AIM worm and AV...

Published: 2005-11-20
Last Updated: 2005-11-21 11:53:57 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
We received a file called pics.exe from one of our readers. This file was appearing in a url from one of those AIM worms...nothing new, right? Almost...the thing with this file is:
- It is a RAR file, which contatins 4 different files, which will be installed at C:WINDOWSmsupd
    - rep.exe - an SDBot variant
    - 1004270.exe - Cheats Explorer Add-on (toolbar for IE)
    - YSBAgree.exe - Is the one which will start all the others...(as referenced at the RAR file:  Setup=C:WINDOWSmsupdYSBAgree.exe)
    - iS.exe - looks like the one which will send the messages to the users at the AIM. Messages like the following:

->let me know if you can open this:<Snip>/pics.exe
->this doesn't work for me, does it work for you?<Snip>/pics.exe
->let me know what you think:<Snip>/pics.exe
->holy cow...this girl is going crazy:<Snip>/pics.exe
->these are pretty nice, maybe you should take a look -<Snip>/pics.exe
->are these of you? they look just like you -<Snip>/pics.exe
->this girl is nuts, I can't believe she did this -<Snip>/pics.exe
->wow...check this out, you have to see it:<Snip>/pics.exe
->this deleted all my viruses and spyware -<Snip>/clean.exe
->I can't believe this acutally fixed my computer:<Snip>/clean.exe
->I didn't think it would work, but it fixed everything on my computer -<Snip>/clean.exe

Did I mention that from all files, the big pack one called pics.exe, rep.exe, 1004270.exe, YSBAgree.exe and iS.exe, only the rep.exe is alreayd identified by some AV vendors at VirusTotal? careful and pay attention...!

As I sent them to my personal AV vendors email list, most of them are already detecting them! Good work!

Pedro Bueno - pbueno //%%// isc. sans. org
0 comment(s)


Diary Archives