NEW AIM ADWARE


Stephen Dolenc

This is an AOL Instant Messaging Virus / Adware

Victims send the following message to their entire buddy
list at approximately 25-minute intervals:
"check this out, is that you?"

"this" is linked to the following php address:
http://files.superwwwhost.com/get.php?pic=43242.jpg

If you click on the link, a file that ends in ".jpg.exe"
tries to download. Obviously, the extension implies
the file is an executable, not an image file. More than
half of my friends missed that...

Could your anti-spyware / anti-virus engineers look at
this and see if you can produce some kind of removal
procedure to set users' systems back to status quo?

Sorry I can't give you more information, I'm not exactly
sure how this file impacts the registry or directories of
infected systems because I have not clicked it myself.

Keep up the great work--I can't wait to join you guys
someday,

Stephen Dolenc
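Two checks that would have caught this download before it was run, as an added example that is not part of the original post: the filename hides an executable extension behind an image one (".jpg.exe", the pattern reported above), and the file's leading bytes do not match the type its name claims. Only the ".jpg.exe" name and the get.php URL come from the post; the sample byte strings, the other filenames and the extension lists are constructed for the demo.

```python
# Added example, not from the original thread: decide whether a "picture"
# download is really a Windows executable. Sample inputs are constructed.
from urllib.parse import urlparse, parse_qs

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}

# Leading bytes of the formats we care about (from the format specifications).
MAGIC = {
    "pe": b"MZ",                   # DOS stub header that every Windows .exe starts with
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Which sniffed kind an image extension is allowed to have.
EXPECTED_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png"}


def extensions_of(filename):
    """All dotted extensions of a name, lowercased: '43242.jpg.exe' -> ['.jpg', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def sniff(data):
    """Identify the real file type from its leading bytes, or 'unknown'."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def requested_name(url):
    """Filename promised by the link's query string, e.g. pic=43242.jpg -> '43242.jpg'."""
    query = parse_qs(urlparse(url).query)
    return query.get("pic", [""])[0]


def assess_download(filename, data):
    """Return {'suspicious': bool, 'kind': str, 'reasons': [str]} for one download."""
    exts = extensions_of(filename)
    final_ext = exts[-1] if exts else ""
    kind = sniff(data)
    reasons = []

    # 1. Double extension: an image extension followed by an executable one.
    if final_ext in EXEC_EXTENSIONS and any(e in IMAGE_EXTENSIONS for e in exts[:-1]):
        reasons.append("double extension")
    # 2. Content is a PE image but the name does not admit it.
    if kind == "pe" and final_ext not in EXEC_EXTENSIONS:
        reasons.append("executable disguised as " + final_ext)
    # 3. Name claims an image format but the bytes are something else.
    if final_ext in EXPECTED_KIND and kind != EXPECTED_KIND[final_ext]:
        reasons.append("magic bytes do not match " + final_ext)

    return {"suspicious": bool(reasons), "kind": kind, "reasons": reasons}


# Constructed inputs for the demo: what the link delivers, a genuine JPEG,
# and a PE file renamed to look like a JPEG.
SAMPLES = {
    "43242.jpg.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "holiday2.jpg": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    link = "http://files.superwwwhost.com/get.php?pic=43242.jpg"
    print("link promises:", requested_name(link))
    for name, data in SAMPLES.items():
        print(name, assess_download(name, data))
```

The first check is what a user can do by eye; the second and third are what a download proxy or mail gateway should do, because a renamed executable is not caught by the extension at all.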
 
Hi Stephen

I just downloaded this to try out some fixes.

I believe this is a new virus as it's not being detected
by Norton or Trend Micro, plus Spysweeper and Spybot are
both showing clear.

This virus could allow a remote user to control the PC. I
cannot be sure of this as I don't know what the virus is
yet, but generally most of the viruses that spread through
MSN or AOL have this feature. Usually when the virus is
run, part of it tries to open a port on the PC and then
tries to connect to an external site. If this works, then
that can allow the attacker to control the PC with the
virus.

So removing this is important to ensure the systems
involved do not get further problems from an attacker
deleting files or downloading more files.


I downloaded the file to the desktop, which created a file
called:

442113[1].jpg.exe

I disabled my protection, double-clicked it and ran the
file. This created both these entries in HijackThis:

C:\WINDOWS\find.exe

HKLM\..\Run: [Find] C:\WINDOWS\find.exe


I could fix these entries using HijackThis, but I want to
go for this manually in case there are any other traces of
this.

It's not helping that none of the scanners are detecting
this, but if it's new then I'm sure it will be added to
their definitions very soon.


Removal :



Press Control, Alt & Delete (Task Manager).

Go to processes and end this process:

Find.exe


Then open the Windows folder and delete:

Find.exe (174 KB)


You will see a Find.exe in the Windows System32 folder,
but do not remove this as it's a genuine Windows file!

It's the Find String Utility (Microsoft, 9.00 KB).

I've scanned the file at Jotti's site, which uses 13 virus
scanners to check for malware, but it's showing clean, so I'm
happy to leave it in place as I don't believe it's
connected to this.


Then open regedit:

Go to Start, then Run, and type

regedit


(To navigate in regedit, first go to HKEY_LOCAL_MACHINE
and press the plus (+) beside it, then go to SOFTWARE and
click the plus (+) beside it, then Microsoft and the plus (+),
then Windows and the plus (+), then CurrentVersion and the plus (+),
and finally to the Run folder. Left-click the Run folder
and you will see values open up in the pane on the
right. Delete "Find" = C:\WINDOWS\Find.exe.)



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


On the right pane delete

"Find" = C:\WINDOWS\Find.exe



Also delete Find from the Winlogon folder:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


In the right pane, delete the value:

"Find" = C:\WINDOWS\Find.exe


Exit regedit.


Clear the Recycle Bin and temp files:

Go to the Recycle Bin and delete the contents.

Open an Internet Explorer window and go to Tools on the top bar, then
to Internet Options.

Delete cookies and files (when deleting files, choose
"delete all offline content").

Go to Start, then Run, and type

%temp%

Remove everything you can out of this folder, as the temp
files are not needed. If any say you cannot delete them, it
means they are in use, but delete what you can from here.


That's it, the system will be clean again.

If you have any problems let me know

Regards, Andy
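The removal steps above, turned into a check that can be run over a regedit export, as an added example that is not part of Andy's post: parse the .reg text, flag the Run value and the stray Winlogon value that launch C:\WINDOWS\find.exe, and build the list of values and files to delete while never touching the genuine C:\WINDOWS\System32\find.exe. The key names, the "Find" value name and the C:\WINDOWS\find.exe path come from the post; the .reg text, the other autorun entries (SunJavaUpdateSched, Userinit) and the MASQUERADED_NAMES list are constructed for the demo.

```python
# Added example, not from the original thread: locate the persistence entries
# described in the removal steps inside a .reg export and produce a removal
# plan. The sample export below is constructed; only the Run/Winlogon keys,
# the "Find" value and C:\WINDOWS\find.exe are taken from the post.
import ntpath
import re

WINDIR = r"C:\WINDOWS"
SYSTEM32 = ntpath.join(WINDIR, "System32")

# Genuine System32 tool names that malware likes to reuse one directory up.
MASQUERADED_NAMES = {"find.exe", "svchost.exe", "explorer.exe", "winlogon.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTORUN_KEYS = {
    RUN_KEY.lower(),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce".lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
}
# Values that belong in Winlogon and the binary each must point at;
# any other value that launches a program there is suspect.
WINLOGON_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# Constructed regedit export (what "File > Export" of HKLM would contain).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Find"="C:\\WINDOWS\\find.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Find"="C:\\WINDOWS\\find.exe"
"ShutdownWithoutLogon"=dword:00000001
'''

# "name"="string" lines only; dword:/hex: values are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, string_data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def first_executable(command):
    """Program path at the front of an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Bare paths containing spaces are ambiguous; the demo takes the first token.
    return command.split(" ")[0].rstrip(",")


def classify(key, name, command):
    """Reason string if the entry matches the reported persistence pattern, else None."""
    exe = first_executable(command)
    folder = ntpath.normcase(ntpath.dirname(exe))
    base = ntpath.normcase(ntpath.basename(exe))
    if key.lower() == WINLOGON_KEY.lower():
        expected = WINLOGON_EXPECTED.get(name.lower())
        if expected is None:
            return "unexpected Winlogon value launching " + exe
        if base != expected:
            return "Winlogon %s redirected to %s" % (name, exe)
        return None
    if key.lower() in AUTORUN_KEYS and folder == ntpath.normcase(WINDIR) and base in MASQUERADED_NAMES:
        return "%s running from %s instead of %s" % (base, WINDIR, SYSTEM32)
    return None


def removal_plan(reg_text):
    """Values and files to delete. The System32 copy of a tool is never listed."""
    values, files = [], []
    for key, name, data in parse_reg(reg_text):
        reason = classify(key, name, data)
        if reason is None:
            continue
        values.append((key, name, reason))
        exe = first_executable(data)
        in_system32 = ntpath.normcase(ntpath.dirname(exe)) == ntpath.normcase(SYSTEM32)
        if not in_system32 and exe not in files:
            files.append(exe)
    return {"delete_values": values, "delete_files": files}


if __name__ == "__main__":
    plan = removal_plan(SAMPLE_REG)
    for key, name, reason in plan["delete_values"]:
        print("delete value %r under %s  (%s)" % (name, key, reason))
    for path in plan["delete_files"]:
        print("delete file", path)
```

The masquerade test (a System32 tool name living directly in C:\WINDOWS) is the generalisable part: the same check would have flagged an svchost.exe or explorer.exe dropped one directory up, which is a common trick, and it is what keeps the legitimate 9 KB System32\find.exe out of the plan.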
 