pin Posted October 20, 2006

Wouldn't normally post this, but there is a very nasty worm spreading via MSN at the moment. The format is roughly: you will get a message from one of your contacts which will say something like "Is this you in the picture" and a link to a .jpg. When you click on it the site redirects you to a file of the same name but with a .pif extension (old format for Windows icon files) which is executable by default. If you open this you are screwed.

The worm itself is being called a bunch of things depending on who you listen to :-

    [koho 1] ~ > clamscan photo656.pif
    photo656.pif: Trojan.MSNMaker FOUND

Most sites are calling it MSNMaker.something

The vulnerability is ages old, but this one drops a very nasty worm on your machine :-

http://virusinfo.prevx.com/viruscenter.asp?GRP=4804300017

It can log keystrokes, activate other vulnerabilities and all sorts, nasty thing. Just be warned (most AV scanners can't detect it yet; Norton, which is a pile of ****, certainly doesn't).

Guest jonrms Posted October 20, 2006

Speaking of Norton... I have the professional Norton antivirus and firewall.... along with Windows' own firewall... what do you recommend.... anything free?:look:? Because my wife keeps paying them a hundred or so to update our system... (mug) anyway that's my wife. I am tired of Norton slowing my PC down to an unbearable crawl. Please help, almighty computer one.

gibby Posted October 20, 2006

Will you know if this is on your computer?

dazza Posted October 20, 2006

Pin, what are your views on McAfee?

pin Posted October 20, 2006

http://www.prevx.com/
http://www.grisoft.com/ (avg)
http://www.f-prot.com
http://www.kaspersky.com/

Ditch Norton, it will be causing you more headaches than it's capable of fixing for you.

McAfee used to be good, they have the best engine out there but **** software round it. I have a guy that works for me that came from McAfee and he's **** hot, they know their stuff :look:

Markio Posted October 20, 2006

I use Kerio Personal Firewall. I assume it does the job! (and for free). And as mentioned AVG for Anti Virus.

pin Posted October 20, 2006

> Will you know if this is on your computer?

The thing it drops (might drop more than one thing) is covert, you probably wouldn't notice it, no.

> I use Kerio Personal Firewall. I assume it does the job! (and for free). And as mentioned AVG for Anti Virus.

Since this requires you to click on a link, no firewall will help you. As always keep bang up to date with the updates for whatever you use and regularly scan your machine.

gibby Posted October 20, 2006

I've just installed that prevx scanner, should this pick it up?

Gibby

pin Posted October 20, 2006 (edited)

One of my lot got a message off a contact, it had this link in it :-

http://www.photogbase.com/pictures.php?photo656.jpg (please don't click this)

    wget http://www.photogbase.com/pictures.php?photo656.jpg
    http://www.photogbase.com/pictures.php?photo656.jpg
    => `pictures.php?photo656.jpg'
    HTTP request sent, awaiting response... 302 OK
    Location: photo656.pif [following]
    http://www.photogbase.com/photo656.pif

It masks this redirect and downloads the .pif file instead, so this is what you are watching out for. It might be that this link comes to you in an email or a forum post, just be careful and always set your browser to ask you what to do each time you click (don't auto download) - and check the name of the file it's downloading. In this case I spotted that it was .pif instead, which screams WARNING.

substituted http with hxxp, so no one gets zapped by it on here

Edited October 20, 2006 by Teal

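The check described in the post above (compare the file name shown in the link with the name of the file the server finally hands over), as an added example that is not part of the original thread. The function names and the list of runnable extensions are assumptions; the sample input is constructed from the wget transcript quoted in the post, and the check looks only at URLs, not at a Content-Disposition header.

```python
import posixpath
import re
from urllib.parse import unquote, urljoin, urlsplit

# File types Windows runs when opened (assumed list, not exhaustive).
RUNNABLE = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}

# Constructed sample: the wget transcript quoted in the post.
WGET_LOG = """\
http://www.photogbase.com/pictures.php?photo656.jpg
HTTP request sent, awaiting response... 302 OK
Location: photo656.pif [following]
http://www.photogbase.com/photo656.pif
"""


def ext_of(name):
    """Lower-cased extension of a path or query fragment ('' if none)."""
    return posixpath.splitext(unquote(name))[1].lower()


def shown_ext(url):
    """Extension the reader sees in the link: query string first, then path."""
    parts = urlsplit(url)
    return ext_of(parts.query) or ext_of(parts.path)


def follow(start, log):
    """Resolve each Location header in a wget-style log against the current URL."""
    url = start
    for location in re.findall(r"^Location:\s*(\S+)", log, flags=re.M):
        url = urljoin(url, location)  # handles relative targets like photo656.pif
    return url


def check_link(start, log):
    """Flag a link whose final target is a runnable file the link did not show."""
    final = follow(start, log)
    served = ext_of(urlsplit(final).path)
    shown = shown_ext(start)
    return {"final_url": final, "shown": shown, "served": served,
            "suspicious": served in RUNNABLE and served != shown}


if __name__ == "__main__":
    print(check_link("http://www.photogbase.com/pictures.php?photo656.jpg", WGET_LOG))
```
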
Jimjim Posted October 20, 2006

Hey all, about this worm!! I was once silly enough to fall for it about this time last year!!! Once you select the .jpg that it has posted on the MSN chat window it will then automatically send itself to all the 'online contacts' that you have. I found the only way to get rid of it was to 'system reboot' to either the day before or the day before that. If you delete the file on its own it will reappear about 5 mins later or when you next use the computer. Another way of getting rid of a 'few' (you will find maybe six shortcut looking things in the MY COMPUTER window) is to make a folder, put them into the folder then delete the folder. I have Norton 2006 and so far my computer is completely healthy.......so far lol

Jim

pin Posted October 20, 2006

> I've just installed that prevx scanner, should this pick it up? Gibby

http://virusscan.jotti.org/ is an online scanner which you send stuff to, and it tells you what AV scanners can find and clean it :-

    AntiVir                 Found Backdoor-Server/MSNMaker.W.9 backdoor
    ArcaVir                 Found nothing
    Avast                   Found nothing
    AVG Antivirus           Found nothing
    BitDefender             Found nothing
    ClamAV                  Found Trojan.MSNMaker
    Dr.Web                  Found BackDoor.Oscar
    F-Prot Antivirus        Found nothing
    Fortinet                Found W32/MSNMaker.W!tr.bdr
    Kaspersky Anti-Virus    Found Backdoor.Win32.MSNMaker.w
    NOD32                   Found a variant of Win32/MSNMaker
    Norman Virus Control    Found nothing
    VirusBuster             Found nothing
    VBA32                   Found Nothing

> Hey all, about this worm!! I was once silly enough to fall for it about this time last year!!! Once you select the .jpg that it has posted on the MSN chat window it will then automatically send itself to all the 'online contacts' that you have. I found the only way to get rid of it was to 'system reboot' to either the day before or the day before that. If you delete the file on its own it will reappear about 5 mins later or when you next use the computer. Another way of getting rid of a 'few' (you will find maybe six shortcut looking things in the MY COMPUTER window) is to make a folder, put them into the folder then delete the folder. I have Norton 2006 and so far my computer is completely healthy.......so far lol Jim

The payload is different this time, and nasty, it's called Backdoor.Oscar and :-

> Backdoor.Oscar runs in the background and connects to an IRC server. The threat will then give attackers full access to the infected system. The threat is capable of File Transfer, Keylogging, Denial of Service, Packet Sniffing, can scan the infected system for information and update itself.

Like I said before this is an old exploit but with a new and NASTY payload.