Okay, there's a virus going around on MSN. - The virus goes like this, *clears throat for an announcement*:

"are these your pics?
http://msgrpics.net/?msn=<contact name here>"

I've spent AGES finding out how it all works, it seems nobody has put anything about it on the internet, and it kills any process killers or anti-virus software on its list, which is what prompted me to make a fix of my own.

It replicates itself by sending that link, and can take on any of the following forms:

1. lsass.exe
2. crss.exe
3. services.exe
4. smss.exe
5. winlogon.exe

It stores registry keys in the following locations:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\lsass
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\smss
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\csrss
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\winlogon
HKEY_USERS\<user SID here>\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_USERS\<user SID here>\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

Anyway, I made a fix for it, and you can download it here: http://www.fileden.com/files/2006/7/21/138833/Fixer.zip

Spent like, 1.5 days making it nice and easy. - The idea is that the virus imitates critical processes so that in dumb old task manager it thinks that it is a critical process also. Trying to close all the critical processes using a BATCH file however, still won't let you close the actual thing, but WILL let you close the imitations. Also, it deletes the registry keys created by the virus so that it cannot run on startup. The files themselves seem to be in a folder which doesn't exist no matter how I try to access them, so fortunately it means you can't run it accidentally.

If it says it didn't work, it just means that you don't have the virus it's looking for, so you could have something else, or it's already deleted the virus.

The download includes "psgetsid" by Symantec, a DLL for deleting keys in the registry (which I use to remove the run on startup key for the virus), a simple batch program for closing the processes and outputting the SID into a file, and lastly, the GM file which uses the other files to remove the virus.

Hmm, are you allowed to make virus-removal tools with game maker? - I recall it not being allowed on the GMC…

Anyway, try to send that link to anyone who has that virus, and you'll save the world. [/major overstatement]

I hope this helps anyone who accidentally clicked that link and got that MSN virus. I do recommend that you run a virus scan on your antivirus program to remove the traces of the virus, but this will completely stop the virus from working.
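
The autorun locations listed in the post above can be inspected without changing anything. The following PowerShell is an added example, not part of the original post or of the Fixer download; it assumes it is run as the affected user (so HKCU stands in for HKEY_USERS\<user SID here>), and the variable names are illustrative.

```powershell
# Added example: read-only check for the entries named in the post.
# Nothing is deleted or modified.
$valueNames = 'lsass', 'services', 'smss', 'csrss', 'winlogon'   # Run value names from the post
$procNames  = $valueNames + 'crss'                               # the post also lists "crss.exe"
$findings   = @()

# 1. Per-user Run values named after system processes.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($n in $valueNames) {
    if ($run -and $run.PSObject.Properties[$n]) {
        $findings += [pscustomobject]@{ Where = $runKey; Name = $n; Data = $run.$n }
    }
}

# 2. Legacy per-user "load" and "run" values; flag them when non-empty.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$win = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
foreach ($n in 'load', 'run') {
    if ($win -and $win.PSObject.Properties[$n] -and "$($win.$n)".Trim()) {
        $findings += [pscustomobject]@{ Where = $winKey; Name = $n; Data = $win.$n }
    }
}

# 3. Processes using those names whose image is not under System32.
#    Processes whose path cannot be read (no elevation) are skipped.
$sys32 = (Join-Path $env:SystemRoot 'System32') + '\'
foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    $base = [IO.Path]::GetFileNameWithoutExtension($p.Name)
    if ($procNames -contains $base -and $p.ExecutablePath -and
        -not $p.ExecutablePath.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += [pscustomobject]@{ Where = "PID $($p.ProcessId)"; Name = $p.Name; Data = $p.ExecutablePath }
    }
}

if ($findings.Count) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No matching autorun values or look-alike processes found.'
}
```

A non-empty "load" or "run" value is not proof of infection on its own; the Data column shows what the value points at so it can be reviewed.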
Pretty cool!
I don't use MSN any more, but if I did, I'd be thanking you now.

George, that link won't work, it doesn't download unless the link ends with @hotmail.com
So there.

And yeah, thanks for the comment - I probably wouldn't have made the fix if I hadn't accidentally clicked the link *facepalm*

Out of interest, how does it force itself upon the victim in infection?
"are these your pics?
http://msgrpics.net/?msn=<contact name here>"

It spreads in the form of an MSN message, the person clicks the link, and BAM.

Yeah, but when you click on it, it asks you to download something (which is obviously not an image file or zipped folder containing quote pictures), so you can simply hit cancel. :|
Hit cancel?! LOL. That's not as bad as the virus that came with a readme.
Tell me more?
Lol. That's hilarious. Can you imagine a virus' readme?

=====Instructions====
Click the exe. Everything will be done automatically.
=====Credits======
Scr1ptk1dXXXVIIII pro - virus
give credit if used. Oh no. You can't. BECAUSE YOUR PC WILL NEVER WORK AGAIN

Well, some sites use an EXE to gather info about the PC to make the page display properly, so people probably thought it was one of those sites (especially sites which check the system info, such as that minimum requirements checker site).
Also, I believe that on IE it doesn't show a warning at all, and just plain downloads it.