funsec mailing list archives

Fwd: Re: Unknown virus on AIM


From: Nicholas Albright <nalbright () shadowserver org>
Date: Wed, 18 Jan 2006 09:17:32 -0700


Colorado University has filtered this IP Address. It was an infected dorm 
machine but they won't give me any more information. 


----------  Forwarded Message  ----------

Subject: Re: [funsec] Unknown virus on AIM
Date: Wednesday 18 January 2006 08:35
From: Jeff Kell <jeff-kell () utc edu>
To: Todd Towles <toddtowles () brookshires com>
Cc: funsec () linuxbox org

Todd Towles wrote:
Hey guys,

This virus must not be new, but I have looked at two anti-virus sites
(sophos and norton) and can't seem to pin it down. A young lady sent me
a message last night ("should I add these pics of us on my myspace or
facebook?") then it had a link

The URL was a photobucket link, but it really linked to some
prettyinpink website...I closed the message so I don't have the exact
sentence. I attempted to download the file but it was no longer up and
working, so no sample to look at.

Just another AIM-bot (bot itself sends whatever string the controller
specifies to everyone in the victim's buddy list).  You probably saw
this one (this one came out of a zombie at colorado.edu):

#(4 - 966) [2006-01-17 23:18:28] [snort/1]  Tagged Packet
IPv4: 128.138.6.233 -> 172.20.91.254
      hlen=5 TOS=0 dlen=477 ID=50215 flags=0 offset=0 TTL=115 chksum=45677
TCP:  port=5190 -> dport: 3001  flags=***AP*** seq=1786591149
      ack=2451626560 off=5 res=0 win=64048 urp=0 chksum=21705
Payload:  length = 437

000 : 3A 5B 44 30 39 7C 55 53 41 7C 39 33 30 35 37 5D   :[D09|USA|93057]
010 : 21 58 50 2D 35 32 34 38 40 31 35 30 2E 31 38 32   !XP-5248@150.182
020 : 2E 31 38 34 2E 32 32 31 20 4A 4F 49 4E 20 3A 23   .184.221 JOIN :#
030 : 67 0D 0A 3A 68 75 62 2E 38 30 38 39 2E 63 6F 6D   g..:hub.8089.com
040 : 20 33 33 32 20 5B 44 30 39 7C 55 53 41 7C 39 33    332 [D09|USA|93
050 : 30 35 37 5D 20 23 67 20 3A 2E 61 69 6D 20 73 68   057] #g :.aim sh
060 : 6F 75 6C 64 20 69 20 70 75 74 20 74 68 65 73 65   ould i put these
070 : 20 70 69 63 74 75 72 65 73 20 6F 66 20 75 73 20    pictures of us
080 : 6F 6E 20 6D 79 73 70 61 63 65 20 6F 72 20 66 61   on myspace or fa
090 : 63 65 62 6F 6F 6B 3F 20 3C 41 20 48 52 45 46 3D   cebook? <A HREF=
0a0 : 22 68 74 74 70 3A 2F 2F 64 6F 77 6E 6C 6F 61 64   "http://download
0b0 : 2E 70 69 6E 6B 69 65 73 70 61 6C 61 63 65 2E 6E   .pinkiespalace.n
0c0 : 65 74 2F 70 69 63 74 75 72 65 30 31 2E 70 69 66   et/picture01.pif
0d0 : 22 3E 68 74 74 70 3A 2F 2F 70 68 6F 74 6F 62 75   ">http://photobu
0e0 : 63 6B 65 74 2E 63 6F 6D 2F 4E 65 77 50 69 63 74   cket.com/NewPict
0f0 : 75 72 65 73 2F 70 69 63 32 30 2E 6A 70 67 3C 2F   ures/pic20.jpg</
100 : 41 3E 0D 0A 3A 68 75 62 2E 38 30 38 39 2E 63 6F   A>..:hub.8089.co
110 : 6D 20 33 33 33 20 5B 44 30 39 7C 55 53 41 7C 39   m 333 [D09|USA|9
120 : 33 30 35 37 5D 20 23 67 20 63 6F 6D 70 65 74 65   3057] #g compete
130 : 6E 43 65 20 31 31 33 37 35 35 37 32 37 35 0D 0A   nCe 1137557275..
140 : 3A 68 75 62 2E 38 30 38 39 2E 63 6F 6D 20 33 35   :hub.8089.com 35
150 : 33 20 5B 44 30 39 7C 55 53 41 7C 39 33 30 35 37   3 [D09|USA|93057
160 : 5D 20 40 20 23 67 20 3A 5B 44 30 39 7C 55 53 41   ] @ #g :[D09|USA
170 : 7C 39 33 30 35 37 5D 20 0D 0A 3A 68 75 62 2E 38   |93057] ..:hub.8
180 : 30 38 39 2E 63 6F 6D 20 33 36 36 20 5B 44 30 39   089.com 366 [D09
190 : 7C 55 53 41 7C 39 33 30 35 37 5D 20 23 67 20 3A   |USA|93057] #g :
1a0 : 45 6E 64 20 6F 66 20 2F 4E 41 4D 45 53 20 6C 69   End of /NAMES li
1b0 : 73 74 2E 0D 0A                                    st...

Jeff
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

-------------------------------------------------------

-- 
Nicholas Albright
http://www.shadowserver.org
mailto: nalbright () shadowserver org
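The capture above shows the bot's tasking channel: the infected host joins an IRC channel and receives its instructions in the channel topic (numeric 332), where a ".aim" command carries the lure text and an HTML anchor whose visible text (a photobucket link) differs from its real target (a .pif file). The following is an added example, not code from the thread or from any of its participants: it reconstructs the 437-byte payload from the hex dump, parses it as IRC lines, and flags the topic on the three defender-relevant signals visible in the capture. The detection heuristics (command-style topic, mismatched link text, executable file extension) and the list of extensions are my own assumptions, not anything stated on the page.

```python
import re
from dataclasses import dataclass

# Payload reconstructed byte-for-byte from the snort hex dump in Jeff Kell's
# message (437 bytes). Hostnames and nicks are those that appear in the dump.
CAPTURED_PAYLOAD = (
    b":[D09|USA|93057]!XP-5248@150.182.184.221 JOIN :#g\r\n"
    b":hub.8089.com 332 [D09|USA|93057] #g :.aim should i put these pictures "
    b"of us on myspace or facebook? <A HREF=\"http://download.pinkiespalace.net/"
    b"picture01.pif\">http://photobucket.com/NewPictures/pic20.jpg</A>\r\n"
    b":hub.8089.com 333 [D09|USA|93057] #g competenCe 1137557275\r\n"
    b":hub.8089.com 353 [D09|USA|93057] @ #g :[D09|USA|93057] \r\n"
    b":hub.8089.com 366 [D09|USA|93057] #g :End of /NAMES list.\r\n"
)

# Assumed heuristics for this example: extensions that should never be the
# real target behind a link dressed up as a picture.
EXECUTABLE_EXT = (".pif", ".exe", ".scr", ".com", ".bat")
ANCHOR_RE = re.compile(r'<A\s+HREF="([^"]+)">([^<]*)</A>', re.IGNORECASE)


@dataclass
class IrcMessage:
    prefix: str      # ":server" or ":nick!user@host", without the colon
    command: str     # "JOIN", "332", ...
    params: list     # middle parameters, e.g. ["[D09|USA|93057]", "#g"]
    trailing: str    # text after " :", e.g. the topic


def parse_irc(payload: bytes) -> list:
    """Split a raw TCP payload into IRC messages (RFC 1459 line format)."""
    messages = []
    for raw in payload.split(b"\r\n"):
        if not raw:
            continue
        line = raw.decode("latin-1")
        prefix = ""
        if line.startswith(":"):
            prefix, _, line = line[1:].partition(" ")
        head, sep, trailing = line.partition(" :")
        parts = head.split()
        messages.append(IrcMessage(prefix, parts[0], parts[1:], trailing if sep else ""))
    return messages


def inspect_topic(messages: list) -> list:
    """Return human-readable findings for RPL_TOPIC (332) lines that look like bot tasking."""
    findings = []
    for m in messages:
        if m.command != "332":
            continue
        topic = m.trailing
        channel = m.params[-1]
        # Signal 1: a topic that begins with a dot-command is being used as a C&C instruction.
        if topic.startswith("."):
            verb = topic.split()[0]
            findings.append(f"command-style topic {verb!r} set for {channel}")
        for href, text in ANCHOR_RE.findall(topic):
            shown = text.strip()
            # Signal 2: the link the victim sees is not the link they would fetch.
            if shown and shown != href:
                findings.append(f"link text {shown!r} hides target {href!r}")
            # Signal 3: the real target is an executable masquerading as a picture.
            if href.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"target points at executable {href!r}")
    return findings


if __name__ == "__main__":
    for finding in inspect_topic(parse_irc(CAPTURED_PAYLOAD)):
        print(finding)
```

Run against the reconstructed payload, the parser yields the five IRC messages seen in the dump and the inspector reports all three signals for channel #g. The same parser can be pointed at any snort tagged-packet payload on the IRC port; the topic-based check is deliberately narrow so that it stays quiet on ordinary channel traffic.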


