
"Hey, is this really you?" MSN virus - how to be sure the trojan is gone?

buglawton
Again, MSN chat viruses/Trojans are spreading. My son fell for the 'Hey, is this really you?' one: he saved the file that he thought was a picture, then clicked on it. This meant he executed the DOS file, and we know the virus was active as it attempted to send the message to my MSN Live Messenger too.

Scanning with up-to-date AVG Free and HijackThis failed to detect it, even though I could see the file! I tried a few online scans and Bitdefender quickly identified it as backdoor.IRCBot.ABTK, for which there may be the alias IRCBot-1972. However, these names do not come up in a search of Bitdefender's Virus Encyclopedia.

Bitdefender's online scan promptly deleted the .com file that had been saved, then detected the same virus in the Program Files/MSN folder as an MSN component, though it could not delete it. Told my son to uninstall then reinstall MSN Live Messenger.

The real question is this: Bitdefender did not locate any further instances in the full 100% scan. So where is the backdoor that was probably part of the payload (installed when clicking on the file)? Which tool is likely to find this?

I may post this on a more specialist forum too, will report back if I get any other answers.

Comments

  • Hey,

    My little sister has just put this on my computer too and now I can't log in to either my email or my MSN. I get an error message saying the security certificate has expired. Just off to scan with Bitdefender and will be watching this post with interest.

    thanks
    fishcake
    Happily married mama of 5
  • o_c99
    If you are able to access the internet, type in the name of the virus: backdoor.IRCBot.ABTK
    into a search engine like Google.

    There is normally advice about how to remove them on many techie websites. Sometimes, advice from well-known companies such as Symantec (Norton) and McAfee appears at the top of the results.

    Not all virus scanners can pick up every virus, trojan etc., as new ones appear every day, sadly. No one product is best.
  • buglawton
    Yes, done the above already and could get no more info (in English) than the name by which Bitdefender identified it. So, curious why Bitdefender did not find any registry entries or other hiding places for this virus.

    Looking at a Danish page on this topic now.

    UPDATE:

    Translated the Danish page and it points to a removal tool at http://www.csis.dk/dk/forside/ircbot-ab.zip
    Checked out the website www.csis.dk (choose English language); it seems kosher, only you cannot seem to find the tool listed by entering their site first.

    Will report back on how the tool works.
  • o_c99
    Try this link out. It is about the IRC Bot.

    I typed in IRC Bot into Google and there are many variants like yours and many results too.

    http://www.symantec.com/security_response/writeup.jsp?docid=2003-100713-2421-99&tabid=3
  • That link you provided, the cleaner didn't work. I found it also at Major Geeks.com.
    http://www.majorgeeks.com/Norman_Malware_Cleaner__d5450.html
  • buglawton
    Many variants, though in the csis website I linked to above, they identified the virus by a name that matched exactly its Bitdefender ID and provided a tool.