Virus Alert! W32.Allim.A@mm - Printable Version
-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Skype & Technology (/forumdisplay.php?fid=9)
+---- Forum: Tech Talk (/forumdisplay.php?fid=17)
+----- Thread: Virus Alert! W32.Allim.A@mm (/showthread.php?tid=43708)
Virus Alert! W32.Allim.A@mm by Dane on 04-27-2005 at 02:09 AM
Users of Messenger Plus! Zone Outbreak Alert will receive this alert via there system tray with in 1 hour.
This virus spreads through AOL instant messenger and is similar to the one I got for MSN Messenger. I thought i'd post it here though so that everyone was aware of it.
quote:
Originally posted by Symantec
When W32.Allim.A is executed, it performs the following actions:
Sends the following message to all the AIM contacts on the compromised computer:
Body: hey check out this!
Notes:
Where "this!" is a link to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php
A recipient must click on the link "this!", download the file [email address], and then execute the file.
The file is downloaded as [email address] (the default email address as set in Internet Explorer) and is a variant of W32.Spybot.Worm.
Copies the W32.Spybot.Worm variant as %System%\winimsg.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Adds the value:
"Windows iMessenger Messenger" = "winimsg.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
so that the W32.Spybot.Worm variant runs every time Windows starts.
Modifies the values:
"DisableRegistryTools" = "0x31"
"DisableTaskMgr" = "0x31"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
so that the registry editing tools and task manager are disabled.
The W32.Spybot.Worm variant can perform any of the following actions:
Open a back door on the compromised computer allowing a remote attacker to have unauthorized access.
Attempt to terminate processes and services.
Use the compromised computer as a traffic relay or proxy.
RE: Virus Alert! W32.Allim.A@mm by prashker on 04-27-2005 at 02:44 AM
thanks for the info!!