AIM worm and AV...
We received a file called pics.exe from one of our readers. The file was linked from a URL sent by one of those AIM worms... nothing new, right? Almost... the thing with this file is:
- It is a RAR file, which contains 4 different files, which are installed at C:\WINDOWS\msupd
    - rep.exe - an SDBot variant
    - 1004270.exe - Cheats Explorer Add-on (toolbar for IE)
    - YSBAgree.exe - the one that starts all the others (as referenced in the RAR file: Setup=C:\WINDOWS\msupd\YSBAgree.exe)
    - iS.exe - looks like the one that sends the messages to AIM users. Messages like the following:

->let me know if you can open this: http://home.earthlink.net/<Snip>/pics.exe
->this doesn't work for me, does it work for you? http://home.earthlink.net/<Snip>/pics.exe
->let me know what you think: http://home.earthlink.net/<Snip>/pics.exe
->holy cow...this girl is going crazy: http://home.earthlink.net/<Snip>/pics.exe
->these are pretty nice, maybe you should take a look - http://home.earthlink.net/<Snip>/pics.exe
->are these of you? they look just like you - http://home.earthlink.net/<Snip>/pics.exe
->this girl is nuts, I can't believe she did this - http://home.earthlink.net/<Snip>/pics.exe
->wow...check this out, you have to see it: http://home.earthlink.net/<Snip>/pics.exe
->this deleted all my viruses and spyware - http://home.earthlink.net/<Snip>/clean.exe
->I can't believe this acutally fixed my computer: http://home.earthlink.net/<Snip>/clean.exe
->I didn't think it would work, but it fixed everything on my computer - http://home.earthlink.net/<Snip>/clean.exe

Did I mention that of all these files (the big package pics.exe, plus rep.exe, 1004270.exe, YSBAgree.exe and iS.exe), only rep.exe is already identified by some AV vendors at VirusTotal?
So...be careful and pay attention...!
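A small triage helper for the Setup= directive mentioned above, added here as an example and not code from the original diary: it assumes the SFX script directives (Path=, Setup=, Silent=, Overwrite=) are readable as plain text in the archive, and it runs over a constructed stand-in blob rather than the real pics.exe.

```python
import re

# Constructed stand-in for an SFX archive blob; it is NOT the real pics.exe,
# only a few bytes that mimic a PE stub, a RAR signature and an SFX script.
SAMPLE_SFX = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Rar!\x1a\x07\x00"
    + b"Path=C:\\WINDOWS\\msupd\r\nSilent=1\r\nOverwrite=1\r\n"
    + b"Setup=C:\\WINDOWS\\msupd\\YSBAgree.exe\r\n"
    + b"\x00" * 8
)

RAR_SIGNATURE = b"Rar!\x1a\x07"
# SFX script directives as they appear in a WinRAR SFX comment (assumed plain text).
SFX_DIRECTIVE = re.compile(
    rb"(?i)(?<![A-Za-z])(Path|Setup|Presetup|Silent|Overwrite)=([^\r\n\x00]*)"
)
SYSTEM_DIRS = ("c:\\windows", "c:\\winnt")


def extract_sfx_script(blob: bytes) -> dict:
    """Collect SFX script directives found as plain text in the blob."""
    found = {}
    for key, value in SFX_DIRECTIVE.findall(blob):
        found.setdefault(key.decode().capitalize(), []).append(value.decode("latin-1"))
    return found


def triage(blob: bytes) -> dict:
    """Summarise what the archive would do when run, for an analyst's report."""
    script = extract_sfx_script(blob)
    report = {
        "has_rar_signature": RAR_SIGNATURE in blob,
        "directives": script,
        "findings": [],
    }
    for target in script.get("Setup", []):
        report["findings"].append(f"auto-runs {target} after extraction")
        if target.lower().startswith(SYSTEM_DIRS):
            report["findings"].append(f"auto-run target lives under a system directory: {target}")
    if script.get("Silent") == ["1"]:
        report["findings"].append("Silent=1: extraction dialog is suppressed")
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_SFX)["findings"]:
        print(line)
```

Point it at a suspicious sample by reading the file's bytes into `triage()`; the directive list gives an analyst the drop path and auto-run target before anything is executed.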

UPDATE:
Since I sent them to my personal AV vendor email list, most of them are already detecting them! Good work!

Pedro Bueno - pbueno //%%// isc. sans. org
http://handlers.sans.org/pbueno