AIM Worm

[RoMi]

(21:08:04) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(21:08:21) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(21:08:49) *NAME* logged out.
(21:09:19) *NAME* logged in.
(07:03:29) *NAME*:  how do i look http://ip/~tashreba/pic1253.com
(07:03:54) *NAME* logged out.
(15:05:05) *NAME* logged in.
(15:09:56) *NAME*:  how do i look http://ip/~tashreba/pic1253.com

My friend got it, seems a lot like Newby's MSN Worm.

[Newby]

I wonder if this thing installs a webserver on the victim's box... I swear this thing has more hosting than anything I've ever seen.

[RoMi]

Now hopefully there is a way to remove this, since he is my friend I'd like to help him out.  If anybody finds anything about removal please post it here.

[Ergot]

I've never seen it. I don't click links from strange people. Pictures that end in .com... lol :P. Commen sense is so the best defense! And uhh... you should disable those links (If they are real)... so someone doesn't accidently unleash it on themselves :O.

[Quik]

There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.

[iago]

There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.

It's technically a worm in the same way that mydoom and such are worms.  There is a pretty blurred line between worms and other malware these days. 

It would be nice if you left the correct ip, just put a space somewhere so the link doesn't work (and it takes effort to get infected).. that way I could download it, scan it, and figure out what it is. 

[Quik]

There have been COUNTLESS AIM trojans. Google it for a fix, there's actually another topic on these forums where Towelie mentioned this. Not a worm, by the way.

It's technically a worm in the same way that mydoom and such are worms. There is a pretty blurred line between worms and other malware these days.

It would be nice if you left the correct ip, just put a space somewhere so the link doesn't work (and it takes effort to get infected).. that way I could download it, scan it, and figure out what it is.

It's self-replicating, assuming this one spammed the buddy lists by itself, but usually these things are malicious files that are sent with a harmless link as disguise, aka trojan.

[iago]

A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware). 

[Newby]

http://70.84.54.154 /~tashreba/pic1253.com

[Quik]

A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware).

Code Select Expand

<a href="http://www.evilhacker.org/malicious.exe">http://www.goodsite.com/image.jpg</a>

That's usually how it goes, hence my classification as "trojan".

Also, I thought viruses were self-replicating, more oft than worms? I know the definition is getting fuzzy, but there should be some give-aways, shouldn't there?

[Ergot]

Uhh what does this "malicious program" do ?

[iago]

A trojan is something with a malicious payload piggybacked on an innocent looking program (kinda like Spyware).

Code Select Expand

<a href="http://www.evilhacker.org/malicious.exe">http://www.goodsite.com/image.jpg</a>

That's usually how it goes, hence my classification as "trojan".

Also, I thought viruses were self-replicating, more oft than worms? I know the definition is getting fuzzy, but there should be some give-aways, shouldn't there?

No, that's not a trojan.  A Trojan is an innocent looking program, not link. 

Worms are self-spreading.  Viruses are self-replicating on the current system, and typically infect local files. 

Ergot -- Anything malicious.  Delete files, spread, infect files, log passwords, etc.

[Ergot]

iago - Meaning you don't know yet ^_~

[Quik]

That being the case, this would be more of a virus and not worm. However, some of these malicious AIM-related activities can be more defined as 'trojans'. I'd concider a worm to be something which spreads just by a computer user with a vulnerable version of the program, so that they can get infected without downloading and/or running outside files.

[Armin]

Usually my entire personal buddy list is infected by some sort of AIM worm, so I scanned a couple of the files with http://www.virustotal.com. They're usually just trojans that spread through AIM by sending messages like the one posted in this topic to everyone on their buddy list. They probably range anywhere from keyloggers, to just giving users full access to the infected computer.

EDIT: I'm slow at posting. :-\