Security Incidents mailing list archives
RE: AIM-based worm?
From: webbi () sapc edu
Date: Fri, 27 Sep 2002 07:16:29 -0400
Hmm.. when I go to that link, my antivirus triggers on VBS/Aplore-A and it won't let me view source as a result. The 'virus' (actually a worm) is found in the webpage itself. The attachment, when downloaded, detects as W95/Aplore-A, so I think it's pretty safe to say that this is the Aplore worm.

Reading up on this worm, the VBS 'variant' is actually part of the replication code for the worm. This worm's writeup says it uses an IRC connection; perhaps this is a new variant that uses AIM?

-----Original Message-----
From: Troy Ablan [mailto:bugtraq () pinchaser com]
Sent: Thursday, September 26, 2002 3:52 PM
To: incidents () securityfocus com
Subject: AIM-based worm?

A coworker of mine (Tim) recently found a buddy on his buddy list who he didn't know (JDogg786). When Tim sent a message to him/her, he got a response back "Hmmmm.. http://24.74.206.239:8180/"

When he clicked on the link, it took him to a page which redirected to a download of a file ending in .com, which he promptly alerted me to and did not run it.

I tried to go to this link, it tried to download the file. I hit cancel, then I tried to view the source of the page. From the View menu, or right clicking on the page, and clicking View Source, nothing happened. I eventually got the source using wget, which is shown below.

Question 1: Is there a way a web page can add a buddy to your AIM list without your knowledge?

Question 2: How was I prevented from viewing the source of the HTML page in IE?

I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well for anyone who wants to look at it, just in case the above link does not work any more.

-- BEGIN SOURCE --
<html><head><title>Browser Plugin Requried</title>
<meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com"></head>
<body><h1>Browser Plugin Required:</h1><br>
You may need to restart your browser for changes to take affect.<br>
Security Certificate by <a href="http://www.verisign.com">Verisign</a> 2002.<br>
MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>
Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose "Run" to install.
</body></html>
-- END SOURCE --

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- AIM-based worm? Troy Ablan (Sep 26)
- Re: AIM-based worm? De Velopment (Sep 27)
- Re: AIM-based worm? Troy Ablan (Sep 27)
- Re: AIM-based worm? Midkaemia (Sep 29)
- Re: AIM-based worm? Troy Ablan (Sep 27)
- Re: AIM-based worm? Adam Young (Sep 27)
- <Possible follow-ups>
- RE: AIM-based worm? webbi (Sep 27)
- RE: AIM-based worm? Ralph Emery (Sep 27)
- RE: AIM-based worm? MH Michael Hammer (5304) (Sep 27)
- RE: AIM-based worm? x x (Sep 27)
- Re: AIM-based worm? skipper (Sep 28)
- RE: AIM-based worm? Ron Yount (Sep 27)
- Re: AIM-based worm? De Velopment (Sep 27)
