IM Worm on a Rampage

WORM_SOHANAD.I

Yahoo! Messenger is huge in the Philippines, and Filipinos love pictures, so this IM worm is spreading here like mono at a coed dorm.

From Trend Micro:

WORM_SOHANAD.I

This worm arrives as a downloaded file of VBS_ADODB.AE and JS_WONKA.N.

It spreads via the instant messaging applications Yahoo! Messenger, AOL Instant Messenger (AIM), and Windows Live Messenger. It sends an instant message to all contacts of an affected user. The said message contains a link that when accessed, downloads and executes a copy of itself.

The message below is an example of the instant message that this worm sends out:

;-) 1 of my vacation pictures http://{BLOCKED}ecoolpics.com/vacation2.jpg <:-P

(Note: The URL mentioned in the message is purposely blocked.)

This worm also changes the instant messaging application status of the affected user with any of the message strings it sends out.

It modifies settings related to Yahoo! applications. It does the said action to get an affected user to mistakenly access a malicious Web site when executing targeted Yahoo! programs.

It also disables Registry Editor and Task Manager. Moreover, it terminates several processes related to antivirus and security applications. These routines help avoid its easy detection and consequent removal from the system.

This worm changes the home page of the system's Internet browser so that it points to the Web site {BLOCKED}ecoolpics.com instead. Another browser-related routine that it does is the maximizing of the browser window when it detects a certain text string on the window title bar.

It takes advantage of a vulnerability in Microsoft Data Access Components (MDAC) Function. More information on the said vulnerability is available in the following Web site: Microsoft Security Bulletin MS06-014

Once successfully exploited, the said vulnerability allows this worm to connect to the Web site http://www.{BLOCKED}ecoolpics.com/INDEX.HTML to download and execute an embedded script detected by Trend Micro as JS_WONKA.N.

It also connects to the Web site http://{BLOCKED}rknaturephoto.com/Gallery/albums/Wood-ducks/photos to download files also detected by Trend Micro as WORM_SOHANAD.I.
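The advisory above lists behaviours a defender can actually look for: one picture-looking link pushed to every contact of a user, Registry Editor and Task Manager switched off, and the browser home page redirected to the worm's site. The Python below is an added example, not code from this post or from Trend Micro, that checks for those indicators over constructed sample data. The `.example` host names stand in for the domains the advisory blocks out, the tab-separated IM log format and the registry snapshot dictionary are my own assumptions, and the `DisableRegistryTools`, `DisableTaskMgr` and `Start Page` registry values are the standard Windows locations for those settings; the advisory does not say which mechanism the worm uses.

```python
"""Indicators for the IM worm behaviour described in the advisory.

Two defender-side checks over constructed data:
  1. an image-looking link sent by one user to many contacts (fan-out),
     or pointing at a known-bad host, in an IM log;
  2. policy / home-page tampering in a snapshot of registry values.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".gif", ".png", ".bmp")
# Placeholders for the partially blocked domains in the advisory (constructed).
BLOCKED_HOSTS = {"ecoolpics.example", "rknaturephoto.example"}

# Constructed IM log: timestamp<TAB>sender<TAB>recipient<TAB>message
SAMPLE_IM_LOG = """\
2006-10-02 14:01:12\tmaria\tjoe\tsee you at lunch?
2006-10-02 14:03:40\tjoe\tmaria\t;-) 1 of my vacation pictures http://ecoolpics.example/vacation2.jpg <:-P
2006-10-02 14:03:41\tjoe\tanna\t;-) 1 of my vacation pictures http://ecoolpics.example/vacation2.jpg <:-P
2006-10-02 14:03:41\tjoe\tpaolo\t;-) 1 of my vacation pictures http://ecoolpics.example/vacation2.jpg <:-P
2006-10-02 14:05:01\tmaria\tanna\tnew camera test http://photos.example/album/IMG_0042.jpg
2006-10-02 14:09:22\tanna\tpaolo\tlol look http://ecoolpics.example/vacation2.jpg
"""

# Standard Windows locations (assumption: the advisory does not name the mechanism).
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_MAIN_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main"

# Constructed snapshot of what a compromised profile might look like.
SAMPLE_SNAPSHOT = {
    POLICY_KEY: {"DisableRegistryTools": 1, "DisableTaskMgr": 1},
    IE_MAIN_KEY: {"Start Page": "http://ecoolpics.example/"},
}


def image_links(message):
    """Return the URLs in a message whose path looks like a picture file."""
    return [u for u in URL_RE.findall(message)
            if urlparse(u).path.lower().endswith(IMAGE_EXT)]


def parse_log(text):
    """Parse the constructed log format into (ts, sender, recipient, message) rows."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, sender, recipient, msg = line.split("\t", 3)
            rows.append((ts, sender, recipient, msg))
    return rows


def find_lures(rows, fanout_threshold=3):
    """Flag (sender, url) pairs that either point at a known-bad host or were
    pushed to at least `fanout_threshold` distinct contacts.
    Returns a sorted list of (sender, url, reason)."""
    recipients = defaultdict(set)
    bad_host = set()
    for _, sender, recipient, msg in rows:
        for url in image_links(msg):
            recipients[(sender, url)].add(recipient)
            if (urlparse(url).hostname or "") in BLOCKED_HOSTS:
                bad_host.add((sender, url))
    hits = []
    for (sender, url), rcpts in sorted(recipients.items()):
        reasons = []
        if (sender, url) in bad_host:
            reasons.append("known-bad host")
        if len(rcpts) >= fanout_threshold:
            reasons.append(f"sent to {len(rcpts)} contacts")
        if reasons:
            hits.append((sender, url, "; ".join(reasons)))
    return hits


def host_indicators(snapshot):
    """Return the tampering indicators present in a {key: {value: data}} snapshot.
    On a live Windows host the same values would be read with winreg."""
    found = []
    policy = snapshot.get(POLICY_KEY, {})
    if policy.get("DisableRegistryTools") == 1:
        found.append("Registry Editor disabled by policy")
    if policy.get("DisableTaskMgr") == 1:
        found.append("Task Manager disabled by policy")
    start = snapshot.get(IE_MAIN_KEY, {}).get("Start Page", "")
    host = urlparse(start).hostname or ""
    if host in BLOCKED_HOSTS:
        found.append(f"browser home page points to {host}")
    return found


if __name__ == "__main__":
    for sender, url, reason in find_lures(parse_log(SAMPLE_IM_LOG)):
        print(f"LURE  {sender} -> {url}  ({reason})")
    for indicator in host_indicators(SAMPLE_SNAPSHOT):
        print(f"HOST  {indicator}")
```

The fan-out rule matters more than the host list: the advisory's domains change, but a single user spamming the same picture link to every contact within seconds is what the worm's spreading routine looks like from the messaging side, whatever domain it uses that week. The registry check is what a helpdesk script would run before trying to open regedit or Task Manager on a machine that "can't open them any more".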

Of course, I don’t care about that stuff. Firefox users are protected.

(Via Abe Olandres.)

3 Comments on “IM Worm on a Rampage”
  1. SELaplana says:

    great new home. at last no longer a blogspot site….

  2. Mike Abundo says:

    Yup. Glad you like it, Sustines. 🙂

  3. Macnerdz says:

    nice layout bro and it's so red too hehehe