new irc virus causes no boot!

Discussion in 'Windows Desktop Systems' started by moooo, Oct 26, 2003.

  1. moooo

    moooo Guest

I was a dumbass; once I woke up I went to what I thought was a good link from a friend, and it turned out to be some new virus.
All I remember about it was something like ***brittany.jpg. Be aware of it.

Now to my problem: I went to it, and then I rebooted because my stuff was acting slow. Sure enough, it appears it deleted a major file:
<windows root>\system32\ntoskrnl.exe
Is there a way for recovery to fix this, or will I have to format? I just need to save 3 files on that drive (study guide for CS test on Monday!). Any help would be great.

    -moooo-
     
  2. moooo

    moooo Guest

    new irc virus

Just giving the heads up on a new IRC virus going around.
It was something like ***brittney.jpg or close to it. It will load IE and Windows Media Player, so those are the starting symptoms of it. If you can, close out the webpage ASAP.
Hope you don't get it like I did.

    -moooo-
     
  3. TheBlueRaja

    TheBlueRaja BR to Some

    Messages:
    766
    Location:
    Fawkirk!
Try putting your Windows CD into the CD-ROM and booting from that (you may need to change your BIOS settings to boot from a CD-ROM). If it works, when your PC loads it will ask you to press a key if you want to boot from a CD; press a key ;). The setup CD will then load some stuff into memory and the setup menu appears. At this point press ENTER to set up Windows XP now and NOT 'R' for the Recovery Console. You should then get an option to repair your XP installation.

    Hope this helps.
     
  4. TheBlueRaja

    TheBlueRaja BR to Some

    Messages:
    766
    Location:
    Fawkirk!
Incidentally, check with www.symantec.com or some other virus company for information on the virus you caught - there may very well be a repair tool you can download.
     
  5. moooo

    moooo Guest

    thanks

I will try that now :) Let's hope it works :)
     
  6. Enyo

    Enyo Moderator

    Messages:
    1,338
    I have not seen anything new in the last week that does this.

    The closest thing is VBS.Ptnet.A@mm from 2001 that has the filename Britney.jpg.vbs and uses IRC to spread.

    This one sounds more like point of infection was a webpage.

    If you could provide more details that would be good.
     
  7. moooo

    moooo Guest

    back!

Just installed a new OS folder :)
Go here at your own risk (good thing I log IRC chats :p):
link removed ;)

Be aware of it though; it's where I got the virus. Once you get infected, I found out it sends to IRC channels without the user knowing. Do not go there unless you know a lot about viruses or whatever.

Mods, if you want me to take it out I will, or you could edit it; it's up to you. Maybe it will give more info on what is going on though.
     
  8. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
Firebird is not affected. It is indeed an infected file; as Firebird says, it's broken, so it tries to execute something other than a normal picture.
     
  9. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    Code used:

    Code removed
     
  10. shaunj66

    shaunj66 H.T.I.D!

    Messages:
    113
    Location:
    United Kingdom, South.
    Just one more reason to use Firebird! :cool: Or any non-Microsoft browser.
     
  11. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    Looks like another IE problem.
     
  12. Enyo

    Enyo Moderator

    Messages:
    1,338
    Re: back!

    Never post live exploits on the forum. You can PM them to the appropriate person. Never live link anything like this!

As for the exploit, it uses a WMP flaw. It replaces wmplayer.exe with a trojan, Downloader.Trojan in a similar instance; I don't know about this one, but I imagine it's the same. Downloader.Trojan (it's not one single trojan but a class of them) is a small trojan used to download a bigger one, which could be anything.

In a similar example this was used for home page hijacking and nothing more.

When I just attempted to capture the trojan, it downloaded and executed but was 1) removed by WFP, 2) a 16-bit app that crashed before complete execution.
     
  13. moooo

    moooo Guest

I won't link again. I msg'd you on IRC and another mod, plus put "beware" in the info :(
Won't do it again, sorry.
     
  14. Enyo

    Enyo Moderator

    Messages:
    1,338
Don't worry about it :) I'll speak to you on IRC in a moment.
     
  15. Bronx Bomber

    Bronx Bomber Guest

Yea, I heard about that.

Glad that I don't use IE.
     
  16. Enyo

    Enyo Moderator

    Messages:
    1,338
    Have a few more details now. Just been reading a couple more threads elsewhere.

Firstly, the link that was above has now been made safe and the account hosting the binary suspended. Secondly, the worm deletes key system files and changes the system registry.

The worm also spams the URL of the worm into IRC channels.

This one's damage is huge, and at this time it is undetected and the flaw that enables this is unpatched.

Use extreme caution while online! At this time I have disabled scripting. I have posted info in the security section about this and some toggle controls that make it easy.
     
  17. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Thread m00fed
     
  18. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,333
    Location:
    new york
Microsoft know about this yet?
     
  19. Enyo

    Enyo Moderator

    Messages:
    1,338
Well, a similar issue was patched earlier this year, so two things could have happened: 1) the patch did not work, 2) this is new, in which case MS won't know.

    Trying to see if any POC for this kind of issue has been published.

    KAV now detects this worm as "IRC-Worm.Fagot". No other vendor is listed as detecting this yet.

    This is a real mean virus. I hope it does not become widespread.

    Check this out:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;828026

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences

Note: If a value does not exist, the default data value is used.
PlayerScriptCommandsEnabled: Turns on or off URL script commands in the stand-alone player. The default value is 0 (off).
WebScriptCommandsEnabled: Turns on or off URL script commands in the embedded player. The default value is 1 (on).
URLAndExitCommandsEnabled: Turns on or off URLAndExit script commands. The default value is 1 (on).

    Turn them all off if they are on.
     
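An added example, not from the thread or from Microsoft, of checking those three Windows Media Player switches the way the KB text above describes them: a missing value counts as its default, which for two of the three means "on", so the script reports the effective state and, with -Fix, writes an explicit 0 for each. It assumes a Windows host with Windows Media Player installed; the key path, value names and defaults are the ones quoted in the post.

```powershell
# Added example (not the thread's or the KB's own code): audit and optionally
# disable the WMP URL script command switches listed in KB828026.
# Assumes Windows with Windows Media Player; runs against the current user's hive.
param([switch]$Fix)

$KeyPath = 'HKCU:\SOFTWARE\Microsoft\MediaPlayer\Preferences'

# Name -> default WMP assumes when the value is absent (from the quoted KB text).
$Defaults = @{
    'PlayerScriptCommandsEnabled' = 0
    'WebScriptCommandsEnabled'    = 1
    'URLAndExitCommandsEnabled'   = 1
}

function Get-WmpScriptCommandState {
    # Returns one object per setting with its effective (not just stored) state.
    foreach ($name in $Defaults.Keys) {
        $stored = $null
        if (Test-Path $KeyPath) {
            $stored = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        }
        # Absent value => built-in default applies, which is "on" for two of the three.
        $effective = if ($null -eq $stored) { $Defaults[$name] } else { [int]$stored }
        [pscustomobject]@{
            Name      = $name
            Stored    = $stored
            Effective = $effective
            Enabled   = ($effective -ne 0)
        }
    }
}

function Disable-WmpScriptCommands {
    # Write an explicit 0 for every switch so the "absent = on" default no longer applies.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($name in $Defaults.Keys) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value 0 -Type DWord
    }
}

$state = Get-WmpScriptCommandState
$state | Format-Table Name, Stored, Effective, Enabled -AutoSize
if ($Fix) {
    Disable-WmpScriptCommands
    Get-WmpScriptCommandState | Format-Table Name, Stored, Effective, Enabled -AutoSize
} elseif ($state | Where-Object Enabled) {
    Write-Warning 'URL script commands are still enabled; rerun with -Fix to turn them all off.'
}
```

Run it once without -Fix to see which switches are effectively on (including ones that are on only because the value is absent), then with -Fix to set all three to 0 explicitly.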
  20. Enyo

    Enyo Moderator

    Messages:
    1,338