I’ve always tried to raise awareness so that everyone watches out for the fake MSN messages sent from friends in your contact list. First it was PICS FOR MSN FRIENDS, then came VERIFY WHO BLOCKED YOU ON THEIR MSN CONTACT LIST. Those fake messages are sent by an automated system run by the phishers who have obtained your MSN login and password. It is unclear what the phishers do with the MSN accounts, but they appear to be harvesting a lot of them.
Recently I’ve been getting a new type of fake MSN message sent by a friend from my contact list. As usual the sender is offline when you receive it, and if they are online, they most probably sent it earlier as an offline message. The message contains only one sentence, “hi. this is your photo?”, followed by a smiley and 5 randomly generated letters. On the next line it has a URL that changes every time.

Previously, clicking the link presented a page asking you to enter your MSN login information, but this time it automatically prompts you to download a file, “Picture_2525.exe”, 1.8MB in size, which IS a virus.
If you accidentally run the file, you will see a small window that says “bedava Film indir. Hemen TIKLA 7”, which I have no idea about since Google Translate does not support Azerbaijani. Clicking on that window opens an advertising page in your default browser.

I analyzed Picture_2525.exe by running it on my test computer and found that it drops a few files into the System32 folder and installs a service so that the file starts automatically when Windows boots. It also changes your Internet Explorer start page to www.googlesayfa.com/en, which looks very similar to the official Google Search page except that it has a Google AdSense advertisement at the bottom and a sentence saying “this website unofficial Google Search Fan website”. Other than that, it also opens a connection to the US IP 67.228.41.155 on port 6772.
I uploaded Picture_2525.exe to VirusTotal and 33 out of 41 antivirus engines detect this file as a threat. Fortunately this virus is not hard to clean because it is not “persistent”. I could create a batch file to clean it automatically, but you can just run the commands below to get rid of it.
1. Open Windows Task Manager (press Ctrl+Shift+Esc simultaneously), go to the Processes tab, right-click each of the processes below and select End Process:
svlost.exe
svlostSrv.exe
tasman.exe
2. Then press Win+R simultaneously to bring up the Run window and type the following command:
sc delete svlostServices
3. Delete the files listed below from the Windows\System32 folder.
libeay32.dll
ssleay32.dll
svlost.exe
svlosta.dll
svlostb.dll
svlostSrv.exe
tasman.exe
4. Again press Win+R simultaneously to bring up the Run window and type the two commands below. Type one, hit Enter, then continue with the second one.
reg delete "hkcu\software\microsoft\internet explorer\main" /v default_page_url /f
reg delete "hkcu\software\microsoft\internet explorer\main" /v "Start Page" /f
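As an added example, not the post’s own batch file, the PowerShell script below covers both the analysis above (the dropped files, the service, the Internet Explorer start page and the connection to 67.228.41.155:6772) and the four removal steps: run without arguments it only reports which indicators are present on the machine; with -Clean it carries out the steps in the post’s order, and -WhatIf shows what would be done without touching anything. The script name, the -Clean switch and the use of Stop-Service before sc delete are assumptions of this example; every indicator value is taken from the post as written. Note that libeay32.dll and ssleay32.dll are the standard OpenSSL library names, so other software may legitimately place copies in System32; compare their version information or hash before deleting them.

```powershell
<#
Added example, not the post's own batch file. Reports the indicators described
in the post and, with -Clean, performs the four removal steps. Run from an
elevated PowerShell prompt. Indicator values (file names, service name, start
page, C2 address/port) are taken from the post as written.
Usage:  .\Check-SvlostInfection.ps1          # report only (script name assumed)
        .\Check-SvlostInfection.ps1 -Clean   # report and remove
        .\Check-SvlostInfection.ps1 -Clean -WhatIf   # dry run
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Clean)

$System32     = Join-Path $env:SystemRoot 'System32'
$ProcessNames = 'svlost', 'svlostSrv', 'tasman'          # process names without .exe
$ServiceName  = 'svlostServices'
$DroppedFiles = 'libeay32.dll', 'ssleay32.dll', 'svlost.exe', 'svlosta.dll',
                'svlostb.dll', 'svlostSrv.exe', 'tasman.exe'
$IeMain       = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$IeValues     = 'default_page_url', 'Start Page'
$C2Address    = '67.228.41.155'
$C2Port       = 6772

# --- Detection: collect what is present before touching anything -------------
$procs   = $ProcessNames | ForEach-Object { Get-Process -Name $_ -ErrorAction SilentlyContinue }
$service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$files   = $DroppedFiles | ForEach-Object { Join-Path $System32 $_ } | Where-Object { Test-Path $_ }
$ieProps = Get-ItemProperty -Path $IeMain -ErrorAction SilentlyContinue
$ieHits  = $IeValues | Where-Object { $ieProps.$_ -match 'googlesayfa\.com' }
# netstat -ano exists on every supported Windows version; its foreign-address
# column is matched against the address and port seen during the analysis.
$conns   = netstat -ano | Select-String -Pattern ("{0}:{1}" -f [regex]::Escape($C2Address), $C2Port)

foreach ($p in $procs)  { "process running:   $($p.Name).exe (PID $($p.Id))" }
if ($service)           { "service installed: $ServiceName ($($service.Status))" }
foreach ($f in $files)  { "file present:      $f" }
foreach ($v in $ieHits) { "IE value hijacked: $v = $($ieProps.$v)" }
foreach ($c in $conns)  { "C2 connection:     $($c.Line.Trim())  (PID is the last column)" }
if (-not ($procs -or $service -or $files -or $ieHits -or $conns)) { 'No indicators found.' }

if (-not $Clean) { return }

# --- Cleanup: the post's four steps, in the same order -----------------------
# Step 1: end the processes (Task Manager -> End Process).
foreach ($p in $procs) {
    if ($PSCmdlet.ShouldProcess("$($p.Name).exe (PID $($p.Id))", 'Stop process')) {
        Stop-Process -Id $p.Id -Force
    }
}
# Step 2: "sc delete svlostServices". Stopping it first is an addition to the
# post: a running service is only marked for deletion until it stops, and its
# executable cannot be deleted in step 3 while it is still running. Note that
# plain "sc" is an alias for Set-Content in PowerShell, hence sc.exe.
if ($service -and $PSCmdlet.ShouldProcess($ServiceName, 'Stop and delete service')) {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    & sc.exe delete $ServiceName | Out-Null
}
# Step 3: delete the dropped files. Caveat: libeay32.dll and ssleay32.dll are
# standard OpenSSL library names that other software may also place here, so
# compare their version info or hash with a known-bad sample before deleting.
foreach ($f in $files) {
    if ($PSCmdlet.ShouldProcess($f, 'Delete file')) { Remove-Item -Path $f -Force }
}
# Step 4: the two "reg delete ... /f" commands, limited here to values that
# actually point at the hijacked start page.
foreach ($v in $ieHits) {
    if ($PSCmdlet.ShouldProcess("$IeMain\$v", 'Delete registry value')) {
        Remove-ItemProperty -Path $IeMain -Name $v -Force
    }
}
```

Running the report mode first and keeping its output is worth the extra step: the list of present files and the netstat line (with the owning PID) are the evidence you would want if the same message later turns up on another machine on the network.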
The virus has now been completely removed from your computer. However, I’d still advise you to change your MSN password just to be on the safe side. I did a reverse IP search using my DomainTools account on the domain that I received in the MSN message, and it showed that 52 more domains are hosted on the same server.

You should avoid visiting all the websites below.
Ahvalimsn.info
Ankemsn.info
Arabiamarabia.info
Arabimsnks.info
Asmsnas.info
Azrrufi.info
Baemsn.info
Burdamsns.info
Demlikciheymsn.info
Denimenter.info
Dubaimsn.info
Ehlenselamam.info
Elmsnulblock.info
Gerwhymsn.info
Habibimwhos.info
Habibmsnd.info
Habibulmsn.info
Hakmsns.info
Haydari.info
Heymanat.info
Hombilmombil.info
Kimbenibans.info
Kimbitr.info
Kimpetek.info
Leyyamsn.info
Lovemsnlove.info
Lovepoemswhy.info
Maishemsn.info
Menzilmsn.info
Msnbut.info
Msniblock.info
Msniblocki.info
Msnminepr.info
Msnmsntsn.info
Msnsenm.info
Mustarabis.info
Myfedorea.info
Mysoutchests.info
Nerdenmsns.info
Patlirafan.info
Peyamnetsd.info
Pirinces.info
Reddumsn.info
Senmsnen.info
Seyyarmsn.info
Seyyarmsnn.info
Tayyarmsn.info
Thisallfreegetit8.info
Turustum.info
Vasilios.info
Wheremerewhy.info
Zlanmsnm.info
Karamsns.info
If any of your friends sends you such a message, tell them to come to this page to learn how to clean up the virus on their computer.
I have searched in the Task Manager and Windows 32 file. I could not find any of those files you listed. Does that mean they’re deleted by my anti-virus programme? However, when I boot up my comp, there will be an alert of a virus and my Windows Defender will automatically remove it. It is successful, but it always pops up every time I boot up the comp. Is the virus deleted or not?!
It’s better to use Robtex for domain reversing.
DomainTools only allows a limited count of listed domains.
o0o0 ma search b4 doing nythin else save me..:)
Thanks for the info. Please tell more.
Thank you for this, I like it.
Thanks Ray, I got the “is this you in picture” one and downloaded it. Got it in an email; I also got the iPhone kidnap one today from the same contact in an MSN message.
Thank you very much. Yes, it is Turkish.
My MSN got hacked and the phisher also changed my password. How do they do this?
I like this article so much.
I got infected by such a virus but the processes weren’t there; it had something else (only one). The description it gave was some firewall service. (I only have the Windows firewall.)
Thanks for notifying us..
Good awareness post
Thank you Raymond – very useful detail.
Hi Raymond –
Did you verify that libeay32.dll & ssleay32.dll that you recommend deleting are actually infected? They’re normally OpenSSL dlls and needed by any apps relying on them for third party HTTPS support – curl and wget for example. Worst that could happen on deleting them is you have to put the files back before the other apps work again but just thought you might want a heads up :)
I get a lot of messages from my friends with some of the links you mentioned.
Great info Raymond
thanks …
Thanks for the great write up Raymond. Amazes me how people insist on criticizing people’s work, if you don’t like the post, then don’t comment.
Gr8 work dear
True, a Trojan is a program that appears harmless but hides malicious functions however the term “computer virus” is also sometimes used as a catch-all phrase to include all types of malware, adware, and spyware programs that do not have the reproductive ability.
A virus, Raymond? I’d call it malware or a trojan. This exe is not a virus in the original meaning of the word.
Thanx for the info
Good work. Thanks.
Always nice and useful info that you bring to us. Thanx for the articles Raymond. I know that it’s worth it much when I decide to subscribe to your blog. Keep up your great info ;)
Aw, sorry to disappoint you emtunc, but you’re just exaggerating. There was never a time when I had great articles “everyday” because everything I write here is based on my personal experience with computers.
Why don’t you tell us all what was the daily great article that you enjoyed so much, then I can know how to satisfy you.
I see a very busy man who used to have great articles every day but now they’re a bit :(
That’s not Azerbaijani Raymond, it’s Turkish: “Download free movie. Click now”.
I have no idea about what that “7” might be.
Firefox blocks the websites, says it’s been reported as an attack site, so that’s ok :) Still don’t open links which say
“here is video of you” or “here is picture of you”!
Thanks Raymond, I got this type of messages by email!!! So many times, and in MSN chats. It is a bot, beware, block people like this, very dangerous!!
Thanks emtunc for pointing out all the “mistakes”, if that is all you see in this article.
It’s not Azerbaijani… it’s Turkish.
It says “Free film downloads, hurry”… not sure what tikla means.
These aren’t “new” btw… they’ve been around for years now
Thanks for this information… I will change my MSN password because I also got this kind of problem before… thanks again!
This is good to know. Is it possible that this also sends other messages? My friend once sent me the picture message but is now also sending me messages about winning an iPhone or a laptop (it’s in Dutch).
Screenshot is in the url.
Thanks!
Thanks for sharing the info..!!
Good Day..
Such a great piece of information, thanks for telling us. As with your previous posts, I already referred one of my friends to it. One more time, thanks.
You are great.
Regards,
Ahmad Saleem