Another one bites the dust

So today another one of those Outlook virus/worm whatever breaks out. I did not hear about it till tariquesani pinged me about it. Though I get paged for DDoS attacks or worms like the Slammer ones, I did not know about this at all.

Anyway this new virus apparently connects to a Geocities site and gets regular updates for itself. I was pretty surprised coz I had not received any mails about it. So after contacting Kaspersky Labs, I came to know the site was this. Pretty interesting because this site does not exist and the username was never created with Yahoo!.

Still Investigating ….

<update>
Since the account was still up for grabs, I went and registered and got that account. Now I have uploaded the file to match the URL in the worm. So now all I need to do is sit back, collect the stats and make sense from the logs.
</update>
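One way to make sense of the sinkhole logs mentioned above, as an added example and not anything the author posted: it parses web-server access log lines (constructed samples in Apache combined format, which is an assumption about how the stats arrive, not the real logs), picks out requests for the two update paths named in the comments, and separates hits that arrived with no Referer and no User-Agent (assumed here to be the worm's own HTTP client) from hits that followed a link, such as the one from this blog.

```python
import re

# Constructed sample lines in Apache "combined" format (not real sinkhole data).
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2003:02:11:09 +0000] "GET /updatesparky/sp1.7ls HTTP/1.1" 200 512 "-" "-"
10.0.0.5 - - [15/May/2003:03:11:10 +0000] "GET /updatesparky/sp1.7ls HTTP/1.1" 200 512 "-" "-"
10.0.0.9 - - [15/May/2003:02:30:44 +0000] "GET /updatesparky/sp1.7ls HTTP/1.1" 200 512 "-" "-"
192.0.2.7 - - [15/May/2003:09:01:02 +0000] "GET /spkyupdate/upd1.jpg HTTP/1.1" 200 1024 "http://example.invalid/blog/another-one" "Mozilla/5.0"
192.0.2.8 - - [15/May/2003:09:05:00 +0000] "GET /spkyupdate/upd1.jpg HTTP/1.1" 200 1024 "-" "-"
198.51.100.3 - - [15/May/2003:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The two update URLs named in the comments on this post.
UPDATE_PATHS = {"/spkyupdate/upd1.jpg", "/updatesparky/sp1.7ls"}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """'bot' for an update-path fetch with no Referer and no User-Agent (assumed
    to be the worm's bare HTTP client), 'human' for one reached via a link
    (e.g. a reader following the URL from the blog), None for other paths."""
    if rec["path"] not in UPDATE_PATHS:
        return None
    if rec["referer"] == "-" and rec["agent"] == "-":
        return "bot"
    return "human"

def sinkhole_stats(log_text):
    """Per update path: total requests plus distinct bot and human source hosts."""
    stats = {p: {"requests": 0, "bot": set(), "human": set()} for p in UPDATE_PATHS}
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec) if rec else None
        if kind is None:
            continue
        stats[rec["path"]]["requests"] += 1
        stats[rec["path"]][kind].add(rec["ip"])
    return {p: {"requests": b["requests"], "bot_hosts": len(b["bot"]),
                "human_hosts": len(b["human"])} for p, b in stats.items()}

if __name__ == "__main__":
    for path, summary in sorted(sinkhole_stats(SAMPLE_LOG).items()):
        print(path, summary)
```

Counting distinct hosts rather than raw requests matters because an infected machine polls the update URL repeatedly, as the two hits from 10.0.0.5 in the sample show.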

7 Comments

  1. raghav · May 14, 2003

    I’m suffering the wrath of something called VBS/Redolf; it’s eating my machine thru’ and thru’

  2. ravi · May 14, 2003

    The page just got a hit from dyn-wireless-169-149.Concordia.CA, but because I’m following links from your blog, rather than being afflicted with the virus (or at least, I believe so). Guess you gotta factor in those hits … ;/

  3. khorgath · May 14, 2003

    hmm… no remote linking…

  4. tariquesani · May 14, 2003

    Oye! Looks like you cannot link directly to JPEGs on Geocities like http://www.geocities.com/spkyupdate/upd1.jpg [you are supposed to know this?]

    Could you verify the rumour on the worm having its own SMTP and IRC engine? Does it use AIM and YM too?

  5. admin · May 15, 2003

    Could you verify the rumour on the worm having its own SMTP and IRC engine? Does it use AIM and YM too?

    Yep. It has many modes. But it’s controlled well. It’s being cleaned on IRC channels now. The bot actually connects to another URL: http://www.geocities.com/updatesparky/sp1.7ls

    So I actually have the email address of the guy who wrote the bot (from the alternate mail ID). Right now I have handed the account to the “Fizzer Task Force”, and they are taking care of the worm. Check out

    ceejayoz · May 16, 2003

    uhh…

    It would appear you’re misinformed. The actual URL is:

    http://www.geocities.com/updatesparky/

    The file is:

    http://www.geocities.com/updatesparky/sp1.7ls

  6. admin · May 16, 2003

    I got hold of the second URL a bit late. The 1st URL was never used by the worm, though the second one is being actively used.
