DontBogartMe 2007.09.12, 10:41AM — MSN Messenger virus IMG-0012.zip
anyone else seen this virus? It seems to be a new one - and my laptop is now infected with it.
What it does is send your MSN Messenger contacts a message saying something like 'Hi, I'm going to post this photo of us to my myspace, what do you think?' then it sends you a ZIP file.
In that ZIP file is the virus.
Yeah it was indeed a bit stupid to just open that file, but it came from a trusted contact and it seemed reasonable enough - the wording of the message is quite good.
After realising I'd been had - I scanned the original file with AVG, but it said it was ok.
There isn't much info I can google at the mo - I've seen a few things, but nothing so far works. If anyone else gets it, and finds a solution that actually works, post back here?
*waits for the 'get a mac' suggestions...
JimmyTheGent 2007.09.12, 10:46AM —
Hmm, I haven't seen this virus but I am interested to know what it does to your system if anything...
DontBogartMe 2007.09.12, 11:13AM —
it doesn't seem to do anything so far, no one's reported any problems other than that it sends the damn message to all your contacts - repeatedly too.
DontBogartMe 2007.09.12, 11:15AM —
oh I should say that I managed to delete the payload file (that IMG-0012.zip) from the system, so now all it does is message the contacts with the text without the attachment - so at least it can't spread from me now.
X-DUD!!!11~~ 2007.09.12, 05:49PM —
Last night, my sister said her computer got a virus, that and this thread prompted me to actually scan my hard drive, which I do about once a year.
Yeah, I'm that l33t.
Or so I thought... :O
File C:\Documents and Settings\Jody\Local Settings\Temp\nsiCA8.tmp\touchanswer.exe is infected with probably a variant of Win32/TrojanDownloader.Agent trojan.
Where der fark did DAT come from!?
mperazac 2007.09.13, 06:39PM —
Guys,
Try this:
STEP 1
Delete registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Lsass Services"="%Windows%\system\lsass.exe"
STEP 2
Restart WINDOWS
STEP 3
Delete virus files:
%Windows%\system\lsass.exe
%Windows%\IMG-0012.zip
STEP 4
Remove "Windows Sharing" from exceptions tab of Windows Firewall
STEP 5
Set registry data:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="20000"
Deus Ex Machina 2007.09.13, 07:51PM —
people still use MSN messenger?
tenPlus 2007.09.14, 10:56AM —
Originally posted by: Deus Ex Machina
people still use MSN messenger?
hell yeah. The more successful young middle management people in the company use it for what it is - instant messaging. If they need to make an urgent request to a colleague at another company they just IM them. Emails are now regarded as snail mail - they get answered when they get around to it or are used as formal documentation. IM's are what get answered to right away.
DontBogartMe 2007.09.14, 12:10PM —
yeah I still occasionally use it for IMing with clients and a few distant old friends.
Originally posted by: mperazac
Guys,
Try this:
STEP 1
Delete registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Lsass Services"="%Windows%\system\lsass.exe"
STEP 2
Restart WINDOWS
STEP 3
Delete virus files:
%Windows%\system\lsass.exe
%Windows%\IMG-0012.zip
STEP 4
Remove "Windows Sharing" from exceptions tab of Windows Firewall
STEP 5
Set registry data:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="20000"
I actually did most of those steps the other day, plus I also went thru the registry and deleted all references to IMG-0012.zip.
One thing - make sure you don't delete ALL lsass.exe files though - the one in \windows\system32\ is actually a system file that you need.
I didn't post results back here cos I wasn't sure it was dead - but after a couple of days I think I can say the virus has gone away for good.
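Added example, not part of any post in this thread: a Python check that ties together the removal steps posted above and the warning about the genuine \windows\system32\lsass.exe. It reads `reg query` output for the Run key and flags only autostart entries that borrow a system binary's name from outside System32. The sample output, the list of imitated names and the reading of %Windows% as the Windows directory are assumptions made for the example.

```python
import ntpath
import re

# Assumed list of system binary names that malware commonly imitates.
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "services.exe", "csrss.exe", "winlogon.exe"}

# Constructed sample of `reg query` output for the Run key (not from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Lsass Services    REG_SZ    %Windows%\system\lsass.exe
    SoundMan    REG_SZ    C:\WINDOWS\SOUNDMAN.EXE
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
"""

# reg.exe separates value name, type and data with runs of four spaces.
LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def image_path(data, windows_dir=r"C:\WINDOWS"):
    """Return the normalized executable path from a Run value's data."""
    # Assumption: %Windows% (as written in the thread) means the Windows directory.
    expanded = re.sub(r"%(windows|systemroot|windir)%", lambda m: windows_dir,
                      data, flags=re.I)
    # Quoted path, or an unquoted path up to ".exe" (arguments are dropped).
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', expanded, flags=re.I)
    path = (m.group(1) or m.group(2)) if m else expanded
    return ntpath.normcase(ntpath.normpath(path))


def masquerading_run_entries(reg_text, windows_dir=r"C:\WINDOWS"):
    """Return (value name, path) for Run entries that use a system
    binary's name from any folder other than System32."""
    system32 = ntpath.normcase(ntpath.join(windows_dir, "System32"))
    hits = []
    for line in reg_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = image_path(m.group("data"), windows_dir)
        folder, exe = ntpath.split(path)
        if exe in SYSTEM_NAMES and folder != system32:
            hits.append((m.group("name"), path))
    return hits


if __name__ == "__main__":
    for name, path in masquerading_run_entries(SAMPLE_REG_QUERY):
        print(f"suspicious autostart: {name!r} -> {path}")
```

Because the comparison is on the full folder path rather than the file name alone, a copy in \system\ is reported while the real file in \system32\ is left alone.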
