After a week, I received a similar instant message from my sister-in-law. This time, the message was an invitation to view some photos on some website by clicking the provided link. Since there was no other note included, I suspected that the message was not from her. My suspicion was confirmed when, after a few seconds, another message arrived. Hmm, another compromised messenger account, I thought. I sent a message back and advised her to change her messenger password ASAP.
I initially thought that this was some kind of instant messaging spam. After running a search in Google, I realized that it is even worse. There seem to be two forms of attack: one is an actual virus/worm that spreads via instant messaging, and the other is a phishing attack launched against YM users. For the latter, the attack usually starts with an instant message from someone in the user's contact list. The message includes a link to a Yahoo-looking site that requires visitors to log in, thereby revealing their Yahoo ID and password. The phisher then uses these credentials to send the same bait to every contact of the compromised account. Worse, the same ID and password also open all of the victim's other Yahoo services, such as email, photos, groups, etc., and the personal information in them.
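The weak point of the phishing variant is that the bait page only looks like Yahoo; the link's actual host is not a yahoo.com host. The following is an added example (not code from the original post) of the check a cautious user or a mail/IM filter would apply to such a link before clicking: it accepts a link only when the registrable domain really is yahoo.com, and flags the usual tricks (yahoo.com buried in a subdomain of another site, look-alike spellings such as yah00.com, a user-info prefix in front of the real host, or a bare IP address). The trusted domain and the sample links are assumptions constructed for the example.

```powershell
# Added example, not from the original post.
# Classifies a link of the kind described above: "ok" only if the host
# really belongs to yahoo.com; everything else is reported as suspicious.
function Test-YahooLink {
    param([Parameter(Mandatory = $true)][string]$Url)

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return 'suspicious: not an absolute URL'
    }
    $hostName = $uri.Host.ToLowerInvariant()

    # http://login.yahoo.com@203.0.113.5/ : the part before '@' is user-info,
    # the browser actually connects to whatever follows it.
    if ($uri.UserInfo -and $uri.UserInfo -match 'yahoo') {
        return "suspicious: 'yahoo' is only in the credential part, real host is $hostName"
    }

    # A bare IP address is never where Yahoo serves a sign-in page.
    if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
        return "suspicious: host is an address ($hostName), not a domain name"
    }

    # Registrable domain = last two labels. login.yahoo.com.evil.net therefore
    # resolves to evil.net, not yahoo.com, however convincing the prefix looks.
    $labels = $hostName.Split('.')
    $domain = ($labels | Select-Object -Last 2) -join '.'

    if ($domain -eq 'yahoo.com') {                 # assumed trusted domain
        if ($uri.Scheme -ne 'https') { return "caution: real yahoo.com host but not HTTPS ($Url)" }
        return "ok: $hostName"
    }
    if ($domain -match 'yah[o0]{2}') {             # yah00.com, yahoo.co, ...
        return "suspicious: look-alike domain $domain"
    }
    return "suspicious: not a yahoo.com host ($domain)"
}

# Constructed sample links for demonstration.
@(
    'https://login.yahoo.com/config/login',
    'http://login.yahoo.com.photos-view.example/',   # subdomain trick
    'http://yah00.com/login',                          # look-alike spelling
    'http://login.yahoo.com@203.0.113.5/photos',       # user-info trick
    'http://203.0.113.5/yahoo/login.php'               # bare IP address
) | ForEach-Object { '{0,-48} -> {1}' -f $_, (Test-YahooLink $_) }
```

The two-label rule is deliberately simple; it is enough for the attacks the post describes, but a real filter would use a public-suffix list so that a host under co.uk or com.au is not mis-parsed.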
The virus/worm version is reported to take control of your messenger and send messages with website links to everyone in your contact list without your knowledge. When the link is clicked, the worm downloads a copy of itself to the user's PC, disables the Registry Editor and Task Manager, hijacks the Internet Explorer home page, and redirects users to sites that silently install further malicious software on their PCs. Moreover, there seem to be several variants of this worm out there: Yh032.explr, w32.KMeth, Worm_Sohanad.B, etc.
These Yahoo! Messenger worms rely on the browser's scripting support (JavaScript and VBScript) rather than on a flaw in the chat protocol. You can be infected simply by clicking a link that appears to lead to a picture (.JPG). When the page presenting that picture loads, its JavaScript launches a VBScript (Visual Basic Script, which the Windows Script Host runs on any Windows machine) that writes the worm to your hard disk. Once you are infected, the worm starts sending mass messages to all the contacts in your list asking them to follow a link. The messages vary, being generated randomly from keywords in the worm's own database, so the wording alone is no reliable indicator.
If you are already infected, the easiest way to remove the virus/worm is to use System Restore if you are running Windows XP. See Microsoft Help for details. Be sure to choose a restore point from before the infection, and then scan your system for any remaining signs of the worm after the restore. Update your PC regularly and use an up-to-date antivirus program. If this doesn't work, try the following steps:
1: Close Internet Explorer, sign out of Messenger and unplug the network cable, so the worm can neither re-download itself nor message your contacts while you clean up.
2: Re-enable the Registry Editor. Click Start, Run and type this command exactly as given below (better: copy and paste):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
3: Re-enable Task Manager (we need it to kill the worm's process). Click Start, Run and type this command exactly as given below (better: copy and paste):
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
4: Reset the hijacked IE home page through Regedit (Start > Run > Regedit). In each of the following keys, change the "Start Page" value from the attacker's site to google.com, about:blank or any other page you trust:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
5: Kill the worm's process. Press Ctrl + Alt + Del to open Task Manager and end every svhost32.exe process (there may be more than one, so check carefully). Do not confuse it with svchost.exe, the legitimate Windows service host, which must be left running.
6: Delete the svhost32.exe and svhost.exe files from the Windows and temp directories, or simply search your computer for "svhost" and delete the files it finds. Again, leave the genuine svchost.exe in System32 alone.
7: Open Regedit again (Start > Run > Regedit), search for "svhost" and delete every value that points at it (typically the Run entries the worm added so that it starts with Windows).
8: Restart the computer. That's it, you are now rid of the worm.
I don't know whether there is any removal patch that works for such Trojans/viruses, but we can easily delete them manually.
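The manual steps above translate directly into a script. What follows is an added example, not the post's own procedure or any vendor's removal tool: an elevated PowerShell session run after step 1 (network cable out, Messenger closed) that re-enables Regedit and Task Manager, resets the IE start page in the three hives listed, stops and deletes the worm's files, and removes Run entries that launch them. The worm file names (svhost32.exe, svhost.exe) are the ones the post gives; the directories searched and the registry locations for autostart entries are assumptions for the example. It matches on the exact file name so that the legitimate svchost.exe is never touched.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt AFTER disconnecting the network and signing out of Messenger (step 1).
#Requires -RunAsAdministrator

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$wormNames = @('svhost32.exe', 'svhost.exe')   # names given in the post; svchost.exe is legitimate

# Steps 2 and 3: undo the worm's lockout of Registry Editor and Task Manager.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'DisableRegistryTools' -Type DWord -Value 0
Set-ItemProperty -Path $policyKey -Name 'DisableTaskMgr'       -Type DWord -Value 0

# Step 4: reset the hijacked Internet Explorer start page in every hive the post lists.
$ieMainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\Software\Microsoft\Internet Explorer\Main',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
)
foreach ($key in $ieMainKeys) {
    if (-not (Test-Path $key)) { continue }
    $current = (Get-ItemProperty -Path $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($current) { Write-Host "[$key] Start Page was: $current" }   # record the attacker's site
    Set-ItemProperty -Path $key -Name 'Start Page' -Value 'about:blank'
}

# Step 5: end the worm's processes. Compare the exact image file name, so a
# process called svchost.exe (the Windows service host) is never stopped.
Get-Process | Where-Object { $_.Path -and ($wormNames -contains [IO.Path]::GetFileName($_.Path)) } |
    ForEach-Object {
        Write-Host "Stopping $($_.Path) (PID $($_.Id))"
        Stop-Process -Id $_.Id -Force
    }

# Step 6: delete the dropped files. Directory list is an assumption based on
# the post's "Windows/ & temp/ directories".
$searchDirs = @($env:windir, "$env:windir\System32", $env:TEMP, "$env:windir\Temp")
foreach ($dir in $searchDirs) {
    foreach ($name in $wormNames) {
        $candidate = Join-Path $dir $name
        if (Test-Path $candidate) {
            Write-Host "Deleting $candidate"
            Remove-Item -Path $candidate -Force
        }
    }
}

# Step 7: remove autostart values that launch the worm. Only the Run keys are
# inspected here (assumed persistence location); the post's full registry
# search for "svhost" remains a manual follow-up.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }              # skip PowerShell's own PSPath etc.
        if ("$($p.Value)" -match 'svhost(32)?\.exe') {     # does not match svchost.exe
            Write-Host "Removing Run entry '$($p.Name)' = $($p.Value)"
            Remove-ItemProperty -Path $key -Name $p.Name
        }
    }
}

Write-Host 'Done. Reboot (step 8), then run a full scan with an up-to-date antivirus.'
```

Run it once, reboot, and repeat the process and file checks; if svhost32.exe reappears, some autostart location other than the Run keys is still pointing at it and the manual registry search in step 7 is needed.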