Re: buddylinks worm
From: Access Denied (trakeen3401_at_hotmail.com)
Date: 02/18/04
- Previous message: Dan Merillat: "Re: Something new? bind dos? exploit?"
- Maybe in reply to: Jason Yates: "buddylinks worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 18 Feb 2004 11:23:53 -0000 To: incidents@securityfocus.com In-Reply-To: <402953F1.6080509@comcast.net>
Disclaimer: This post is a compilation of posts/e-mails I have sent companies to give them more information about buddylinks.net and what I have discovered. It may not make sense because it is a compilation of these messages, but I've done my best to make it readable. I do not work for any of the companies listed in this post and do not accept responsibility for anything you do with the information they provide.
A few months ago I used Trendmicro's online virus detection service and found TROJ_MENDWAR.A (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MENDWAR.A), as the file osse.exe under C:\Documents and settings\Administrator\Application Data\. I have been monitoring this virus for quite a while, just waiting for it to do something. It finally did.
This trojan had been reporting to the IP address 66.150.193.111. This was a plain html web page with the IP address showing as the main body. Recently the virus vanished...
osse.exe was replaced about a week ago by a program named rrrb.exe, also reporting to 66.150.193.111. The program rrrb.exe was executed at startup and ran in the background. A new menu was added under Programs: Buddylinks. I opened rrrb.exe with a hexeditor and noticed a URL for www.buddylinks.net.
The IP 66.150.193.111 now redirects you to http://63.251.131.235/index.php?, where the Osama game once was, now Sadam Escapes. There were also some new files added: blengine.dll, blaim.dll, blengine.exe, bldll.dll under c:\Program Files\Common Files\PSD Tools\.
A search for !update.exe may find the program used to update the virus if you were infected before the IM outbreak, and a search for blengine*.* will find the directory for files you need to remove to get rid of this virus/ad-ware, if it hasn't already infected AIM, MSN IM, or ICQ. I do not know what files are added/modified when it has already hijacked these IM clients. I currently do not run any IM programs because of the constant spam I was free of 6 years ago...
People have reported this program reinstalling itself after using the Add/Remove programs option. I believe this is because it comes, or did at one time, in on an open port, but I am unable to verify this at the moment because I have not been infected since removing the files. It is also possible that not all files are removed with the Add/Remove programs procedure.
http://securityresponse.symantec.com/avcenter/venc/data/adware.buddylinks.html has more information on how to remove this virus/ad-ware as well, but I fear it may be wrong about the method of transmission, "manual download."
My only theory is that this trojan was deployed so machines would hit this site every 2 hours to show that it had a good volume of traffic to possible investors, IF there are any for this domain.
I e-mailed support@buddylinks.net asking about the suspicious deployment of this program. The only response I received was a list of instructions to remove the program. I sent another e-mail and got no response.
Hopefully this information was helpful to you.
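As an added illustration, not part of the original post, the following Python check scans for the indicators the poster names (the file names, the PSD Tools directory, and the two addresses the program contacted) and measures the spacing of repeated contacts, which the post puts at roughly every 2 hours. The file paths and log lines are constructed samples, and the log line format is an assumption.

```python
import fnmatch
import re
from datetime import datetime

# Indicators named in the post: file names, install directory, contacted addresses.
FILE_PATTERNS = ["osse.exe", "rrrb.exe", "!update.exe",
                 "blengine*.*", "blaim.dll", "bldll.dll"]
DIR_PATTERN = r"*\program files\common files\psd tools\*"
C2_ADDRESSES = {"66.150.193.111", "63.251.131.235"}


def match_paths(paths):
    """Return the paths whose file name or directory matches an indicator."""
    hits = []
    for p in paths:
        low = p.lower()
        name = low.rsplit("\\", 1)[-1]
        if (any(fnmatch.fnmatchcase(name, pat) for pat in FILE_PATTERNS)
                or fnmatch.fnmatchcase(low, DIR_PATTERN)):
            hits.append(p)
    return hits


# Assumed log format: "<YYYY-MM-DD HH:MM:SS> <src> -> <dst>:<port> <request>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):\d+")


def beacon_intervals(log_lines):
    """For each (source, destination) pair that hit a listed address, return the
    gaps in hours between consecutive contacts, so a periodic check-in stands out."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) not in C2_ADDRESSES:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        seen.setdefault((m.group(2), m.group(3)), []).append(ts)
    return {k: [round((b - a).total_seconds() / 3600, 2) for a, b in zip(v, v[1:])]
            for k, v in seen.items()}


# Constructed sample data (not from a real host).
SAMPLE_PATHS = [
    r"C:\Documents and Settings\Administrator\Application Data\rrrb.exe",
    r"C:\Program Files\Common Files\PSD Tools\blengine.dll",
    r"C:\Program Files\Common Files\PSD Tools\blaim.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]
SAMPLE_LOG = [
    "2004-02-18 09:00:01 192.168.1.20 -> 66.150.193.111:80 GET /",
    "2004-02-18 09:30:15 192.168.1.20 -> 198.51.100.7:443 CONNECT",
    "2004-02-18 11:00:02 192.168.1.20 -> 66.150.193.111:80 GET /",
    "2004-02-18 13:00:00 192.168.1.20 -> 66.150.193.111:80 GET /",
]
```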