MSN virus, what's the name?

Recently I got a link to a virus through MSN. Here is the link: REMOVED
It had my email address at the end there. Well anyways, I was wondering what the name of the virus was, so I can research it and correct the problem on my buddy's computer. Before I do that I'm uninstalling his NAV and installing Avast. NAV didn't pick any viruses up. Any info on this would be greatly appreciated.

Sorry I can’t throw any light on the MSN issue.

However NAV is a pig to remove; use Add/Remove Programs as normal and then check out these links for relevant information.
The NAV 2003 removal tool can be downloaded here: ftp://ftp.symantec.com/misc/consumer/Rnav2003.exe
Manual Removal NAV 2004
Manual Removal NAV 2003 or earlier

I could have used that link about a month ago. The NAV install didn't go smoothly so I couldn't use Add/Remove Programs. I deleted all Symantec and NAV folders, but it would still run. That tool was the only way to get rid of it. Thanks for the reply. Anyone else have an idea?

Welcome to the forums.

A Google search reveals nothing, and obviously the link won't reveal anything as it would have to have your email address, etc. to work.

[b]Not Found[/b] The requested URL /msn.php was not found on this server.
Looking at http :// www. messengertools.org/ gives a German server authorisation error, so I doubt anyone can check this out. Hopefully this is a one-off that you will need to watch out for in the future.

Once you have downloaded avast and removed NAV, install avast; it will run a full scan after installation.

I did a Google search with the original link. I couldn't find anything either. Here is the original text:

haha, is this really you? REMOVED

I would remove the link as it reveals your email, and the forums are open to the public and spambots trawling for email addresses. Not only that, but it is an active link to a possible malware file, so it should be removed just to be sure. I noted that the page it directs to showed a loading page, supposedly loading your contact details (see image; I have obscured your email address).

I have downloaded the contactinfo.exe which is generated by this link. I will put it in the avast virus chest, scan it and send it to avast if necessary.

Edit: Not being an MSN user, this may be a way of adding contact information to someone else's MSN contacts, but to me it seems strange to use an exe file to do it. I have scanned it and nothing was detected.

I have also scanned it at Jotti and it is picked up by a few AVs (see image), so if you have the file on your HDD, delete it and empty the deleted items folder.

I will send it to avast! for them to check out.

I also sent a copy of this file to avast! but have yet to hear from them. Since your friend has Norton on his computer, I sent a copy of the file to the Symantec Antivirus Research Center last night, and this was the response I received this morning:

Dear William Smith,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: C:\Documents and Settings\Owner\Desktop\contactinfo.exe
machine: ROSEANDMARCS
result: This file is infected with W32.SillyIM

Developer notes:
C:\Documents and Settings\Owner\Desktop\contactinfo.exe is a non-repairable threat. NAV with the latest rapidrelease definition detects this. Please delete this file and replace it if necessary. Please follow the instructions at the end of this email message to install the latest rapidrelease definitions.

Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
Downloading and Installing RapidRelease Definition Instructions:

  1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
  2. Click this link to the ftp site: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsi32.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.
  3. When a download dialog box appears, save the file to the Windows desktop.
  4. Double-click the downloaded file and follow the prompts.

This message was generated by Symantec Security Response automation

Should you have any questions about your submission, please contact
our regional technical support from the Symantec website
(http://www.symantec.com/techsupp/)
and give them the tracking number in the subject of this message.

Yeah, I got the same virus last night right before I went out >:(. So I spent all day trying to figure out what it was. I got the same message back from Symantec. But if you had the same problem as I did, the threat disabled all kinds of goodies: NAV, Windows Firewall and the Task Manager (processes view). And if you were like me, you tried to look up w32.sillyim on Symantec's page but came up empty. The only advice I can offer is go to http://www.sysinternals.com/Utilities/Autoruns.html. This program, Autoruns, will let you set what processes are running and what processes come on at start up. Here's what I did. Start Windows in "Boot logging or last known good start up…". This should at least allow you to get onto the internet. Download the program; it is a .zip file. Extract it somewhere you can easily find it. Launch it, then look under the Logon tab. There should be two "SVCHOST.exe" running. Look really closely and you will notice they have an MSN icon on them. Disable both of them. Close, and now your computer should be able to boot normally. Still trying to figure out exactly what this virus was. If anybody finds out, please post. Good hunting

If you are using an NT based OS (NT, w2k, XP) then I suggest that you don’t use IM or any other program that connects to the internet, whilst logged on to an account with administrator privileges.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator.

Short reply:

W32.SillyIM is the name; it seems Avast! can't find it. May I suggest you upgrade your systems to find more viruses or something (I'm not really an expert, but I'm smart enough not to press dumbass links).

Norton could find it, which amazes me, because Norton never found the 137 viruses I had before going to Avast!

Please find a solution to kill this small virus soon, don’t want it to catch me.

-Greetings from an Avast! user.

Which is why we advise people to use Jotti and/or send copies of undetected or suspicious files to avast to help update the VPS detections.

And they might be more inclined to do so if they got a personal email in response and the virus was added the next day. I know NAV isn’t popular round here, but that really is pretty good service, isn’t it?

Makes you think.

I don’t mind not getting a personal email, getting a fast VPS update would be more than enough for me.

With the size of the NAV team I would imagine they have enough slack manpower to write personal emails ;D

It seems I am also infected with this virus, and I can blame my sister for that. What is worse, because the virus disabled the Firewall/ICS service, the internet on my computer stopped working, so I asked my sister had she done anything… her reply: "No, I reset the computer ages ago but I haven't done anything". Seeing that the Firewall/ICS was disabled, I re-enabled it and I had the internet again.

Now that I had time to see if anything was up with this computer, I found that it was obviously infected with some virus; however the virus checker would not detect it and I could find little info on the net… also sites like symantec.com were not working… looking in my hosts file I saw a whole heap of sites routed to 127.0.0.1. (Do note I had already stopped the virus "svshost.exe" (that was what it was named on my computer) while in Safe Mode, so I had effectively removed the virus before I found out what it was; however I was unable to fix the damage it had done until I knew what it had done.)

OK, so knowing it did the above, and also knowing it closed security-related processes, I found a Trojan that is similar which does have removal instructions:
Backdoor.Tixanbot
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.tixanbot.html

That might help others hopefully clean their machine without having to reformat, however I think I might still reformat as I can not be sure I have fixed all the damage caused.

After questioning my sister about the above (also suspecting it might have something to do with MSN, which she uses a lot) she told me "I clicked on a link my friend sent me … and it did …" and that she didn't tell me when I asked her just after it happened because she was afraid I would yell at her. Now she has something to really be afraid of; I am certainly not letting her near a computer for a long time.

Edit: I forgot to note, that after updating my virus defs for NAV (Corporate Ed) it found it as W32.SillyIM

Hi, I stumbled upon this forum while looking for some information about this as one of my friends got hit with it. If you're computer savvy, someone over at Computing.net has apparently found a way to circumvent most of the problems using third party utilities. The thread can be found at http://www.computing.net/security/wwwboard/forum/16836.html

Hope that will help you guys as so far it seems to be the only ‘easy’ way to remove it.

You don't have to do that, you can use 'Safe Mode', that is what it was made for. The program won't be run in Safe Mode so it can't prevent you using Task Manager/msconfig/Services/regedit etc.

The problem comes in cleaning all the mess it leaves: once the actual virus is removed you have to clean the hosts file, restore your registry settings (very difficult to do if you don't know what has been changed), re-enable all services that the virus disabled and fix any other damage done.

Until someone like Symantec/McAfee releases information on how to clean it up (I would say Symantec should soon, as they seem to have been the first to update their defs for this virus), I suggest anyone infected back up important files and then format the computer.

The Symantec site I put in my previous post has removal instructions for a similar virus; it is so similar I believe they are directly related, so follow them if you can. However, without NAV you might not be able to find the virus (until the defs for Avast are updated, which shouldn't take too long to happen). So instead follow these steps:

1. Go into Safe Mode (by pressing F8 when Windows starts to load (which is during the DOS-like screen; just repeatedly press F8 until you get the options window to come up), then select "Safe Mode").

2. Click Start → Run…, then type 'msconfig', then click OK.

  1. Click the "Startup" tab.

  2. Uncheck anything that you don't know what it is. If you are computer savvy you might be able to spot which entry is the virus (in my case it was svshost.exe in some random-named folder in the %system% folder), in which case you can also delete the offending file; however unless you are pretty certain, just unchecking the checkbox is fine.

  If you are not sure what any of the entries are, just click 'Disable All'; Windows has nothing in there that is critical, so it should be alright.

3. Back up all files you want to keep. You can reset the computer to get out of Safe Mode if you need to, as the virus should have been prevented from starting by the above (do note it has not been removed). After you have backed up everything you need to…

4. Reinstall Windows afresh, in other words format. If you don't feel confident doing this, get a friend that is to do it for you.

This virus mucks with your hosts file, so if you DO have NAV, to be able to update the virus defs you have to clean the hosts file: do everything above except the format/backup.

[I took this from symantec’s website and edited it a little as I can’t be bothered doing it myself ;)]

1. Navigate to the following location:
      * Windows 95/98/Me:
        %Windir%
      * Windows NT/2000/XP:
        %Windir%\System32\drivers\etc

        Notes:
      * The location of the hosts file may vary and some computers may not have this file. There may also be multiple copies of this file in different locations. If the file is not located in these folders, search your disk drives for the hosts file, and then complete the following steps for each instance found.
      * %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Double-click the hosts file.
3. If necessary, deselect the "Always use this program to open this program" check box.
4. Scroll through the list of programs and double-click Notepad.
5. When the file opens, delete all the entries other than "127.0.0.1 localhost" or entries that DO NOT follow the pattern "127.0.0.1 somethinghere".
6. Close Notepad and save your changes when prompted.

This should now let you visit sites such as Symantec's, Microsoft's etc. and then you can update your virus defs. Do also note that for NAV, their 'LiveUpdate' has not yet updated the defs for this virus; you have to download it manually from their site (they call this service "Intelligent Update") or you can use the update posted in a previous post.
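As an added example (not code from the thread or from Symantec's instructions), the following Python script performs the hosts-file check above automatically: it lists every hostname pointed at a loopback address that is not one of the expected local names, and rewrites the file the same way step 5 does by hand. The hosts content it scans is constructed and its hijacked hostnames are placeholders; on a real machine you would read %Windir%\System32\drivers\etc\hosts instead.

```python
"""Audit a Windows hosts file for the loopback redirections the thread describes
(security sites pointed at 127.0.0.1). Added example, not from the forum or from
Symantec; SAMPLE_HOSTS is constructed and its hostnames are placeholders."""

# Addresses used to black-hole a hostname on the local machine.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately point at loopback in a clean Windows hosts file.
ALLOWED_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# constructed entries of the kind the thread says the virus adds
127.0.0.1       securityresponse.example
127.0.0.1       liveupdate.example  update.example
192.168.1.10    fileserver   # constructed LAN entry, not a hijack
"""

def parse_hosts(text):
    """Yield (line_no, ip, names) for each active mapping; comments/blanks skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield no, fields[0], fields[1:]

def find_hijacks(text):
    """Return [(line_no, ip, name)] for every name sent to loopback that is not
    an expected local name, i.e. the entries step 5 tells you to delete."""
    return [(no, ip, name)
            for no, ip, names in parse_hosts(text) if ip in LOOPBACK
            for name in names if name.lower() not in ALLOWED_LOCAL_NAMES]

def clean_hosts(text):
    """Rewrite the file with hijack names removed: comments and non-loopback lines
    stay verbatim; a loopback line keeps only allowed names or is dropped."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in LOOPBACK:
            kept.append(raw)
            continue
        good = [n for n in fields[1:] if n.lower() in ALLOWED_LOCAL_NAMES]
        if len(good) == len(fields) - 1:
            kept.append(raw)            # nothing to strip, keep original spacing
        elif good:
            kept.append(f"{fields[0]}\t{' '.join(good)}")
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print(find_hijacks(SAMPLE_HOSTS), clean_hosts(SAMPLE_HOSTS), sep="\n")
```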