MSN Messenger Users Warned of Internet Virus - Rodok Worm

Discussion in 'malware problems & news' started by javacool, Oct 10, 2002.

Thread Status:
Not open for further replies.
  1. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,101
    (Quoted from securitynewsportal.com)
    BitDefender has posted information regarding this worm:
    http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=102

    -Javacool
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    It also known as Fleming!

    The Internet worm "Fleming" has been detected stealing registration information from computer games.

    Kaspersky Labs, an international data-security software developer, announces the detection of a multi-component malicious program spreading itself via the popular Windows (.NET) Messenger program. The harmful code contains a "trojan" that hijacks registration information from the computer games Counter-Strike and Half-Life. Fleming also tries to download and launch other mal-intended programs from the Internet. At this time multiple infections have been registered.

    The Fleming Internet worm is a 32-bit Windows application (.exe file) with a size of 53,248 bytes and written in Visual Basic. The worm spreads via the Windows (.NET) Messenger Internet chat program that is built into Windows XP. The worm circulates a message written in English that proposes recipients download a program supposedly developed by the message's author.

    The message appears as follows:

    http://www.avp.ru/imagesen/news/fleming.gif
    The Internet address appearing in the message (http://home.no.net/downlxad/BR2002.exe) contains a copy of the worm.

    Fleming does not install itself into the system and is triggered into action only if users launch its code (for example, double-clicking on the program icon in Windows Explorer). When launched, Fleming attempts to download two files from the Internet site "http://home.no.net/downlxad/". The names and save locations of these two files are:


    C:\update35784.exe
    C:\hehe2397824.exe

    Next the worm connects with Windows (.NET) Messenger and waits for incoming messages. When it receives certain messages from the user "styggefolk@hotmail.com", Fleming sends out a reply containing registration information (CD-Keys) from Counter-Strike and Half-Life.
    Fleming also finds the Windows (.NET) Messenger contact list and sends its message to each entry.

    According to Kaspersky Labs, at this time, the Internet resource "http://home.n0.net/downl0ad/BR2002.exe" is locked.

    source: http://www.avp.ru



    Technodrome
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.