New AIM Virus?

Andvari

Senior member
Jan 22, 2003
I've been getting some IMs lately from friends with the message "Hey check out this." I clicked on the link the first time I got the message, not thinking anything of it since it was from a friend. I then found out he didn't actually send it, but I guess I might be sending it out to people now too.

I don't know what the virus is or does, and couldn't seem to find it with scans. Anybody else know anything about this?
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Might be W32.Allim.B EDIT: or it might be Backdoor.Doyorg, aka W32/Oscarbot.


W32.Allim.B is a worm that spreads through America Online Instant Messenger (AIM) and drops a variant of Backdoor.Sdbot.

...

Sends the following message to all the AIM contacts on the compromised computer:

Body: hey check out this!

Notes:
Where "this!" is a link to http:/ /s[domain removed]et/mysite/gallery/pictures.php.
A recipient must click on the link and download and execute the file.
What antivirus product and firewall hardware/software were you running at the time of the attack?
 

MrBond

Diamond Member
Feb 5, 2000
I feel like such an idiot - I got the same message from a friend and clicked on the link too. I was typing a thread for FS/T at the time and wasn't thinking.

Only it linked me to a gallery.com file on some web page. IE picked up the click and launched the site - which gave me a 404 error. Running a full scan with AVG now - I hope that's enough. I've got my fingers crossed that I didn't actually get the virus - I didn't download or install anything and I think my patches are all current, so hopefully I'm OK.
 

MrBond

Diamond Member
Feb 5, 2000
Thanks MB - trying the online scanner now.

At the SA forums, someone said that AVG picked it up for them after they updated, this was last Wednesday and my copy is updated since then. It found no infected files in a full scan of my C: partition.

I've got my fingers crossed that the hosting provider for the site I went to pulled the plug on their service to stop the spread. Hopefully that's the source of the 404 error - it wasn't an immediate 404 error, it did seem like it was trying to find the site before it tossed that back to me - kind of like you get when we hit a site with the AT effect :)
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Just to shed some extra light, the worm that Allim tries to drop might vary, and there are new flavors of Backdoor, SDbot/Gaobot/Agobot every day. One day last week, McAfee's daily DAT update contained more than sixty new viruses. In one day. Fun. :) If you don't have your antivirus updating every day (or more frequently) then it would be good to set it up that way.

If you want free antivirus software that's got better detection, you might check out AntiVir, but the tradeoff is that you have to update it manually. http://www.free-av.com/ and check the detection rates at http://www.av-comparatives.org for one perspective on what's good.
 

MrBond

Diamond Member
Feb 5, 2000
AVG is usually very good for me - it updates and scans every day. Honestly, this is the first virus I've EVER had that's been my own fault (and it looks more and more like I got lucky and didn't actually get a virus). I hadn't read the threads about it here, so when I got the IM from my friend, I assumed it was some photos or something from a concert we both went to. When I saw the address, I freaked out a little bit and headed here to see what it was.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Something I would do if it were me, is to run my IM program from a Limited account (called a Restricted User account in Win2000). If the exploit gains a foothold on a Computer Administrator account, it has the power to do anything. With a Limited account, it has the power to... oh... maybe change your wallpaper and stuff :D but can't write to the Windows directory, modify your HOSTS file, take down your Windows Firewall, install software, or set itself up in your Registry to run at the next startup. A very sensible precaution, although there can be unwanted side effects. my suggestions for ironing out the side effects.

Also, it's a good idea to run Microsoft Baseline Security Analyzer and address stuff that it takes issue with, like weak/blank passwords.
 

Andvari

Senior member
Jan 22, 2003
I clicked the link, but the page didn't load. I noticed the link had no http:// nor a www., so I thought my friend was actually trying to send me to a website. I googled the site that was in the link, "write a white paper" and it looked like a legit site. So I copied the link and pasted it into my browser, and that time it prompted me to download an MS-DOS executable. I downloaded it, and opened it with notepad to see what it looked like. It had, amongst the gibberish, some actual English that sounded pretty innocent and actually pertained to writing a white paper (whatever that is). Still not sure though, I then deleted the file and never actually ran it.

(Opening it in notepad doesn't count as running it, correct?)
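The kind of static look Andvari took with Notepad, done deliberately: an added example (not from this thread or any vendor) that reads a downloaded file's bytes without executing anything, checks whether it carries a Windows PE header (the "MZ" stub pointing at a "PE\0\0" signature, the mark of a real executable whatever its name or icon), and pulls out the printable strings that Notepad shows as "actual English" among the garbage. The sample bytes are constructed inline and are not the file from the thread.

```python
import re
import struct
import sys

# Constructed sample (not the file from the thread, and not a runnable program):
# a DOS "MZ" header whose e_lfanew field at offset 0x3C points to a "PE\0\0"
# signature, with readable text mixed into the binary like Notepad shows.
_hdr = bytearray(b"MZ" + b"\x00" * 58)              # DOS header up to e_lfanew
_hdr += struct.pack("<I", 0x80)                      # e_lfanew = 0x80
_hdr += b"This program cannot be run in DOS mode.\r\n"
_hdr += b"\x00" * (0x80 - len(_hdr))                 # pad up to the PE signature
_hdr += b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 18  # COFF header, i386
_hdr += b"\x90\x12\xfe" + b"How to write a white paper" + b"\x03\x7f"
SAMPLE = bytes(_hdr)

MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}

def pe_offset(data):
    """Offset of the 'PE\\0\\0' signature, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew

def is_pe_file(data):
    """True for a Windows executable or DLL, whatever its extension or icon."""
    return pe_offset(data) is not None

def pe_machine(data):
    """Target CPU from the COFF header's Machine field, or None for a non-PE file."""
    off = pe_offset(data)
    if off is None:
        return None
    (machine,) = struct.unpack_from("<H", data, off + 4)
    return MACHINES.get(machine, "unknown (0x%X)" % machine)

def printable_strings(data, min_len=8):
    """Runs of printable ASCII: the 'actual English' seen among the gibberish."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":
    # Give a downloaded file's path to inspect it; with no argument use SAMPLE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("PE file:", is_pe_file(blob), "| machine:", pe_machine(blob))
    for s in printable_strings(blob):
        print("  ", s)
```

Reading a file this way (or in Notepad) only parses its bytes; nothing in it is executed, which is what makes header and string inspection a safe first triage step before deciding what to do with a download.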