RE: AIM-based worm?

From: Ron Yount (ronyat_private)
Date: Fri Sep 27 2002 - 08:22:03 PDT


    Just another virus working as advertised.
    W32/Aplore
    
    For more information see:
    http://vil.nai.com/vil/content/v_99437.htm 
    http://lockdowncorp.com/aphexworm.htmlfor 
    http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=68
    
    Ron
    
    -----Original Message-----
    From: Troy Ablan [mailto:bugtraqat_private]
    Sent: Thursday, September 26, 2002 12:52 PM
    To: incidentsat_private
    Subject: AIM-based worm?
    
    
    
    A coworker of mine (Tim) recently found a buddy on his buddy list who he 
    didn't know (JDogg786).  When Tim sent a message to him/her, he got a 
    response back "Hmmmm.. http://24.74.206.239:8180/"  
    
    When he clicked on the link, it took him to a page which redirected to a 
    download of a file ending in .com, which he promptly alerted me to and 
    did not run it.
    
    I tried to go to this link, it tried to download the file.  I hit cancel, 
    then I tried to view the source of the page.  From the View menu, or right 
    clicking on the page, and clicking View Source, nothing happened.
    
    I eventually got the source using wget, which is shown below.
    
    Question 1:  Is there a way a web page can add a buddy to your AIM list 
    without your knowledge?
    
    Question 2:  How was I prevented from viewing the source of the HTML page 
    in IE?
    
    I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well 
    for anyone who wants to look at it, just in case the above link does not 
    work any more.
    
    
    -- BEGIN SOURCE --
    
    <html><head><title>Browser Plugin Requried</title><meta 
    http-equiv="refresh" content="1; 
    url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser 
    Plugin Required:</h1><br>You may need to restart your browser for changes 
    to take affect.<br>Security Certificate by <a 
    href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 
    9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a 
    href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose 
    "Run" to install.</body></html>
    
    -- END SOURCE --
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 16:02:50 PDT