[ATTENTION] Recent Email Scam

[Nikentic]

List of where you can find & delete it:
C:\Users\Jonathan\Documents\SYS
C:\Users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:/Users/<your username>/AppData/Local/Temp/cernel.exe

Check MSConfig for AARC

Open Regedit, go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Remove AARC

[Zantas]

Thank you for reporting,

[Apoc]

A little more info from a cursory look through the exe:

It searches the SQLite database that Firefox uses. (Haven't checked if it looks through Chrome/IE yet)

With that in mind; if you have any stored passwords, I suggest changing them now.

Edit: It does look through Chrome and IE as well. (Looking for Opera now)

Edit: Filezilla is also on the list of things it checks.

It also grabs the windows XP key. Among other things.

[Kamon]

So..I got the email right before I left my dorm. I clicked the link and it looked like minecraft (something i am very familiar with) but I didn't have time to dick around with it and denied the java access. Am I infected?

[Nikentic]

Kamon, no you are lucky

[Kamon]

Ah, good.

Thinking about it..I might have MSE on my desktop...don't recall..heh. My paranoid side is going to make me scan when I get back to my room. Never hurts anything.

[darkpatato]

I have deleted the file.
Also your virus scanner will detect it!
I wanna haz a cookie!

[darkpatato]

SORRY FOR DOUBLE POST BUT!

A recent email was sent out from [email protected].

It is a scam, and was not sent from us. Please disregard the email. If you did open the page, I highly suggest you scan your computer immediately.

Kaspersky is known to find the virus coming from the page, as well as Microsoft Security Essentials.

Also, open up your task manager, and search for 'cernel.exe' and kill the process.

You'll find the downloaded exe in C:/Users/<your username>/AppData/Local/Temp/cernel.exe

I do apologize for the intrusion attempt. (I take responsibility for this one, I wasn't quite fast enough to load the virus in a sandbox earlier)

If you have any other questions, please don't hesitate to ask.

Additional info:

The IP address who took advantage of our system has been banned. (Unfortunately, a little too slow)
Other measures have been put in place to avoid this happening again in the future.

We are NOT affiliated with the website mentioned in the email. If you want to play the REAL game, you may visit www.minecraft.net to play. (Yes, it's legit. And yes, it requires Java.)


Prevention & Deletion:

Remove the cernel.exe from your /AppData/*/Temp folders.
Remove the 'SYS' folder from C:/Users/<Your username>/ folder. (It only contains cernel.exe)

Start -> Run -> msconfig -> Startup Tab -> Untick 'AARC' and any other startup items that show 'cernel.exe' in the Command location.

Last notes:

Just because I found it funny. The 'virus' is a VB.NET application.

i will post a guide with photo's tomorrow btw

[psychobandit]

This may come across as rude but I swear I don't mean it to be. But I have got to ask!
Why on earth are so many of you clicking on the link in this e-mail? I mean, with all the virus/adware/spyware out there & the many many identity theft e-mails that get sent out, I thought it was pretty much clear that if you receive an unsolicited e-mail, even from a trusted source, you never ever click the link until you at least verify it is legitimate.

[wac]

Dear Psychobandit.

How can they know it's an 'unsolicited' e-mail? It appears to be from the MMOwned Admin, geez.
And how can you verify it's legitimate before you open it?

Please take this with some salt, as I haven't checked my mail and I haven't seen the link.

But whatever, people who got infected got infected. People who didn't GZ .
Great handling btw Apoc. <3

[Dragonshadow]

You're an idiot for clicking on a .tk link >.>

[7itanium]

I didnt get an email

if I had I most likely woulda known it was fake immediately as I always check the file extension etc. But I can certainly see how it coulda been misleading.. we all consider MMOwned staff to be a trusted source when it comes to downloading things.

Apoc did an epic job vanquishing this beast. so thanks for that


To those of you who havent checked, or havent removed this yer I suggest you do so now as it has the potential to wreak havok on pretty much every aspect of your online environment. Also be sure to change EVERY password that you can possibly think of, since it has the qualities of a cookiestealer this is crutial.

[XC4T4LY5TX]

Thx for saving the day again Apoc

[[Pat]]

good reason why I block all emails that arent from newegg, blizzard and a few trusted sources that I need.

[Confucius]

Glad I didn't get this would be hard changing all my passwords from stuff about pandas, thanks for the warning apoc!