Tuesday, July 03, 2007

Windows Live Messenger, Infected.

First and foremost, let me apologize to whoever got spammed, or worse, affected by accepting and running a particular file sent out by the worm that infected my Windows Live Messenger (WLM) yesterday. I seek your forgiveness; my deepest apologies to each and every one of you.

Honestly, it's truly embarrassing for me, as an individual in the IT profession, to be infected in the first place; such a display of carelessness is totally unacceptable. I shall punish myself by running around the office block a hundred times. Actually, there's no one to blame but myself for being tricked into executing the file (btw, the file I received was entitled photo-album, sent by the girlfriend of a UniHouseMate). Fortunately, it's nothing serious, else I would definitely be in the deepest shit possible. Now for a little knowledge-sharing session regarding the effect of executing the worm (from my own understanding and research; do correct me if I've made any mistakes).

To be exact, it's W32.SillyIRC, a variant of the W32.Silly family of worms that spread using IRC-based applications. When executed, it quickly spreads to every single individual in your WLM contact list by attaching itself to esent.dll (Server Database Storage Engine Library), one of the required system processes in Windows. The first thing to do when you find out you've been affected (WLM chat boxes rapidly popping up, semi-hanging your machine) is to close Messenger. You can do so by pressing CTRL+ALT+DEL to bring up the Task Manager, then, under the Processes tab, kill off msnmsgr.exe.

Next, ensure that the virus definition file of your antivirus is up to date and run a full scan on your system drive (normally, that would be the C drive). When done, you should be able to see the file W32.SillyIRC listed in the scan result; delete the file (some antivirus products might be set to automate the deletion/quarantine process). This should be sufficient, as the source has already been removed, but I took it one step further by running a FULL uninstallation of WLM (including removal of the contacts folder) and then ran a full system scan again on the machine, just because it's company property. I only reinstalled WLM when the scan yielded a satisfying result.
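The first-response steps described above (kill the Messenger process, then check the system file the worm is said to attach itself to) can be scripted. The following is an added example written for this page, not code from the original post or from any antivirus vendor; it assumes a Windows PowerShell 4 or later session (for Get-FileHash), that the Messenger process is still named msnmsgr.exe, and that esent.dll lives in the default System32 location. It does not replace the full antivirus scan the post recommends.

```powershell
# Added example (not from the original post): scripted version of the post's
# first-response steps. Assumes PowerShell 4+ (Get-FileHash) and the default
# System32 path for esent.dll; the process name is the one named in the post.

function Invoke-MessengerWormTriage {
    param(
        [string]$ProcessName = 'msnmsgr',                              # WLM process named in the post
        [string]$SystemDll   = "$env:SystemRoot\System32\esent.dll"    # file the post says the worm attaches to
    )

    # Step 1: stop Messenger so it can no longer spam the contact list.
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if ($procs) {
        $procs | Stop-Process -Force
        Write-Host "Stopped $(@($procs).Count) '$ProcessName' process(es)."
    } else {
        Write-Host "No '$ProcessName' process running."
    }

    # Step 2: integrity check on esent.dll. The genuine file is Microsoft-signed;
    # a modified copy will not validate. Record the hash so it can be compared
    # against a known-good copy from clean installation media.
    $sig  = Get-AuthenticodeSignature -FilePath $SystemDll
    $hash = (Get-FileHash -Path $SystemDll -Algorithm SHA256).Hash

    [pscustomobject]@{
        File            = $SystemDll
        SignatureStatus = $sig.Status                      # 'Valid' on a clean, embedded-signed file
        Signer          = $sig.SignerCertificate.Subject   # expect a Microsoft subject
        SHA256          = $hash
    }
}

Invoke-MessengerWormTriage
```

One caveat: many Windows system DLLs are catalog-signed rather than carrying an embedded signature, so a SignatureStatus of NotSigned on older Windows versions is not by itself proof of tampering. Treat the hash as the durable evidence (compare it with a known-good copy or let `sfc /scannow` verify protected system files), and still run the full antivirus scan with current definitions as the post describes.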

For me, so far, so good *touch wood*. Hope the above provides you with some lead/assistance, should you ever require it.
