Another one bites the dust
So today another one of those Outlook virus/worm things broke out. I did not hear about it till tariquesani pinged me. Though I get paged for DDoS attacks or worms like Slammer, I did not know about this one at all.
Anyway, this new virus apparently connects to a Geocities site and gets regular updates for itself. I was pretty surprised because I had not received any mails about it. So after contacting Kaspersky Labs, I came to know the site was this. Pretty interesting, because this site does not exist and the username was never created with Yahoo!.
Still investigating …
<update>
Since the account was still up for grabs, I went and registered it. Now I have uploaded a file to match the URL in the worm. So now all I need to do is sit back, collect the stats and make sense of the logs.
</update>
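Once the Geocities account serves a file at the path the worm polls, the only data is the web server's access log. The script below is an added example, not code from the post or from any of the people involved: it parses Apache combined-format access lines, counts fetches of the update path /updatesparky/sp1.7ls (the URL named later in the comments), and separates bot-style fetches (no Referer header) from people who clicked through from the blog, the kind of hit a commenter below says needs to be factored out. The log lines, IP addresses, timestamps and the blog hostname example.org are constructed for illustration; treating "no referrer" as the worm's own HTTP client is an assumption, since the post does not describe the worm's request headers.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed Apache "combined" log lines for illustration. Only the update
# path /updatesparky/sp1.7ls is from the page; hosts, times and referrers are
# made up. The blog referrer host example.org is an assumed placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2003:10:01:02 +0000] "GET /updatesparky/sp1.7ls HTTP/1.1" 200 1337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [16/May/2003:10:31:02 +0000] "GET /updatesparky/sp1.7ls HTTP/1.1" 200 1337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.44 - - [16/May/2003:10:05:11 +0000] "GET /updatesparky/sp1.7ls HTTP/1.1" 200 1337 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
198.51.100.7 - - [16/May/2003:11:12:00 +0000] "GET /updatesparky/sp1.7ls HTTP/1.1" 200 1337 "http://example.org/blog/another-one-bites-the-dust" "Mozilla/5.0 (X11; Linux)"
203.0.113.9 - - [16/May/2003:11:13:45 +0000] "GET /updatesparky/ HTTP/1.1" 200 512 "http://example.org/blog/another-one-bites-the-dust" "Mozilla/5.0 (Windows)"
10.0.0.5 - - [16/May/2003:11:01:02 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Apache combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UPDATE_PATH = "/updatesparky/sp1.7ls"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """'worm' for a fetch of the update file with no Referer (assumed to be the
    bot's own HTTP client), 'curious' for a fetch that arrived via a link from
    somewhere (a person browsing), None for any other request."""
    if rec["method"] != "GET" or rec["path"] != UPDATE_PATH:
        return None
    if rec["referer"] in ("-", ""):
        return "worm"
    return "curious"


def summarize(log_text):
    """Count update fetches and distinct source hosts per class."""
    counts = Counter()
    hosts = {"worm": set(), "curious": set()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        counts[kind] += 1
        hosts[kind].add(rec["host"])
    return {
        "worm_hits": counts["worm"],
        "worm_hosts": len(hosts["worm"]),
        "curious_hits": counts["curious"],
        "curious_hosts": len(hosts["curious"]),
    }


def poll_intervals(log_text):
    """Seconds between successive bot-style fetches per host, for hosts seen
    more than once. A regular spacing is what a scheduled update poll looks
    like; a person following a link does not come back on a timer."""
    times = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and classify(rec) == "worm":
            t = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
            times.setdefault(rec["host"], []).append(t)
    out = {}
    for host, ts in times.items():
        ts.sort()
        if len(ts) > 1:
            out[host] = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(poll_intervals(SAMPLE_LOG))
```

On the constructed sample this reports three bot-style fetches from two hosts and one click-through from the blog; the directory listing fetch and the favicon request are ignored because they are not the update file. The interval table shows one host returning every 1800 seconds, which is the kind of signal that would let an operator estimate the worm's update period from the sinkhole alone.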
I’m suffering the wrath of something called VBS/Redolf; it’s eating my machine through and through.
The page just got a hit from dyn-wireless-169-149.Concordia.CA, but that is because I’m following links from your blog, rather than being afflicted with the virus (or at least, I believe so). Guess you gotta factor in those hits … ;/
hmm… no remote linking…
Oye! Looks like you cannot link directly to JPEGs on Geocities, like http://www.geocities.com/spkyupdate/upd1.jpg [you are supposed to know this?]
Could you verify the rumour on the worm having its own SMTP and IRC engine? Does it use AIM and YM too?
Yep. It has many modes. But it is well controlled. It is being cleaned up on IRC channels now. The bot actually connects to another URL: http://www.geocities.com/updatesparky/sp1.7ls
So I actually have the email address of the guy who wrote the bot (from the alternate mail ID). Right now I have handed the account to the “Fizzer Task Force”, and they are taking care of the worm. Check out
ceejayoz · May 16, 2003
admin · May 16, 2003
uhh…
It would appear you’re misinformed. The actual URL is:
http://www.geocities.com/updatesparky/
The file is:
http://www.geocities.com/updatesparky/sp1.7ls
I got hold of the second URL a bit late. The first URL was never used by the worm, though the second one is being actively used.