RE: AIM-based worm?

From: MH Michael Hammer (5304) (MHammer@ag.com)
Date: 09/27/02


From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: 'Troy Ablan' <bugtraq@pinchaser.com>, incidents@securityfocus.com
Date: Fri, 27 Sep 2002 09:08:56 -0400

Troy,

To answer your questions:

1) It is rather trivial to add someone to a remote user's buddy list (or add
a group). I don't remember the exact syntax, and I don't remember where I
stashed the sample code I had. You might want to try searching on
securityfocus or doing a google search.

2) Don't know why you had a problem viewing the source of the page. Other
than the fact it was all on one line, there is nothing unusual about it. In any
event, here it is....

<html>
<head>
<title>Browser Plugin Requried</title>
<meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com">
</head>
<body>
<h1>Browser Plugin Required:</h1><br>
You may need to restart your browser for changes to take affect.<br>
Security Certificate by <a href="http://www.verisign.com">Verisign</a> 2002.<br>
MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>
Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose "Run" to install.
</body>
</html>

-----Original Message-----
From: Troy Ablan [mailto:bugtraq@pinchaser.com]
Sent: Thursday, September 26, 2002 3:52 PM
To: incidents@securityfocus.com
Subject: AIM-based worm?

A coworker of mine (Tim) recently found a buddy on his buddy list whom he
didn't know (JDogg786). When Tim sent a message to him/her, he got a
response back: "Hmmmm.. http://24.74.206.239:8180/"

When he clicked on the link, it took him to a page which redirected to a
download of a file ending in .com, which he promptly alerted me to and
did not run.

When I tried to go to this link, it tried to download the file. I hit cancel,
then tried to view the source of the page. From the View menu, or by right-
clicking on the page and clicking View Source, nothing happened.

I eventually got the source using wget, which is shown below.

Question 1: Is there a way a web page can add a buddy to your AIM list
without your knowledge?

Question 2: How was I prevented from viewing the source of the HTML page
in IE?

I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well
for anyone who wants to look at it, just in case the above link does not
work any more.

-- BEGIN SOURCE --

<html>
<head>
<title>Browser Plugin Requried</title>
<meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com">
</head>
<body>
<h1>Browser Plugin Required:</h1><br>
You may need to restart your browser for changes to take affect.<br>
Security Certificate by <a href="http://www.verisign.com">Verisign</a> 2002.<br>
MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>
Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose "Run" to install.
</body>
</html>

-- END SOURCE --

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
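Editor's note: the page Troy and Michael posted is a small but complete
social-engineering lure, and the thread's two technical facts about it are
worth making mechanical: the meta refresh sends the browser to the file one
second after the page loads, with no click needed, and the target name
"psecure20x-cgi-install.version6.01.bin.hx.com" is not a hostname but a
relative URL to a file whose extension is .com, i.e. a DOS/Windows executable.
The script below is an added triage example, not code from either poster. It
parses the captured markup (copied from the thread, typos intact; the line
break inside the refresh attribute was mail wrapping and is replaced by a
space), resolves every navigation target against the URL in the AIM message
(http://24.74.206.239:8180/), and flags targets that resolve to an executable
extension. The extension list and the function names are the editor's own.

```python
"""Triage of the "Browser Plugin Required" lure page from the thread.

Added example (not from the original posts). Pulls every navigation target
out of the captured HTML, resolves it against the landing URL, and flags
targets whose path ends in a Windows/DOS executable extension.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import posixpath

# Copied from the thread: the attacker's page as Troy and Michael posted it.
CAPTURED_HTML = (
    '<html><head><title>Browser Plugin Requried</title>'
    '<meta http-equiv="refresh" content="1; '
    'url=psecure20x-cgi-install.version6.01.bin.hx.com"></head>'
    '<body><h1>Browser Plugin Required:</h1><br>You may need to restart your '
    'browser for changes to take affect.<br>Security Certificate by '
    '<a href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: '
    '9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click '
    '<a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and '
    'choose "Run" to install.</body></html>'
)

# The link in the AIM message; relative targets on the page resolve against it.
LANDING_URL = "http://24.74.206.239:8180/"

# Editor's assumption: extensions Windows will run when the user picks "Run".
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".hta"}


class NavTargetParser(HTMLParser):
    """Collects where the page can send the browser: meta refresh (no click)
    and anchor hrefs (one click)."""

    def __init__(self):
        super().__init__()
        self.targets = []  # (kind, raw_url, refresh_delay_seconds_or_None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # refresh content is "<seconds>; url=<target>"; the url part is optional
            delay_text, _, rest = (a.get("content") or "").partition(";")
            rest = rest.strip()
            if rest.lower().startswith("url="):
                try:
                    delay = int(delay_text.strip())
                except ValueError:
                    delay = None
                target = rest[4:].strip().strip("'\"")
                self.targets.append(("meta-refresh", target, delay))
        elif tag == "a" and a.get("href"):
            self.targets.append(("anchor", a["href"], None))


def analyse(html, base_url):
    """Return one finding per navigation target, in document order."""
    parser = NavTargetParser()
    parser.feed(html)
    parser.close()
    findings = []
    for kind, raw, delay in parser.targets:
        absolute = urljoin(base_url, raw)  # "x.y.com" with no scheme is a path
        ext = posixpath.splitext(urlsplit(absolute).path)[1].lower()
        findings.append({
            "kind": kind,
            "raw": raw,
            "url": absolute,
            "delay": delay,
            "ext": ext,
            "executable": ext in EXECUTABLE_EXTS,
        })
    return findings


def executable_targets(html, base_url):
    """Distinct URLs the page would hand to the browser as executables."""
    urls = [f["url"] for f in analyse(html, base_url) if f["executable"]]
    return list(dict.fromkeys(urls))  # dedupe, keep first-seen order


if __name__ == "__main__":
    for f in analyse(CAPTURED_HTML, LANDING_URL):
        flag = "EXECUTABLE" if f["executable"] else "ok"
        delay = "" if f["delay"] is None else f" (auto after {f['delay']}s)"
        print(f"{f['kind']:<12} {flag:<10} {f['url']}{delay}")
```

Run against the captured page it reports the refresh and the "HERE" link as
the same executable URL, auto-triggered after one second, and the Verisign
link as an ordinary page. The displayed "MD5" and "Security Certificate"
text are only text; the script ignores them on purpose, since a hash shown
by the same party that serves the file proves nothing about it.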