[Full-Disclosure] AOL IM Worm
nick at virus-l.demon.co.uk
Wed Feb 11 21:25:11 GMT 2004
"Justin Baldini" <jbaldini at newmassmedia.com> wrote:

> There appears to be an AOL IM worm going around.

It's arguably not a worm (many say fully automated spread is a
requirement for such). It _is_ very like FriendGreetings but using AOL
IM rather than SMTP as its "advertising medium".

> It's coming in as a link to here...
> (Without the XXX)

...and the bit after the "?" is variable/random.

> When run, it appears to load up some fake game, ...

Well, it is an ".SWF game".

> ... installs a bunch of shit,
> and then sends itself to everyone on your IM list.
What you so inelegantly missed is that when you visit the IM-spammed URL
you referred to, you are prompted to download and install an ActiveX
control. If you accept, it's "game over" (security-wise -- no pun
intended...). Intelligent admins whose advice is appreciated and acted
on won't have users running IE, so this won't be an issue for them but
the remaining 99.973% of Windows machines are likely to have some
exposure. However, clueful Windows admins who have to watch over
hordes of the great unwashed and have been forced, against their better
judgement, to allow or even encourage or -- gak! -- _require_ the use
of IE, will at least have locked out said horde with an "only run
administrator approved ActiveX controls" policy.
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure is hosted and sponsored by Secunia.
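
Added example, not part of the original post: one way to audit for the "only run administrator approved ActiveX controls" lockdown mentioned above, by parsing a `reg export` of the IE security zones. It assumes Microsoft's documented URL action IDs (1001, 1004, 1200) and policy values; the sample export and the rule that download actions should be disabled rather than prompted are assumptions made for this example.

```python
import re

# IE zone URL actions (Microsoft-documented IDs) checked by this audit.
ACTIONS = {"1001": "download signed ActiveX controls",
           "1004": "download unsigned ActiveX controls",
           "1200": "run ActiveX controls and plug-ins"}
DISABLE, ADMIN_APPROVED = 0x3, 0x10000
# Acceptable values per action (assumed hardening baseline for this example).
ALLOWED = {"1001": {DISABLE}, "1004": {DISABLE},
           "1200": {DISABLE, ADMIN_APPROVED}}

# Constructed sample in `reg export` text form (zone 3 = Internet, 4 = Restricted).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00010000
"""

def parse_zones(reg_text):
    """Return {zone_id: {action_id: value}} from .reg export text."""
    zones, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = re.match(r"\[.*\\Internet Settings\\Zones\\(\d+)\]$", line)
        if key:
            current = zones.setdefault(key.group(1), {})
        elif line.startswith("["):
            current = None  # some other key: ignore its values
        elif current is not None:
            val = re.match(r'"([0-9A-Fa-f]{4})"=dword:([0-9A-Fa-f]{8})$', line)
            if val:
                current[val.group(1).upper()] = int(val.group(2), 16)
    return zones

def audit(reg_text, zones_to_check=("3",)):
    """List (zone, action, value) where ActiveX download/run is not locked down.
    value is None when the action is not set in the export at all."""
    zones, findings = parse_zones(reg_text), []
    for zone in zones_to_check:
        for action in sorted(ACTIONS):
            value = zones.get(zone, {}).get(action)
            if value not in ALLOWED[action]:
                findings.append((zone, action, value))
    return findings
```

A value of 1 for action 1001 is the "prompt" setting, which is the state in which users see the install dialog the post describes.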