Security Incidents mailing list archives

RE: AIM-based worm?


From: "Ralph Emery" <remery () guarded net>
Date: Fri, 27 Sep 2002 09:36:11 -0400

ok here is what I got for this...

http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=68


Win32.Aplore.A@mm

Name: Win32.Aplore.A@mm
Aliases: W32.Aphex.A@mm
Type: Executable, Internet Worm
Size: 319488 bytes
Discovered: April 9, 2002
Detected: April 9, 2002; 11:00 (GMT+2)
Spreading: High 
Damage: Low 
ITW: Yes 
Symptoms:

- Files explorer.exe and psecure20x-cgi-install.version6.01.bin.hx.com in the system directory (usually C:\Windows\System or C:\Winnt\System32)
- Files aphex.jpg and index.htm in the system directory

Technical description:

This virus is an Internet worm written in Delphi and packed with UPX. The original file size is about 690 Kbytes.
The virus comes as an attached file in an e-mail with this form:
Subject: . (a single dot)
Body: . (a single dot)
Attachment: psecure20x-cgi-install.version6.01.bin.hx.com

When the user executes the attachment it copies itself into the system directory as explorer.exe and as psecure20x-cgi-install.version6.01.bin.hx.com.
It adds the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Explorer "%System%\Explorer.exe"
(where %System% is the Windows System directory)

It drops a small VBS file which contains the script to send itself to all contacts from the Outlook Address Book using Microsoft Outlook. The e-mail has the format shown above.
The script is executed by the virus and deletes itself after trying to send the e-mails.

Also in the system directory it drops a file index.html which contains a link to the file psecure20x-cgi-install.version6.01.bin.hx.com, which it will try to execute automatically. The page looks like this:

http://lockdowncorp.com/aphexworm.html

The W32 Aphex Worm is propagated through email, AIM and MSN Messenger and IRC.
Once infected, the Worm creates a web server on the victim's computer and sends its web page link to the victim(s).
When the victim clicks on the link a file download will be offered. If the file is downloaded and executed the victim will also become infected.

 

-----Original Message-----
From: Troy Ablan [mailto:bugtraq () pinchaser com]
Sent: Thursday, September 26, 2002 3:52 PM
To: incidents () securityfocus com
Subject: AIM-based worm?



A coworker of mine (Tim) recently found a buddy on his buddy list who he 
didn't know (JDogg786).  When Tim sent a message to him/her, he got a 
response back "Hmmmm.. http://24.74.206.239:8180/"

When he clicked on the link, it took him to a page which redirected to a 
download of a file ending in .com, which he promptly alerted me to and 
did not run it.

I tried to go to this link, it tried to download the file.  I hit cancel, 
then I tried to view the source of the page.  From the View menu, or right 
clicking on the page, and clicking View Source, nothing happened.

I eventually got the source using wget, which is shown below.

Question 1:  Is there a way a web page can add a buddy to your AIM list 
without your knowledge?

Question 2:  How was I prevented from viewing the source of the HTML page 
in IE?

I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well 
for anyone who wants to look at it, just in case the above link does not 
work any more.


-- BEGIN SOURCE --

<html><head><title>Browser Plugin Requried</title><meta 
http-equiv="refresh" content="1; 
url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser 
Plugin Required:</h1><br>You may need to restart your browser for changes 
to take affect.<br>Security Certificate by <a 
href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 
9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a 
href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose 
"Run" to install.</body></html>

-- END SOURCE --
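Two defender-side checks for the indicators this thread describes, written as an added example; this is not code from the original messages, from BitDefender or from LockDown Corp. The first check parses a lure page and flags a meta refresh or anchor whose target's last extension is a Windows executable type, which is how the captured "Browser Plugin Required" page hands the visitor a .com file named to look like a domain. The second parses a `reg export`-style dump of the Run key and flags an "Explorer" value that launches Explorer.exe from the System directory, the persistence the BitDefender write-up lists; the genuine explorer.exe lives in the Windows directory and is started by Winlogon, not by a Run value. The executable-extension set, the function names and the .reg sample are my own assumptions; the HTML sample is the source Troy posted with the mail line-wrapping removed.

```python
"""Added example (not from the thread): lure-page and Run-key indicator checks."""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption: file types Windows runs directly when the user picks "Run".
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# Constructed sample: the page source posted in the thread, unwrapped onto one line.
LURE_HTML = (
    '<html><head><title>Browser Plugin Requried</title>'
    '<meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com">'
    '</head><body><h1>Browser Plugin Required:</h1><br>You may need to restart your browser '
    'for changes to take affect.<br>Security Certificate by '
    '<a href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3'
    '<br><br>Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose '
    '"Run" to install.</body></html>'
)

# Constructed sample in `reg export` format; the second value is a made-up benign entry.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINDOWS\\System32\\Explorer.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
'''


def executable_extension(url: str) -> str:
    """Last extension of the URL's *path* segment, lower-cased, or '' if none.

    The host is ignored, so "http://www.verisign.com" yields '' while the bare
    relative name "psecure20x-...bin.hx.com" yields ".com": only the final dot
    of the file name counts, however many dots precede it.
    """
    parts = urlsplit(url.strip())
    name = parts.path.rstrip("/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].lower()


class _LureParser(HTMLParser):
    """Collects meta-refresh targets and anchor hrefs from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.refresh_targets: List[str] = []
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content is "<seconds>; url=<target>", optionally quoted, any case
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.refresh_targets.append(m.group(1).strip())
        elif tag == "a" and "href" in a:
            self.hrefs.append(a["href"])


def scan_lure_page(html: str) -> List[Tuple[str, str]]:
    """Return (reason, target) pairs for auto-redirects or links to executables."""
    p = _LureParser()
    p.feed(html)
    findings = []
    for t in p.refresh_targets:
        if executable_extension(t) in EXECUTABLE_EXTS:
            findings.append(("meta-refresh to executable", t))
    for h in p.hrefs:
        if executable_extension(h) in EXECUTABLE_EXTS:
            findings.append(("link to executable", h))
    return findings


def check_run_entries(reg_export: str) -> List[Tuple[str, str, str]]:
    """Return (key, name, command) for Run values starting Explorer.exe from %System%."""
    findings = []
    key = ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]*)"="(.*)"$', line)
        if not m or not key.lower().endswith(r"\currentversion\run"):
            continue
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        # matches ...\System\Explorer.exe (Win9x) and ...\System32\Explorer.exe (NT)
        if re.search(r"\\system(32)?\\explorer\.exe\b", value, re.I):
            findings.append((key, name, value))
    return findings


if __name__ == "__main__":
    for reason, target in scan_lure_page(LURE_HTML):
        print(f"lure page: {reason}: {target}")
    for key, name, cmd in check_run_entries(REG_SAMPLE):
        print(f"run key: {key}\\{name} -> {cmd}")
```

`executable_extension` deliberately looks only at the path, so a link to a plain `.com` web site is not flagged while a file name that ends in `.com` is; that distinction is the whole trick behind the attachment name in this thread. `check_run_entries` can be fed the output of `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` from a suspect host.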




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
