Weird Chinese link
Weird Chinese link by BooGhost on 09-14-2004 at 04:32 AM
OK, here (Peru) some ppl have got infected by a weird virus/worm that makes them send a sentence at the end of each message they send by MSN.
The weird Chinese sentence is:
如果您寂寞、空虛...<link here>紅袖視覺.影音女優
(Chinese symbols not displayed, view screeny)
Translation:
If you lonely, are void...<link here> red sleeve vision The video and music female is superior
If you open the link you'll get infected
i tried but nothing happened. i told Chrono, and he got it.
DO NOT OPEN IT
the link is "http://www.xf2s.com/msn/wode.jpg" i have advertised you, don't blame me if you get it too
i downloaded the image it's a text:
<html>
<iframe src="news.htm" width="0" height="0" frameborder="0"></iframe>
<center><img src="1.jpg"></center>
<html>
i downloaded then http://www.xf2s.com/msn/1.jpg
it's a real image
i don't really get it..... so if anybody wants to take a look..... tell me if you get any info on how to take it off and how it works
here a screeny of Chrono infected:
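The first post shows that the file served as wode.jpg is HTML carrying a zero-size iframe that loads news.htm. A way to check a download for that mismatch, as an added example that is not part of the thread (the function and class names are hypothetical, and both samples are constructed from the markup quoted above):

```python
"""Added example: flag a '.jpg' download that is really HTML with a hidden iframe."""
from html.parser import HTMLParser

JPEG_MAGIC = b"\xff\xd8\xff"  # a JPEG starts with the SOI marker followed by a segment marker


class _IframeFinder(HTMLParser):
    """Collects the src of iframes whose width or height is zero (invisible to the user)."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # Normalise values such as "0", "0px" and "0%" to a bare number string.
        a = {k: (v or "").strip().rstrip("px%") for k, v in attrs}
        if a.get("width") == "0" or a.get("height") == "0":
            self.hidden.append(a.get("src", ""))


def inspect_download(name, data):
    """Compare what the file name claims with what the bytes actually are."""
    claims_image = name.lower().endswith((".jpg", ".jpeg"))
    is_jpeg = data.startswith(JPEG_MAGIC)
    finder = _IframeFinder()
    if not is_jpeg:
        # Not a JPEG: parse it as markup and look for invisible frames.
        finder.feed(data.decode("latin-1"))
    return {
        "extension_mismatch": claims_image and not is_jpeg,
        "hidden_iframes": finder.hidden,
    }


# Constructed sample: the markup quoted in the post, as bytes.
SAMPLE_WODE = (b'<html>\n<iframe src="news.htm" width="0" height="0" frameborder="0">'
               b'</iframe>\n<center><img src="1.jpg"></center>\n<html>\n')
# Constructed sample: the leading bytes of a genuine JFIF file.
SAMPLE_REAL = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(inspect_download("wode.jpg", SAMPLE_WODE))
    print(inspect_download("1.jpg", SAMPLE_REAL))
```

The check only covers width/height attributes; frames hidden through CSS would need a separate rule.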
RE: Weird Chinese link by WDZ on 09-14-2004 at 04:36 AM
¬_¬
http://forums.happy-messaging.com/discus/messages/35/3014.html
RE: Weird Chinese link by BooGhost on 09-14-2004 at 04:40 AM
wait.... which one of them is the solution, i guess the second one?
RE: Weird Chinese link by WDZ on 09-14-2004 at 04:44 AM
I dunno what the fix is. The virus sounded interesting, so I did some searching and found that.
I don't think there's anything dodgy about 1.jpg, but news.htm has its source encoded...
<!--The page is protected by HTMLShip XP(Unregistered Version)-->
RE: Weird Chinese link by BooGhost on 09-14-2004 at 04:46 AM
ye i saw that too...... i thought it was L337 writing (j/k)
but i mean how can it do so much stuff....... weird... me wants to make one to........
RE: Weird Chinese link by Chrono on 09-14-2004 at 04:53 AM
well yeah, kinda annoying as the infected guy (in this case, me) wont notice it. i didnt receive the messages in Chinese.
WDZ's link contains the solution
How to remove it (from wdz's link):
1.go to Run -> regedit
2.go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3.after there, remove "realone_nt2003" and "realone_nt2004"
4.then, go to C:\Windows\System32
5.find and remove "MONIKER.EXE", "SYSLRAY.EXE", "HKT1.DLL"
- (is sys"L"ray, not sys"T"ray, be careful)
- (if u cannot remove moniker.exe or syslray.exe, u ctrl+alt+del, go to process, u end the process of these two)
it says u have to uninstall/reinstall msn, but i didnt do that
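The removal steps above name two Run-key values and three System32 files, one of which (SYSLRAY.EXE) differs from the legitimate SYSTRAY.EXE by a single letter. The following added example, not part of the thread, matches those indicators against two listings and flags any name one edit away from a known binary; the allow-list, function names and sample listings are assumptions constructed for illustration:

```python
"""Added example: match the thread's indicators and flag look-alike binary names."""
# Indicators exactly as listed in the removal steps (compared case-insensitively).
RUN_VALUES = {"realone_nt2003", "realone_nt2004"}
FILES = {"moniker.exe", "syslray.exe", "hkt1.dll"}
# Assumption: a short allow-list of genuine Windows binaries to compare against.
KNOWN_GOOD = {"systray.exe", "svchost.exe", "explorer.exe", "lsass.exe"}


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(names):
    """Map each name that is exactly one edit from a known-good binary to that binary."""
    out = {}
    for n in (x.lower() for x in names):
        if n in KNOWN_GOOD:
            continue  # the genuine file itself is not a look-alike
        for good in KNOWN_GOOD:
            if edit_distance(n, good) == 1:
                out[n] = good
    return out


def triage(run_value_names, system32_names):
    """Report indicator hits and look-alike names from the two listings."""
    files = {n.lower() for n in system32_names}
    return {
        "run_hits": sorted(RUN_VALUES & {n.lower() for n in run_value_names}),
        "file_hits": sorted(FILES & files),
        "lookalikes": lookalikes(files),
    }


# Constructed listings standing in for the Run key's value names and a System32 directory.
SAMPLE_RUN = ["ctfmon.exe", "realone_nt2003", "realone_nt2004"]
SAMPLE_SYS32 = ["SYSTRAY.EXE", "SYSLRAY.EXE", "MONIKER.EXE", "HKT1.DLL", "svchost.exe"]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_SYS32))
```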
RE: Weird Chinese link by Mnjul on 09-14-2004 at 09:29 AM
Thanks DZ and Chrono for providing such solution...now I can finally help my friends
BooGhost, the Chinese characters are about porn. It's a ...eh, a shame, that it seems to be developed in Taiwan ...
RE: Weird Chinese link by jexx on 09-17-2004 at 08:26 PM
hi chrono ,
i tried ur method
but until the last stage , the two files cant be deleted cos it says windows need it to run..
then i tried alt+ctrl , delete ..i cant find process.
pls advise again
thanks
RE: Weird Chinese link by Chrono on 09-17-2004 at 09:58 PM
quote: Originally posted by jexx
i tried ur method
but until the last stage , the two files cant be deleted cos it says windows need it to run..
then i tried alt+ctrl , delete ..i cant find process.
pls advise again
thanks
are u sure u are trying to delete sysLray and not sysTray??
RE: Weird Chinese link by jexx on 09-17-2004 at 10:18 PM
yes ....i follow everything
but when i delete them .. a pop up will say cant delete it windows need it to run..
i ctrl alt delete
but cant see them inside nor the word process
pls help
i aredi delete the "realone_nt2003" and "realone_nt2004"
but then stuck there
the later part all cant
pls advise asap
RE: Weird Chinese link by Chrono on 09-17-2004 at 10:27 PM
err well i dunno
go to C:\Windows\System32 or C:\WINNT\System32 or simply go to start > search > and search for the following files:
"MONIKER.EXE", "SYSLRAY.EXE", "HKT1.DLL"
Before trying to delete them, make sure u end the process (ctrl alt del, then search for these files in the list).
Now if u cant find them, then u aint infected
if u cant delete them, tell us which file is the one u cant delete.
As i was able to do it at the first try, i dunno if ill be able to help u..
RE: Weird Chinese link by jexx on 09-18-2004 at 04:56 AM
haha
i m so happy
i did this
to remove it (from wdz's link):
1.go to Run -> regedit
2.go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3.after there, remove "realone_nt2003" and "realone_nt2004"
4.then, go to C:\Windows\System32
5.find and remove "MONIKER.EXE", "SYSLRAY.EXE", "HKT1.DLL"
however i cant delete it initially , always pop up a box saying windows need it to run.
i cant find the word process after i alt, ctrl, delete .. too
oni manage to delete the two files
"realone_nt2003" and "realone_nt2004"
after trying many times , i use ad ware programme to scan again , then delete watever virus is there
then use spybot to scan n delete every virus
then i use spysweeper to scan n delete all virus..
then i go back and try deleting the
"MONIKER.EXE", "SYSLRAY.EXE"
this time it works
the pop up did not appear n i can delete it
after which i uninstall n re install msn
the URL attachment with the asian ger is gone...
try it
i think i have managed to solve it
its wat windz said
the oni thing is when i try deleting
"MONIKER.EXE", "SYSLRAY.EXE"
in the first place
a pop up stating tat windows need it to run n i cant delete it
but after scanning with ad ware , spybot , spysweeper programme
i try it again
this time i can delete those 2 files..
i uninstall n reinstall msn
and the stupid URL signature is no longer there
try it
hopes it can help those who have not solve it
thanks
RE: Weird Chinese link by lhunath on 09-18-2004 at 08:27 AM
<SCRIPT>
onload=(new
ActiveXObject("scripting.filesystemobject")).CreateTextFile("out.htm",
true).WriteLine(document.body.innerHTML);
</SCRIPT>
Is what the encrypted script says.
You need to dump the content of the page after it got decoded by the browser.
RE: Weird Chinese link by Mario Achkar on 09-18-2004 at 06:44 PM
I got infected too but i was able to delete it , that virus was getting on my nerves , i had to translate a page because of it! i advise u to delete all ur temporary internet files in internet explorer before doing all that cause the primary virus might be still there. this is a big security hole and i think it should be fixed quickly...
RE: Weird Chinese link by lhunath on 09-18-2004 at 06:55 PM
Bluergh, I'm in a mean mood, so don't take what I'm saying now personal, I'm just joking about:
quote: Originally posted by Mario Achkar
I got infected too
Serves you right. I hope one day a virus is released which disintegrates every single pc opening it with IE.
Anyhow, I don't use IE, so bite me, virus.
RE: Weird Chinese link by Mario Achkar on 09-18-2004 at 07:01 PM
lol ie was my default navigator but i never use it i always use mozilla firefox but i clicked that stupid link by mistake and it opened up with ie! stupid windows internet explorer .
RE: Weird Chinese link by lhunath on 09-18-2004 at 07:11 PM
quote: Originally posted by Mario Achkar
lol ie was my default navigator but i never use it i always use mozilla firefox but i clicked that stupid link by mistake and it opened up with ie! stupid windows internet explorer .
Heh, then it's best to set your IE security settings to Very High, as lots of other applications use IE's web engine, and it's safest like that.
RE: Weird Chinese link by Dane on 09-18-2004 at 07:13 PM
Virus Submitted to McAfee Avert (will be issued in a DAT Update Shortly) as well as to Symantec Security Response
</resident virus geek>
RE: Weird Chinese link by Dane on 09-25-2004 at 01:53 PM
The virus is now detected by Symantec Products with the Virus Definitions after 9/22/04.
A writeup for W32.Snone.A by Symantec is now available at http://securityresponse.symantec.com/avcenter/ven...a/w32.snone.a.html
RE: Weird Chinese link by RebelSean on 09-25-2004 at 02:30 PM
Question...I read the thread and didn't see the answer to it, but how do you get infected by it? Meaning like how would you get it on your computer?
RE: Weird Chinese link by Dane on 09-25-2004 at 02:34 PM
Just viewing the picture can infect you!!! If you're infected, you won't know, only your contacts will see a Chinese link under your last message.
RE: Weird Chinese link by RebelSean on 09-25-2004 at 02:46 PM
Well I guess I aint got it.....Thank god
RE: Weird Chinese link by Mario Achkar on 09-25-2004 at 04:31 PM
U can only get infected if ur using ie , and u don't have the patch installed : http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx lol , the virus can't do anything to me now