Lock IT Down: Recovering from the MsgSprd instant messaging worm

How to recover from an instant messaging worm

Computer viruses come in all shapes, sizes, and potencies. They may be e-mail attachments or document macros. Some are designed to be a nuisance; others are aimed at bringing down entire networks. Amid this jungle of electronic subterfuge, one constant exists: As new technologies emerge, the hackers, crackers, script kiddies, and phone phreaks will find ways to exploit them. Such is the case with instant messaging. This article details my experience with the MsgSprd worm, which infected my laptop through MSN Messenger. I'll first walk through the process of how I detected the worm, and then I'll explain how I removed it.

It all started innocently enough
Not too long ago, while in a chat session, MSN Messenger alerted me that the person I was chatting with wanted to send me a picture. Asked if I would allow the transfer, I quickly accepted. I knew the person on the other end and never questioned the integrity of the exchange. Having sent and received pictures on the Messenger before, I didn’t think twice. But I should have.

Right after accepting the file transfer, the friend I was chatting with told me about a virus that was spreading via Messenger. My system seemed to be running fine—no obvious signs of infection. In fact, I wouldn’t have even known that my system had been infected if not for the emergence of a strange error message at startup (see Figure A).

Figure A
At first glance, I thought this message was a result of my recent uninstallation of several applications.

It took me several weeks to make the connection between the Messenger virus I thought I had avoided and this odd system error. And I wouldn’t have realized it if not for a little good fortune and computer luck. I had taken every course of action to fix the system problem, from deleting applications and cleaning up my hard drive to defragmentation and thorough file scans. My last resort was a complete overhaul to reformat the hard drive and try a fresh installation of Windows. And just as I was about to turn down this path, I discovered a strange directory on my C: drive.

I had no idea where it came from or when it had been created. The directory was named Messenger1324 and contained two things: a small-size application and a Notepad file, as shown in Figure B. With my interest piqued, I quickly opened the Notepad file and learned my computer was the latest victim of an instant messaging worm.

Figure B
The person who wrote this virus can't even spell the word "peace" correctly.

Removing the MsgSprd worm
Everything began to make sense now. That pesky error message did first appear around the time I had that odd instant messaging session. So I followed the directions outlined in the Notepad file and ran Msconfig. Although I know following the directions of someone who's sending a virus isn't the safest course of action, I already had a backup of my essential files because I had planned to reformat the hard drive. And the instructions didn't involve doing anything exceptionally irrational like deleting my Windows directory. I figured I'd give it a try.

Sure enough, under the Startup tab, I found the application MSN Messenger, as shown in Figure C.

Figure C
By deselecting all MSN Messenger entries, I was able to stop the annoying error message and prevent MsgSprd from running at startup.

With a quick click of the mouse, I was able to stop the virus from running on startup. I was now free to erase the downloaded worm, the Notepad file, and the directory.

Unfortunately, this didn't clear the erroneous MSN Messenger entries from the Startup tab. And even though the Notepad file said the MsgSprd virus was harmless, I needed to know for sure. So I decided to check Symantec's Web site for more information.

A simple search for MsgSprd produced a detailed description of the W32.Annoying.Worm. Symantec offers information regarding how the worm is activated, how it makes contact, and most importantly, how to remove it. Now, I could really clean up my system. The process involves:
  • Terminating the application registered as MsgSprd.
  • Deleting the infected files.
  • Removing the registry value added by the worm.
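The three-step cleanup above, written out as an added PowerShell example. It is not code from the article or from Symantec's writeup; it assumes a current Windows PowerShell rather than the era's Msconfig and Regedit, uses the directory name Messenger1324 from the article, and treats the name of the worm's autostart registry value, which the article does not give, as unknown, so it flags Run entries by the path they point into instead of by name. It only reports until $DryRun is set to $false.

```powershell
# Added example, not from the article or from Symantec's writeup.
# Audits the standard Run keys, flags autostart entries pointing into the odd
# directory the article found, and performs the three-step cleanup the article
# lists: stop the process, delete the files, remove the registry value.
# Assumption: the worm's registry value name is not given in the article, so
# entries are matched on the path they launch, not on a hard-coded name.

$DryRun = $true   # set to $false after reviewing the report below

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Directory named in the article; add any other unexpected locations here.
$SuspiciousPaths = @('C:\Messenger1324')

# Registry-provider metadata that Get-ItemProperty returns alongside real values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-StartupEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Test-SuspiciousEntry {
    param([string]$Command)
    foreach ($path in $SuspiciousPaths) {
        if ($Command -like "*$path*") { return $true }
    }
    return $false
}

# 1. Report every autostart entry, marking those that launch from a flagged path.
$entries = @(Get-StartupEntries)
foreach ($e in $entries) {
    $flag = if (Test-SuspiciousEntry $e.Command) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1,-30} {2}' -f $flag, $e.Name, $e.Command
}

# 2. Clean up the flagged entries in the order the article gives.
foreach ($e in ($entries | Where-Object { Test-SuspiciousEntry $_.Command })) {
    # The executable is the first token of the command line, quotes stripped.
    $exe     = ($e.Command -replace '"', '').Split(' ')[0]
    $exeName = [IO.Path]::GetFileNameWithoutExtension($exe)

    # a) Terminate the running copy of the worm so its files can be deleted.
    Get-Process -Name $exeName -ErrorAction SilentlyContinue |
        Stop-Process -Force -WhatIf:$DryRun

    # b) Delete the dropped executable and the directory it lives in.
    if (Test-Path -LiteralPath $exe) {
        Remove-Item -LiteralPath $exe -Force -WhatIf:$DryRun
    }
    foreach ($path in $SuspiciousPaths) {
        if (Test-Path -LiteralPath $path) {
            Remove-Item -LiteralPath $path -Recurse -Force -WhatIf:$DryRun
        }
    }

    # c) Remove the autostart value so the startup error does not recur.
    Remove-ItemProperty -Path $e.Key -Name $e.Name -WhatIf:$DryRun
}
```

The report step is worth running on its own first: an entry under HKLM affects every user of the machine, and stopping a process before deleting its file is what keeps the delete from failing with a sharing violation.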

Detailed removal instructions
For detailed instructions on removing the MsgSprd worm (W32.Annoying.Worm), including removing all relevant registry entries, check out this page on Symantec's Web site.

I followed these steps, being especially careful when editing the registry. The Regedit command can work wonders, but you must be sure not to edit or delete the wrong things. I downloaded the LiveUpdate of Norton AntiVirus to delete any infected files I may have missed in my earlier removal attempts. This would also bring my version of Norton AntiVirus up to date.

To my satisfaction, things were back to normal. No strange error messages, no mysterious picture auto-sending itself on MSN Messenger, and my registry was now clean. To be on the safe side, I decided to reformat my hard drive and reinstall Windows, like I had originally planned. After a reformat, a fresh installation of Windows, the updated Norton AntiVirus, and an upload of my backed-up files, my system was as good as new.

Be wary of IM
This experience has reminded me of one very important thing: You can't afford to let your guard down in the ever-changing world of the Internet. Luckily, I was the victim of a harmless virus designed to annoy rather than damage. More harmful and destructive viruses are created every day, many of which use instant messaging as the mode of delivery. Instant messaging, because of its increased usage and popularity—especially in the workplace—must be recognized as an IT security threat.

Keeping IM under control
Does your organization have an instant messaging policy? Does your organization dictate which IM client your employees can use? Do you block instant messaging spam? Post a comment to this article to let us know how you manage IM clients in your organization.
