I've got some worm that only comes up when mnsplus is installed

I've got some worm that only comes up when mnsplus is installed by JeanC on 10-10-2008 at 07:34 AM

Hello,

*Please don't click on the link in this post.*

Unbelievable as it may sound, I have some kind of worm that only comes up when MsgPlus is installed. If I remove MsgPlus, it *seems* to be gone, if I install MsgPlus again, it comes back.

Every few minutes it displays the text below in a chat window. It only displays it in a chat with one specific person, I have not seen it in chats with others yet though most of my chats are with that person.
This is the text:

---------------
Hi, ich habe letztens ein paar Seiten gesucht, die kostenlos Klingeltöne, Logos und Games aufs Handy schickt. Download http://sie7ben.si.ohost.de/mufa.xxx
---------------

That is German, note that I am from the Netherlands though.
I have nod32 antivirus installed, a hardware firewall, ad-aware, spybot search and destroy and spywareblaster. Neither of these programs find anything. Note that I scan without MsgPlus installed, as I don't like running with the worm active.

Of course, although the worm does not show up when MsgPlus is not installed that doesn't mean it's still there somewhere.

I'm back on XP after a year of Linux, man what a difference with regard to security.


RE: I've got some worm that only comes up when mnsplus is installed by ShawnZ on 10-10-2008 at 07:48 AM

it's your contact that has the virus, not you. get them to run a virus scan.


RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-10-2008 at 08:25 AM

Hi,

Why do you say so, and why does it come up only if *I* have MsgPlus installed?


RE: I've got some worm that only comes up when mnsplus is installed by ShawnZ on 10-10-2008 at 09:00 AM

well, if a message appears to be coming from a contact, it probably is :p there are many viruses that, when installed, send a message to all of your contacts (from you) trying to get your contacts to install the virus as well. as for the msgplus thing, coincidence? :p


RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-10-2008 at 09:09 AM

I'm sorry but to me this makes no sense. She has the message too. Where it comes from is not clear.
And you haven't satisfied my second question, why does it disappear when *I* deinstall MsgPlus.
Please be more informative instead of some guesses.


RE: I've got some worm that only comes up when mnsplus is installed by ShawnZ on 10-10-2008 at 09:17 AM

quote:
Originally posted by JeanC
I'm sorry but to me this makes no sense. She has the message too. Where it comes from is not clear.
And you haven't satisfied my second question, why does it disappear when *I* deinstall MsgPlus.
Please be more informative instead of some guesses.

who does it say is saying the message? you, or your contact?


RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-10-2008 at 09:36 AM

In my window it says that I say it. My friend is away, I'll ask her when she's back.
Edit: it's from me she says.


RE: I've got some worm that only comes up when mnsplus is installed by Spunky on 10-10-2008 at 10:53 AM

quote:
Originally posted by ShawnZ
Please be more informative instead of some guesses.

They are not guesses. It is always the case that when you start getting messages like this from contacts (or send them to contacts) that it is a virus. If you don't appear to send these messages, then you have it... If you see these messages but your contact does not, then they have it...

As for Messenger Plus! Live being the cause, I'm not 100% sure you know what exactly it is you're dealing with anyway, seeing as you call it a worm and yet have no anti-virus results. Can you please tell me the URL of the site that you downloaded it from? It may be a rogue program pretending to be MP!L but secretly causing damage to your computer.


RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-10-2008 at 03:24 PM

This is the link http://mirror3.msgpluslive.net/MsgPlusLive-470.exe

I installed yet another virus scanner, avast, it finds more stuff than avg, and it has instant messenger protection.
It detected some infections but in old backup files that are not in use anyway.

And it does not detect anything running..

And it's a mystery to me why it only happens when I install MsgPlus.

Note I am not illiterate, being a C programmer for about 25 years. Though I must say the way this is going in Windows with respect to safety, it's getting absurd. I recall the years when virus scanning was something I did when I was bored, now I have constant protection. End of rant.


RE: RE: I've got some worm that only comes up when mnsplus is installed by Vilkku on 10-10-2008 at 03:42 PM

quote:
Originally posted by JeanC
This is the link http://mirror3.msgpluslive.net/MsgPlusLive-470.exe

I installed yet another virus scanner, avast, it finds more stuff than avg, and it has instant messenger protection.
It detected some infections but in old backup files that are not in use anyway.

And it does not detect anything running..

And it's a mystery to me why it only happens when I install MsgPlus.

Note I am not illiterate, being a C programmer for about 25 years. Though I must say the way this is going in Windows with respect to safety, it's getting absurd. I recall the years when virus scanning was something I did when I was bored, now I have constant protection. End of rant.

Well, this doesn't have to be caused by a virus. If you or your friend used an online "block checker" (which requires you to fill in password and email) they gain access to your account and send stuff like that to your contacts. As to why it only happens while you have Plus! installed, that seems strange to me.


RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-10-2008 at 04:01 PM

Edit: the first time I downloaded was from here
http://www.mastaline.com/fwd/MsgPlusLive

The first link I gave is from the second download after I had de-installed the first one.


quote:
Originally posted by Vilkku
quote:
Originally posted by JeanC

Well, this doesn't have to be caused by a virus. If you or your friend used an online "block checker" (which requires you to fill in password and email) they gain access to your account and send stuff like that to your contacts. As to why it only happens while you have Plus! installed, that seems strange to me.

Beats me too.
But as it seems whatever it is, is from my pc, not hers. And I have not been to block checker sites like those for years.

RE: I've got some worm that only comes up when mnsplus is installed by NiteMare on 10-10-2008 at 04:41 PM

do you have any scripts installed, say ones that you didn't get from the msgplus script library?


RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-10-2008 at 05:09 PM

No scripts installed whatsoever.

quote:
Originally posted by NiteMare
do you have any scripts installed, say ones that you didn't get from the msgplus script library?

RE: I've got some worm that only comes up when mnsplus is installed by Felu on 10-10-2008 at 05:19 PM

Ok. First of all uninstall both messenger and Plus! and delete their folders from Program Files. Download them again from http://get.live.com and http://www.msgpluslive.net

Let's see if that solves the problem.


RE: RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-10-2008 at 05:23 PM

I already did that but without deleting the folders.
I will do this tomorrow and get back with results.

quote:
Originally posted by Felu
Ok. First of all uninstall both messenger and Plus! and delete their folders from Program Files. Download them again from http://get.live.com and http://www.msgpluslive.net

Let's see if that solves the problem.

RE: I've got some worm that only comes up when mnsplus is installed by ShawnZ on 10-10-2008 at 08:02 PM

is that the website you got msgplus from originally?


RE: I've got some worm that only comes up when mnsplus is installed by Th3rmal on 10-10-2008 at 10:09 PM

quote:
Originally posted by SpunkyLoveMuff
quote:
Originally posted by ShawnZ
Please be more informative instead of some guesses.

They are not guesses. It is always the case that when you start getting messages like this from contacts (or send them to contacts) that it is a virus. If you don't appear to send these messages, then you have it... If you see these messages but your contact does not, then they have it...

As for Messenger Plus! Live being the cause, I'm not 100% sure you know what exactly it is you're dealing with anyway, seeing as you call it a worm and yet have no anti-virus results. Can you please tell me the URL of the site that you downloaded it from? It may be a rogue program pretending to be MP!L but secretly causing damage to your computer.

erm you quoted the wrong person =/


RE: I've got some worm that only comes up when mnsplus is installed by Dane on 10-10-2008 at 11:43 PM

Interesting file... I submitted the "mufa.exe" file to a few antivirus labs, it's not related to Messenger Plus! Live if it is indeed that file causing the problems. I'll post the results when I get them.


RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-11-2008 at 10:45 AM

progress so far:
I have trouble deleting c:\program files\msn gaming zone
It has a subfolder 'windows' which seems empty but starting up in safe mode there are several files there.
I can delete them but after reboot they are back.
More people are having this problem: http://www.tomshardware.co.uk/forum/57314-35-remove-gaming-zone
I tried the solution from that thread but the folder is still there.
I will first try to get rid of that folder before I install anything msn again.


I can't get rid of that folder.
Tried this http://www.mvps.org/ecvogel/kb/XP_remove_progs.htm
and this http://techrepublic.com.com/5208-6230-0.html?foru...&messageID=2204593

Booted a second time into safe mode, this time there were no files in that folder, deleted the folders, rebooted, and back they were.

I'm gonna reinstall windows next week.
On an afterthought, it could just be that this is one of Microsoft's quirks. The same as with 'c:\program files\xerox' and 'c:\program files\microsoft frontpage' which also seem undeletable.

FWIW I have msn and msgplus installed again at the moment. Did not have any trouble yet, but that friend is not online and I had this only with her...

See how things go..


RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-11-2008 at 04:52 PM

The symptoms seem to have gone away.

As to the role of msgplus I can only conclude that something in it made this thing show up, some vulnerability because really the moment I installed msgplus it showed up and vice versa.

Maybe one could even say be glad it was brought to light this way.

Still gonna reinstall windows though, it boots far too slow to my liking.


RE: I've got some worm that only comes up when mnsplus is installed by Spunky on 10-12-2008 at 01:43 PM

It was not a vulnerability in Plus! It was probably whatever piece of crap is on your computer can't hook onto the WLM process properly and so gets detected...


RE: I've got some worm that only comes up when mnsplus is installed by ShawnZ on 10-12-2008 at 01:48 PM

quote:
Originally posted by SpunkyLoveMuff
It was probably whatever piece of crap is on your computer can't hook onto the WLM process properly and so gets detected...

wtf are you talking about :p


RE: I've got some worm that only comes up when mnsplus is installed by Dane on 10-12-2008 at 08:26 PM

So, I submitted the virus to Symantec, Eset, McAfee, and Trend Micro.  Trend Micro has responded with protection, and has provided the updated pattern file at its website. The new detection is for TROJ_BUZUS.AKK.  It is NOT related to Messenger Plus! Live in any way.

McAfee has now responded with the detection as GENERIC PWS.Y (Trojan) and has provided an updated DAT with detection on 10/10/2008 and suggests updating your virus definitions to detect this threat.

Symantec has now responded with the detection as W32.Kelvir and has issued new virus definitions on October 14th, 2008 protecting against this threat.

quote:
GENERIC PWS.Y Writeup @ McAfee

Overview -

This is a detection for many non-descript password stealing trojans.

Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Characteristics -

This detection covers many nondescript password stealing (PWS) trojans - typically one-off creations that have been received by Avert.  There are many variants of this trojan, and the specific actions taken are decided by the hacker who uses this trojan, so this description is meant as a general guide.

These trojans are designed to search for passwords when run on the victim's system, and return the passwords to the trojan creator. The specific type of password stolen varies from trojan to trojan, but can include the following:

- Local or domain usernames/passwords
- Online banking numbers/username/passwords
- Dial-up numbers/usernames/passwords
- Email servers/usernames/passwords
- Instant Messaging usernames/numbers/passwords
- Online game credentials
- Any passwords typed at the keyboard

This information may be captured by monitoring keystrokes or mouse movement throughout the infected system, or just in particular windows. It may also gather information from registry entries or files on the system. Once this information is gathered, it is sent to the trojan creator. This information is most commonly sent by email, HTTP or IM, to the trojan creator.

Specific features and symptoms of the detected sample will vary.

It is common for trojans to copy themselves to a location where their presence is unobtrusive.  Most commonly, trojans will use the Windows or Windows System Directory (e.g. C:\Windows or C:\Windows\System32).  The trojan may use a stealthy filename to make itself appear to be a valid Windows file, or use a random filename to thwart searches for malicious filenames.  A registry entry may be created to run the malicious file again at Windows startup.


Symptoms -
Password stealers are stealthy by design so most users will not notice that one is installed.  Typically these PWS trojans will attempt to hook the victim computer's registry to load themselves at startup.  Some PWS trojans may have mail clients built in so that they can send logged information to the trojan creator.

Method of Infection -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
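
Added example (not part of the thread or of McAfee's writeup): a PowerShell audit of the startup registry entries the writeup describes, listing every Run/RunOnce value and marking for review any target that sits directly in the Windows or System32 directory without a valid Authenticode signature. `Get-TargetPath` is a hypothetical helper written for this example, and the review flag is a triage hint, not a verdict, since some legitimate system files carry no embedded signature.

```powershell
# Added example: audit Run/RunOnce autorun values (machine-wide and per-user).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the executable path out of an autorun command line.
function Get-TargetPath([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    # Quoted form: "C:\path with spaces\x.exe" /arg
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: take everything up to the first executable extension.
    if ($expanded -match '^\s*(.+?\.(exe|com|scr|bat|cmd))(\s|$)') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

# Directories the writeup names as common hiding places.
$winDirs = @($env:windir, (Join-Path $env:windir 'System32'))

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $path    = Get-TargetPath $command
        # Bare file names and empty values are reported as NotResolved.
        $exists  = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
        $sig     = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'NotResolved' }
        $parent  = if ($exists) { Split-Path -Parent $path } else { '' }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Target    = $path
            Signature = $sig
            # Review hint only: unverified binary sitting directly in a Windows directory.
            Review    = ($winDirs -contains $parent) -and ($sig -ne 'Valid')
        }
    }
}

$results | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```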

RE: I've got some worm that only comes up when mnsplus is installed by JeanC on 10-13-2008 at 08:53 AM

Thanks.
I will try to notify avast too.