New Aim Virus!! Here's How To Fix It!

By mebdrew
Dec 4, 2005
  1. If you recently got an IM from your friend to download a cool Christmas Screensaver, IT IS AN AIM VIRUS!! Here's what the message said...
    This AIM user has sent you a Christmas Card! To open it please visit: hxxp://
    This senders personal note: Merry Christmas!

    The kicker is that the link really takes you to hxxp:// WHICH IS A VIRUS!

    To get rid of it... here's what you do....

    Let me tell you it's sneaky! It disguises itself as lsass.exe which is
    a legitimate Windows process, BUT, this virus lists it as a service, which the legitimate lsass.exe is not! The fake lsass.exe also lists itself in the C:\windows\ directory; the real lsass.exe is located in
    the C:\Windows\system32\ directory.... SOOO here's how to kill it:
    Start->run-> Services.msc
    Locate the "Local Security Authority Subsystem Service" and right
    click-> Properties.. You can't stop it so select 'disable' from the
    startup options list. Then restart your computer. Go to C:\windows
    and delete lsass.exe VOILA! all gone!!!

    DO NOT DELETE C:\windows\system32\lsass.exe THIS IS A LEGIT PROCESS!!!!
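    The check below is an added example and is not from the original poster; it is a PowerShell triage script for the lsass.exe impostor described in the post. It assumes an elevated PowerShell session on a Windows host and is read-only unless the hypothetical -Remediate switch is given. One caveat for current Windows versions: several legitimate services (SamSs, KeyIso and others) are hosted in System32\lsass.exe, so "is there a service pointing at lsass.exe" is no longer a reliable tell by itself; the script keys on the file path instead, which is the discriminator the post itself relies on (C:\Windows\lsass.exe versus C:\Windows\System32\lsass.exe).

```powershell
# Added example, not code from the original post.
# Triage for the lsass.exe impostor described above: flags any lsass.exe
# outside System32, any service whose binary is such a copy, and any running
# lsass process whose image is not the real one.
# Read-only unless -Remediate (hypothetical switch) is given; run elevated.
param([switch]$Remediate)

$legit = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Get-ServiceExe([string]$pathName) {
    # Service PathName values may be quoted or carry arguments; keep the exe only.
    $p = [Environment]::ExpandEnvironmentVariables($pathName.Trim())
    if ($p.StartsWith('"')) { return $p.Split('"')[1] }
    return ($p -split '\s+')[0]
}

# 1. Copies of lsass.exe anywhere under %SystemRoot% other than the real one
#    (the post names C:\Windows\lsass.exe).
$rogueFiles = Get-ChildItem -Path $env:SystemRoot -Filter 'lsass.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ine $legit } |
    Select-Object -ExpandProperty FullName

# 2. Services whose binary is an lsass.exe outside System32. Legitimate
#    services such as SamSs and KeyIso are hosted in System32\lsass.exe, so
#    the path, not the mere existence of a service, is the discriminator.
$rogueServices = Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and
    ((Get-ServiceExe $_.PathName) -imatch '\\lsass\.exe$') -and
    ((Get-ServiceExe $_.PathName) -ine $legit)
}

# 3. Running lsass processes whose image is not the real one. Path is $null
#    for the protected LSA process when not elevated; treat null as unknown.
$rogueProcs = Get-Process -Name lsass -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ine $legit) }

"Legitimate LSA image : $legit"
"Rogue files          : $(if ($rogueFiles) { $rogueFiles -join ', ' } else { 'none' })"
foreach ($s in $rogueServices) {
    "Rogue service        : $($s.Name) [$($s.DisplayName)] -> $($s.PathName) (StartMode=$($s.StartMode), State=$($s.State))"
}
foreach ($p in $rogueProcs) {
    "Rogue process        : PID $($p.Id) -> $($p.Path)"
}

if ($Remediate) {
    # Mirror the post's procedure: disable the impostor service, then remove the file.
    foreach ($s in $rogueServices) {
        Set-Service -Name $s.Name -StartupType Disabled
        Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
    }
    foreach ($f in $rogueFiles) {
        if ($f -ieq $legit) { continue }   # never touch System32\lsass.exe
        try {
            Remove-Item -LiteralPath $f -Force -ErrorAction Stop
            "Deleted $f"
        } catch {
            "Could not delete $f (probably still loaded); reboot with the service disabled, then re-run."
        }
    }
}
```

    Run it once without the switch to see what it would touch; if the rogue copy is still loaded the delete fails, which matches the post's advice to disable the service, reboot, and only then delete the file. The real System32\lsass.exe is excluded by path at every step.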
  2. khurst

    khurst TS Rookie


    I got the virus somehow, and when I go to get rid of it, and go to Start, Run, services, there is no LSASS properties. Is there another way to get rid of it? If not, I could use some more help with this way.
  3. mebdrew

    mebdrew TS Rookie Topic Starter

    OK let me walk you through. Once you're in Services you need to look for Local Security Authority Subsystem Service. As a general point, each service listed has a gear icon to the left of them; make sure you scroll down to the L section. Once you've located the Local Security Authority Subsystem, double click it. Once the dialog box has opened select 'disable' from the start-up type drop down menu. Then restart your computer and you should be fine :) (you may want to try and delete LSASS.exe from the Windows directory; make sure you can view hidden files and folders)!!
    If you do not find the Local Security Authority Subsystem Service, then you do not have this particular AIM virus; it may be a variant. I recommend posting a HijackThis log in the appropriate forum if this is the case.


  4. Dragonz31

    Dragonz31 TS Rookie

    Ah yes, wow... I am very surprised to see this post. Many, and I mean seriously many, of my friends got this virus. It's a variant of the SDBot. Let me tell you, it's not a pretty virus. Task Manager actually thinks it's the real "LSASS". We spied on the botnet for a while before it was shut down, and we were ready to report it to the authorities since it seemed to be unknown, until we found it. I'm glad to see this was all taken care of.

    We believe that it is possible the bot masters also tried to infect the infected computers with other viruses (seemed to be spyware/adware), so make sure you deal with those as well! I find it funny how their names were things like "TuffCat" and "*****d" :rolleyes: . Who's laughing now, bot masters? That's right! You see, the whole structure of a botnet simply doesn't work anymore. A little packet sniffing gives away everything about it, and so it can easily be discovered and reported. Good thing too!
  5. mebdrew

    mebdrew TS Rookie Topic Starter

    All of my friends were getting it, and it was hard for me to figure out how to fix it over the phone, so I intentionally put it on my machine to figure out how to get rid of it. I have an exported list of all the standard services that should be running, and keep a vigilant eye on my HijackThis logs and running processes, and kill those crappy adware/spyware programs on the spot. I didn't seem to find any other viruses on my machine; however it was only on my machine for 15 minutes or so, and I was disconnected from the net during removal. If you happen to come across any please don't hesitate to amend my post!! THANKS!! :)!! The only other thing it might have changed is a few registry entries for those who do not have SP1, but hopefully that isn't too many people.

  6. mebdrew

    mebdrew TS Rookie Topic Starter

    Correction! It may change a few registry entries in the auto updates section for those who have SP1! SP2 users are not affected as much!
  7. Dragonz31

    Dragonz31 TS Rookie

    Yes, when we were tracking this virus, we discovered that it does change such things. I remember upon infecting my PC with it, the virus somehow got corrupt along the way. When it was run on my PC, it opened the SP log and showed what it did to it. Very interesting.

    I am glad to see that this virus no longer works. The botnet has been shut down, thus the "bot masters" can no longer remotely control any computers. All the AIM spam is not automated; it was controlled by the botnet and its masters. We have evidence for this. Our log bot picked up this on their botnet (IRC) before we were about to report it:

    [20:53] <****> .AIM <font color="red"><b>This AIM user has sent you a Greetings Card, to open it visit: <a href="http://**.**.***.***/"></a><br>This senders personal note: Merry Christmas!</b></font>

    So no need for the people who are still infected to worry about spreading it anymore!

    Heh, too bad before we could report it someone else did. All the same, I am very glad to see that this virus has come to a halt so quickly.
  8. swker98

    swker98 TechSpot Paladin Posts: 1,077

    New one out

    Just want to give you a heads up, there's an AIM virus: "Should i post these pictures on my myspace or Photobook"
    then it gives what looks like a legit link. Don't click it; it will put up an away message and send that message to your entire buddy list.

    Just a word of warning :giddy: :giddy:
  9. stevo26

    stevo26 TS Rookie

    How to fix the new virus

    I was talking on AIM and then this message comes up that says: can I post a pic. of you on my myspace (or something like that), and I have myspace myself, so I clicked it just because I was bored, opened the file, and it said Compressed (zipped) Folder was the location I was going... so then I thought nothing of it, but then I look at that last post from swker98 that warned people about it, and I signed back on AIM and it sent the "thing" to all my friends. I want to know how to get rid of this. I ran all my virus scans and it didn't pick it up, and I even tried looking for the "thing". It has been driving me... please help me!!
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Go HERE and follow the instructions in the order they are given.

    Then, open a new thread in the security and the web forum and post a fresh HJT log, only after doing the above.

    Regards Howard :wave: :wave: