Thursday, August 14, 2008

MSN worm / virus g00d-stuff.com epidemic launch

This page describes the http://g00d-stuff.com MSN virus/worm (also known as PICS FOR MSN FRIENDS), which was activated on Aug 14th: its sources and methods of infection, the vulnerable platforms/browsers, and the methods of removal of http://g00d-stuff.com and similar MSN viruses/worms.

  1. Information about http://g00d-stuff.com and similar sites
  2. http://g00d-stuff.com sources
  3. Malicious linked website forms and variations
  4. Vulnerable platforms/browsers
  5. First things to do
  6. How to remove http://g00d-stuff.com MSN virus from your system
  7. References

Information about http://g00d-stuff.com and similar sites

g00d-stuff.com is an MSN worm that spreads through MSN instant messenger using a provoking text message that encourages users to follow the attached link.

Sources of infection

An MSN user receives a text message from one of the users in his contact list. The message sometimes contains a provoking text and always contains a link to a site hosting the virus.

The provoking message can be one of these (but is not limited to them):

  • "Album photo.zip"
  • "oh you and me? nah its me the clown again"
  • "lool someone put ur photo here: D"
  • "i want you to swim with me! send this file to swim with me!"
  • "lol someone has put your photo here: D"

The embedded link can be one of these:

  • g00d-stuff.com
  • username.bl1ng.info
  • username.jumphost.info
  • username.n1cestuff.info
  • checkdiz.info
  • username.awes0me.info
  • username.ther1ng.info
  • username.snapsh0t.info
  • username.da-real-deal.info
  • username.ch33se.info
  • c0ol-th1ng.info
  • imgeshack.info
  • m0bil3.info
  • imageloko.info
  • imagedino.info
  • imagealina.info
  • hostapic.info
  • holyimage.info
  • imagrshak.info
  • get-that-stuff.info
  • coooool.info
  • datsyou.com
  • is-thatt-you.com
  • is-dat-u.com
  • thatzyou.com
After the victim visits the page, the virus uses an as-yet-unknown vulnerability in Firefox/Internet Explorer to infect the victim's machine and distribute itself by sending links to further contacts.
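As an added example (not part of the original post, and not code from the MSNFix project), here is a small Python detector that scans saved IM message text for the lure phrases and link hosts listed above. It assumes messages are available as plain text (for example an exported chat history); the hosts are exactly those listed in the post, and the "username." prefixes are treated as a wildcard subdomain because the worm substitutes a contact name there. The sample messages at the bottom are constructed for this example, not real captures.

```python
"""Flag IM messages that match the g00d-stuff worm indicators listed in the post.

Added example: assumes messages are available as plain text. Host list and lure
phrases are taken from the post; everything else here is illustrative.
"""
import re
from urllib.parse import urlsplit

# Hosts listed in the post. A leading "*." stands for the "username." wildcard
# subdomain the worm fills in with a contact name.
KNOWN_BAD_HOSTS = [
    "g00d-stuff.com",
    "*.bl1ng.info", "*.jumphost.info", "*.n1cestuff.info", "checkdiz.info",
    "*.awes0me.info", "*.ther1ng.info", "*.snapsh0t.info", "*.da-real-deal.info",
    "*.ch33se.info", "c0ol-th1ng.info", "imgeshack.info", "m0bil3.info",
    "imageloko.info", "imagedino.info", "imagealina.info", "hostapic.info",
    "holyimage.info", "imagrshak.info", "get-that-stuff.info", "coooool.info",
    "datsyou.com", "is-thatt-you.com", "is-dat-u.com", "thatzyou.com",
]

# Lure phrases from the post, lower-cased for case-insensitive comparison.
LURE_PHRASES = [
    "album photo.zip",
    "nah its me the clown again",
    "someone put ur photo here",
    "send this file to swim with me",
    "someone has put your photo here",
]

# Matches bare hosts as well as full URLs, e.g. "g00d-stuff.com" or
# "http://alice.ch33se.info/photo". Group 1 is the host part.
_LINK_RE = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#][^\s]*)?", re.I
)


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or any-subdomain match when the pattern starts with '*.'."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def extract_hosts(text: str) -> list:
    """Return every host-looking token found in the message text, lower-cased."""
    hosts = []
    for m in _LINK_RE.finditer(text):
        # Re-parse through urlsplit so a full URL yields the same host as a bare one.
        candidate = m.group(0) if m.group(0).lower().startswith("http") else "http://" + m.group(0)
        host = urlsplit(candidate).hostname or m.group(1)
        hosts.append(host.lower())
    return hosts


def classify_message(text: str) -> dict:
    """Flag a message that links to a known worm host or uses a known lure phrase."""
    lowered = text.lower()
    bad_hosts = [h for h in extract_hosts(text)
                 if any(host_matches(h, p) for p in KNOWN_BAD_HOSTS)]
    lures = [p for p in LURE_PHRASES if p in lowered]
    return {"bad_hosts": bad_hosts, "lures": lures,
            "suspicious": bool(bad_hosts or lures)}


def scan_messages(messages) -> list:
    """Return (message, verdict) pairs for every message that was flagged."""
    flagged = []
    for msg in messages:
        verdict = classify_message(msg)
        if verdict["suspicious"]:
            flagged.append((msg, verdict))
    return flagged


# Constructed sample messages for this example (not real captures).
SAMPLE_MESSAGES = [
    "lool someone put ur photo here :D http://alice.ch33se.info/photo",
    "oh you and me? nah its me the clown again g00d-stuff.com",
    "see you at 8 tonight at the usual place",
    "check http://example.com/album",
]

if __name__ == "__main__":
    for msg, verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"FLAGGED: {msg!r} -> hosts={verdict['bad_hosts']} lures={verdict['lures']}")
```

The wildcard handling matters: the post lists `username.bl1ng.info`, so a pattern of `*.bl1ng.info` must accept `bob.bl1ng.info` but reject `bl1ng.info.example.com`, which is why the comparison is anchored on the host's suffix rather than a plain substring search.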

Malicious website forms and variations

There are two known forms of the g00d-stuff MSN worm page: the PICS FOR MSN FRIENDS phishing page and the "FREE RINGTONES, WALLPAPERS, JAVA-GAMES" page.

The PICS FOR MSN FRIENDS page looks similar to the MSN login interface and asks you to enter your MSN login credentials to proceed. DO NOT enter your credentials there under any circumstances.

"FREE RINGTONES, WALLPAPERS, JAVA-GAMES" page looks like this (photo from Switzerland):

g00d-stuff.com virus-infected page appearance for Swiss users

Both pages are heavily booby-trapped with viruses and exploits, and if you use Windows with Firefox lower than version 3.0 or with Internet Explorer, you are probably already infected.

Vulnerable platforms/browsers

List of known vulnerable platforms:

  • Windows 95/98/Me/2000/XP/2003/Vista

List of known vulnerable browsers:

  • Internet Explorer
  • Firefox 2.0

First things to do

  1. First of all - DON'T PANIC! :)
  2. It really helps not to open the link enclosed in the text message. However, you have probably already opened it - and that's why you are here.
  3. Try to notify your friends and warn them not to open any links they receive.
  4. You can also set a warning message as your status in MSN.
  5. If you didn't open the link, you are pretty much done :) If you actually did, and you notice that you keep sending links to other people, proceed to the g00d-stuff removal instructions.

How to remove http://g00d-stuff.com MSN virus from your system

  1. Download the MSNFix utility (yes, it is safe - I can clearly state this after checking the batch file code and finding other reputable sources linking to it, like this site with 34 thousand subscribers).
  2. Extract the contents into some directory on your hard drive (for example, C:\MSNFix).
  3. Run MSNFix.bat.
  4. Choose your language.
  5. Press R to start the virus scan.
(Update: the author of MSNFix has left a comment here, asking that all non-detected modifications of the virus be submitted to http://upload.changelog.fr/. There you can leave your nickname, the URL where you got the virus, your comment, and an infected file, so that it can be analyzed and MSNFix updated to cure your modification of the virus as well. Just in case: the button for upload is marked Envoyer, not Annuler.)

After the scan and removal are done (so that you no longer have any spyware/malware/keyloggers on your machine), you will need to reclaim your MSN account:

1. Go to http://login.live.com web page and click on Forgot Your Password.
2. Type in your MSN e-mail address, type the characters that appear in the Picture box, and click Continue.
3. Click Send yourself a password reset e-mail message.
4. Click Send Message.
5. Click Done on the confirmation page.
6. Open your e-mail and follow the link in the e-mail message to reset your password.
7. On the Confirm your e-mail address page, type your e-mail address, and then click Continue.
8. Type your new password two times, and then click Continue.
9. If you want to enter an “alternate” e-mail address, type the address two times, and then click Continue. If you do not want to enter an “alternate” e-mail address, click Skip.
10. When you receive the “You’ve changed your password” message, click Done.

If you want to receive updates about the g00d-stuff virus activity and methods of removal, subscribe to my RSS feed - I will keep an eye on this one, since a couple of my friends are still infected.

References

This article received hundreds of hits from Google for "g00d-stuff"-related queries in the first hours after being published, meaning the worm has become a real threat due to a previously unknown vulnerability in Firefox. Judging by the geographical locations of the requests through the day (over a thousand), I can say that the most affected countries are the USA, Canada, China, Hong Kong and Australia.


6 comments:

Anonymous said...

Please, can you translate the French text for me, for all your visitors.
I'm infected by it, just the way you describe.

Cranked said...

On the first site, a user complains that he is infected and keeps sending the link to his contacts.
The virus is not detected by any modern antivirus software.
The operating system is Windows XP and the browser is Firefox 2.0 - apparently, Firefox is also vulnerable.

Now, to the next page.

Anonymous said...

whiffy

Cranked said...

What do you mean by that? :)

Anonymous said...

I have a Mac, and while it doesn't do anything on my computer, I keep sending links to my contacts. And I didn't find any help for Mac users.
Can someone help me out? Thanks.

Anonymous said...

Hello,

If MSNFix doesn't remove the infection, please send me a sample at http://upload.changelog.fr and/or the message sent by MSN to your friend.

Thanks for your help.

Laurent
