Name this Nastyware

[Ratman2]

talking on AIM to someone just now and I see this: hehe, (Insert URL here) I know this is nastywhere but what is it?

I aplogize to all my fellow AO'ers for leaving the URL in. A major case of brain fade

[MrLinus]

There was discussion of this on Bugtraq's Devel list. IIRC, the link installs stuff on your machine without approval or knowledge. (http://online.securityfocus.com/arch...9/2002-10-05/2)

From what I've understood since the first posting is that the link connects to a site that puts the Adore (?) Worm on the machine (windows platform). One of the things I find irritating about this whole thing is that it plays on the "luser" who is foolish enough to click on a link provided by someone they don't know.

Curiosity killed the cat.

[Ratman2]

Originally posted here by MsMittens
There was discussion of this on Bugtraq's Devel list. IIRC, the link installs stuff on your machine without approval or knowledge. (http://online.securityfocus.com/arch...9/2002-10-05/2)

From what I've understood since the first posting is that the link connects to a site that puts the Adore (?) Worm on the machine (windows platform). One of the things I find irritating about this whole thing is that it plays on the "luser" who is foolish enough to click on a link provided by someone they don't know.

Curiosity killed the cat.

Not THIS cat

[allenb1963]

You know, it would be nice if you placed a disclaimer in your original post warning people of the consequences of following that link....

[Common_Exploit]

I didn't click that link, but what does it do? I was told it was something bad, so before I click it, I wanna know what's inside. Sorry for the caution, I'm at work and don't want anything graphic or bad to show up/happen.

[Ratman2]

problem fixed....sorry hope no one got infected

[Guus]

From the bugtraq discussion:
Hmm.. when I go to that link, my antivirus triggers on VBS/Aplore-A and it
won't let me view source as a result. The 'virus' (actually a worm) is found
in the webpage itself. The attachment, when downloaded, detects as
W95/Aplore-A, so I think it's pretty safe to say that this is the Aplore
worm. Reading up on this worm, the VBS 'variant' is actually part of the
replication code for the worm. This worm's writeup says it uses an IRC
connection; perhaps this is a new variant that uses AIM?

Sophos.com has this to say about VBS/Aplore-A:

VBS/Aplore-A is a component of the W32/Aplore-A worm. Please see the description for W32/Aplore-A for further details.

And it says this about W32/Aplore-A

W32/Aplore-A is a Win32 worm which uses Microsoft Outlook to spread. It copies itself into the Windows system directory as explorer.exe and
psecure20x-cgi-install6.01.bin.hx.com and adds the following value to the registry to run itself on Windows startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer =
"<windows system folder>\explorer.exe"

When run, the worm drops and runs the VBScript email.vbs which attempts to send an email with the worm files attached to all contacts from the Outlook address book.

These emails have the following characteristics:

Subject line:
.

Message body:
.

Attached file:
psecure20x-cgi-install.version6.01.bin.hx.com

W32/Aplore-A also contains an IRC client and an HTTP server. Before the internal web server is started, the worm drops the file index.html which acts as a homepage for the server. When the server is started, it listens for a connection on port 8180.

The IRC client attempts to connect to an IRC server and join several channels with a nickname randomly chosen from a list of female names stored in the worm code. The worm sends messages containing a link to the infected computer's web server to the IRC channels. The messages sent to the IRC channel contain the text "FREE PORN:" and the IP address of the infected computer.

If a user attempts to connect to the server then the server sends the previously dropped index.html.

Remember, for up to date information, visit the links I provided. Information may have been changed/adjusted since I copied it.

[Common_Exploit]

Originally posted here by Ratman2


Not THIS cat

Not this one either . I don't usually fall for people who give me links to something weird, especially when I don't know them. Even if I do know them, it's all a matter of trust if you ask me. Btw, I'm happy you removed the link, it coulda caused some serious problems.

[problemchild]

I learned something about myself and my habits from this thread.

I (somewhat stupidly) clicked the link earlier today without doing any investigation, but it turned out OK since I was using a Linux browser and it just nicely asked me where to save the bad boy. I've grown into the habit of assuming that these things won't affect me because I use Linux, and that's a very bad habit. Just because it turned out OK this time doesn't mean it will next time. I realize now that using Linux has fostered a false sense of security in me that will one day jump up and bite me.

Thanks for the wake-up call.

[Tedob1]

I just grabbed this off of a computer in my ip block:

<html><head><title>Browser Plugin Requried</title><meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser Plugin Required:</h1>
You may need to restart your browser for changes to take affect.
Security Certificate by Verisign 2002.
MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3

Click HERE and choose "Run" to install.</body></html>