Shoutbox

Virus Alert! W32.Allim.A@mm - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Skype & Technology (/forumdisplay.php?fid=9)
+---- Forum: Tech Talk (/forumdisplay.php?fid=17)
+----- Thread: Virus Alert! W32.Allim.A@mm (/showthread.php?tid=43708)

Virus Alert! W32.Allim.A@mm by Dane on 04-27-2005 at 02:09 AM

Users of Messenger Plus! Zone Outbreak Alert will receive this alert via there system tray with in 1 hour.

This virus spreads through AOL instant messenger and is similar to the one I got for MSN Messenger.  I thought i'd post it here though so that everyone was aware of it.

quote:
Originally posted by Symantec

When W32.Allim.A is executed, it performs the following actions:

Sends the following message to all the AIM contacts on the compromised computer:

Body: hey check out this!


Notes:
Where "this!" is a link to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php
A recipient must click on the link "this!", download the file [email address], and then execute the file.
The file is downloaded as [email address] (the default email address as set in Internet Explorer) and is a variant of W32.Spybot.Worm.


Copies the W32.Spybot.Worm variant as %System%\winimsg.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Windows iMessenger Messenger" = "winimsg.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

so that the W32.Spybot.Worm variant runs every time Windows starts.


Modifies the values:

"DisableRegistryTools" = "0x31"
"DisableTaskMgr" = "0x31"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

so that the registry editing tools and task manager are disabled.


The W32.Spybot.Worm variant can perform any of the following actions:


Open a back door on the compromised computer allowing a remote attacker to have unauthorized access.
Attempt to terminate processes and services.
Use the compromised computer as a traffic relay or proxy.


RE: Virus Alert! W32.Allim.A@mm by prashker on 04-27-2005 at 02:44 AM

thanks for the info!!