
Thread: Lame Aim Worm

  1. #1
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724

    Lame Aim Worm

    I got a message from some obscure, probably random person on my buddy list, telling me to click here.. I know the person the link came from (or at least I think I do)... so I click.. (I had already known by this time that the link is obviously not a real picture, as the IM described) so I chose to save it as a txt... instead of its default .COM.

    So it's prolly some MS-DOS file. I read the file as txt and can't find much.

    Anyone else experience this?

    I am going to attach the file as a txt. If you guys check it out maybe you can find a cure. As I was writing this, my girlfriend IMs me saying that she just got the same link, prior to me getting the message, and she opened the file.. which explains why I got the IM in the first place... I am just wondering what else it has done to her computer that she can't see..

    BEWARE, don't put this back to .com and run it... it is live... and will do something you don't want it to do.
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  2. #2

    Re: Lame Aim Worm

    Originally posted here by Dr Toker
    I got a message from some obscure, probably random person on my buddy list, telling me to click here.. I know the person the link came from (or at least I think I do)... so I click.. (I had already known by this time that the link is obviously not a real picture, as the IM described) so I chose to save it as a txt... instead of its default .COM.

    So it's prolly some MS-DOS file. I read the file as txt and can't find much.

    Anyone else experience this?

    I am going to attach the file as a txt. If you guys check it out maybe you can find a cure. As I was writing this, my girlfriend IMs me saying that she just got the same link, prior to me getting the message, and she opened the file.. which explains why I got the IM in the first place... I am just wondering what else it has done to her computer that she can't see..

    BEWARE, don't put this back to .com and run it... it is live... and will do something you don't want it to do.

    I accidentally ran it (clicked the link that said "http://LifeyPicy.idleplay.net/show.php"). It seemed to go through each of the people on the buddy list and a window would come up and then close; figured it was some kind of worm. People started responding "what is this"; I just told them not to open it and apologized. The 'person' who accidentally sent it to me had no clue. It seemed that closing AIM and reopening it ended the sending; however, I went back and looked at the file. It listed the file on my computer as "img552.com". Its icon is an .exe and the type of file is MS-DOS Application. Set to autostart. Running scans now and it seems to have found 12 virii so far. It starts itself again at setup. The power went out so, it seems to have multiplied. I'm totally guessing, there is nothing in all of Google about this. That is weird that it showed up on my boyfriend's box as picture007 and img552 on mine... <shrugs> any ideas on how to make sure it's gone are welcome, Thanks

  3. #3
    This is where the beauty of the mouseover comes into play. Whenever someone sends you a link, mouse over the link and see where it points. Most of the time these worms are sloppy and show that the file points to a .scr file, but just recently I got sent this same IM from someone that pointed to a PHP file. Most of these worms also rely on the fact that you're on AIM. Solution? Use Trillian. Also make sure you have UP TO DATE antivirus, a good spyware package and a good head on your shoulders. By that last part I mean you must have enough awareness not to click/open everything that comes your way even if it's sent by someone you know. If you need help cleaning your PC I wrote a tutorial:

    http://www.antionline.com/showthread...r=1#post837790
    And so at last the beast fell and the unbelievers rejoiced. But all was not lost, for from the ash rose a great bird. The bird gazed down upon the unbelievers and cast fire and thunder upon them. For the beast had been reborn with its strength renewed, and the followers of Mammon cowered in horror. -from The Book of Mozilla, 7:15
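    The "mouse over the link and see where it really points" check from the post above, written out as a small script. This is an added example, not code from the thread or from anyone posting in it; the sample messages are constructed and every host in them (example.invalid) is a placeholder. It goes a little beyond the post: besides flagging targets with executable extensions such as .scr or .com, it also catches an HTML anchor whose visible text is a picture URL on one host while the real href goes somewhere else, and it notes that a PHP-style target tells you nothing about the payload until it is fetched.

```python
"""Check where an IM link really points before anyone clicks it.

Added example for this thread, not code from the original posts. The messages
below are constructed samples and every host in them (example.invalid) is a
placeholder, not a real site.
"""
import re
from urllib.parse import urlparse

EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
SCRIPT_EXTENSIONS = {".php", ".asp", ".aspx", ".cgi", ".pl"}

# Bare URLs in plain-text messages, and HTML anchors whose visible text may
# differ from the real href (the IM client renders only the text).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)


def extract_links(message):
    """Return (displayed_text, real_target) pairs found in an IM body."""
    links = []
    for m in ANCHOR_RE.finditer(message):
        links.append((m.group(2).strip(), m.group(1).strip()))
    # Plain URLs outside any anchor display exactly what they point to.
    for m in URL_RE.finditer(ANCHOR_RE.sub("", message)):
        url = m.group(0).rstrip(".,;:)")   # drop trailing sentence punctuation
        links.append((url, url))
    return links


def target_extension(url):
    """Lowercased extension of the last path segment, or '' if it has none."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def classify_link(displayed, target):
    """Return the reasons a link deserves suspicion (empty list means none found)."""
    reasons = []
    ext = target_extension(target)
    shown = displayed.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"target is an executable ({ext})")
    # "Here's a picture" but the file is not an image.
    if any(shown.endswith(e) for e in IMAGE_EXTENSIONS) and ext not in IMAGE_EXTENSIONS:
        reasons.append("displayed as a picture but the target is not an image file")
    # The visible text is itself a URL on a different host than the real href.
    if shown.startswith(("http://", "https://")):
        if urlparse(shown).netloc != urlparse(target).netloc.lower():
            reasons.append("displayed URL host differs from the real target host")
    # A server-side script can hand back anything, so its extension proves nothing.
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"target is a server-side script ({ext}); payload type unknown until fetched")
    return reasons


def scan_message(message):
    """Map each real target URL in the message to its list of suspicion reasons."""
    return {target: classify_link(shown, target) for shown, target in extract_links(message)}


# Constructed sample messages (hosts are placeholders).
SAMPLE_MESSAGES = [
    "lol is this you?? http://example.invalid/pics/party_pic.com",
    '<a href="http://example.invalid/show.php">http://photos.example.invalid/me.jpg</a>',
    "holiday photos: http://example.invalid/holiday.jpg.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for target, reasons in scan_message(msg).items():
            print(target, "->", reasons or ["no obvious problem"])
```

    The first sample is the sloppy case the post describes (a bare link straight to a .com file); the second is the PHP case, where the only thing the script can honestly say is that the link goes to a script and the visible text is lying about the host; the third is an ordinary image link and produces no findings.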

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    My brother got hit by this less than a week ago. I know because I got an IM from him with a similar link. I found over 10 different viruses and trojans on his PC along with a crap load of spyware. I finally kicked him off my LAN. This is at LEAST the 10th time he's crapped up his PC and I always have to deal with it. I figured... if he has no internet on that PC... he can't screw it up and I don't have to fix it.
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Bleh, thanks for the heads up. AIM's worms are starting to bug the crap out of me. I think I'm going to have to make some changes 'round here concerning that (like getting rid of AIM or finding a more secure version/app).

    /me runs off like Batman to the Batmobile
    Space For Rent.. =]

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK, this is what I got:

    ArcaVir: Trojan.Rbot.Agh
    Kaspersky: Backdoor.Win32.Rbot.agh
    Nod32: Win32/Oscarbot.AN

    Hope that helps

  7. #7
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    Awesome, yeah I figured since it was sent to me, others would have gotten this same deal. But with me, there was no link to a PHP script.. it was a direct link to the file.

    What I was wondering... is how to decompile this file to see exactly what it does.. obviously not as easy as renaming it as a .txt...
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi "MrHerb"

    I believe that you can get a time-limited trial of WinHex that has decompiling capabilities. Otherwise just Google for "rbot.agh" and you will get links to AV company analyses of it. Kaspersky usually has quite detailed ones.

    It looks like someone just snagged a copy of the bot and used a social engineering style of delivery?
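    Before reaching for a decompiler, the first thing worth doing with a file that was "saved as .txt" is to find out what it actually is from its bytes, hash it so it can be looked up in the AV analyses mentioned above, and pull the readable strings out of it (which is what opening it as text really shows you). The script below does that; it is an added example, not code from the thread or from any poster, and FAKE_PE is a constructed stand-in built in memory (a bare MZ/PE header plus two placeholder strings), not a real program. One caveat the code makes explicit: a genuine .COM program has no header at all, so "no recognised signature" never proves a file is harmless.

```python
"""Find out what a saved 'picture' actually is from its bytes, not its name.

Added example for this thread, not code from the original posts. FAKE_PE is a
constructed stand-in built in memory (a bare MZ/PE header plus a few strings);
it is not a real program and the URL and strings inside it are placeholders.
"""
import hashlib
import struct

# Leading-byte signatures for the file types that matter here.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"PK\x03\x04", "ZIP container"),
]


def is_pe(data):
    """True when an MZ header's e_lfanew field points at a 'PE\\0\\0' signature."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def identify(data):
    """Describe the file type from content; the extension is deliberately ignored."""
    if not data:
        return "empty file"
    if data.startswith(b"MZ"):
        return "Windows PE executable" if is_pe(data) else "DOS MZ executable"
    for magic, description in SIGNATURES:
        if data.startswith(magic):
            return description
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data[:512]):
        return "plain text"
    # A raw .COM program has no header at all: arbitrary bytes loaded and run
    # as-is, so 'no recognised signature' never rules out executable code.
    return "unknown binary (could be a headerless .COM program)"


def printable_strings(data, min_len=6):
    """Runs of printable ASCII, i.e. what you see when opening the file as text."""
    found, current = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            current.append(b)
            continue
        if len(current) >= min_len:
            found.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


def triage(data):
    """Static summary to hand to someone with AV tooling: type, hash, embedded strings."""
    return {
        "type": identify(data),
        "sha256": hashlib.sha256(data).hexdigest(),   # look this up in AV databases
        "strings": printable_strings(data),
    }


def build_fake_pe():
    """Constructed sample: MZ header, e_lfanew -> 0x40, PE signature, two strings."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    body = (b"PE\x00\x00"
            b"\x00http://example.invalid/update.php\x00"
            b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")
    return bytes(header) + body


FAKE_PE = build_fake_pe()

if __name__ == "__main__":
    samples = [("fake pe", FAKE_PE),
               ("png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
               ("text", b"just some notes\n")]
    for label, sample in samples:
        print(label, triage(sample))
```

    On the constructed sample the strings pass surfaces a URL and a registry autorun path, which is the kind of thing that explains the "set to autostart" behaviour reported earlier in the thread and gives you search terms for the AV write-ups; the SHA-256 is what you would paste into an AV vendor's lookup rather than the file name, since the same bot evidently travels under different names (picture007, img552).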


  9. #9
    http://www.trendmicro.com/vinfo/viru...TROJ_ROOTKIT.H ...
    This is what it found... seems to be OK now, thanks

  10. #10
    Yea... this thing has been going on for a little while. It seems like most end users just look at it and save it.

    I was trying to get the source to it to check it out and see everything it does.
