AIM Virus Spreading

Discussion in 'malware problems & news' started by dlevere, Apr 28, 2005.

Thread Status:
Not open for further replies.
  1. dlevere

    dlevere Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    15
    Location:
    Philadelphia, PA
    :(
    Seems like there is an AIM executable virus going around right now, with the message: "hey check out this!" "this" is a link to *****************. It automatically links to a download, a file named "unknown@hotmail.com", an MS-DOS application that is 44 KB.

    Do NOT click and download or open that .exe. It will spread by sending that message to everyone on your buddy list. Hopefully this isn't malicious, just a little script kiddie pulling off a joke.

    Edit: My friend tried opening this up. It creates a system32 file, adds itself to bootup/startup. Then it connects itself to 70.84.222.146 through port 4367 with a process named minimsg.exe. Malicious indeed.

    Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-04-26 09:11 EDT
    Interesting ports on 146.70-84-222.reverse.theplanet.com (70.84.222.146):
    (The 1639 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    1/tcp open tcpmux
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop3
    111/tcp open rpcbind
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    143/tcp open imap
    443/tcp open https
    445/tcp filtered microsoft-ds
    465/tcp open smtps
    993/tcp open imaps
    995/tcp open pop3s
    3306/tcp open mysql
    6666/tcp open irc-serv
    8080/tcp open http-proxy
    8081/tcp open blackice-icecap
    8082/tcp open blackice-alerts
    Device type: general purpose
    Running: FreeBSD 4.X, Linux 1.X
    OS details: FreeBSD 4.10-STABLE, Linux 1.3.20 (x86)
    Uptime 11.081 days (since Fri Apr 15 07:15:34 2005)

    Nmap run completed -- 1 IP address (1 host up) scanned in 14.599 seconds

    One more thing, here is some WHOIS info about the ip.

     
  2. tluskie

    tluskie Guest

  3. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I need to hurry up and release my ChatStop program. This wouldn't be as much of a problem if people couldn't run their chat programs ;)
     