new AIM virus...sends IMs. EDIT: CNN coverage

[minus1972]

hey all...didn't see a post on this yet and it seems like it's just popping up. A friend at school got the following IM and decided to open it up:

xxxxxxx: check this out: http://www.wgutv.com/osama_capture.php?WAjb

(DISCLAIMER: if you go there and are dumb enough to accept the file download, I can't be held responsible)

it proceeded to send itself to everyone on his buddy list and is now coming back around from everyone who clicks and downloads. any ideas on how to get this off of his machine or am I going to have to wait for a fix?

2/11/04: there seems to be a new version with Saddam replacing Osama. still no official fixes.
2/12/04: story on CNN

 

[rutchtkim]

got it today, didnt download anything though. figured it was a virus

 

[ShotgunSteven]

That's why I set it to block IM's from people not on my list.

 

[Doggiedog]

I just got this warning at work too.

 

[Warthog912]

That's why I don't use AIM.

Granted I only have one person on my Messenger list-

 

[Dufman]

i could see this virus spreading rather quickly

 

[minus1972]

I think it could be bad, but it could definately be a lot worse. Imagine a similar virus disguised as a warning with a link pointing to a microsoft address using that IE exploit? disaster. Rest of my day = fixing 20 computers around campus.

 

[rutchtkim]

Originally posted by: ShotgunSteve
That's why I set it to block IM's from people not on my list.

This comes from people on ur list

 

[MaxDepth]

Got one sunday pooping the corporate network. Being all paranoid and such I rejected it too, It came from "AOL system admin."

 

[niwi7]

hmmmmmmmmmm

i got this from a stupid friend who always sends me dumb stuff like this so i figured it was not a virus or anything so yea i clicked it and hit yes yea i know im stupid


how can i get rid of it?

 

[MartyMcFly3]

yeah one of my floormates got it and sent it to everyone on the floor..... i didnt care enough to see "osama caught" and when it said you had to install something i figured something was up..

 

[BHeemsoth]

Originally posted by: MaxDepth
Got one sunday pooping the corporate network. Being all paranoid and such I rejected it too, It came from "AOL system admin."

The AOL system admin messages come up if you sign on in two different places at the same time. they are legit

 

[Krugger]

if any anti virus sites update for this, post the link to the thread please. thanks.

 

[Krugger]

It's all part of www.buddylinks.net and http://www.psdtools.com
don't see the promised uninstaller, but on buddylinks their is an optout, which may or may not work.
to be fair, it's not a virus per say. and the page it sends you to, contains a TERMS, which when read shows:
Services; Modifications to Your Instant Messaging Client. The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or ?buddy? list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the ?buddylinks.net? entry in your ?Start Menu?, selecting the ?buddylinks.net Configuration? item, and unchecking the appropriate option. You may also refer to PSD Tools? website at http://www.psdtools.com for an uninstaller.

 

[Krugger]

go into add/remove programs and see if you see anything called buddylinks or psdtools if so get rid of it. uninstalling and reinstalling AIM might work, i dunno.
this is what THEY say, but i dont know if its true:
Uninstalling the Software. In order to uninstall the Software, you will need to run the removal executable. You can get this program by contacting Support@PSDTools.com You may also be able to remove the program using any of the following methods:
Via ?Add/Remove Programs?:
Click ?Start?, Settings, Control Panel
Click ?Add/Remove Programs?
Locate the ?buddylinks.net Messaging Integration? option and click ?Remove?.
Click ?Yes? on the prompt.
Via a website link:
Navigate to http://www.buddylinks.net/uninstall.exe
Choose ?Run? or ?Open? when the download window appears.

The uninstallation process should take effect immediately though in rare cases it may be necessary to restart your Instant Messaging Client or computer.

Disabling the Software. You may also choose to leave the program on your computer but disable its behavior at any time:

Navigate to ?Start?, ?Programs?, ?buddylinks.net?, ?buddylinks.net Configuration?
Uncheck the ?Use buddylinks.net technology to send fun links to my friends!? box, if checked
Click ?Close?

To re-enable the buddylinks.net technology, navigate to the same link, check the aforementioned box and click ?Close?.

 

[yukichigai]

Buddylinks.net eh.

I wonder if they're related to CoolWebSearch.com. Sounds like the same M.O.

 

[JoPh]

yeah i am begining to get these ims now. its rather annoying.

 

[Krugger]

Originally posted by: yukichigai
Buddylinks.net eh.

I wonder if they're related to CoolWebSearch.com. Sounds like the same M.O.

no, same idea though. psdtools, buddylinks, and the site in the Original Post are all registered to the same person. it's psdtools' software, that buddylinks uses, and they scam ppl into installing it by sending them to that OP site. and then make it hard to get rid off. (i dont know if add/remove works, i haven't heard back yet)

 

[jessieqwert]

Yep, I clicked.

Current removal instructions from information known as of this posting:

It installs two programs onto the computer:
PSD Tools ChannelUP v1.0 and one of the following: PSDT Messaging Integration or BuddyLinks Messaging Integration

An APS Trojan was found in the system restore folder on one of our RCCs' computers after downloading/installing the program. McAfee successfully removed the Trojan. It seems that the Trojan may come with the BuddyLinks Messaging Integration rather than the PSDT Messaging Integration program.

 

[BigJ]

Came back from being away and got 17 IMs at once. I figured something was up.

 

[DaWhim]

got this on my mobile AIM a few times from the same person.
couldn't click on the link because I saw the message on my cellphone.

 

[minus1972]

nothing on symantec yet...haven't tried to remove anything yet. keep the thread updated.

 

[Amorphus]

trillian hasn't given me any problems yet.

 

[EMPshockwave82]

thank you ATOT, a friend just sent me the link and i knew not to click it

and i use Trillian 2.0

 

[wiredspider]

I have somehow sending this to everyone . I know I wouldn't click yes to install any of this stuff...