New Aim Virus!! Here's How To Fix It!

Status
Not open for further replies.
M

mebdrew

If you recently got an IM from your friend to download a cool Christmas Screensaver, IT IS AN AIM VIRUS!! HEre's what the message said...
This AIM user has sent you a Christmas Card! To open it please visit: hxxp://greetings.aol.com/index.pd?source=greetingscard?my_christmas_card.scr
This senders personal note: Merry Christmas!

The sinker is that the link really take you to hxxp://209.235.17.26/My_Christmas_Card.SCR WHICH IS A VIRUS!

To get rid of it... here's what you do....

Let me tell you its sneaky! It disguises itself as lsass.exe which is
a legitimate windows process, BUT, this virus lists it as a service, which the legitimate lsass.exe is not! the fake lsass.exe also lists itself in the C:\windows\ directory, the real lsass.exe is located in
the C:\WIndows\system32\ directory.... SOOO here's how to kill teh
dork...
Start->run-> Services.msc
Locate the "Local security Authority Subsystem Service" and right
click-> propertires.. You can't stop it so select 'disable' from the
startup options list. Then restart your computer. Go to C:\windows
and delete lsass.exe VOILA! all gone!!!

DO NOT DELETE C:\windows\system32\lsass.exe THIS IS A LEGIT PROCESS!!!!
 
help

i got the virus somehow, and when i go to get rid of it, and go to start, run, services, there is no LSASS properties. is there another way to get rid of it? if not, i could use some more help with this way
 
OK let me walk you through, once you're in services you need to look for Local Security Authority Subsystem Service. As a general point, each service listed has a gear icon to the left of them, make sure you scroll down to the L section. Once you've located the Local Security Authority Subsystem, double click it. Once the dialoge box has opened select 'disable' from the start-up type drop down menu. Then Restart your computer and you should be fine :) (you may want to try and delete LSASS.exe from the windows directory, make sure you can view hidden files and folders)!!
If you do not find the Local Security Authority Subsystem Service, then you do not have this particular AIM virus, it may be a variant. I reccomend posting a HiJack this log in the appropriate forum if this is the case.

HOPE THIS HELPS!

~Drew
 
Ah yes, wow... I am very suprised to see this post. Many, and I mean seriously many, of my friends got this virus. It's a variant of the SDBot. Let me tell you, it's not a pretty virus. Task Manager actually thinks it's the real "LSASS". We spied on the botnet for a while before it was shut down, and we were ready to report it to the authorities since it seemed to be unkown, until we found it. I'm glad to see this was all taken care of.

We believe that it is possable the bot masters also tried to infect the infected computers with other viruses (seemed to be spyware/adware), so make sure you deal with those as well! I find it funny how their names were things like "TuffCat" and "*****d" :rolleyes: . Who's laughing now, bot masters? That's right! You see, the whole structure of a botnet simply doesn't work anymore. A little packet sniffing gives away everything about it, and so it can easily be discovered and reported. Good thing too!
 
All of my friends were getting it, and it was hard for me to figure out how to fix it over the phone, so I intentionally put it on my machine, to figure out how to get rid of it. I have a exported list of all the standard services that should be running, and keep a vigilant eye on my Hijackthis logs, running proccesses, and kill those crappy adware spyware programs on the spot. I didn't seem to find any other viruses on my machine, however it was only on my machine for 15 minutes or so, and I was disconnected from the net during removal. If you happen to come across any please don't hesitate to ammend my post!! THANKS!! :)!! The only other thing it might have changed is a few registry entries to those who do not have SP1, but hopefully that isn't' too many people.

~Drew
 
Correction! It may change a few registry entries in the auto updates section to those who have SP1! SP2 users are not affected as much!
 
Yes, when we were tracking this virus, we discovered that it does change such things. I remember upon infected my PC with it, the virus somehow got crupt along the way. When it was run on my PC, it opened the SP log and showed what it did to it. Very interesting.

I am glad to see that this virus no longer works. The botnet has been shut down, thus the "bot masters" can no longer remotly control any computers. All the AIM spam is not automated, it was controlled by the botnet and it's masters. We have evidence for this. Our log bot picked up this on their botnet (IRC) before we were about to report it:

[20:53] <****> .AIM <font color="red"><b>This AIM user has sent you a Greetings Card, to open it visit: <a href="http://**.**.***.***/OLDBAMy_Christmas_Card.com">http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM</a><br>This senders personal note: Merry Christmas!</b></font>

So no need for the people who are still infected to worry about spreading it anymore!

Heh, too bad before we could report it someone else did. All the same, I am very glad to see that this virus has come to a hault so quickly.
 
New one out

Just want to give you a heads up, theres an aim virus Should i post these pictures on my myspace or Photobook]
then it givs a what looks like a legit link, dont click it it will put up an away message and send that message to your entire buddy list

just a word of warninig :giddy: :giddy:
 
How to fix the new virus

i was talking on aim and then this message comes up that says: can i post a pic. of you on my myspace (or something like that), and i have myspace myself, so i clicked it just because i was bored, opened the file, and it said Compressed (zipped) Folder was the location i was going... so then i thought nothing of it, but then i look at that last post from swker98 that warned people about it, and i signed back on aim and it sent the "thing" to all my friends..i want to know how to get rid of this i ran all my virus scans and it diden't pick it up, and i even tryed looking for the "thing". It has been driving me crazy:mad:.....so please help me!!
 
Hello and welcome to Techspot.

stevo26 said:
i was talking on aim and then this message comes up that says: can i post a pic. of you on my myspace (or something like that), and i have myspace myself, so i clicked it just because i was bored, opened the file, and it said Compressed (zipped) Folder was the location i was going... so then i thought nothing of it, but then i look at that last post from swker98 that warned people about it, and i signed back on aim and it sent the "thing" to all my friends..i want to know how to get rid of this i ran all my virus scans and it diden't pick it up, and i even tryed looking for the "thing". It has been driving me crazy:mad:.....so please help me!!
Click to expand...

Go HERE and follow the instructions in the order they are given.

Then, open a new thread in the security and the web forum and post a fresh HJT log, only after doing the above.

Regards Howard :wave: :wave:
 
Status
Not open for further replies.

Similar threads

D
Microsoft is adding a Copilot icon to Windows 11 taskbar, here's how to hide it
Replies
9
Views
304
erickmendes
erickmendes
midian182
Upcoming Qualcomm Snapdragon X SoCs aim to match Apple's M-series performance and efficiency
Replies
5
Views
434
Mr Majestyk
M
Shawn Knight
Payday 3 launches in September, and here's what you'll need to run it
Replies
0
Views
297
Shawn Knight
Shawn Knight

Latest posts

Back