Re: New AOL Instant Messenger virus/trojan???

From: anonymous coward (newanonymous2000_at_yahoo.com)
Date: 02/12/04


Date: 11 Feb 2004 17:30:49 -0800

Here's the whois info on the website:

      wgutv
      Drew Williams
      1770 Mass. Ave # 213
      Cambridge, MA 02140
      US
      Phone: 6176614664
      Email: support@wgutv.com

onsdfUSEdashNETubvef@hotmail.com (onsdfUSEdashNETubvef) wrote in message news:<95ed2a27.0402110936.18644072@posting.google.com>...
> This is a pretty nasty browser hijacker / downloader / AOL instant
> messenger takeover program. When you visit the url
> "http://www.wgutv.com/osama_capture.php?2TYl" you are given an install
> dialog box and then this orange buddy links thing fills up your
> screen. It loads itself into HKEY_LOCAL_MACHINE run under two
> different exe files. I think one of the exe file names is PowerUp.exe.
> It uses your instant messenger client to invisibly instant message all
> your buddy list people. You don't see this happening. You might get
> replies back such as, what is this link? What are you sending me? This
> is how you know your PC is infected with a trojan. The only way people
> are getting infected is because of the replication via your buddies
> clicking on the IM link that you send them, and then their buddies
> getting attacked from the newly infected machine. And anyway, that's it.
> bye. Oh yea, the buddylinks website has an uninstaller program. And
> the add/remove programs has 3 separate entries for this program. It's
> called STD tools or something.
>
> Here is the url the browser downloads the bad plugin /trojan from:
> http://download.buddylinks.net/ShellInstaller.cab
>
> Search your registry for this class ID:
> FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4
>
>
> text from virus / trojan website is pasted below:
>
>
>
> Osama Captured!
>
> ONLY WEEKS AFTER SADDAM WAS FOUND
>
> OSAMA FOUND
> Click here to play it, then follow the directions
>
> By clicking here, your computer will ask if you want to install the
> file from News Player by displaying a window like the one shown to
> the right.
>
> Click the "YES" button highlighted below to complete the install and
> play the file.
>
> term and privacy policy
>
> Brought to you by BuddyLinks.
> If you do not wish to receive any more BuddyLinks content,
> visit our support page.
> Note: This is not an actual news story. This is the prologue
> to a Flash video game.
> Term & conditions | Privacy Policy | What is BuddyLinks? | Contact
>
>
>
> mermogoat@cox.net (Scott) wrote in message news:<88bce512.0402101814.40958dcb@posting.google.com>...
> > Hey, I got a link from a friend that said something along the lines of
> > "Sadaam Escaped" and took me to some buddylinks.net videogame. I
> > didn't think anything of it until all my friends seemed to be getting
> > links to the game that I did not send. Does anyone know about this
> > virus/trojan and how to remove it? The Buddylinks.net thing appeared
> > both in my start menu and my add/remove programs but it did not remove
> > them when I tried. Thanks
> >
> > Scott
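
An added example, not part of the original posts: a Python check for the two registry indicators named in the quoted message (the class ID, and values under the HKEY_LOCAL_MACHINE Run key), run over the text of a `reg export` file. The sample export, its file paths and value names are constructed, and the full Run key path is the standard Windows location, which the post does not spell out.

```python
import re

# Indicators from the post above. The poster was unsure of the exe name, so
# every HKLM Run value is returned and PowerUp.exe matches are only flagged.
CLSID = "FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4".lower()
EXE_HINT = "powerup.exe"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample in .reg export format (paths and names are made up).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerUp"="C:\\Program Files\\Example\\PowerUp.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe /bg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4}]
@="Example object"
'''

def scan_reg_export(text):
    """Return (keys mentioning the CLSID, [(name, data, flagged)] for HKLM Run)."""
    clsid_keys, run_values, key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if CLSID in key.lower():
                clsid_keys.append(key)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue  # header, blank line, or hex continuation line
        name, data = m.group(1).strip('"'), m.group(2)
        if CLSID in data.lower() and key not in clsid_keys:
            clsid_keys.append(key)  # CLSID referenced from a value's data
        if key.lower() == RUN_KEY:
            run_values.append((name, data, EXE_HINT in data.lower()))
    return clsid_keys, run_values

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE))
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text in.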
