Wednesday, March 26, 2008

IMG00231.JPG-live.messenger Infection

Have you received a message like this via MSN Messenger:

tell me is this really you ? http://photogallery.gigacities.net/viewimage.php?

It's a worm that anti-virus products do not yet seem to detect, and it is spreading very rapidly. Here is how to remove it.

First close Messenger, so the worm cannot send any more invitations to your contacts. Then:


Go to start --> run -->
regedit
press return
navigate to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look for an entry whose data value is 'msn.com' (this is the worm's autostart entry).

Delete that entry. Check the same Run key under HKEY_CURRENT_USER as well, since programs can also be started per user from there.

Reboot the laptop / PC. This stops the worm process; while it is running it keeps msn.com open, so the file cannot be deleted until after the reboot.

once back in windows

go to start --> run
cmd
press return
cd \windows
attrib -r -h -s msn.com
del msn.com

exit

Note that the three attrib switches are separated by spaces: -r -h -s clears the read-only, hidden and system attributes the worm sets on the file (which is also why it does not show up in Explorer by default), so that del can remove it. If Windows is installed somewhere other than C:\Windows, use cd /d %SystemRoot% instead of cd \windows.

GONE
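The same clean-up as a PowerShell script, added here as an example and not part of the original post. It assumes what the steps above describe: the worm drops msn.com into the Windows directory and starts it from a value under the Run key whose data contains "msn.com". It additionally checks the per-user Run key under HKCU, and should be run from an elevated PowerShell after closing Messenger and rebooting (or otherwise stopping the worm process), because the file is locked while the worm is running.

```powershell
# Added example (not the original post's code). Assumptions: the worm's autostart
# value under HKLM/HKCU ...\Run has data containing "msn.com", and the dropped
# file is %SystemRoot%\msn.com with read-only/hidden/system attributes set.
# Run elevated, after Messenger is closed and the worm process is no longer running.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # per-user Run key, added check
)
$dropped = Join-Path $env:SystemRoot 'msn.com'

# Get-ItemProperty adds these provider members; they are not registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Find every Run value whose data points at msn.com and remove it.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        if ("$($p.Value)" -match '(?i)msn\.com') {
            Write-Host "Removing autostart value $key\$($p.Name) = $($p.Value)"
            Remove-ItemProperty -Path $key -Name $p.Name
        }
    }
}

# 2. Clear the read-only/hidden/system attributes (the attrib -r -h -s step)
#    and delete the dropped file (the del step).
if (Test-Path -LiteralPath $dropped) {
    $item = Get-Item -LiteralPath $dropped -Force      # -Force: see hidden/system files
    Write-Host ("Found {0} ({1} bytes, attributes: {2})" -f $dropped, $item.Length, $item.Attributes)
    $item.Attributes = 'Normal'
    Remove-Item -LiteralPath $dropped -Force
    Write-Host "Deleted $dropped"
} else {
    Write-Host "$dropped not present"
}
```

If Remove-Item reports that the file is in use, the worm process is still running; reboot (or end the process) and run the script again.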

3 comments:

Alan said...

Hey, thanks for this post. It helped me get that virus off my system! =)

Alex said...

I had a similar MSN Messenger invitation to visit a related site:

http://album.gigacities.net/email.php?=[my HOTMAIL e-mail address]

The MSN Message said:

"hey, is this your picture ?! http://album.gigacities.net/email.php?=[my HOTMAIL e-mail address]"

Following the link (NOT RECOMMENDED) yields the file:

IMG00231[1].JPG-www.imageupload.com

It is shown to have Size 39,424 bytes and Size on disk: 40,960 bytes.

This is an MS-DOS .com application that presumably delivers the MSN virus / worm payload.

I was a little disappointed that my current version of Symantec Endpoint Protection with CURRENT threat protections as of TODAY 11 APR 2008 did NOT detect or quarantine this worm. But this is not unusual in the case of Trojans of this type.

I wanted to alert ALL that this worm is now using variant album.gigacities.net rather than only photogallery.gigacities.net

See also: http://www.siteadvisor.com/sites/gigacities.net/postid?p=823036
http://en.wikipedia.org/wiki/Backdoor.Win32.IRCBot

Chris said...

Hey, thanks for the advice. I got this virus, which stopped me from even connecting to the net; your advice got me back online, but I'm a bit stuck on the end part. I've deleted the entry in the registry editor and restarted my PC (which then let me back on the net), but when going into the cmd screen it won't acknowledge the command (the 'attrib -r-h-s msn.com' part onwards); it just says things like 'invalid switch -r-h-s' or 'incorrect parameter'. Any chance you could guide me on where I'm going wrong? Thanks