RE: AIM-based worm?

From: webbiat_private
Date: Fri Sep 27 2002 - 04:16:29 PDT


    Hmm.. when I go to that link, my antivirus triggers on VBS/Aplore-A and it
    won't let me view source as a result. The 'virus' (actually a worm) is found
    in the webpage itself. The attachment, when downloaded, detects as
    W95/Aplore-A, so I think it's pretty safe to say that this is the Aplore
    worm. Reading up on this worm, the VBS 'variant' is actually part of the
    replication code for the worm. This worm's writeup says it uses an IRC
    connection; perhaps this is a new variant that uses AIM?
    
    -----Original Message-----
    From: Troy Ablan [mailto:bugtraqat_private] 
    Sent: Thursday, September 26, 2002 3:52 PM
    To: incidentsat_private
    Subject: AIM-based worm?
    
    
    A coworker of mine (Tim) recently found a buddy on his buddy list who he 
    didn't know (JDogg786).  When Tim sent a message to him/her, he got a 
    response back "Hmmmm.. http://24.74.206.239:8180/"  
    
    When he clicked on the link, it took him to a page which redirected to a 
    download of a file ending in .com, which he promptly alerted me to and 
    did not run it.
    
    I tried to go to this link, it tried to download the file.  I hit cancel, 
    then I tried to view the source of the page.  From the View menu, or right 
    clicking on the page, and clicking View Source, nothing happened.
    
    I eventually got the source using wget, which is shown below.
    
    Question 1:  Is there a way a web page can add a buddy to your AIM list 
    without your knowledge?
    
    Question 2:  How was I prevented from viewing the source of the HTML page 
    in IE?
    
    I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well 
    for anyone who wants to look at it, just in case the above link does not 
    work any more.
    
    
    -- BEGIN SOURCE --
    
    <html><head><title>Browser Plugin Requried</title><meta 
    http-equiv="refresh" content="1; 
    url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser 
    Plugin Required:</h1><br>You may need to restart your browser for changes 
    to take affect.<br>Security Certificate by <a 
    href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 
    9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a 
    href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose 
    "Run" to install.</body></html>
    
    -- END SOURCE --
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
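Added example, not from either poster: a small Python detector for the lure pattern in the captured source, where a meta refresh and a link both point at a file whose `.com` extension makes Windows run it while the name reads like a domain. It uses only the standard library; the sample HTML is constructed from the quoted source.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Windows runs these extensions directly; ".com" here reads like a domain name.
EXEC_EXTS = (".com", ".exe", ".scr", ".pif", ".bat", ".vbs")

class RefreshLureParser(HTMLParser):
    """Collect <meta http-equiv=refresh> targets and <a href> targets."""
    def __init__(self):
        super().__init__()
        self.refresh_targets = []
        self.link_targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content has the form "<delay>; url=<target>"
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.refresh_targets.append(m.group(1))
        elif tag == "a" and "href" in a:
            self.link_targets.append(a["href"])

def looks_executable(url):
    """True if the last path segment has an executable extension. Only the path
    is inspected, so http://www.verisign.com (host only) is not flagged."""
    path = urlsplit(url).path
    return path.rsplit("/", 1)[-1].lower().endswith(EXEC_EXTS)

def analyze(html):
    """Return (finding, target) pairs for the auto-download lure pattern."""
    p = RefreshLureParser()
    p.feed(html)
    p.close()
    found = [("meta-refresh-to-executable", t) for t in p.refresh_targets if looks_executable(t)]
    found += [("link-to-executable", t) for t in p.link_targets if looks_executable(t)]
    return found

# Constructed sample modelled on the captured source quoted in the post.
SAMPLE = ('<html><head><title>Browser Plugin Requried</title><meta http-equiv="refresh" '
          'content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com"></head>'
          '<body>Security Certificate by <a href="http://www.verisign.com">Verisign</a>'
          '<br>Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a>'
          '</body></html>')

if __name__ == "__main__":
    for kind, target in analyze(SAMPLE):
        print(kind, target)
```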



    This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 15:31:16 PDT