50 Comments Already

Xiao Said,
January 24th, 2008 @3:41 am  

My friend asked me to open it for her, but my anti-virus software stopped it and told me that it is a Trojan.

Mark Said,
January 24th, 2008 @4:59 am  

Your AV software might have picked it up, but if it’s Symantec, it may not have stopped it.

Jeff Said,
January 24th, 2008 @7:32 am  

How am I supposed to get rid of it?

Marcin Said,
January 24th, 2008 @8:36 am  

I use up-to-date free AVG antivirus. You can download it from http://www.download.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html

Mark Said,
January 24th, 2008 @10:06 am  

I’m no expert, but it is a variant of the SPYBOT.YXX trojan.
Search for any files called wkssvc.exe and any registry entries of this name.
It also blocks access to anti-virus websites, so delete or modify your HOSTS file.

chrismac Said,
January 24th, 2008 @11:40 am  

I got rumbled with this as well, bloody idiot that I am!!!!! I’m usually so careful too but I just wasn’t paying attention as I thought it was from a trusted source!!!!!

Anyway, has anyone come across a pukka fix for it yet??

Ben Said,
January 24th, 2008 @1:37 pm  

We got this in the office today.

I added my method for removing on our forum.

http://www.escapestudios.com/forum/showthread.php?t=873

chrismac Said,
January 25th, 2008 @2:19 am  

cheers Ben, that helped greatly and was painless!!! although the registry entry wasn’t quite where you said it was on my machine, but hey i got it anyway or at least appear to have!
Cheers again! :)

yummii Said,
January 28th, 2008 @3:52 pm  

Oh thanks for this article!!!.. I did the same thing - usually i’m really cautious but I saved it then actually ran the file! :( thought it was from a trusted source.. Now my internet isn’t working..I tried removing it but I don’t think my anti-virus app can detect it cos my Internet doesn’t work (using work internet to find out how to fix this issue..)..

Do you know what else this trojan does? I turned my computer off - Can the trojan still go through the files and grab personal data?

Jonathan Said,
January 28th, 2008 @5:09 pm  

This virus does several things on your computer, it tries to run a trojan, & a variation of the worm as mentioned above. it also creates a registry key to run the file wkssvc.exe from your c:\windows directory on a reboot

leaves a prefetch for the wkssvc.exe

Norton and other virus protection catch and quarantine but do not register the changes made to registry nor does it remove the file wkssvc.exe

these need to be removed manually

to remove the file you will need your protected systems viewable otherwise it will not find it.

John Said,
January 28th, 2008 @7:32 pm  

Good thing I was running Windows Vista :)

Chris Said,
January 28th, 2008 @8:10 pm  

still infects Vista

Jonathan Said,
January 29th, 2008 @10:39 am  

If you clear up the previous files mentioned you may still be infected with the worm.

Open your registry and run a search for spool.exe; any registry key that has this is not valid.

In fact if you find a key under the heading “search assistant” you can delete the entire parent key of search assistant. You will be able to tell because it will have several other keys relating to wkssvc.exe.

Also open your host file located at

c:\windows\system32\drivers\etc\

and remove all the junk that was added as a result of the virus.

Once done remove the spool.exe file from c:\windows\system32

Ken Said,
January 29th, 2008 @12:51 pm  

I seem to have this virus but don’t have wkssvc service, files or registry key. Any thoughts???

-Ken

Jonathan Said,
January 29th, 2008 @2:18 pm  

Ken, check for the spool.exe as previously mentioned. It adds a reg key in the run key for windows so it runs every time you boot.

any registry keys that just say spool.exe are invalid

spool.exe is the perpetrator of the worm portion of the virus.

yummii Said,
January 29th, 2008 @4:55 pm  

I didn’t have the file wkssvc.exe either however, I managed to locate the spool.exe file and deleted it…

Also, I opened the start up menu (Start>Run>Msconfig) and went through all the start up applications and looked them up on the net to see which was a virus/ trojan and then went through the C:/windows/system and C:/windows/system32 folders to manually delete them…

The internet seems to be working on my computer now but it’s still playing up now and then - although this issue is isolated to just IE based apps (eg MSN/ IE7) - Firefox is fine..

Oh Ken, you might want to look in this folder for the file C:\WINDOWS\Prefetch the file will have a *.pf extension - I wasn’t able to locate the file wkssvc.exe but I was able to locate wkssvc.exe [something something] .pf - I did a search on the net and found that that file was associated to the virus as well..

I’m soo glad this blog article was created! All the articles I read were basically saying “hey there’s this problem!” but didn’t provide a solution!

Jonathan Said,
January 29th, 2008 @5:11 pm  

yummi, you may want to search again for that file (wkssvc.exe). Make sure you go to tools|folder options and uncheck hide system files.

should be located in c:\windows

I say this because originally I thought I had deleted it and then went and checked this way and found it still on the computer even though my registry could no longer call the file it was still there.

yummii Said,
January 30th, 2008 @3:23 am  

hey jonathon! thanks for the tip - i tried to locate the file but i can only locate the wkssvc.dll file :(
also, thanks heaps for the c:\windows\system32\drivers\etc\ tip! i went into the host file and WOW! i didn’t realise how much rubbish that virus added!!!

Carey Said,
January 30th, 2008 @9:05 am  

1.) These 3 files need to be removed:

C:\windows\wkssvc.exe
C:\windows\system32\spool.exe
C:\windows\system32\vxconfig.xml (this file was hard, I had to use a special program to unlock)

2.) Repair the hosts file

3.) Remove all references to wkssvc.exe from the registry.

Carey Said,
January 30th, 2008 @9:17 am  

I made a mistake, it is vsconfig.xml NOT vXconfig.xml
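
An added example (not from any commenter or the blog): a read-only check for the artifacts named in the comments above, namely the three files in Carey's list (with the corrected name vsconfig.xml), the wkssvc.exe Prefetch trace yummii describes, and hosts entries that point names at a loopback address. The sample hosts content and its hostnames are constructed placeholders, and treating every non-localhost loopback mapping as suspicious is an assumption of this sketch.

```python
import ipaddress
from pathlib import Path

# File names reported by commenters in this thread, relative to the Windows directory.
REPORTED_FILES = ["wkssvc.exe", "system32/spool.exe", "system32/vsconfig.xml"]
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file; hostnames are placeholders, not values from the page.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example
0.0.0.0         www.av-vendor.example scan.av-vendor.example  # added
192.0.2.10      intranet.example
not-an-ip       broken.example
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname) for names mapped to loopback or 0.0.0.0."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, skip the line
        if addr.is_loopback or addr.is_unspecified:
            for name in fields[1:]:
                if name.lower() not in BENIGN_NAMES:
                    findings.append((line_no, fields[0], name))
    return findings

def find_reported_files(windows_dir):
    """Return reported files present under windows_dir, plus wkssvc.exe Prefetch traces."""
    root = Path(windows_dir)
    hits = [str(root / rel) for rel in REPORTED_FILES if (root / rel).is_file()]
    prefetch = root / "Prefetch"
    if prefetch.is_dir():
        hits += [str(p) for p in sorted(prefetch.iterdir())
                 if p.name.lower().startswith("wkssvc.exe") and p.suffix.lower() == ".pf"]
    return hits

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("hosts:", finding)
    for path in find_reported_files(r"C:\Windows"):
        print("file:", path)
```

Hidden and system attributes do not affect this check, since it tests paths directly rather than listing what Explorer shows. It does not inspect the registry.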

yummii Said,
January 30th, 2008 @4:42 pm  

hey carey! how do we remove all references to wkssvc.exe from the registry? :) sorry i’m not a very technical person…

i have ccleaner which cleans up missing links etc - would i just need to run another session on ccleaner?

Angelyne Said,
January 31st, 2008 @1:18 pm  

We were hit by this virus at my work, and a system restore appears to have fixed the problem. I ran a rootkit revealer and a couple of span and the machine was cleaned.

Chris Said,
February 4th, 2008 @11:30 am  

Here, I created a tool for my company that we use to clean this. It deletes the wkssvc.exe file and removes it from reg, also the spool.exe file and its reg. It will also fix your Host file as well. If you have made any intentional changes to your host file you may want to avoid this. Should work on XP and Vista.

http://www.sharebigfile.com/en/file/6646/msnclean-exe.html

PS Said,
February 4th, 2008 @12:02 pm  

Chris,
Great tool, helped us out a ton. Greatly appreciated!

Paul Said,
February 5th, 2008 @3:22 pm  

Thanks Chris :D that seemed to do the trick. I can’t delete the file itself tho, keeps coming up with i do not have permission. Any clues?

Scott Said,
February 5th, 2008 @10:44 pm  

Paul,

You have to go into the DOS prompt “Start>Run>cmd” and run the command “attrib -h -s -r c:\windows\wkssvc.exe”. Once that is completed you run the command “del c:\windows\wkssvc.exe”. You might have to run “Start>Run>msconfig” as mentioned earlier to make it so the file does not boot when you start your computer, if you have not done that already. That should get rid of the file itself.

anthony. Said,
February 6th, 2008 @12:43 pm  

I got this virus after my friend’s birthday party and I’ve been trying to get rid of the virus for days.. I’ve tried the program ‘Spybot - Search and Destroy’ and it didn’t help much because the program lags when I try to fix the thing.

And when I go to msconfig on ‘run’ and disable the spool.exe and wkssvc.exe it disables it, then I go to the cmd program and type in the command ”attrib -h -s -r c:\windows\wkssvc.exe” and it says the file c:\windows\wkssvc.exe is not found.. I need serious help :( Can someone explain it step by step thoroughly?
Thanks :)

RainCaster Said,
February 6th, 2008 @6:10 pm  

I’ve seen a permutation of this that uses a link to http://msnprofiles.ms.funpic.de/...

The file is a *.com file with a win32 PE header. Looks like some crappy old code, Delphi probably. Then a more modern virus injected into it.

Tom Said,
February 7th, 2008 @7:16 pm  

Cheers for the cleanup know-how but the file still seems to be on desktop and I cannae get rid?? Help greatly appreciated…

Liten Said,
February 7th, 2008 @11:13 pm  

When I go to the cmd program and type in the command ”attrib -h -s -r c:\windows\wkssvc.exe” it says the file c:\windows\wkssvc.exe is not found…
Does that mean that I don’t have the virus anymore?
Also, I found the spool.exe file but I read (http://www.escapestudios.com/forum/showthread.php?t=873) that I shouldn’t erase it… What can I do?

Jess Said,
February 8th, 2008 @2:59 am  

Hey, i received dat msg today and my friendz got it from me now and their friendz got it from them -_-
do u kno how i can get rid of it?
HELP !!

Derek Said,
February 8th, 2008 @2:03 pm  

I got that virus last night, and before I found some of these forums I had already deleted the partition on my hard drive and reinstalled everything on the computer. I know that deleting the partition doesn’t always get rid of all the data, so I’ve been searching for the virus on my computer and so far I haven’t found anything, and when I boot the computer I don’t get those messages telling me to run and install certain programs that had been popping up after I got the virus. Does that mean that I got rid of it or have I just made things worse? Does anyone know, and if it would still be there how would I be able to find it?

Brock Said,
February 8th, 2008 @3:49 pm  

Hey, so I was a sucker and ran the friggen thing last night after receiving it from a friend over msn…. sigh*, you know you’re too trustworthy when… Anyhow, so I’m a bit confused. I got into the C:system32 file but I can’t find spool. I ran a search on both wksscvc.exe and spool.exe. I found one wksscvc.exe file in the C: drive and deleted it. But as far as spool goes, none are titled spool.exe. There are a number of spool files but they all are named things like “winspool”, “SpoolSS” etc. Just for reference, nothing appears to be broken or changed on my computer but I know for a fact that I do have this virus. I get the prompt to run the “wkssvcv.exe” on every reboot also. I ran MSconfig and found the file that keeps this reboot prompt appearing but wasn’t sure how to go about deleting it and what not. Any help would be awesome!!

Sam Said,
February 8th, 2008 @7:47 pm  

Has anyone been able to find an official name for this virus?

Rodney Said,
February 9th, 2008 @3:29 pm  

If you go to that thread, they tell you a surefire way to get rid of it.

Weej Said,
February 10th, 2008 @1:11 am  

I have found wkssvc.dll , and wkssvc.dll.mui .. also spool.exe.mui , and spoolss.dll and spoolss.dll.mui .. By the way I have Vista. What the frig do i do!!?? Do I delete this or not? PLEASE HELP

Christina Said,
February 11th, 2008 @9:07 pm  

Chris, I tried your fix and I am still getting the pop-up box upon start-up. Help!!! I don’t want to spend the massive $$$ to get this fixed….

MyMomClickedOnTheLink! Said,
February 14th, 2008 @5:50 am  

Hey thanks Chris. I used the program you uploaded and it killed off the virus right away. Only for a short while though, it comes right back up every time my com reboots. Any help with this? thanks =)

the Sav Said,
February 16th, 2008 @5:37 am  

I found that this worked for me.
Download HijackThis from Trend Micro:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
Put a check mark beside these links:
O4 - HKLM\..\Run: [MSN Messenger] msn.com
O4 - HKLM\..\RunServices: [MSN Messenger] msn.com
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Now down at the bottom click on fix.
Restart your computer.

Mamawolfe Said,
February 17th, 2008 @8:26 am  

I got rid of the pop-up box, but it seems to have done some damage -I can’t get on a couple of internet sites. Any ideas on how to fix this? Thanks!

Anna Said,
February 22nd, 2008 @11:54 am  

I got this virus on my old laptop, I was running XP, I got careless and I sure had to pay for it.

My brother was just surfing around when it crashed; there was nothing installed on it but a few safe programs because I just recently gave it to my brother.

So, I’m asking why the heck did my computer crash?

I mean, I can’t do anything, I’ve tried to install Windows again and put it in Safe mode but it just won’t work.

It says:
“Windows/System32/Config/System file missing or corrupt” when I try to boot into XP Pro and get no further.

What am I going to do?!

Macka Said,
February 23rd, 2008 @8:37 pm  

For those of you who avoid/don’t understand the registry, an automatic removal tool can be found at http://www.msnvirusremoval.com

Josh Said,
March 2nd, 2008 @11:29 am  

Thanks for the virus cleaner it helped loads and deleted the virus straight away!!!
Pembo

Sarah Said,
March 10th, 2008 @7:14 pm  

Hi!

I’m really not technical at all and desperately in need of help. My friend sent me a link which I stupidly clicked on - at work - and now I’m screwed. I did a virus scan using homecall and it detected some things in my c:\WINDOWS file under the following names

\system32\cbtmhtktd.dll
\system32\cilgfhyw.dll
\system32\jcycqgeo.dll
\system32\jkkjg.dll
\system32\sbrjfknl.dll
\system32\yaywxyy.dll

I have no idea what my registry is or how to do a search on msconfig so if anyone can help me, step by step, my job may just be saved!! And I will be eternally grateful!

Thanks :-)

Mandy Said,
March 18th, 2008 @4:51 pm  

Every time I try to remove the spool.exe file it says I do not have permission or access is denied, even in the command prompt! What do I do?

Z666 Said,
March 29th, 2008 @2:17 am  

I did not find any of the above mentioned files on my PC (I checked all the hidden and the system files as well), but my MSN was infected. I found a tool called MSNFix.zip and it found 2 files and deleted them:

C:\DOCUME~1\ [MY USER NAME] \LOCALS~1\Temp\winlogon.exe
C:\DOCUME~1\ [MY USER NAME] \LOCALS~1\Temp\services.exe

The File and Registry deletions have been saved in 2008.03.28._15072452.zip

************************ HKLM\…\Winlogon\Userinit

Userinit = C:\WINDOWS\system32\userinit.exe,

I hope it helps. And I hope that my MSN is finally clean!

Z666
