Hi lads,

Today there is some real nasty fella spreading through MSN and Yahoo messengers. It is acting really fast, within 30 minutes i found everyone on my contact list infected. Fella is smart... it provides a code generated text along "hey, check this out" or "could you help me with this photo, maybe you can make it look better" or... "ricky martin gay fotos", and it's always followed by link to http://www.asdastory(dot)ws/uploadfiles/user0193/DVR-IMAGEN005.jpg.zip and information that you need to open it in Photoshop.


well, anyway it's foolin ppl around easily, including me (however I did'n fell for Ricky Martin thing ;) ), and it's acting fast, almost instantly resending itself to everyone from contact list, but what's worst it's disabling all security and security-related tools, - my PC Cillin and Spybot S&D went down instantly, and now I can't even open Sysinternals Process Explorer or HijackThis.
It's also hidng itself well from Windows Task Manager.

I don't know it it is related, but with netstat I was able to track process named - avirarkm.exe - which is connecting to 208.77.45.92:8764

well.... that's all i know now, running kaspersky online scanner at the moment and I'll keep ya updated.

cheers.

Kaspersky detected mentioned .exe as Backdoor.Win32.Delf.oax and looks like it dealt with it. However I still can't start antivirus software on PC

update: regedit is't starting, how fun...


update2: kaspersky didn't solve problem, program is still using messengers to resend itself,
looks like Backdoor.Win32.Delf.oax was just part of infection.

Hello beatwerk,

If you need help in removing an infection please follow the instructions in this link to produce a HJT log: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where an analyst will advise you as soon as available.

Best regards.

toshi - sorry if I messed up and went against forum rules, but just wanted to inform ppl ASAP. Anyway, as you can see this fella is blocking HJT and all other anti-virus software from start, so can't even prepare logs that you asked.



UPDATE: I was able to access anti-virus tools after I rebooted and logged on as Guest and then launched Spybot S&R by "run as" and selected account with administrator rights.

Now really need to go sleep as gotta get up to work in hours - will continue fighting this fella tomorrow, but according to instrunctions from toshi - in separate thread.

Hi there,

Anyway, as you can see this fella is blocking HJT and all other anti-virus software from start, so can't even prepare logs that you asked.


If you post in the malware forum and say you cannot run HJT, an analyst can give instructions that may help. ;)

Please provide a link back to this thread.

Cheers.