AIM Virus Spreading

Discussion in 'malware problems & news' started by dlevere, Apr 28, 2005.

Thread Status:
Not open for further replies.
  1. dlevere

    dlevere Registered Member

    Nov 7, 2002
    Philadelphia, PA
    Seems like there is an AIM executable virus going around right now, with the message: "hey check out this!" "this" is a link to *****************. It automatically links to a download; a file named "", an MS-DOS application that is 44kb.

    Do NOT click, download, or open that .exe. It will spread by sending that message to your buddy list. Hopefully this isn't malicious, but just a little script kiddie pulling off a joke.

    Edit: My friend tried opening this up. It creates a system32 file and adds itself to bootup/startup. Then it connects to through port 4367 with a process named minimsg.exe. Malicious indeed.

    Starting nmap 3.75 ( ) at 2005-04-26 09:11 EDT
    Interesting ports on (
    (The 1639 ports scanned but not shown below are in state: closed)
    1/tcp open tcpmux
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop3
    111/tcp open rpcbind
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    143/tcp open imap
    443/tcp open https
    445/tcp filtered microsoft-ds
    465/tcp open smtps
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    6666/tcp open irc-serv
    8080/tcp open http-proxy
    8081/tcp open blackice-icecap
    8082/tcp open blackice-alerts
    Device type: general purpose
    Running: FreeBSD 4.X, Linux 1.X
    OS details: FreeBSD 4.10-STABLE, Linux 1.3.20 (x86)
    Uptime 11.081 days (since Fri Apr 15 07:15:34 2005)

    Nmap run completed -- 1 IP address (1 host up) scanned in 14.599 seconds

    One more thing, here is some WHOIS info about the ip.

    OrgName: Internet Services, Inc.
    OrgID: TPCM
    Address: 1333 North Stemmons Freeway
    Address: Suite 110
    City: Dallas
    StateProv: TX
    PostalCode: 75207
    Country: US

    ReferralServer: rwhois://

    NetRange: -
    NetHandle: NET-70-84-0-0-1
    Parent: NET-70-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.THEPLANET.COM
    NameServer: NS2.THEPLANET.COM
    RegDate: 2004-07-29
    Updated: 2005-03-24

    TechHandle: PP46-ARIN
    TechName: Pathos, Peter
    TechPhone: +1-214-782-7800
    TechEmail: *****

    OrgAbuseHandle: ABUSE271-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-214-782-7802
    OrgAbuseEmail: *****

    OrgNOCHandle: TECHN33-ARIN
    OrgNOCName: Technical Support
    OrgNOCPhone: +1-214-782-7800
    OrgNOCEmail: ******

    OrgTechHandle: TECHN33-ARIN
    OrgTechName: Technical Support
    OrgTechPhone: +1-214-782-7800
    OrgTechEmail: ******
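    The indicators in the post above (a process named minimsg.exe, an outbound connection on port 4367, and a startup entry launching a dropped file out of system32) can be turned into a quick host sweep. The script below is an added example, not code from the original post. It assumes the telemetry comes from `tasklist /FO CSV`, `netstat -ano` and `reg query ...\Run` (hypothetical input formats; the post gives none), assumes the dropped system32 file shares the minimsg.exe process name (an assumption, the post does not name the file), and runs over constructed sample lines with a documentation IP (203.0.113.5) standing in for the redacted host.

```python
"""Host IOC sweep for the AIM worm described in the post (added example).

Assumptions, not stated on the page:
  - input formats are `tasklist /FO CSV`, `netstat -ano` and `reg query ...\Run`
  - the dropped system32 file is named like the process, minimsg.exe
  - all sample lines below are constructed; 203.0.113.5 stands in for the
    redacted remote host
"""
import csv
import io
import re

# Indicators taken from the post.
IOC_PROCESS = "minimsg.exe"
IOC_PORT = 4367
IOC_DIR = r"c:\windows\system32"

# Constructed sample telemetry (not captured from a real machine).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1204","Console","0","21,512 K"
"aim.exe","1388","Console","0","18,004 K"
"minimsg.exe","1560","Console","0","1,992 K"
'''

NETSTAT_LINES = [
    "  TCP    192.168.1.20:1043     64.12.24.10:5190     ESTABLISHED     1388",
    "  TCP    192.168.1.20:1051     203.0.113.5:4367     ESTABLISHED     1560",
    "  UDP    0.0.0.0:137           *:*                                  4",
]

REG_LINES = [
    r"    AIM        REG_SZ    C:\Program Files\AIM\aim.exe -cnetwait.odl",
    r"    minimsg    REG_SZ    C:\WINDOWS\system32\minimsg.exe",
]

# proto, local, remote, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def suspicious_processes(tasklist_csv):
    """Return PIDs whose image name matches the worm's process name."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return [int(row["PID"]) for row in reader
            if row["Image Name"].lower() == IOC_PROCESS]


def suspicious_connections(netstat_lines, flagged_pids):
    """Flag TCP sessions to the worm's port, or owned by an already-flagged PID."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _local, remote, _state, pid = m.groups()
        if proto != "TCP":
            continue
        host, _, port = remote.rpartition(":")
        if port.isdigit() and (int(port) == IOC_PORT or int(pid) in flagged_pids):
            hits.append((host, int(port), int(pid)))
    return hits


def suspicious_run_keys(reg_lines):
    """Flag Run-key values that launch the worm's binary from system32."""
    hits = []
    for line in reg_lines:
        parts = line.split(None, 2)          # name, type, data (data may contain spaces)
        if len(parts) != 3:
            continue
        name, _type, data = parts
        path = data.strip().lower()
        if path.startswith(IOC_DIR) and path.endswith(IOC_PROCESS):
            hits.append((name, data.strip()))
    return hits


def sweep(tasklist_csv=TASKLIST_CSV, netstat_lines=NETSTAT_LINES, reg_lines=REG_LINES):
    """Run all three checks and return the findings keyed by indicator type."""
    pids = suspicious_processes(tasklist_csv)
    return {
        "pids": pids,
        "connections": suspicious_connections(netstat_lines, pids),
        "run_keys": suspicious_run_keys(reg_lines),
    }


if __name__ == "__main__":
    for kind, findings in sweep().items():
        print(f"{kind}: {findings}")
```

On a real host the three inputs would be read from the corresponding commands; the AIM client's own session to port 5190 is left alone because neither its port nor its PID matches an indicator, which is the kind of benign-traffic check a sweep like this needs so it does not flag every chat user.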
  2. tluskie

    tluskie Guest

  3. Capp

    Capp Registered Member

    Oct 16, 2004
    United States
    I need to hurry up and release my ChatStop program. This wouldn't be as much of a problem if people couldn't run their chat programs ;)