deleted the virus. The download includes "psgetsid" by Symantec, a DLL for deleting keys in the registry (which I use to remove the run on startup key for the virus), a simple batch program for closing the processes and outputting the SID into a file, and lastly, the GM file which uses the other files to remove the virus.

Hmm, are you allowed to make virus-removal tools with game maker? - I recall it not being allowed on the GMC… Anyway, try to send that link to anyone who has that virus, and you'll save the world. [/major overstatement]

I hope this helps anyone who accidentally clicked that link and got that MSN virus. I do recommend that you run a virus scan on your antivirus program to remove the traces of the virus, but this will completely stop the virus from working.
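Added here as an illustration of the cleanup the post describes; this is not wazu's Fixer and not code from this thread. The script checks the two things the post identifies: processes named like the critical system processes that are not running from the genuine location, and the per-user autostart values listed above. It assumes that genuine lsass/csrss/services/smss/winlogon run from %SystemRoot%\System32, that the current user's HKCU hive is the HKEY_USERS\<SID> hive the post reaches via psgetsid (so no SID lookup is needed), and the `-Remove` switch is my own addition; without it the script only reports.

```powershell
# Added example, not the Fixer from the post. Run as the affected user in an
# elevated PowerShell. Without -Remove it only reports what it finds.
param([switch]$Remove)

# Image names the post says the worm imitates (without .exe).
$ImitatedNames = 'lsass', 'crss', 'csrss', 'services', 'smss', 'winlogon'
# Assumption: the genuine copies of these processes live in System32.
$System32 = Join-Path $env:SystemRoot 'System32'

# 1. Processes: same name as a system process, but a different on-disk path.
foreach ($proc in Get-Process | Where-Object { $ImitatedNames -contains $_.ProcessName }) {
    $path = $null
    try { $path = $proc.Path } catch { }   # access to the real, protected process is denied
    if (-not $path) {
        Write-Output "[?]  $($proc.ProcessName) (PID $($proc.Id)): path not readable, most likely the genuine protected process"
        continue
    }
    if ($path.StartsWith($System32, [StringComparison]::OrdinalIgnoreCase)) {
        Write-Output "[ok] $($proc.ProcessName) (PID $($proc.Id)) runs from $path"
    } else {
        Write-Output "[!!] $($proc.ProcessName) (PID $($proc.Id)) runs from $path (imitation)"
        if ($Remove) { Stop-Process -Id $proc.Id -Force }
    }
}

# 2. Per-user autostart values the post lists. HKCU is the current user's
#    HKEY_USERS\<SID> hive, so the SID the post extracts with psgetsid is implied.
$Checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Names = 'lsass', 'services', 'smss', 'csrss', 'winlogon' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
       Names = 'load', 'run' }   # normally absent; anything here deserves a look
)
foreach ($check in $Checks) {
    $item = Get-ItemProperty -Path $check.Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }   # key does not exist, nothing to clean
    foreach ($name in $check.Names) {
        $prop = $item.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        Write-Output "[!!] $($check.Key)\$name = $($prop.Value)"
        if ($Remove) {
            Remove-ItemProperty -Path $check.Key -Name $name
            Write-Output "     removed"
        }
    }
}
```

Reporting first and removing only on request mirrors the post's own caveat: a process whose path cannot be read is most likely the real, protected one, and the script leaves it alone rather than attempting to kill anything by name.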

Comments

PY 17 years ago

Pretty cool!

I don't use MSN any more, but if I did, I'd be thanking you now.

wazu 17 years ago

George, that link won't work, it doesn't download unless the link ends with @hotmail.com

So there.

And yeah, thanks for the comment - I probably wouldn't have made the fix if I hadn't accidentally clicked the link *facepalm*

s 17 years ago

Out of interest, how does it force itself upon the victim in infection?

wazu 17 years ago

"are these your pics?

http://msgrpics.net/?msn=<contact name here>"

it spreads in the form of an MSN message, the person clicks the link, and BAM.

Ryan-Phoenixan 17 years ago

Yeah, but when you click on it, it asks you to download something (which is obviously not an image file or zipped folder containing quote pictures), so you can simply hit cancel. :|

F1ak3r 17 years ago

Hit cancel?! LOL. That's not as bad as the virus that came with a readme.

PY 17 years ago

Tell me more?

E-Magination 17 years ago

Lol. That's hilarious. Can you imagine a virus' readme?

=====Instructions====

Click the exe. Everything will be done automatically.

=====Credits======

Scr1ptk1dXXXVIIII pro - virus

give credit if used. Oh no. You can't. BECAUSE YOUR PC WILL NEVER WORK AGAIN

wazu 17 years ago

Well, some sites use an EXE to gather info about the PC to make the page display properly, so people probably thought it was one of those sites (especially sites which check the system info, such as that minimum requirements checker site).

Also, I believe that on IE it doesn't show a warning at all, and just plain downloads it.