F Secure have received reports from customers of suspicious pop-ups that were being spammed through MSN Messenger. Below is a sample message:
lol check 🙂 http://peopleonline.pe.funpic.de/[REMOVED].pif
When the link in the message is clicked, it automatically downloads a file named photo942.PIF. This file is the backdoor component of Licat.C This is used to connect to go.cheap[Removed].info and go.links4[Removed].biz
These websites contains a malicious IP address. Access to this address will again download other malware and adware from www.uglyphotos.net/[Removed] and execute it on the infected machine.
One of the downloaded files is responsible for the pop-up messages that are being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe. This file is also detected as IM-Worm.Win32.Licat.c.
Licat.C, a variant of Licat, is a Trojan. Licat.C can send instant messages or contact certain websites to inform malware authors about certain events and allows downloading files on the infected computer. Licat.C tries to connect to certain websites on Internet.
Licat.C also attempts to replace the original MSN Messenger application client, msnmsgr.exe, with its own copy. The original Messenger file is renamed and is started by the copy. Deleting the Licat.C copy and renaming the original file, msgs.exe, may repair the installation of Messenger.
The other downloaded files are adware related. One is a trojan that drops a variant of PurityScan adware onto the system – detected as Trojan-Dropper.Win32.PurityScan.ag. The other is a Softomate adware installer – detected as Softomate toolbar.
Use the following instructions to remove MSN Worm and associated adware and malware.
1. Using SuperAntispyware.
- Download SUPERAntiSpyware.
- Close all programs and Windows on your computer.
- Double Click SUPERAntiSpyware.exe to install the application.This will start the installation of SUPERAntiSpyware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing click on the Finish button.
- You will see a message stating that you should update the program before performing a scan. Click Yes. As SUPERAntiSpyware will automatically update itself.
- You will see SUPERAntiSpyware setup wizard. Follow the prompts. To close the Wizard press Finish.
- Protect home page dialog will be open. Click on the Protect Home Page button.
- You will now be at the main program.
- Click Scan your computer. Click Next.
- The scan may take some time to finish,so please be patient. When the scan is complete, result of scanning will be open, click OK.
- Click Next to start removing the found threats.
- If you are asked to reboot the machine, choose Yes.
2. Using Malwarebytes Anti-Malware.
- Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
- Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
Note: Use both antispyware programs for maximum effect.
If you need help with the instructions, then post your questions in our Spyware Removal forum.
