I’ve always tried to raise awareness among users so that everyone watches out for those fake MSN messages sent by friends in your contact list. At first it was PICS FOR MSN FRIENDS, then came VERIFY WHO BLOCKED YOU ON THEIR MSN CONTACT LIST. Those fake messages are sent by an automated system created by the phishers who got hold of your MSN login and password. It is unclear what the phishers will do with your MSN accounts, but they seem to be harvesting a lot of them.
Recently I’ve been getting a new type of fake MSN message sent by a friend from my contact list. As usual, they will be offline when you get the message, and if they are online, most probably they sent it earlier as an offline message to you. The message contains only one sentence, “hi. this is your photo?”, followed by a smiley and five randomly generated letters. On the next line there is a URL link that changes all the time.

Previously, clicking the link would present you with a page asking for your MSN login information, but this time it automatically prompts you to download a file, “Picture_2525.exe”, 1.8MB in size, which IS a virus.
If you accidentally run the file, you should see a small window that says “bedava Film indir. Hemen TIKLA 7”, which I have no idea about since Google Translate does not support Azerbaijani. Clicking on that window opens an advertising page in your default browser.

I analyzed the Picture_2525.exe file by running it on my test computer and found that it drops a few files into your System32 folder and installs a service so the file starts automatically when Windows boots up. It also changes your Internet Explorer start page to point to www.googlesayfa.com/en, which looks very similar to the official Google Search page except that it has a Google AdSense advertisement at the bottom and a sentence that says “this website unofficial Google Search Fan website”. Other than that, it also creates a connection to a US IP, 67.228.41.155, on port 6772.
I uploaded Picture_2525.exe to VirusTotal and 33 out of 41 antivirus engines detected the file as a threat. Fortunately this virus is not hard to clean because it is not “persistent”. I could create a batch file to clean it automatically, but you can just run the commands below to get rid of it.
1. Open Windows Task Manager (press Ctrl+Shift+Esc simultaneously), go to the Processes tab, right-click each of the processes below and select End Process:
svlost.exe
svlostSrv.exe
tasman.exe
2. Then press Win+R simultaneously to bring up the Run window and type the following command:
sc delete svlostServices
3. Delete the files listed below from the Windows\System32 folder.
libeay32.dll
ssleay32.dll
svlost.exe
svlosta.dll
svlostb.dll
svlostSrv.exe
tasman.exe
4. Again press Win+R simultaneously to bring up the Run window and type the two commands below, one at a time: type the first, press Enter, then continue with the second.
reg delete "hkcu\software\microsoft\internet explorer\main" /v default_page_url /f
reg delete "hkcu\software\microsoft\internet explorer\main" /v "Start Page" /f
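As an added example (not a script from the original post), the batch file below performs the four removal steps above in order, after first checking for the indicators described earlier in the post (the svlostServices service, the dropped files in System32, and the connection to 67.228.41.155:6772). The process, service, file and registry names come from the post; the administrator check, the use of taskkill and the /F and /Q flags are my own additions. Run it from an elevated command prompt.

```batch
@echo off
REM Added example, not part of the original post: automates the manual cleanup
REM steps for the "this is your photo?" MSN virus (Picture_2525.exe).
setlocal
set "SYS=%SystemRoot%\System32"

REM Stopping a service and deleting from System32 requires administrator rights.
net session >nul 2>&1 || (
    echo [!] Please run this script from an elevated (Administrator) command prompt.
    exit /b 1
)

echo [*] Checking indicators described in the post before cleaning...
sc query svlostServices >nul 2>&1 && echo [!] Service svlostServices is installed
for %%F in (svlost.exe svlostSrv.exe tasman.exe svlosta.dll svlostb.dll) do (
    if exist "%SYS%\%%F" echo [!] Dropped file present: %SYS%\%%F
)
netstat -ano | findstr /C:"67.228.41.155" && echo [!] Active connection to 67.228.41.155 found

echo [*] Step 1: ending the malware processes
for %%P in (svlost.exe svlostSrv.exe tasman.exe) do taskkill /F /IM %%P >nul 2>&1

echo [*] Step 2: stopping and deleting the auto-start service
sc stop svlostServices >nul 2>&1
sc delete svlostServices

echo [*] Step 3: deleting the dropped files from System32
for %%F in (svlost.exe svlostSrv.exe tasman.exe svlosta.dll svlostb.dll) do (
    if exist "%SYS%\%%F" del /F /Q "%SYS%\%%F" && echo     removed %%F
)
REM libeay32.dll and ssleay32.dll are generic OpenSSL library names. The post lists
REM them as dropped by this sample, but legitimate software can ship copies too,
REM so check the file timestamps match the infection before removing them.
for %%F in (libeay32.dll ssleay32.dll) do (
    if exist "%SYS%\%%F" del /F /Q "%SYS%\%%F" && echo     removed %%F
)

echo [*] Step 4: restoring the Internet Explorer start page settings
reg delete "hkcu\software\microsoft\internet explorer\main" /v default_page_url /f
reg delete "hkcu\software\microsoft\internet explorer\main" /v "Start Page" /f

echo [*] Done. Remember to change your MSN password afterwards.
endlocal
```

The indicator check at the top is worth keeping even if you clean by hand: if none of the service, files or connection are present, the machine was most likely not infected by this sample and the deletions are unnecessary.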
The virus has now been completely removed from your computer. However, I’d still advise you to change your MSN password just to be on the safe side. I did a reverse IP lookup using my DomainTools account on the domain I received in the MSN message, and it showed that 52 more domains are hosted on the same server.

You should avoid visiting all the websites below.
Ahvalimsn.info Ankemsn.info Arabiamarabia.info Arabimsnks.info Asmsnas.info Azrrufi.info Baemsn.info Burdamsns.info Demlikciheymsn.info Denimenter.info Dubaimsn.info Ehlenselamam.info Elmsnulblock.info Gerwhymsn.info Habibimwhos.info Habibmsnd.info Habibulmsn.info Hakmsns.info Haydari.info Heymanat.info Hombilmombil.info Kimbenibans.info Kimbitr.info Kimpetek.info Leyyamsn.info Lovemsnlove.info Lovepoemswhy.info Maishemsn.info Menzilmsn.info Msnbut.info Msniblock.info Msniblocki.info Msnminepr.info Msnmsntsn.info Msnsenm.info Mustarabis.info Myfedorea.info Mysoutchests.info Nerdenmsns.info Patlirafan.info Peyamnetsd.info Pirinces.info Reddumsn.info Senmsnen.info Seyyarmsn.info Seyyarmsnn.info Tayyarmsn.info Thisallfreegetit8.info Turustum.info Vasilios.info Wheremerewhy.info Zlanmsnm.info Karamsns.info
If any of your friends sends you such a message, tell them to come to this page to learn how to clean up the virus that is on their computer.