Virus Is Using Skype

[wolfmanjack]

My skype popped open and sent a message to every contact I had. The messages were a virus from facebook. One was the "you have been tagged in this photo" and the other was the "this is so funny" message that give you a virus if you open the file. the thing is i never ever opened these files on facebook so I do not know how they got on my computer. Also i have no idea how a virus is opening my skype and sending these messages out. I have ran scans using several anti virus programs and they all claim to have deleted viruses. I immediately do another scan with the same program and find more viruses. Is my only option to format my drive and reload the OS?

[siamect]

Yet another good reason to skip both Skype and Windows...

Martin

[Latindancer]

Which antivirus programs did you use ?

Have you tried AVG or A-squared ? The latter is really very good.............................

[H2oDunc]

Yet another good reason to skip both Skype and Windows...

Martin

The guys after advice not smart arsed comments about how great <deleted> Apple is for crying out loud.PATHETIC!

Wolfman try running your virus scan in safe mode. Some virus's cannot be deleted or quarantined if they are running. To start in safe mod re boot and keep pressing the F8 button at the top. Select safe mode from the options. This loads just the basic drivers so the virus should not load.Scan in safe mode and see if that cures it Good luck

Edited February 13, 2010 by H2oDunc

[beano2274]

My friend had a similar problem on MSN, advice was change password, suggest you do the same, as all your contacts are getting pretty pi**ed off by now.

[siamect]

Yet another good reason to skip both Skype and Windows...

Martin

The guys after advice not smart arsed comments about how great <deleted> Apple is for crying out loud.PATHETIC!

Wolfman try running your virus scan in safe mode. Some virus's cannot be deleted or quarantined if they are running. To start in safe mod re boot and keep pressing the F8 button at the top. Select safe mode from the options. This loads just the basic drivers so the virus should not load.Scan in safe mode and see if that cures it Good luck

Sorry if anybody took my words as a "smart arsed comments about how great <deleted> Apple is".

It was not my intention at all.

I'm not an Apple user.

So far, with all respect to all the people responding to Wolfmans post, none of advice given in this thread, except the advice from me, give Wolfman nor anybody else, a stable long term solution.

My first advice to anyone who are having problems with viruses is to change to any non Microsoft OS.

I don't think that that is a bad advice and I don't expect people to shout PATHETIC after me because of that.

My second advice to avoid Skype is based on two main points:

1. Skype is used by this particular virus (or whatever it is). Removing Skype immediately would most likely put an end to the messages sent out and stop spreading this to others.

2. Skype is using a communication protocol that is not open to public review. The whole software package is also not open to public review. This makes it impossible to have any opinion at all on any security related issues with Skype. In fact you can't even have any opinion of the functionality of the program. There is no way you can know what the program is doing at all. Unfortunately this situation exist with just about any proprietary software.

About the advice from H2oDunc to run the machine in safe mode:

Before you recommend this to anybody, you have to make sure that the antivirus on-access scanner is still active in safe mode.

I know that for example AVG (Grisoft) is not active in safe mode. I suspect that this is quite common. In fact, I have yet to see an antivirus scanner that is doing its job in safe mode. If anybody know any antivirus program that keeps it's on access scanner alive in safe mode, please let me know and spread the word.

That means that in "safe mode" your computer is completely unprotected. So the "safe mode advice" must be surrounded with warnings and it should be used only as the last way out. If you use "safe mode", make sure you do only what is required to scan the computer. Don't do anything else... the reason is obvious...

I know that this method is recommended by antivirus software vendors. It is still a bad idea in most cases.

Martin

[sysmaster]

I just got a phone call from one of my customers, two of his notebooks show the same symptoms, and the virus seems to do more than just sending out stuff, he informed me that his Avira was now deactivated and he could not get it running anymore.

He also indicated that this afternoon the rest of his staff complained that their computers where sluggish... reason unknown, if the sluggishness was due to not being able to get onto the internet, then it could be understandable, this virus could be claiming all bandwidth on the ADSL, he had a similar one a few months ago that was constantly sending e-mails, but first tried to resolve the targets with a DNS resolution, thus jamming that track profoundly.

Anyway, I'll have my fun tomorrow morning.... and hopefully find a cure, but I'll keep you posted on the progress

[sysmaster]

Follow up....

The virus is according to "Prevx"

• Cloaked Malware
  
• Malware Dropper
  

also known as "QXZV5.EXE" or WCOREDT.EXE or DSC-NEWPICTURE017.JPEG_WWW.CRAZYPHOTOHOST.COM.

It places itself in system32 under one or both of the first two names, the later one is hidden, it also has reference links stored in the \WINDOWS\Prefetch and the there included .ini file. The WCOREDT is pretty early referred in the prefetch, long before any AV software is started.

Prevx claims to have a removal tool (buyware), no other AV's mention much reference, AVG will not find it when the computer is already infected, and in due course, the virus will disable any AV software, additionally block access to any website that might have a solution.

Spybot does not work either, trying to use Combofix ends in a BSOD.

Scanning the drives is probably useless, I found it because I removed the HDD from the notebook and had it scanned as an external drive

on a PC, then also AVG will recognize it.

More to follow...

[babuhavas]

I have a question

how to go safe mode?i seriously don't know this.

[sysmaster]

I have a question

how to go safe mode?i seriously don't know this.

when the computer boots, just after you see the bios information, press F5, then a selection screen should show up, the press F8, and you will then see the option to boot in Safe Mode.

However if this is related to this virus problem, forget it, it also ends in a BSOD.

SM...

[sysmaster]

A Fix,

{at least it seems to work on both notebooks I repaired}

!! you have to be in administrator rights !!

After windows is fully loaded, open "windows\prefetch"

find entries like "WCOREDT*.pf" and "QXVZ*.pf" and delete them

then open layout.ini in the same directory, and find those entries but now with the real path

"C:\WINDOWS\System32\...." and delete them in the .ini file (WCOREDT.exe will come first)

then save this layout.ini as layout.txt

rename the original layout.ini to layout.xxx, and afterward layout.txt to layout.ini.

Goto C:\WINDOWS\System32\ and find QXVZ*.exe, rename the extension to anything except

.exe, .dll, .com or so.

Reboot the computer immediately after your change.

After full reboot, got back to C:\WINDOWS\System32 and delete that renamed file.

Remove and re-install your usual AV software (some intermediate re-booting might be required)

Have the "new" AV do a full scan, it will probably find some entries in temporary internet file directory

and also the "WCOREDT.EXE" file !!( stay with it, it is possible that this virus will even be detected before

the scan starts and it will then be re-detected, as soon as it is detected (AVG pops-up a special window)

delete it immediately.

(You probably will have to reboot once more)

By the fact that the files are now detected with an AV, an attempted re-infection will also be detected...

it seems that his virus is also attaching or embedding itself in other programs..

(I had two occurrences that triggered the virus-shield of AVG, and I'm still running tests...)

Apparently there are no entries in the registry, at least not obvious ones, it all seems to be installed

via the windows prefetch (but no guarantees on this statement, it is still to early to say for sure)

All this as a temporary fix for this nasty beast. Anyway I now have two "properly" working notebooks again.

Good Luck

SM

Edited February 17, 2010 by sysmaster

[monapadu]

I have several computers have been infected with wcored*.exe.

Yesterday, I was able to delete the wcoredt.exe and wcoredp.exe from one of the computers. I have also deleted the registry entries. I have unchecked all unwanted applications that started (in msconfig) - especially conime.exe, which, when the virus is active, keeps reactivating itself.

Everything seemed all right, I could even run combofix which reported no problems. As AV, I uses ESET Smart Security.

But today, on the same computer, another file named wcoredg.exe appeared and, of course, it damaged the AV. So I believe that there is much more to it... unfortunately.

The only information about wcored* is on prev website, but I don't know anything about this antivirus. Did anyone checked it out?

If anyone finds a viable solution, please help...

[sysmaster]

Indeed there is more to it,

I cleaned two notebooks yesterday, tested them again this morning before bringing them back to the office, all clear.

within 4 minutes running in the office one of the was re-infected.

In the office there is a small fileserver (those small boxes) and on the public directory I found an autorun.inf of 500+ KB,

and some hidden ~tmp??? directory.

Deleted that stuff, and fixed that one NB again, and it seems to be working, the second NB was used after the file server fix and that

remained clean.

This thing is so new, practically no information is to be found, and the infection seems to differ.

We do detect the QXZ...exe but there seems to be another mechanism that is re-planting it. Merely quarantining it does not solve the problem, and if it manages to start again, the AV and spybot are disabled, among other AV tools.

So we are not at the end of it and it is spreading!!!

[residentgeek]

I found this forum while researching this virus. I've managed to clean it off of two computers so far. Here's what I did. Hopefully it will be helpful to someone. Even if you don't have a BartPE or Ubuntu disc, it might be possible to hook the drive up to another computer and do the same thing. This is the way it appeared on the two machines I worked on. It does seem to mutate a bit though.

This bug spreads through Instant Messenger programs by sending an IM from you to any contacts that are currently logged in and tries to get them to click on a link in the message. It also infects anything that autoruns like USB sticks or external hard drives. It disables antivirus programs - I couldn't get AVG or Malwarebytes to run at all, and it would blue screen with a 0xF4 stop error if I tried to run Combofix. It also hijacks your host file and encrypts it.

I had it infect a USB stick I was using to clean the machine with, then it infected my main machine because I put the same USB stick on it to load more cleaning software. I've disabled autorun for all drives on my PC to keep this from happening again (I know, I should have done that a long time ago).

CLEANUP STEPS:

Boot to BartPE disc.

Run Remote Registry Editor.

Remove the conime.exe entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Remove the conime.exe key in HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options

Boot to Ubuntu disc (or other Linux live CD)

Delete these two files:

c:\windows\system32\conime.exe

c:\windows\system32\wcoredp.exe

or

c:\windows\system32\wcoredt.exe (I've seen both filenames)

Then delete c:\windows\system32\drivers\etc\hosts

Then delete everything in c:\documents and settings\username\local settings\temporary internet files\content.ie5 (except index.dat because it might not let you)

There is probably a simpler way to do all that, but this was the only way I could come up with to get rid of the stupid thing. The files are hidden which makes them more difficult to remove with a BartPE disc since BartPE respects Windows file attributes (not impossible, just more frustration than I had time for). Ubuntu doesn't really care about that for the most part, so the files are easier to remove using that. The Temporary Internet Files stuff is because I found a file hanging out there that was part of the infection. Plus a lot of junk seems to hang out there in general, so it never hurts to clean it out. Deleting the hosts file is the easiest thing in this situation. If Windows needs it (which most of the time it doesn't), it will recreate it.

Hope this is helpful or at least points someone in the right direction.

Edited February 19, 2010 by residentgeek

[sysmaster]

Hi residentgeek,

I've been applying a similar approach yesterday, I have a cd-bootable XP (Spybot has the tools and guideline to create such with spybot on the CD)

There is also a command window included, so that eases the access to the HDD.

To find those files in the system32: dir /a:rsh *.* will show all hidden, dir /a:rsh *.exe only executables, dir /a:rsh w*.* & dir /a:rsh q*.* the

nasties..

del /a:rsh {filename} will remove them. (also delete QXVZ*.exe, that one is a visible copy of the virus)

We are closing in on the beast, let's hope that it can be killed.....

(I've been running some searches through the WWW, some PC's in Germany are hit also.)

AVG does detect the virus and presumably removes it, but after rebooting it is back to square 1.

no useful information is found on the websites of AV engines...

If you have spybot installed, after removing the virus "remotely", in booting, Spybot's "teatimer" will pop-up with the Conime file ... deny change stops it.

Three more computers to go, and then re-check the others on Monday...

[sysmaster]

searching the registry produced several entries with wcoredt.exe and several with conime.exe....

search wit above names for data and value

[sysmaster]

even removing all occurrences of those files did not prevent it from re-installing...

I then renamed the ntosboot...pf to something useless, removed the virus files once more

and rebooted, now it did not re-create entries in the Prefetch.

I also found a task in the "scheduled tasks" via the Spybot CD secure shredder.

Killed that one and the related files.

Seems to be clean... AVG could not be re-installed, some registry-key could not be accessed,

after I fixed that, AVG is now installed and running a full scan, this completed, I will set it to

go for a deep scan.

WE will see....