Yahoo Messenger Michael Jackson virus

A friend of mine got infected via Yahoo Messenger. The virus spreads by mass-messaging the following message:

HAHA Michael Jackson Gay 😀 >> http://looool.machiaeljack**

The link takes you to something that looks like a picture, but because the file name ends with what appears to the user to be a web address, the final extension is .com, not .jpg, and so you get tricked into running an executable.
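A check that an IM or mail gateway could apply to the lure described above, as an added example that is not part of the original post. The extension lists, host names and sample links are assumptions constructed for illustration; only the .com and .pif extensions and the MichaelJackson_SUCKS.PIF name come from this page.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed lists: extensions Windows launches on double-click (.com and .pif
# are the ones this post names) and picture/web-address text used as the decoy.
EXECUTABLE_EXTS = {".com", ".pif", ".exe", ".scr", ".bat", ".cmd"}
DECOY_MARKERS = (".jpg", ".jpeg", ".png", ".gif", ".bmp", "www.")

LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def final_name(link):
    """Last path segment of the link: the file name the user is offered."""
    path = unquote(urlsplit(link).path)
    # Windows ignores trailing dots and spaces, so drop them before judging.
    return posixpath.basename(path).rstrip(". ").lower()


def classify(link):
    """Return 'no-file', 'ok', 'executable' or 'masquerade' for one link."""
    name = final_name(link)
    if not name:
        return "no-file"      # bare site address: the host's .com is not a file
    stem, ext = posixpath.splitext(name)
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    if any(marker in stem for marker in DECOY_MARKERS):
        return "masquerade"   # picture or web-address text before a runnable extension
    return "executable"


def flag_message(text):
    """List (link, verdict) for every link in a chat message that would run code."""
    hits = []
    for link in LINK_RE.findall(text):
        verdict = classify(link)
        if verdict in ("executable", "masquerade"):
            hits.append((link, verdict))
    return hits


if __name__ == "__main__":
    # Constructed sample message; the link is a placeholder, not the worm's URL.
    sample = "HAHA >> http://files.example/IMG0042.JPG-www.pictures.example.com"
    for link, verdict in flag_message(sample):
        print(verdict, link)
```

The verdict depends only on the last path segment, so an ordinary site address ending in .com is not flagged while a downloadable file whose name ends in .com is.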

Automatic removal can be done with the Kaspersky Virus Removal tool.

Manual removal is as follows:

Remove these files (use Unlocker if needed):

C:\Documents and Settings\<user>\Local Settings\Temp\174094.exe
C:\Documents and Settings\<user>\Local Settings\Temp\MichaelJackson_SUCKS.PIF (or any other similar .pif file containing Michael Jackson in the name)
C:\Documents and Settings\<user>\Local Settings\Temp\svchost32.exe
C:\Documents and Settings\<user>\Local Settings\Temp\vshost32.exe

The last two will be on every partition your system has. Reboot, and once Windows has started, go to My Computer and DON'T double-click the disks; right-click, choose Explore, and erase vshost.exe and autorun.inf from every partition in your system.

Also remove the following registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BootMgr"="C:\DOCUME~1\\LOCALS~1\Temp\svchost32.exe"