AIM-based worm?

From: Troy Ablan (
Date: 09/26/02

Date: Thu, 26 Sep 2002 15:51:47 -0400 (EDT)
From: Troy Ablan <>

A coworker of mine (Tim) recently found a buddy on his buddy list who he
didn't know (JDogg786). When Tim sent a message to him/her, he got a
response back "Hmmmm.."

When he clicked on the link, it took him to a page which redirected to a
download of a file ending in .com, which he promptly alerted me to and
did not run it.

I tried to go to this link, it tried to download the file. I hit cancel,
then I tried to view the source of the page. From the View menu, or right
clicking on the page, and clicking View Source, nothing happened.

I eventually got the source using wget, which is shown below.

Question 1: Is there a way a web page can add a buddy to your AIM list
without your knowledge?

Question 2: How was I prevented from viewing the source of the HTML page
in IE?

I wgetted the file as well
for anyone who wants to look at it, just in case the above link does not
work any more.


<html><head><title>Browser Plugin Requried</title><meta
http-equiv="refresh" content="1;"></head><body><h1>Browser
Plugin Required:</h1><br>You may need to restart your browser for changes
to take affect.<br>Security Certificate by <a
href="">Verisign</a> 2002.<br>MD5:
9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a
href="">HERE</a> and choose
"Run" to install.</body></html>


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: