AIM Virus



Richard Mueller
07-09-2005, 11:48 PM
My niece, and many of her friends, received an AIM message with the text
"Check out my pictures". The link seems to infect the computer, sending
messages to everyone in the buddy list. NAV scan with latest signature file
dated 5/11/2005 shows nothing. PandaSoftware scan reveals no virus. client is
Windows XP (SP2) with ZoneAlarm firewall. Internet search reveals several
recent similar reports, but no virus name. The only suggested fix is to
delete aim.exe. Any suggestions, or does anyone know what the virus is?

Richard Mueller

David H. Lipman
07-09-2005, 11:48 PM
From: "Richard Mueller" <RichardMueller@discussions.microsoft.com>

| My niece, and many of her friends, received an AIM message with the text
| "Check out my pictures". The link seems to infect the computer, sending
| messages to everyone in the buddy list. NAV scan with latest signature file
| dated 5/11/2005 shows nothing. PandaSoftware scan reveals no virus. client is
| Windows XP (SP2) with ZoneAlarm firewall. Internet search reveals several
| recent similar reports, but no virus name. The only suggested fix is to
| delete aim.exe. Any suggestions, or does anyone know what the virus is?
|
| Richard Mueller


I have no idea what your niece was infected with but deleting AIM.EXE is NOT the answer.


Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. If you are using Windows XP, you may have to disable the Windows XP FireWall to
allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Richard Mueller
07-09-2005, 11:48 PM
Interesting. I had to disable ZoneAlarm before GetFiles.bat could ftp the
files. The first scan in Safe Mode found several adware/spyware programs not
found by SpyBot Search & Destroy (or NAV). It found one file (msaccrt.exe)
infected with W32/Opanki.gen virus. Second scan under Windows found a few
more adware programs and another copy of W32/Opanki.gen in the \System Volume
Information\_Restore folder.

Research on W32/Opanki.gen reveals it is a variant of W32.Allim.B. This is a
worm spread through America Online Instant Messenger that drops a variant of
Backdoor.Sdbot, which allows access by a remote hacker. The body of the
message for W32.Allim.B is "hey check out this", instead of "check out my
pictures" in the variant received by my niece.

I think what I found is a variant that NAV does not yet recognize (signature
file dated 5/16/2005). Of course, there is no way to tell this to Symantec. I
submitted email feedback about this yesterday with no response. There is
really no way to communicate with them.

Thanks for the help and the bat files. Worked great.

Richard Mueller

David H. Lipman
07-09-2005, 11:48 PM
From: "Richard Mueller" <RichardMueller@discussions.microsoft.com>

| Interesting. I had to disable ZoneAlarm before GetFiles.bat could ftp the
| files. The first scan in Safe Mode found several adware/spyware programs not
| found by SpyBot Search & Destroy (or NAV). It found one file (msaccrt.exe)
| infected with W32/Opanki.gen virus. Second scan under Windows found a few
| more adware programs and another copy of W32/Opanki.gen in the \System Volume
| Information\_Restore folder.
|
| Research on W32/Opanki.gen reveals it is a variant of W32.Allim.B. This is a
| worm spread through America Online Instant Messenger that drops a variant of
| Backdoor.Sdbot, which allows access by a remote hacker. The body of the
| message for W32.Allim.B is "hey check out this", instead of "check out my
| pictures" in the variant received by my niece.
|
| I think what I found is a variant that NAV does not yet recognize (signature
| file dated 5/16/2005). Of course, there is no way to tell this to Symantec. I
| submitted email feedback about this yesterday with no response. There is
| really no way to communicate with them.
|
| Thanks for the help and the bat files. Worked great.
|
| Richard Mueller

The McAfee Command Line Scanner works pretty good !
The files found in the following folder were in the System Restore cache.
c:\System Volume Information\_Restore

I am glad your niece is now cleaned up.

Since adware was found, I suggest you also perform the following....

1) Download the following item...

Adaware SE (Free personal version)
http://www.lavasoftusa.com/

2) Update Adaware with latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Adaware SE, perform a Full Scan of your platform and clean/delete
any parasites found.
6) Restart your PC and perform a "final" Full Scan of your platform using Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
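The two findings above, a dropped file (msaccrt.exe) that the signature scanner missed and a second copy of it sitting in the System Restore cache, are exactly the case where an indicator sweep by file name and content hash helps: the restore-point copy is stored under a generated name, so only the hash ties it back to the live sample, and it is why the thread's advice is to disable System Restore before cleaning. The script below is an added example, not code from the thread or from either poster; it builds a throwaway directory tree that mimics the layout described, sweeps it, and flags which hits live under System Volume Information\_Restore. The sample bytes, their hash, the A0001234.exe name and the tree layout are all constructed for illustration, not real malware.

```python
"""Added example: name-and-hash sweep of a directory tree, including the
System Restore cache, for a known-bad file. Not part of the original thread;
every file name, byte string and hash below is constructed for illustration."""
import hashlib
import os
import tempfile

# Constructed stand-in for the dropped file (NOT real malware). Its hash is
# computed at run time so the example is self-consistent offline.
SAMPLE_BYTES = b"MZ\x90\x00constructed-opanki-like-sample-not-real-malware"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

# Indicators: the file name reported in the thread, plus the constructed hash.
IOC_NAMES = {"msaccrt.exe"}
IOC_HASHES = {SAMPLE_SHA256}

def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files do not get read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, names=IOC_NAMES, hashes=IOC_HASHES):
    """Walk `root`; return (path, reason) for each file matching by name or
    by content hash. Hash matching catches renamed copies such as the ones
    System Restore keeps under _Restore with generated A00nnnnn.exe names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in names:
                reasons.append("name")
            try:
                if sha256_of(path) in hashes:
                    reasons.append("sha256")
            except OSError:
                continue  # locked or ACL-protected; report separately in real use
            if reasons:
                hits.append((path, "+".join(reasons)))
    return hits

def in_restore_cache(path):
    """True when a hit lives in the System Restore cache; deleting the live
    copy while System Restore is enabled leaves this one to come back."""
    parts = [p.lower() for p in path.split(os.sep)]
    return "system volume information" in parts and any(
        p.startswith("_restore") for p in parts)

def build_demo_tree():
    """Constructed tree mirroring what the thread describes (assumption)."""
    root = tempfile.mkdtemp(prefix="aimsweep_")
    live = os.path.join(root, "WINDOWS", "system32")
    restore = os.path.join(root, "System Volume Information", "_Restore", "RP12")
    os.makedirs(live)
    os.makedirs(restore)
    with open(os.path.join(live, "msaccrt.exe"), "wb") as f:
        f.write(SAMPLE_BYTES)
    # System Restore stores a renamed copy; only the hash links it back.
    with open(os.path.join(restore, "A0001234.exe"), "wb") as f:
        f.write(SAMPLE_BYTES)
    with open(os.path.join(live, "notepad.exe"), "wb") as f:
        f.write(b"MZ\x90\x00benign-placeholder")
    return root

def run_demo():
    """Sweep the constructed tree and summarise the hits."""
    hits = sweep(build_demo_tree())
    return {"hits": len(hits),
            "restore_hits": sum(in_restore_cache(p) for p, _ in hits),
            "reasons": sorted(r for _, r in hits)}

if __name__ == "__main__":
    for path, why in sweep(build_demo_tree()):
        flag = " (System Restore cache)" if in_restore_cache(path) else ""
        print(f"{why:12} {path}{flag}")
```

On a real XP box you would point `sweep()` at the drive root and replace the constructed hash with one taken from the actual sample (after copying it out for submission, as the later reply in this thread points out is possible); the restore-cache hit is the one that explains why a second scan in Normal Mode still found W32/Opanki.gen.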

Richard Mueller
07-09-2005, 11:48 PM
I'll be out of town a few days, but will try the Adaware scan.

Symantec posted a security response for this AIM virus today. Even this
description is a little different from what I saw. They call it W32.Opanki,
but their virus definitions won't recognize it until May 25.

http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html

Richard Mueller

N. Miller
07-09-2005, 11:48 PM
On Tue, 17 May 2005 21:21:02 -0700, Richard Mueller wrote:

> I think what I found is a variant that NAV does not yet recognize (signature
> file dated 5/16/2005). Of course, there is no way to tell this to Symantec. I
> submitted email feedback about this yesterday with no response. There is
> really no way to communicate with them.

Actually, there is a way to communicate with them, and even to submit a
suspected viral file.

http://securityresponse.symantec.com/avcenter/submit.html

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

