For a few hours now a new virus has been spreading over Yahoo! Messenger, apparently one from the Palevo family.
The method is the classic one: a deceptive link arrives from a contact, and clicking it offers a virus for download.
The message is one of the following:
Your pic? http://wong.to/images321.php
foto http://hi5-viewz.net/profile.php
http://youtube-images.net/profile.php
http://www.facebook.tiitacs.com/facebook_image.php?image=IMG002508902010.JPG
http://fajcesbook.com/album.php
http://facebookim.net/profile.php
http://facebook.toptout.com/photo_id.php
is this you on pic? http://yo-picture.net/photos.php
foto http://www.facebook-vidz.com/photo_id.php
foto http://yeapic.net/photos.php
http://hi5-z.net/photos.php
foto http://alliancelink.info/photos.php
foto http://latrigalle.com/photos.php
foto http://faidebook.com/photos.php
foto http://fan-serial.ru/photos.php
is this you? http://your-photoz.net/photos.php
is this you? http://troschool.com/id.php
is this you photo? http://rurl.org/31e2?=www.facebook.com
is this you http://m-yfacebook.net/id.php
is this you? http:// facebookhit.com/photos.php
is this you? http://msnhot.net/photos.php
is this you? http://msndumpphoto.com/photos.php
is this you? http://artistspace1.com/photos.php
is this you? http://photospace2.com/photos.php
is this you on pic? http://caponemaygofree.com/profile.php
is this you on pic? http://madbomberfireworks.com/photos.php
http://facebook.vjwlimited.com/photos.php
is this you on pic? http://tinyurl.com/myspaces-JPG
foto www.dirbay.net/photos.php?=www.FaceBook.com/profile-6658.php
http://www.proelectrocasa.com/view.php
http://myn-spacing.net/photos.php
http://4url.cc/3cq?=www.facebook.com/photo.php
Is this you on pic? http://myfrcebooks.net/photo.php
Funny photo hahah http://u.nu/9f5vd?=www.facebook.com/profile.php?id=
SUMMER? yeaaaaaaahh http://u.nu/8njud?=www.facebook.com/profile.php?id=
Foto? haha http://u.nu/7rhud?=www.facebook.com/profile.php?id=
http://www.mostcashfast.com/view.php?image=
http://ow.ly/2fSaJ?=www.facebook.com/photo.php
LOL!! Is this u? http://ow.ly/2eQiw?=www.facebook.com/profile.php?id=
LOL!! Is this u? http://ow.ly/2eM7L?=www.facebook.com/profile.php?id=
is this you on pic? http://64.202.120.38/525684446636-JPG-www.facebook.com.exe
i can’t believe this is you http://67.19.9.75/444446636-JPG-www.facebook.com.exe
is this you on pic? http://ow.ly/2ei1n?=www.facebook.com/photo.php
is this you on pic? http://ow.ly/2eFvB?=www.facebook.com/photo.php
is this you on pic? http://ow.ly/2eAeK?=www.facebook.com/photo.php
is this you on pic? http://ow.ly/2eohl?=www.facebook.com/photo.php
is this you on pic? http://ow.ly/2eovc?=www.facebook.com/photo.php
is this you on pic? http://ow.ly/2e6NU?=www.facebook.com/photo.php
is is you on this pic? http://ow.ly/2dWT4?=www.facebook.com/photo.php
is it you on this pic? http://ow.ly/2dHV4?=www.facebook.com/photo.php
foto http://ow.ly/2bmMb?=www.facebook.com/photo.php
foto http://ow.ly/2d3aB?=www.facebook.com/photo.php
foto http://ow.ly/2cWs2?=www.facebook.com/photo.php
foto http://ow.ly/2dHV4?=www.facebook.com/photo.php
foto http://ow.ly/2dOyA?=www.facebook.com/photo.php
foto http://ow.ly/2cTes?=www.facebook.com/photo.php
foto http://ow.ly/2c4Kd?=www.facebook.com/photo.php
foto http://ow.ly/2bgwQ?=www.facebook.com/photo.php
foto http://ow.ly/2b7Xp?=www.facebook.com/photo.php
foto http://ow.ly/2aY8W?=www.facebook.com/photo.php
foto http://ow.ly/2anHr?=www.facebook.com
foto http://ow.ly/2aG6r?=www.facebook.com
foto http://eliotson.yourfreehosting.net/FaceBook.php
foto http://ow.ly/29Bpi?=http://www.facebook.com/photo.php
foto http://ow.ly/291IF?=http://www.facebook.com/photo.php
foto http://ow.ly/291db?=http://www.facebook.com/photo.php
foto http://ow.ly/291aV?=http://www.facebook.com/photo.php
foto http://ow.ly/290Cl?=http://www.facebook.com/photo.php
foto http://ow.ly/27K04?=http://www.facebook.com/photo.php
foto http://ow.ly/27rnj?=www.facebook.com/photo.php
foto http://ow.ly/27gE2?=www.facebook.com/photo.php
foto http://ow.ly/2752E?=http://www.facebook.com/photo.php
foto http://ow.ly/26x6I?=http://www.facebook.com/photo.php
foto http://ow.ly/23U3V?=http://facebook.com/photo.php
The www.facebook.com at the end is what fools most people. It is only text tacked onto the query string; the real site is the host that comes right after http://, which is something else entirely, and the virus itself is loaded from http://julietgardiner.com/photo.php.
The downloaded file pretends to be a photo, but its final extension is .exe and only the icon imitates that of an image (with Explorer's default "Hide extensions for known file types" setting the trailing .exe is not even shown).
Once run, it creates the file C:\WINDOWS\jusched.exe, which starts with the PC and automatically sends the messages to everyone in the Yahoo! Messenger contact list. The name is borrowed from the Java Update Scheduler, but the legitimate jusched.exe lives under Program Files\Java, not in C:\WINDOWS.
It also creates the files: c:\do.exe, c:\wos.exe, c:\tolo.exe, %userprofile%\local settings\temp\rnk.exe, c:\windows\rgemua.exe
Detection is very poor: only 4 of the 40 antivirus engines on VirusTotal.com. Congratulations to Comodo for its promptness.
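The decoy trick described above, as an added example that is not part of the original post: a small Python triage script for these lure messages. It un-glues URLs that were run together in the list, reads the real host out of each link, and flags the tells a practitioner would otherwise check by hand: a brand domain that only appears after the host (where it has no effect on where the link goes), a shortener host that hides the destination, a bare IP address, a brand name inside a domain that is not the brand's, and a download named like a JPG that ends in .exe. The shortener hosts and brand names are taken from the list above; the rule names, the function names and the sample messages at the bottom (copied from the list) are my own.

```python
"""Triage the Yahoo! Messenger lure links listed above (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Shortener hosts that appear in the lure list above.
SHORTENERS = {"ow.ly", "u.nu", "tinyurl.com", "rurl.org", "4url.cc"}
# Brand keyword -> the registrable domain a link using that name should be on.
BRANDS = {"facebook": "facebook.com", "hi5": "hi5.com", "msn": "msn.com",
          "youtube": "youtube.com", "myspace": "myspace.com"}

# A URL runs until whitespace, end of text, or a second "http://" glued on
# directly after it. "?=http://www.facebook.com/..." (a decoy inside the
# query string) is NOT a boundary: the lookbehind keeps it attached.
_URL_RE = re.compile(r"https?://[^\s]+?(?=(?<![=?&])https?://|\s|$)", re.I)
_BARE_WWW_RE = re.compile(r"www\.[^\s]+", re.I)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_urls(message: str) -> list[str]:
    """Return every URL in a lure message, splitting run-together ones."""
    urls = _URL_RE.findall(message)
    if not urls:  # e.g. "fotowww.dirbay.net/..." carries no scheme at all
        urls = ["http://" + m for m in _BARE_WWW_RE.findall(message)]
    return urls


def analyze_url(url: str) -> dict:
    """Classify one lure URL. An empty 'reasons' list means no tell fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()            # the host that really answers
    path = parts.path.lower()
    tail = (parts.path + "?" + parts.query).lower()  # everything after the host
    reasons = []

    if host in SHORTENERS:
        reasons.append("shortener_hides_destination")
    if _is_ip(host):
        reasons.append("bare_ip_host")
    for keyword, real in BRANDS.items():
        # Brand name inside a host that is neither the brand nor one of its subdomains.
        if keyword in host and host != real and not host.endswith("." + real):
            reasons.append(f"lookalike_host:{real}")
        # Brand domain appearing only after the host, where it does not affect routing.
        if real in tail:
            reasons.append(f"decoy_after_host:{real}")
    if path.endswith(".exe"):
        reasons.append("exe_named_like_image" if "jpg" in path or "jpeg" in path
                       else "exe_download")
    return {"url": url, "real_host": host, "reasons": reasons,
            "suspicious": bool(reasons)}


def triage(message: str) -> list[dict]:
    """Analyze every URL found in one lure message."""
    return [analyze_url(u) for u in extract_urls(message)]


if __name__ == "__main__":
    # Constructed sample: four messages copied from the list above.
    SAMPLES = [
        "is this you on pic? http://ow.ly/2fSaJ?=www.facebook.com/photo.php",
        "foto http://hi5-viewz.net/profile.phphttp://youtube-images.net/profile.php",
        "is this you on pic? http://64.202.120.38/525684446636-JPG-www.facebook.com.exe",
        "http://www.facebook.tiitacs.com/facebook_image.php?image=IMG002508902010.JPG",
    ]
    for msg in SAMPLES:
        for verdict in triage(msg):
            print(f"{verdict['real_host']:30} {', '.join(verdict['reasons']) or 'clean'}")
```

Substring matching on the host catches facebook.tiitacs.com and hi5-viewz.net but not misspellings such as fajcesbook.com or myfrcebooks.net, and it says nothing about where a shortener link ends up. For those the only reliable check is to resolve the link from an isolated machine (a scripted fetch, not a click) and look at the final host and the Content-Type of what comes back: a "photo" served as application/octet-stream with a .exe name is the payload described above.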
Here are the DISINFECTION steps:
1. Download Malwarebytes Anti-Malware. Run a quick scan of the PC (or a full scan if the quick scan does not work) and at the end delete the infections found by clicking Remove selected.
2. Download ComboFix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Create a new .txt file with Notepad and type into it exactly the text quoted below:
File::
C:\Users\Public\jusched.exe
C:\WINDOWS\jusched.exe
Name it CFScript.txt and drag it onto ComboFix, as shown in the picture below:

Then make sure you have closed all running programs (Yahoo Messenger, Firefox, etc.).
Temporarily disable your antivirus protection!
Then run ComboFix. It will ask whether to start cleaning. Confirm with Yes each time. Do not stop it while it scans and disinfects the system. The desktop may disappear while it runs.
If you managed to clean this infection, I recommend buying the PRO version of Malwarebytes Anti-Malware to protect yourself from such threats in the future, given that they were not detected or removed by your current antivirus.


Just last night someone was sending it through their contact list as a mass message. I picked it up on purpose (I have Kaspersky I.S 2011 + Hitman 3.5)... On the first scan neither of them detected it. I uploaded it to VirusTotal and it was detected by BitDefender, Comodo, G Data + others that are not very widespread. I stopped it through "Proactive Defense" and ran an online scan with BitDefender (which found it and deleted it). I'm sure that if I pick it up today both of them detect it... (KIS and Hitman)...
Have a look at what your "ComboFix" contains too:
http://www.virustotal.com/analisis/e8051a6ee427793fb1c6cd6c6db8c7f8a180358d7fd3995a9a0436e195509580-1277738548
By the way, this doesn't work, I tried it at a friend's, and I think it would be easier to go to C:\WINDOWS\jusched.exe and delete the executable.
@Cosmyn: ComboFix contains utilities used in disinfection. Some parts of it can also be used as viruses in certain situations. ComboFix is an effective utility for cleaning malware.
Sorry, I was too quick to say it doesn't work; I found out it had cancelled the process before it finished, so that's why it wasn't working. Still, better tell them to go in directly and delete the executable.
Latest detection:
http://www.virustotal.com/analisis/2fb7808eb05bee0673be08fd4c2e537635ccd0b06d21390a39b21832ca434ac5-1277754721
@Radu
Thank you for the warning, and I'd like to ask whether MBAM is good for DISINFECTION too? (I haven't received anything like this on Messenger yet, YET)
@Costin: I think they added detection in the meantime. I sent them the virus and the download link.
http://www.virustotal.com/analisis/eef52b77b06b6531e39222aafee218fe410703bd53b2f8d990a77947fa151ac8-1277815260
@Cojocaru Silviu: Detection has improved, but from this we can see that the antiviruses aren't all that prompt: only 15 out of 40.
If you have that virus which sends mass messages to your whole list, you can get rid of it with this file; tested, works 100% on Windows XP. If you have Windows Vista or 7 and have that virus, try it, I don't know if it works.
http://depositfiles.com/files/vergn3fma
A desktop screenshot of the Notepad file, so that the clueless can see exactly what it looks like before being named and saved.... I mean, do you have to write " File:: " too?
Well, I'm not that experienced in these things, how am I supposed to do it????
@alina: What exactly don't you understand from this guide?
If I format the PC, do I get rid of this virus?