How to recognize them?
How to remove them?
How to prevent them?
What are MSN messenger Worms?
Any worm or virus that spreads through Microsoft's IM client, Windows Live Messenger (formerly MSN Messenger), is an MSN Messenger worm/virus. Normally, if a system is infected with an MSN Messenger worm/virus, the main threat is that the user's information is at risk. Previously, I've seen vicious worms that could transmit data from the infected computer to the worm writers. Otherwise, the threat level is low unless you share important information across your MSN contacts.
How come the latest antivirus software isn't detecting them?
Antivirus is not always the solution for the variant nature of worms/viruses that use IM networks (protocols). I'm writing 'variant nature' because every time, the worm writer gives its worm a new name. So the worm gets a new name often and goes undetected even by the latest antivirus software. After all, IM networks are made to share information and files.
How to recognize them?
-If, all of a sudden, your friends (on IM) start asking you about stuff you never sent them. (Normally they'll ask 'have you sent me some links or photos?' if they are smart enough; otherwise they would click/open it blindly.)
-If you feel the computer is getting slow (because these worms consume memory and stay in memory; they are memory resident).
NOTE: You may never know what's going on under your nose unless someone notifies you.
OR
If you are not infected, a friend whose computer is infected might send you alluring text or words without his consent, for example:
"Hey, i've an interesting pictures IMAGE32131.jpg.com? to share with you" and you are given with the link to click
So, normally you would see different variations of these words with the same objective, i.e. to send you an obnoxious-looking (at least to me) file name that tries to deceive people by making it look like a JPG (image) file.
An innocent user just sees/reads the IMAGE**.jpg part and misses the other extension: IMAGE**.jpg.com or IMAGE**.jpg.exe. Those .com and .exe are executable file extensions, which means the file runs as soon as you double-click it, thinking you are about to see an image.
NEVER EVER CLICK any file name ending with .COM or .EXE. They are made to run instantaneously.
I recently got a strange message from my friend on MSN Messenger, and these WORM WRITERS have come up with a unique but working formula.
The infected computer sent me a message asking:
"Hey, i've new pictures on facebook.com ..blah blah"
and the name of the sent file was "newfacebook.com".
Again, an innocent user might think, oh, it's from facebook.com, and he/she might end up clicking that same .COM extension.
NEVER EVER CLICK any file name ending with .COM or .EXE. They are made to run instantaneously.
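As an added example (not part of the original post), here is a small PowerShell function that applies the rule above mechanically: it looks at the last extension of a file name, which is the one Windows actually uses to decide whether to run it, and reports when that extension is executable but the name is dressed up as an image (IMAGE32131.jpg.com) or as a web site (newfacebook.com). The executable-extension list goes beyond the .COM and .EXE named in the post, and the sample file names are constructed.

```powershell
# Added example, not code from the original post: flag file names that hide an
# executable extension behind an image-like or web-site-like name.

$ExecutableExtensions = @('.exe', '.com', '.scr', '.pif', '.bat', '.cmd')
$ImageExtensions      = @('.jpg', '.jpeg', '.gif', '.png', '.bmp')

function Test-DeceptiveFileName {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Windows decides what to do with a file by its LAST extension only;
    # anything before it ("IMAGE32131.jpg") is just part of the name.
    $ext   = [System.IO.Path]::GetExtension($Name).ToLowerInvariant()
    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    $inner = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()

    if ($ExecutableExtensions -notcontains $ext) {
        return [pscustomobject]@{ Name = $Name; Suspicious = $false; Reason = 'not an executable extension' }
    }
    $reason = if ($ImageExtensions -contains $inner) {
        "executable '$ext' disguised as a '$inner' image (double extension)"
    } elseif ($ext -eq '.com' -and $inner -eq '') {
        "'.com' executable whose name reads like a web site"
    } else {
        "executable '$ext' received over IM"
    }
    [pscustomobject]@{ Name = $Name; Suspicious = $true; Reason = $reason }
}

# Constructed sample names; the first two mirror the ones quoted in the post.
$samples = 'IMAGE32131.jpg.com', 'newfacebook.com', 'holiday.jpg', 'party.JPG.exe', 'notes.txt'
$samples | ForEach-Object { Test-DeceptiveFileName -Name $_ } | Format-Table -AutoSize
```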
How to remove them?
Ummm.. This is the most important part. A couple of years back, in the Windows 98 age, I had big fights with these kinds of worms, and I always won. But this is the Vista age, and Vista is not at risk for the time being. However, there are various forms of similar worms for XP. Before you try to fight and eradicate this worm, I want you to load one weapon into your arsenal, just for now. Believe me, it's pretty easy.
That weapon is UNLOCKER.
Unlocker is freeware that detaches files from the system when they refuse to be deleted/moved/copied.
You need it because it helps you kill the memory-resident worm: with Unlocker, the worm file can be deleted instantly. Some MSN Messenger worms are very stubborn and don't want you to delete them, so Unlocker is the solution.
Download from http://ccollomb.free.fr/unlocker/unlocker1.8.5.exe
Once you have installed Unlocker, let's get down to business.
1. Run MSCONFIG
-Click the 'Start' button --> Run, type 'msconfig' without quotes and hit the 'Enter' key.
-Now click the 'Startup' tab and carefully examine it for suspicious files/items that start automatically every time Windows starts.
(Oh, let me tell you something about MSCONFIG. It is a small tool in Microsoft Windows that lets you control what starts and what doesn't start every time Windows runs. It can do other things too, but right now you don't need to understand more than that.
And finding a suspicious file/item under 'Startup' is pretty easy. Look at the file/item and check its 'Location' and folder location by looking to the right side of the MSCONFIG screen. You'll see where those files/items are stored, and you'll also see where those programs are set in the Windows REGISTRY.)
-Once you think you have found the suspicious file/item (it could be MsgSprd, Messenger, newfacebook, pic1324, Image, etc.), uncheck it, click Apply and click OK.
Just don't restart the PC. Click the option that says you'll restart your PC later.
2. Click Start-->Run, type 'regedit' and hit the Enter key.
(Regedit will launch the Registry Editor; please don't play around with it beyond this guide. A single mistake or deleted registry key could leave you with a useless operating system, and it's hectic going back into Safe Mode and so on, but don't worry.)
If you've noted the suspicious file name, remember its first few letters and, on the registry screen, follow this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Under Run, check the right-hand side and see if there is an entry saved for those suspicious files. Delete the one or two that look suspicious (right-click the entry and select Delete).
Close the Registry Editor. (Actually, from msconfig we did the same thing, but with this second step we're making sure the worm's traces are removed from the registry too.)
3. Now press CTRL+SHIFT+ESC together and you'll be brought to the 'Windows Task Manager' screen.
-Click the Application tab and from there 'End Task' any suspicious file/item, only if there is one; otherwise leave it.
4. Delete/flush the TEMP folder. In Windows XP/98, go to C:\windows\temp and delete all the files there. If some files refuse to be deleted, use UNLOCKER.
Right-click the file that refuses to be deleted and select Unlocker. On the next screen, select the 'Unblock and delete' option and click OK. That's it.
5. Not necessary, but still, clean your browser's cached temporary files. Delete all offline content from IE and Firefox.
6. Lastly, remove/uninstall your MSN Messenger and download the latest version from http://get.live.com/messenger/overview
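As an added example (not the post's own steps, and not a tool the post mentions), this PowerShell script does a read-only version of steps 1 to 3: it lists the Run key named in step 2 (plus the per-user HKCU equivalent), flags entries that run from a temp or profile folder, carry an image-then-executable double extension, sit outside the Windows and Program Files folders, or match the names the post lists, and then lists running processes with those names or named 'spool' rather than the legitimate 'spoolsv' discussed in the comments. The name pattern is an assumption of this example; it deletes nothing, so follow the manual steps for anything it flags.

```powershell
# Added example: read-only audit of the places steps 1 to 3 inspect by hand.
# Nothing is changed; review the findings, then remove entries manually.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # the key from step 2
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # per-user equivalent
)
# Assumed pattern built from the names the post gives for this worm family.
$WormNamePattern = 'msgsprd|newfacebook|pic\d+|image\d+'
$TrustedRoots    = @($env:SystemRoot, $env:ProgramFiles) | Where-Object { $_ }
$ProviderProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath([string]$Command) {
    # A Run value looks like "C:\dir\app.exe" /args or C:\dir\app.exe /args; keep the executable.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

function Get-SuspicionReasons([string]$Name, [string]$Path) {
    $reasons = @()
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    $leaf = Split-Path -Leaf $full
    if ($Name -match $WormNamePattern -or $leaf -match $WormNamePattern) { $reasons += 'matches names listed in the post' }
    if ($leaf -match '\.(jpg|jpeg|gif|png)\.(exe|com|scr)$') { $reasons += 'image name with executable extension' }
    if ($full -match '\\temp\\|\\Documents and Settings\\|\\Users\\') { $reasons += 'runs from a temp or profile folder' }
    $trusted = $TrustedRoots | Where-Object { $full.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $trusted) { $reasons += 'outside Windows and Program Files' }
    # A bare name such as rundll32.exe resolves via PATH and is reported here too; check it by hand.
    if (-not (Test-Path -LiteralPath $full)) { $reasons += 'target file not found at that path' }
    return $reasons
}

$findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($ProviderProps -contains $prop.Name) { continue }   # provider metadata, not a Run value
        $reasons = Get-SuspicionReasons $prop.Name (Get-CommandPath ([string]$prop.Value))
        if ($reasons) {
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value; Reasons = ($reasons -join '; ') }
        }
    }
}
'Run entries worth a closer look:'; $findings | Format-List

# Step 3 by script: processes named like the worm, or 'spool' instead of 'spoolsv'.
'Processes worth a closer look:'
Get-Process | Where-Object { $_.Name -match $WormNamePattern -or $_.Name -eq 'spool' } |
    Select-Object Id, Name, Path | Format-Table -AutoSize
```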
How to prevent them?
After you have restarted your computer, my recommendations for your online security are as follows:
Good Firewall: A firewall blocks access to your computer from remote computers. It gives you control over what to allow and what not to allow. If you don't have a firewall, you are not safe.
Download the COMODO firewall. From there, click the 'Download Now' button and select the 32-bit link if your processor is 32-bit, or the 64-bit link if your processor is 64-bit. Mostly it's 32-bit if your computer is more than a year old or so.
COMODO is the best firewall I've tried to date. So, believe my words and download it. For the rest, follow their online instructions to master this application. It's plain easy.
Efficient Antivirus: An antivirus should kill/remove all kinds of viruses and worms, must consume little memory, and so on. Look no further: download NOD32 (for XP) and follow this link.
Follow each and every step to successfully install this antivirus. Update the antivirus regularly.
Smart Anti-spyware: A word of caution: I've seen bogus anti-spyware on the net. Stay away from it. And always use SPYBOT - Search and Destroy.
This anti-spyware will remove all the spyware from your computer, so give it a thorough scan after you install it, and yeah, regularly update its database too.
With the COMBO of these three, you'll be at least 99 percent safe on the net; use your brain (be smart) for the last 1 percent to be a hundred percent safe.
NOTE: never accept suspicious files, never open enticing emails, never visit suspicious sites and never install anything from any webpage if you have doubts. Happy surfing.
Related link:
How to find if someone has blocked you on MSN messenger
Comments
The title doesn't fit, you know. Name the title 'Guff little, Info high'.
It's not as if gossip always has to be just gossip, is it? Sometimes it can be informative fodder too.. ahahaha.. didn't you get it???
The honest truth is this: if I post info, there's the fear that visitors won't come; if I post gossip, we Nepali brothers who are in the habit of that same gossip show up, and that makes me happy.. That's why. Besides, 'mero guff' is also easy to hear and easy to remember..
Thanks for the comments.
I write mostly as per the demand of my readers :)
That sex site was also terrific, and I am pleased to see that Nepalese guys are openly talking about sex and have knowledge about it. I am more pleased that I saw a girl named Prerana commenting on such a site. That was a nice shock to me. And it takes time to register such a great shock, doesn't it, Speed ji?
Yeah, the earth is round and someone somewhere will definitely see his/her acquaintance, and that's just what happened.
And, Ametya ji's point is absolutely right, .. and our Speed bro is also a truly amazing brave guy.. Who is talking/expressing about sex..and sex education..
And to be honest, I also really like your blog, Ametya ji, it's totally unique, man.. what can I say, every day I open all my friends' blogs under LINKS on this very blog and, I have to admit, I mostly check yours because it's getting interesting and it's way captivating.. keep doing that (Y).
And thanks for your nice comments, Speed and Ametya ji.
The worm/virus in question was called spool.exe. I am not sure if this is the same for all people, but after killing this process using the task manager, I was once again able to connect to the internet. I quarantined the file immediately afterwards. I hope this helps.
Spoolsv.exe is Microsoft's Spooler service, which runs in the background and normally resides under the \windows\system32 folder. Many times a Trojan overwrites this file, hacks the system initialization files and diverts the execution of the spooler service somewhere else.
It's very suspicious if spoolsv.exe is sitting somewhere other than the Windows folder, or if a background process named spool.exe or any other variant other than spoolsv.exe is found. Then it's time to be alert.
Spool.exe is indeed a way to trick users into thinking it's legit while it's not; it's a trojan that could let a remote attacker execute harmful code.
Nobody is dumb, everyone is in the learning phase, keep that in mind.