AIM Virus
BEWARE! There's a new virus that nailed me... And now I'm AIMless for a time...
If you get a message from anyone that says "How do they do this (www.warboards.org)?" DON'T CLICK IT!
I've had a nasty run-in, due to my parents using my system, since theirs was "Strange acting," so when I was at work, I got a copy of it... Great... That's what I get for not passwording my system...
But yea, I need help on removal, please... I've googled a bit, and found the source, but I'm not sure if I'm clean... Can someone google (while I'm at work) and see if it'll affect Trillian at all? If not, I might be switching back for a time, until this virus passes over...
Thanks ahead of time!
~Larry "Geno" Meyers
- BI's RP forum Aide
P.S. My apologies to anyone on my friends list that got a copy of the message... Didn't mean to... >.<
Modred
07-14-2005, 3:03 PM
I found http://forums.techguy.org/t377433.html in regard to removal. I don't know how trustworthy his advice is, but you can cross-reference his HijackThis advice with someone here.
I cannot find any instances of someone reporting being infected through Trillian; however, if it involves clicking a link, I don't see how Trillian could prevent it unless you change some settings to where you must copy/paste links rather than click them.
Markpyro
07-14-2005, 4:35 PM
Damn, Geno! You (err... the bot) sent that to me, and I clicked it!
Though, it might still work with Trillian...
Well, for one, I would uninstall AIM completely, up to and including straight deleting the program files folder after you uninstall it.
Then I would download a new version, see if it's clean then.
These AIM viruses are so retarded :/ But from what I saw in his Hijack log there didn't seem to be anything active -- it may have just infected your current AIM. I would also update whatever AV software you have and run a scan specifically on AIM/around it, or to be safe a full system scan.
-Neo
EDIT: Does anyone know if these links specifically exploit something within AIM, or does it exploit something within IE?
EDIT2: After searching through my IMs from Geno, I received that too -- it's an IE exploit that tries to force a download/open. Simple answer to this? Don't use IE for ANY LINKS FROM AIM AT ALL.
SEARCH FOR AND DELETE THIS FILE: 1373395951.jpg.exe
bluemicrobyte
07-15-2005, 3:54 AM
Ah, good times :)
I troubleshooted this exact virus for a friend. I have details and a solution.
McAfee details:
http://vil.nai.com/vil/content/v_133397.htm
also http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=133397
My Removal Page:
http://home.earthlink.net/~bluemicrobyte/aimvirusremoval
also http://www.aimvirus.tk
Author's Site (that my site summarizes):
http://jayloden.com/VirusClean.htm
I would also advise you take Neo's advice and uninstall AIM and get Firefox.
These AIM viruses are so retarded :/ But from what I saw in his Hijack log there didn't seem to be anything active -- it may have just infected your current AIM. I would also update whatever AV software you have and run a scan specifically on AIM/around it, or to be safe a full system scan.
-Neo
EDIT: Does anyone know if these links specifically exploit something within AIM, or does it exploit something within IE?
I believe it infects one of the vital Windows files, something like explorer.exe or something important. The virus connects to an IRC server and awaits instructions. The virus can then send a link to everyone on your buddy list, or sit dormant pretending to not exist until it wants to do something else.
For now, I'll be using Trillian. I'll be sure to fix it before I get my new computer parts put in on Sunday (YES!), and then I'll be good. Until then, though, expect my Trillian to do work for me, and expect few direct connections... 'Cause it doesn't ever work for me XD
~Larry "Geno" Meyers
- BI's RP forum Aide
bluemicrobyte
07-15-2005, 4:38 AM
Alright, I'd still recommend scanning your system with various anti-spyware tools. Neo's got a good thread on that which is stickied. I'd also run the AIM virus removal tool I linked to just to be safe.
If you open the link with IE it forces you to download this file -- but with Firefox it doesn't.
That was my only point, like: IE is evil, stop using it.
-Neo
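The file named earlier in the thread, 1373395951.jpg.exe, puts an executable extension behind an image one, and Windows Explorer hides known extensions by default, so it displays as a .jpg. As an added example (not from the thread or from any tool linked in it), this Python script flags such double-extension names under a directory, generalizing beyond that one file; the extension lists and the sample file names in demo() are constructed assumptions.

```python
import os
import tempfile

# Assumed lists: extensions Windows runs directly, and harmless-looking decoys.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".pdf", ".mp3"}


def is_masquerading(filename):
    """True if the name ends in an executable extension preceded by a decoy one."""
    stem, last = os.path.splitext(filename.strip().lower())
    if last not in EXECUTABLE:
        return False
    # Spaces padded between the two extensions push the real one out of view
    # in narrow dialogs, so strip them before reading the decoy extension.
    _, decoy = os.path.splitext(stem.rstrip())
    return decoy in DECOY


def find_masquerading(root):
    """Walk root and return sorted paths of files with a decoy+executable name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_masquerading(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Build a throwaway directory of constructed sample names and scan it."""
    samples = [
        "1373395951.jpg.exe",   # the name reported in the thread
        "PHOTO.GIF.SCR",        # constructed: upper-case variant
        "notes.txt    .exe",    # constructed: space-padded variant
        "holiday.jpg",          # constructed: genuine image name
        "setup.exe",            # constructed: honest executable name
    ]
    with tempfile.TemporaryDirectory() as root:
        for name in samples:
            with open(os.path.join(root, name), "wb"):
                pass  # empty placeholder files; only the names matter
        return [os.path.basename(p) for p in find_masquerading(root)]


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

A hit is a reason to scan the file with up-to-date AV and check where it came from, not proof of infection on its own.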