23 Feb
Recently I’ve been getting a new type of fake MSN message sent by friends from my contact list. As usual, they will be offline when you get the message, and if they are online, they most probably sent it to you earlier as an offline message. The message contains only one sentence, “hi. this is your photo?”, followed by a smiley and 5 randomly generated letters. On the next line is a URL that changes all the time.

Previously, if you clicked on the link, it presented a page asking for your MSN login information, but this time it automatically prompts you to download a file, “Picture_2525.exe”, 1.8MB in size, which IS a virus.
If you accidentally run the file, you should see a small window that says “bedava Film indir. Hemen TIKLA 7”, which I have no idea what it means since Google Translate does not support Azerbaijani. Clicking on that window opens an advertising page in your default browser.

I analyzed the Picture_2525.exe file by running it on my test computer and found that it drops a few files into your system32 folder and installs a service to start the file automatically when Windows boots. It also changes your Internet Explorer start page to point to www.googlesayfa.com/en, which looks very similar to the official Google Search page except that it has a Google Adsense advertisement at the bottom and a sentence that says “this website unofficial Google Search Fan website”. Other than that, it also creates a connection to a US IP, 67.228.41.155, on port 6772.
I uploaded Picture_2525.exe to VirusTotal and 33 out of 41 antivirus engines detect this file as a threat. Fortunately this virus is not hard to clean because it is not “persistent”. I could create a batch file to clean it automatically, but you can just run the commands below to get rid of it.
1. Open Windows Task Manager (press Ctrl+Shift+Esc simultaneously), go to the Processes tab, right-click each of the processes below and select End Process:
svlost.exe
svlostSrv.exe
tasman.exe
2. Then press Win+R simultaneously to bring up the Run window and type the following command.
sc delete svlostServices
3. Delete the files listed below from the Windows\System32 folder.
libeay32.dll
ssleay32.dll
svlost.exe
svlosta.dll
svlostb.dll
svlostSrv.exe
tasman.exe
4. Again press Win+R simultaneously to bring up the Run window and type the two commands below. Type the first one, hit Enter, and then continue to the second one.
reg delete "hkcu\software\microsoft\internet explorer\main" /v default_page_url /f
reg delete "hkcu\software\microsoft\internet explorer\main" /v "Start Page" /f
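Steps 1 to 4 as one script, added here as an example and not the author's own batch file: it reports each indicator it finds and changes nothing unless run with -Remove from an elevated prompt. Assumptions not in the post: the SysWOW64 folder is also checked, the two OpenSSL-named DLLs are reported but left for manual review, and the start-page values are removed only when they point at the googlesayfa address.

```powershell
# Added example: audit (default) or clean (-Remove) the indicators from steps 1-4.
param([switch]$Remove)

$procNames = 'svlost', 'svlostSrv', 'tasman'               # step 1, without .exe
$service   = 'svlostServices'                              # step 2
$files     = 'libeay32.dll', 'ssleay32.dll', 'svlost.exe', 'svlosta.dll',
             'svlostb.dll', 'svlostSrv.exe', 'tasman.exe'  # step 3
$ieKey     = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ieValues  = 'default_page_url', 'Start Page'              # step 4
# libeay32.dll and ssleay32.dll are also the file names of the OpenSSL libraries,
# so another program may own a copy: they are reported, never auto-deleted.
$shared    = 'libeay32.dll', 'ssleay32.dll'

# Step 1: running processes
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    Write-Output "process  $($p.Name) (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Step 2: the auto-start service ("sc" alone is a PowerShell alias, so call sc.exe)
if (Get-Service -Name $service -ErrorAction SilentlyContinue) {
    Write-Output "service  $service"
    if ($Remove) { & sc.exe stop $service | Out-Null; & sc.exe delete $service | Out-Null }
}

# Step 3: dropped files (SysWOW64 is an assumption: on 64-bit Windows a
# 32-bit program's writes to System32 are redirected there)
$dirs = "$env:windir\System32", "$env:windir\SysWOW64" | Where-Object { Test-Path $_ }
foreach ($d in $dirs) {
    foreach ($f in $files) {
        $path = Join-Path $d $f
        if (Test-Path -LiteralPath $path) {
            Write-Output "file     $path"
            if ($Remove -and $shared -notcontains $f) { Remove-Item -LiteralPath $path -Force }
        }
    }
}

# Step 4: Internet Explorer start-page values, only if they point at the hijack page
foreach ($v in $ieValues) {
    $cur = (Get-ItemProperty -Path $ieKey -Name $v -ErrorAction SilentlyContinue).$v
    if ($cur -like '*googlesayfa*') {
        Write-Output "registry $v = $cur"
        if ($Remove) { Remove-ItemProperty -Path $ieKey -Name $v -Force }
    }
}
```

Run it once without -Remove and read the report first; an empty report means none of the listed indicators are present.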
The virus has been completely removed from your computer. However, I’d still advise you to change your MSN password just to be on the safe side. I did a Reverse IP search using my DomainTools account on the domain that I received from the MSN message and it showed me that there are 52 more domains hosted on the same server.

You should avoid visiting all the websites below.
If any of your friends sends you such a message, tell them to come to this page to learn how to clean up the virus that is on their computer.
Thank you very much. Yes, it is Turkish.
Thanks Ray, I got the "is this you in picture" and downloaded it. Got it in an email; I also got the iPhone kidnap today from the same contact in an MSN message.
Thank you for this, I like it.
thanks for the info. pls tell more.
o0o0 ma search b4 doing nythin else save me..:)
It is better to use Robtex for domain reversing.
DomainTools only allows a limited count of listed domains.