new msn virus? help!


I.P.Freely

Hi there,
Whilst I was out playing football this evening, my sister
accepted a file off her friend on MSN (possibly without her friend knowing
this was occurring...) called 'Best Friends' - this sounds like a randomly
generated name.

The task manager cannot be displayed to stop the file, but as an I.T. pro,
I'm confused as to what to do.

Regedit can't start, as the virus closes all windows/applications; I can,
however, use Windows Explorer.

I think the virus is possibly named O.exe, as this wouldn't allow the
computer to shut down. My Norton Corporate anti-virus program *can* scan, but
finds nothing.

msmsgs.exe is running <--normal messenger program
msnmsgr.exe is running <--*not* normal, I only have one messenger program,
the above! (?)

mscv.com <--Google yields no results, randomly generated filename?

I did manage to exit this 'mscv' by repeatedly hitting Ctrl-Alt-Del - but it
just restarted again. I feel this hidden application O.exe is also causing
problems, as well as mscv.exe. Regedit won't run, msconfig WILL run - tried
disabling just about everything, it did nothing; most Symantec removal
tools for common new propagation viruses either are closed by the virus, or
find nothing.

I should specify that I've connected successfully to the laptop's regedit
via the wireless link (prob a good idea to disable internet access now, eh?)
but I couldn't open anything down the tree; it came up with an error.

Help! I think I need it!

Cheers,

G.

David H. Lipman

From: "I.P.Freely" <[email protected]>

| Hi there,
| Whilst I was out playing football this evening, my sister
| accepted a file off her friend on MSN (possibly without her friend knowing
| this was occurring...) called 'Best Friends' - this sounds like a randomly
| generated name.
|
| The task manager cannot be displayed to stop the file, but as an I.T. pro,
| I'm confused as to what to do.
|
| Regedit can't start, as the virus closes all windows/applications; I can,
| however, use Windows Explorer.
|
| I think the virus is possibly named O.exe, as this wouldn't allow the
| computer to shut down. My Norton Corporate anti-virus program *can* scan, but
| finds nothing.
|
| msmsgs.exe is running <--normal messenger program
| msnmsgr.exe is running <--*not* normal, I only have one messenger program,
| the above! (?)
|
| mscv.com <--Google yields no results, randomly generated filename?
|
| I did manage to exit this 'mscv' by repeatedly hitting Ctrl-Alt-Del - but it
| just restarted again. I feel this hidden application O.exe is also causing
| problems, as well as mscv.exe. Regedit won't run, msconfig WILL run - tried
| disabling just about everything, it did nothing; most Symantec removal
| tools for common new propagation viruses either are closed by the virus, or
| find nothing.
|
| I should specify that I've connected successfully to the laptop's regedit
| via the wireless link (prob a good idea to disable internet access now, eh?)
| but I couldn't open anything down the tree; it came up with an error.
|
| Help! I think I need it!
|
| Cheers,
|
| G.
|



Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt496.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Ad-aware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
5) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Ad-aware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * Please report back your results * *

I.P.Freely

David H. Lipman said:
From: "I.P.Freely" <[email protected]>
Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt496.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Update Ad-aware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
5) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Ad-aware
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* * Please report back your results * *

Hi there again, thanks for the quick reply... I downloaded your utility and
extracted it over the network. The sys-update works fine, and downloads the
latest pattern files; the command window is not closed.

However, when a grey 32-bit Windows application loads stating 'trend-micro'
in red at the top-right, it closes instantly.

This is the problem with this virus, it closes any removal tool loaded...

Symantec's tool (can't remember which now....argh!) no no, I do, it was
'serflog virus removal tool' - loaded fine and scanned, but didn't find the
aforementioned virus.

Geez!

I have an update! I'm browsing the laptop from my PC....I notice the
following files:

l0ser.html <--contains evil comments about Bill Gates "f**** loser ha"

i_love_you.123greetings.com <--blatantly dodgy

MS-DOS shortcut, 'me at the beach'
'my piccy'
'paris hilton sex tape'
'really cute'
'shoot bill gates'
'death of crazy frog'
'lol busted are gay'

To name but a few!

David H. Lipman

From: "I.P.Freely" <[email protected]>

|
| Hi there again, thanks for the quick reply... I downloaded your utility and
| extracted it over the network. The sys-update works fine, and downloads the
| latest pattern files; the command window is not closed.
|
| However, when a grey 32-bit Windows application loads stating 'trend-micro'
| in red at the top-right, it closes instantly.
|
| This is the problem with this virus, it closes any removal tool loaded...
|
| Symantec's tool (can't remember which now....argh!) no no, I do, it was
| 'serflog virus removal tool' - loaded fine and scanned, but didn't find the
| aforementioned virus.
|
| Geez!
|
| I have an update! I'm browsing the laptop from my PC....I notice the
| following files:
|
| l0ser.html <--contains evil comments about Bill Gates "f**** loser ha"
|
| i_love_you.123greetings.com <--blatantly dodgy
|
| MS-DOS shortcut, 'me at the beach'
| 'my piccy'
| 'paris hilton sex tape'
| 'really cute'
| 'shoot bill gates'
| 'death of crazy frog'
| 'lol busted are gay'
|
| To name but a few!
|



Please send me an email so I can provide you information on a licensed scanner to use.

Just remove ~nospam~.

Zephyr

It sounds like the new W32.Serflog.C worm. A detailed description is
available at
http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.c.html.

Norton AntiVirus should be able to detect it using the latest definitions.
Make sure you download and install the definitions manually as the
LiveUpdate definitions capable of detecting this worm are not released until
later today.

You can download the latest definitions at
http://securityresponse.symantec.com/avcenter/defs.download.html.

Hope this helps.

GM

Zephyr said:
It sounds like the new W32.Serflog.C worm. A detailed description is
available at
http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.c.html.

Norton AntiVirus should be able to detect it using the latest definitions.
Make sure you download and install the definitions manually as the
LiveUpdate definitions capable of detecting this worm are not released until
later today.

You can download the latest definitions at
http://securityresponse.symantec.com/avcenter/defs.download.html.

Hope this helps.

Yep, that's it! No wonder I couldn't find info on it, i.e. mscv.com wasn't
coming up on Google - it's too new!

Jeremy Goff

I.P.Freely said:
Hi there,
Whilst I was out playing football this evening, my sister
accepted a file off her friend on MSN (possibly without her friend knowing
this was occurring...) called 'Best Friends' - this sounds like a randomly
generated name.

The task manager cannot be displayed to stop the file, but as an I.T. pro,
I'm confused as to what to do.

Regedit can't start, as the virus closes all windows/applications; I can,
however, use Windows Explorer.

I think the virus is possibly named O.exe, as this wouldn't allow the
computer to shut down. My Norton Corporate anti-virus program *can* scan, but
finds nothing.

msmsgs.exe is running <--normal messenger program
msnmsgr.exe is running <--*not* normal, I only have one messenger program,
the above! (?)

mscv.com <--Google yields no results, randomly generated filename?

I did manage to exit this 'mscv' by repeatedly hitting Ctrl-Alt-Del - but it
just restarted again. I feel this hidden application O.exe is also causing
problems, as well as mscv.exe. Regedit won't run, msconfig WILL run - tried
disabling just about everything, it did nothing; most Symantec removal
tools for common new propagation viruses either are closed by the virus, or
find nothing.

I should specify that I've connected successfully to the laptop's regedit
via the wireless link (prob a good idea to disable internet access now, eh?)
but I couldn't open anything down the tree; it came up with an error.

Help! I think I need it!

Cheers,

G.
Could also be http://www.sophos.com/virusinfo/analyses/w32rbotfq.html

J

Lil' Abner

Hi there again, thanks for the quick reply... I downloaded your
utility and extracted it over the network. The sys-update works fine,
and downloads the latest pattern files; the command window is not
closed.

However, when a grey 32-bit Windows application loads stating
'trend-micro' in red at the top-right, it closes instantly.

This is the problem with this virus, it closes any removal tool
loaded...

Did you try it in Safe Mode?

GM

Lil' Abner said:
Did you try it in Safe Mode?

As I said, I'm an I.T. Pro - I've tried everything you'd expect to try. Virus
scans are not picking it up, as it has only just been released; I suppose my only
option is to wait it out till a remover is created.

GM

Zephyr said:
It sounds like the new W32.Serflog.C worm. A detailed description is
available at
http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.c.html.

Norton AntiVirus should be able to detect it using the latest definitions.
Make sure you download and install the definitions manually as the
LiveUpdate definitions capable of detecting this worm are not released
until later today.

You can download the latest definitions at
http://securityresponse.symantec.com/avcenter/defs.download.html.

Hope this helps.

In fairness, you can't use any of those methods as the virus will close all
programs just about.

You need to remember that when giving advice on this one folks, it closes
most programs :(

Peter

Symantec call the virus serflog - others call it 'summom' or 'sumom'.

The characteristics are exactly as the serflog.c virus described on
Symantec's webpage; go to their initial homepage and 'view new threats' - or
use the link I provided in my previous posts.
I can't resist asking how come I never got a virus and have no firewall
and no active online virus checker, and I use Yahoo chat, MSN
Messenger chat and AOL chat, and used to use mIRC?

GM

Peter said:
I can't resist asking how come I never got a virus and have no firewall
and no active online virus checker, and I use Yahoo chat, MSN
Messenger chat and AOL chat, and used to use mIRC?

It's just out yesterday; plus maybe your friends/people on your list don't
have it, therefore the virus can't automatically try to send itself to you.

Firewall won't make a difference in this case.

Peter

It's just out yesterday; plus maybe your friends/people on your list don't
have it, therefore the virus can't automatically try to send itself to you.
Ok thanks. How will I know when it arrives?

daveR

I.P.Freely said:
Hi there again, thanks for the quick reply... I downloaded your utility and
extracted it over the network. The sys-update works fine, and downloads the
latest pattern files; the command window is not closed.

However, when a grey 32-bit Windows application loads stating 'trend-micro'
in red at the top-right, it closes instantly.

This is the problem with this virus, it closes any removal tool loaded...

Symantec's tool (can't remember which now....argh!) no no, I do, it was
'serflog virus removal tool' - loaded fine and scanned, but didn't find the
aforementioned virus.

Geez!

I have an update! I'm browsing the laptop from my PC....I notice the
following files:

l0ser.html <--contains evil comments about Bill Gates "f**** loser ha"

i_love_you.123greetings.com <--blatantly dodgy

MS-DOS shortcut, 'me at the beach'
'my piccy'
'paris hilton sex tape'
'really cute'
'shoot bill gates'
'death of crazy frog'
'lol busted are gay'

To name but a few!

HELP!!
I HAVE JUST GOT THIS VIRUS TOO !!

Basically, I just turned on my PC, and got an MSN from a friend :-
Do you want to accept the file "death of crazy frog.pif"
Like a moron I accepted, and as soon as I ran the file I realised it
was bad.

I called him & it seems the file was sent automatically by his MSN
when I logged on.

Now - even if I search the word "virus" in IE / Firefox or Opera the
browser just shuts down.
Same as the OP - the Symantec response just shuts down.

I used our 2nd PC here to find this thread in Google Groups - when I
went back to my (infected) PC & tried to add alt.comp.anti-virus to my
news account ... Outlook shut down!! Hence I had to quickly create a
Google account to post this ..

Trying to talk to my MSN friend I notice my MSN is trying to send him
"shoot bill gates.pif"

Help, I'm not very PC literate, how do I get rid of this ????????

Peter

The point of that reply was what? You said zilch, the above text is moi's!
Sorry, my question got inserted in your text. Question was what should
I be looking for to prepare myself for an attack.

Roger Wilco

GM said:
In fairness, you can't use any of those methods as the virus will close all
programs just about.

You need to remember that when giving advice on this one folks, it closes
most programs :(

Can you rename the tool to the name of a program it doesn't kill? Maybe
use the same name as one of its own executables but from another
directory?

GM

Roger Wilco said:
Can you rename the tool to the name of a program it doesn't kill? Maybe
use the same name as one of its own executables but from another
directory?

No.

It's the crappest virus I've ever been in contact with, due to the
closing-down nature of it.

I'm using 'NOD32' antivirus which has installed and is the *only* one that's
been able to install without closing, and is currently running, although the
virus is trying to close it.

I will let you know what happens, i.e. after the scan, even though it's found the
virus, can it remove it...