Yet another MSN Messenger based Virus

Yet another MSN Messenger based Virus by Fergy on 08-22-2005 at 06:54 AM

Not again...

quote:
LMAO! you've got to see this! www.[removed].com/download.php?type=movies&id=3710

My suspicions were confirmed once I got this message 3 times in a 2 minute convo. Do not download anything with a link to a file, unless the contact can clarify what they are saying

This has been identified as:
Win32/Nochod.I worm
(Backdoor.Win32.VBbot.i)

RE: Yet another MSN Messenger based Virus by segosa on 08-22-2005 at 07:36 AM

Well if you give me the full URL I can download it, run it in vmware and see what it is.


RE: Yet another MSN Messenger based Virus by dylan! on 08-22-2005 at 07:43 AM

yep people always say that to me and i say no i dont its a virus :chrongue:


RE: Yet another MSN Messenger based Virus by Fergy on 08-22-2005 at 08:22 AM

quote:
Originally posted by segosa
Well if you give me the full URL I can download it, run it in vmware and see what it is.

sent it

quote:
Originally posted by dylan!
yep people always say that to me and i say no i dont its a virus :chrongue:

my msn contacts often dont know that they have said it, so i always ask when they give me links of that nature

RE: Yet another MSN Messenger based Virus by Dane on 08-22-2005 at 08:25 AM

May I get a copy of that URL too?


RE: Yet another MSN Messenger based Virus by Fergy on 08-22-2005 at 08:40 AM

quote:
Originally posted by Dane
May I get a copy of that URL too?

yes you may!

RE: Yet another MSN Messenger based Virus by Dane on 08-22-2005 at 08:58 AM

Thank you very much.  This virus is, as I just surprisingly found out, related to another virus I submitted to major virus companies earlier this week.

This file has been submitted to Symantec AntiVirus Response Team/Symantec Security Response (Makers of Norton AntiVirus) and McAfee AVERT (Makers of McAfee AntiVirus)


RE: Yet another MSN Messenger based Virus by Fergy on 08-22-2005 at 09:10 AM

thanks
i'm gonna submit it to my virus scanner and a few others


RE: Yet another MSN Messenger based Virus by uberdosis on 08-22-2005 at 09:34 AM

These things wouldnt get around if msn messenger wasnt infested with noobs.


RE: Yet another MSN Messenger based Virus by linx05 on 08-22-2005 at 09:53 AM

NOD32 already detects it with its heuristics


RE: Yet another MSN Messenger based Virus by Pyro on 08-22-2005 at 10:04 AM

someone should find out what is making it say go to {msnvirus.com} or wateva and make a patch for it :p


RE: Yet another MSN Messenger based Virus by Fergy on 08-22-2005 at 03:04 PM

i see what you are saying

a bit off-topic here, but...
somebody could make a plugin which checks for a .txt or any other information file which could contain excerpts of url's, filenames and/or prose used to transmit the virus.

you would have to get user support for a plugin like that however.


RE: Yet another MSN Messenger based Virus by ShawnZ on 08-22-2005 at 03:07 PM

quote:
Originally posted by Fergy
i see what you are saying

a bit off-topic here, but...
somebody could make a plugin which checks for a .txt or any other information file which could contain excerpts of url's, filenames and/or prose used to transmit the virus.

you would have to get user support for a plugin like that however.

it wouldnt be stored in a txt :/

quote:
Originally posted by YA_MUM
someone should find out what is making it say go to {msnvirus.com} or wateva and make a patch for it :p

patch a virus? why not just delete it? :\

RE: RE: Yet another MSN Messenger based Virus by Fergy on 08-22-2005 at 03:10 PM

quote:
Originally posted by ShawnZ
it wouldnt be stored in a txt :/

yeah i know, i was just using it as an example, some sort of file that could contain a blacklist

RE: Yet another MSN Messenger based Virus by ShawnZ on 08-22-2005 at 03:11 PM

quote:
Originally posted by Fergy
quote:
Originally posted by ShawnZ
it wouldnt be stored in a txt :/

yeah i know, i was just using it as an example, some sort of file that could contain a blacklist

Um no, the links are sent live to all the people using it in a botnet over IRC.

www.m00.cx/wiki/index.php/botnets

RE: Yet another MSN Messenger based Virus by Sunshine on 08-22-2005 at 03:22 PM

There is nothing you can do about it besides using common sense (and keep your AV definitions up to date, but that will not protect against new viruses). Seriously, do you want the same thing as with the .pif, MSNM blocking it? Blocking all urls? Because that would be the only thing to prevent these messages.

Most important rule to prevent getting infected:
If the first thing sent in a message is a link, do not click it! Viruses/worms always send messages to all contacts on sign in.

Second thing that will stop it being spread is:
Warn the person you got that message from and if you can provide instructions on how to get rid of it. That person can then get rid of it and send your instructions to the contact he/she got it from.


RE: Yet another MSN Messenger based Virus by Fergy on 08-22-2005 at 03:30 PM

i'm talking about MSN not IRC

say somebody sent you something like this:

quote:
OMGZ! you have 2 check dis out: http://www.reallybadsite.com/with/a/reallybadfile.pif

The plugin would check its blacklist for a match, it finds a match in *.reallybadfile.pif (where * is a wildcard) and alerts you that your contact has been infected with a known virus (this could also inform your contact as well).

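A sketch of the checker proposed in the post above, combined with Sunshine's "first thing sent is a link" rule from earlier in the thread. This is an added example, not part of the original thread or any real Messenger plugin; `check_message`, `BLACKLIST`, `RISKY_EXT` and the `example.invalid` host are assumptions made for illustration.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed blacklist entry. The post writes "*.reallybadfile.pif"; under strict
# glob rules that leading dot never matches ".../reallybadfile.pif", so it is dropped.
BLACKLIST = ["*reallybadfile.pif"]
RISKY_EXT = (".pif", ".scr", ".exe", ".bat")  # assumed list of executable extensions
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


def check_message(text, first_in_conversation):
    """Return (url, reason) findings for one incoming chat message."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,!?)")
        try:
            parsed = urlsplit(url if "://" in url else "http://" + url)
        except ValueError:
            findings.append((url, "unparseable-url"))
            continue
        target = (parsed.netloc + parsed.path).lower()
        if any(fnmatch.fnmatchcase(target, p.lower()) for p in BLACKLIST):
            findings.append((url, "blacklist"))
        elif parsed.path.lower().endswith(RISKY_EXT):
            findings.append((url, "risky-extension"))
        elif first_in_conversation:
            # Sunshine's rule: a link as the very first thing a contact sends
            findings.append((url, "link-as-first-message"))
    return findings


# Constructed sample messages; ROTATED uses a placeholder host
KNOWN = "OMGZ! you have 2 check dis out: http://www.reallybadsite.com/with/a/reallybadfile.pif"
ROTATED = "LMAO! you've got to see this! www.example.invalid/download.php?type=movies&id=3710"

if __name__ == "__main__":
    print(check_message(KNOWN, first_in_conversation=False))
    print(check_message(ROTATED, first_in_conversation=True))
    print(check_message(ROTATED, first_in_conversation=False))
```

The last call returns an empty list: a link that is neither on the static list nor an obvious executable passes once the conversation is under way, which is the gap a blacklist has when the links are changed live.
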
RE: Yet another MSN Messenger based Virus by ShawnZ on 08-22-2005 at 03:41 PM

quote:
Originally posted by Fergy
i'm talking about MSN not IRC

say somebody sent you something like this:

The plugin would check its blacklist for a match, it finds a match in *.reallybadfile.pif (where * is a wildcard) and alerts you that your contact has been infected with a known virus (this could also inform your contact as well).


I meant irc as in thats where the virus gets the new link from.

RE: Yet another MSN Messenger based Virus by Fergy on 08-22-2005 at 03:51 PM

ahh yeah, got it!


RE: Yet another MSN Messenger based Virus by Dane on 08-23-2005 at 02:20 AM

REMINDER: Microsoft provides FREE virus removal over the telephone.  1-866-PCSAFETY or 1-866-727-2338
This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada.

On another note, The related virus I was talking about, McAfee has provided an EXTRA.dat for detection of a virus that is related to this one.  A fix for this virus has not yet been issued by McAfee, this is simply a fix for the related virus.

Simply copy the EXTRA.dat to your McAfee Program Directory

I have attached the zip file containing EXTRA.DAT.

-----------------------------------------

The file Fergy originally spoke of is Backdoor.Tixanbot.  The virus also has been known to spread as saying something along the lines of "Download the msn plus update! {url here}"

Update: Symantec Security Response has just issued Beta Virus Definitions (RapidRelease) that include protection for the original threat in this thread. Download them here


RE: Yet another MSN Messenger based Virus by Max on 08-23-2005 at 09:48 AM

Thanks for that Dane and Fergy. :)


RE: RE: Yet another MSN Messenger based Virus by CookieRevised on 08-23-2005 at 10:28 AM

quote:
Originally posted by Fergy
i'm talking about MSN not IRC

say somebody sent you something like this:
quote:
OMGZ! you have 2 check dis out: http://www.reallybadsite.com/with/a/reallybadfile.pif
The plugin would check its blacklist for a match, it finds a match in *.reallybadfile.pif (where * is a wildcard) and alerts you that your contact has been infected with a known virus (this could also inform your contact as well).

the initial idea has some potential in it. But it needs to be made pretty solid and by someone who knows what he is doing.

In order to let it work and make a difference (other than just a local plugin which you use and update) it needs to get widespread. AND it needs to be able to update/correct itself on a very regular basis with new threads or updated info.

Also, great thought needs to be put into the control panel of such a plugin. eg: selecting your own response messages is good language wise, but it isn't so good when it comes down to informing users, as many will not know how to solve/get rid of such viruses and give the wrong instructions (see the block-checker thread on mess.be for a good example of this)....

RE: Yet another MSN Messenger based Virus by Ezra on 08-23-2005 at 11:06 AM

Panda Software also knows about this virus :), If your definitions are before 21 aug then update them else you are safe :-)

Information about the virus from Panda


RE: Yet another MSN Messenger based Virus by vincerooney on 08-23-2005 at 01:43 PM


anyone know a scanner to get rid of this virus?



Did you know you can find out who blocked you on MSN? Check it out, it's free http://www.********.com

I'm being sent it by all my contacts and its getting annoying as heck. anyone know any way to remove it?


RE: Yet another MSN Messenger based Virus by CookieRevised on 08-23-2005 at 01:52 PM

quote:
Originally posted by vincerooney
anyone know a scanner to get rid of this virus?
Did you know you can find out who blocked you on MSN? Check it out, it's free http://www.********.com

Please search before posting... There is already a very recent and complete thread about it, here...


quote:
Originally posted by CookieRevised
How to remove the "Block Checker" malware correctly

[SNIPPED]

Please see CookieRevised's reply to 'Block Checker malware' for an updated version of removal instructions.

For those who want to refer to this, this is the link:
http://shoutbox.menthix.net/showthread.php?tid=49089&pid=517501#pid517501



RE: Yet another MSN Messenger based Virus by vincerooney on 08-23-2005 at 01:56 PM


ah sorry i searched for it on the msn messenger forum instead. apologies.


RE: Yet another MSN Messenger based Virus by CookieRevised on 08-23-2005 at 01:58 PM

[OFF TOPIC]

quote:
Originally posted by vincerooney
ah sorry i searched for it on the msn messenger forum instead. apologies.

No worries... but never specify which forum to search, always search all forums (unless you know exactly where it was specifically posted); this goes for all types of searches on all forums on the net and even searchbots like Google and the likes. If you do that, then you will find far more matches. It is only then (when there are too many matches or too many wrong ones) that you could specify further ;)
[OFF TOPIC]

RE: Yet another MSN Messenger based Virus by Fergy on 08-23-2005 at 07:21 PM

quote:
Originally posted by CookieRevised
(see the block-checker thread on mess.be for a good example of this)....

ouch, that's bad, perhaps some screenshots may help them understand a bit better.

RE: Yet another MSN Messenger based Virus by Max on 08-23-2005 at 07:24 PM

Hmmm... MsgShit.com is trying to cash in for something that doesn't work with their own so called Block Checker :dodgy:


RE: Yet another MSN Messenger based Virus by Fergy on 08-23-2005 at 07:26 PM

oh how many people will fall for that one...


RE: Yet another MSN Messenger based Virus by Dane on 08-23-2005 at 08:11 PM

quote:
Originally posted by CookieRevised
the initial idea has some potential in it. But it needs to be made pretty solid and by someone who knows what he is doing.

In order to let it work and make a difference (other than just a local plugin which you use and update) it needs to get widespread. AND it needs to be able to update/correct itself on a very regular basis with new threads or updated info.

Also, great thought needs to be put into the control panel of such a plugin. eg: selecting your own response messages is good language wise, but it isn't so good when it comes down to informing users, as many will not know how to solve/get rid of such viruses and give the wrong instructions (see the block-checker thread on mess.be for a good example of this)....

I could write definitions for such a program if someone could actually code it, im not great with programming.