Thursday, April 19, 2007

Instant Messenger Worm

I almost got infected by an Instant Messenger Worm today.

This evening I signed into Yahoo Messenger.
A few moments later, a good friend of mine logged in and sent me this seemingly harmless link, but before I could respond or click, this person logged out!

In and out in less than 30 seconds? That's not like them...

I felt odd... so, I looked at the message/link carefully.

The accompanying message told me that it would lead to screenshots of a popular operating system. This message seemed ok to me as this friend of mine knows that I like computers :)

Looking at the link... something did not feel right. Remembering the set of IM worms that have been around, I decided to try to search the web for some information. But what do I search for?
The message text was too generic... so, I decided to Google the name of the site that the link apparently pointed to...

and was I lucky...

This was an attempted infection by WORM_SOHANAD.AL.

A Win32 "Memory Resident Worm", this worm attacks and propagates through Instant Messaging applications - specifically Yahoo Messenger and Windows Live Messenger/Windows Messenger.

The said message contains a link to a remote copy of itself. When the recipient clicks the link, the copy is executed on the recipient's system.

The message it sends out has the following details:

-------Message: (any of the following), from trendmicro.com-------

• :D who is beside you in this pic http://{BLOCKED}icknews.info/friendpic1.jpg so good-looking hot pics this week http://quicknews.info/hot.jpg :x
• ;) 1 of my vacation pictures http://{BLOCKED}icknews.info/vacation1.jpg <:-P
• ;) 1 of my vacation pictures http://{BLOCKED}icknews.info/vacation2.jpg <:-P
• Screenshot of new windows version _ Windows Vista http://{BLOCKED}icknews.info/vista.jpg so cool :D
• Images shot in Iraq _ The war will never end http://{BLOCKED}icknews.info/Iraqwar.jpg << :(
• oh my god , i've won a 20000 usd lottery :O http://{BLOCKED}icknews.info/mylottery.jpg <<
• never click into the links like something in this image http://{BLOCKED}icknews.info/dontclick.jpg #:-S !!!
• :( the page cannot be displayed http://{BLOCKED}icknews.info/error.jpg Something was wrong !!!
• :( the page cannot be displayed http://{BLOCKED}icknews.info/error.jpg Something was wrong !!! Check it again and tell me later. THanks
• Do you realize who is in this image: http://{BLOCKED}icknews.info/who.jpg . Just think for a moment and tell me soon ;))

---------end messages-------------

This worm also replaces the status message of the affected user with any of the above-mentioned messages. For a more in-depth look at this worm, visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOHANAD%2EAL&VSect=T
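As an added example (not code from this post or from Trend Micro), the following Python script turns the two things that gave the worm away into a simple chat-log check: the canned lure text paired with an "image" link that is really a remote copy of the worm, and the sender who logs in, drops a link and logs out within seconds. The lure phrases are taken from the messages quoted above; the lure host is matched only on the visible suffix because the post shows the domain redacted as {BLOCKED}icknews.info; the log format, the user names and the 30-second window are constructed for the example.

```python
"""Flag IM chat lines and sessions that look like the SOHANAD-style lures quoted above."""
import re
from dataclasses import dataclass, field

# Core of each lure message quoted in the post (lower-cased for matching).
LURE_PHRASES = (
    "who is beside you in this pic",
    "1 of my vacation pictures",
    "screenshot of new windows version",
    "images shot in iraq",
    "won a 20000 usd lottery",
    "never click into the links",
    "the page cannot be displayed",
    "do you realize who is in this image",
)

# The post redacts the lure domain as {BLOCKED}icknews.info; match the visible suffix only.
LURE_HOST_SUFFIX = "icknews.info"

# Host is anything up to the next slash or whitespace so the redacted form still parses.
URL_RE = re.compile(r"https?://([^\s/]+)(/\S*)?", re.IGNORECASE)
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def score_message(text: str) -> Verdict:
    """Return why a single chat message looks like a worm lure, if it does."""
    reasons: list[str] = []
    low = text.lower()
    hits = [p for p in LURE_PHRASES if p in low]
    for host, path in URL_RE.findall(text):
        if host.lower().endswith(LURE_HOST_SUFFIX):
            reasons.append(f"link to known lure host {host}")
        elif hits and (path or "").lower().endswith(IMAGE_EXTS):
            # Canned bait plus an image-named link: the ".jpg" the worm sends
            # is the executable copy of itself, so this pairing is enough to flag.
            reasons.append(f"lure text {hits[0]!r} with image link {host}{path}")
    return Verdict(bool(reasons), reasons)


def find_drive_by_senders(log, window: int = 30) -> list[str]:
    """Users who logged in, sent a link and logged out within `window` seconds.

    `log` is a sequence of (seconds, user, event, payload) tuples (constructed format).
    """
    login_at: dict[str, int] = {}
    sent_link: dict[str, bool] = {}
    flagged: list[str] = []
    for t, user, event, payload in log:
        if event == "login":
            login_at[user] = t
            sent_link[user] = False
        elif event == "msg" and URL_RE.search(payload):
            sent_link[user] = True
        elif event == "logout" and sent_link.get(user) and user in login_at:
            if t - login_at[user] <= window:
                flagged.append(user)
    return flagged


# Constructed sample log: a burst session carrying the Vista lure, then a normal chat.
SAMPLE_LOG = [
    (0, "friend", "login", ""),
    (12, "friend", "msg",
     "Screenshot of new windows version _ Windows Vista "
     "http://{BLOCKED}icknews.info/vista.jpg so cool :D"),
    (20, "friend", "logout", ""),
    (300, "alice", "login", ""),
    (900, "alice", "msg", "here is the photo from saturday http://photos.example/IMG_0012.jpg"),
    (4000, "alice", "logout", ""),
]

if __name__ == "__main__":
    for _, user, event, payload in SAMPLE_LOG:
        if event == "msg":
            print(user, score_message(payload))
    print("drive-by senders:", find_drive_by_senders(SAMPLE_LOG))
```

The message check alone would miss a worm that changed its domain, and the session check alone would flag anyone who pops in to share a photo; together they reproduce what the post's author actually noticed: bait text, an odd link, and a contact who vanished in under half a minute.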

So that explained it. Looks like my friend's got this worm on their machine :(
I've sent them an email informing them of this.

Hope they fix it.
Luckily I escaped.
Moral of all this: "read before you click".
