Clan x86

Technical (Development, Security, etc.) => General Security Information => Topic started by: RoMi on October 03, 2005, 04:27:43 pm

Title: AIM Worm
Post by: RoMi on October 03, 2005, 04:27:43 pm
(21:08:04) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(21:08:21) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(21:08:49) *NAME* logged out.
(21:09:19) *NAME* logged in.
(07:03:29) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(07:03:54) *NAME* logged out.
(15:05:05) *NAME* logged in.
(15:09:56) *NAME*:  how do i look http://ip/~tashreba/pic1253.com

My friend got it, seems a lot like Newby's MSN Worm.
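Added example, not part of the thread: a small Python scanner that reads IM log lines in the format pasted above and flags exactly what makes the message suspicious, namely a link whose file name looks like a picture (pic1253) but whose extension (.com) is one Windows will execute, and the same link being re-sent by the same contact across sessions. The sample log is constructed from the transcript above; "ip" is the host the poster removed, and the extension and file-name hint lists are assumptions, not anything the thread states.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, modelled on the transcript in the post above. "ip" stands
# in for the host the poster blanked out; the last line is an added benign message.
SAMPLE_LOG = """\
(21:08:04) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(21:08:21) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(21:08:49) *NAME* logged out.
(21:09:19) *NAME* logged in.
(07:03:29) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(07:03:54) *NAME* logged out.
(15:05:05) *NAME* logged in.
(15:09:56) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(15:12:10) *NAME*:  lol yeah that was a good game
"""

# "(HH:MM:SS) sender:  message" -- status lines ("logged in/out") have no colon
# after the sender and are skipped.
MSG_RE = re.compile(r"^\((\d\d:\d\d:\d\d)\) (\S+):\s+(.*)$")
URL_RE = re.compile(r"https?://\S+")

# Assumed lists: extensions Windows runs on double-click, and substrings that
# make a file name read like a photo.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
IMAGE_HINTS = ("pic", "img", "photo", "image", "dsc")


def classify_url(url):
    """Return the reasons a URL looks like an executable dressed up as a picture."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    ext = ("." + name.rsplit(".", 1)[-1]) if "." in name else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if any(hint in name for hint in IMAGE_HINTS):
            reasons.append("picture-like filename on an executable")
    return reasons


def scan_im_log(text, repeat_threshold=2):
    """Walk the log; report suspicious links and repeated sends per (sender, url)."""
    hits = []
    sent = Counter()  # (sender, url) -> how many times seen so far
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        ts, sender, body = m.groups()
        for url in URL_RE.findall(body):
            reasons = classify_url(url)
            sent[(sender, url)] += 1
            if sent[(sender, url)] >= repeat_threshold:
                reasons.append(f"same link sent {sent[(sender, url)]} times by {sender}")
            if reasons:
                hits.append({"time": ts, "sender": sender, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_im_log(SAMPLE_LOG):
        print(hit["time"], hit["sender"], hit["url"], "; ".join(hit["reasons"]))
```

The repeat check is what separates a friend genuinely sharing a photo from a compromised account: a human does not paste the identical line four times across three logins.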
Title: Re: AIM Worm
Post by: Newby on October 03, 2005, 05:10:14 pm
I wonder if this thing installs a webserver on the victim's box... I swear this thing has more hosting than anything I've ever seen.
Title: Re: AIM Worm
Post by: RoMi on October 03, 2005, 05:45:15 pm
Now hopefully there is a way to remove this, since he is my friend I'd like to help him out.  If anybody finds anything about removal please post it here.
Title: Re: AIM Worm
Post by: Ergot on October 03, 2005, 06:52:45 pm
I've never seen it. I don't click links from strange people. Pictures that end in .com... lol :P. Common sense is so the best defense! And uhh... you should disable those links (If they are real)... so someone doesn't accidentally unleash it on themselves :O.
Title: Re: AIM Worm
Post by: Quik on October 03, 2005, 07:37:43 pm
There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.
Title: Re: AIM Worm
Post by: iago on October 03, 2005, 07:45:57 pm
There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.

It's technically a worm in the same way that mydoom and such are worms.  There is a pretty blurred line between worms and other malware these days. 

It would be nice if you left the correct ip, just put a space somewhere so the link doesn't work (and it takes effort to get infected).. that way I could download it, scan it, and figure out what it is. 
Title: Re: AIM Worm
Post by: Quik on October 03, 2005, 08:38:23 pm
There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.

It's technically a worm in the same way that mydoom and such are worms. There is a pretty blurred line between worms and other malware these days.

It would be nice if you left the correct ip, just put a space somewhere so the link doesn't work (and it takes effort to get infected).. that way I could download it, scan it, and figure out what it is.


It's self-replicating, assuming this one spammed the buddy lists by itself, but usually these things are malicious files that are sent with a harmless link as disguise, aka trojan.
Title: Re: AIM Worm
Post by: iago on October 03, 2005, 08:46:17 pm
A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware). 
Title: Re: AIM Worm
Post by: Newby on October 03, 2005, 09:12:01 pm
http://70.84.54.154 /~tashreba/pic1253.com
Title: Re: AIM Worm
Post by: Quik on October 03, 2005, 09:13:18 pm
A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware).


Code:
<a href="http://www.evilhacker.org/malicious.exe">http://www.goodsite.com/image.jpg</a>
That's usually how it goes, hence my classification as "trojan".

Also, I thought viruses were self-replicating, more often than worms? I know the definition is getting fuzzy, but there should be some give-aways, shouldn't there?
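Added example, not part of the thread: the anchor Quik posted works because the visible text is one URL and the href is another. The check below, written for this page rather than taken from any project, pulls every anchor out of an HTML fragment (AIM could render HTML-formatted messages) and reports the three tells visible in that snippet: the displayed host differs from the real one, the target has an executable extension, and the text pretends it is an image. The sample HTML is constructed; the extension lists are assumptions.

```python
import re
from urllib.parse import urlparse

# <a ... href="..." ...>visible text</a>, case-insensitive, text may span lines.
ANCHOR_RE = re.compile(r'<a\s+[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

# Assumed lists of "runs when double-clicked" and "looks like a picture" extensions.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def _ext(url):
    """Lower-cased extension of the last path component, or '' if there is none."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def check_anchor(href, text):
    """Return the reasons an <a> element looks deceptive; an empty list means clean."""
    reasons = []
    target = urlparse(href)
    shown = urlparse(text.strip())
    # Visible text is itself a URL, but names a different host than the href.
    if shown.scheme in ("http", "https") and shown.netloc \
            and shown.netloc.lower() != target.netloc.lower():
        reasons.append(f"text shows {shown.netloc} but link goes to {target.netloc}")
    if _ext(href) in EXECUTABLE_EXTS:
        reasons.append(f"target is an executable ({_ext(href)})")
        if _ext(text.strip()) in IMAGE_EXTS:
            reasons.append("shown as an image, served as an executable")
    return reasons


def audit_html(html):
    """Run check_anchor over every anchor in the fragment, in document order."""
    return [{"href": href, "text": text, "reasons": check_anchor(href, text)}
            for href, text in ANCHOR_RE.findall(html)]


# Constructed sample: the deceptive anchor from the post above plus an honest one.
SAMPLE_HTML = """
<p>check this out <a href="http://www.evilhacker.org/malicious.exe">http://www.goodsite.com/image.jpg</a></p>
<p>and this <a href="http://www.goodsite.com/image.jpg">http://www.goodsite.com/image.jpg</a></p>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding["href"], "->", finding["reasons"] or "ok")
```

The host comparison is the important one: a link whose text is a URL should point where it says it does, and a client or mail gateway can refuse to render it as a bare URL when it does not.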
Title: Re: AIM Worm
Post by: Ergot on October 03, 2005, 09:25:16 pm
Uhh what does this "malicious program" do ?
Title: Re: AIM Worm
Post by: iago on October 03, 2005, 10:22:04 pm
A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware).


Code:
<a href="http://www.evilhacker.org/malicious.exe">http://www.goodsite.com/image.jpg</a>
That's usually how it goes, hence my classification as "trojan".

Also, I thought viruses were self-replicating, more often than worms? I know the definition is getting fuzzy, but there should be some give-aways, shouldn't there?

No, that's not a trojan.  A Trojan is an innocent looking program, not link. 

Worms are self-spreading.  Viruses are self-replicating on the current system, and typically infect local files. 

Ergot -- Anything malicious.  Delete files, spread, infect files, log passwords, etc.
Title: Re: AIM Worm
Post by: Ergot on October 03, 2005, 10:31:05 pm
iago - Meaning you don't know yet ^_~
Title: Re: AIM Worm
Post by: Quik on October 03, 2005, 10:32:01 pm
That being the case, this would be more of a virus and not worm. However, some of these malicious AIM-related activities can be more defined as 'trojans'. I'd consider a worm to be something which spreads just by a computer user with a vulnerable version of the program, so that they can get infected without downloading and/or running outside files.
Title: Re: AIM Worm
Post by: Armin on October 03, 2005, 10:32:11 pm
Usually my entire personal buddy list is infected by some sort of AIM worm, so I scanned a couple of the files with http://www.virustotal.com. They're usually just trojans that spread through AIM by sending messages like the one posted in this topic to everyone on their buddy list. They probably range anywhere from keyloggers, to just giving users full access to the infected computer.

EDIT: I'm slow at posting. :-\
Title: Re: AIM Worm
Post by: iago on October 04, 2005, 10:01:32 am
That being the case, this would be more of a virus and not worm. However, some of these malicious AIM-related activities can be more defined as 'trojans'. I'd consider a worm to be something which spreads just by a computer user with a vulnerable version of the program, so that they can get infected without downloading and/or running outside files.

If it infected the AOL executable so that every time you ran AOL it sent itself out, that's a virus. 

If it was a program that you ran, and it looked like a game, but it was really spreading secretly, then it's a trojan. 

The way it sits, it's a worm.  The same way Netsky and Mydoom and Bagle are worms. 
Title: Re: AIM Worm
Post by: iago on October 04, 2005, 10:02:30 am
http://70.84.54.154 /~tashreba/pic1253.com

From VirusTotal:

Antivirus   Version   Update   Result
AntiVir   6.32.0.6   10.04.2005   no virus found
Avast   4.6.695.0   09.30.2005   no virus found
AVG   718   09.29.2005   no virus found
Avira   6.32.0.6   10.04.2005   no virus found
BitDefender   7.2   10.04.2005   Backdoor.Sdbot.ADQ
CAT-QuickHeal   8.00   10.04.2005   Trojan.Pakes
ClamAV   devel-20050917   10.04.2005   Trojan.Spybot-123
DrWeb   4.32b   10.02.2005   no virus found
eTrust-Iris   7.1.194.0   10.03.2005   no virus found
eTrust-Vet   11.9.1.0   10.04.2005   Win32.Seenbot.DY
Fortinet   2.48.0.0   10.04.2005   PossibleThreat
F-Prot   3.16c   10.04.2005   no virus found
Ikarus   0.2.59.0   10.04.2005   no virus found
Kaspersky   4.0.2.24   10.04.2005   Trojan.Win32.Pakes
McAfee   4595   10.03.2005   W32/Sdbot.worm.gen.h
NOD32v2   1.1240   10.03.2005   probably unknown NewHeur_PE virus
Norman   5.70.10   10.04.2005   no virus found
Panda   8.02.00   10.04.2005   Trj/Multidropper.AXJ
Sophos   3.98.0   10.04.2005   W32/Sdbot-ADQ
Symantec   8.0   10.03.2005   W32.Allim
TheHacker   5.8.2.117   10.03.2005   no virus found
VBA32   3.10.4   10.02.2005   no virus found
Title: Re: AIM Worm
Post by: RoMi on October 04, 2005, 03:33:32 pm
It in some way infects the actual AIM file because now when my friend logs on AIM it pops up with an IO error, but still works.