AIM virus/worm

[Update 10/12/04: If you are looking for info on the Funner worm that spreads on MSN Messenger, read this article or this page from Symantec. Funner sends itself to everyone on a user's contact list and may try to download content from www.78p.com. Links via Slashdot.]

[Update 6/21/04: A number of commenters are reporting a new version of an AIM virus that closes task manager before the process can be ended. If you have this problem, commenter Tony recommends a program called Security Task Manager that can be downloaded here. This program should allow you to find the files responsible (perhaps "netstatt.exe"), stop them from running, and then delete them. Jay Loden's AIMFix is also working for some people, but that site is facing heavy server traffic and is not always available. A mirror of the fix is up at ftp://metafero.elon.edu/AIMFix.exe.

Jay has also provided these manual removal instructions:
1) For manual removal of the virus files, you will need to first end the processes [Note: not all files will exist on all computers]:
“YahooMsngr.exe”, “NETSTATT.exe”, “YahooMsgr.exe”, “wintcp.exe”, “lansrv.exe”, “idctup20.exe”, “fpjlfrllddpnsi.exe”, “svcl.exe”, “exhhulashk.exe”, “OSNERAOUSGZDPV.exe”, “winampa.exe”, “Data”, “Debug”, “Slideshow.exe”, “Payload.exe”, “MSCVT.exe”, “service.exe”, “zzqh.exe”, “zzb.exe”, “snd332.exe”, “aim1.exe”, “lsas.exe”, “taskmanage.exe”, “winxp.exe”, “download_me.exe”, “windowsupdater.exe”, “wuaumqr.exe”, “winupdat.exe”, “blengine.exe”, “ChannelUp.exe”, “hpztsb05.exe”, “av.exe”, “b.exe”, “bbb.exe”, “wucaumqr.exe”, “winampa”, “xlroue.exe”, “A0L.exe”, “iexpl0re.exe”, “svehost.exe”, “bvjlxjs.exe”, “gxmryzf.exe”, or “aocyvou.exe” (there are more, but I didn’t have them all available at the time of posting) using DS Software’s Taskill utility available from

http://members.ozemail.com.au/~nulifetv/freezip/freeware/taskill.exe

and open it to see a list of running programs. Choose the process and select “Kill”.

2) Now you will need to search through the hard drive for the files “YahooMsngr.exe”, “NETSTATT.exe”, “YahooMsgr.exe”, “wintcp.exe”, “lansrv.exe”, “idctup20.exe”, “fpjlfrllddpnsi.exe”, “svcl.exe”, “exhhulashk.exe”, “OSNERAOUSGZDPV.exe”, “winampa.exe”, “Data”, “Debug”, “Slideshow.exe”, “Payload.exe”, “MSCVT.exe”, “service.exe”, “zzqh.exe”, “zzb.exe”, “snd332.exe”, “aim1.exe”, “lsas.exe”, “taskmanage.exe”, “winxp.exe”, “download_me.exe”, “windowsupdater.exe”, “wuaumqr.exe”, “winupdat.exe”, “blengine.exe”, “ChannelUp.exe”, “hpztsb05.exe”, “av.exe”, “b.exe”, “bbb.exe”, “wucaumqr.exe”, “winampa”, “xlroue.exe”, “A0L.exe”, “iexpl0re.exe”, “svehost.exe”, “bvjlxjs.exe”, “gxmryzf.exe”, or “aocyvou.exe”. These files would be hidden, and will require you to enable viewing of hidden files and folders.

To do this, click on the Tools menu in Explorer, then click Folder Options, and go to the View tab. (if you are on 98 this will be in the View menu) Now check the box next to “show hidden files and folders” and uncheck the “Hide protected operating system files” box. Now choose “apply to all folders” and click apply.

The files are usually located in “C:”, “C:\Windows”, “C:\Winnt”, “C:\Windows\System”, “C:\Winnt\System”, “C:\Windows\System32”, “C:\Winnt\System32”, “C:\Program Files\PSD Tools”, “C:\Program Files\PSDTools” or “C:\Documents and Settings\yourusername\Application Data”, though it varies from computer to computer.

3) Delete any of the files if they exist.

4) Please don’t forget to take the link out of your profile]
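
The file search in steps 2 and 3 above, as an added example (not part of Jay Loden's instructions or his AIMFix tool): it checks the directories named in step 2 for a subset of the file names from step 1 and only reports matches. The function name `find_listed_files` and the choice of Python are assumptions of this example.

```python
import os

# Subset of the file names from step 1 above; the page's full list is longer.
LISTED_NAMES = {
    "netstatt.exe", "yahoomsngr.exe", "wintcp.exe", "lansrv.exe",
    "b.exe", "bbb.exe", "av.exe", "blengine.exe", "channelup.exe",
    "a0l.exe", "iexpl0re.exe", "svehost.exe", "lsas.exe",
}

# Directories named in step 2 above ("yourusername" is the page's placeholder).
LISTED_DIRS = [
    "C:\\", r"C:\Windows", r"C:\Winnt",
    r"C:\Windows\System", r"C:\Winnt\System",
    r"C:\Windows\System32", r"C:\Winnt\System32",
    r"C:\Program Files\PSD Tools", r"C:\Program Files\PSDTools",
    r"C:\Documents and Settings\yourusername\Application Data",
]


def find_listed_files(directories, names=LISTED_NAMES):
    """Return the sorted paths of regular files whose name is on the list.

    Names are compared case-insensitively, as Windows does. Only the given
    directories are checked (no recursion), and directories that do not
    exist or cannot be read are skipped.
    """
    wanted = {name.lower() for name in names}
    hits = []
    for directory in directories:
        try:
            with os.scandir(directory) as entries:
                for entry in entries:
                    # Folders that merely share a listed name are ignored.
                    if (entry.name.lower() in wanted
                            and entry.is_file(follow_symlinks=False)):
                        hits.append(entry.path)
        except OSError:
            continue  # the directory is missing or unreadable on this machine
    return sorted(hits)


if __name__ == "__main__":
    # Report only: confirm each hit by hand before deleting it (step 3).
    for path in find_listed_files(LISTED_DIRS):
        print("found:", path)
```

`os.scandir` returns hidden files without any change to Explorer's folder options, so the listing does not depend on the "show hidden files" setting.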

[Update 2/11/04: From a comment posted today: "I got the osama version yesterday, and I removed it without a problem... First of all, the processes run by this version are called "blengine" and "ChannelUp", so those are the ones to kill if you get this... Removing this virus is pretty much the same procedure that has been posted [below]."]

[Update 2/10/04: Traffic to this website doubled today, which can only mean one thing: there's a new AIM virus going around. This one has a link reading "check this out: http://www.wgutv.com/osama_capture.php?JVFD". I know nothing about this one, but once again J Loden has a fix for it on his site. I haven't tried it out since I don't have the virus, but you can do so here.]

[Update 1/13/04: J Loden is working on a fix for the new virus that puts "an0th3r pr0fil3 0wN3d By b1Ld0" into your profile. Go to his page here for removal instructions and, soon, an automated fix.]

[Update 12/21/03: Comment 35 links to a site with several AIM virus removal tools and it looks legit. So if you don't want to proceed with manual removal, check out Jay Loden's page.]

[Update 12/04/03: There is a new version of this spreading through a link reading something like "I can't believe I found %n's picture here hahaha." The new file name is probably av.exe or a.exe. Just follow the original directions for removing b.exe below or click here for more info.]

I don’t know if this is best classified as a virus or a worm, but whatever it is is spreading via Instant Messenger. The link was in my profile for a while, so my apologies if you got it from me. The link reads “Whoaaa….look at what I found, click here”. Don’t do that! It takes you to a page called talkstocks.net and immediately installs software you don’t want.

But if you did click the link, here are some things you can do to fix the problem. Now I’m no computer expert, so I’m not going to vouch for any of these methods. The one I tried worked for me, though.

I followed the directions in Reply 9 on this page. First, edit your AIM profile to delete the link. Then hit ctrl-alt-delete and end the task “b.exe” (may also be “bbb.exe”). Finally, find the same file on your computer (probably in a windows folder) and delete that. Reply 9 lists an additional step to take the file off of the list of start-up tasks, but on my computer that had apparently taken care of itself after I deleted the file. [Additional 11/20/03: some users may need to click "processes" after hitting ctrl-alt-delete.]

From what I can tell, this solves the problem of having the link reappearing on your AIM profile every time you sign on. However, there are many other files installed as well, including spyware. This page lists the files and directions for deleting them. I haven’t tried the directions yet. I’m going to wait and see if any easier fixes get developed in the next few days, and if they haven’t I’ll try them then.

Again, I’m not a computer expert and can’t vouch for these methods, but hopefully the information above will be helpful if you have this problem.

Comments

  1. Quicksilver says:

    I have this fucking virus that puts up an away when I’m not typing for like 5 mins and it says “LOL LOOK http://home.comcast.net/~Ddaannaaee/pictures.pif”

    HOW DO I GET RID OF THIS ANNOYING THING!!!!

    ALSO WHEN YOU’RE NOT ON AIM AND IT’S EXITED IT WILL POP UP AND SAY THIS LINK THAT YOU HAVE CLICKED MEANS YOU HAVE TO BE SIGNED ON OR SOME BULLSHIT LIKE THAT HOW DO I GET RID OF IT!

  2. jennd says:

    I just got a virus from AIM that said loool fat rocks and it had a link to go to and now every time I’m online it IMs everyone on my buddy list with that same thing

  4. dan says:

    I have the same virus as post 251, someone help.

  5. Alicia says:

    I was online today, and was tricked into clicking on a link from my friend’s IM (AIM and AOL) supposedly displaying pictures. Now my AIM keeps creating an away message that says: LOL LOOK http://paramiliar.com/pictures.php?funny !!!
    How do I get rid of this?
    Please email me!

  6. Candace says:

    I have this same virus. Please if anyone knows how to get rid of it please let me know. It is driving me insane. I’m in college and I can’t go a day without my computer. I have to use it for all my classes. Please someone help.

  7. mike says:

    Hey can someone please help me I get the AIM virus that I get from opening one of those gay hey look..! messages and it now sent the message to all of my buddies like a million times and then changed my password can someone please help me... if so send me an email at Qball27@comcast.net

  8. Shannon says:

    I clicked on a link that said “how do i look?” with a URL that looked like snapfish or any one of those pic sites, from a friend. It automatically sent it to all my buddies and Norton identified it as a Hacking file, but couldn’t delete it – neither could spybot or adaware. My Setup window automatically popped up and something about mIPS…or something along those lines. Anyway I shut off my comp before anything else happened. Any idea?

  9. Kara says:

    I just got the same bug, the one with the picture file trick, I don’t know what to do with it. I’ve tried everything… some fishy things are happening with my computer but the worst of it is AIM won’t open. I hope that I can figure something out soon.

  10. nicole says:

    Well I seem to have some sort of AIM virus also. I don’t see anything related to it on here. So if ANY ONE knows anything about a “check this out” buddypic virus PLEASE help me out. If I’m online or signed on my screen name for a while then it starts to send it to people on my buddy list. Someone please help me.

    kraziikolexo@hotmail.com is my email if someone can help

  11. adam says:

    This girl was telling me about her AIM “signing off” even though it appears that she was still signed on and it appeared to me that she was still signed on but she could not receive any IMs that were sent to her and this would happen every 2-5 minutes… it would sign off and sign back on and in 2 more minutes it would happen… and about a month ago and I tried re-installing and different versions but it didn’t work… HELP PLZ
