Yahoo Messenger Virus Attack

RisingSun · 05-10-06, 12:02 PM

Yes it is removed from your computer.

Check again once that what you did here..

4: Now we need to change the default page of IE though regedit.

Start>Run>Regedit

From the below locations in Regedit chage your default home page to google.com or other.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main

Just replace the attacker site with google.com or set it to blank page.

Have you modified any other option rather than changing only default page ?

RisingSun · 05-10-06, 12:09 PM

Do you use Zone Alarm firewall ??????

navy · 05-10-06, 12:19 PM

RisingSun · 05-10-06, 12:25 PM

Just go through this url... you can resolve the problem

http://support.microsoft.com/kb/320159

05-10-06, 01:42 PM

friend,, .... even i follow the commands u mentioned, i am able to delete temporarily.

whenever i login into yahoo messenger .. the virus nsl-school is attacking, showing additional link as 'you are effected with virus, use this to clean' along with available, busy, not available,....

please suggest me... ( pvdramesh55@yahoo.com)

preethisingh · 05-10-06, 02:04 PM

It worked fine for me.

sunnyhup · 05-10-06, 03:44 PM

thank u guys for good info..

yathish · 05-10-06, 03:47 PM

Thanku admin and evishy.

rk_ramakrishnamca · 05-10-06, 05:51 PM

Thank u very much adminstrator.

05-10-06, 05:53 PM

Thnaks for the Info
But Still my Home page options are disabled.
Please help me

**Admin** · 05-10-06, 06:10 PM

To enable IE use current- use default -use blank options..

Strat>Run>Regedit

Go to this pleace :

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] -

Right Click on the Homepage & selecet modify. Replace the 1 with 0.

Thats all. let me know if you need any more help.

RisingSun · 05-10-06, 07:31 PM

More about this virus :

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: IM-Worm.Win32.Qucan.a
• Eset: Win32/KillAV.NBD
• Bitdefender: Win32.Worm.IM.Sohanat.A

It was previously detected as:
• Worm/Qucan.A

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disable security applications
• Downloads malicious files
• Registry modification

Files It tries to download some files:

– The location is the following:
• http://64.26.25.75/**********
It is saved on the local hard drive under: %WINDIR%\svhost.exe Detected as: Tr/Dldr.Qucan.A

– The location is the following:
• http://64.26.25.75/**********
It is saved on the local hard drive under: %WINDIR%\svhost32.exe Furthermore this file gets executed after it was fully downloaded. Detected as: Worm/AutoIt.B

Registry The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "svchost"="%WINDIR%\svhost32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Task Manager"="%WINDIR%\svhost32.exe"
• "svchost"="%WINDIR%\svhost.exe"

The following registry keys are changed:

– [HKCU\Software\Yahoo\pager\View\YMSGR_buzz]
Old value:
• "content url"=%user defined settings%
New value:
• "content url"="nsl-school.org"

– [HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast]
Old value:
• "content url"=%user defined settings%
New value:
• "content url"="nsl-school.org"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
Old value:
• "Start Page"=%user defined settings%
New value:
• "Start Page"="nsl-school.org"

Process termination List of processes that are terminated:
• bkav2006.exe; Anti-Trojan.exe; ANTS.exe; apvxdwin.exe; ATCON.exe;
ATUPDATER.exe; ATWATCH.exe; AUPDATE.exe; AUTODOWN.exe; AUTOTRACE.exe;
AUTOUPDATE.exe; Avconsol.exe; AVP.exe; AVP32.exe; avpcc.exe; avpm.exe;
AVPUPD.exe; Avsynmgr.exe; AVWUPD32.exe; AVXQUAR.exe; bdmcon.exe;
bdoesrv.exe; bdss.exe; CMGrdian.exe; drwebupw.exe; GUARD.exe;
iamapp.exe; iamserv.exe; ICLOAD95.exe; ICLOADNT.exe; ICMON.exe;
ICSSUPPNT.exe; ICSUPP95.exe; ICSUPPNT.exe; LUCOMSERVER.exe;
MCAGENT.exe; mcupdate.exe; MINILOG.exe; MOOLIVE.exe; NAVAPW32.exe;
NMAIN.exe; NPROTECT.exe; NSCHED32.exe; NUPGRADE.exe; regedit.exe;
regedt32.exe; RuLaunch.exe; Vshwin32.exe; VsStat.exe; zatutor.exe;
zonealarm.exe

File details Programming language:
The malware program was written in Visual Basic.

Spoorthi · 05-10-06, 11:50 PM

so much of info.......

06-10-06, 12:49 AM

than u very much

06-10-06, 02:16 AM

hi...!!!

i tried this procedure twice/ but it still didnt work for me...!!

int he internet options > general i am not able to change my hoem page.

and when i run >REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

a window jsut appears adn fades away...

i am sad......

in my yahoo messeger window under the available/ invisible tab....
all these sites appear.... adn suddenly even thogu i am int he invisible mode.... it changes to the visible mode and that msg is sent to all my friend list....

kindly help
rgrds./
Mhj

05-10-06, 12:02 PM	#16 (permalink)
RisingSun Senior Member Join Date: Sep 2006 Posts: 230 Thanks: 21 Thanked 33 Times in 29 Posts Rep Power: 7	Re: Yahoo Messenger Virus Attack Yes it is removed from your computer. Check again once that what you did here.. 4: Now we need to change the default page of IE though regedit. Start>Run>Regedit From the below locations in Regedit chage your default home page to google.com or other. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main HKEY_ LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main HKEY_USERS\Default\Software\Microsoft\Internet Explorer\Main Just replace the attacker site with google.com or set it to blank page. Have you modified any other option rather than changing only default page ?
Offline

05-10-06, 12:09 PM	#17 (permalink)
RisingSun Senior Member Join Date: Sep 2006 Posts: 230 Thanks: 21 Thanked 33 Times in 29 Posts Rep Power: 7	Re: Yahoo Messenger Virus Attack Do you use Zone Alarm firewall ??????
Offline

05-10-06, 12:19 PM	#18 (permalink)
navy Junior Member Join Date: Oct 2006 Posts: 2 Thanks: 0 Thanked 2 Times in 1 Post Rep Power: 4	Re: Yahoo Messenger Virus Attack no
Offline

05-10-06, 12:25 PM	#19 (permalink)
RisingSun Senior Member Join Date: Sep 2006 Posts: 230 Thanks: 21 Thanked 33 Times in 29 Posts Rep Power: 7	Re: Yahoo Messenger Virus Attack Just go through this url... you can resolve the problem http://support.microsoft.com/kb/320159
Offline

05-10-06, 01:42 PM	#20 (permalink)
FRIEND Unregistered Posts: n/a	Re: Yahoo Messenger Virus Attack friend,, .... even i follow the commands u mentioned, i am able to delete temporarily. whenever i login into yahoo messenger .. the virus nsl-school is attacking, showing additional link as 'you are effected with virus, use this to clean' along with available, busy, not available,.... please suggest me... ( pvdramesh55@yahoo.com)

05-10-06, 02:04 PM	#21 (permalink)
preethisingh Junior Member Join Date: Jul 2006 Posts: 1,391 Thanks: 1 Thanked 28 Times in 25 Posts Rep Power: 19	Re: Yahoo Messenger Virus Attack It worked fine for me.
Offline

05-10-06, 03:44 PM	#22 (permalink)
sunnyhup Senior Member Join Date: Jul 2006 Age: 28 Posts: 336 Thanks: 0 Thanked 29 Times in 19 Posts Rep Power: 9	Re: Yahoo Messenger Virus Attack thank u guys for good info..
Offline

05-10-06, 03:47 PM	#23 (permalink)
yathish Moderator Join Date: Sep 2006 Location: Bangalore Posts: 2,404 Thanks: 71 Thanked 456 Times in 345 Posts Rep Power: 74	Re: Yahoo Messenger Virus Attack Thanku admin and evishy.
Offline

05-10-06, 05:51 PM	#24 (permalink)
rk_ramakrishnamca Member Join Date: Aug 2006 Age: 26 Posts: 92 Thanks: 1 Thanked 11 Times in 8 Posts Rep Power: 5	Re: Yahoo Messenger Virus Attack Thank u very much adminstrator.
Offline

05-10-06, 05:53 PM	#25 (permalink)
Unregistered Unregistered Posts: n/a	Re: Yahoo Messenger Virus Attack Thnaks for the Info But Still my Home page options are disabled. Please help me

05-10-06, 06:10 PM	#26 (permalink)
Admin Administrator Join Date: Mar 2006 Posts: 60 Thanks: 2 Thanked 100 Times in 9 Posts Rep Power: 10	Re: Yahoo Messenger Virus Attack To enable IE use current- use default -use blank options.. Strat>Run>Regedit Go to this pleace : [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] - Right Click on the Homepage & selecet modify. Replace the 1 with 0. Thats all. let me know if you need any more help.
Offline

05-10-06, 07:31 PM	#27 (permalink)
RisingSun Senior Member Join Date: Sep 2006 Posts: 230 Thanks: 21 Thanked 33 Times in 29 Posts Rep Power: 7	Re: Yahoo Messenger Virus Attack More about this virus : Method of propagation: • No own spreading routine Aliases: • Kaspersky: IM-Worm.Win32.Qucan.a • Eset: Win32/KillAV.NBD • Bitdefender: Win32.Worm.IM.Sohanat.A It was previously detected as: • Worm/Qucan.A Platforms / OS: • Windows 95 • Windows 98 • Windows 98 SE • Windows NT • Windows ME • Windows 2000 • Windows XP • Windows 2003 Side effects: • Disable security applications • Downloads malicious files • Registry modification Files It tries to download some files: – The location is the following: • http://64.26.25.75/******** It is saved on the local hard drive under: %WINDIR%\svhost.exe Detected as: Tr/Dldr.Qucan.A – The location is the following: • http://64.26.25.75/******** It is saved on the local hard drive under: %WINDIR%\svhost32.exe Furthermore this file gets executed after it was fully downloaded. Detected as: Worm/AutoIt.B Registry The following registry keys are added in order to run the processes after reboot: – [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] • "svchost"="%WINDIR%\svhost32.exe" – [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] • "Task Manager"="%WINDIR%\svhost32.exe" • "svchost"="%WINDIR%\svhost.exe" The following registry keys are changed: – [HKCU\Software\Yahoo\pager\View\YMSGR_buzz] Old value: • "content url"=%user defined settings% New value: • "content url"="nsl-school.org" – [HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast] Old value: • "content url"=%user defined settings% New value: • "content url"="nsl-school.org" – [HKCU\Software\Microsoft\Internet Explorer\Main] Old value: • "Start Page"=%user defined settings% New value: • "Start Page"="nsl-school.org" Process termination List of processes that are terminated: • bkav2006.exe; Anti-Trojan.exe; ANTS.exe; apvxdwin.exe; ATCON.exe; ATUPDATER.exe; ATWATCH.exe; AUPDATE.exe; AUTODOWN.exe; AUTOTRACE.exe; AUTOUPDATE.exe; Avconsol.exe; AVP.exe; AVP32.exe; avpcc.exe; avpm.exe; AVPUPD.exe; Avsynmgr.exe; AVWUPD32.exe; AVXQUAR.exe; bdmcon.exe; bdoesrv.exe; bdss.exe; CMGrdian.exe; drwebupw.exe; GUARD.exe; iamapp.exe; iamserv.exe; ICLOAD95.exe; ICLOADNT.exe; ICMON.exe; ICSSUPPNT.exe; ICSUPP95.exe; ICSUPPNT.exe; LUCOMSERVER.exe; MCAGENT.exe; mcupdate.exe; MINILOG.exe; MOOLIVE.exe; NAVAPW32.exe; NMAIN.exe; NPROTECT.exe; NSCHED32.exe; NUPGRADE.exe; regedit.exe; regedt32.exe; RuLaunch.exe; Vshwin32.exe; VsStat.exe; zatutor.exe; zonealarm.exe File details Programming language: The malware program was written in Visual Basic.
Offline

05-10-06, 11:50 PM	#28 (permalink)
Spoorthi Senior Member Join Date: Mar 2006 Posts: 4,793 Blog Entries: 2 Thanks: 9 Thanked 699 Times in 534 Posts Rep Power: 108	Re: Yahoo Messenger Virus Attack so much of info.......
Offline

06-10-06, 12:49 AM	#29 (permalink)
Unregistered Unregistered Posts: n/a	Re: Yahoo Messenger Virus Attack than u very much

06-10-06, 02:16 AM	#30 (permalink)
mhj Unregistered Posts: n/a	Re: Yahoo Messenger Virus Attack hi...!!! i tried this procedure twice/ but it still didnt work for me...!! int he internet options > general i am not able to change my hoem page. and when i run >REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f a window jsut appears adn fades away... i am sad...... in my yahoo messeger window under the available/ invisible tab.... all these sites appear.... adn suddenly even thogu i am int he invisible mode.... it changes to the visible mode and that msg is sent to all my friend list.... kindly help rgrds./ Mhj

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
HEART ATTACK PROCEDURE": (THIS IS NOT A JOKE!)	AjayKumar.Kataram	Health & Fitness	2	21-09-06 11:41 AM
Messenger Plus! 4.01 - 16th july latest release	vjsreevs	Latest Tech News & Innovations	2	19-07-06 12:04 PM
Yahoo And Msn Messegers	source	Latest Tech News & Innovations	0	14-07-06 05:04 PM
how to see yahoo messenger hidden friends	madmadman	Other Queries	2	28-06-06 08:28 PM
Yahoo messenger beta version !!!	vjsreevs	Latest Tech News & Innovations	0	28-06-06 01:20 AM

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode