Friendster Virus Alert
Have you ever received a friendster message from a friend that has a message of something like LOL, WOW etc..It look like this..This pic was to taken from my support PC just to make sure. A highschool friend send me this one but it was not actually from her. It was mimicking his friendster account.
If you open the link in the message, you were to be diverted to an philshing youtube account. It was actually fake and if you will notice the address it was also non existent, they are simply mimick. But it mimicking was done in random in such a way different IP`s was displayed for every message you received.
The harmful part of this message wasthe SETUP.EXE thing you could see once you open the address. Don`t save this file because if you do,it was a RAT of remote access Terminal controller. Meaning, the hacker could open your computer remotely. It was a virus with a purpose so be carefull.
Another version of this one is the win32.worm.its origin..Someone figured it out ito be in friendster also. See below for the info.
IF youreceive this kind of message simply deleted or else just simply say goodbye to your files.
Please tell the people who sent those to change their Passwords immediately and scan their PC for viruses.
Those are virus/worms generated messages that originated from myspace and facebook called... Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.
For more info:
If you open the link in the message, you were to be diverted to an philshing youtube account. It was actually fake and if you will notice the address it was also non existent, they are simply mimick. But it mimicking was done in random in such a way different IP`s was displayed for every message you received.
The harmful part of this message wasthe SETUP.EXE thing you could see once you open the address. Don`t save this file because if you do,it was a RAT of remote access Terminal controller. Meaning, the hacker could open your computer remotely. It was a virus with a purpose so be carefull.
Another version of this one is the win32.worm.its origin..Someone figured it out ito be in friendster also. See below for the info.
IF youreceive this kind of message simply deleted or else just simply say goodbye to your files.
Please tell the people who sent those to change their Passwords immediately and scan their PC for viruses.
Those are virus/worms generated messages that originated from myspace and facebook called... Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.
For more info:
Win32.Worm.KoobFace.A
( Net-Worm.Win32.Koobface.b; W32.Koobface.A )Spreading: | very high | |
Damage: | very low | |
Size: | 16652 | |
Discovered: | 2008 Aug 05 |
SYMPTOMS:
- Presence of "Systray" key in autorun locations of windows registry.- Presence of next files on the system:
C:\Windows\mstre6.exe- Increased internet traffic.
C:\Windows\tmark2.dat
- "Friend users" from myspace.com receives links with commentaries via Inbox messages from user with infected system.
TECHNICAL DESCRIPTION:
Once it is launched, it moves itself to C:\WIndows\mstre6.exe and then it executes itself from the specified location.
It finds the default explorer cookies folder and searches into it for files which contain "myspace.com".
If no appropriate files are found, it shows a MessageBox with the following text: "Error installing Codec. Please contact support", creates a file in C:\Windows\tmark2.dat and writes "1" into it. This way it marks the operating system for its presence, and then it terminates itself, subsequently deleting its file. So the worm infects only systems which use myspace.com.
If such cookies are found on the system, it adds an entry into the Registry autorun under the "Systray" key name.
The worm also deletes the following registry key:
This technique is extremely efficient, especially given the fact that users are more likely to trust links sent by friends than by unknown contacts. The worm spreads from one system to another by using the Myspace contact lists.
So so much for now..Goodnight GodBless to all my readers.
It finds the default explorer cookies folder and searches into it for files which contain "myspace.com".
If no appropriate files are found, it shows a MessageBox with the following text: "Error installing Codec. Please contact support", creates a file in C:\Windows\tmark2.dat and writes "1" into it. This way it marks the operating system for its presence, and then it terminates itself, subsequently deleting its file. So the worm infects only systems which use myspace.com.
If such cookies are found on the system, it adds an entry into the Registry autorun under the "Systray" key name.
The worm also deletes the following registry key:
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\NavigatingNext, it gets from its server (zzzping.com) miscellaneous links and short captions to be sent via MySpace.com. The links it attempts to send to the Myspace.com contacts point users to a fake codec update, which proves to be an infected binary file containing a copy of the worm.
This technique is extremely efficient, especially given the fact that users are more likely to trust links sent by friends than by unknown contacts. The worm spreads from one system to another by using the Myspace contact lists.
So so much for now..Goodnight GodBless to all my readers.