Rated as a moderate risk at the moment.
At the moment I don't see any vendor other than KL listing it.
Details to follow.
Kaspersky Labs has detected Worm.Win32.Bizex which spreads via ICQ, using a vulnerability in ICQ and Internet Explorer.
An ICQ message sent to victim computers issues an invitation to visit the hacker web-site 'jokeworld' with the addition) LOL. Cartoons from the series Joecartoon are shown on the site, and during this demonstration, a Java virus penetrates the victim computer via a breach in ICQ. This virus changes the configuration of ICQ to send a link to all contacts in the ICQ contact list.
offtopic:
@Mods
And this is why I don't run ICQ..
Update
Write-up: http://www.viruslist.com/eng/viruslist.html?id=1029528
This worm uses the Internet instant messaging system ICQ to spread via the Internet.
The worm sends ICQ users a message with a URL, which is linked to a file which contains procedures to automatically download and execute the malicious component of the worm on the victim computer.
On connecting to the site
http://www.jokeworld.xxx/xxx.html
(x here is used to replace certain characters) the CHM-exploit-a is used. The result of this is that a specially constructed CHM file will be automatically executed on the victim computer. This file contains another file named 'iefucker.html'; this file contains TrojanDropper, a type of Trojan written in script language. This Trojan extracts a file named WinUpdate.exe from itself to a range of system directories.
In Windows 2000 and Windows XP:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe
and in Windows 98:
c:\windows\Start Menu\Programs\Startup\WinUpdate.exe
WinUpdate.exe is a Trojan program of the TrojanDownloader group, which downloads the main component of the worm from a remote site, and writes it to the temporary directory under the name aptgetupd.exe.
This file gains access to the ICQ contact list and sends the above link to all addresses found. Additionally, this component of the worm has a theft function which enables it to steal a range of financial information. More detailed information on this function will be available in the near future.
Other
In addition to the CHM exploit, when the link is opened, an attempt will be made to download and execute a Java archive, which contains a range of TrojanDownloaders (detected as Trojan.Java.Classloader and TrojanDownloader.Java.OpenConnection) which also attempt to download the components of the worm to the victim computer.
[ Edited 63% by Verwijderd (deleted user) on 24-02-2004 16:50 ]
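An added example, not part of the original post or the Kaspersky write-up: a Python check that scans a recursive file listing (for instance the output of `dir /s /b`) for the two file artefacts the write-up names. The sample listing is constructed, and treating any directory named `Temp` as "the temporary directory" is an assumption, because the write-up does not give that path.

```python
from pathlib import PureWindowsPath

# Startup folder tail shared by both paths in the write-up (Windows 98 and 2000/XP).
STARTUP_TAIL = ("start menu", "programs", "startup")


def classify(path):
    """Return a reason string if `path` matches a Bizex artefact, else None."""
    p = PureWindowsPath(path)            # parses backslash paths on any OS
    name = p.name.lower()                # Windows file names are case-insensitive
    dirs = [part.lower() for part in p.parent.parts]
    if name == "winupdate.exe" and tuple(dirs[-3:]) == STARTUP_TAIL:
        return "TrojanDownloader dropped into a Startup folder"
    # Assumption: "the temporary directory" is any directory named Temp.
    if name == "aptgetupd.exe" and "temp" in dirs:
        return "main worm component in a temp directory"
    return None


def scan_listing(lines):
    """Scan lines of a recursive file listing; return [(path, reason), ...]."""
    hits = []
    for line in lines:
        path = line.strip().strip('"')
        reason = classify(path) if path else None
        if reason:
            hits.append((path, reason))
    return hits


# Constructed sample listing: only the first three entries should be flagged.
SAMPLE = r"""
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinUpdate.exe
c:\windows\Start Menu\Programs\Startup\WINUPDATE.EXE
C:\Documents and Settings\bob\Local Settings\Temp\aptgetupd.exe
C:\Tools\WinUpdate.exe
C:\WINDOWS\system32\wupdmgr.exe
C:\Program Files\ICQ\Icq.exe
""".splitlines()

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE):
        print(f"{reason}: {path}")
```

On localized Windows installs the Startup folder has a translated name, so `STARTUP_TAIL` would need the local folder names added.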