funsec mailing list archives
Re: Unknown virus on AIM
From: Jeff Kell <jeff-kell () utc edu>
Date: Wed, 18 Jan 2006 10:35:21 -0500
Todd Towles wrote:
Hey guys, This virus must not be new, but I have looked at two anti-virus sites (sophos and norton) and can't seem to pin it down. A young lady sent me a message last night ("should I add these pics of us on my myspace or facebook?"), then it had a link. The URL was a photobucket link, but it really linked to some prettyinpink website... I closed the message so I don't have the exact sentence. I attempted to download the file but it was no longer up and working, so no sample to look at.
Just another AIM-bot (bot itself sends whatever string the controller specifies to everyone in the victim's buddy list). You probably saw this one (this one came out of a zombie at colorado.edu):

#(4 - 966) [2006-01-17 23:18:28] [snort/1] Tagged Packet
IPv4: 128.138.6.233 -> 172.20.91.254
      hlen=5 TOS=0 dlen=477 ID=50215 flags=0 offset=0 TTL=115 chksum=45677
TCP:  port=5190 -> dport: 3001  flags=***AP*** seq=1786591149
      ack=2451626560 off=5 res=0 win=64048 urp=0 chksum=21705
Payload:  length = 437
000 : 3A 5B 44 30 39 7C 55 53 41 7C 39 33 30 35 37 5D   :[D09|USA|93057]
010 : 21 58 50 2D 35 32 34 38 40 31 35 30 2E 31 38 32   !XP-5248@150.182
020 : 2E 31 38 34 2E 32 32 31 20 4A 4F 49 4E 20 3A 23   .184.221 JOIN :#
030 : 67 0D 0A 3A 68 75 62 2E 38 30 38 39 2E 63 6F 6D   g..:hub.8089.com
040 : 20 33 33 32 20 5B 44 30 39 7C 55 53 41 7C 39 33    332 [D09|USA|93
050 : 30 35 37 5D 20 23 67 20 3A 2E 61 69 6D 20 73 68   057] #g :.aim sh
060 : 6F 75 6C 64 20 69 20 70 75 74 20 74 68 65 73 65   ould i put these
070 : 20 70 69 63 74 75 72 65 73 20 6F 66 20 75 73 20    pictures of us
080 : 6F 6E 20 6D 79 73 70 61 63 65 20 6F 72 20 66 61   on myspace or fa
090 : 63 65 62 6F 6F 6B 3F 20 3C 41 20 48 52 45 46 3D   cebook? <A HREF=
0a0 : 22 68 74 74 70 3A 2F 2F 64 6F 77 6E 6C 6F 61 64   "http://download
0b0 : 2E 70 69 6E 6B 69 65 73 70 61 6C 61 63 65 2E 6E   .pinkiespalace.n
0c0 : 65 74 2F 70 69 63 74 75 72 65 30 31 2E 70 69 66   et/picture01.pif
0d0 : 22 3E 68 74 74 70 3A 2F 2F 70 68 6F 74 6F 62 75   ">http://photobu
0e0 : 63 6B 65 74 2E 63 6F 6D 2F 4E 65 77 50 69 63 74   cket.com/NewPict
0f0 : 75 72 65 73 2F 70 69 63 32 30 2E 6A 70 67 3C 2F   ures/pic20.jpg</
100 : 41 3E 0D 0A 3A 68 75 62 2E 38 30 38 39 2E 63 6F   A>..:hub.8089.co
110 : 6D 20 33 33 33 20 5B 44 30 39 7C 55 53 41 7C 39   m 333 [D09|USA|9
120 : 33 30 35 37 5D 20 23 67 20 63 6F 6D 70 65 74 65   3057] #g compete
130 : 6E 43 65 20 31 31 33 37 35 35 37 32 37 35 0D 0A   nCe 1137557275..
140 : 3A 68 75 62 2E 38 30 38 39 2E 63 6F 6D 20 33 35   :hub.8089.com 35
150 : 33 20 5B 44 30 39 7C 55 53 41 7C 39 33 30 35 37   3 [D09|USA|93057
160 : 5D 20 40 20 23 67 20 3A 5B 44 30 39 7C 55 53 41   ] @ #g :[D09|USA
170 : 7C 39 33 30 35 37 5D 20 0D 0A 3A 68 75 62 2E 38   |93057] ..:hub.8
180 : 30 38 39 2E 63 6F 6D 20 33 36 36 20 5B 44 30 39   089.com 366 [D09
190 : 7C 55 53 41 7C 39 33 30 35 37 5D 20 23 67 20 3A   |USA|93057] #g :
1a0 : 45 6E 64 20 6F 66 20 2F 4E 41 4D 45 53 20 6C 69   End of /NAMES li
1b0 : 73 74 2E 0D 0A                                    st...

Jeff

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
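The snort dump above is the bot's IRC control channel: a JOIN, then a 332 topic reply whose text is the message the bot relays to the victim's buddy list, with an HTML anchor whose visible text is a photobucket .jpg while the HREF actually points at a .pif executable. The following is an added example, not code from the post or from the funsec list: it rebuilds the payload bytes from the hex dump exactly as printed above, splits it into IRC messages, and flags the two things a defender would alert on in a channel topic: the link text not matching the link target, and a target ending in an executable extension. Treating a topic that starts with ".aim" as a bot directive is an assumption drawn from Jeff's description of the bot, not a documented command set.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Payload column of the snort dump, copied from the post above (not constructed).
SNORT_DUMP = """\
000 : 3A 5B 44 30 39 7C 55 53 41 7C 39 33 30 35 37 5D   :[D09|USA|93057]
010 : 21 58 50 2D 35 32 34 38 40 31 35 30 2E 31 38 32   !XP-5248@150.182
020 : 2E 31 38 34 2E 32 32 31 20 4A 4F 49 4E 20 3A 23   .184.221 JOIN :#
030 : 67 0D 0A 3A 68 75 62 2E 38 30 38 39 2E 63 6F 6D   g..:hub.8089.com
040 : 20 33 33 32 20 5B 44 30 39 7C 55 53 41 7C 39 33    332 [D09|USA|93
050 : 30 35 37 5D 20 23 67 20 3A 2E 61 69 6D 20 73 68   057] #g :.aim sh
060 : 6F 75 6C 64 20 69 20 70 75 74 20 74 68 65 73 65   ould i put these
070 : 20 70 69 63 74 75 72 65 73 20 6F 66 20 75 73 20    pictures of us
080 : 6F 6E 20 6D 79 73 70 61 63 65 20 6F 72 20 66 61   on myspace or fa
090 : 63 65 62 6F 6F 6B 3F 20 3C 41 20 48 52 45 46 3D   cebook? <A HREF=
0a0 : 22 68 74 74 70 3A 2F 2F 64 6F 77 6E 6C 6F 61 64   "http://download
0b0 : 2E 70 69 6E 6B 69 65 73 70 61 6C 61 63 65 2E 6E   .pinkiespalace.n
0c0 : 65 74 2F 70 69 63 74 75 72 65 30 31 2E 70 69 66   et/picture01.pif
0d0 : 22 3E 68 74 74 70 3A 2F 2F 70 68 6F 74 6F 62 75   ">http://photobu
0e0 : 63 6B 65 74 2E 63 6F 6D 2F 4E 65 77 50 69 63 74   cket.com/NewPict
0f0 : 75 72 65 73 2F 70 69 63 32 30 2E 6A 70 67 3C 2F   ures/pic20.jpg</
100 : 41 3E 0D 0A 3A 68 75 62 2E 38 30 38 39 2E 63 6F   A>..:hub.8089.co
110 : 6D 20 33 33 33 20 5B 44 30 39 7C 55 53 41 7C 39   m 333 [D09|USA|9
120 : 33 30 35 37 5D 20 23 67 20 63 6F 6D 70 65 74 65   3057] #g compete
130 : 6E 43 65 20 31 31 33 37 35 35 37 32 37 35 0D 0A   nCe 1137557275..
140 : 3A 68 75 62 2E 38 30 38 39 2E 63 6F 6D 20 33 35   :hub.8089.com 35
150 : 33 20 5B 44 30 39 7C 55 53 41 7C 39 33 30 35 37   3 [D09|USA|93057
160 : 5D 20 40 20 23 67 20 3A 5B 44 30 39 7C 55 53 41   ] @ #g :[D09|USA
170 : 7C 39 33 30 35 37 5D 20 0D 0A 3A 68 75 62 2E 38   |93057] ..:hub.8
180 : 30 38 39 2E 63 6F 6D 20 33 36 36 20 5B 44 30 39   089.com 366 [D09
190 : 7C 55 53 41 7C 39 33 30 35 37 5D 20 23 67 20 3A   |USA|93057] #g :
1a0 : 45 6E 64 20 6F 66 20 2F 4E 41 4D 45 53 20 6C 69   End of /NAMES li
1b0 : 73 74 2E 0D 0A                                    st...
"""

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{2}$")
ANCHOR = re.compile(r'<A\s+HREF="([^"]+)">([^<]*)</A>', re.IGNORECASE)
# Extensions Windows will execute when a user opens the "picture".
EXEC_EXT = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")


def parse_snort_dump(dump: str) -> bytes:
    """Rebuild raw payload bytes from a snort-style hex dump.

    Each row is "<offset> : <up to 16 hex bytes>   <ascii column>".  At most
    16 tokens are consumed per row and reading stops at the first token that
    is not a two-digit hex value, so the ASCII column is never taken as data.
    """
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        _offset, rest = line.split(" : ", 1)
        taken = 0
        for tok in rest.split():
            if taken == 16 or not HEX_TOKEN.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def parse_irc_line(line: str) -> dict:
    """Split one IRC line into prefix, command, middle params and trailing."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    middle, _, trailing = line.partition(" :")
    words = middle.split()
    return {"prefix": prefix, "command": words[0], "params": words[1:],
            "trailing": trailing or None}


def analyse_topic(msg: dict) -> list:
    """Findings for a 332 (RPL_TOPIC) reply that carries a relayed IM lure."""
    findings = []
    if msg["command"] != "332" or not msg["trailing"]:
        return findings
    topic = msg["trailing"]
    if topic.startswith(".aim"):  # assumption: '.aim' = "send this over AIM"
        findings.append("topic is a bot directive (.aim): IM spam text follows")
    for href, text in ANCHOR.findall(topic):
        h, t = urlparse(href), urlparse(text)
        if h.hostname != t.hostname:
            findings.append(f"link text host {t.hostname!r} differs from href host {h.hostname!r}")
        if h.path.lower().endswith(EXEC_EXT):
            findings.append(f"href delivers an executable: {h.path}")
    return findings


def analyse_dump(dump: str) -> dict:
    """Decode the dump, parse the IRC messages and collect topic findings."""
    payload = parse_snort_dump(dump)
    text = payload.decode("latin-1")
    msgs = [parse_irc_line(l) for l in text.split("\r\n") if l]
    findings = []
    for m in msgs:
        findings.extend(analyse_topic(m))
    return {"payload_len": len(payload), "messages": msgs, "findings": findings}


if __name__ == "__main__":
    result = analyse_dump(SNORT_DUMP)
    print(f"{result['payload_len']} payload bytes, "
          f"{len(result['messages'])} IRC messages")
    for f in result["findings"]:
        print("FINDING:", f)
```

Run as a script, the decoded payload length matches snort's "length = 437", the five messages come out as JOIN, 332, 333, 353 and 366, and the topic yields three findings. The same href-versus-text and executable-extension checks apply directly to the IM text a user receives, which is where a mail or IM gateway would apply them.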