New MSN Messenger Virus/Trojan – March 2009
For the last couple of days a friend has been bringing their laptop over to my place for me to try and clean this darn msn virus/trojan, which seems to be one tough SOB because everything i have tried hasnt worked. The laptop (Windows XP SP3) has AVIRA AntiVir for antivirus and i have installed and scanned the pc with every single anti-spyware/anti-malware software out there, which includes Ad-Aware, Spyware Terminator, Super Antispyware, Malwarebytes’ Anti-Malware, Rootkit Revealer, and Spybot – Search & Destroy which i chose from Download.com’s top 20 list and from Filehippo’s Anti-Spyware category . Unfortunately none of these great removal software was able to find or remove it.
Well this new MSN virus/trojan posts messages to your contacts like the ones found below.
YOU ARE ON THE FRONTPAGE OF THIS WEBSITE!! http://www.gallery-pictures.com
NO FUCKING WAY!! LOL WHAT HAVE YOU BEEN UP TO?! http://solox99.photodropperz.com
how is this possible?! i just found u through my profile (?!?!?) http://sarfar.gallery-pix.com/
What the virus/trojan does is send links to what seem to be an MSN login page asking you for your email and password for the purpose of “spread the word about this new 100% real and upcoming Messenger Community Site” which is stated in there terms of use at the bottom of the page. The links sometime have the infected user’s msn username in the subdomain (ex. http://username.gallery-pix.com) and will always look like the image to the right with the heading “PICS FOR MSN FRIENDS v2.0c” or “Pics & Photos 4Frenz v.2.5″.
Alternatively, the messages will link to a sex dating signup webpage with the title “Meet Real Sex Partners TONIGHT – JOIN FOR FREE! — Swingers, Free Adult Chat & Adult Personals Site” which are found at the http://www.fastxxxnow.com/new4/ and http://www.fastxxxnow.com/new5/.
Google Help
After some checking on google, it picked up some of the post messages from what seems to be a group board at this chinese website http://www.365groups.com/
After doing some more digging in google i found a discussion on a dog bulletin board about it.
http://www.labradorforums.co.uk/ftopic-57428-days0-orderasc-0.html
The infected person stated that they formatted the pc and it still didnt solve the problem as the virus/spyware seems to have attached itself to MSN.
Removal Attempts
So after all the scanning with anti-virus/spyware/malware, i decided to remove MSN messenger and all its dependances and installed them again. Didnt help. I tried the various MSN removing softwares like MSN Virus Removal, MSN Virus Cleaner, and IMP Fix suggested in the dog bulletin board with not luck.
Infected Domains
Below is a list of domains which have the same MSN login page.
http://www.areyou-onthisphoto.com/
http://www.dontstayin-pics.com/
http://www.flicker-photoz.com/
http://www.flicker-pics.com/
http://www.galleri-support.com/
http://www.galleryshotz.com/
http://www.greaterpics.com/
Infection Behaviour
My friend told me that when she was infected that MSN Messenger would continously disconnect and reconnect and it seems within the time it was disconnection and reconnecting that the virus/trojan would send these messages to her contacts. That is what she told me but i have no way to verify it, but one thing to keep in mind is whether the virus/trojan is sending the messages to your contacts when you are online or not, and you can know this by the date and time stamp MSN Messenger attaches to each chat post.
Update – Finally Removed
Well what i noticed when i signed into my own MSN Messenger (Windows Live Messenger) account from my friend’s infected pc, that it wasnt sending out the same type of messages to my contacts, which lead me to believe that the account itself is infected and not the pc. So i did some more digging around and was able to finally remove the darn thing by doing the following (not sure what part of this did the trick though). I ran Rootkit Revealer and noticed it brought up MSN Messenger results in the
C:\Documents and Settings\user account\Local Settings\Application Data\Microsoft\Messenger\email@host.com folder
(of course “user account” and “email@host.com” will differ for you on your pc), which you wont be able to reach to in window explorer unless you have hidden files and folders showing [instructions how to do this]. So in that folder i simply deleted all the files and folder. Then i noticed that MSN Virus Removal suggested the changing of my password, so i did that. It must be one of these two that did it but i believe the changing of the password would have done it, but i wont know for certain unless she gets infected again. 
Hope this helps someone out there and if so, drop me a comment below.
2nd Update
Would like to thank everyone who commented and was happy to hear from all those who were helped by this post as i never dreamt that it would be so popular. Well most people said the changing of the password worked, so do try that first before the removal of the files from the computer. I came across a good blog on how to remove some other windows live messenger viruses, so i case you werent able to find a solution with what i have given here, do check out this post.
Comments March 18th, 2009
Ofcourse we all know that AVG provides a full featured AntiVirus suite for free, but they also have a pro version where there is a broader scanning options and scheduling scans more than once a day, and many other features.
Don’t even think of replacing your current Firfox with this, no, just give it time this is still Beta. I 
