"check out this!" AIM Virus

(a.k.a. Oscarbot, Opanki, or Doyorg)

You may also wish to download Anti-Vir antivirus from http://free-av.com and see if it can help you remove this. New virus variants are released constantly, so AIMFix may not remove a specific variant you may be infected with. If so, just send me a HijackThis log and I will use it to update AIMFix to remove any new variants.

CHANGE YOUR PASSWORD! The virus steals passwords and usernames for some people, so change your password immediately and verify the email address for your account is not changed! If your account is stolen, I cannot help you get it back - AOL is the only one who controls passwords.

This worm is also known as Oscarbot or Opanki.worm if you are a McAfee user. Symantec has named it Backdoor.Doyorg, and Kaspersky is calling it Backdoor.Win32.Agent.jn.

First reported case of this virus was from April 26, 2005:

The virus sends the Instant Messages with the following text (or similar):

  1. hey check out this!
  2. hey check out this
  3. This is cool check it out news!
  4. lol have you seen this?
  5. hey check out my new pictures
  6. This is cool. Check it out
  7. check this out, is this you?
  8. check out these hot pics
  9. lol i think this is you
  10. CHECK http://www.hayattan.com/pictures/beach_foto_packet.pif
  11. rofl look at this lol: http://media.ebaumsworld.com/archives/jun/video8.wmv
  12. this picture won't work for me, can you tell me if it works for you? http://www.yahoo.com/pictures/bored.jpg
  13. rofl this is hilarious http://media.ebaumsworld.com/if_he_only_knew.wmv
  14. hehe :) i found this funny movie
  15. don't forget to watch this video http://media.ebaumsworld.com/videos/nerds.wmv
  16. damn this is weird lol http://pictures.msn.com/vib/f/current/soldier.jpg
  17. damn this looks just like me lol http://www.xanga.com/index.aspx?user105.jpg
  18. isn't this you? http://budypic.com/users/user_3918/picture1.gif
  19. lol this looks just like you http://www.users.muohio.edu/reberak/pic.pif
  20. how do they do this

The text contains a link to any of the following, or similar pages:

AIMFix will remove this if you have the most recent version. You will need to run AIMFix twice: run it, then reboot, then run it again. I suggest that you boot into Safe Mode without networking before running AIMFix to ensure it has no trouble removing the virus (download it to your Desktop before rebooting). CHANGE YOUR PASSWORD! The virus steals passwords and usernames for some people, so change your password immediately and verify the email address for your account is not changed!

If AIMFix still does not remove the virus for you, please contact me with a log file from HijackThis so I can update AIMFix to help you out.

Please remember to follow the spyware removal steps to remove spyware installed by the virus, and then get a good antivirus (free) to remove any other viruses you have on your computer. These are very important to remove any after-effects of other files that you still have infecting your system.

Manual Removal Instructions:
The manual removal should be entirely unnecessary, as AIMFix works for almost every single person. However, if it does not work for you, you can follow these steps:

Please note: for the purposes of these instructions, it is assumed that you have Windows installed to C:\, also known as your "C drive". If for some reason you have Windows installed elsewhere, you will need to substitute that drive letter (such as F or Y) for "C" in the directions. Also, if you run Windows 2000, the folder may be Winnt in place of the Windows folder. (Each "\" after a folder name means it's a folder inside that folder. So, C:\Windows\System means a folder called System, inside a folder called Windows, inside the "C" drive.)

  1. You will need to first download the removal tool, which is provided HERE. Please do NOT select "open" when you click the link, but save it to your hard drive, preferably to your desktop so that you can find it later.
  2. Run the removal tool (you may wish to try this twice if it fails the first time). After running the removal tool, please boot into Safe Mode (without networking) and try running the tool in safe mode. It should remove the final file. For instructions on booting into Safe Mode, click here.
  3. For manual removal of the virus files, you will need to first make sure you are in Safe Mode (see above). Now you will need to download HijackThis to remove a setting created by the virus. In HijackThis there will be an entry referring to System.ini:svchost.exe or similar. Fix this item by checking it in HijackThis and selecting "Fix selected items". Reboot the computer to take this file out of running processes, and boot back into Safe Mode without networking again.
  4. Next, you will need to show all hidden files, since most virus files are marked hidden so they are not visible to you normally.
  5. To unhide files, click on the Tools menu in Explorer, then click Folder Options, and go to the View tab. (If you are on 98, this will be in the View menu.) Now check the box next to "show hidden files and folders" and uncheck the "Hide protected operating system files" box. Now choose "apply to all folders" and click apply. The files are usually located in C:\Windows\System or C:\Windows\System32, though it varies from computer to computer.
  6. In this case, delete any of the following files:
    • wsaupdater.exe
    • C:\Windows\find.exe
    • ab.exe
    • wup.exe
    • sys.exe
    • WMINUDP.exe
    • winlogin.exe
    • svcnet.exe
    • fntldr.exe
    • winimsg.exe
    • Nail.exe
    • windows.exe
    • safe.exe
    • svcproc.exe
    • funnypics.com
    • proto.com
    • gallery.com
    • mypic.com
    • pictures.com
    • cd.exe
    • media-24.exe
    • aim.com
    • supervisor.exe
    • mshard.exe
    • cnghod.exe
    • schost.exe
    • ssfphvo.exe
    • hcpd.exe
    • aim2.exe
    • zonealarm.exe (don't delete this if it's actually in a Zonealarm folder)
    • svcmgr32.exe
    • elitecwo32.exe
    • elitelgl32.exe
    • W32SWS.exe
    • shost.exe
    • scmsg.exe
    • procmsg.exe
    • hostw.exe
    • win.exe
    • run.exe
    • sbl.exe
    • msvc.exe
    • C:\windows\svchost.exe (NOT C:\windows\system32\svchost.exe - that's a valid windows file!)
  7. Unless I give a specific path to a file, like C:\Path\To\Someplace\virusfile.exe, the files are probably in C:\Windows or Windows\System32. Again, unhide the files and look around, or use the file search. Be aware that on Windows XP the search does not cover hidden files or system directories by default; you need to enable that in the advanced search options.
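
The path exceptions in steps 6 and 7 are easy to get wrong by hand, so here they are as an added Python example (not part of the original page and not AIMFix's code). The names `is_listed` and `triage`, the reading of "a Zonealarm folder" as any parent folder with that name, and the sample paths are assumptions; only a subset of the file names is included.

```python
from pathlib import PureWindowsPath

# Names from step 6 of the page (a subset, to keep the example short).
LISTED_ANYWHERE = {
    "wsaupdater.exe", "wup.exe", "winlogin.exe", "svcnet.exe", "schost.exe",
    "shost.exe", "funnypics.com", "pictures.com", "aim.com", "msvc.exe",
}
# The page lists these with a full path, so they count only when they sit
# directly in the Windows folder; System32\svchost.exe is a valid Windows file.
LISTED_IN_WINDIR_ONLY = {"find.exe", "svchost.exe"}


def is_listed(path, windows_dir=r"C:\Windows"):
    """True if `path` matches the page's list, honouring its path exceptions."""
    p = PureWindowsPath(path)  # PureWindowsPath compares case-insensitively
    name = p.name.lower()
    if name in LISTED_IN_WINDIR_ONLY:
        return p.parent == PureWindowsPath(windows_dir)
    if name == "zonealarm.exe":
        # Assumption: "a Zonealarm folder" = any parent folder named like it.
        return not any("zonealarm" in part.lower() for part in p.parent.parts)
    return name in LISTED_ANYWHERE


def triage(paths, windows_dir=r"C:\Windows"):
    """Return the paths worth reviewing for deletion, in input order."""
    return [p for p in paths if is_listed(p, windows_dir)]


# Constructed sample listing (not from a real machine).
SAMPLE = [
    r"C:\Windows\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Windows\System32\find.exe",
    r"C:\Windows\System32\WINLOGIN.EXE",
    r"C:\Windows\System32\winlogon.exe",
    r"C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe",
    r"C:\Windows\System32\zonealarm.exe",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("review:", hit)
```

Pass `windows_dir=r"C:\Winnt"` (or another drive letter) when Windows is installed elsewhere. A name match only narrows down what to look at, since new variants use new file names.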

IMPORTANT: after removing the virus, you will probably have spyware that needs to be removed. See the spyware page for detailed instructions on removing spyware.


LEGAL STUFF: I am not affiliated with the makers of this virus in any way, nor am I affiliated with any anti-virus company. I merely provide this as a service for those who have been infected. I take no responsibility for any damage done by the virus or by those incorrectly following these removal steps, or those using my removal tools.
