Beware of the New “hi. this is your photo?” MSN Virus

Posted By Raymond In Category: Computer

Feb 23, 2010

I’ve always tried to raise awareness so that everyone watches out for those fake MSN messages sent by friends from your contact list. At first it was PICS FOR MSN FRIENDS, then came VERIFY WHO BLOCKED YOU ON THEIR MSN CONTACT LIST. Those fake messages are sent by an automated system created by the phishers who got hold of your MSN login and password. It is unclear what the phishers will do with your MSN accounts, but they seem to be harvesting a lot of them.

Recently I’ve been getting a new type of fake MSN message, sent by a friend from my contact list. As usual, they will be offline when you get the message, and if they are online, they most probably sent it earlier as an offline message to you. The message contains only one sentence, “hi. this is your photo?”, followed by a smiley and 5 randomly generated letters. On the next line it has a URL that changes all the time.

hi. this is your photo?

Previously, clicking on the link presented a page asking you to enter your MSN login information, but this time it automatically prompts you to download a file, “Picture_2525.exe”, 1.8MB in size, which IS a virus.


If you accidentally run the file, you should see a small window that says “bedava Film indir. Hemen TIKLA 7”, which I have no idea about since Google Translate does not support Azerbaijani. Clicking on that window opens an advertising page in your default browser.

I analyzed the Picture_2525.exe file by running it on my test computer and found that it drops a few files into your System32 folder and installs a service to auto-start the file when Windows boots. It also changes your Internet Explorer start page to www.googlesayfa.com/en, which looks very similar to the official Google Search page except that it has a Google AdSense advertisement at the bottom and a sentence that says “this website unofficial Google Search Fan website”. Other than that, it also creates a connection to a US IP, 67.228.41.155, on port 6772.

I uploaded Picture_2525.exe to VirusTotal and 33 out of 41 antivirus engines detect this file as a threat. Fortunately this virus is not hard to clean because it is not “persistent”. I could create a batch file to auto-clean it, but you can just run the commands below to get rid of it.

1. Open Windows Task Manager (press Ctrl+Shift+Esc simultaneously), go to the Processes tab, right-click each of the processes below and select End Process:

svlost.exe
svlostSrv.exe
tasman.exe

2. Then simultaneously press Win+R to bring up the Run window and type the following command.

sc delete svlostServices

3. Delete the files listed below from the Windows\System32 folder.

libeay32.dll
ssleay32.dll
svlost.exe
svlosta.dll
svlostb.dll
svlostSrv.exe
tasman.exe

4. Again simultaneously press Win+R to bring up the Run window and type the two commands below. Type the first one, hit Enter, then do the same for the second.

reg delete "hkcu\software\microsoft\internet explorer\main" /v default_page_url /f
reg delete "hkcu\software\microsoft\internet explorer\main" /v "Start Page" /f
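The four steps above as a single batch file, added here as an example (it is not the post’s own script): it checks for the outbound connection the post describes, ends the processes, deletes the service and the registry values, and moves the dropped files into a quarantine folder instead of deleting them, so libeay32.dll and ssleay32.dll (normally OpenSSL libraries) can be put back if a legitimate program turns out to need them. It assumes it is run from a Command Prompt started with “Run as administrator”; the quarantine folder name is my own choice.

```batch
@echo off
REM Added example, not the original post's script: automates steps 1-4 above.
REM Run from a Command Prompt started with "Run as administrator".
REM Dropped files are moved to a quarantine folder rather than deleted, so that
REM libeay32.dll and ssleay32.dll (normally OpenSSL libraries) can be restored
REM if some legitimate program needs them. The folder name is an assumption.
setlocal
set "SYS=%SystemRoot%\System32"
set "QUAR=%SystemDrive%\msn_virus_quarantine"

echo [0] Checking for the outbound connection to 67.228.41.155:6772 ...
netstat -ano | find "67.228.41.155:6772" && echo     ACTIVE CONNECTION FOUND

echo [1] Ending the malware processes ...
for %%P in (svlost.exe svlostSrv.exe tasman.exe) do (
    tasklist /FI "IMAGENAME eq %%P" | find /I "%%P" >nul && (
        echo     %%P is running, terminating it
        taskkill /F /IM %%P >nul
    )
)

echo [2] Removing the auto-start service ...
sc query svlostServices >nul 2>&1 && (
    sc stop svlostServices >nul 2>&1
    sc delete svlostServices
) || echo     service svlostServices not present

echo [3] Quarantining the dropped files from %SYS% ...
if not exist "%QUAR%" mkdir "%QUAR%"
for %%F in (libeay32.dll ssleay32.dll svlost.exe svlosta.dll svlostb.dll svlostSrv.exe tasman.exe) do (
    if exist "%SYS%\%%F" (
        echo     moving %%F
        move /Y "%SYS%\%%F" "%QUAR%\" >nul
    )
)

echo [4] Removing the hijacked Internet Explorer start page values ...
reg delete "hkcu\software\microsoft\internet explorer\main" /v default_page_url /f >nul 2>&1
reg delete "hkcu\software\microsoft\internet explorer\main" /v "Start Page" /f >nul 2>&1

echo Done. Quarantined files are in %QUAR%. Now change your MSN password.
endlocal
```

If none of the files or the service are found, the script reports that and changes nothing, which is a quick way to confirm whether a computer was actually hit by this particular sample.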
The virus has been completely removed from your computer. However, I’d still advise you to change your MSN password just to be on the safe side. I did a Reverse IP search using my DomainTools account on the domain that I received in the MSN message and it showed that 52 more domains are hosted on the same server.

You should avoid visiting all the websites below.

If any of your friends sends you such a message, tell them to come to this page to learn how to clean up the virus that is on their computer.


    • Ahmad Saleem

      Such a great piece of information, thanks for telling us. As with what you published previously, I have already referred one of my friends to it. Thanks once more.

      You are great.

      Regards,

      Ahmad Saleem

    • Sutanuka Basu Ray

      Thanks for sharing the info..!!
      Good Day..

    • http://jonkerman.netne.net/2010-02-23_101431.png Danny

      This is good to know. Is it possible that this also sends other messages? My friend once sent me the picture message but is now also sending me messages about winning an iPhone or a laptop (it’s in Dutch).
      Screenshot is in the url.
      Thanks!

    • Apiz

      Thanks for this information… I will change my MSN password because I also got this kind of problem before… thanks again!

    • emtunc

      It’s not Azerbaijani… it’s Turkish.
      It says “Free film downloads, hurry”… not sure what tikla means.
      These aren’t “new” btw… they’ve been around for years now

    • http://www.raymond.cc/ Raymond

      Thanks emtunc for pointing out all the “mistakes”, if that is all you see in this article.

    • sohail20

      Thanks Raymond, I got this type of message by email so many times, and in MSN chats. It is a bot, beware, block people like this, very dangerous!!

    • sohail20

      Firefox blocks the websites, it says it has been reported as an attack site, so that’s ok :) Still, don’t open links which say
      “here is video of you” or “here is picture of you”!

    • hex

      That’s not Azerbaijani Raymond, it’s Turkish: “Download free movie. Click now”.

      I have no idea about what that “7” might be.

    • emtunc

      I see a very busy man who used to have great articles every day but now they’re a bit :(

    • http://www.raymond.cc/ Raymond

      Aw sorry to disappoint you emtunc but you’re just exaggerating. There was never a time when I have great articles “everyday” because everything I write here is based on my personal experience with computers.

      Why don’t you tell us all what was the daily great article that you enjoyed so much, then I can know how to satisfy you.

    • http://www.arispi.com ari

      Always nice and useful info that you bring to us. Thanks for the articles Raymond. I know that it’s well worth it when I decide to subscribe to your blog. Keep up your great info ;)

    • Arda Hakan

      Good work. Thanks.

    • Ajay

      Thanx for the info

    • Gabethebabe

      A virus, Raymond? I’d call it malware or a trojan. This exe is not a virus in the original meaning of the word.

    • http://www.raymond.cc/ Raymond

      True, a Trojan is a program that appears harmless but hides malicious functions however the term “computer virus” is also sometimes used as a catch-all phrase to include all types of malware, adware, and spyware programs that do not have the reproductive ability.

    • http://viethak.com abhi_12ka4

      Gr8 work dear

    • http://www.faqpal.com FAQPAL

      Thanks for the great write up Raymond. Amazes me how people insist on criticizing people’s work, if you don’t like the post, then don’t comment.

    • http://www.itechmax.com Hammad

      I get a lot of messages from my friends with some of the links you mentioned.
      Great info Raymond,
      thanks …

    • Moose

      Hi Raymond –

      Did you verify that libeay32.dll & ssleay32.dll that you recommend deleting are actually infected? They’re normally OpenSSL dlls and needed by any apps relying on them for third party HTTPS support – curl and wget for example. Worst that could happen on deleting them is you have to put the files back before the other apps work again but just thought you might want a heads up :)

    • Merlin_Magii

      Thank you Raymond – very useful detail.

    • http://www.technoskillonline.com sudharsan @ technoskillonline

      Thanks for notifying us..
      Good awareness post

    • SHAN

      I got infected by such a virus but the processes were not there, it had something else (only one); the description it gave was some firewall service. (I only have the Windows firewall)

    • wilson

      I like this article so much.

    • http://jobberies.com Nagobonar

      My MSN got hacked and the phisher also changed my password. How do they do this?

    • Uzmanprogram

      Thank you very much. Yes, it is Turkish.

    • Catherine

      Thanks Ray, I got the “is this you in picture” and downloaded it. Got it in an email; I also got the iPhone kidnap today from the same contact in an MSN message.

    • http://itisturkish oubahida

      Thank you for this, I like it.

    • lyche

      Thanks for the info. Please tell more.

    • Nimmy

      Oh, my search before doing anything else saved me.. :)

    • invisible_theater

      It is better to use Robtex for domain reversing.
      DomainTools only allows a limited count of listed domains.

    • Jamez

      I have searched in the Task Manager and the Windows System32 folder. I could not find any of those files you listed. Does that mean they’re deleted by my anti-virus programme? However, when I boot up my computer, there is an alert of a virus and my Windows Defender automatically removes it. It is successful, but it always pops up every time I boot up the computer. Is the virus deleted or not?!

    Copyright © 2005-2012 - Raymond.CC Blog