(21:08:04) *NAME*: how do i look http://ip/~tashreba/pic1253.com
(21:08:21) *NAME*: how do i look http://ip/~tashreba/pic1253.com
(21:08:49) *NAME* logged out.
(21:09:19) *NAME* logged in.
(07:03:29) *NAME*: how do i look http://ip/~tashreba/pic1253.com
(07:03:54) *NAME* logged out.
(15:05:05) *NAME* logged in.
(15:09:56) *NAME*: how do i look http://ip/~tashreba/pic1253.com
My friend got it, seems a lot like Newby's MSN Worm.
I wonder if this thing installs a webserver on the victim's box... I swear this thing has more hosting than anything I've ever seen.
Now hopefully there is a way to remove this, since he is my friend I'd like to help him out. If anybody finds anything about removal please post it here.
I've never seen it. I don't click links from strange people. Pictures that end in .com... lol :P. Common sense is so the best defense! And uhh... you should disable those links (If they are real)... so someone doesn't accidentally unleash it on themselves :O.
There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.
Quote from: Quik on October 03, 2005, 07:37:43 PM
There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.
It's technically a worm in the same way that mydoom and such are worms. There is a pretty blurred line between worms and other malware these days.
It would be nice if you left the correct ip, just put a space somewhere so the link doesn't work (and it takes effort to get infected).. that way I could download it, scan it, and figure out what it is.
Quote from: iago on October 03, 2005, 07:45:57 PM
Quote from: Quik on October 03, 2005, 07:37:43 PM
There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.
It's technically a worm in the same way that mydoom and such are worms. There is a pretty blurred line between worms and other malware these days.
It would be nice if you left the correct ip, just put a space somewhere so the link doesn't work (and it takes effort to get infected).. that way I could download it, scan it, and figure out what it is.
It's self-replicating, assuming this one spammed the buddy lists by itself, but usually these things are malicious files that are sent with a harmless link as disguise, aka trojan.
A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware).
http://70.84.54.154 /~tashreba/pic1253.com
Quote from: iago on October 03, 2005, 08:46:17 PM
A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware).
<a href="http://www.evilhacker.org/malicious.exe">http://www.goodsite.com/image.jpg</a>
That's usually how it goes, hence my classification as "trojan".
Also, I thought viruses were self-replicating, more oft than worms? I know the definition is getting fuzzy, but there should be some give-aways, shouldn't there?
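The two lures discussed in this thread, a "picture" URL whose path ends in .com and an anchor whose visible text points somewhere other than its href, can both be checked mechanically. The following is an added example, not part of any poster's message; the extension list, function names and sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short, non-exhaustive list of directly executable Windows extensions.
EXECUTABLE_EXTS = (".com", ".exe", ".scr", ".pif", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def path_is_executable(url):
    """True when the URL path (not the hostname) ends in an executable extension."""
    return urlsplit(url).path.lower().endswith(EXECUTABLE_EXTS)

def defang(url):
    """Unclickable form for sharing: hxxp scheme, bracketed dots in the host."""
    p = urlsplit(url)
    return f"hxxp{p.scheme[4:]}://{p.netloc.replace('.', '[.]')}{p.path}"

def flag_chat_lines(lines):
    """(line_no, defanged_url) for every URL in the log with an executable path."""
    return [(no, defang(url))
            for no, line in enumerate(lines, 1)
            for url in URL_RE.findall(line)
            if path_is_executable(url)]

class AnchorAudit(HTMLParser):  # records anchors whose text names a different host than href
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = URL_RE.search(self.text)
            if shown and urlsplit(shown.group()).hostname != urlsplit(self.href).hostname:
                self.mismatches.append((self.text.strip(), self.href))
            self.href = None

def mismatched_anchors(html):
    audit = AnchorAudit()
    audit.feed(html)
    return audit.mismatches

# Constructed sample input (documentation-range IP and example domains).
SAMPLE_LOG = ["(21:08:04) buddy: how do i look http://192.0.2.10/~user/pic1253.com",
              "(21:09:30) buddy: trip photos http://example.com/holiday.jpg"]
SAMPLE_HTML = '<a href="http://files.example.net/malicious.exe">http://www.example.com/image.jpg</a>'
```

Only the first sample line is flagged: a `.com` in the hostname is normal, a `.com` at the end of the path is a DOS executable.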
Uhh what does this "malicious program" do ?
Quote from: Quik on October 03, 2005, 09:13:18 PM
Quote from: iago on October 03, 2005, 08:46:17 PM
A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware).
<a href="http://www.evilhacker.org/malicious.exe">http://www.goodsite.com/image.jpg</a>
That's usually how it goes, hence my classification as "trojan".
Also, I thought viruses were self-replicating, more oft than worms? I know the definition is getting fuzzy, but there should be some give-aways, shouldn't there?
No, that's not a trojan. A Trojan is an innocent looking program, not link.
Worms are self-spreading. Viruses are self-replicating on the current system, and typically infect local files.
Ergot -- Anything malicious. Delete files, spread, infect files, log passwords, etc.
iago - Meaning you don't know yet ^_~
That being the case, this would be more of a virus and not worm. However, some of these malicious AIM-related activities can be more defined as 'trojans'. I'd consider a worm to be something which spreads just by a computer user with a vulnerable version of the program, so that they can get infected without downloading and/or running outside files.
Usually my entire personal buddy list is infected by some sort of AIM worm, so I scanned a couple of the files with http://www.virustotal.com. They're usually just trojans that spread through AIM by sending messages like the one posted in this topic to everyone on their buddy list. They probably range anywhere from keyloggers, to just giving users full access to the infected computer.
EDIT: I'm slow at posting. :-\
Quote from: Quik on October 03, 2005, 10:32:01 PM
That being the case, this would be more of a virus and not worm. However, some of these malicious AIM-related activities can be more defined as 'trojans'. I'd consider a worm to be something which spreads just by a computer user with a vulnerable version of the program, so that they can get infected without downloading and/or running outside files.
If it infected the AOL executable so that every time you ran AOL it sent itself out, that's a virus.
If it was a program that you ran, and it looked like a game, but it was really spreading secretly, then it's a trojan.
The way it sits, it's a worm. The same way Netsky and Mydoom and Bagle are worms.
Quote from: Newby on October 03, 2005, 09:12:01 PM
http://70.84.54.154 /~tashreba/pic1253.com
From VirusTotal:
Antivirus      Version         Update      Result
AntiVir        6.32.0.6        10.04.2005  no virus found
Avast          4.6.695.0       09.30.2005  no virus found
AVG            718             09.29.2005  no virus found
Avira          6.32.0.6        10.04.2005  no virus found
BitDefender    7.2             10.04.2005  Backdoor.Sdbot.ADQ
CAT-QuickHeal  8.00            10.04.2005  Trojan.Pakes
ClamAV         devel-20050917  10.04.2005  Trojan.Spybot-123
DrWeb          4.32b           10.02.2005  no virus found
eTrust-Iris    7.1.194.0       10.03.2005  no virus found
eTrust-Vet     11.9.1.0        10.04.2005  Win32.Seenbot.DY
Fortinet       2.48.0.0        10.04.2005  PossibleThreat
F-Prot         3.16c           10.04.2005  no virus found
Ikarus         0.2.59.0        10.04.2005  no virus found
Kaspersky      4.0.2.24        10.04.2005  Trojan.Win32.Pakes
McAfee         4595            10.03.2005  W32/Sdbot.worm.gen.h
NOD32v2        1.1240          10.03.2005  probably unknown NewHeur_PE virus
Norman         5.70.10         10.04.2005  no virus found
Panda          8.02.00         10.04.2005  Trj/Multidropper.AXJ
Sophos         3.98.0          10.04.2005  W32/Sdbot-ADQ
Symantec       8.0             10.03.2005  W32.Allim
TheHacker      5.8.2.117       10.03.2005  no virus found
VBA32          3.10.4          10.02.2005  no virus found
It in some way infects the actual AIM file because now when my friend logs on AIM it pops up with an IO error, but still works.