
Yahoo Messenger virus on the loose!

I’ve been noticing that a lot of people on my YM list are sending me random messages with links to some sites. I’ve had this before and that time it was coming from my end so now I know people are just infected by a new worm somehow.

I also got this from one of my contacts:

PLS BE INFORMED IMMEDIATELY! A virus is on a rampage in Messengers. The virus name is WORM_SOHAND.I. It shows itself as an innocent IM with a link to a site and tells you it is about cool pictures. When the link is clicked, it takes control of your registry, changes your browser's homepage and prevents you from changing the homepage! After being clicked it also sends itself to everyone in your messenger list. So if you receive it, please remember DO NOT CLICK THE LINK! Just close the window or read the other offline messages. Warning: it may come from your closest friends too! PLEASE, PASS IT ON TO ALL

Anybody else experiencing this lately? I did a search and it’s not yet showing up anywhere but definitely it’s a virus/worm.

Abe Olandres

Abe is the founder and Editor-in-Chief of YugaTech with over 20 years of experience in the technology industry. He is one of the pioneers of blogging in the country and considered by many as the Father of Tech Blogging in the Philippines. He is also a technology consultant, a tech columnist with several national publications, resource speaker and mentor/advisor to several start-up companies.

53 Responses

  1. Aya says:

    How can I eliminate the virus? Some of my friends notified me that I keep on giving them weird messages which I am not aware of. Is it my YM app on CP or the account itself? I have tried deleting today my FB and YM account on my CP since both were linked.

  2. chad says:

    Hey, a problem here. @topic: I clicked and downloaded the link. Stupid me, I know. Now my laptop doesn't start; it's stuck on Windows Boot Manager. What shall I do? I'm getting paranoid. Please do tell. chady****@****.***

  3. rin says:

    Thanks, gen orino. Your info really worked to remove the virus =)

  4. jessnoe says:

    Good day to you.
    My computer is having a problem. It started when I downloaded a file yesterday.
    Occasionally when I try to open Mozilla Firefox and the other icons on Windows.

    the result was this
    At night when i turn to open my computer this was the result

    =<Java Virtual machine launcher-Invalid or corrupt jarfile C:\Progaram files\ahead\lib\NMBg monitor.exe

    =<Java virtual machine launcher-Invalid or currupt C:\windows\systems32\ctfmon.exe

    =<Java virtual machine launcher-Invalid or currupt C:\yahoo.\Messenger\yahoo messenger.exe

    =<Java virtual machine launcher-Invalid or currupt C:\program files\USB Disk Security\USB Guard exe.

    =<Java virtual machine launcher-Invalid or currupt C:Program\ALWILS-I\Avast4\ash Disp.exe.

    =<Java virtual machine launcher-Invalid or currupt C:\program files\ Messenger\msmsgs.exe.

    As I understand it, all the programs and the system were corrupted.

    What does it mean? Is it a virus? What should I do to get it back? Is there any solution aside from reformatting my computer?

    Please send me a reply…

    -When god make you-

  5. curly says:

    I have a problem: if I log in on my YM it makes my laptop freeze. I don't know what happened. Please help me!

  6. Rei says:

    OMG, I have the same issue too, mine is:

    I have problems with my YM because it keeps sending languages* and a link that I couldn't understand to my friends list, and my friend says that it was a virus, then they recommended an online scan. But when I visit bitdefender.com or avast.com, the page cannot be displayed. Can someone help me?

  7. Nararanasan din ang nararanasan nyo says:

    I experienced that too… just now.
    They say to delete your Yahoo folder first, then download it again…

  8. pandu says:

    s even i’m facing the same problem

  9. david says:

    Please help… my YM has a virus, but it's not Tagalog, it looks like Indonesian… it sends a link to everyone…
    My UST scandal remover does detect it, but when you open it again, there it is again…

  10. PCSecurityExpert says:

    Nearly all AIM’s are vulnerable because millions of people use them and few care about security. Programmers also concentrated more on design features than on security.

  11. charles says:

    Help, please! It's the AVI UST SCANDAL virus! So annoying: at first it was only on my PC, then when I opened my laptop it got the same virus too!!! Please help, how do I recover from this? Email me at charlian****@****.***. I really need to know how to recover this virus, thanks!

  12. Joven says:

    My computer is OK now. Download avast home edition and everything will be taken care of.

  13. Joven says:

    By the way, here is my email address: josh7****@****.***

  14. Joven says:

    Please help, I have the same AVI.Funny scandal virus. It is causing my Excel and printers to malfunction.

  15. A Piece of Idea says:

    What’s that YM virus tagalog version. My girlfriend actually got that virus also. Is there any way to get rid of it?

  16. jason says:

    Me, I also have the YM virus, Tagalog version. I cannot do what is right, or how to remove it. It's that "funny scandal"; it's my enemy virus of all.
    Please contact me at my YM at "jasonblue2008". Please help me with how I can remove this.

  17. Farah L. says:

    The other day I clicked on a file transfer that I thought was sent by my chatmate but I was wrong; the file is skyflake. What I did was download & save it to my desktop then run my anti virus on said file before I opened it. I just want to know if this is a virus coz last night I emailed some pics but I was told there’s one in those I sent that can’t be opened because something was attached to it that my chatmate’s anti virus won’t open. If this is a virus, did it already start to spread by attaching something to my attachments? Please, if anybody could tell me if this is the latest virus that plugs ym & suggest how to get rid of it, although I deleted the file already, would be most appreciated. TY.

  18. michale guevarra says:

    Hello again, just want to share how I removed the AVI funny UST scandal on my PC. I just downloaded the AVAST antivirus; it's really working hard. So now I can use my pm in good condition again… I got AVAST on this site: www.avast.com

  19. jake says:

    Please help! The scandal just won't go away from my YM. By the way, this is my email: gomez.****@****.*** Thanks!

  20. michale guevarra says:

    GOOD DAY TO ALL. ABOUT THE AVI UST SCANDAL FILES: I ALREADY RESTORED MY PC TO THE DATE I KNOW IT WAS WORKING PROPERLY, BUT AFTER THE RESTORE I AGAIN CHECKED MY WINDOWS & PREFETCH AND IT IS STILL THERE. I STILL CAN'T OPEN SYSTEM32 & THE RUN PROGRAM… PLEASE HELP ME, I DON'T KNOW WHAT TO DO WITH THIS FILE, I CAN'T USE MY PC PROPERLY… HELP ME PLEASE…
    XXX_STIFLER****@****.***

  21. oobi says:

    I found this pdf file that analyzed the malware:

    http://geocities.com/rahulmohandas/hacking_the_malware.pdf

    Regarding the AVIFunny file: this is also detected by AVG but is not healed by AVG. I was able to manually delete the malware files of a friend, but with difficulty. It also has a self-regenerating mechanism, as follows: registry autoloads (see above list and use the Edit > Find command in regedit to be sure such registry entries are not stored anywhere else). It also puts spurious lsas.exe and smss.exe files in the Windows directory (there are legitimate files of these names used by Windows; under Windows Task Manager, the legit files will shut down Windows if the process is stopped). An infected file in WINDOWS\system32\drivers\etc was also found. It created files in the windows/prefetch folder (some of these entries initially refused to be deleted; you may try to open it with Notepad and, if prompted that no such file exists, create one with the same name of your own just to be sure). Malware files are also found in all other partitions or separate hard disks. Search and delete carefully the malware files and cure registry settings while the modem is unplugged and in safe mode. Run AVG again after (still unplugged from the internet; if still detected, repeat the process again).

  22. Rain says:

    That kind of virus infected my PC (twice!!). Solution: restore my PC to the time when it was in good condition, and after that, I scanned my registry using the Registry Mechanic program. Just as simple as that. If you have any comments about this, please email me @ rain_ra****@****.***
    http://rainrace.blogspot.com

  23. michale guevarra says:

    Please help me on how I can remove this AVI UST FUNNY SCANDAL, because I'm afraid to open my Yahoo Messenger now, and I don't want any of my friends to get this too. Please email me; here's my email address: dy3_quicksi****@****.*** Help me please.

  24. michale guevarra says:

    Please help me on how I can remove this AVIFUNNY UST SCANDAL from my PC. Someone sent me an offline message but I didn't accept it because I'm not sure what it is. But it already entered my PC; no matter how many times I delete it, it is still there. I can't open my RUN and system32 now. Please, if anyone can help me on how to remove it, please reply…

  25. jervin domingo says:

    how do i remove this kind of virus… my friend tells me i send this kind of message:

    ình di?n xi?c “r?n tóc gáy” freewebtown.com/gaigoitanbinh/index.html

    but on my end i am not sending any..

    please email me @ jervin_rod****@****.***

    i would really appreciate if you can email me on how to delete this.. thanks

  26. gen orino says:

    download this security task manager!! it really worked for me.. you use it to detect and quarantine the dangerous files.. http://www.neuber.com/taskmanager/index.html?ref=file.net

  27. oobi says:

    Using Linux-based messengers is safe, but if you are stuck on Windows you may try www.meebo.com for a web interface connection to YM. Yahoo also has a new web interface integrated with their mail service. YM’s interface has a launchcast cache of messages (from where the malware sends the random messages); try to google how to clear it.

  28. oobi says:

    This malware calls a backup copy and reconstructs a partially healed PC. Not to mention that your default homepage may still be pointing at the online malware site (while curing the PC, unplug your internet and make sure that it points to Yahoo or Google).

    You can compare the identified malware files with those which can be hiding as backups within other folders, like the startup folder. Note the size and date of detected malware so you can delete backup copies. You have to kill/delete the running malware executable and other clone executables (usually under safe mode, to get around the file locking mechanism). Files such as host.exe and host32.exe are said to be a backup according to one site I read. See also Smithfraudfix for a possible solution.

    The registry keys you can check for possible reconstruction scripts are (using Regedit; it needs caution as you may touch sensitive data):
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Windows 95/98/ME registry includes the following seven keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

    Or, to be safe, download IE Protector And Tracks Eraser or similar apps that have an option to disable automatically loading files.

  29. Robert says:

    There's another YM virus from Vietnam, funni.exe. I have used many AVs but still couldn't detect the virus.

  30. Ryan says:

    So, it’s a virus. I thought it was only some sort of spyware that plagues the messenger and whenever you click on the links, that’s the time that you get the virus.

    A secured browser is enough to at least prevent it.

  31. problematic says:

    In my case, after doing such, i used Avg to remove it. it worked somehow, then i did this reg thing.

    click, start then run then type

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

    or just copy everything

    then click run again then type

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

    The only problem with my case was that I have an svchost.exe file in my Windows system32 but it was last modified in 2004, so I was wondering if it's the same thing. If you guys could help me clear it up, whether it's a valid file or a virus, please email me: rs****@****.***.

    Another thing: my Task Manager already works; however, I could not end the svchost process. Whenever I end it, my computer shuts down. I don’t know if it's core, but the svchost file seems to be working together with other programs, and I couldn’t delete it because it runs in several programs. Please help me, I really don’t know what to do about that.

  32. Joey says:

    Once you open the cool pics link, you are already infected, which is what happened to my computer. Same case as above: registry disabled; using Ctrl+Alt+Del, Task Manager is disabled by Administration; home page address changed to cool pics; and the one that gives me a headache is that when you're infected and Yahoo Messenger is open along with your Excel/Word program, those links are also pasted into your document twice automatically. You cannot find the Run command since this was already corrupted, and even in the Task/Start Menu it has disappeared. Question: is reformatting Windows XP Home Edition an alternative solution for 100% removal of the virus? One thing: when I opened the guest user first it was okay, and I followed your instructions, but the problem still exists on Yahoo Messenger. Thanks in advance.

  33. nelson says:

    These may help you guys.

    Svchost.exe file from clean pc should be used to replace the infected file brought about by thecoolpics.net spyware. Also svchost32.exe that may exist in windows/system32 folder must be removed. See http://www.file.net/process/svchost32.exe.html for description of what it does.

    Also, the following may be helpful in case certain changes were made by the said spyware:

    1. To Unlock Registry:

    Paste the line below to the command prompt (Start, all programs, accessories, command prompt) — >>
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

    2. To Enable TaskMgr: Paste the line below to the command prompt — >>

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

    3. To Unhide Run command: Paste the line below to the command prompt — >>

    REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

    4. To Unhide Folder Options: Paste the line below to the command prompt — >>

    REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f

    I hope this will help you. email me at: oo****@****.*** for other help.
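
Added example, not part of the thread or any commenter's code: a read-only PowerShell audit of the autostart keys oobi lists in comment 28 and the four policy values that the `REG add` commands in comments 31 and 33 reset to 0. It assumes PowerShell 3.0 or later; the function names are illustrative, and checking both hives for every key and value is a generalization beyond the thread's commands.

```powershell
# Read-only audit (added example): reports autostart entries and the lockout
# policy values named in the comments. Nothing is written to the registry.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$runSubkeys = 'Run', 'RunOnce', 'RunOnce\Setup', 'RunServices', 'RunServicesOnce'
$policyValues = @{
    'Policies\System'   = 'DisableRegistryTools', 'DisableTaskMgr'
    'Policies\Explorer' = 'NoRun', 'NoFolderOptions'
}

function Get-AutostartEntry {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in $runSubkeys) {
            $path = "$hive\$cv\$sub"
            if (-not (Test-Path -LiteralPath $path)) { continue }  # key absent on this system
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                $command = [string]$key.GetValue($name)
                # Heuristic: a quoted path, otherwise text up to the first executable
                # extension. Bare names resolved through PATH are not looked up.
                $exe = $null
                if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
                elseif ($command -match '^\s*(.+?\.(exe|com|scr|bat|cmd|pif))(\s|$)') { $exe = $Matches[1] }
                $file = $null
                if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                    $file = Get-Item -LiteralPath $exe -Force
                }
                # Size and date let you match copies of a detected file, as comment 28 suggests.
                [pscustomobject]@{
                    Key       = $path
                    Name      = $name
                    Command   = $command
                    FileFound = [bool]$file
                    Size      = if ($file) { $file.Length }
                    Modified  = if ($file) { $file.LastWriteTime }
                    Signature = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status }
                }
            }
        }
    }
}

function Get-PolicyLockout {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($sub in $policyValues.Keys) {
            $path = "$hive\$cv\$sub"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($name in $policyValues[$sub]) {
                $value = $key.GetValue($name, $null)
                if ($null -ne $value) {
                    # The thread's fix sets these to 0; any other value keeps the tool locked or hidden.
                    [pscustomobject]@{ Key = $path; Name = $name; Value = $value; Locked = ($value -ne 0) }
                }
            }
        }
    }
}

Get-PolicyLockout  | Format-Table -AutoSize
Get-AutostartEntry | Sort-Object Modified -Descending | Format-List
```

A `NotSigned` status alone is not proof of malware; treat it as a prompt to compare the file's size and date against what the antivirus flagged.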

  34. nightfox says:

    @stuck – tried using another YM client? well, in case of viruses.. if you’re using Windows – that’s somewhat hard..

  35. stuck says:

    Yeah me too facing the same problem…is there any solution to this cool pics virus problem? Its spreading leaps and bounds day by day! Please advise.

  36. stuck says:

    Yeah me too facing the same problem…is there any solution to this cool pics virus problem? Its spreading leaps and bounds day by day!

  37. nelson says:

    I have encountered this and I was able to heal my computer. I will put together the steps to heal. Just remind me or email me, so I can send the steps and the links to some hijack removal software that are needed to be downloaded.

  38. Pradeep says:

    I was also affected by the problem. Norton real protection detected and deleted the malware files. But still I was not able to unlock the internet explorer homepage, registry editor and task manager. For that I just created a new user profile and deleted the old one. That solved the problem.

  39. nightfox says:

    haha.. actually, i click anything, anywhere..

    Use Linux/Mac.

    (at least when there’s really a critical effect [from doing such things] on the system then that’ll surely challenge me and everyone in the Linux/Mac community to resolve it)

  40. ralphot says:

    yeah, i’ve posted this a few weeks back. it’s really annoying. when i login the next day, i get close to a hundred offline messages of this nature.

    a few of my officemates got affected by this too. They just tinkered with something in the registry to turn this off.

  41. eric says:

    I do get those offline messages from time to time, usually from contacts. But I never open these links since the offline messages appear to be very doubtful. It looks like the message doesn't really come from the contacts.

  42. GUrbi says:

    Me, I also received that link in my YM and it brought me to a site where I got the virus. I have posted some suggestions on how to recover from Yahoo Messenger Virus. Visit my blog for more details…

  43. Joseph says:

    I have that message whenever I open YM. But I never open the link because although the sender is on my list, we did not have a prior conversation/chat.

  44. ade says:

    @ Jepoy: even though we Firefox users are surfing safer, let’s not be complacent. ;)

  45. ade says:

    Unfortunately, even though there were sufficient warnings, people still get infected.

  46. jepoy says:

    firefox users are safe from that YM virus :)

  47. Miguel says:

    I’m now using GAIM for YM and XMPP (our internal company IM). I was using it for Windows Live (or MSN Messenger) but I believe I lost a message so I dropped it.

  48. DannyBoy says:

    I was warned early on that thru YM, virus exists. Good thing Im not using YM past days. So yup we got company.

  49. jong says:

    I have experienced this several times. But I haven’t tried clicking the links because it is unusual for my friends to give a link with a random message and stuff…

  50. Arbet says:

    Hi, check out Trend Micro’s description for the variant I http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOHANAD.I

    I had tried clicking on one of those links, and users of FireFox are somewhat safe from this. This virus shows a lot of messages and links.
