Talking on AIM to someone just now and I see this: hehe, (Insert URL here) I know this is nastyware but what is it?
I apologize to all my fellow AO'ers for leaving the URL in. A major case of brain fade :(
There was discussion of this on Bugtraq's Devel list. IIRC, the link installs stuff on your machine without approval or knowledge. (http://online.securityfocus.com/arch...9/2002-10-05/2)
From what I've understood since the first posting is that the link connects to a site that puts the Adore (?) Worm on the machine (windows platform). One of the things I find irritating about this whole thing is that it plays on the "luser" who is foolish enough to click on a link provided by someone they don't know.
Curiosity killed the cat.
Quote:
Originally posted here by MsMittens
There was discussion of this on Bugtraq's Devel list. IIRC, the link installs stuff on your machine without approval or knowledge. (http://online.securityfocus.com/arch...9/2002-10-05/2)
From what I've understood since the first posting is that the link connects to a site that puts the Adore (?) Worm on the machine (windows platform). One of the things I find irritating about this whole thing is that it plays on the "luser" who is foolish enough to click on a link provided by someone they don't know.
Curiosity killed the cat.
Not THIS cat :D
You know, it would be nice if you placed a disclaimer in your original post warning people of the consequences of following that link....
I didn't click that link, but what does it do? I was told it was something bad, so before I click it, I wanna know what's inside. Sorry for the caution, I'm at work and don't want anything graphic or bad to show up/happen.
problem fixed....sorry hope no one got infected :)
From the bugtraq discussion:
Quote:
Hmm.. when I go to that link, my antivirus triggers on VBS/Aplore-A and it
won't let me view source as a result. The 'virus' (actually a worm) is found
in the webpage itself. The attachment, when downloaded, detects as
W95/Aplore-A, so I think it's pretty safe to say that this is the Aplore
worm. Reading up on this worm, the VBS 'variant' is actually part of the
replication code for the worm. This worm's writeup says it uses an IRC
connection; perhaps this is a new variant that uses AIM?
Sophos.com has this to say about VBS/Aplore-A:
Quote:
VBS/Aplore-A is a component of the W32/Aplore-A worm. Please see the description for W32/Aplore-A for further details.
And it says this about W32/Aplore-A:
Quote:
W32/Aplore-A is a Win32 worm which uses Microsoft Outlook to spread. It copies itself into the Windows system directory as explorer.exe and
psecure20x-cgi-install6.01.bin.hx.com and adds the following value to the registry to run itself on Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer =
"<windows system folder>\explorer.exe"
When run, the worm drops and runs the VBScript email.vbs which attempts to send an email with the worm files attached to all contacts from the Outlook address book.
These emails have the following characteristics:
Subject line:
.
Message body:
.
Attached file:
psecure20x-cgi-install.version6.01.bin.hx.com
W32/Aplore-A also contains an IRC client and an HTTP server. Before the internal web server is started, the worm drops the file index.html which acts as a homepage for the server. When the server is started, it listens for a connection on port 8180.
The IRC client attempts to connect to an IRC server and join several channels with a nickname randomly chosen from a list of female names stored in the worm code. The worm sends messages containing a link to the infected computer's web server to the IRC channels. The messages sent to the IRC channel contain the text "FREE PORN:" and the IP address of the infected computer.
If a user attempts to connect to the server then the server sends the previously dropped index.html.
Remember, for up to date information, visit the links I provided. Information may have been changed/adjusted since I copied it.
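An added example, not part of the original thread or of Sophos's write-up: a triage check for the host indicators the quoted W32/Aplore-A description lists (the Run value, the dropped file names and the port 8180 listener). The function names, the `reg query` / `netstat -an` text layouts and all sample data are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the Sophos W32/Aplore-A description quoted in the thread.
WORM_PORT = 8180
WORM_FILES = {"psecure20x-cgi-install6.01.bin.hx.com",
              "psecure20x-cgi-install.version6.01.bin.hx.com"}

def suspicious_run_values(reg_query_text, windows_dir=r"C:\WINDOWS"):
    # The genuine shell lives directly in the Windows directory; the worm's copy
    # sits in the system directory below it, so the parent folder is the tell.
    hits = []
    for line in reg_query_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if data.startswith('"'):  # quoted path, possibly followed by arguments
            data = data[1:].split('"', 1)[0]
        path = PureWindowsPath(data)  # compares case-insensitively
        if path.name.lower() == "explorer.exe" and path.parent != PureWindowsPath(windows_dir):
            hits.append((name, data))
    return hits

def listeners_on_worm_port(netstat_text):
    # Port 8180 alone is only a lead: unrelated software may also listen on it.
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(WORM_PORT):
                hits.append(f[1])
    return hits

def dropped_files(system_dir_names):
    return sorted(n for n in system_dir_names if n.lower() in WORM_FILES)

# Constructed sample data (not captured from a real host).
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Explorer    REG_SZ    C:\WINDOWS\SYSTEM32\explorer.exe
    Shell       REG_SZ    "C:\WINDOWS\explorer.exe" /n
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:8180    0.0.0.0:0    LISTENING
  TCP    10.0.0.5:1042   10.0.0.9:8180    ESTABLISHED
"""
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "psecure20x-cgi-install6.01.bin.hx.com"]

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_REG), listeners_on_worm_port(SAMPLE_NETSTAT))
```

A hit on any one check is a reason to scan the machine; the Run value together with the listener matches the described behaviour most closely.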
Not this one either :D. I don't usually fall for people who give me links to something weird, especially when I don't know them. Even if I do know them, it's all a matter of trust if you ask me. Btw, I'm happy you removed the link, it coulda caused some serious problems.
I learned something about myself and my habits from this thread.
I (somewhat stupidly) clicked the link earlier today without doing any investigation, but it turned out OK since I was using a Linux browser and it just nicely asked me where to save the bad boy. I've grown into the habit of assuming that these things won't affect me because I use Linux, and that's a very bad habit. Just because it turned out OK this time doesn't mean it will next time. I realize now that using Linux has fostered a false sense of security in me that will one day jump up and bite me.
Thanks for the wake-up call.
I just grabbed this off of a computer in my ip block:
<html><head><title>Browser Plugin Requried</title><meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser Plugin Required:</h1>
You may need to restart your browser for changes to take affect.
Security Certificate by Verisign 2002.
MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3
Click HERE and choose "Run" to install.</body></html>
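An added example, not part of the original post: a scanner for the pattern visible in the page above, a meta refresh that sends the browser straight to a file whose name ends in an executable extension. Here that is `.com`, which Windows runs as a program even though the name looks like a hostname. The extension list, function names and the benign sample are assumptions.

```python
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of extensions Windows will execute when the user picks "Run".
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

class RefreshFinder(HTMLParser):
    """Collect the url= target of every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(m.group(1).strip())

def auto_download_targets(html):
    """Return refresh targets whose *path* ends in an executable extension."""
    finder = RefreshFinder()
    finder.feed(html)
    hits = []
    for target in finder.targets:
        # Only the path counts: a redirect to http://example.com/ has a host
        # ending in .com but no executable file name, so it is not flagged.
        ext = posixpath.splitext(urlparse(target).path)[1].lower()
        if ext in EXECUTABLE_EXTS:
            hits.append(target)
    return hits

# Head of the lure page as posted above (body shortened).
LURE = ('<html><head><title>Browser Plugin Requried</title>'
        '<meta http-equiv="refresh" content="1; '
        'url=psecure20x-cgi-install.version6.01.bin.hx.com"></head>'
        '<body><h1>Browser Plugin Required:</h1></body></html>')
# Constructed benign page for comparison.
BENIGN = '<meta http-equiv="Refresh" content="0; url=http://example.com/">'

if __name__ == "__main__":
    print(auto_download_targets(LURE), auto_download_targets(BENIGN))
```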
Just as an additional thought, if you use AIM make sure you have the latest version and in the options check off the "Only receive messages from those on my contact list" option. This is one of the ways that these guys are getting people. Because some will allow anyone to send them a message they take advantage of this. (most people will take a message from anyone).
I believe MSN and ICQ also have these features. You'll find a marked decrease in the amount of pr0n messages and other hoax messages you receive (the classic ICQ Hoax comes to mind -- "forward this message to 2000000000 people or AOL will charge 5 cents a message!" .. oh. the. horror.)
As for the member who clicked the link (and asked for the disclaimer) you have learned an important lesson of security: just because someone puts a link forth does not mean you should go and click it. ;) Be paranoid and treat everything with suspicion.
Quote:
Originally posted here by MsMittens
Just as an additional thought, if you use AIM make sure you have the latest version and in the options check off the "Only receive messages from those on my contact list" option. This is one of the ways that these guys are getting people. Because some will allow anyone to send them a message they take advantage of this. (most people will take a message from anyone).
I believe MSN and ICQ also have these features. You'll find a marked decrease in the amount of pr0n messages and other hoax messages you receive (the classic ICQ Hoax comes to mind -- "forward this message to 2000000000 people or AOL will charge 5 cents a message!" .. oh. the. horror.)
As for the member who clicked the link (and asked for the disclaimer) you have learned an important lesson of security: just because someone puts a link forth does not mean you should go and click it. ;) Be paranoid and treat everything with suspicion.
Somebody clicked on it oh man. The title of the post was Nastyware. Once again AO'ers I'm so sorry for leaving the link in :)
Update to the story:
I finally got a hold of the person infected. She didn't even know it. I tried to get her to run Housecall but the box kept locking up so I'm trying AVG now.
ok, i feel stupid. yesterday i clicked on it, and a download thing came up. but i didn't click save or whatever... there is no way i can get this bug right?
Fuzzy...I'd run a virus scan just to make sure...you can't ever be too safe these days...
Yeah, I didn't click it because I'm kinda paranoid when it comes to internet downloads and links but Fuzzy, I'd run a virus scan just to make sure. I'm happy I didn't click it, btw.
ok damn.... i wasn't even thinkin. i was like hey look a link... i usually don't do stuff like that.. but oops... thanks tho.......
Fuzzy: Hey, no problem. It was an accident, maybe a little too much trust on your part, but that's okay. Just do a few scans to make sure you don't have it though. Oh and if it helps, I'm sure you're not the only person who clicked on it. :)