PIF virus or not virus?

Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

I got this sent to me via MSN by a friend:

omg this is funny! http://jose.rivera4.home.att.net/cute.*

(replaced * with pif for security reasons)

I noticed it was a MS-DOS executable and didn't accept/open it and
immediately warned everybody on my MSN list.

I then downloaded the file and accidently ran it! I wanted to open it in
Notepad but I accidently "opened" it and it ran!!

Now I need to know what cute.pif really did, what's its purpose? Is it a
virus? Or harmless fun? I tried doing a AVG virus scan on the file and it
came up negative. I tried searching on the web and could not find one single
imformation about this file.

HELP!
3 answers Last reply
More about virus virus
  1. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    Kevin C. wrote:
    > I got this sent to me via MSN by a friend:
    >
    > omg this is funny! http://jose.rivera4.home.att.net/cute.*
    >
    > (replaced * with pif for security reasons)
    >
    > I noticed it was a MS-DOS executable and didn't accept/open it and
    > immediately warned everybody on my MSN list.
    >
    > I then downloaded the file and accidently ran it! I wanted to open it in
    > Notepad but I accidently "opened" it and it ran!!
    >
    > Now I need to know what cute.pif really did, what's its purpose? Is it a
    > virus? Or harmless fun? I tried doing a AVG virus scan on the file and it
    > came up negative. I tried searching on the web and could not find one single
    > imformation about this file.
    >
    > HELP!

    Probably a virus or spyware. Run your antivirus and antispyware
    software NOW!
  2. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    According to ISC(Internet Storm Center)...
    http://isc.sans.org///index.php
    ....this looks to be an Instant Messanger malware attack IDed by Anti-Virus
    engines as the following malware:

    Backdoor.Win32.IRCBot.y
    IM-Worm.Win32.Kelvir.a
    Win32/Bropia.Variant!Worm

    ISC states:
    ------------------------------------------
    "The malware appears as a message from another person with a teaser such as
    "hot pic!!" or "OMG look at this!!!" Following that line is a URL pointing to
    a PIF file such as

    parishilton.pif
    cute.pif

    If a user clicks the link (executes the .pif) then the infected machine will
    send copies of the link to the user's IM buddies, and could cause additional
    damage to the user's computer. Removal instructions are available on several
    AV vendor's web sites.
    ------------------------------------------

    So a visit to your Anti-virus service of choice seems in order. Hope this is
    helpful in solving your issue.
    Bob123


    "Kevin C." wrote:

    > I got this sent to me via MSN by a friend:
    >
    > omg this is funny! http://jose.rivera4.home.att.net/cute.*
    >
    > (replaced * with pif for security reasons)
    >
    > I noticed it was a MS-DOS executable and didn't accept/open it and
    > immediately warned everybody on my MSN list.
    >
    > I then downloaded the file and accidently ran it! I wanted to open it in
    > Notepad but I accidently "opened" it and it ran!!
    >
    > Now I need to know what cute.pif really did, what's its purpose? Is it a
    > virus? Or harmless fun? I tried doing a AVG virus scan on the file and it
    > came up negative. I tried searching on the web and could not find one single
    > imformation about this file.
    >
    > HELP!
    >
    >
    >
  3. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    trend micro sent me this today, sounds like what your dealing with.

    As of March 7, 2005, 3:05 AM (GMT - 08:00), TrendLabs has declared a Medium
    Risk Virus Alert to control the spread of WORM_KELVIR.B and WORM_FATSO.A.
    TrendLabs has received numerous infection reports indicating that this
    malware is spreading in Korea and the United States of America.

    .. WORM_KELVIR.B:
    This new worm is very similar to WORM_KELVIR.A, in that it also propagates
    via MSN messenger. It attempts to send the following instant message to all
    online MSN messenger contacts of an affected user:

    "http://home.ea<BLOCKED>link.net/gallery10/omg.pif lol! see it! u'll like
    it"

    When the user clicks the given URL, this worm downloads a copy of itself,
    named OMG.PIF, from the given URL. When this downloaded copy is executesd,
    it downloads another malware file from the Internet, which Trend Micro
    detects as WORM_SDBOT.AUI.


    .. WORM_FATSO.A

    This memory-resident worm arrives on a system via MSN messenger, a popular
    instant messaging application. It spreads copies of itself to all online MSN
    messenger contacts of an affected system by sending an instant message
    conataining a link, which when clicked, downloads a copy of this worm into
    the recipient's system. This worm also has the ability to propagate via
    eMule, a known peer-to-peer (P2P) file sharing application.

    This worm is capable of redirecting infected users to a certain Web site,
    which as of this writing, is already not available. It does this whenever
    the user accesses Web sites that are associated with antivirus and security
    companies.

    It may also terminate certain running processes, and disallow them from
    executing while this worm resides in the memory.


    TrendLabs will be releasing the following EPS deliverables:

    TMCM Outbreak Prevention Policy 154
    Official Pattern Release 2.476.00
    Damage Cleanup Template 550


    For more information on WORM_KELVIR.B and WORM_FATSO.A, you can visit our
    Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KELVIR.B
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_FATSO.A


    --
    EasyFeelings
    A+
    MCP
    MCSA

    "When your computer is working good, That's an EasyFeeling"
Ask a new question

Read More

MSN Virus Microsoft Windows XP