New virus/worm in MSN?

On April 2, I got a link from a friend.

But when I clicked it…
(hehe, he did not send it to me :P)
MSN started to live its own life.
Opening chat screens, sending this link to all my friends, etc.,
and when they click it, receiving the links back.
No mouse and tons of adware installed (DriveCleaner, e.g.).

Avast did not detect this in the IM protection (high level).

Cannot find anything about this, not Avast, Norton, McAfee, etc…
Even Spybot, Ad-Aware didn’t find anything.

This is the link (DO NOT CLICK):

yo wtf youre nude in this photo htt p://ww w.s tupidpictures.info/p hoto13.ph p
(added some spaces in the link, in case of accidental clicking).

Could someone tell me which worm/virus this is?

Re-installed MSN and (before/after)
ran several full scans, normal mode and safe mode, with Avast, Spybot and Ad-Aware, and everything looks clear; only MSN still has its own life (once in a while) but no link.

I hope the Alwil team improve detection of this one…

Sorry, I opened up one about this same thing. How can I get rid of this now? It is really annoying me now big style. There must be a way to get rid of this.

If Avast is not detecting it, I suggest full-computer on-line scanning:
Kaspersky
Trendmicro housecall
Ewido
F-Secure
Panda ActiveScan
BitDefender (free removal of the malware)

Why Avast hasn’t spotted this, I don’t know. Very bad.

No software is perfect… next time, the others will miss what Avast will detect…

Online scanning with McAfee and Norton: no results, everything is clean???
Even there they don’t speak about this virus/worm or whatever it is.

Re-installed MSN and everything looks quiet.
Only once in a while Avast gives a warning about Win32:VBStat-C[trj]
and some annoying popups from drivecleaner.com and some antivirus program that says that the PC is not protected against the SerWab (?).

Also ran scans with Spybot and Ad-Aware, no results (also in Windows safe mode).
(On my own PC I ran a scan with PC Doctor from Google Pack, and discovered 60 infections which were NOT detected by Spybot and Ad-Aware.)

A new tool, RogueRemover, is available here: http://www.malwarebytes.org/rogueremover.php. This should hopefully deal with the rogue AV program.

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)? Check the avast! Log Viewer (right-click the avast icon), Warning section; this contains information on all avast detections.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.

zeromechanic, please test the tools posted by David and run Avast at boot time (again, if necessary). Avast shouldn’t be giving you intermittent warnings about infections if you’re really clean…

I don’t think these messages come from avast but a rogue program.

and some antivirus program that says that the PC is not protected against the SerWab (?)

This is the scumware rogue program trying to get you to purchase an AV product to cure a non-existent problem.

OK guys, well, there is another one to worry about, and this virus also comes from MSN and locks you out of everything. The only program that will stay open is MSN; everything else will open and close immediately, and this includes Task Manager.

It is sent under the same pretense, “hey look at this…weblink”, and the file extension is bush.exe. I got it from a family member and so immediately clicked it, I know, not smart. Avast also did not catch it in MSN; I later scanned it in safe mode and it still did not pick it up. The scariest part is that it was reported in USA Today on 08/16/2001.

Now don’t get me wrong, because I love my Avast and I thank the team that put it together and made it free to home users. I truly love this program. What scares me is: did I fully remove it?

So far it seems to be gone, because I am able to write to you on the PC that would open nothing. I am hoping that perhaps a member can suggest a tool that will scan for this particular virus?

For those who want to know how I got it off my PC manually: I ran msconfig, under boot.ini booted in safe mode, then ran a search of all files and searched the files to remove it.

Any help you can give is appreciated.

My heartfelt thanks go out to the creators and team involved with such a great program as Avast.

There will always be something like this coming along; it is social engineering, appealing to people’s sense of curiosity, and you have to apply a degree of pro-active action: don’t click on links in unsolicited, unknown messages or emails and don’t open attachments.

Avast won’t catch anything like a link in MSN; there is nothing to detect. It doesn’t scoot off and scan all links in emails or messages, it only scans the existing content. The malware wasn’t in the message but at the other end of the link. Avast is primarily an anti-virus, and a single application is unlikely to catch everything.

Something that was reported in 2001? What was reported in 2001: that type of tricking a user into clicking on a link, or the specific malware bush.exe?
Either of which could have different variants that differ from the original; unfortunately there really is insufficient information to say what it might have been and if it is completely gone.

If you haven’t already got the software I mentioned in a previous post, try installing that to improve overall detection.

A Google search for bush.exe returns many hits, http://www.google.com/search?q=bush.exe, but there could well be many different bush.exe files, totally unrelated, like faces-of-bush.exe, so if your file was slightly different from just bush.exe then this search is not worth much.

Looks like I got rid of it.

After searching the net (Google: remove drivecleaner), I found that it might be a Vundo infection.
According to the site it’s the most common one… :-
Used several scans, like Norton, McAfee, etc., and none of them detected anything.
Strange, it was “released” in 2006.

The removal instructions were updated on 9 Jan 2007…

Used the Vundo remover, and no more $#@##@$ popups for the time being.
(It found approx. 25 infected .dll files in the system32 folder.)
And started to use Firefox; it seems also to be faster than IE.

These are the links; hopefully it works for others also.

http://www.bleepingcomputer.com/forums/topic71782.html

http://www.bleepingcomputer.com/forums/topic18610.html

Maybe an idea to add this infection to the Avast scanner, and then be the only one to detect this infection ;D ;D

maybe an idea to add this infection to the Avast scanner, and then be the only one to detect this infection
Unfortunately this comes under the heading of malware and not virus, although the edges are starting to blur. This is where multi-layer protection comes in, with anti-virus and anti-spyware protection. Malware is continually changing file names/sizes and actions, so it would need full-time staff just to track these, let alone viruses.

OK, clear.
I thought that it would make Avast even better than it is right now. ;D

But should Avast not detect trojans?
According to the links, Vundo is a family of trojans.
Avast detects and stops the VBStat-C trojan…

But it is strange that no scanner detects this.
Not Spybot, not Ad-Aware, not…

And then I start to wonder, what is more annoying:
the threat of a virus (most people are already protected by an antivirus)
or being bombarded with these popups.

Anyhow, thanks for the replies.
Problem seems to be solved.
Now waiting for the next one ;D ;D ;D

This is not malware but a real, honest-to-goodness virus, W32/Culler-C, that IS NOT detected by Avast ???

W32/Culler-C is a worm for the Windows platform that spreads via MSN Messenger.

W32/Culler-C includes functionality to access the internet and communicate with a remote server via HTTP.

W32/Culler-C attempts to terminate and disable various security software applications and Windows processes such as Task Manager.

When first run, W32/Culler-C will display the following error message:

“Component “COMDLG32.OCX” or one of its dependencies no correctly registered a file is missing or invalid.”

It then copies itself to:

\Cfreer.exe
\Nzil.exe
\Juegs.exe
\Negdo.exe

W32/Culler-C attempts to download and execute files from a remote location. At the time of writing, these files were unavailable for download.

The worm sets the following registry entries to run at system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows
\Cfreer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate
\Nzil.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
\Juegs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemUpdate
\Negdo.exe

W32/Culler-C sets the following registry entry:

HKCU\Software\VB and VBA Program Settings\SysUpdate\sistema
Marcar
1

Can you send the samples to virus@avast.com?
You can zip and password-protect the files… Include a link to this thread and the password used.
You can send the files to the Chest and, from there, resend them to Alwil for analysis.
Thanks.

Sent an example.

If anybody wants to play ;D it’s available from http://www.webfaqtory.com/bush.zip Password=Culler. Unless you want to be REAL popular with friends and family, close MSN Messenger first.

To get rid of this worm you will need to download Process Explorer from http://download.sysinternals.com/Files/ProcessExplorer.zip, as the worm hooks into Task Manager and regedit and prevents them from running.

From Process Explorer, look for Juegs.exe or Cfreer.exe or (less likely) Nzil.exe or Negdo.exe. Terminate this process. The worm is now disabled and you can run regedit to delete the following keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows
\Cfreer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate
\Nzil.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System
\Juegs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SystemUpdate
\Negdo.exe

Then delete the following files:

\Cfreer.exe
\Nzil.exe
\Juegs.exe
\Negdo.exe

Reboot and check that Task Manager and regedit start OK and none of the above files are running.

There will also be a copy of bush.exe in your cache, depending on your browser settings. It would be best to delete the cache to remove this copy.
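The removal steps above amount to a persistence audit of the HKCU Run key. The following Python is an added example, not code from the thread or from any vendor: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints, flags the four value-name/file-name pairs listed in the W32/Culler-C description, and builds the matching `reg delete` commands. The sample output is constructed; the thread gives only bare file names, so the C:\WINDOWS directory and the two benign entries are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# prints on an infected machine. The thread lists only the bare file names, so the
# C:\WINDOWS directory is an assumption; the ctfmon and MSMSGS entries are benign padding.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Windows    REG_SZ    C:\WINDOWS\Cfreer.exe
    WindowsUpdate    REG_SZ    C:\WINDOWS\Nzil.exe
    System    REG_SZ    C:\WINDOWS\Juegs.exe
    SystemUpdate    REG_SZ    C:\WINDOWS\Negdo.exe
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
"""

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Value name -> file name pairs exactly as given in the W32/Culler-C description above.
CULLER_RUN_ENTRIES = {
    "Windows": "Cfreer.exe",
    "WindowsUpdate": "Nzil.exe",
    "System": "Juegs.exe",
    "SystemUpdate": "Negdo.exe",
}
CULLER_FILES = {v.lower() for v in CULLER_RUN_ENTRIES.values()}

# reg query separates the three columns of a value line with four spaces.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")


def parse_reg_query(text):
    """Return (key_path, [(value_name, value_type, data), ...]) from reg query output."""
    key, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # an unindented line is the key path itself
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return key, entries


def executable_name(data):
    """Base name of the program a Run value launches, ignoring quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:data.index('"', 1)]
    else:
        path = data.split(" ", 1)[0]
    return PureWindowsPath(path).name


def find_culler_persistence(text):
    """Flag Run values matching the worm's persistence entries.

    'exact' means the launched file is one of the four known names; 'name-only' means a
    known value name points at some other file, worth a look because variants may use
    different file names.
    """
    _, entries = parse_reg_query(text)
    findings = []
    for name, _, data in entries:
        exe = executable_name(data)
        if exe.lower() in CULLER_FILES:
            findings.append((name, exe, "exact"))
        elif name in CULLER_RUN_ENTRIES:
            findings.append((name, exe, "name-only"))
    return findings


def remediation_commands(findings):
    """Build the reg.exe commands that remove the flagged values; run them only after
    the worm process has been terminated, which is the order the steps above use."""
    return [f'reg delete "{RUN_KEY}" /v {name} /f' for name, _, _ in findings]


if __name__ == "__main__":
    hits = find_culler_persistence(SAMPLE_REG_QUERY)
    for hit in hits:
        print("found:", hit)
    for cmd in remediation_commands(hits):
        print(cmd)
```

Feed it the saved output of `reg query` from the affected machine; matching on the executable's base name rather than the full path keeps the check independent of where the copies actually landed.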

Complete scanning result of “bush.exe”, received by VirusTotal on 05.10.2007, 11:29:05 (CET).

Antivirus          Version         Update      Result
AhnLab-V3          2007.5.10.0     05.10.2007  no virus found
AntiVir            7.4.0.15        05.10.2007  Worm/VB.AU.62
Authentium         4.93.8          05.10.2007  no virus found
Avast              4.7.997.0       05.10.2007  no virus found
AVG                7.5.0.467       05.09.2007  Worm/VB.BDH
BitDefender        7.2             05.10.2007  Win32.Worm.IM.VB.I
CAT-QuickHeal      9.00            05.09.2007  I-Worm.VB.au
ClamAV             devel-20070416  05.10.2007  no virus found
DrWeb              4.33            05.09.2007  no virus found
eSafe              7.0.15.0        05.08.2007  Win32.Adclicker
eTrust-Vet         30.7.3624       05.10.2007  Win32/Subaso.J
Ewido              4.0             05.10.2007  Worm.VB.au
FileAdvisor        1               05.10.2007  no virus found
Fortinet           2.85.0.0        05.10.2007  W32/VB.AU!worm.im
F-Prot             4.3.2.48        05.10.2007  no virus found
F-Secure           6.70.13030.0    05.10.2007  IM-Worm.Win32.VB.au
Ikarus             T3.1.1.7        05.10.2007  IM-Worm.Win32.VB.au
Kaspersky          4.0.2.24        05.10.2007  IM-Worm.Win32.VB.au
McAfee             5027            05.09.2007  W32/Culler
Microsoft          1.2503          05.10.2007  no virus found
NOD32v2            2255            05.09.2007  Win32/VB.NKS
Norman             5.80.02         05.09.2007  no virus found
Panda              9.0.0.4         05.09.2007  W32/MSNDiablo.A.worm
Prevx1             V2              05.10.2007  Polynomial.Code.Exploit
Sophos             4.17.0          05.08.2007  W32/Culler-C
Sunbelt            2.2.907.0       05.05.2007  no virus found
Symantec           10              05.10.2007  Trojan.Adclicker
TheHacker          6.1.6.112       05.10.2007  no virus found
VBA32              3.12.0          05.09.2007  IM-Worm.Win32.VB.au
VirusBuster        4.3.7:9         05.09.2007  no virus found
Webwasher-Gateway  6.0.1           05.10.2007  Worm.VB.AU.62
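A multi-engine report like the one above is most useful once it is reduced to a few numbers: how many engines flagged the file, which ones missed it, whether the detection names agree on a family, and which engines were running signatures older than the scan itself. The Python below is an added example (not from the thread or from VirusTotal) that parses the quoted rows and produces that summary. It embeds the report verbatim as sample input and assumes the dates are in MM.DD.YYYY form, which the AhnLab version string 2007.5.10.0 supports.

```python
from datetime import datetime

# The VirusTotal rows quoted in the thread, embedded verbatim as sample input
# (four whitespace-separated columns: engine, version, update date, result).
VT_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.10.2007 no virus found
AntiVir 7.4.0.15 05.10.2007 Worm/VB.AU.62
Authentium 4.93.8 05.10.2007 no virus found
Avast 4.7.997.0 05.10.2007 no virus found
AVG 7.5.0.467 05.09.2007 Worm/VB.BDH
BitDefender 7.2 05.10.2007 Win32.Worm.IM.VB.I
CAT-QuickHeal 9.00 05.09.2007 I-Worm.VB.au
ClamAV devel-20070416 05.10.2007 no virus found
DrWeb 4.33 05.09.2007 no virus found
eSafe 7.0.15.0 05.08.2007 Win32.Adclicker
eTrust-Vet 30.7.3624 05.10.2007 Win32/Subaso.J
Ewido 4.0 05.10.2007 Worm.VB.au
FileAdvisor 1 05.10.2007 no virus found
Fortinet 2.85.0.0 05.10.2007 W32/VB.AU!worm.im
F-Prot 4.3.2.48 05.10.2007 no virus found
F-Secure 6.70.13030.0 05.10.2007 IM-Worm.Win32.VB.au
Ikarus T3.1.1.7 05.10.2007 IM-Worm.Win32.VB.au
Kaspersky 4.0.2.24 05.10.2007 IM-Worm.Win32.VB.au
McAfee 5027 05.09.2007 W32/Culler
Microsoft 1.2503 05.10.2007 no virus found
NOD32v2 2255 05.09.2007 Win32/VB.NKS
Norman 5.80.02 05.09.2007 no virus found
Panda 9.0.0.4 05.09.2007 W32/MSNDiablo.A.worm
Prevx1 V2 05.10.2007 Polynomial.Code.Exploit
Sophos 4.17.0 05.08.2007 W32/Culler-C
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.10.2007 Trojan.Adclicker
TheHacker 6.1.6.112 05.10.2007 no virus found
VBA32 3.12.0 05.09.2007 IM-Worm.Win32.VB.au
VirusBuster 4.3.7:9 05.09.2007 no virus found
Webwasher-Gateway 6.0.1 05.10.2007 Worm.VB.AU.62
"""

SCAN_DATE = "05.10.2007"  # from the report header; read as MM.DD.YYYY (assumption)
DATE_FMT = "%m.%d.%Y"
NO_DETECTION = "no virus found"


def parse_vt_report(text):
    """Split each row into a dict; the result column is the remainder and may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "Antivirus":  # skip blanks and the header row
            continue
        engine, version, update, result = parts
        rows.append({"engine": engine, "version": version, "update": update, "result": result})
    return rows


def detections(rows):
    return [r for r in rows if r["result"].lower() != NO_DETECTION]


def missed_by(rows):
    return [r["engine"] for r in rows if r["result"].lower() == NO_DETECTION]


def keyword_counts(rows, keywords):
    """How many detecting engines mention each keyword (case-insensitive) in their name."""
    names = [r["result"].lower() for r in detections(rows)]
    return {k: sum(k.lower() in n for n in names) for k in keywords}


def stale_engines(rows, scan_date=SCAN_DATE):
    """Engines whose signature update predates the scan; a miss from these says less."""
    scan = datetime.strptime(scan_date, DATE_FMT)
    return [r["engine"] for r in rows if datetime.strptime(r["update"], DATE_FMT) < scan]


def summary(text):
    rows = parse_vt_report(text)
    return {
        "engines": len(rows),
        "detections": len(detections(rows)),
        "missed_by": missed_by(rows),
        "stale": stale_engines(rows),
        "families": keyword_counts(rows, ["vb", "worm", "culler", "adclicker"]),
    }


if __name__ == "__main__":
    for k, v in summary(VT_REPORT).items():
        print(f"{k}: {v}")
```

Run stand-alone it reports 19 of 31 engines detecting the file, and the family counts show why the thread's naming argument goes in circles: most engines call it a VB worm, a few a Culler variant, two an ad-clicker trojan, so "is it a virus or malware" depends on which vendor's name you read.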

Yeah, this problem with the link happened to me and my other friends as well, except it said “OMG Is that you? :o” with a link (this happened a while ago, forgot the link).

When I clicked on it, all of a sudden the computer was in control and started to install crap (sorry for the language) like search bars, games, etc.

Unfortunately I didn’t have Avast then. I had Windows Defender and no Ad-Aware.

That shows that Windows Defender isn’t that strong. :)