new irc virus causes no boot!

moooo

Guest
I was a dumbass once i woke up and went to what i thought was a good link from a friend, well it turned out to be some new virus
all i remember about it was something like ***brittany.jpg be aware of it

now to my problem, i went to it, and now i rebooted because my stuff was acting slow. sure enough it deleted a major file it appears.
<windows root>\system32\ntoskrnl.exe
is there a way for recovery to fix this or will i have to format.. i just need to save 3 files on that drive (study guide for cs test on monday!) any help would be great.

-moooo-
 
new irc virus

just giving the heads up on a new irc virus going around
it was something like ***brittney.jpg or close to it. it will load ie, and windows media player so that is the starting symptoms of it. if you can, close out the webpage asap.
hope you don't get it like i did.

-moooo-
 
Try putting your Windows CD into the CD-ROM, and booting from that (You may need to change your BIOS settings to boot from a CD-ROM). If it works, when your PC loads it will ask you to press a key if you want to boot from a CD, press a key ;). The setup CD will then load some stuff into memory and the setup menu appears. At this point press ENTER to setup windows XP now and NOT 'R' for the recovery console. You should then get an option to repair your XP installation.

Hope this helps.
 
Incidentally, check with www.symantec.com or some other virus company for information on the virus you caught - there may very well be a repair tool you can download.
 
I have not seen anything new in the last week that does this.

The closest thing is VBS.Ptnet.A@mm from 2001 that has the filename Britney.jpg.vbs and uses IRC to spread.

This one sounds more like point of infection was a webpage.

If you could provide more details that would be good.
 
back!

just installed a new os folder :)
go here at your own risk (good thing i log irc chats :p)
link removed ;)

be aware of it though it's where i got the virus.. once you get infected i found out it sends to irc channels without the user knowing.. do not go there unless you know a lot of virus or what ever..


mods if you want me to take it out i will or if you could edit its up to you.. maybe it will give more info on what is going on though
 
FireBird is not affected. it is indeed an infected file, as firebird says it's broken, so it tries to execute something other than normal picture.
 
Originally posted by X-Istence
FireBird is not affected. it is indeed an infected file, as firebird says it's broken, so it tries to execute something other than normal picture.

Just one more reason to use Firebird! :cool: Or any non-Microsoft browser.
 
Re: back!

Originally posted by moooo
just installed a new os folder :)
go here at your own risk (good thing i log irc chats :p)
link removed ;)

be aware of it though it's where i got the virus.. once you get infected i found out it sends to irc channels without the user knowing.. do not go there unless you know a lot of virus or what ever..


mods if you want me to take it out i will or if you could edit its up to you.. maybe it will give more info on what is going on though

Never post live exploits on the forum. You can PM them to the appropriate person. Never live link anything like this!

As for the exploit it uses a WMP flaw. It replaces wmplayer.exe with a trojan, downloader.trojan in a similar instance, don't know about this one but i imagine it's the same. Downloader.trojan (it's not one single trojan but a class of them) is a small trojan used to download a bigger one which could be anything.

In a similar example this was used for home page hijacking and nothing more.

When i just attempted to capture the trojan it downloaded, executed but was 1) Removed by WFP 2) A 16-bit app that crashed before complete execution.
 
i won't link again, i msg'd you on irc and another mod, + put beware in the info :(
won't do it again, sorry
 
Don't worry about it :) I'll speak to you on IRC in a moment.
 
Have a few more details now. Just been reading a couple more threads elsewhere.

Firstly the link that was above has now been made safe and the account hosting the binary suspended. Secondly the worm deletes key system files and changes the system registry.

The worm also spams the URL of the worm into IRC channels.

This one's damage is huge and at this time is undetected and the flaw that enables this is unpatched.

Use extreme caution while online! At this time i have disabled scripting. I have posted info in the security section about this and some toggle controls that make it easy.
 
Well a similar issue was patched earlier this year so two things could have happened 1) The patch did not work 2) This is new in which case MS won't know.

Trying to see if any POC for this kind of issue has been published.

KAV now detects this worm as "IRC-Worm.Fagot". No other vendor is listed as detecting this yet.

This is a real mean virus. I hope it does not become widespread.

Check this out:

http://support.microsoft.com/default.aspx?scid=kb;en-us;828026

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MediaPlayer\Preferences

Note If a value does not exist, the default data value is used.
PlayerScriptCommandsEnabled: Turns on or off URL script commands in the stand-alone player. The default value is 0 (off).
WebScriptCommandsEnabled: Turns on or off URL script commands in the embedded player. The default value is 1 (on).
URLAndExitCommandsEnabled: Turns on or off URLAndExit script commands. The default value is 1 (on).

Turn them all off if they are on.
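
As an added example (not part of the original thread or the Microsoft article): PowerShell that reports the effective state of the three values named in the post above, treating a missing value as the default the post quotes, and then sets any that are on to 0. The REG_DWORD value type and PowerShell 3.0 or later are assumptions; the post states neither.

```powershell
# Added example. Key and value names come from the post above;
# the defaults are the ones it quotes (0 = off, 1 = on).
$key = 'HKCU:\SOFTWARE\Microsoft\MediaPlayer\Preferences'
$defaults = [ordered]@{
    PlayerScriptCommandsEnabled = 0
    WebScriptCommandsEnabled    = 1
    URLAndExitCommandsEnabled   = 1
}

function Get-EffectiveValue {
    param([string]$Path, [string]$Name, [int]$Default)
    # A missing key or value means the player falls back to the default,
    # so "not present" is NOT the same as "off" for two of the three values.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Name = $Name; Value = $Default; Source = 'default' }
    }
    [pscustomobject]@{ Name = $Name; Value = [int]$item.$Name; Source = 'registry' }
}

function Get-ScriptCommandReport {
    foreach ($name in $defaults.Keys) {
        Get-EffectiveValue -Path $key -Name $name -Default $defaults[$name]
    }
}

# 1. Report the effective state before changing anything.
$before = @(Get-ScriptCommandReport)
$before | Format-Table -AutoSize

# 2. Write an explicit 0 for every value that is effectively on.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
foreach ($entry in $before | Where-Object { $_.Value -ne 0 }) {
    # REG_DWORD is an assumption (see lead-in); -Force overwrites an existing value.
    New-ItemProperty -Path $key -Name $entry.Name -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

# 3. Re-read to confirm all three are now off.
$after = @(Get-ScriptCommandReport)
$after | Format-Table -AutoSize
if ($after | Where-Object { $_.Value -ne 0 }) {
    Write-Warning 'At least one script-command setting is still enabled.'
}
```

The key is under HKEY_CURRENT_USER, so this has to be run once per user account on the machine.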