Security Alert: “Biet tin gi chua, vao day coi di” Virus on Yahoo Messenger

April 18, 2010


The Vietnamese phrase “Biet tin gi chua, vao day coi di” may not sound familiar to you, but if you get this message from one of your Yahoo Messenger contacts, you should let them know that a virus sitting on their computer is sending it automatically without their knowledge.

Yes, you read that right. It was a virus, and I got the same message via my messenger client and on my mobile phone as a text message when I was offline.

Yahoo Messenger Virus

“Biet tin gi chua, vao day coi di” run through Google Translate into English comes out as “Know what sour news, the day regarded mobile”, although I’m not sure it is the correct translation; only native Vietnamese speakers can actually make the correction. Whether the translated phrase literally makes sense or not, technically it does, because you have to advise your contact that they have some serious PC disinfecting to do.

It’s weird that this issue can be traced back 2 years, yet it still comes back to this day to haunt innocent users.

If you ever receive this message, which normally comes with a link to a certain website, don’t fret: your PC is safe (as long as you didn’t click on the link), but your contact’s isn’t.

Let them know that they need to run a full computer scan, but they may have to update their antivirus first. If the threat isn’t detected after the scan, they may have to edit the registry, although I don’t recommend doing it. If you’re not sure of what you’re doing, you do it at your own risk, so be extra careful.

A certain forum cited some steps; however, the language is Malay, so I opted to translate the text through Google, and here it is:

Firstly, to remove the virus:
» Disable System Restore
» Try to update anti-virus, scan online or at www.bitdefender.com (use Internet Explorer)
» Complete the virus scan; if still available … then reboot the computer in safe mode (press F8).
» Go to Start » Run » type regedit » OK
Navigate to this value:

Find and delete the value.

HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Run [last directory]
see the right value » "Yahoo Messenger" = "C:\WINDOWS\system32\SSVICHOSST.exe"

with

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon [last directory]
see the right value » "Shell" = "Explorer.exe SSVICHOSST.exe"

Note: SSVICHOSST.exe <- worm

Then … restore the default registry value …
Navigate to

HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System [last dir] » set value "DisableTaskMgr" = "1"
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System [last dir] » set value "DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Policies\Explorer [last dir] » set value "NofolderOptions" = "1"

Exit regedit … » Restart PC …
I already removed this on Windows XP … to make it easier for you, when you open regedit use Ctrl + F then type regedit SSVICHOSST.exe

See if you got this file or not … then follow the instructions.

The above instructions are copy-pasted “as is” with minor word editing for coherence.

Another word of advice: make sure you’re using a separate anti-spyware program in addition to an antivirus for tougher protection.
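
A read-only way to check for the entries named in the forum steps, as an added example that is not part of the original post or the quoted instructions: it scans the text of a registry export for values that reference SSVICHOSST.exe, a Winlogon "Shell" that is not plain Explorer.exe, and the three policy values. The `audit` function, the sample export and the hive paths inside it are assumptions constructed for illustration.

```python
import re

WORM_FILE = "ssvichosst.exe"  # file name given in the steps above
POLICIES = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample in .reg export format, not taken from a real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messenger"="C:\\WINDOWS\\system32\\SSVICHOSST.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSVICHOSST.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
"""


def audit(reg_text):
    """Return (key, value name, reason) for each entry the steps above touch."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the registry key path
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue
        name, data = match.group(1), match.group(2)
        leaf = key.lower().rsplit("\\", 1)[-1]
        if WORM_FILE in data.lower():
            findings.append((key, name, "references SSVICHOSST.exe"))
        elif leaf == "winlogon" and name.lower() == "shell" \
                and data.strip('"').lower() != "explorer.exe":
            findings.append((key, name, "Shell is not plain Explorer.exe"))
        elif name.lower() in POLICIES and data.startswith("dword:") \
                and int(data[6:], 16) != 0:
            # On Windows a non-zero value switches the restriction on.
            findings.append((key, name, "restriction is switched on"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE_EXPORT):
        print(f"{key} :: {name} -> {reason}")
```

A file written by regedit's export is UTF-16, so read it with `encoding="utf-16"` before passing the text to `audit`.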


Category: security-privacy

Comments (2)


  1. Sire says:

    So the fact that someone receives this message means that the person where the message originated has an infected computer, ergo the message. I suppose it sent the same message to everyone in his address book?

    Good on you for posting this.

  2. Mathdelane says:

    Hi Sire,
    The message may or may not be sent to everyone’s contacts. I can’t provide any percentage about this.
    On the other hand, I normally think that it would be nice to spread the information for everyone’s awareness.
