PIF virus or not virus?

[Guest]

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

I got this sent to me via MSN by a friend:

omg this is funny! http://jose.rivera4.home.att.net/cute.*

(replaced * with pif for security reasons)

I noticed it was a MS-DOS executable and didn't accept/open it and
immediately warned everybody on my MSN list.

I then downloaded the file and accidently ran it! I wanted to open it in
Notepad but I accidently "opened" it and it ran!!

Now I need to know what cute.pif really did, what's its purpose? Is it a
virus? Or harmless fun? I tried doing a AVG virus scan on the file and it
came up negative. I tried searching on the web and could not find one single
imformation about this file.

HELP!

 

[Guest]

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

Kevin C. wrote:
> I got this sent to me via MSN by a friend:
>
> omg this is funny! http://jose.rivera4.home.att.net/cute.*
>
> (replaced * with pif for security reasons)
>
> I noticed it was a MS-DOS executable and didn't accept/open it and
> immediately warned everybody on my MSN list.
>
> I then downloaded the file and accidently ran it! I wanted to open it in
> Notepad but I accidently "opened" it and it ran!!
>
> Now I need to know what cute.pif really did, what's its purpose? Is it a
> virus? Or harmless fun? I tried doing a AVG virus scan on the file and it
> came up negative. I tried searching on the web and could not find one single
> imformation about this file.
>
> HELP!

Probably a virus or spyware. Run your antivirus and antispyware
software NOW!

 

[Bob123]

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

According to ISC(Internet Storm Center)...
http://isc.sans.org///index.php
....this looks to be an Instant Messanger malware attack IDed by Anti-Virus
engines as the following malware:

Backdoor.Win32.IRCBot.y
IM-Worm.Win32.Kelvir.a
Win32/Bropia.Variant!Worm

ISC states:
------------------------------------------
"The malware appears as a message from another person with a teaser such as
"hot pic!!" or "OMG look at this!!!" Following that line is a URL pointing to
a PIF file such as

parishilton.pif
cute.pif

If a user clicks the link (executes the .pif) then the infected machine will
send copies of the link to the user's IM buddies, and could cause additional
damage to the user's computer. Removal instructions are available on several
AV vendor's web sites.
------------------------------------------

So a visit to your Anti-virus service of choice seems in order. Hope this is
helpful in solving your issue.
Bob123


"Kevin C." wrote:

> I got this sent to me via MSN by a friend:
>
> omg this is funny! http://jose.rivera4.home.att.net/cute.*
>
> (replaced * with pif for security reasons)
>
> I noticed it was a MS-DOS executable and didn't accept/open it and
> immediately warned everybody on my MSN list.
>
> I then downloaded the file and accidently ran it! I wanted to open it in
> Notepad but I accidently "opened" it and it ran!!
>
> Now I need to know what cute.pif really did, what's its purpose? Is it a
> virus? Or harmless fun? I tried doing a AVG virus scan on the file and it
> came up negative. I tried searching on the web and could not find one single
> imformation about this file.
>
> HELP!
>
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

trend micro sent me this today, sounds like what your dealing with.

As of March 7, 2005, 3:05 AM (GMT - 08:00), TrendLabs has declared a Medium
Risk Virus Alert to control the spread of WORM_KELVIR.B and WORM_FATSO.A.
TrendLabs has received numerous infection reports indicating that this
malware is spreading in Korea and the United States of America.

.. WORM_KELVIR.B:
This new worm is very similar to WORM_KELVIR.A, in that it also propagates
via MSN messenger. It attempts to send the following instant message to all
online MSN messenger contacts of an affected user:

"http://home.ea<BLOCKED>link.net/gallery10/omg.pif lol! see it! u'll like
it"

When the user clicks the given URL, this worm downloads a copy of itself,
named OMG.PIF, from the given URL. When this downloaded copy is executesd,
it downloads another malware file from the Internet, which Trend Micro
detects as WORM_SDBOT.AUI.


.. WORM_FATSO.A

This memory-resident worm arrives on a system via MSN messenger, a popular
instant messaging application. It spreads copies of itself to all online MSN
messenger contacts of an affected system by sending an instant message
conataining a link, which when clicked, downloads a copy of this worm into
the recipient's system. This worm also has the ability to propagate via
eMule, a known peer-to-peer (P2P) file sharing application.

This worm is capable of redirecting infected users to a certain Web site,
which as of this writing, is already not available. It does this whenever
the user accesses Web sites that are associated with antivirus and security
companies.

It may also terminate certain running processes, and disallow them from
executing while this worm resides in the memory.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 154
Official Pattern Release 2.476.00
Damage Cleanup Template 550


For more information on WORM_KELVIR.B and WORM_FATSO.A, you can visit our
Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KELVIR.B
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FATSO.A




--
EasyFeelings
A+
MCP
MCSA

"When your computer is working good, That's an EasyFeeling"