Virus’d

Posted on February 6, 2008

Here’s how it all started. A simple little message in Live Messenger from a co-worker:

hey is it really you on this pic? :) http://msnprofiles.ms.funabc.de/viewimage.php?=billy@email.com

(of course I’ve munged the URL and email a bit, but the email address would be your Live ID address)

From there a day went from pleasant to crappy pretty quickly.

In the Beginning

One person got that message at work today and clicked the link. They got a prompt, ran a program (thinking they were opening the picture) and started sending similar messages to most of their Messenger contact list.

From there it cascaded and went downhill quickly.

Fortunately, we caught on quickly enough to get the madness stopped with only 6 infected client PCs!

Unfortunately, I learned a valuable lesson about idly clicking on things while on the phone… I was one of the infected. I’m so very humiliated.

Know what though? While my Messenger sent a few new hits before I squashed it, I didn’t get the borked hosts file and I didn’t get the full payload (just the infected “picture” with a .com extension. heh). I run Vista and, in this case, I think it actually saved me some additional grief. :-)

What IS This Thing?

Four of the six machines had seriously fubar’d local hosts files (the user whose file wasn’t touched has much lower local rights on his PC… there’s food for thought). Every AV vendor and most major web sites were pointed at 127.0.0.1, which makes curing the virus, or using the Internet at all, a lot harder! Fortunately, we figured that one out quickly enough.
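The hosts-file sabotage described above is easy to check for. The following is an added example, not code from the post: it parses a Windows-style hosts file and flags any non-local hostname pinned to a loopback address. The sample file and its domain names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of a tampered hosts file, modelled on the symptom in
# the post: AV vendors and popular sites sinkholed to loopback. The domain
# names are illustrative assumptions, not taken from a real infection.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com  # added by the worm
127.0.0.1       www.kaspersky.com
127.0.0.1       www.google.com
192.168.1.10    intranet.example.local
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately resolve to loopback on a clean machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname to the addresses it is pinned to (comments stripped)."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def suspicious_entries(text: str) -> List[str]:
    """Return non-local hostnames that are sinkholed to a loopback address."""
    flagged = []
    for name, addrs in parse_hosts(text).items():
        if name in LOCAL_NAMES:
            continue
        if any(a in LOOPBACK for a in addrs):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for host in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts file sinkholes {host} -> loopback (check for tampering)")
```

Run it against the real file (`C:\Windows\System32\drivers\etc\hosts`) and anything it flags besides your own intentional entries is a sign the machine has been tampered with.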

Assuming that the local AV was as compromised as the hosts files, we initially tried going the online scanner route. I’d recently heard good things about Kaspersky’s Online scanner so we started there. It did a good job identifying spyware, but only on one machine did it identify a virus: Buzus.aa. Since it only spotted that on one, we weren’t quite sure if that was really what we were after. It also didn’t seem to want to fix the found issues (for free).

On to Panda Security’s online option. While that page mentions disinfecting, cleaning the detected viruses wasn’t an option.

Hmm… ok, how about Trend Micro’s Housecall? Well, we had no luck with that one either. (and honestly, I can’t recall if it was because it wouldn’t fix or didn’t detect).

While all of that was going on, our CIO was off doing some research of his own. Based on the file he fetched from the “bad” URL and a visit to Virus Total we suddenly had a good idea of what we were up against — and which AV vendors had cures. Finally, we could see a bit of light at the end of the tunnel. It is very frustrating not knowing what you’re up against. (Symantec calls it W32.Spybot.Worm. An oldie but a goodie.)

Finally a Bit of Good News

For client antivirus we run a very old version of Symantec Corp Edition. Honestly, I don’t trust it all that much, but they still send updates for it so we continue to use it while I continue to vow to replace it. The second time we refreshed that Virus Total link (above) we noticed that Symantec had just updated their data files. Well, that’s a good sign, right?

We headed to our centralized AV console, pulled the new definition files (dats) and then did a big push out to all the clients. Then we visited each infected machine and started a manual scan. Lo and behold, it was detecting and fixing them. Sweet!

It actually took two runs to fix — the second one being in safe mode. If we hadn’t been so giddy we would’ve figured that out sooner. But now, several hours later, I’m pleased to say that things seem to be back to normal.

Done

*phew* That sucked. Now that Google Talk can support group chats, I’m toying with just making the draconian call of banning Live Messenger. Something similar happened 6 months ago… time to burn the barn door behind the sinking horse!

On that note, looks like the final scan is finished and clean so I do believe I’ll pack up and head for home. I have a big day of lecturing folks ahead of me tomorrow.

(just found a similar tale)


Comments

11 Responses to “Virus’d”

  1. Rich G. on February 6th, 2008 8:36 pm
  2. Chris Kasten on February 6th, 2008 9:37 pm

    LOL! You got a mean streak :p

  3. Chris Kasten on February 7th, 2008 7:27 am

    Just in case anyone ends up here from a search, some more tips and links for removal can be found at this forum thread:

    http://www.broadbandreports.com/forum/r19947177-New-virus-going-around-on-msn-messenger

  4. Peter Motyka on February 7th, 2008 8:03 am

    Deploy macs through the office and the problem will go away :)

  5. Chris Kasten on February 7th, 2008 8:08 am

    Lol, you sound like Rich’s twitter comment from last night. Wise guys, the all of ya.

  6. mirgi on February 7th, 2008 10:28 am

    I am very satisfied with Kaspersky :)

  7. Vox on February 7th, 2008 11:45 am

    So, Handy, I shouldn’t make my obligatory “this has never happened in linux” comment? :)

  8. Steven Stoddard on February 8th, 2008 8:29 am

    Yeah, this definitely happened to me a while ago. Funny how all those links you get from your friends can seem so trusting. :(

  9. Pingback: Virus’d - The Follow-up » Solo Technology on February 8th, 2008 12:39 pm

  10. Pingback: Virus Alert! msn sending virus using user email add « Searching for The Game on March 12th, 2008 10:13 pm

  11. Pingback: Swatted » Solo Technology on June 22nd, 2008 4:31 pm
