Security Incidents mailing list archives
Re: buddylinks worm
From: Access Denied <trakeen3401 () hotmail com>
Date: 18 Feb 2004 11:23:53 -0000
In-Reply-To: <402953F1.6080509 () comcast net>

Disclaimer: This post is a compilation of posts/e-mails I have sent companies to give them more information about buddylinks.net and what I have discovered. It may not make sense because it is a compilation of these messages, but I've done my best to make it readable. I do not work for any of the companies listed in this post and do not accept responsibility for anything you do with the information they provide.

A few months ago I used Trendmicro's online virus detection service and found TROJ_MENDWAR.A (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MENDWAR.A), as the file osse.exe under C:\Documents and settings\Administrator\Application Data\. I have been monitoring this virus for quite a while, just waiting for it to do something. It finally did.

This trojan had been reporting to the IP address 66.150.193.111. This was a plain html web page with the IP address showing as the main body. Recently the virus vanished... osse.exe was replaced about a week ago by a program named rrrb.exe, also reporting to 66.150.193.111. The program rrrb.exe was executed at startup and ran in the background. A new menu was added under Programs: Buddylinks. I opened rrrb.exe with a hex editor and noticed a URL for www.buddylinks.net. The IP 66.150.193.111 now redirects you to Http://63.251.131.235/index.php?, where the Osama game once was, now Sadam Escapes.

There were also some new files added: blengine.dll, blaim.dll, blengine.exe, bldll.dll under c:\Program Files\Common Files\PSD Tools\. A search for !update.exe may find the program used to update the virus if you were infected before the IM outbreak, and a search for blengine*.* will find the directory for files you need to remove to get rid of this virus/ad-ware, if it hasn't already infected AIM, MSN IM, or ICQ. I do not know what files are added/modified when it has already hijacked these IM clients.

I currently do not run any IM programs because of the constant spam I was free of 6 years ago... People have reported this program reinstalling itself after using the Add/Remove programs option. I believe this is because it comes, or did at one time, in on an open port, but I am unable to verify this at the moment because I have not been infected since removing the files. It is also possible that not all files are removed with the Add/Remove programs procedure.

http://securityresponse.symantec.com/avcenter/venc/data/adware.buddylinks.html has more information on how to remove this virus/ad-ware as well, but I fear it may be wrong about the method of transmission, "manual download."

My only theory is that this trojan was deployed so machines would hit this site every 2 hours to show that it had a good volume of traffic to possible investors, IF there are any for this domain.

I e-mailed support () buddylinks net asking about the suspicious deployment of this program. The only response I received was a list of instructions to remove the program. I sent another e-mail and got no response. Hopefully this information was helpful to you.
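Added example for this thread (not code from the poster, Trend Micro, Symantec or buddylinks.net): a small Python sweep that turns the indicators quoted above (osse.exe, rrrb.exe, !update.exe, blengine*.*, the Common Files\PSD Tools directory, and the 66.150.193.111 / 63.251.131.235 addresses) into a file-system check and a proxy-log check, plus a test for the "every 2 hours" contact pattern the poster describes. The directory layout and the proxy-log format used below are constructed for the demonstration; the placement of !update.exe under Windows\ is an assumption, since the post does not say where it lives.

```python
"""IoC sweep for the buddylinks adware indicators quoted in the post.

Added example, not the poster's or any vendor's code. The sample directory tree,
the proxy-log line format and the log lines themselves are constructed here.
"""
import fnmatch
import os
import tempfile
from datetime import datetime
from urllib.parse import urlsplit

# File names quoted in the post; matched case-insensitively against base names.
FILE_PATTERNS = ["osse.exe", "rrrb.exe", "!update.exe", "blengine*.*", "blaim.dll", "bldll.dll"]
# Install directory quoted in the post, compared as a lower-cased path fragment.
DIR_MARKER = os.path.join("common files", "psd tools")
# Callback address from the post and the address it later redirected to.
SUSPECT_IPS = {"66.150.193.111", "63.251.131.235"}


def sweep_filesystem(root):
    """Walk `root` and return indicator file paths relative to it (forward slashes)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_marker_dir = DIR_MARKER in dirpath.lower()
        for name in files:
            by_name = any(fnmatch.fnmatchcase(name.lower(), p) for p in FILE_PATTERNS)
            if by_name or in_marker_dir:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def parse_proxy_line(line):
    """Constructed log format: '<ISO timestamp> <client ip> <method> <url>'."""
    ts, client, _method, url = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url).hostname


def scan_proxy_log(lines):
    """Return {client ip: [timestamps]} for requests whose host is a suspect IP."""
    contacts = {}
    for line in lines:
        ts, client, host = parse_proxy_line(line)
        if host in SUSPECT_IPS:
            contacts.setdefault(client, []).append(ts)
    return contacts


def looks_like_beacon(timestamps, expected_hours=2.0, tolerance_minutes=10, min_hits=3):
    """True when consecutive contacts are spaced about `expected_hours` apart,
    the regular check-in the poster observed (every 2 hours)."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(ts, ts[1:])]
    tol = tolerance_minutes / 60
    return all(abs(g - expected_hours) <= tol for g in gaps)


# Constructed proxy log: one host checking in every two hours, one unrelated host.
SAMPLE_LOG = [
    "2004-02-17T08:00:05 10.0.0.5 GET http://66.150.193.111/",
    "2004-02-17T08:03:11 10.0.0.9 GET http://www.example.com/news",
    "2004-02-17T10:00:07 10.0.0.5 GET http://66.150.193.111/",
    "2004-02-17T12:00:02 10.0.0.5 GET http://66.150.193.111/",
    "2004-02-17T12:41:40 10.0.0.9 GET http://63.251.131.235/index.php?",
    "2004-02-17T14:00:09 10.0.0.5 GET http://66.150.193.111/",
]


def build_sample_tree(root):
    """Constructed layout mirroring the paths quoted in the post, plus a benign file."""
    layout = [
        "Documents and Settings/Administrator/Application Data/rrrb.exe",
        "Program Files/Common Files/PSD Tools/blengine.dll",
        "Program Files/Common Files/PSD Tools/blaim.dll",
        "Program Files/Common Files/PSD Tools/bldll.dll",
        "Program Files/Common Files/PSD Tools/blengine.exe",
        "Program Files/Notepad/notepad.exe",   # benign: must not be reported
        "Windows/!update.exe",                 # assumed location, not from the post
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder")


def run_demo():
    """Build the sample tree, sweep it, scan the log, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        file_hits = sweep_filesystem(root)
    contacts = scan_proxy_log(SAMPLE_LOG)
    beacons = sorted(c for c, ts in contacts.items() if looks_like_beacon(ts))
    return {
        "file_hits": file_hits,
        "contacts": {c: len(ts) for c, ts in contacts.items()},
        "beacons": beacons,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real host the sweep would be pointed at the system drive and the log scanner at the proxy or firewall export; the beacon check is what separates the infected machine (regular two-hour contacts) from a user who merely browsed to the redirect page once.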
Current thread:
- Re: buddylinks worm, (continued)
- Re: buddylinks worm Dennis Cheung (Feb 12)
- Re: buddylinks worm falcon (Feb 12)
- Re: buddylinks worm Eric Trager (Feb 12)
- Re: buddylinks worm Mark Coleman (Feb 12)
- Re: buddylinks worm Alexander Kiwerski (Feb 13)
- RE: buddylinks worm Jeremy Junginger (Feb 10)
- Re: buddylinks worm Jason Yates (Feb 10)
- Re: buddylinks worm Clint Bodungen (Feb 12)
- Re: buddylinks worm Jason Yates (Feb 10)
- Re: buddylinks worm upallnight42 (Feb 12)
- Re: buddylinks worm Scott (Feb 12)
- Re: buddylinks worm Access Denied (Feb 18)
- Re: buddylinks worm Dennis Cheung (Feb 12)