Name this Nastyware
Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: Name this Nastyware

  1. #1

    Name this Nastyware

    talking on AIM to someone just now and I see this: hehe, (Insert URL here) I know this is nastywhere but what is it?

    I aplogize to all my fellow AO'ers for leaving the URL in. A major case of brain fade

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    There was discussion of this on Bugtraq's Devel list. IIRC, the link installs stuff on your machine without approval or knowledge. (http://online.securityfocus.com/arch...9/2002-10-05/2)

    From what I've understood since the first posting is that the link connects to a site that puts the Adore (?) Worm on the machine (windows platform). One of the things I find irritating about this whole thing is that it plays on the "luser" who is foolish enough to click on a link provided by someone they don't know.

    Curiosity killed the cat.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Originally posted here by MsMittens
    There was discussion of this on Bugtraq's Devel list. IIRC, the link installs stuff on your machine without approval or knowledge. (http://online.securityfocus.com/arch...9/2002-10-05/2)

    From what I've understood since the first posting is that the link connects to a site that puts the Adore (?) Worm on the machine (windows platform). One of the things I find irritating about this whole thing is that it plays on the "luser" who is foolish enough to click on a link provided by someone they don't know.

    Curiosity killed the cat.
    Not THIS cat

  4. #4
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    You know, it would be nice if you placed a disclaimer in your original post warning people of the consequences of following that link....
    Al
    It isn't paranoia when you KNOW they're out to get you...

  5. #5
    Banned
    Join Date
    Sep 2002
    Posts
    108
    I didn't click that link, but what does it do? I was told it was something bad, so before I click it, I wanna know what's inside. Sorry for the caution, I'm at work and don't want anything graphic or bad to show up/happen.

  6. #6
    problem fixed....sorry hope no one got infected

  7. #7
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    From the bugtraq discussion:
    Hmm.. when I go to that link, my antivirus triggers on VBS/Aplore-A and it
    won't let me view source as a result. The 'virus' (actually a worm) is found
    in the webpage itself. The attachment, when downloaded, detects as
    W95/Aplore-A, so I think it's pretty safe to say that this is the Aplore
    worm. Reading up on this worm, the VBS 'variant' is actually part of the
    replication code for the worm. This worm's writeup says it uses an IRC
    connection; perhaps this is a new variant that uses AIM?
    Sophos.com has this to say about VBS/Aplore-A:
    VBS/Aplore-A is a component of the W32/Aplore-A worm. Please see the description for W32/Aplore-A for further details.
    And it says this about W32/Aplore-A
    W32/Aplore-A is a Win32 worm which uses Microsoft Outlook to spread. It copies itself into the Windows system directory as explorer.exe and
    psecure20x-cgi-install6.01.bin.hx.com and adds the following value to the registry to run itself on Windows startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer =
    "<windows system folder>\explorer.exe"

    When run, the worm drops and runs the VBScript email.vbs which attempts to send an email with the worm files attached to all contacts from the Outlook address book.

    These emails have the following characteristics:

    Subject line:
    .

    Message body:
    .

    Attached file:
    psecure20x-cgi-install.version6.01.bin.hx.com

    W32/Aplore-A also contains an IRC client and an HTTP server. Before the internal web server is started, the worm drops the file index.html which acts as a homepage for the server. When the server is started, it listens for a connection on port 8180.

    The IRC client attempts to connect to an IRC server and join several channels with a nickname randomly chosen from a list of female names stored in the worm code. The worm sends messages containing a link to the infected computer's web server to the IRC channels. The messages sent to the IRC channel contain the text "FREE PORN:" and the IP address of the infected computer.

    If a user attempts to connect to the server then the server sends the previously dropped index.html.
    Remember, for up to date information, visit the links I provided. Information may have been changed/adjusted since I copied it.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  8. #8
    Banned
    Join Date
    Sep 2002
    Posts
    108
    Originally posted here by Ratman2


    Not THIS cat
    Not this one either . I don't usually fall for people who give me links to something weird, especially when I don't know them. Even if I do know them, it's all a matter of trust if you ask me. Btw, I'm happy you removed the link, it coulda caused some serious problems.

  9. #9
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    I learned something about myself and my habits from this thread.

    I (somewhat stupidly) clicked the link earlier today without doing any investigation, but it turned out OK since I was using a Linux browser and it just nicely asked me where to save the bad boy. I've grown into the habit of assuming that these things won't affect me because I use Linux, and that's a very bad habit. Just because it turned out OK this time doesn't mean it will next time. I realize now that using Linux has fostered a false sense of security in me that will one day jump up and bite me.

    Thanks for the wake-up call.
    Do what you want with the girl, but leave me alone!

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    I just grabbed this off of a computer in my ip block:

    <html><head><title>Browser Plugin Requried</title><meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser Plugin Required:</h1>
    You may need to restart your browser for changes to take affect.
    Security Certificate by Verisign 2002.
    MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3

    Click HERE and choose "Run" to install.</body></html>
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •