Virus’d
Here’s how it all started. A simple little message in Live Messenger from a co-worker:
hey is it really you on this pic?
http://msnprofiles.ms.funabc.de/viewimage.php?=billy@email.com
(of course I’ve munged the URL and email a bit, but the email address would be your Live ID address)
From there a day went from pleasant to crappy pretty quickly.
In the Beginning
One person got that message at work today and clicked the link. They got a prompt, ran a program (thinking they were opening the picture) and started sending similar messages to most of their Messenger contact list.
From there it cascaded and went downhill quickly.
Fortunately, we caught on quickly enough to get the madness stopped with only 6 infected client PCs!
Unfortunately, I learned a valuable lesson about idly clicking on things while on the phone… I was one of the infected. I’m so very humiliated.
Know what though? While my Messenger sent a few new hits before I squashed it, I didn’t get the borked hosts file and I didn’t get the full payload (just the infected “picture” with a .com extension. heh). I run Vista and, in this case, I think it actually saved me some additional grief.
What IS This Thing?
Four of the six machines had seriously fubar’d local hosts files (the user who didn’t has much lower local rights on his PC… there’s food for thought). Every AV company and most major web sites were all set to 127.0.0.1 — which does terrible things to your chances of curing the virus, or even using the Internet! Fortunately, we figured that one out quickly enough.
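Here is an added example (my own, not part of the original write-up) of the check we ended up doing by eye on each box: a small Python script that parses a hosts file and flags every name, other than the usual localhost aliases, that has been pinned to a loopback or unspecified address. The hosts content below is constructed to mimic what we saw; the vendor domains in it are illustrative, and the Windows path is the standard location of the file.

```python
import ipaddress
import os

# Constructed sample of a hosts file in the state described above:
# AV vendors and major sites sinkholed to 127.0.0.1, plus legitimate entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com symantec.com liveupdate.symantec.com
127.0.0.1\tkaspersky.com www.kaspersky.com   # tab-separated, trailing comment
127.0.0.1 housecall.trendmicro.com
127.0.0.1 www.google.com
192.168.1.20 intranet.example.local
"""

# Names that legitimately resolve to loopback; anything else pointed there is suspect.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Standard location of the hosts file on Windows (used only when run as a script).
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()                 # any whitespace, tabs included
        ip, names = fields[0], fields[1:]     # one IP may carry several names
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return [(ip, name)] for names sinkholed to loopback/unspecified addresses."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                          # malformed line; not our concern here
        if (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOOPBACK:
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    path = WINDOWS_HOSTS if os.path.exists(WINDOWS_HOSTS) else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for ip, name in suspicious_entries(fh.read()):
            print(f"SUSPECT {ip:<16} {name}")
```

Run it as a script on a machine and any line it prints is a vendor or web site the worm has cut off; a clean box prints nothing.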
Assuming that the local AV was as compromised as the hosts files, we initially tried going the online scanner route. I’d recently heard good things about Kaspersky’s Online scanner so we started there. It did a good job identifying spyware but only on one machine did it identify a virus: Buzus.aa. Since it only spotted that on one, we weren’t quite sure if that was really what we were after. It also didn’t seem to want to fix the found issues (for free).
On to Panda Security’s online option. While that page mentions disinfecting, cleaning the detected viruses wasn’t an option.
Hmm… ok, how about Trend Micro’s Housecall? Well, we had no luck with that one either. (and honestly, I can’t recall if it was because it wouldn’t fix or didn’t detect).
While all of that was going on, our CIO was off doing some research of his own. Based on the file he fetched from the “bad” URL and a visit to Virus Total we suddenly had a good idea of what we were up against — and which AV vendors had cures. Finally, we could see a bit of light at the end of the tunnel. It is very frustrating not knowing what you’re up against. (Symantec calls it W32.Spybot.Worm. An oldie but a goodie.)
Finally a Bit of Good News
For client antivirus we run a very old version of Symantec Corp Edition. Honestly, I don’t trust it all that much, but they still send updates for it so we continue to use it while I continue to vow to replace it. The second time we refreshed that Virus Total link (above) we noticed that Symantec had just updated their data files. Well, that’s a good sign, right?
We headed to our centralized AV console and pulled the dats and then did a big push out to all the clients. Then we visited each infected machine and started a manual scan. Lo and behold, it was detecting and fixing them. Sweet!
It actually took two runs to fix — the second one being in safe mode. If we hadn’t been so giddy we would’ve figured that out sooner. But now, several hours later, I’m pleased to say that things seem to be back to normal.
Done
*phew* That sucked. Now that Google Talk can support group chats, I’m toying with just making the draconian call of banning Live Messenger. Something similar happened 6 months ago… time to burn the barn door behind the sinking horse!
On that note, looks like the final scan is finished and clean so I do believe I’ll pack up and head for home. I have a big day of lecturing folks ahead of me tomorrow.
(just found a similar tale)
Is this you?
http://msnprofiles.ms.funabc.de/viewimage.php?=billy@email.com
*grin*
LOL! You got a mean streak :p
Just in case anyone ends up here from a search, some more tips and links for removal can be found at this forum thread:
http://www.broadbandreports.com/forum/r19947177-New-virus-going-around-on-msn-messenger
Deploy macs through the office and the problem will go away
Lol, you sound like Rich’s twitter comment from last night. Wise guys, the all of ya.
I am with Kaspersky, very satisfied :)
So, Handy, I shouldn’t make my obligatory “this has never happened in linux” comment?
Yeah, this definitely happened to me a while ago. Funny how all those links you get from your friends can seem so trusting.