eric’s extremeboredom

adventures into and out of extreme boredom.

AIM Virus?

There appears to be some (new?) AIM virus going around. From what I can tell, it spreads using the IE ActiveX installer (isn’t that thing just so great?).

Once infected, at the very least it overrides the user’s AIM profile and replaces it with the URL to the site with the virus, and sends a mass-chatroom-invite to everyone on the buddylist.

Screenshot of Chatroom

The first thing I noticed was a bunch of friendly people offering to tell me why I’m here, which I found to be very strange because I happened to be wondering just that! ;) So I checked out one of the users’ profiles…

Screenshot of user's profile

Hm, it’s my lucky day! I’ve found a secret website! =)

So, since Firefox doesn’t allow fully-encoded URLs, it seems (I’m not complaining!), I went to Google and found a little script to decode URLs.

The URL is: http://server.s3connections.com/
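For reference, here is one way to decode a fully percent-encoded link without opening it; this is an added example, not the script mentioned above. The helper names and the sample link (built from the decoded URL in this post) are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

MAX_ROUNDS = 5  # stop on pathological nesting such as %252525...


def constructed_sample():
    # Constructed input: the decoded URL from the post with every host
    # character percent-encoded. Not a copy of the original profile link.
    host = "server.s3connections.com"
    return "http://" + "".join(f"%{ord(c):02x}" for c in host) + "/"


def decode_link(raw):
    """Percent-decode a link until it stops changing. Nothing is fetched."""
    current, rounds = raw, 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    # Letters, digits, dots and hyphens in a hostname never need
    # percent-encoding, so escapes in the authority part of the raw link
    # are a sign of deliberate obfuscation.
    host_was_encoded = bool(re.search(r"%[0-9A-Fa-f]{2}", urlsplit(raw).netloc))
    return {
        "decoded": current,
        "host": urlsplit(current).hostname,
        "rounds": rounds,
        "host_was_encoded": host_was_encoded,
    }


if __name__ == "__main__":
    single = constructed_sample()
    double = single.replace("%", "%25")  # same link, encoded twice
    for link in (single, double, "http://example.com/plain"):
        print(link, "->", decode_link(link))
```

Repeated decoding is meant for triage display only: a path that legitimately contains an encoded percent sign would be over-decoded.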

So I wget’d the site and then wget’d a few scripts and other pages it references. To sum it up, it looks like I was right: it definitely uses the ActiveX installer. The whole source is encoded, so I’ll update this post once I have time to go through and decode it all.

All the pages are archived here.

The complete conversation log from the chatroom is here. At least the night wasn’t a total loss; I got to watch a group of 13-year-olds discuss school and guys, whoopee.

