New AIM Spammer, watch out!

RichC

Member
Mar 29, 2001
131
0
0
Do not open any links from any of your AIM buddies that link you to the site www.wgutv.com. It's a new type of spam program disguised as a game. What it will do is it will send itself to everybody on your AIM buddy list. This info is all preliminary, but me and a few friends think this is how it works. It's from a site called www.buddylinks.net. There's a game in there and if you run the game, it will send a link to everybody on your buddy list without your knowledge. If your friends click that link, it'll send them to the same game, which will start another wave of spam IMs. Let me know if any of you have any additional information. Please spread this news around (although the act of spreading this news will also create spam, but at least we have some control over it).
 

RhythmAddict

Member
Sep 15, 2003
114
0
0
I got an IM from this earlier today...
The exact URL it pointed me to was "http://www.wgutv.com/osama_capture.php?MVqz". It asks you to DL the applet or whatever and it is a Thawte signed cert... I actually got about 20% done, and thought it was fishy so I cancelled. Therefore I can't conclusively state whether or not this does install whatever buddylinks.net software, although it certainly does sound like it. I have gotten numerous IMs today telling me to follow that link... Any further info, people?
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Yes...we're seeing lots of activity here. Shutting down AIM for the moment.

Any info on affected versions? (I'm using Trillian, and haven't seen it)
 

RhythmAddict

Member
Sep 15, 2003
114
0
0
Yep... Went over to the server room and blocked 63.251.131.235 - which is the address that buddylinks.net and wgutv.com both resolve to...

<snip>
Organization:
buddylinks
Drew Williams
1770 Mass Ave #213
Cambridge, MA 02140
US
Phone: 617 661 4664
Email: support@buddylinks.net

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: BUDDYLINKS.NET

Created on..............: Fri, Jan 09, 2004
Expires on..............: Sun, Jan 09, 2005
Record last updated on..: Tue, Feb 10, 2004

Administrative Contact:
buddylinks
Drew Williams
1770 Mass Ave # 213
cambridge, MA 02140
US
Phone: 617 661 4664
Email: support@buddylinks.net

Technical Contact:
Buddylinks
Drew Williams
1770 Mass Ave # 213
Cambridge, MA 02140
US
Phone: 617 661 4664
Email: support@buddylinks.net

Zone Contact:
Buddylinks
Drew Williams
1770 Mass Ave
Cambridge, MA 02140
US
Phone: 617 661 4664
Email: support@buddylinks.net

Domain servers in listed order:

NS1.BSN.PNAP.NET 63.251.129.1
NS2.BSN.PNAP.NET 63.251.129.33
</snip>

AND...

<snip>
Organization:
wgutv
Drew Williams
1770 Mass. Ave #213
Cambridge, MA 02140
US
Phone: 6176614664
Email: support@wgutv.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: WGUTV.COM

Created on..............: Tue, Dec 09, 2003
Expires on..............: Thu, Dec 09, 2004
Record last updated on..: Tue, Feb 10, 2004

Administrative Contact:
wgutv
Drew Williams
1770 Mass. Ave # 213
Cambridge, MA 02140
US
Phone: 6176614664
Email: support@wgutv.com

Technical Contact:
wgutv
Drew Williams
1770 Mass. Ave #213
Cambridge, MA 02140
US
Phone: 6176614664
Email: support@wgutv.com

Zone Contact:
wgutv
Drew Williams
1770 Mass. Ave # 213
Cambridge, MA 02140
US
Phone: 6176614664
Email: support@wgutv.com

Domain servers in listed order:

DNS11.REGISTER.COM 216.21.234.76
DNS12.REGISTER.COM 216.21.226.76
</snip>
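
The comparison the two WHOIS records above invite, as an added example that is not part of the original thread: it normalizes registrant fields so that formatting differences (spaced vs. unspaced phone numbers, "Ave #5" vs. "Ave. # 5") do not hide a shared registrant. The sample records are constructed placeholders in the same registrar layout, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (placeholder values), trimmed to the fields used,
# in the registrar layout: "Organization:" then org, contact name, street.
RECORD_A = """Organization:
examplelinks
Pat Example
100 Example Ave #5
Phone: 555 010 0199
Domain Name: EXAMPLELINKS.TEST
"""
RECORD_B = """Organization:
exampletv
Pat Example
100 Example. Ave # 5
Phone: 5550100199
Domain Name: EXAMPLETV.TEST
"""

def parse_record(text):
    """Extract the domain plus normalized registrant name, street and phone."""
    lines = [l.strip() for l in text.splitlines()]
    out = {}
    for i, line in enumerate(lines):
        if line == "Organization:" and i + 3 < len(lines):
            out["name"] = lines[i + 2].lower()
            # Drop punctuation and spacing so "#5" and "# 5" compare equal
            out["street"] = re.sub(r"[^a-z0-9]", "", lines[i + 3].lower())
        elif line.startswith("Phone:"):
            # Keep digits only; first phone seen (the registrant's) wins
            out.setdefault("phone", re.sub(r"\D", "", line.split(":", 1)[1]))
        elif line.startswith("Domain Name:"):
            out["domain"] = line.split(":", 1)[1].strip().lower()
    return out

def shared_attributes(records):
    """Map each (field, value) seen in more than one record to its domains."""
    seen = defaultdict(set)
    for rec in map(parse_record, records):
        for field in ("name", "street", "phone"):
            if field in rec and "domain" in rec:
                seen[(field, rec[field])].add(rec["domain"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (field, value), doms in shared_attributes([RECORD_A, RECORD_B]).items():
        print(f"{field}={value!r} shared by {doms}")
```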
 

Matthias99

Diamond Member
Oct 7, 2003
8,808
0
0
<mafia>Does youse wants I should drive over to Drew's place and have a few, uh, words wit' him? That oughta solve our problem real quick-like.</mafia>

Seriously, though, I'd email AOL and tell them about this. They probably have enough muscle to make his ISP pull the plug.
 

RhythmAddict

Member
Sep 15, 2003
114
0
0
Originally posted by: Matthias99
<mafia>Does youse wants I should drive over to Drew's place and have a few, uh, words wit' him? That oughta solve our problem real quick-like.</mafia>

Seriously, though, I'd email AOL and tell them about this. They probably have enough muscle to make his ISP pull the plug.

I second that...

For now, I think the best move is to just block that IP. Then the users will click on the link and nothing will happen, so they'll complain about that instead.
I'm pretty sure this will only successfully work through AIM - but I'm not sure?
Does anyone know if the buddylinks.net software (whatever that may be/is known as) is on the adaware/spybot S&D remove list?? I guess I have to assume that's the only resolution, unless of course you can just go to add/remove programs and erase it - something gives me the feeling that won't happen though.
 

Buzzman151

Golden Member
Apr 17, 2001
1,455
0
0
Originally posted by: RhythmAddict
Originally posted by: Matthias99
<mafia>Does youse wants I should drive over to Drew's place and have a few, uh, words wit' him? That oughta solve our problem real quick-like.</mafia>

Seriously, though, I'd email AOL and tell them about this. They probably have enough muscle to make his ISP pull the plug.

I second that...

For now, I think the best move is to just block that IP. Then the users will click on the link and nothing will happen, so they'll complain about that instead.
I'm pretty sure this will only successfully work through AIM - but I'm not sure?
Does anyone know if the buddylinks.net software (whatever that may be/is known as) is on the adaware/spybot S&D remove list?? I guess I have to assume that's the only resolution, unless of course you can just go to add/remove programs and erase it - something gives me the feeling that won't happen though.


not as of this morning. it will probably take adaware a couple days and it seems spybot only gets updated every couple months


on a side note... i had a friend convinced last night it was a virus.... omg watching him soil his pants over aim has to be one of the funniest things i've seen in some time

 

martind1

Senior member
Jul 3, 2003
777
0
0
I live and work around boston, looks like i am going to have to take an extended lunch ...
 

Poohbee

Senior member
Oct 10, 1999
787
0
71
I spent close to a couple hours trying to help a friend get rid of this thing..

Apparently it goes into the registry and changes some stuff in there and then puts in a program called ShellInstaller.ocx.

To see if you have been infected open up a DOS Command prompt (START > RUN > type CMD) And enter the following command "dir /s %SYSTEMDRIVE%\shellinstaller.ocx" (without the quotes). If it finds anything you are infected. :frown:

BTW, that worm also downloads other nasties and changes your Internet Explorer config to Install things without your permission when you go to a website.

To remove that Worm/Virus Follow the link:

AIM Worm/VIRUS Removal Instructions

EDIT: Hmm it seems like this one gets rid of another type of worm similar to the one described by the OP.

Try this forum where they talk about the worm: (Scroll down to JizJizJiz's posting)

Alternate AIM Worm/Virus Removal Link

Hope one or both of these work out for you all.

Enjoy
 

perry

Diamond Member
Apr 7, 2000
4,018
1
0
Originally posted by: martind1
I live and work around boston, looks like i am going to have to take an extended lunch ...

I know someone that checked into that... Address goes to Mailboxes Etc, phone number is for a bagel shop nearby.
 