AIM Virus Spreading

Discussion in 'malware problems & news' started by dlevere, Apr 28, 2005.

Thread Status:
Not open for further replies.
  1. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    :(
    Seems like there is an AIM executable virus going around right now, with the message: "hey check out this!" "this" is a link to *****************. It automatically links to a download: a file named "unknown@hotmail.com", an MS-DOS application that is 44 KB.

    Do NOT click and download or open that .exe. It will spread by sending that message via your buddy list, and hopefully this isn't malicious but a little script kiddie pulling off a joke.

    Edit: My friend tried opening this up. It creates a system32 file and adds itself to bootup/startup. Then it connects to 70.84.222.146 on port 4367 with a process named minimsg.exe. Malicious indeed.

    Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-04-26 09:11 EDT
    Interesting ports on 146.70-84-222.reverse.theplanet.com (70.84.222.146):
    (The 1639 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    1/tcp open tcpmux
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop3
    111/tcp open rpcbind
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    143/tcp open imap
    443/tcp open https
    445/tcp filtered microsoft-ds
    465/tcp open smtps
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    6666/tcp open irc-serv
    8080/tcp open http-proxy
    8081/tcp open blackice-icecap
    8082/tcp open blackice-alerts
    Device type: general purpose
    Running: FreeBSD 4.X, Linux 1.X
    OS details: FreeBSD 4.10-STABLE, Linux 1.3.20 (x86)
    Uptime 11.081 days (since Fri Apr 15 07:15:34 2005)

    Nmap run completed -- 1 IP address (1 host up) scanned in 14.599 seconds

    One more thing, here is some WHOIS info about the ip.

    OrgName: ThePlanet.com Internet Services, Inc.
    OrgID: TPCM
    Address: 1333 North Stemmons Freeway
    Address: Suite 110
    City: Dallas
    StateProv: TX
    PostalCode: 75207
    Country: US

    ReferralServer: rwhois://rwhois.theplanet.com:4321

    NetRange: 70.84.0.0 - 70.87.127.255
    CIDR: 70.84.0.0/15, 70.86.0.0/16, 70.87.0.0/17
    NetName: NETBLK-THEPLANET-BLK-13
    NetHandle: NET-70-84-0-0-1
    Parent: NET-70-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.THEPLANET.COM
    NameServer: NS2.THEPLANET.COM
    Comment:
    RegDate: 2004-07-29
    Updated: 2005-03-24

    TechHandle: PP46-ARIN
    TechName: Pathos, Peter
    TechPhone: +1-214-782-7800
    TechEmail: *****@theplanet.com

    OrgAbuseHandle: ABUSE271-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-214-782-7802
    OrgAbuseEmail: *****@theplanet.com

    OrgNOCHandle: TECHN33-ARIN
    OrgNOCName: Technical Support
    OrgNOCPhone: +1-214-782-7800
    OrgNOCEmail: ******@theplanet.com

    OrgTechHandle: TECHN33-ARIN
    OrgTechName: Technical Support
    OrgTechPhone: +1-214-782-7800
    OrgTechEmail: ******@theplanet.com
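The indicators reported in this post (process name minimsg.exe, an outbound connection to 70.84.222.146 on port 4367, a startup entry) are enough to write a simple host triage check. The script below is an added example, not code from the original post or from any vendor; it matches those indicators against constructed sample output imitating `netstat -ano`, `tasklist` and `reg query` on Windows XP (the sample rows, PIDs and local addresses are made up for illustration), and it also parses nmap "normal" output like the scan quoted above into a map of open ports so the IRC port on the remote host stands out.

```python
"""Host triage for the AIM worm described in the thread.

Added example, not code from the original post. It checks the poster's
indicators (minimsg.exe, TCP to 70.84.222.146:4367, a Run-key entry)
against constructed sample tool output, and parses nmap normal output.
"""
import re

# Indicators as reported in the thread (taken from the post, not verified here).
C2_IP = "70.84.222.146"
C2_PORT = 4367
WORM_IMAGE = "minimsg.exe"

# `netstat -ano` row on Windows XP: Proto, Local, Foreign, State, PID
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")
# nmap normal-output port row: "80/tcp open http"
NMAP_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)")

# --- constructed sample output (not captured from a real infection) ---
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.5:1043       70.84.222.146:4367     ESTABLISHED     1532
  TCP    192.168.1.5:1044       64.12.24.30:5190       ESTABLISHED     1320
"""
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
aim.exe                     1320 Console                 0     18,204 K
minimsg.exe                 1532 Console                 0      2,344 K
"""
RUNKEY_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    AIM         REG_SZ    C:\Program Files\AIM\aim.exe
    minimsg     REG_SZ    C:\WINDOWS\system32\minimsg.exe
"""
# Port table as quoted in the post's nmap run (normal output format).
NMAP_SAMPLE = """\
PORT STATE SERVICE
1/tcp open tcpmux
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
6666/tcp open irc-serv
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
"""


def scan_netstat(lines):
    """Return (pid, state) for every TCP socket to the reported C2 address:port."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m and m.group(3) == C2_IP and int(m.group(4)) == C2_PORT:
            hits.append((int(m.group(6)), m.group(5)))
    return hits


def scan_tasklist(lines):
    """Return PIDs of running processes whose image name matches the worm's."""
    return [int(p[1]) for p in (l.split() for l in lines)
            if len(p) >= 2 and p[0].lower() == WORM_IMAGE and p[1].isdigit()]


def scan_run_key(lines):
    """Return Run-key values whose data points at the worm image (persistence)."""
    return [l.strip() for l in lines if "REG_SZ" in l and WORM_IMAGE in l.lower()]


def parse_nmap_open_ports(text):
    """Return {port: service} for rows nmap reported as open."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_PORT_RE.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = m.group(4)
    return ports


def triage(netstat, tasklist, runkey):
    """Correlate the checks; a PID seen in both netstat and tasklist is the strongest signal."""
    conn = scan_netstat(netstat.splitlines())
    procs = scan_tasklist(tasklist.splitlines())
    persist = scan_run_key(runkey.splitlines())
    confirmed = sorted({pid for pid, _ in conn} & set(procs))
    return {"c2_connections": conn, "worm_pids": procs,
            "persistence": persist, "confirmed_pids": confirmed}


if __name__ == "__main__":
    print(triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, RUNKEY_SAMPLE))
    print(parse_nmap_open_ports(NMAP_SAMPLE))
```

On a live machine you would feed the real `netstat -ano`, `tasklist` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output into `triage()`; the PID correlation matters because a process name alone is easy to fake, while a socket to the reported address from the same PID is hard to explain away. Blocking 70.84.222.146:4367 at the perimeter and alerting on the Run-key value are the obvious containment steps once the check fires.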
     
  2. tluskie

    tluskie Guest

  3. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I need to hurry up and release my ChatStop program. This wouldn't be as much of a problem if people couldn't run their chat programs ;)
     