Posts tagged: windows

Shocking Customer Service

By , January 24, 2008 6:30 pm

I have an install disc for Windows XP, and an upgrade license. I actually have all of the original discs for the upgrade path still. I have even been diligent enough to remove it from previous PCs when I have done a major platform upgrade.

In other words, I have been very careful to jump through all of Microsoft’s little hoops to legally use their software. During my recent adventures in Linux I accidentally turfed my NTFS partition – it was readable from Linux but no longer recognized by Windows even in safe mode or from the recovery console.

This past weekend I set aside some time to clean up that mess, and reinstall everything. I loathe doing it because my XP disc is an original release so I have to download many gigabytes of updates to get current. Big snag – likely due to all of my hardware changes over the years, my license key appears to have been flagged as invalid.

This is quite annoying since as I have previously stated – to the best of my knowledge I have done everything Microsoft asks of me in the license. I have been putting off calling their tech support out of fear of being on the phone for a long time and (since their servers seem to think I’m a software pirate) being told I am out of luck.

Here is the shocking part: This was one of the fastest, easiest and most pleasant support experiences I have ever had! After going through their voice activated phone system, I was promptly transferred to a human being – I had to wait at most 30 seconds for this to occur. I have made some overseas calls before, and the time it took to connect was comparable.

I have no doubt that I was speaking to someone over in India or the surrounding area since that’s the support trend, and the representative had an Eastern accent. She asked me a few basic questions – what is the first group of numbers on the screen, did the software come with my PC, is it installed on any other PCs and is this the first time I have tried to activate it. (######; no; no, but it has been and has since been removed; and of course no again.)
She then had me enter a sequence of numbers into the boxes on the screen, which she relayed very clearly, and voilà! Everything is up and running.

On the whole, I do not like Microsoft’s registration system – but I give them grudging kudos for making the telephone activation painless and efficient. Then again, maybe I just got an experienced agent – I wish I had recorded her name so I could sing her praise via an email to Microsoft.

Now, if only they could make their operating systems as efficient…

Social Viruses

By , April 19, 2007 12:01 pm

Edit (April 30/07): This post has been generating a lot of traffic as the described worm spreads. For those looking for a solution, skip ahead to the numbered steps below.

When you manage a group of PCs in an Internet-connected network, one of the top concerns always ends up being security. This is no easy task, since there is an enormous amount of effort in the underground community to create software that can defeat whatever software you’re using to keep it out.

We’ve all heard the stories of how hackers exploit holes in the Windows operating system, and Microsoft’s solution to this (with Vista) is to prompt the user for nearly everything – which brings me to today’s point. Even the best designed security system can (and likely will) fail at the user level.

There’s a worm making its way around the Internet at the moment that exploits this user-level weakness rather well. On an infected system it hijacks MSN Messenger, sending a message to everyone on the contact list with rather innocent-seeming text. It asks them whether they are in a particular picture on a website, with a URL that plausibly looks like a social networking or photo hosting site. With the rising popularity of these kinds of sites (such as Facebook or MySpace) it’s almost forgivable to be duped by this. The particular message is ‘is that you on this photo [url not included] :o ’.

Of course, once the link is clicked and Internet Explorer loads the URL, the page serves an executable rather than a photo. If it runs, it immediately hooks itself into the operating system and loads a bundle of adware, viruses and other malware onto the PC. It then hijacks MSN on the new host PC and continues to spread in the same manner.
If your Windows PC is up to date with service packs and updates, Internet Explorer will prompt you, asking whether you want to run this application – clicking ‘no’ leaves your PC unaffected.
Clicking ‘yes’ runs an application named ‘oo.exe’, which copies itself to multiple locations on the hard drive, along with a file called ‘Net’ that looks like an application installer.

For non-technical people, here’s where things get really ugly. Instantly the adware starts loading pop-ups on your screen, the malware attacks MSN and attaches itself into your OS, and finally a couple of viruses start stealing your personal information and trying to open a back door into the system to enable remote control of the PC. Other than the pop-ups, you’d have no way of knowing this was happening.

Some of the virus activity will be detected by Norton Antivirus (or whatever product you use) and deleted; however, the other components (particularly the hook into the OS) go undetected. The component that gets deleted will invariably be re-downloaded within half an hour if you’re still connected online, because the surviving hook fetches it again.
The easy solution? Immediately pull the plug on your Internet connection, back up your data to a CD, and perform a system restore (reinstalling Windows from your restore or install CD) before your PC joins the zombie army.

Anyone who has had to do this before knows it’s a huge pain to do a Windows restore, reinstall your applications and recover your data. Now, before I get into the nitty-gritty geek details of the more difficult solution, let me just make a little prediction – with the shift in security focus from software to user on Vista, we’re going to see a lot more of these evil programs faking their way through, using the user as the weakest link.

Ok, so you’ve got things to do and feel technically competent enough to take over where your security software failed. What follows is how I removed this particular threat from two PCs under my care. I make no guarantee that this will work for you, and cannot stress enough that you should make a backup of anything you don’t want to lose – one mistake and you could render your system unusable and be doing a system restore anyways!

Step 1) Reduce the Threat

Go to Add or Remove Programs in the Control Panel and uninstall Messenger. Next, open the Task Manager (by pressing ctrl-alt-delete) and end all running processes related to MSN Messenger (generally ‘msnmsgr.exe’). Follow this by opening your Program Files folder and renaming all MSN Messenger related folders to something else. Since we can’t easily shut down the virus on a live system (more on that in a minute) we need to do the next best thing and prevent it from spreading or reactivating itself.

Step 2) Track Down the Source

From Internet Options in the Control Panel, clear your temporary Internet files.
Next, you’re going to need a copy of a program called ‘HijackThis!’. Scan your system and look for a strangely named .dll file in the c:\windows\system32\ directory that is listed twice in the log: once as a BHO (browser helper object, the ‘O2’ lines) and further down under ‘Winlogon Notify:’ (the ‘O20’ lines). If you’re not familiar with the system32 directory the names will all look strange, so the test is not the name itself – make sure the same file appears in both of the places above. Legitimate Winlogon Notify packages exist, but on a normal system none of them is also registered as a browser helper object.

Write down the name of this file. These entries also gave me a clue as to how this threat operates.

Step 3) Know Thine Enemy

Because the .dll is registered as a Winlogon notification package, winlogon.exe loads it at startup, before anyone logs on, and keeps it loaded. This applies in safe mode too, since winlogon.exe runs the same way there as in a normal boot. Winlogon is a key component of the operating system: terminating it crashes or restarts the system, so Windows refuses to let you end the process. Since you can’t end the process, the .dll stays mapped into it and the file stays locked, and a locked file can’t be deleted while Windows is running. Since you can’t delete it, it loads with the OS at every startup no matter what you do.

Step 4) Take a cue from the Daleks: EXTERMINATE!

Now, here’s where things get a little tricky – you need to restart the PC with a Windows XP install CD. If you’re running a brand name PC, you likely don’t have one, you’ll have a restore CD instead… This is not the same thing, and will be of no use for this purpose.
Be very-very careful at this point – selecting an incorrect option could render your system unusable, or erase all of your data!
Make sure you’re booting from the CD-ROM or DVD-ROM, not your hard-disc. Once everything is loaded you’ll be on a blue screen with three options – we want the second one, the Recovery Console. This will ask you which Windows installation you want to work with – in most cases there is just one, and you’ll enter 1, followed by your Administrator password when prompted.

This brings us to a command line reminiscent of DOS, and many old DOS commands work here. The console starts in the Windows folder (usually C:\WINDOWS), so first type ‘cd system32’. Remember that file name we wrote down from ‘HijackThis!’? Type ‘del {filename.dll}’, substituting the name you wrote down. With winlogon.exe not running, nothing holds the file open, so the deletion succeeds and the virus’ OS hook is gone. Type ‘exit’ and reboot normally.

Step 5) Cross Your Fingers

After you logon, it might appear to take a little longer than usual – this is OK, Windows is looking for the file we deleted and happily cannot find it.

Step 6) Clean Up Afterwards

Now that we’re back up, run ‘HijackThis!’ again and tick the box beside the two entries from before. Click ‘fix’ and when it’s done, run a scan again. If those two entries are gone, congratulations! Make sure your anti-virus is up to date and run a full system scan. If they didn’t go away, it’s likely you have either a different virus or other issues as well.
Running a complete spyware scan with one or more of the available utilities would also be prudent at this point.

You’ll have to download and reinstall Messenger to be able to use it again. Although I’ve tried to be as basic and concise about these instructions, if you have doubts about any of these steps – just do the System Restore.

Step 7) Where To Go From Here

A few final technical notes – the virus generates several files in the system32 folder, which you’ll likely want to remove as well. Assuming you’re doing this right away after discovering the virus, sorting the files (in Details view) by date should bring the recently created files to the top (or bottom). Check each one’s properties: if the Version tab doesn’t say it was created by Microsoft, and the file was created on the day of the infection or later, you can (probably) delete it. Be careful here, since Windows Update can also drop new files into system32 on the same day. You will also want to search for ‘oo.exe’ – open the folder each occurrence appears in and delete it, along with the Net application.
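Added example, not part of the original post: the check in Step 2 and the commands in Step 4 reduce to a small cross-reference over the HijackThis log, which is worth automating if you are cleaning more than one PC. The script below parses a log in the shape HijackThis prints (O2 lines for browser helper objects, O20 lines for Winlogon Notify packages), reports any DLL registered in both places, and produces the Recovery Console commands that would delete it. The log text, the CLSIDs and the file name qwxztv.dll are all constructed for illustration and are not taken from the real worm.

```python
"""Cross-reference the O2 (BHO) and O20 (Winlogon Notify) lines of a
HijackThis-style log to find a DLL registered in both places, then
produce the Recovery Console commands that would delete it.
Added example for this post; not part of the original procedure."""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample log in the shape HijackThis prints (O2 = browser
# helper objects, O20 = Winlogon Notify packages).  Every name, CLSID and
# path is invented for illustration; "qwxztv.dll" stands in for the oddly
# named DLL the post says to look for and is not a real malware file name.
SAMPLE_LOG = """\
O2 - BHO: Acrobat helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Adobe\\AcroIEHelper.dll
O2 - BHO: (no name) - {ABCDEF01-2345-6789-ABCD-EF0123456789} - C:\\WINDOWS\\system32\\qwxztv.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: qwxztv - C:\\WINDOWS\\system32\\qwxztv.dll
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")


def parse_log(text: str) -> Dict[str, List[str]]:
    """Return {"bho": [paths], "notify": [paths]} from a log.

    Paths are lower-cased so that 'SYSTEM32' and 'system32' compare equal,
    as they do on an NTFS volume."""
    found: Dict[str, List[str]] = {"bho": [], "notify": []}
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            found["bho"].append(m.group("path").strip().lower())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            found["notify"].append(m.group("path").strip().lower())
    return found


def find_double_registered(text: str) -> List[str]:
    """DLLs that appear both as a BHO and as a Winlogon Notify package.

    A legitimate Notify package (WgaLogon.dll in the sample) is not also a
    BHO, so the intersection of the two lists is the suspect set."""
    entries = parse_log(text)
    return sorted(set(entries["bho"]) & set(entries["notify"]))


def recovery_console_commands(paths: List[str]) -> Tuple[List[str], List[str]]:
    """Commands to type at the Recovery Console, which starts in the
    Windows folder, to remove the suspect files under system32.

    Returns (commands, skipped): files outside system32 are returned in
    'skipped' for manual handling rather than deleted blindly."""
    commands: List[str] = []
    skipped: List[str] = []
    for path in paths:
        folder, name = ntpath.split(path)
        if folder.endswith("\\system32"):
            if "cd system32" not in commands:
                commands.append("cd system32")
            commands.append(f"del {name}")
        else:
            skipped.append(path)
    commands.append("exit")
    return commands, skipped


if __name__ == "__main__":
    suspects = find_double_registered(SAMPLE_LOG)
    print("double-registered DLLs:", suspects)
    cmds, left = recovery_console_commands(suspects)
    print("\n".join(cmds))
    if left:
        print("handle manually:", left)
```

Run it against a real log by replacing SAMPLE_LOG with the log file’s contents; the commands it prints are the ones to type after booting the install CD into the Recovery Console as in Step 4. It only proposes deletions for files under system32, matching the post’s fix, and leaves anything elsewhere for you to judge.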

Did this help? I’ve recently edited the solution for clarity. Please leave a comment.

Windows Vista

By , March 6, 2007 7:39 pm

As a technical analyst and general computer busybody I tend to get a chance to play with Microsoft’s operating systems as they come out. I received upgrade versions of Windows ME and Windows XP from Microsoft sales representatives while working retail, and now I’m using Windows Vista at work to test our software.

The Good
Let’s get this over with since, sadly, it’s the short bit and not without reservations. Vista is more secure than previous Windows, given that applications appear to be unable to launch without explicit permission. The shutdown feature is quick – like you’d expect it to be (unlike XP). Booting Vista seemed to be reasonably quick – XP takes a long time, but then again so does Linux. I say reasonably quick because on a clean install, XP boots quite quickly too but I didn’t have such a thing handy to compare.

A Kludge
As a long-time programmer of Windows I can see where Microsoft was coming from with some of their changes. In their developer documentation they inform you that your code should not write to the application’s install directory but rather use the system registry or the user’s own folders. However, this was not enforced by the operating system (as it would be on a true multi-user system) and many applications totally ignored the advice. Microsoft’s solution was to virtualize this behaviour. Application installers put the program in one location, but when a legacy application tries to write to a protected location such as its own folder under Program Files, Windows intercepts the file access and silently redirects it to a per-user folder (the VirtualStore under the user’s local application data). So, it’s partially backwards compatible, partially not, and either way an ugly kludge.
