Thursday, January 10, 2008

Latest MSN messenger Worm/virus spreading like wildfire

What are MSN messenger Worms?
How to recognize them?
How to remove them?
How to prevent them?

What are MSN messenger Worms?

Any kind of worms/virus spreading through the use of Microsoft's IM client Windows Live Messenger/Msn Messenger, is MSN messenger worms/Virus. Normally what happens is if the system is infected with MSN messenger worms/virus, the only threat is that user's information is at risk. Previously, I've seen vicious worms which could transmit the data from the infected computer to worm writers. Besides, the threat level is low unless you don't share important informations across the MSN contacts.

How come latest Antivirus softwares are not detecting them?
Antivirus is not always the solution for variant nature of worms/virus which use IM networks(protocol). I'm writing variant nature, because, everytime, the worm writer puts the new name to it's worm. So, the worm gets new name more often and it goes undetected even by latest Antivirus softwares. After all, IM networks are made to share information and files.

How to recognize them?
-If all of a sudden, your friends(in IM) start asking you about the stuffs you never sent them. (Normally, they'll ask you 'have you sent me some links or photos' if they are smart enough, else they would click/open blindly)
-If you are feeling computer is getting slow(because, they do consume memory and they stay in memory, so they are memory resident)
NOTE: You may never know what's going on under your nose unless someone notifies you.

OR

if you are not infected but your friends whose computer is infected might send you with alluring texts or words without his consent.
"Hey, i've an interesting pictures IMAGE32131.jpg.com? to share with you" and you are given with the link to click


Normally, infected computer would send something like above through MSN messenger


So.. normally, you would see different changes on these words with the same objective, i.e to send you some obnoxious looking(at least for me) file name but trying to deceive people by making it look like JPG(image) file.

Innocent user just sees/reads the IMAGE**.jpg and forgets about another extention IMAGE**.jpg.com or IMAGE**.jpg.exe. Those .com and .exe are the executable file extention, which means it runs automatically, as soon as you double click them thinking to see an image files.

NEVER EVER CLICK any file name ending with .COM or .EXE. They are made to run instantaneously.

I recently got strange message from my friend on MSN messenger and these WORM WRITERS have come up with unique but working formula.
Infected computer sent me asking "
Hey, i've new pictures on facebook.com ..blah blah"
and the name of sent file was "newfacebook.com"
Again, innocent user might think, oh it's from facebook.com and he/she might end up clicking the same .COM extention.

NEVER EVER CLICK any file name ending with .COM or .EXE. They are made to run instantaneously.

How to remove them?
Ummm.. This is the most important part. Couple of years back, during Windows 98 age, i had big fight with these kinds of worms and i always won. But this is Vista age and Vista is not at risk for the time being. And, there are various forms of similar worms existing for XP. Before you try to fight and eradicate this worm, i want you to load one weapon in your arsenal,just for now. Believe me, it's pretty easy.

That weapon is UNLOCKER.
Unlocker is freeware software to detach some files from the system which refuse to get deleted/moved/copied.

Some files refuse to get deleted/moved/copied


You need this because, to kill memory resident worm, it will help you. And why you need it, because, the worm will be deleted instantly. Some msn messenger worms are very stubborn and they don't want you to delete them. so, Unlocker is the solution.

Download from http://ccollomb.free.fr/unlocker/unlocker1.8.5.exe

Once you installed Unlocker, lets get to the business.

1. Run MSCONFIG
-Click 'Start' button --> Run and type 'msconfig' without quotes and hit 'Enter' key
-Now click the 'Startup' tab and carefully examine the suspicious file/item that's starting automatically, everytime your windows starts.
(Oh, lemme tell you something about MSCONFIG. This is small tool in Microsoft Windows which lets you control what to start and what not to start everytime windows runs. It has other things to do too but right now, you don't need to understand more than that.

MSCONFIG SCREEN and check the location of startup file in folder and registry


And, finding suspicious file/item from the 'Startup' is pretty easy. Just see the file/item and try to check their 'LOCATION' and folder location by extending your gaze at the right side of MSCONFIG screen. You'll see where those files/items are stored, you'll also see where those programs are set in the REGISTRY of windows. )

-Once you think you found the suspicious file/item(it could be MsgSprd, Messenger, newfacebook,pic1324,Image etc), uncheck that, click apply and click OK.

Just Don't restart the PC. Click the option which says, you'll restart your PC later time.

2. Click Start-->Run--->type 'Regedit' and hit enter key.
(Regedit will launch the Registry and please don't play around with it beyond my guide. One single mistake/delete of registry key could result useless Operating System and it's hectic going back to safemode.. and so, but don't worry)

If you've noticed the suspicious file name, remember its few initials and on the registry screen, follow this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Under Run, check on the right hand side and see if there is the entry saved for those suspicious files. Delete the one or two which look suspicious entry(Right click the entry and select DELETE key).

Close the Windows Registry. (actually, from msconfig, we did the same thing, but we're making sure with this second step that, it would remove it's traces from registry too)

3. Now, press CTRL+SHIFT+ESC key together and you'll be brought up 'Windows Task Manager' screen
-click the Application tab and from there, 'end task' any suspecting file/item.. only if there is.. else let it be.

4. And, Delete/flush the TEMP folder. In windows XP/98, go to C:\windows\temp and delete all the files from there. If some files refuses to get deleted, use UNLOCKER.
Right click on the file which is refusing to get deleted and select UNLOCKER. From the next screen, select 'Unblock and delete' option and click okay. That's it.

5. Not necessary, but still clean your browser's CACHED temporary files. Delete all offline contents from IE and firefox.

6. Lastly, remove/uninstall your MSN messenger and download latest version from http://get.live.com/messenger/overview

How to prevent them?
After you restarted your computer, my recommendations to your online security are as follows:

Good Firewall: Firewall will block all the access to your computer from remote computer. Firewall gives you control what to choose and what not to choose. If you don't have firewall, you are not safe.

Download COMODO firewall. From there click 'Download Now' button and select the link for 32 bit if your processor is 32 bit or 64 bit, if your processor is 64 bit. Mostly it's 32 bit if your computer is more than a year old or so.
COMODO is super firewall till date i've tried. So, believe my words and download it. Rest follow their online instruction to master this application. It's plain easy

Efficient Antivirus: Antivirus should kill/remove all kind of virus and worms,must consume low memory and so. Look no further, download NOD32(for XP) and follow this link
Follow each and every steps how to successfully installing this antivirus. Regularly update antivirus

Smart Anti-spyware: Words of caution, i've seen bogus anti-Spywares on net. Stay away from them. And always use, SPYBOT - Search and Destroy

This antispyware will remove all the spywares from your computer, so give a thorough scan after you install it and yeah, regularly update it's database too.

With the COMBO of these three, you'll be at least, 99 percent safe on net and use your brain(be smart) for 1 more percent to be hundred percent safe.

NOTE: never accept suspcious files, never open enticing emails, never visit suspicious sites or never install anything from any webpage if you doubt. Happy surfing.

Related link:
How to find if someone has blocked you on MSN messenger

18 comments:

ametya said...

Oddi baba, Yaslai guff bhanne ???
Title suhaayena, hai. Guff little, Info high rakhnus title ko naam.

Navin said...

Serious Informative guff ni mitra!!
Guff sadhai guffai hunu parcha bhanney pani chainani hoina ra .., kahiley kahi gyanbardhak khurak pani huna sakcha ni.. ahahaha.. bujhnu bhayena???

Khaati kuro chahi k bhaney dekhi, Info rakhyo bhaney Visitor naaula bhanney darrr, GUFF rakhyo bhaney, tehi guff garney baani baseka hami Nepali Daju-bhai aaunu huncha, khusi laagcha.. Tesailey ho, aru ta ' mero guff ' sajilo pani cha sunna laai, samjhana lai..

dhanyabaad comments ko laagi

webringnet.com said...

thanks for the info. i'm rare use msn live, so never came accross that problem. do you have info about YM

Navin said...

YM, not yet.. but if someone asks me, i'll write on it too :)

i write mostly as per demand of my reader :)

ametya said...

When I did a see of your blog, I thought you as a 'Kuire'(Who either loves Nepal or lives in Nepal), title given by his nepalese friends. After seeing your picture and name too, i was still in puzzling thinking you as the same, having nepali name given by his friends. But when i saw my nepali comment response in good and humorous style(in Nepali), then my puzzle went far.Long time to feel you as a nepali.Is it only because of new type of guff ?? that do in the teritory of info and techno. Nice to see such site that really provide curiosity in us,we reader.

ametya said...

When I did a see of your blog, I thought you as a 'Kuire'(Who either loves Nepal or lives in Nepal), title given by his nepalese friends. After seeing your picture and name too, i was still in puzzling thinking you as the same, having nepali name given by his friends. But when i saw my nepali comment response in good and humorous style(in Nepali), then my puzzle went far.Long time to feel you as a nepali.Is it only because of new type of guff ?? that do in the teritory of info and techno. Nice to see such site that really provide curiosity in us,we reader.

ametya said...

When I did a see of your blog, I thought you as a 'Kuire'(Who either loves Nepal or lives in Nepal), title given by his nepalese friends. After seeing your picture and name too, i was still in puzzling thinking you as the same, having nepali name given by his friends. But when i saw my nepali comment response in good and humorous style(in Nepali), then my puzzle went far.Long time to feel you as a nepali.Is it only because of new type of guff ?? that do in the teritory of info and techno. Nice to see such site that really provide curiosity in us,we reader.

Navin said...

Ametya JI, thanks for your nice comments and yeah, I'm as Nepali as you. :) If you go through 'MY WORDS' section, couple of articles are in Nepali unicode. thanks for your comments once more :) keep visiting and yeah, I added you on my LINK (blogroll) . glad to include you on my friends list

Speed said...

launa .... ametya tech talks ko lagi khirey nai huna parchaa ra bhaneko ??? hamro nepali daju bhai lai esto underestimate nagardium na bhanya .......

ametya said...

Speed ji, Mero Aascharyabhav lai tyasari -ve tarikale herna bhayena ni. In my surfing, I saw not only this nice blogsite having bold tech n info guff but also another blogsite(nam birse) talking openly in sex. Aba yasto intresting as well as sahasik blogsite haru herna paauda aakha fadeko fadyai hunu lai underestimate gareko bhanna mildaina.Ho ki haina Navin ji tapai aafaile bhannu paryo...

That sex site was also terrific and i am pleased to see that nepalese guys are openly talking abt sex and in knowledge abt that. I am more pleased when i saw a girl named Prerana in such site commenting. That was a nice shock to me.Ani yasto dami shock lai mahasus garna ta time laagi halchha ni haina ra speed ji ?

ametya said...

Launa, mathi maile jun sex site ko kura gareko thiye, tyo ta tapaikai po rahecha ta yar. Tapaile mero site ma comment gare pachi balla thaha paye. Earth is round bhanthe, ekdam thik rahecha. Jun sex site lai asti dekhi khojiraheko thiye(tapaiko site herda herdai line gayo, nam pani yad gareko thiyina), tyo malai khojdai aaye jasto feel bho. Speed ji, sex jasto gahan bishayalai yasari public rupma charchako mudda banaune tapaiko nitant naulo ra sahasik karya ko ma sarahana garchhu.It's totally nice shock to see a nepali guy here talking abt info and techno as his guff and another guy talking abt sex in nepali style.

Navin said...

ha ha ha ha. maaf garnu hola mitra haru..haaso roknai sakina..

Yeah, earth is round and someone somewhere will definitely sees his/her acquaintance and that's just happened.

Ani, Ametya Ji ko kura ekdum thik ho, .. ani hamro Speed bro pani machey gajab kai sahasi ho.. Who is talking/expressing about sex..and sex education..

and sacchai bhannu parda, malai Tapai ko, Ametya Ji, blog pani asshaddai mann parcha, ek dum unique yaar.. k ho k, everyday, i open all my friends blog under LINKS on this very blog and , i have to admit, i mostly check by yours cos, it's getting interesting and it's way captivating.. keep doing that (Y).

And, thanks for your nice comments, Speed and Ametya Ji

ametya said...

Can you plz tell me what is this Vibes ? and what is it's tasks in a blogsite ?

Navin said...

didn't get you properly ;)

generator said...

All,

The worm/virus in question was called spool.exe. I am not sure if this is the same for all people, but after killing this process using the task manager, I was once again able to connect to the internet. I quarantined the file immediately afterwards. I hope this helps.

Navin said...

generator, thank you for sharing your experience with you :) I appreciate that :)

Anonymous said...

dumb ass , spool.exe isnt a virus ,, it would hav been infected ,, try n use a printer without it n see how far u get ,,

Navin said...

Anon,
Spoolsv.exe is Microsoft's Spooler service which runs in background and normally resides under :/windows/system32 folder. Many times Trojan overwrites this file, hack the system initialization files and divert the execution of spooler service somewhere else.
It's very suspicious if spoolsv.exe is sitting somewhere around other than windows folder or if the background process with spool.exe or any other variants other than spoolsv.exe is found. Then it's time to get alert.

Spool.exe is indeed a way to trick users to think it's legit while it's not, it's a trojan that could let the remote attacker execute harmful codes.

nobody is dumb, everyone is in learning phase, keep that in mind.

Copyright © 2014
Designed by Navin