Full Disclosure mailing list archives

Re: AOL IM Worm


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 12 Feb 2004 10:25:11 +1300

"Justin Baldini" <jbaldini () newmassmedia com> wrote:

> There appears to be an AOL IM worm going around.

It's arguably not a worm (many say fully automated spread is a 
requirement for such).  It _is_ very like FriendGreetings but using AOL 
IM rather than SMTP as its "advertising medium".

> It's coming in as a link to here...
>
> http://www.wgutv.com/osama_capXXXture.php?nLRj
> (Without the XXX)
>
> ...and the bit after the "?" is variable/random.

> When run, it appears to load up some fake game, ...

Well, it is an ".SWF game".

> ... installs a bunch of shit,
> and then sends itself to everyone on your IM list.

What you so inelegantly missed is that when you visit the IM-spammed URL 
you referred to, you are prompted to download and install an ActiveX 
control.  If you accept, it's "game over" (security-wise -- no pun 
intended...).  Intelligent admins whose advice is appreciated and acted 
on won't have users running IE, so this won't be an issue for them, but 
the remaining 99.973% of Windows machines are likely to have some 
exposure.  However, clueful Windows admins who have to watch over 
hordes of the great unwashed and have been forced, against their better 
judgement, to allow or even encourage or -- gak! -- _require_ the use 
of IE, will at least have locked out said horde with an "only run 
administrator approved ActiveX controls" policy.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
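The lure URL described in this thread has a fixed host and path but a random token after the "?", so a proxy-log check has to match on the normalized URL rather than the full string. The script below is an added example written for this archive page, not code from either poster: it runs over a few constructed squid-style access log lines (field positions for client IP and URL are assumed from the native squid format), flags fetches of the lure, and reports which clients to follow up on.

```python
from urllib.parse import urlsplit

# Lure URL as described in the post: fixed host and path, variable text after "?".
# The post inserted "XXX" into the path to defang it; this is the plain form.
LURE_HOST = "www.wgutv.com"
LURE_PATH = "/osama_capture.php"

# Constructed squid-style access log lines (not real traffic) for illustration.
# Field layout: time elapsed client action/code bytes method url ident hier/from type
SAMPLE_LOG = """\
1076542000.123 245 10.0.0.12 TCP_MISS/200 5120 GET http://www.wgutv.com/osama_capture.php?nLRj - DIRECT/192.0.2.10 text/html
1076542010.456 180 10.0.0.12 TCP_MISS/200 98304 GET http://www.wgutv.com/osama_capture.php?kQ8z - DIRECT/192.0.2.10 application/x-shockwave-flash
1076542020.789 90 10.0.0.15 TCP_MISS/200 5120 GET http://WWW.WGUTV.COM/osama_capture.php?Aa1b - DIRECT/192.0.2.10 text/html
1076542030.000 50 10.0.0.20 TCP_HIT/200 1024 GET http://www.example.org/index.php?nLRj - NONE/- text/html
"""

def is_lure_url(url):
    """True if url is the lure, ignoring the random query string and host case."""
    parts = urlsplit(url)
    return parts.hostname == LURE_HOST and parts.path == LURE_PATH

def find_lure_hits(log_text):
    """Return (client_ip, query_token) for each log line that fetched the lure."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        client, url = fields[2], fields[6]
        if is_lure_url(url):
            hits.append((client, urlsplit(url).query))
    return hits

def summarize(hits):
    """Clients to follow up on, plus how many distinct query tokens were seen."""
    clients = sorted({client for client, _ in hits})
    tokens = {query for _, query in hits}
    return {"clients": clients, "distinct_tokens": len(tokens)}

if __name__ == "__main__":
    print(summarize(find_lure_hits(SAMPLE_LOG)))
```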

