|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
webbi_at_sapc.edu
Date: Fri Sep 27 2002 - 06:16:29 CDT
Hmm.. when I go to that link, my antivirus triggers on VBS/Aplore-A and it
won't let me view source as a result. The 'virus' (actually a worm) is found
in the webpage itself. The attachment, when downloaded, detects as
W95/Aplore-A, so I think it's pretty safe to say that this is the Aplore
worm. Reading up on this worm, the VBS 'variant' is actually part of the
replication code for the worm. This worm's writeup says it uses an IRC
connection; perhaps this is a new variant that uses AIM?
-----Original Message-----
From: Troy Ablan [mailto:bugtraq
pinchaser.com]
Sent: Thursday, September 26, 2002 3:52 PM
To: incidentssecurityfocus.com
Subject: AIM-based worm?
A coworker of mine (Tim) recently found a buddy on his buddy list who he
didn't know (JDogg786). When Tim sent a message to him/her, he got a
response back "Hmmmm.. http://24.74.206.239:8180/"
When he clicked on the link, it took him to a page which redirected to a
download of a file ending in .com, which he promptly alerted me to and
did not run it.
I tried to go to this link, it tried to download the file. I hit cancel,
then I tried to view the source of the page. From the View menu, or right
clicking on the page, and clicking View Source, nothing happened.
I eventually got the source using wget, which is shown below.
Question 1: Is there a way a web page can add a buddy to your AIM list
without your knowledge?
Question 2: How was I prevented from viewing the source of the HTML page
in IE?
I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well
for anyone who wants to look at it, just in case the above link does not
work any more.
-- BEGIN SOURCE --
<html><head><title>Browser Plugin Requried</title><meta
http-equiv="refresh" content="1;
url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser
Plugin Required:</h1><br>You may need to restart your browser for changes
to take affect.<br>Security Certificate by <a
href="http://www.verisign.com">Verisign</a> 2002.<br>MD5:
9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a
href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose
"Run" to install.</body></html>
-- END SOURCE --
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]