MSN Messenger 3.6 - 4.5 Virus Information
Tuesday, 18 November 2003

MSN Messenger Hijacking - (13/02/02)
This is where you're happily wallowing in your messenger addiction and all of a sudden you're being slammed (or slamming your friends!) with a link that's similar to... "Go to http://www.domainname.com.page.html Now" (the link changes, so it is not specific to a particular site/URL) and you have no idea what it is so you click the link... well hold that click! How serious is this? Well, it certainly has the potential to be one nasty wee flaw, but in the overall big picture I wouldn't go hanging up my cables and cords just yet. It's not the flaw that will kill you, it's what you "could" get from the site you're re-directed to, so don't go clicking for the sake of clicking.

Now hands up everyone who thinks this latest security flaw is an MSN Messenger issue? Based on the emails we've been getting it would seem a lot.. many of you have emailed us for older versions of messenger, adamantly declaring you're not going to go back to versions 4.5/4.6 (if msn messenger at all) until this problem has been fixed.. and rightly so if it was messenger causing the problem. Sadly it slams most versions of messenger (going back won't cure you) and if you want to point the finger in the right direction you'll need to look at your browser, as Internet Explorer is the one that takes the blame this time... messenger is merely a vehicle it uses. Yes, it's an ActiveX issue and you can disable this (via IE from the control menu hit Tools > Internet Options > Security (tab) > Custom Levels.. you'll find your ActiveX settings at the top of the Security Settings window) but I'm not going to cover this in depth here as what your ActiveX settings are is a personal choice depending on how and what you use the net for.. if you completely disable ActiveX you'll run into a few problems so play with your settings until you find something that's workable. Back onto the hijacking...

[Microsoft Security Bulletin MS02-005 - Cumulative Patch for Internet Explorer] (released 11 February 02) brings our attention to this flaw.. I must have missed their press release to all msn messenger users warning us of this serious problem, or did they just not bother to notify anyone at all? Personally I suspect the latter, but my personal gripe aside they have released a patch [q316059] that they state fixes 6 of the most serious (MOST?? like how many more are there!) security problems as mentioned in their original article. Don't delay getting your hands on this... download and install it immediately. For further reading don't go past [Finjan.com] as they have the most compact information in their article [MSN Messenger Control Exploit (Messenger Hijack) February 10, 2002], a good read if you're looking for the ins and outs of this problem and it's geek speak free :-) Another brilliant article is [MSN Messenger Hijacking] by Tom Gilder and Thor Larholm (oh don't you just want to shower them with cups of coffee for bringing this to everyone's attention.. ty, ty, ty!) and they have an [MSN Hijacking - Demonstration] (read their article first) which will blow your socks off if you're vulnerable and/or have never seen this type of security flaw.

if you clicked... (updated 15/02/02)
[Trend Micro - JS_MENGER.GEN]
[Symantec JS.Menger.Worm]
[Virus Information Center - JS.CoolNow]
[Sophos - JS/Coolnow-A]


Point to Note...
There is a known security problem with msn messenger so don't go getting the two confused.. messenger hijacking is quite different from the one mentioned at [securityfocus.com] in their article [Microsoft MSN ActiveX Object Information Disclosure Vulnerability] so if you need to work out which is what then check out [infoworld.com] which has an article [MSN Messenger vulnerable through IE bug] that touches on both.
UPDATE 15/02/02: version 4.6.0076 is now available




Virus/Trojan/Worm info...
As you know we rely a great deal on readers' input.. this has been submitted by Bullfrognc aka ÅñЮêw™ [bullfrognc@yahoo.com]

PIC1234(1)(1).exe (and similar variations)

Removal Instructions...
Hit ctrl+alt+delete, if you see "MsgSprd" select, click end task. If it is not listed then you are NOT infected. Hit Start, select Find, hit files and folders, enter PIC1234(1)(1).exe in "Named". Click find, once located right click, select delete.
Next... after you have deleted the PIC.exe file go to Start, then Run and type in the box: Regedit and then you hit OK. Then you click on the plus signs (+) beside each of the following folders:

HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
CurrentVersion

Then you look for a folder called Run- (NOTE: Make sure Run- has a dash beside it because there are two.) Click on Run- and look in the big white part on the right for something having to do with MSN Messenger. Right click on it and delete it. Close out Regedit and then go back into Start, then Run and you type in Msconfig in the box and then you hit OK. Click on the Startup tab and look for something that is like Msn Messenger + Directory + Picfilename and UNCHECK the box that it's beside and click OK and when it asks you if you want to restart your computer say NO. Close out MsConfig and open My Computer. Open the C: drive (or main drive) and look for a folder that says something like Messenger1324 and delete it. Close out My Computer and open Recycle bin and delete Messenger1324 from there.
Links...
[Trend - TROJ_NEWPIC.A]


UPDATE: TROJ_CHOKE
On 13 August 2001 MSN released a statement [Known Issues page] about the Hello virus (no, not the exact same one as posted above.. it appears slightly different). The worm is transmitted via MSN Messenger in a file transfer/attachment... perhaps now is a good time to remind ourselves that we should be scanning everything BEFORE we open it. I can guarantee that the time it takes to scan the received files is a great deal less than the time it'll take to remove a virus/trojan :-)

Removal Instructions once again provided by Bullfrognc aka ÅñЮêw™ [bullfrognc@yahoo.com]

Press Ctrl+Alt+Delete and look for the file program Choke. Click on it and hit End Task. Next, go to start, find, files or folders, and then a box will appear. Make sure that the "look in" area says C: (or the main drive) and type Choke in the "Named" box and click Find Now. Once the file has appeared delete it and close out the Find box and open Recycle Bin and delete Choke from there. Next, go to Start and choose Run. When the box appears type in Regedit (also known as the registry) and click OK. Click on the plus sign beside the following folders:

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion

Now look for a folder called Run (NOTE: This Run, unlike the other one, does not have a dash beside it!) Click on Run and look in the big white part on the right. There should be something called Choke. Delete it. Close out Regedit and open My Computer. Open C: (or the main drive) and look for 3 files. They are Choke, Dalist and about. Delete them all. If you do not see Dalist or about this is okay. Some versions of Choke do not contain these files. Once you have deleted these 3 files close out My Computer and open Recycle Bin and delete the 3 files from there.
Links...
[McAfee.com - W32/Choke.worm]
[Symantec - W32.Choke.Worm]
[Sophos.com - W32/Choke]
[TrendMicro - TROJ_CHOKE.A]
[Virus.com - W32.CHOKE.WORM]
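
The two registry checks from the removal instructions above can also be run against a Regedit text export instead of clicking through the tree. This Python script is an added example, not part of the original page or the reader's submission; it lists string values under the two Run keys whose name or data matches the names the instructions mention. The sample export and the file paths in it are constructed.

```python
import re

# Autostart keys and name patterns from the removal steps (keys lower-cased).
WATCHED = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run-":
        re.compile(r"messenger|pic\d+(\(\d+\))*\.exe", re.I),
    r"hkey_current_user\software\microsoft\windows\currentversion\run":
        re.compile(r"choke", re.I),
}

# "name"="data" lines; backslashes and quotes inside are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (REGEDIT4 text format); all paths are made up.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-]
"MSN Messenger"="C:\\Messenger1324\\PIC1234(1)(1).exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Choke"="C:\\Choke.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

def unescape(s):
    # Undo the backslash escaping used inside .reg string values.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def suspicious_entries(text):
    """Return watched-key values whose name or data matches the page's names."""
    hits = []
    for key, name, data in parse_reg(text):
        pattern = WATCHED.get(key.lower())
        if pattern and (pattern.search(name) or pattern.search(data)):
            hits.append((key, name, data))
    return hits
```

A hit is only a pointer to an entry worth inspecting by hand; anything legitimately named after Messenger under Run- will match too.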

don't know what virus you've got?? check this out...


Last Updated ( Sunday, 20 May 2007 )
 
