OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ralph Emery (remery_at_guarded.net)
Date: Fri Sep 27 2002 - 08:36:11 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ok here is what I got for this...

    http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=68

    Win32.Aplore.Amm

     
    Name: Win32.Aplore.Amm
    Aliases: W32.Aphex.Amm
    Type: Executable, Internet Worm
    Size: 319488 bytes
    Discovered: April 9, 2002
    Detected: April 9, 2002; 11:00 (GMT+2)
    Spreading: High
    Damage: Low
    ITW: Yes
    Symptoms:

    - File explorer.exe and psecure20x-cgi-install.version6.01.bin.hx.com in the system directory (usually C:\Windows\System or C:\Winnt\System32)
    - Files aphex.jpg and index.htm in the system directory

    Technical description:

    This virus is an Internet worm written in Delphi and packed with UPX. The original file size is about 690 Kbytes.
    The virus comes as an attached file in an e-mail with this form:
    Subject: . (a single dot)
    Body: . (a single dot)
    Attachment: psecure20x-cgi-install.version6.01.bin.hx.com

    When the user executes the attachement it copies itself in the system directory as explorer.exe and as psecure20x-cgi-install.version6.01.bin.hx.com.
    It adds the key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Explorer "%System%\Explorer.exe"
    (where %System% is the Windows System directory)

    It drops a small VBS file which contains the script to send itself to all contacts from Outlook Address Book using Microsoft Outlook. The e-mail has the format shown above.
    The script is executed by the virus, and is deleteing itself after trying to send the e-mails.

    Also in the system directory it drops a file index.html which contains a link to the file psecure20x-cgi-install.version6.01.bin.hx.com which will try to be automatically executed. The page looks like this:

    http://lockdowncorp.com/aphexworm.html

    The W32 Aphex Worm is propagated through email, AIM and MSN Messenger and IRC.
    Once infected, the Worm creates a web server on the victims computer and sends it's web page link to the victim(s). When the victim clicks on the link a file download will be offered. If the file is downloaded and executed the victim will also become infected.

     

    -----Original Message-----
    From: Troy Ablan [mailto:bugtraqpinchaser.com]
    Sent: Thursday, September 26, 2002 3:52 PM
    To: incidentssecurityfocus.com
    Subject: AIM-based worm?

    A coworker of mine (Tim) recently found a buddy on his buddy list who he
    didn't know (JDogg786). When Tim sent a message to him/her, he got a
    response back "Hmmmm.. http://24.74.206.239:8180/"

    When he clicked on the link, it took him to a page which redirected to a
    download of a file ending in .com, which he promptly alerted me to and
    did not run it.

    I tried to go to this link, it tried to download the file. I hit cancel,
    then I tried to view the source of the page. From the View menu, or right
    clicking on the page, and clicking View Source, nothing happened.

    I eventually got the source using wget, which is shown below.

    Question 1: Is there a way a web page can add a buddy to your AIM list
    without your knowledge?

    Question 2: How was I prevented from viewing the source of the HTML page
    in IE?

    I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well
    for anyone who wants to look at it, just in case the above link does not
    work any more.

    -- BEGIN SOURCE --

    <html><head><title>Browser Plugin Requried</title><meta
    http-equiv="refresh" content="1;
    url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser
    Plugin Required:</h1><br>You may need to restart your browser for changes
    to take affect.<br>Security Certificate by <a
    href="http://www.verisign.com">Verisign</a> 2002.<br>MD5:
    9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a
    href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose
    "Run" to install.</body></html>

    -- END SOURCE --

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com