login | register | shoutbox

 What happened to the Messenger Plus! forums on msghelp.net?
Shoutbox » MsgHelp Archive » Skype & Technology » Skype & Live Messenger » msn virus

msn virus
Author: Message:
CookieRevised
Elite Member
*****

Avatar

Posts: 15517
Reputation: 173
– / Male / Flag
Joined: Jul 2003
Status: Away
RE: msn virus
quote:
Originally posted by cam92
okay so i dont remember clicking on anything bad to get a virus
You got infected by downloading and executing some dodgy file or clicking on some dodgy link (and then executing the downloaded file) though.

Anyways, there are many variants of such malware.

The one listed by you is a Visual Basic 6.0 program, created on a Vista/Win7 machine, signed by "MattNet" and "Malware Farms"
The creator is called Matt btw.

A quick look at the pseudo code shows it is a variation of the one reported here.

Anti-Malware from Malwarebytes is reported to be able to remove it. Although, since this seems to be a new variation, the anti-malware program might not detect it or be able to remove it completely (see Threatexpert link below).

-----------

Some reports indicate it creates the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "%AppData%\hvex.exe"
Where hvex can be hvex, image_001, and other goofy names.

And it creates files here:
%AppData%\hvex.exe
%Temp%\MLLklhghDJ.log
eg:
C:\Documents and Settings\username\Application Data\hvex.exe
C:\Documents and Settings\username\Local Settings\Temp\MLLklhghDJ.log

Where hvex can be hvex, image_001, and other goofy names.
And MLLklhghDJ can be other random names like chdkCJLDF6 or bNNm8jhje7, BcKeIE1KMJ, etc.
Also note that the log file is not a real log file but actually a DLL file used by the malware.

-----------

I've submitted the file to Threatexpert and this is the report:
http://www.threatexpert.com/report.aspx?md5=234ed...32cf2f4d9bad48fd48
and
http://www.threatexpert.com/report.aspx?md5=f4ec7...6f16e4d035f56fb391

Apparently, it creates even more files and registry entries than I could determine from quickly reading the source.
Make sure you check all of those files and registry entries!

EDIT: WTF? the report has been cut down... It showed far more 'stuff' than it does now :dodgy:
Because of this, I'll attach both full reports (for the original exe file, and the one which is downloaded from the first) to this post instead, see attachment.

EDIT: Other variants: http://www.threatexpert.com/reports.aspx?find=hvex.exe
-----------

After you've successfully removed the malware completely, do not forget to change your password and alternative question for your Windows Live ID!!!

.zip File Attachment: reports.zip (29.65 KB)
This file has been downloaded 87 time(s).

This post was edited on 07-26-2010 at 06:03 PM by CookieRevised.
.-= A 'frrrrrrrituurrr' for Wacky =-.
07-26-2010 09:52 AM
Profile PM Find Quote Report
« Next Oldest Return to Top Next Newest »

Messages In This Thread
msn virus - by cam92 on 07-20-2010 at 12:55 PM
RE: msn virus - by Menthix on 07-20-2010 at 12:56 PM
RE: msn virus - by cam92 on 07-20-2010 at 01:01 PM
RE: msn virus - by matty on 07-20-2010 at 01:18 PM
RE: msn virus - by cam92 on 07-20-2010 at 03:04 PM
RE: msn virus - by Vamprant on 07-25-2010 at 05:11 AM
RE: msn virus - by CookieRevised on 07-26-2010 at 09:52 AM
RE: msn virus - by Vamprant on 07-26-2010 at 04:05 PM
RE: msn virus - by lavey92 on 07-29-2010 at 12:57 PM


Threaded Mode | Linear Mode
View a Printable Version
Send this Thread to a Friend
Subscribe | Add to Favorites
Rate This Thread:

Forum Jump:

Forum Rules:
You cannot post new threads
You cannot post replies
You cannot post attachments
You can edit your posts 		HTML is Off
myCode is On
Smilies are On
[img] Code is On