AIM Virus Spreading

Discussion in 'malware problems & news' started by dlevere, Apr 28, 2005.

Thread Status:
Not open for further replies.
  1. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    :(
    Seems like there is a AIM executable virus going around right now. With the message of: "hey check out this!" "this" is a link to *****************. It automatically links to a download; a file named "unknown@hotmail.com", a MS-DOS application that is 44kb.

    Do NOT click and download or open that .exe. It will spread sending that message via your buddy list and hopefully this isn't malicious but a little script kiddie pulling off a joke.

    Edit: My friend tried opening this up. It creates a system32 file, adds itself to bootup/startup. Then it connects itself to 70.84.222.146 through port 4367 with a process named minimsg.exe. Malicious indeed.

    Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-04-26 09:11 EDT
    Interesting ports on 146.70-84-222.reverse.theplanet.com (70.84.222.146):
    (The 1639 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    1/tcp open tcpmux
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop3
    111/tcp open rpcbind
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    143/tcp open imap
    443/tcp open https
    445/tcp filtered microsoft-ds
    465/tcp open smtps
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    6666/tcp open irc-serv
    8080/tcp open http-proxy
    8081/tcp open blackice-icecap
    8082/tcp open blackice-alerts
    Device type: general purpose
    Running: FreeBSD 4.X, Linux 1.X
    OS details: FreeBSD 4.10-STABLE, Linux 1.3.20 (x86)
    Uptime 11.081 days (since Fri Apr 15 07:15:34 2005)

    Nmap run completed -- 1 IP address (1 host up) scanned in 14.599 seconds

    One more thing, here is some WHOIS info about the ip.

    OrgName: ThePlanet.com Internet Services, Inc.
    OrgID: TPCM
    Address: 1333 North Stemmons Freeway
    Address: Suite 110
    City: Dallas
    StateProv: TX
    PostalCode: 75207
    Country: US

    ReferralServer: rwhois://rwhois.theplanet.com:4321

    NetRange: 70.84.0.0 - 70.87.127.255
    CIDR: 70.84.0.0/15, 70.86.0.0/16, 70.87.0.0/17
    NetName: NETBLK-THEPLANET-BLK-13
    NetHandle: NET-70-84-0-0-1
    Parent: NET-70-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.THEPLANET.COM
    NameServer: NS2.THEPLANET.COM
    Comment:
    RegDate: 2004-07-29
    Updated: 2005-03-24

    TechHandle: PP46-ARIN
    TechName: Pathos, Peter
    TechPhone: +1-214-782-7800
    TechEmail: *****@theplanet.com

    OrgAbuseHandle: ABUSE271-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-214-782-7802
    OrgAbuseEmail: *****@theplanet.com

    OrgNOCHandle: TECHN33-ARIN
    OrgNOCName: Technical Support
    OrgNOCPhone: +1-214-782-7800
    OrgNOCEmail: ******@theplanet.com

    OrgTechHandle: TECHN33-ARIN
    OrgTechName: Technical Support
    OrgTechPhone: +1-214-782-7800
    OrgTechEmail: ******@theplanet.com
     
  2. tluskie

    tluskie Guest

  3. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I need to hurry up and release my ChatStop program. This wouldn't be as much of a problem if people can't run their Chat programs ;)
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.