Thursday, August 14, 2008

MSN worm / virus g00d-stuff.com epidemic launch

This page describes the http://g00d-stuff.com MSN virus/worm (also known as PICS FOR MSN FRIENDS), that has been activated on Aug 14th, it's sources and methods of infection, vulnerable platforms/browsers, methods of removal of http://g00d-stuff.com and similar MSN viruses/worms.

  1. Information about http://g00d-stuff.com and similar sites
  2. http://g00d-stuff.com sources
  3. Malicious linked website forms and variations
  4. Vulnerable platforms/browsers
  5. First things to do
  6. How to remove http://g00d-stuff.com MSN virus from your system
  7. References

Information about http://g00d-stuff.com and similar sites

g00d-stuff.com is an MSN worm that spreads through MSN instant messenger with provoking text description, encouraging users to follow the attached link.

Sources of infection

MSN user receives a text message from one of the users in his contact list. A message can sometimes contain a provoking text and always contains a link to a site, containing a virus.

Provoking message can be one (but not limited to) of these:

  • "Album photo.zip"
  • oh you and me? nah its me the clown again"
  • "lool someone put ur photo here: D"
  • "i want you to swim with me! send this file to swim with me!"
  • "lool someone put ur photo here: D"
  • "lol someone has put your photo here: D"
Embedded link can be one of these:

  • g00d-stuff.com
  • username.bl1ng.info
  • username.jumphost.info
  • username.n1cestuff.info
  • checkdiz.info
  • username.awes0me.info
  • username.ther1ng.info
  • username.snapsh0t.info
  • username.da-real-deal.info
  • username.ch33se.info
  • c0ol-th1ng.info
  • imgeshack.info
  • m0bil3.info
  • imageloko.info
  • imagedino.info
  • imagealina.info
  • hostapic.info
  • holyimage.info
  • imagrshak.info
  • get-that-stuff.info
  • coooool.info
  • datsyou.com
  • is-thatt-you.com
  • is-dat-u.com
  • thatzyou.com
After visiting, the virus uses an unknown yet vulnerability of Firefox/Internet Explorer to infect the victims machine and distribute  itself by sending links to further contacts.




Malicious website forms and variations

There are two known forms of g00d-stuff MSN worm page: The PICS FOR MSN FRIENDS phishing page and "FREE RINGTONES, WALLPAPERS, JAVA-GAMES" page etc.

PICS FOR MSN PAGE will look similar to MSN login interface and will ask you to enter your MSN login credentials to proceed. DO NOT enter your credentials there under any circumstances.

"FREE RINGTONES, WALLPAPERS, JAVA-GAMES" page looks like this (photo from Switzerland):

g00d-stuff.com virus-infected page appearance for swiss users

Both pages are heavily booby trapped with viruses and exploits, and if you use Windows and Firefox lower then version 3.0 or Internet Explorer - you are probably already infected.







Vulnerable platforms/browsers

List of known vulnerable platforms:

  • Windows 95/98/Me/2000/XP/2003/Vista
List of known vulnerable browsers:

  • Internet Explorer
  • Firefox 2.0

First things to do

  1. First of all - DON'T PANIC! :)
  2. It really helps not to open the link, enclosed in the text message. However, you have probably already opened it - and that's why you are here
  3. Try to notify your friends and warn them not to open any links they will receive.
  4. You can also set a warning message as your status in MSN
  5. And if you didn't open the link - you are pretty much done :) If you actually did and you notice that you keep sending links to other people - proceed to g00d-stuff removal instructions





How to remove http://g00d-stuff.com MSN virus from your system

  1. Download MSNFix utility (yes, it is safe - I can clearly state it after checking the batch file code and finding other reputable sources linking to it (like this site with 34 thousands subscribers)).
  2. Extract the contents into some directory on your hard drive (for example, C:\MSNFix)
  3. Run MSNFix.bat
  4. Choose your language
  5. Press R to start virus scan
(Update: Author of MSNFix has left a comment here, asking for submission of all non-detected modifications of virus to http://upload.changelog.fr/. There you can leave your nickname, url where you've gotten the virus, your comment, and an infected file - so it will be analyzed and MSNFix will be updated to be able to cure your modification of MSNFix as well (Just in case: the button for download is marked Envoyer, not Annuler)).

After test and removal is performed (so you don't have any spyware/malware/keyloggers on your machine), you will need to reclaim your MSN account:

1. Go to http://login.live.com web page and click on Forgot Your Password.
2. Type in your MSN e-mail address, type the characters that appear in the Picture box, and click Continue.
3. Click Send yourself a password reset e-mail message.
4. Click Send Message.
5. Click Done on the confirmation page.
6. Open your e-mail and follow the link in the e-mail message to reset your password.
7. On the Confirm your e-mail address page, type your e-mail address, and then click Continue.
8. Type your new password two times, and then click Continue.
9. If you want to enter an “alternate” e-mail address, type the address two times, and then click Continue. If you do not want to enter an “alternate” e-mail address, click Skip.
10. When you receive the “You’ve changed your password” message, click Done.



If you want to receive updates about the g00d-stuff virus activity and methods of removal, subscribe to my rss feed - I will keep an eye on that one since couple of my friends are still infected.



References

This article has received hundreds of hits from Google by "g00d-stuff"-related queries in first hours after being published, meaning it has became a real threat due to unknown before vulnerability of Firefox. Judging by geographical locations of requests through the day (over a thousand), I can say that the most affected countries are USA, Canada, China, Hong Kong and Australia.
0
said thank you for this page

Liked this article? Bookmark/share it with others: Didn't like the article, found a mistake or just want to express your own opinion? Post a comment!

6 comments:

bianca said...

Please, can you translate the french txt for me, for all your visitors.
I'm infected by it, just the way you describe.

Eterniel said...

On first site user complains that he is infected and keeps sending the link to his contacts.
The virus is not detected by any modern antivirus software.
Operating system is Windows XP and browser is Firefox 2.0 - Apparently, Firefox is also vulnerable.

Now, to the next page.

Anonymous said...

whiffy

Eterniel said...

What do you mean by that? :)

Anonymous said...

I have a mac, and while is doesn't do anything on my computer, I keep sending links to my contacts. And didn't find any help for mac users.
Can someone help me out, thanks

Laurent said...

Hello,

If MSNFix don't remove the infection please send me a sample http://upload.changelog.fr and / or the message send by MSN to your friend.

Thanks for your help.

Laurent

Post a Comment

Have anything to say? Leave a comment!
Too shy or got a too private question? Email me
Alternatively, you can drop me a line on Twitter