News Items

Jun 02, 2005 07:45PM

Apparently, there is some kind of confusion, at least with one particular person. I received the following in an email this afternoon from a fake email address:

DONT CHANGE MY BUDDY INFO AGAIN OR I SWEAR TO GOD I WILL GET UR WEBSITE DELETED

I'm not sure who sent this or why, but they appear to be under the mistaken impression that I or AIMFix is somehow magically changing their profile information. To clarify, in case anyone else has gotten this into their head somehow, AIMFix only changes your buddy info ONCE, when you run it, and then ONLY if it finds a virus file and removes it. As long as you don't run AIMFix again, or all known virus files are removed, the buddy info/profile will not be affected. The note left in the edited profile also says:

Please note: this is simply to notify you that the virus has been removed. You may delete this from your profile at any time

I'm not sure how this was confusing, but evidently it was to at least one person, so in case it is for anyone else, I thought I'd post a note here. If you have an AIMFix-created message in your profile, all you have to do is remove the message and it will never bother you again, unless you run AIMFix a second time to remove another virus file.

-Jay 

Jun 01, 2005 02:41PM

Not sure what's been happening, but there seems to be a new set of AIM viruses out, judging by the emails I have been receiving the past 48 hours. However, most of them are turning out to have viruses that are already removed by AIMFix. I have a suspicion that someone out there is serving up copies of AIMFix from their own website instead of linking directly to me, causing outdated copies of AIMFix to be distributed. Please only download AIMFix from http://webdefenders.net/AIMFix.exe or http://jayloden.com/AIMFix.exe

If you are a webmaster, please do NOT mirror my tools or webpage information. They change far too frequently for you to keep up with and I would much prefer that people get the information and the tools from the original source. That way if I release a new update, everyone gets the updated version and I get less email.

If you are a person seeking help with a virus, PLEASE run the current AIMFix from my website BEFORE you email me or contact me.

-Jay

May 28, 2005 10:34PM

I've gotten four emails in the past few days from people having trouble with AIMFix removing a virus for them. I'd guess this means there's a new variant of the virus out, but I can't tell. Not one person has sent me a HijackThis log file, so I can't tell what (if anything) needs to be added to AIMFix to take care of it.

Just to recap: if AIMFix can't detect a virus on your computer (i.e. you're still sending out virus links, and AIMFix doesn't detect anything), download HijackThis and run it. Click the button to run a scan and save a log file, and Notepad will open showing the log information. Copy and paste it and send it to me in an email or through the contact form. That's normally all it takes for me to be able to update AIMFix and take care of the problem, but I can't do it without the info!

-Jay

May 25, 2005 03:46PM

In researching the previous news post, I discovered some more information about the current virus, which I had previously found referred to as Gabba-A. It is apparently also known as Oscarbot or Opanki.worm if you are a McAfee user, Symantec has named it Backdoor.Doyorg, and Kaspersky is calling it Backdoor.Win32.Agent.jn.

These are all the same virus, and as usual, the antivirus vendors have about one hundredth of the information posted on their sites. They only mention one variant of the worm, and nothing about the dozens of variants that followed it that I've got in AIMFix. In addition, I would like to point out that both McAfee and Symantec added it to their virus definitions on May 02, 2005 - I had my first reported case on April 26, 2005 (and updated AIMFix within a few hours).

Honestly, I'd love to know why it is that McAfee, Symantec and the rest of the crew are so behind on this? I would really rather that I DIDN'T have to keep updating AIMFix, to be honest. There are plenty of things that rank higher on my list. I'm debating sending out virus reports to the major companies with information so they can update their definitions, but it takes a bunch more work for me to do that than to update AIMFix, so I haven't yet done so. I know they've got lots of other things to worry about but it's a bit distressing that AIMFix appears to be the only existing removal tool for hundreds of variations of virus files.

Anyway, I'll add links to the info page for the sake of completeness.

-Jay

May 25, 2005 03:32PM

Ok, I've been getting way too many questions about this, so I'm adding it as a news item, putting it on the contact page, and adding it to the virus info page as well.

If you are having trouble signing onto AIM after being infected with the Gabba-A "check this out" virus, there are two probable causes.

  1. AOL has suspended your account for sending out virus links, and you will have to get it unsuspended. The AIM terms of service do not allow the sending of virus links or mass IMs, and if you were infected with the virus, you were spamming other people with IMs and sending out virus links. Therefore, some people have had their account suspended by AOL for doing so. More information about this at eWeek.
  2. The virus also can change passwords and email accounts associated with your AIM screen name and thereby hijack the account. If this happens, there is no way to fix it with AIMFix, because the password is not stored on your computer. It is on AOL's servers, and the only people who have control over this are AOL's admins. You can try and contact them and see if they will help, but it is unlikely they can since you no longer have the password or contact info for the account.

Sorry to be the bearer of bad news here, but there's just nothing I or anyone else can do about this one.

-Jay
