new irc virus causes no boot!

moooo

Guest
#1
I was a dumbass once I woke up and went to what I thought was a good link from a friend, well it turned out to be some new virus.
All I remember about it was something like ***brittany.jpg, be aware of it.

Now to my problem: I went to it, and now I rebooted because my stuff was acting slow. Sure enough it deleted a major file, it appears.
<windows root>\system32\ntoskrnl.exe
Is there a way for recovery to fix this or will I have to format? I just need to save 3 files on that drive (study guide for CS test on Monday!). Any help would be great.

-moooo-
 
moooo

Guest
#2
new irc virus

Just giving the heads up on a new IRC virus going around.
It was something like ***brittney.jpg or close to it. It will load IE and Windows Media Player, so those are the starting symptoms of it. If you can, close out the webpage ASAP.
Hope you don't get it like I did.

-moooo-
 
#3
Try putting your Windows CD into the CD-ROM drive and booting from that (you may need to change your BIOS settings to boot from a CD-ROM). If it works, when your PC loads it will ask you to press a key if you want to boot from a CD, press a key ;). The setup CD will then load some stuff into memory and the setup menu appears. At this point press ENTER to set up Windows XP now and NOT 'R' for the recovery console. You should then get an option to repair your XP installation.

Hope this helps.
 
#6
I have not seen anything new in the last week that does this.

The closest thing is VBS.Ptnet.A@mm from 2001 that has the filename Britney.jpg.vbs and uses IRC to spread.

This one sounds more like point of infection was a webpage.

If you could provide more details that would be good.
 
moooo

Guest
#7
back!

just installed a new os folder :)
go here at your own risk (good thing i log irc chats :p)
link removed ;)

be aware of it though, it's where I got the virus.. once you get infected I found out it sends to IRC channels without the user knowing.. do not go there unless you know a lot about viruses or whatever..


mods, if you want me to take it out I will, or if you could edit, it's up to you.. maybe it will give more info on what is going on though
 

X-Istence

*
Political User
#8
FireBird is not affected. It is indeed an infected file, as Firebird says it's broken, so it tries to execute something other than a normal picture.
 
#10
Originally posted by X-Istence
FireBird is not affected. It is indeed an infected file, as Firebird says it's broken, so it tries to execute something other than a normal picture.
Just one more reason to use Firebird! :cool: Or any non-Microsoft browser.
 
#12
Re: back!

Originally posted by moooo
just installed a new os folder :)
go here at your own risk (good thing i log irc chats :p)
link removed ;)

be aware of it though, it's where I got the virus.. once you get infected I found out it sends to IRC channels without the user knowing.. do not go there unless you know a lot about viruses or whatever..


mods, if you want me to take it out I will, or if you could edit, it's up to you.. maybe it will give more info on what is going on though
Never post live exploits on the forum. You can PM them to the appropriate person. Never live link anything like this!

As for the exploit, it uses a WMP flaw. It replaces wmplayer.exe with a trojan, downloader.trojan in a similar instance, don't know about this one but I imagine it's the same. Downloader.trojan (it's not one single trojan but a class of them) is a small trojan used to download a bigger one which could be anything.

In a similar example this was used for home page hijacking and nothing more.

When I just attempted to capture the trojan it downloaded, executed but was 1) Removed by WFP 2) A 16-bit app that crashed before complete execution.
 
moooo

Guest
#13
i won't link again, i msg'd you on irc and another mod, + put beware in the info :(
won't do it again, sorry
 
#16
Have a few more details now. Just been reading a couple more threads elsewhere.

Firstly, the link that was above has now been made safe and the account hosting the binary suspended. Secondly, the worm deletes key system files and changes the system registry.

The worm also spams the URL of the worm into IRC channels.

This one's damage is huge and at this time it is undetected and the flaw that enables this is unpatched.

Use extreme caution while online! At this time I have disabled scripting. I have posted info in the security section about this and some toggle controls that make it easy.
 
#19
Well, a similar issue was patched earlier this year so two things could have happened: 1) The patch did not work 2) This is new, in which case MS won't know.

Trying to see if any POC for this kind of issue has been published.

KAV now detects this worm as "IRC-Worm.Fagot". No other vendor is listed as detecting this yet.

This is a real mean virus. I hope it does not become widespread.

Check this out:

http://support.microsoft.com/default.aspx?scid=kb;en-us;828026

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences

Note If a value does not exist, the default data value is used.
PlayerScriptCommandsEnabled: Turns on or off URL script commands in the stand-alone player. The default value is 0 (off).
WebScriptCommandsEnabled: Turns on or off URL script commands in the embedded player. The default value is 1 (on).
URLAndExitCommandsEnabled: Turns on or off URLAndExit script commands. The default value is 1 (on).

Turn them all off if they are on.
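
Added example, not part of the original thread or of the Microsoft article: a PowerShell audit of the three values quoted above that applies the quoted defaults when a value is absent, so a missing `WebScriptCommandsEnabled` is reported as on. The `-Fix` switch and the REG_DWORD value type are assumptions of this example, and because the key is under HKEY_CURRENT_USER it has to be run once per user account.

```powershell
# Audit (and with -Fix, disable) the WMP script-command settings quoted above.
param([switch]$Fix)   # -Fix is this example's own switch (assumption)

$key = 'HKCU:\SOFTWARE\Microsoft\MediaPlayer\Preferences'

# Defaults as quoted in the post; they apply when the value does not exist.
$defaults = [ordered]@{
    PlayerScriptCommandsEnabled = 0
    WebScriptCommandsEnabled    = 1
    URLAndExitCommandsEnabled   = 1
}

$report = foreach ($name in $defaults.Keys) {
    $prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $present = $null -ne $prop
    # A missing value is not "off": fall back to the documented default.
    $effective = if ($present) { [int]$prop.$name } else { $defaults[$name] }
    [pscustomobject]@{
        Value     = $name
        Present   = $present
        Effective = $effective
        Enabled   = ($effective -ne 0)
    }
}
$report | Format-Table -AutoSize

$enabled = @($report | Where-Object { $_.Enabled })
if ($enabled.Count -eq 0) {
    Write-Output 'All three script-command settings are off.'
    return
}
if (-not $Fix) {
    Write-Output "$($enabled.Count) setting(s) still on; rerun with -Fix to turn them off."
    return
}

# Create the key if this profile has never started Media Player.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
foreach ($item in $enabled) {
    # Assumption: values are REG_DWORD; the quoted text does not state the type.
    Set-ItemProperty -Path $key -Name $item.Value -Value 0 -Type DWord
    Write-Output "Set $($item.Value) to 0 (off)."
}
```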
 
