Password changing Virus/Worm spreading through MSN

Discussion in 'Computer Security' started by SuperTycoon, May 27, 2006.

  1. Yesterday I received a link in an MSN messenger conversation to a web
    address which ended in my email address, and had php somewhere in it. The link
    asked me to download an .exe file with my email address as the name. Being
    stupid I downloaded and ran this file, assuming that if it were malicious then
    my virus scanner (Norton 2004 - regularly updated virus definitions) would
    catch it.

    When I clicked the .exe file nothing seemed to happen, the file disappeared
    from my desktop and there were no immediate symptoms. However, when I came to
    log onto my computer today Windows would not accept my password (I'm running
    Windows XP Home Edition). I tried many times, including playing with things
    like capitalisation, and discovered that my password had definitely been
    changed. Also I found that the alt + ctrl + delete + delete key combination
    which normally opens the 'classic' Windows logon screen where I could attempt
    to use the default 'Administrator' account no longer functioned.

    I can't find any reference to this issue anywhere, and I'm worried that I
    might have to do a clean install of Windows. However, if anyone else has had
    this problem then I'm hoping that the virus/worm merely sets the password to
    something offensive and I can log on and change it back.
     
    SuperTycoon, May 27, 2006
    #1

  2. Issue is now resolved (I hope) - I dug out an old password reset disk from
    ages ago and somehow that seemed to work! Moral of the story: Don't run .exes
    from unknown locations, and always have a password reset disk handy!
     
    SuperTycoon, May 27, 2006
    #2

  3. From: "SuperTycoon" <>

    | Issue is now resolved (I hope) - I delved out an old password reset disk from
    | ages ago and somehow that seemed to work! Moral of the story: Don't run .exe
    | s from unknown locations, and always have a password reset disk handy!

    How do you know that you are STILL not infected ?


    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file. http://www.ik-cs.com/multi-av.htm

    Additional Instructions:
    http://pcdid.com/Multi_AV.htm


    * * * Please report back your results * * *
     
    David H. Lipman, May 27, 2006
    #3
  4. Elendil (Guest)

    If necessary, you could've booted into safe mode and then logged in using
    the hidden default admin account which doesn't have a password. Through the
    default and main admin account you could've changed/removed the password
    from your admin account and then done away with the program. I'd recommend
    that you either switch from Norton 2004 to either a newer version of Norton
    or a different anti-virus product. Should you accept my advice I advise you
    get either Kaspersky AntiVirus or NOD32 AV as opposed to upgrading Norton.
     
    Elendil, May 27, 2006
    #4
  5. Elendil (Guest)

    Also a good point by David, you didn't mention how you cleaned yourself.
    Follow the Comprehensive Malware Removal Instructions on the Detailed
    Malware Removal page of my website: www.freewebs.com/stopmalware. This set of
    instructions includes David's Multi_AV tool along with some steps to clean
    your computer of spyware and all the other non-viral stuff.
     
    Elendil, May 27, 2006
    #5
  6. Unfortunately you're correct, I am still infected - it seems that my initial
    euphoria at getting logged on was a little premature.

    I attempted to start Norton to run a full virus scan and the program reports
    an internal error, then a problem with the licence - advising me to
    uninstall and reinstall the program - I will try this later.

    Internet connection is not functional; although within the 'network
    connections' panel both the internet connection and the connection to the router
    claim to be active, they remain in this status even when the router is turned
    off. Attempting to access the internet through IE and Firefox fails.
    Attempting to repair the network connections also fails.

    Windows security centre reports that "The Security Centre is unavailable
    because the Security Centre process was not started or has been stopped"

    Faced with this the only functional malware removal tool of any sort on my
    computer was Spybot S&D. A scan using this yielded three 'critical' issues
    that had not been present recently:
    "Fake" MSN8 Beta
    Windows Firewall Notifications Blocked
    Windows Antivirus Notifications Blocked
     
    SuperTycoon, May 27, 2006
    #6
  7. Sorry for the double-post: Forgot to mention that my lack of an internet
    connection prevents me from running David's removal tool - even if I download
    the zip file on this machine and transfer it on a flash drive I won't be able
    to download the necessary files to run the program.
     
    SuperTycoon, May 27, 2006
    #7
  8. From: "SuperTycoon" <>

    | Unfortunately you're correct, I am still infected - it seems that my initial
    | euphoria at getting logged on was a little premature.
    |
    | I attempted to start Norton to run a full virus scan and the program reports
    | an internal error, then a problem with the liscence - advising me to
    | uninstall and reinstall the program - I will try this later.
    |
    | Internet connection is not functional, although within the 'network
    | connections' panel both the internet connection, and connection to the router
    | claim to be active they remain in this status even when the router is turned
    | off. Attempting to access the interent through IE and Firefox fails.
    | Attempting to repair the network connections also fails.
    |
    | Windows security centre reports that "The Security Centre is unavailable
    | because the Security Centre process was not started or has been stopped"
    |
    | Faced with this the only functional malware removal tool of any sort on my
    | computer was Spybot S&D. A scan using this yielded three 'critical' issues
    | that had not been present recently:
    | "Fake" MSN8 Beta
    | Windows Firewall Notifications Blocked
    | Windows Antivirus Notifications Blocked


    Chances are you got hit with a P2P worm, a virus that uses network protocols to spread, and
    I am here to tell 'ya that SpyBot S&D is insufficient.
    It sounds like this infector (a P2P worm ?) has played havoc with NAV. Probably deleted
    Registry values and has modified various "policies" such as the Firewall.

    You need to immediately take proactive actions. Start with trying to do a System Restore to a
    state PRIOR to the receipt of the MSN messenger message. Then use the Multi AV Scanning Tool
    to scan your computer.

    NOTE: There may be a chance that the infector has affected the System Restore capability as
    well.
     
    David H. Lipman, May 27, 2006
    #8
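The symptoms in post #6 (Security Center stopped, firewall and antivirus notifications suppressed, Norton broken) and David's diagnosis in post #8 (deleted registry values, modified "policies") line up with a handful of well-known registry locations. The script below is an added triage example, not something posted in this thread or part of David's Multi_AV tool. It assumes it is run from an administrator PowerShell session on the affected box (XP SP2 with PowerShell installed, or any later Windows); the registry paths and value names are the documented Security Center, Policies and Winlogon locations, while the choice of what counts as "suspicious" (any non-default Shell/Userinit, any Run entry) is this example's own assumption. With `-Fix` it resets the notification flags and policies and restarts the Security Center service, which only helps after the infector itself has been removed.

```powershell
# Added example: triage the Security Center / policy tampering described in the thread.
# Not from the original posts. Assumes an elevated PowerShell prompt on the affected PC.
param([switch]$Fix)

$findings = @()

# 1. Security Center service (wscsvc): the poster saw
#    "the Security Centre process was not started or has been stopped".
$svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += "Security Center service (wscsvc) is missing"
} elseif ($svc.Status -ne 'Running') {
    $findings += "Security Center service (wscsvc) is $($svc.Status)"
}

# 2. Notification-suppression flags. A value of 1 here is what Spybot reports as
#    "Windows Firewall Notifications Blocked" / "Windows Antivirus Notifications Blocked".
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$notifyFlags = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'
foreach ($name in $notifyFlags) {
    $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "$name = 1 under $sc" }
}

# 3. Policy values malware sets to hinder cleanup (Task Manager, Registry Editor).
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyFlags = 'DisableTaskMgr', 'DisableRegistryTools'
foreach ($name in $policyFlags) {
    $v = (Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { $findings += "$name = 1 under $pol" }
}

# 4. Winlogon hijack points. Defaults are 'explorer.exe' and
#    '<drive>:\WINDOWS\system32\userinit.exe,'; anything else is flagged (assumption).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell = '$shell'" }
$userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit -and $userinit -notmatch '^[A-Za-z]:\\windows\\system32\\userinit\.exe,?$') {
    $findings += "Winlogon Userinit = '$userinit'"
}

# 5. Autostart entries: list every Run value so an unfamiliar .exe (for example one
#    named after an e-mail address, as in post #1) stands out for manual review.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $findings += ("Run entry ({0}): {1} = {2}" -f $k, $_.Name, $_.Value) }
    }
}

# Report.
if ($findings.Count -eq 0) {
    Write-Output 'No tampering indicators found in the checked locations.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output ("  - " + $_) }
}

# Optional repair of the Security Center state. This does NOT remove the infector;
# if it is still running it will simply reapply these values.
if ($Fix) {
    if (Test-Path $sc) {
        foreach ($name in $notifyFlags) {
            Set-ItemProperty -Path $sc -Name $name -Value 0 -Type DWord
        }
    }
    foreach ($name in $policyFlags) {
        Remove-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue
    }
    if ($svc) {
        Set-Service -Name wscsvc -StartupType Automatic
        Start-Service -Name wscsvc -ErrorAction SilentlyContinue
    }
    Write-Output 'Security Center notification flags, policies and service reset.'
}
```

Run it once to record the indicators, then again with `-Fix` only after the scanners David describes have been run in Safe Mode and Normal Mode; if the flags come back after a reboot, the infector is still resident and the scan results are the next thing to post.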
  9. From: "SuperTycoon" <>

    | Sorry for the double-post: Forgot to mention that my lack of an internet
    | connection prevents my from running David's removal tool - even if I download
    | the zip file on this machine and transfer it on a flash drive I won't be able
    | to download the necessary files to run the program
    |


    Do it on another PC. Extract the files and click on the "start menu" icon in C:\AV-CLS.
    Download all four AV modules but don't run scans.

    Copy the C:\AV-CLS folder tree to the Flash Drive. Then on the affected PC, copy the
    ..:\AV-CLS folder to the "C:" drive root.

    Then click on the "start menu" icon in C:\AV-CLS and run a scan starting with the McAfee
    module.
     
    David H. Lipman, May 27, 2006
    #9
  10. Malke (Guest)

    Then from another machine get Sysclean and its updates, as well as any
    other programs/updates/tools you need. David's Multi_AV is more
    comprehensive since it uses 4 different scan engines, but if you can't
    get the files you need you can use something else.

    See:
    http://www.elephantboycomputers.com/page2.html#Removing_Malware
    http://www.elephantboycomputers.com/page2.html#TrendMicros_Sysclean

    Malke
     
    Malke, May 27, 2006
    #10