Security Incidents mailing list archives

Re: buddylinks worm


From: Access Denied <trakeen3401 () hotmail com>
Date: 18 Feb 2004 11:23:53 -0000

In-Reply-To: <402953F1.6080509 () comcast net>

Disclaimer:  This post is a compilation of posts/e-mails I have sent companies to give them more information about 
buddylinks.net and what I have discovered.  It may not make sense because it is a compilation of these messages, but 
I've done my best to make it readable.  I do not work for any of the companies listed in this post and do not accept 
responsibility for anything you do with the information they provide.

A few months ago I used Trend Micro's online virus detection service and found TROJ_MENDWAR.A 
(http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MENDWAR.A), as the file osse.exe under 
C:\Documents and Settings\Administrator\Application Data\.  I have been monitoring this virus for quite a while, just waiting for it to 
do something.  It finally did.  

This trojan had been reporting to the IP address 66.150.193.111. This was a plain HTML web page with the IP address 
showing as the main body. Recently the virus vanished...  

osse.exe was replaced about a week ago by a program named rrrb.exe, also reporting to 66.150.193.111. The program 
rrrb.exe was executed at startup and ran in the background.  A new menu was added under Programs: Buddylinks.  I opened 
rrrb.exe with a hex editor and noticed a URL for www.buddylinks.net  

The IP 66.150.193.111 now redirects you to http://63.251.131.235/index.php?, where the Osama game once was, now Sadam 
Escapes.  There were also some new files added: blengine.dll, blaim.dll, blengine.exe, bldll.dll under C:\Program 
Files\Common Files\PSD Tools\.

A search for !update.exe may find the program used to update the virus if you were infected before the IM outbreak, and 
a search for blengine*.* will find the directory for files you need to remove to get rid of this virus/ad-ware, if it 
hasn't already infected AIM, MSN IM, or ICQ. I do not know what files are added/modified when it has already hijacked 
these IM clients. I currently do not run any IM programs because of the constant spam I was free of 6 years ago... 

People have reported this program reinstalling itself after using the Add/Remove programs option. I believe this is 
because it comes, or did at one time, in on an open port, but I am unable to verify this at the moment because I have 
not been infected since removing the files. It is also possible that not all files are removed with the Add/Remove 
programs procedure.

http://securityresponse.symantec.com/avcenter/venc/data/adware.buddylinks.html has more information on how to remove 
this virus/ad-ware as well, but I fear it may be wrong about the method of transmission, "manual download."

My only theory is that this trojan was deployed so machines would hit this site every 2 hours to show that it had a 
good volume of traffic to possible investors, IF there are any for this domain.

I e-mailed support () buddylinks net asking about the suspicious deployment of this program. The only response I 
received was a list of instructions to remove the program.  I sent another e-mail and got no response.


Hopefully this information was helpful to you.
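The post above lists host indicators (osse.exe, rrrb.exe, !update.exe, the blengine*/bldll/blaim files under Common Files\PSD Tools, the new Buddylinks folder under Programs) and a network indicator (check-ins to 66.150.193.111, later 63.251.131.235, roughly every 2 hours). The following script is an added example, not code from the original post or from any of the vendors named in it: it sweeps a list of file paths for those indicators and looks for the 2-hour beacon pattern in firewall log lines. The file listing, the log lines and their format, and the beacon tolerance thresholds are all constructed assumptions for the example; only the file names, directory, menu name and IP addresses come from the post.

```python
"""IOC sweep for the buddylinks adware described in the post above.

File names, the PSD Tools directory, the Buddylinks Programs-menu folder and
the C2 addresses are taken from the post.  The sample file listing, the log
lines, the log format and the beacon thresholds are constructed for this
example and are not real data.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Host indicators named in the post.
IOC_FILENAMES = {"osse.exe", "rrrb.exe", "!update.exe",
                 "blengine.dll", "blaim.dll", "blengine.exe", "bldll.dll"}
IOC_DIRECTORIES = {PureWindowsPath(r"C:\Program Files\Common Files\PSD Tools")}
IOC_MENU_DIR_NAME = "buddylinks"          # new folder under Start Menu\Programs
C2_ADDRESSES = {"66.150.193.111", "63.251.131.235"}


def match_host_iocs(paths):
    """Return the paths that match a file-name, directory or menu indicator."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        parts = [s.lower() for s in wp.parts]
        if name in IOC_FILENAMES or name.startswith("blengine"):   # blengine*.*
            hits.append(p)
        elif any(str(d).lower() == str(wp.parent).lower() for d in IOC_DIRECTORIES):
            hits.append(p)
        elif "programs" in parts and IOC_MENU_DIR_NAME in parts:
            hits.append(p)
    return hits


# Assumed log format: "<date> <time> <action> <proto> <src> <dst> <dport>".
LOG_RE = re.compile(r"^(\S+ \S+) \S+ \S+ (\S+) (\S+) (\d+)$")


def parse_log(lines):
    """Yield (timestamp, src, dst) from lines in the assumed format; skip others."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def find_beacons(lines, period=timedelta(hours=2),
                 tolerance=timedelta(minutes=10), min_hits=3):
    """Return {(src, dst): connection_count} for hosts that contact a C2
    address at roughly `period` intervals.  Period comes from the post's
    "every 2 hours"; tolerance, min_hits and the 80% rule are assumptions."""
    by_pair = {}
    for ts, src, dst in parse_log(lines):
        if dst in C2_ADDRESSES:
            by_pair.setdefault((src, dst), []).append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = sum(abs(g - period) <= tolerance for g in gaps)
        if regular >= len(gaps) * 0.8:     # most gaps are ~2 h
            beacons[pair] = len(times)
    return beacons


# Constructed sample data: an infected host plus benign entries.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Administrator\Application Data\rrrb.exe",
    r"C:\Program Files\Common Files\PSD Tools\blengine.dll",
    r"C:\Program Files\Common Files\PSD Tools\bldll.dll",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Buddylinks\Uninstall.lnk",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Program Files\Common Files\System\ole db\oledb32.dll",
]

SAMPLE_LOG = [
    "2004-02-17 08:00:12 ALLOW TCP 192.168.1.5 66.150.193.111 80",
    "2004-02-17 10:00:09 ALLOW TCP 192.168.1.5 66.150.193.111 80",
    "2004-02-17 12:00:15 ALLOW TCP 192.168.1.5 66.150.193.111 80",
    "2004-02-17 14:00:11 ALLOW TCP 192.168.1.5 66.150.193.111 80",
    "2004-02-17 09:13:44 ALLOW TCP 192.168.1.7 66.150.193.111 80",  # one-off visit
    "2004-02-17 08:00:00 ALLOW TCP 192.168.1.9 66.150.193.111 80",  # irregular hits
    "2004-02-17 08:05:00 ALLOW TCP 192.168.1.9 66.150.193.111 80",
    "2004-02-17 11:30:00 ALLOW TCP 192.168.1.9 66.150.193.111 80",
    "2004-02-17 11:02:00 ALLOW TCP 192.168.1.5 203.0.113.10 80",    # unrelated traffic
]

if __name__ == "__main__":
    for hit in match_host_iocs(SAMPLE_PATHS):
        print("host IOC:", hit)
    for (src, dst), n in find_beacons(SAMPLE_LOG).items():
        print(f"beacon: {src} -> {dst} ({n} connections, ~2 h apart)")
```

On a real machine you would feed `match_host_iocs` a recursive directory listing and `find_beacons` the exported firewall or proxy log after adjusting `LOG_RE` to its format; a host flagged by the beacon check but with no file hits is the case the post worries about, where Add/Remove Programs left something behind or the program reinstalled itself.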
