New AIM worm

Published: 2005-12-06
Last Updated: 2005-12-06 01:55:38 UTC
by Bojan Zdrnja (Version: 2)
0 comment(s)
Malware authors just opened their own holiday season. We received couple of reports of a new AIM worm spreading.
The worm is simple and doesn't exploit any vulnerability; instead it relies on social engineering.

The user will receive the following AIM message:

"This AIM user has sent you a Greetings Card, to open it visit: http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM"

Instead of going to the AOLs site, this link actually points to a different site (http://<REMOVED>.<REMOVED>.134.156/My_Christmas_Card.COM) from which the user will download the worm.
This file is a SDBot variant and at the moment the most popular AV programs detect it generically.

Thanks to Joshua!

Update: Some readers have alerted us, and we have confirmed, that there is also a variant going around that redirects to the same IP, but downloads, My_Christmas_Card.SCR.  Note, that many of the AV vendors identify this as a variant of SDBot.

Keywords:
0 comment(s)

Malware Analysis Quiz 5

Published: 2005-12-05
Last Updated: 2005-12-05 11:03:11 UTC
by Pedro Bueno (Version: 1)
0 comment(s)
For those following my quizes, today I released the results of the previous one and already posted the new one, the Malware Analysis Quiz 5, take a look and submit your answers!
Thanks for all the feedback received!
------------------------------------------------
Pedro Bueno (pbueno //&&// isc. sans. org)
Keywords:
0 comment(s)

Comments


Diary Archives