MSN Messenger Users Warned of Internet Virus - Rodok Worm

Discussion in 'malware problems & news' started by javacool, Oct 10, 2002.

Thread Status:
Not open for further replies.
  1. javacool

    javacool BrightFort Moderator

    (Quoted from securitynewsportal.com)
    BitDefender has posted information regarding this worm:
    http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=102

    -Javacool
  2. Technodrome

    Technodrome Security Expert

    It is also known as Fleming!

    The Internet worm "Fleming" has been detected stealing registration information from computer games.

    Kaspersky Labs, an international data-security software developer, announces the detection of a multi-component malicious program spreading itself via the popular Windows (.NET) Messenger program. The harmful code contains a "trojan" that hijacks registration information from the computer games Counter-Strike and Half-Life. Fleming also tries to download and launch other mal-intended programs from the Internet. At this time multiple infections have been registered.

    The Fleming Internet worm is a 32-bit Windows application (.exe file) with a size of 53,248 bytes and written in Visual Basic. The worm spreads via the Windows (.NET) Messenger Internet chat program that is built into Windows XP. The worm circulates a message written in English that proposes recipients download a program supposedly developed by the message's author.

    The message appears as follows:

    http://www.avp.ru/imagesen/news/fleming.gif
    The Internet address appearing in the message (http://home.no.net/downlxad/BR2002.exe) contains a copy of the worm.

    Fleming does not install itself into the system and is triggered into action only if users launch its code (for example, double-clicking on the program icon in Windows Explorer). When launched, Fleming attempts to download two files from the Internet site "http://home.no.net/downlxad/". The names and save locations of these two files are:


    C:\update35784.exe
    C:\hehe2397824.exe

    Next the worm connects with Windows (.NET) Messenger and waits for incoming messages. When it receives certain messages from the user "styggefolk@hotmail.com", Fleming sends out a reply containing registration information (CD-Keys) from Counter-Strike and Half-Life.
    Fleming also finds the Windows (.NET) Messenger contact list and sends its message to each entry.

    According to Kaspersky Labs, at this time, the Internet resource "http://home.n0.net/downl0ad/BR2002.exe" is locked.

    source: http://www.avp.ru



    Technodrome
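A host sweep for the file indicators named in the write-up above (the two downloaded file names, the BR2002.exe name and the 53,248-byte size), as an added example that is not part of either post or of any vendor's tooling. The function names, the finding labels and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Indicators taken from the write-up quoted in the thread.
DROPPED_AT_ROOT = {"update35784.exe", "hehe2397824.exe"}  # saved to the C: root
WORM_NAME = "br2002.exe"   # file name in the circulated link
WORM_SIZE = 53248          # worm body size in bytes

def sweep(root):
    """Return sorted (indicator, path) findings under root (the drive root)."""
    findings = []
    # The downloaded components sit directly in the drive root. Windows file
    # names are case-insensitive, so compare lowercased names.
    for entry in os.scandir(root):
        if entry.is_file() and entry.name.lower() in DROPPED_AT_ROOT:
            findings.append(("dropped-component", entry.path))
    # The worm does not install itself, so its copy stays wherever the user
    # saved it: walk the whole tree for the name and the exact size.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if not lname.endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:      # unreadable or vanished file: skip it
                continue
            if lname == WORM_NAME:
                kind = "worm-name+size" if size == WORM_SIZE else "worm-name"
                findings.append((kind, path))
            elif size == WORM_SIZE:   # size alone is a weak signal
                findings.append(("size-only-weak", path))
    return sorted(findings)

def demo():
    """Run sweep() over a constructed tree standing in for the C: drive."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Downloads"))
        samples = {  # constructed sample files: relative path -> size
            "UPDATE35784.EXE": 10,
            os.path.join("Downloads", "BR2002.exe"): WORM_SIZE,
            os.path.join("Downloads", "setup.exe"): WORM_SIZE,
            os.path.join("Downloads", "hehe2397824.exe"): 10,  # not in root
        }
        for rel, size in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"\0" * size)
        return [(kind, os.path.relpath(p, root)) for kind, p in sweep(root)]
```

A size-only match is a lead for hashing or an antivirus scan, not a verdict, since any unrelated executable can be 53,248 bytes long.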