Thread: Nasty MSN MESSENGER Trojan

  1. #1
    The New 'Arfur Daley

    Status
    Offline
    Join Date
    Mar 2004
    Location
    Kent UK
    Posts
    3,642
    Thanks
    123
    Thanked 126 Times in 91 Posts


    If you received an MSN message via Messenger any time after 22.30 from me, then run your PC in safe mode (F8) and do an antivirus scan if you clicked on any hyperlink in the message. An MSN Messenger trojan was sent at that time.
    It uses spool.exe to instantly link to your Messenger and email and works very fast. wkssvc.exe (delete it if need be) is a prefetch file which runs through spool.exe to your DNS and is the source of the w32trojan. Took 2 hours to remove after scans failed to remove it. Currently running a backup Spybot scan as the sucker is persistent.

    Was only online half a minute before frantic call from my security people.
    Flambi Media Limited - USA/UK/EU Affiliate Management Expertise

  2. #2
    tijan
    z-mirage.com

    Status
    Offline
    Join Date
    Jun 2006
    Location
    manchester
    Posts
    602
    Thanks
    0
    Thanked 10 Times in 10 Posts
    I was infected about two weeks ago. It eventually destroyed my operating system and wiped out everything on my desktop. The operating system couldn't load anymore. It affected my hard disk and makes a nuisance of me to my MSN contacts. It automatically resumes work about 5 min when you log on to your MSN and sends a zip file to all your contacts.

    Best advice is to log on and mail all your contacts not to open any zip file. You've got 5 min or less to do that.

    My laptop is still at NHS to see the doctor. Had to get another one within hours.

  3. #3
    tbp
    Registered User

    Status
    Offline
    Join Date
    Dec 2006
    Posts
    1,998
    Thanks
    0
    Thanked 22 Times in 22 Posts
    This really reinforces the need to have a good anti virus and firewall.

    I can recommend Kaspersky, fantastic and doesn't slow your PC down at all like Norton can. Recently won PC Pro's award for best antivirus package.

    CCL are selling the OEM version (a lot cheaper, but no manual for £10.47, or a 3 user licence for £13.50 ish) available at:

    Buy Kaspersky Internet Security 7.0*KASP-IS-1-V710PK-0 from CCL - Online Retailer of the Year 2007

    It's so cheap there's no excuse not to buy it, especially when you use your PC to earn you money. Free anti virus checkers like AVG aren't much good, and (I'm not sure if this is still the case) didn't pick up this particular virus when it first started spreading.

    I have no association with CCL Online or Kaspersky, but it's a great security package (includes firewall, anti phishing, spam blocker etc), and CCL are the cheapest place I've found it at. Really fast service, with next day delivery as standard. Ordered 3 of the 3 user packages now for home, work and friends and the service has been excellent.

    If you don't already have a good anti virus package, then get one now! Don't do as many people do and wait until you've got a virus before thinking about it...

  4. #4
    The New 'Arfur Daley

    I have uninstalled Windows Live Messenger for the moment and am running constant scans. Apologies to the 12 people who received messages from me. I will email you all via a server email.

    The trojan specifically targets PayPal logins.

    I received an open message from someone whilst talking to someone else and because it was from a trusted source did not think to check the url, it downloaded a file and pffft! 30 seconds later and anyone who was online on messenger at the time I was online received an instant message with the link to the trojan.

    Sorry

  5. #5
    The New 'Arfur Daley

    WKSSVC in C:1386 DL_ File
    WKSSVC.EXE-2189A0D1.pf in C:WINDOWS:Prefetch PF File
    wkssvc.dll in C:WINDOWS:SYSTEM 32 Application Extension

    All 3 files will have to be replaced with clean files tomorrow. I shall remove the hard drive and scan with a second pc. Now running a triple firewall and isolation to prevent it gaining access to the net as the bugger is still there!! However it is not loaded but because it is in SYSTEM 32 it keeps trying to load. My firewalls prevent this happening at Startup. Emails sent to everyone via their msn messenger email addresses who were sent a copy of the trojan by me.

  6. #6
    The New 'Arfur Daley

    Quote, originally posted by tbp:
    > This really reinforces the need to have a good anti virus and firewall.
    >
    > I can recommend Kaspersky, fantastic and doesn't slow your PC down at all like Norton can. Recently won PC Pro's award for best antivirus package.
    >
    > CCL are selling the OEM version (a lot cheaper, but no manual for £10.47, or a 3 user licence for £13.50 ish) available at:
    >
    > Buy Kaspersky Internet Security 7.0*KASP-IS-1-V710PK-0 from CCL - Online Retailer of the Year 2007
    >
    > It's so cheap there's no excuse not to buy it, especially when you use your PC to earn you money. Free anti virus checkers like AVG aren't much good, and (I'm not sure if this is still the case) didn't pick up this particular virus when it first started spreading.
    >
    > I have no association with CCL Online or Kaspersky, but it's a great security package (includes firewall, anti phishing, spam blocker etc), and CCL are the cheapest place I've found it at. Really fast service, with next day delivery as standard. Ordered 3 of the 3 user packages now for home, work and friends and the service has been excellent.
    >
    > If you don't already have a good anti virus package, then get one now! Don't do as many people do and wait until you've got a virus before thinking about it...

    I have one hardware and two software firewalls that don't conflict plus also a spyware scanner plus a 24 hour webhost security team which monitors my outgoing messages from my pc. They telephoned me in 30 seconds! However it still takes an individual to make it all go wrong and that's what happened. I was busy in chat and got another chat message and without checking clicked the link and Bam!

  7. #7
    tbp
    Registered User

    Bad luck John

    Do feel for you, it's amazing that just one action that's done near instantly without a second thought can cause so many problems. That's the joy of computers for you.

    I remember in my very first proper computing job, in the first week I managed to infect the whole of the company's network with a virus from a magazine coverdisk.

    I was forgiven, but as punishment for the next couple of years it was my daily job to enter the 20 or so virus signatures that were faxed over to us daily by hand (around 128 characters each if I remember right). (That was how virus checkers worked in those days, you got a fax with the characters that made up the virus signatures, and had to manually type them in to be protected, one wrong character and you weren't protected). Although that makes me sound ancient, I was only 13 at the time, although it was long ago enough that the year 2001 still sounded very futuristic.

    Back to your virus, I was having a look around the other night for the other person who got the virus who's on A4U, and there are removal instructions if you have a hunt around.

    Do get a copy of Kaspersky if you can, not only does it check Messenger files specifically, it also constantly scans any open file, so it would have picked this up and stopped it in its tracks. It even catches stuff that Norton used to let through. (It was quite amazing when I installed it just how much nasty stuff it shows you is floating around).

  8. #8
    tbp
    Registered User

    > I have one hardware and two software firewalls that don't conflict plus also a spyware scanner plus a 24 hour webhost security team which monitors my outgoing messages from my pc. They telephoned me in 30 seconds! However it still takes an individual to make it all go wrong and that's what happened. I was busy in chat and got another chat message and without checking clicked the link and Bam!

    That is very impressive with your security team. You could still do with Kaspersky though, as your firewalls will only stop traffic in / out, Kaspersky (or any other good virus checker) would have caught the file itself, and stopped it from running instantly.

    It's a layer of protection that should be at the very heart of your system. It's worth it, as it could have saved you. I know from experience as it has caught it on mine.

    I don't know what it is about this particular one, as it doesn't seem that different from others, but it's spreading at an incredible rate. By the time word got out, it had already infected thousands of systems, and by then it was too late.

  9. #9
    tbp
    Registered User

    Saying that, I have Kaspersky and I'm still up at 2.40 in the morning with you (not literally for those wondering).

    Nothing can save me from my work lol

  10. #10
    The New 'Arfur Daley

    All depends if it is the same trojan. I tell you this sucker is good. It's picked up by both Norton and SpyBot but cross migrates (183 versions in 30 seconds) and is bloody hard to remove. Got the sucker isolated on the machine, not quarantined, just isolated and re-routed the operating system to work online as so many registries were being altered it was attempting to get everywhere. Removed all the other variables but cannot get rid of this yet so there is another hidden program masquerading and not part of those 3 files.

    I'll find the sucker. When it comes to net security I am usually **** hot so I am really kicking myself. Only thankful I caught it quickly and warned as many people as possible.

    Problem is I've been contacting businesses all over the world to warn them. You should read my address list. I can use messenger again no problem and I am using it now quite safely, just need to keep the trojan isolated on my machine, bugger would connect instantly to messenger if I allowed it through again.

    This is why I hate Windows Live Messenger. I always used msn messenger and uninstalled windows messenger because of vulnerabilities and pop up spam. Then Microsoft scrapped msn messenger and combined it with windows messenger to create windows live messenger and I just knew it would be a matter of time before someone came out with another nasty messenger trojan that uses system 32.

  11. #11
    The New 'Arfur Daley

    Found the sucker.

    It was a hybrid which was combined with spool.exe and lo and behold both were in System 32!

    So removed in safe and replaced the dll with a replacement file. Now running a full diagnostic.

    4.58 am, time for bed.

  12. #12
    Rich79
    Registered User

    Status
    Offline
    Join Date
    May 2007
    Posts
    246
    Thanks
    16
    Thanked 13 Times in 11 Posts
    I received an MSN message from a friend on Sunday evening and clicked the link, but it didn't go anywhere or open anything up, it seemed like a dead link.

    After a couple of seconds I realised it was dodgy (the contact who sent it was offline & the URL was somewhat suggestive) then I closed the window down. It happened once more that evening and I immediately closed the window down again, and since then I have not seen it and had no other problems.

    Can anyone suggest whether I am likely to have been infected?!!

    This is a home-PC rather than for work so I haven't got amazing security, Kaspersky looks a bargain tho, thanks for the recommendation!

  13. #13
    The New 'Arfur Daley

    If you clicked on the link and downloaded the given file. Otherwise you probably would be all right. If you use Spybot 2007 Search & Destroy it will, when running, check any registration changes and ask permission first.

  14. #14
    The New 'Arfur Daley

    My security team uses a highly dangerous hacker tool called NetCat but it is excellent if used safely and it collects a list of ip addresses of infected machines.

    The list of infected machines is put on a blacklist.

  15. #15
    True Blue

    Status
    Offline
    Join Date
    Feb 2005
    Location
    Sydney
    Posts
    1,006
    Thanks
    11
    Thanked 6 Times in 6 Posts
    I had this last year from a member of this forum who I still haven't forgiven!

    I'd say it took nearly 3 working days worth of man-hours to sort it out, and I'm fairly decent with a computer.

    This was at work, but at home I use NOD32 and I think it's a superb bit of kit. Kaspersky is the other one I'd recommend as above.
