DVS-NewPhoto25.JPG_www.image-facebook.com new virus since 3-feb-2010

Please Help!!!

My PC is infected with DVS-NewPhoto25.JPG_www.image-facebook.com.
It is a .com file; when active it sends a message to all your Yahoo Messenger contacts which looks like this.

I think I just found a pic of my evil twin. It looks so much like me, don’t you think? http://www3.image-facebook.info:84/user.find&ProfileID=3295/DVS-NewPhoto25.JPG.zip

DO NOT CLICK THE LINK!!! UNLESS YOU KNOW WHAT YOU'RE DOING!

Beware not to open the zip file. However, a user on my PC opened it. I need help on how to delete it.

I still have the file but I do not know how to attach it.
I have googled it but with no result. I have checked with VirusTotal but 80% of the anti-virus engines do not know it yet. See the results.

Antivirus	Version	Last Update	Result
a-squared	4.5.0.50	2010.02.02	-
AhnLab-V3	5.0.0.2	2010.02.01	-
AntiVir	7.9.1.156	2010.02.02	-
Antiy-AVL	2.0.3.7	2010.02.02	-
Authentium	5.2.0.5	2010.02.02	-
Avast	4.8.1351.0	2010.02.02	-
AVG	9.0.0.730	2010.02.01	-
BitDefender	7.2	2010.02.02	-
CAT-QuickHeal	10.00	2010.02.02	-
ClamAV	0.96.0.0-git	2010.02.02	-
Comodo	3790	2010.02.02	-
DrWeb	5.0.1.12222	2010.02.02	-
eSafe	7.0.17.0	2010.02.02	-
eTrust-Vet	35.2.7276	2010.02.02	-
F-Prot	4.5.1.85	2010.02.01	-
F-Secure	9.0.15370.0	2010.02.02	-
Fortinet	4.0.14.0	2010.02.02	-
GData	19	2010.02.02	-
Ikarus	T3.1.1.80.0	2010.02.02	-
Jiangmin	13.0.900	2010.02.02	-
K7AntiVirus	7.10.962	2010.02.01	-
Kaspersky	7.0.0.125	2010.02.02	-
McAfee	5879	2010.02.01	-
McAfee+Artemis	5879	2010.02.01	-
McAfee-GW-Edition	6.8.5	2010.02.02	Heuristic.BehavesLike.Win32.CodeInjection.H
Microsoft	1.5406	2010.02.02	VirTool:Win32/CeeInject.gen!BB
NOD32	4827	2010.02.02	-
Norman	6.04.03	2010.02.02	-
nProtect	2009.1.8.0	2010.02.02	-
Panda	10.0.2.2	2010.02.01	-
PCTools	7.0.3.5	2010.02.02	-
Prevx	3.0	2010.02.03	-
Rising	22.33.01.04	2010.02.02	-
Sophos	4.50.0	2010.02.02	-
Sunbelt	3.2.1858.2	2010.02.02	-
TheHacker	6.5.1.0.176	2010.02.02	-
TrendMicro	9.120.0.1004	2010.02.02	-
VBA32	3.12.12.1	2010.02.01	-
ViRobot	2010.2.2.2168	2010.02.02	-
VirusBuster	5.0.21.0	2010.02.01	-

Additional information
File size: 251911 bytes
MD5   : 70cdaaa5b4f131c5e431b9c8fbc494b8
SHA1  : 08cb7646ad48a1679b6dd9495d73ff90b2887c5a
SHA256: 1da87f9efcb320a71121e5f4f919d3e35bfd46d96bd33c1eaddfbcc11d852511
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1EB40
timedatestamp.....: 0x4B68C69D (Wed Feb  3 01:43:09 2010)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name   viradd  virsiz  rawdsiz ntrpy md5
.text  0x1000  0x1DC52 0x1DE00 6.03  7c100d3d1dd0cef421b84b13e51c94f3
.rdata 0x1F000 0x188   0x200   3.90  9049ac14c25b4520f27daf17d06d49fb
.data  0x20000 0x564   0x600   4.36  42a2fd7453b47a8515dc3f88c1380d8a
.CRT   0x21000 0x8     0x200   0.00  bf619eac0cdf3f68d496ea9344137e8b
.rsrc  0x22000 0x1B4   0x200   5.10  420eb308ae646c7e07252450a6469ca0

( 2 imports )

> kernel32.dll: HeapAlloc, GetProcessHeap, HeapFree, GetProcAddress, LoadLibraryA, lstrlenA, lstrcpyA, GetCommandLineA, ExitProcess, GetModuleHandleA, GetStartupInfoA
> user32.dll: wsprintfA

( 0 exports )
TrID  : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 6144:oP/9pM29qUH0CZe6LMo4yaUG+69Ezlj4L:odpM29qUUge6LMSWEi
PEiD  : -
RDS   : NSRL Reference Data Set
-

Please help!!!
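Two things in this first post lend themselves to a quick local check: the three digests VirusTotal reported for the sample, and the naming trick in the link (an image-looking name with the extension that actually gets opened hidden behind it). The script below is an added example, not code from the thread or from VirusTotal. The hashes in KNOWN_BAD are the ones quoted above; the extension lists, the function names and the constructed sample file written by demo() are assumptions made for illustration.

```python
"""Compare files against the hashes posted in this thread and flag lure names.

Added example, not code from the thread or from VirusTotal. KNOWN_BAD holds
the three digests quoted in the report above; the extension lists, function
names and the constructed sample written by demo() are assumptions.
"""
import hashlib
import os
import sys
import tempfile

# Digests quoted from the VirusTotal report in this post.
KNOWN_BAD = {
    "md5": {"70cdaaa5b4f131c5e431b9c8fbc494b8"},
    "sha1": {"08cb7646ad48a1679b6dd9495d73ff90b2887c5a"},
    "sha256": {"1da87f9efcb320a71121e5f4f919d3e35bfd46d96bd33c1eaddfbcc11d852511"},
}

# Extensions Windows runs on double-click (constructed list) plus .zip, since
# the lure in this thread ships the .com inside a .zip.
RUNNABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".zip"}
# Extensions a user reads as harmless data; the decoy half of a double extension.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc", ".txt"}


def file_hashes(path):
    """Return MD5, SHA1 and SHA256 hex digests, hashing in 64 KiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def is_deceptive_name(filename):
    """True for names like DVS-NewPhoto25.JPG.com: a data-type extension
    immediately followed by the extension that actually gets executed/opened."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False  # a single extension cannot be a double extension
    decoy, real = "." + parts[1], "." + parts[2]
    return decoy in DECOY_EXTS and real in RUNNABLE_EXTS


def check_file(path, known=KNOWN_BAD):
    """Return a list of findings for one file; an empty list means no match.

    A hash miss is not a clean verdict: the thread notes the zip was being
    re-served repacked, and every repack has new digests. The name check
    works on the lure regardless of packing.
    """
    findings = []
    for algo, digest in file_hashes(path).items():
        if digest in known.get(algo, ()):
            findings.append(f"{algo} matches known sample: {digest}")
    if is_deceptive_name(os.path.basename(path)):
        findings.append("deceptive double extension")
    return findings


def demo():
    """Write a constructed, harmless file that only copies the lure's name and
    run both checks on it. Returns (hashes, findings_vs_thread, findings_vs_own_hash)."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "DVS-NewPhoto25.JPG.zip")
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample bytes, not the real file")
    hashes = file_hashes(sample)
    vs_thread = check_file(sample)  # name matches, hashes do not
    vs_own = check_file(sample, known={"sha256": {hashes["sha256"]}})  # injected hit
    return hashes, vs_thread, vs_own


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        hashes, vs_thread, vs_own = demo()
        print("demo file sha256:", hashes["sha256"])
        print("against thread hashes:", vs_thread)
        print("against its own hash: ", vs_own)
    for path in paths:
        print(path, "->", check_file(path) or "no findings")
```

Run it with one or more paths to check real files, or with no arguments to see the constructed demo. The later replies in the thread make the important caveat explicit: the download was being re-served repacked, so a file that does not match these digests can still be a copy of the same worm, which is why the name heuristic is kept alongside the hash list.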

Please remove the link to live malware.

Then please post a HijackThis! log.

VirusTotal update: now also Ikarus and Sophos detect it.

http://www.virustotal.com/analisis/7342bde8b2cc8edc272b2e70c6ba78c54f77c13098a1c3d8968a32da92729bce-1265269556

Hi Pondus,

Has this variant been detected by avast 5.0?

I have no idea, but I see one strange thing… in my upload to VirusTotal the detection from Microsoft is removed???

I uploaded the whole zip file…

Hi Pondus,

Maybe we need to submit it to virus at avast dot com,
to let the ALWIL virus team analyze whether this one is polymorphic malware or not.

My computer has also been infected with this virus – I stupidly downloaded DVS-NewPhoto25.JPG from a link in an apparently innocuous Skype message and opened it. Everything went haywire and my AVGfree scanner was disabled. I have reinstalled AVGfree and done a whole computer scan with only this result:

“C:\WINDOWS\system32\drivers\etc\hosts”;“Host file contains forbidden domain name guru.avg.com”;“Healed”

I then scanned just the rogue zip file, with this result:

"No infection was found during this scan
Folders selected for scanning:;“C:\My Documents\ephemera\DVS-NewPhoto25.JPG.zip;”
Scan started:;“04 February 2010, 14:28:34”
Scan finished:;“04 February 2010, 14:28:36 (1 second(s))”
Total object scanned:;“2” "

System Restore Point is still disabled and it refuses to be turned on again. Spybot won’t load.

When I opened the file, several warnings (I think from Spybot) about registry changes flashed up, but they disappeared before I had a chance to click “Reject”. Ad-Aware found nothing wrong in the registry, but it refused to update itself so it was using very out-of-date data files. However, it eventually located the following:

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : brian_barder@rambler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:brian barder@rambler.ru/
Expires : 21.3.17 17:16:46
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : brian_barder@kontera[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:12
Value : Cookie:brian barder@kontera.com/
Expires : 29.10.10 00:33:12
LastSync : Hits:12
UseCount : 0
Hits : 12

[etc. – lots of tracking cookies]

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : brian_barder@hit.gemius[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:brian barder@hit.gemius.pl/
Expires : 7.1.15 09:36:12
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 39
Objects found so far: 51

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : barder2@avgtechnologies.112.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Barder2\Cookies\barder2@avgtechnologies.112.2o7[1].txt

Disk Scan Result for C:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 52
15:24:30 Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:04:52.391
Objects scanned:184372
Objects identified:82
Objects ignored:42
New critical objects:0

Are there any clues here to what’s infected and how to remove the infections?

Any suggestions most welcome.

Latest VirusTotal
http://www.virustotal.com/analisis/82d089968147f2bd4c15b900ca1783fa3b4a926f17167dbdf85edb3122021644-1265308305

So now also BitDefender detects it; that should mean you can remove it with

Bitdefender Online Virus Scan http://www.bitdefender.com/scanner/online/free.html

Or BitDefender 10 Free Edition; this is only an on-demand scanner.

I have now done a complete scan with Bitdefender Online Virus Scan (and a couple of other online virus scanners) but none of them can detect any infection. The zip file presumably did its dirty work, disabling various functions on the computer (including System Restore point), changing registry entries and sending out more Skype messages to six of my Skype contacts with links to the infected zip file, but the zip file on my hard disk is no longer detected as ‘infected’, presumably because it has done its work and is now harmless.

I have uninstalled Skype but not yet attempted to reinstall it. As far as I can tell I don’t have a Windows XP installation or repair CD for my Dell Dimension PC.

I’m now baffled. How can I restore the computer to the state it was in before I idiotically opened that d***** zip file? Anyone got any ideas please?

A few things that need to be noted here.

This is because the URL to the zip file was being updated with new bins; you obtained a 2nd copy of the virus that had been repacked, not the same variant as the first.

The fact that you can access online scan sites implies the virus installed with limited privileges and may be easier to remove than for the person initially infected with the worm. The zip still contains the worm itself, but it is almost undetected by most AV; scanning it and returning 0 results only means the AV you use doesn’t detect it.

Furthermore,

Just because bitdef detects one of the older variants means nothing; more than likely the original exe that infected your PC has updated itself to a new one if the infection is more than a day old.

Now to the fun stuff: this worm will spread over Skype, Yahoo, Google Talk, MSN, AIM, and even ICQ; if any of these clients are running, exit them immediately. It will spread to removable drives such as USB keys or external hard drives, and it will spread across the LAN using MS08-067. To avoid further chaos make sure the infected PC is removed from any networks immediately, and do not insert any USB keys into a clean PC unless they have been reformatted after being used on the infected system. In order to remove the worm you need to figure out which version your system is infected with (there are MANY).

To find out which… get HostsXpert v4.3, rename it to blah.scr and run it; if nothing happens (it exiting itself, or your PC trying to turn off == BAD) you may be in luck.
If it does any of the above you have managed to get yourself infected with one of the latest versions of this worm.
Do not waste time with online scanners or anti-virus; there is a 99% possibility that whatever AV you think will work won’t, or whatever you think has definitions for the worm will not, if the worm has updated.

When writing this I assume you have one of the newer variants as no HJT log is posted. If running HJT causes it to exit or the PC to shut down you are indeed infected with the suspect worm. Now, you may have noticed I have not given it a name as its alias changes depending on whatever it has been encrypted with (VB based, C++ based, etc.) and there are many variants with a multitude of names. The only commonality is that when run in a VM, or an environment it deems unacceptable, the worm displays a message saying “W32.Nytemare says → Your kongfu is no good” and exits. Please reply with the results of running HostsXpert and I will try to assist you in removal.

A note: as a NAdmin of JetAirways I have had to fight off this bastard when it infected most of our corporate systems and almost caused us to shut down operations for a few days when infected PCs became unstable. This is why I have a fair amount of knowledge on the subject, and ever since the initial infection, myself and a few others have been tracking the worm as it evolves.
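The two hosts-file observations in this thread, AVG reporting "Host file contains forbidden domain name guru.avg.com" earlier and the HostsXpert check suggested in the post above (a clean machine shows nothing but localhost), both come down to the same inspection: read the hosts file and list every mapping that is not a normal loopback entry, calling out redirected security-vendor domains in particular. The script below is an added example written for this thread, not code from HostsXpert, AVG or any other tool named here. Only guru.avg.com and the hosts path come from the thread; the vendor domain list, the function names and the sample hosts content are constructed.

```python
"""Audit a Windows hosts file for the kind of tampering reported in this thread.

Added example, not code from the thread or from HostsXpert/AVG. The vendor
domain list and the sample hosts content below are constructed; only
guru.avg.com and the hosts path come from the thread itself.
"""
import ipaddress
import sys

# Security-vendor domains whose redirection would cut off updates or online
# scanners. Constructed from the vendors named in the thread; extend as needed.
SECURITY_DOMAINS = (
    "avg.com", "avast.com", "bitdefender.com", "virustotal.com",
    "microsoft.com", "malwarebytes.org",
)

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Path reported in the thread (AVG's "Host file contains forbidden domain name").
WINDOWS_HOSTS = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Constructed sample: two normal lines followed by entries of the tampered kind.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# constructed entries of the kind AVG flagged as a forbidden domain name
127.0.0.1       guru.avg.com
127.0.0.1       www.avast.com   # trailing comments are ignored
0.0.0.0         update.bitdefender.com
192.0.2.10      www.virustotal.com
10.0.0.5        intranet.example
"""


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every effective entry.

    Comments (# to end of line) and blank lines are skipped; hostnames are
    lower-cased because hosts lookups are case-insensitive.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_sinkhole(ip):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0) addresses,
    i.e. a mapping that makes the name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def matches_vendor(name):
    """True if the name is, or is a subdomain of, a listed vendor domain."""
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return (line_no, reason, hostname, ip) findings.

    A clean file yields nothing: the only entries HostsXpert should show are
    loopback names, which is what the thread describes for an uninfected PC.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in LOOPBACK_NAMES and is_sinkhole(ip):
                continue  # the normal localhost lines
            if matches_vendor(name):
                findings.append((line_no, "security vendor domain redirected", name, ip))
            elif is_sinkhole(ip):
                findings.append((line_no, "name blackholed", name, ip))
            else:
                findings.append((line_no, "non-loopback override", name, ip))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. WINDOWS_HOSTS) to audit a real file; with no argument
    # the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, reason, name, ip in audit_hosts(text):
        print(f"line {line_no}: {reason}: {name} -> {ip}")
```

On the constructed sample the four vendor entries are reported as redirected and the intranet line as a non-loopback override; the two localhost lines produce nothing. A blackholed non-vendor name (an ad domain pointed at 127.0.0.1, say) is still listed, because on a machine that should have nothing but localhost any extra entry deserves a look.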

A friend from Indonesia has just run into this virus as:

MVC-NewPhoto042.JPG.zip

from www1.crazyphotohost.com

I’ll not post the entire URL. The URL seems to change from time to time, as the earlier spam messages sent out were from a different URL, but contained the same payload.

On my friend’s machine, wcoredt.exe is marked as suspicious (I don’t have that file on my machine), but if the file is moved, svchost.exe starts complaining.

I used wget to pull down a copy, and I ran avast! on it (4.8.1368) with the latest virus signatures to no effect. I unpacked it and ran avast! against the unpacked files, and the virus was not detected.

HostsXpert didn’t reveal any hosts other than localhost, so it does not appear that I’m infected. I am running the latest version of Malwarebytes to see if that picks up the file. I’ll also run HJT and SysInternals RootkitRevealer to make sure my system is clean.

Virustotal only has one entry that flags this particular variant, and that’s Symantec 20091.2.0.41 2010.02.16 as Suspicious.Insight.

We’re both running XP/Professional. I have the latest updates. The Indonesian machine has not been updated in a while.

Any thoughts about how to rescue this person’s machine would be greatly welcomed. I’ve tried getting Malwarebytes installed on the Indonesian machine, but it just runs and exits (once installed).