Skype "lol is this your new pic?" Virus

A recent virus spreading through Skype has been detected and has already infected many Skype users. Cybercriminals are targeting Skype users, this time using ransomware and click fraud on their victims. What is ransomware? It restricts access to the computer it infects, either by encryption or by locking the system and spamming prompts. Click fraud is a type of scam in which a person or a program imitates a legitimate user by clicking on an ad in order to generate revenue for another party. This Trojan sneaks into the system and opens a backdoor to download many other malicious components. The signs of infection are the usual ones: a considerably slow or even frozen system, a flood of ad pop-ups, search redirections and more. Your installed antivirus detects the presence of the infection, but when you try to delete it, the notification keeps coming back after every reboot. This way you won't be able to scan it completely.


This virus displays a message in your Skype window like "lol is this your new pic?" followed by some link or your name. Anyone with common sense would be suspicious of this link. When you click on it, you suddenly see a list of your friends to whom this same message will be sent. The same is the case with MSN.

GFI detects the malware as Backdoor.Win32.Hupigon, Sophos detects it as Troj/Agent-YCW or Troj/Agent-YDC, and Trend Micro just calls it a variant of the Dorkbot worm (also known as NRGbot). If you click the link, you will end up with a zip file on your PC. Running the executable inside (skype_02102012_image.exe or skype_06102012_image.zip or skype_08102012_image.zip) will infect the PC and will leverage a Java exploit via BlackHole 2.0. A warning is then displayed.

The Trojan horse opens a backdoor that communicates with a remote server via HTTP, allowing the attacker to take control of your PC. Don't click on links sent to you via Skype or any other instant messaging service. Also make sure that you don't extract any such zip file or open any file inside it. It has been observed that when all this is occurring, Windows warns you that “The publisher could not be verified, are you sure you want to run this software” – listen to it and click Cancel. Thanks to thenextweb.com for all this information.

How to remove this virus:

There are many options available to remove this virus. The very first thing you have to do is change your Skype password immediately: https://login.skype.com/account/password-reset-request
Try to use a PC that is not infected by this virus to change your password.

1. Click Tools in Skype -> Options -> Advanced.
2. Choose "Manage Other Programs Access to Skype", and remove any unknown application (if any).

Then go to the Windows search bar and type %appdata%, then select Roaming.
Delete the unnecessary file/folder. The name of the file/folder may vary. Then reboot the PC.

If you are still having the problem, please use this method, which I used when my PC was infected with the Live Security Platinum virus, which is similar to this Skype virus.

Please follow the steps below to remove the virus from your system:


1. To begin with, reboot your infected PC.

2. As your computer begins to boot, press the F8 key continuously. A screen will appear which says "Advanced Boot Options" or "Windows Advanced Options Menu".

3. Using your arrow keys, select "Safe Mode with Networking" and press the 'Enter' button.


4. You will now be in Safe Mode with networking.

5. Now start Internet Explorer and go to Tools -> Internet Options.


6. From the Internet Options window, select the Connections tab and click on LAN Settings.


7. Uncheck the option "Use a proxy server for your LAN".
This should remove the malicious proxy server and allow you to use the internet again.


8. Now download and install Malwarebytes Anti-Malware Free from this link.
(This link will open a download page in a new window from where you can download Malwarebytes Anti-Malware Free)

9. When the installation begins, keep following the prompts in order to continue with the setup process.
  • Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware options checked. 
  • Then click on the Finish button. If Malwarebytes prompts you to reboot, please do not do so.

10. Malwarebytes Anti-Malware will now start and you’ll be prompted to start a trial period. Please select ‘Decline’, as we just want to use the on-demand scanner.

11. On the Scanner tab, select Perform full scan and then click on the Scan button to start scanning your computer.


12. Malwarebytes’ Anti-Malware will now start scanning your computer for malicious files.


13. When the scan is finished a message box will appear, click OK to continue.
  • You will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected. 
  • Make sure that everything is Checked (ticked) and click on the Remove Selected button.

14. Malwarebytes’ Anti-Malware will now start removing the malicious files.
After completing this task it will display a message stating that it needs to reboot. Please allow this request and then let your PC boot in Normal mode.

Manual Removal of Skype Virus:

In the Registry Editor, find all registry entries of Win32/Sirefef.FB.Gen and then remove them all.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “[random].exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon [Trojan.Win32.Generic!BT]

Note: Try the manual steps only if you are experienced with the registry and know the ins and outs of it. Also, don't forget to back up your registry before trying the above manual steps. Any wrong modification to the Windows registry can lead to a permanent or partial system crash.
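
The checks above can be reviewed in one pass before anything is edited by hand. The PowerShell script below is an added example, not part of the original post: it backs up the Run and Winlogon keys, then only reads and reports the autostart entries, the Winlogon Shell value, the LAN proxy setting from step 7 and the newest items under %appdata%. The backup folder name is an assumption; ProxyEnable and ProxyServer are the registry values behind the "Use a proxy server for your LAN" checkbox.

```powershell
# Added example: read-only audit of the locations this post names. Nothing is deleted.

# 1. Back up the keys first, as the note above advises.
$backup = Join-Path $env:USERPROFILE 'RegBackup'   # assumed backup folder
New-Item -ItemType Directory -Path $backup -Force | Out-Null
reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' "$backup\hkcu-run.reg" /y | Out-Null
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' "$backup\hklm-run.reg" /y | Out-Null
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' "$backup\winlogon.reg" /y | Out-Null

# 2. List every autostart value and flag commands that live under %appdata%.
function Get-RunEntry {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        New-Object PSObject -Property @{
            Key       = $Path
            Name      = $name
            Command   = $data
            InAppData = $data.ToLower().Contains($env:APPDATA.ToLower())
        }
    }
}
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKeys | ForEach-Object { Get-RunEntry $_ } |
    Format-Table Name, InAppData, Command -AutoSize -Wrap

# 3. Winlogon Shell: the Windows default is explorer.exe; anything else needs a look.
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -ne 'explorer.exe') {
    Write-Warning "Winlogon Shell is '$shell' (Windows default is explorer.exe)"
}

# 4. LAN proxy (step 7): report a proxy the user did not configure.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    Write-Warning "LAN proxy is enabled: $($inet.ProxyServer)"
}

# 5. Newest files and folders directly under %appdata% (Roaming), hidden ones included.
Get-ChildItem $env:APPDATA -Force | Sort-Object LastWriteTime -Descending |
    Select-Object -First 10 Name, LastWriteTime | Format-Table -AutoSize
```

A Run entry marked InAppData, or an unexpected proxy or Shell value, is only a pointer for review; the exported .reg files can be re-imported if a manual edit goes wrong.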

Follow all the above given steps to remove this virus. If you encounter any problem please comment below for any help.

Cheers!!!

