Virus Baru Dikirim Lewat YM

Saya baru dapet info dari temen, dia baru saja kena virus setelah mengunjungisebuah website. Websitenya http://thecoolpics.net/who.jpg (jangan dikunjungi atau komputermu akan kacau balau). Setelah browsing saya dapet infonya yang cukup lengkap.


New Yahoo Messenger Hijacker Trojan – An Indepth Explanation And Solution

 


So today, like any other day, I logged on to Yahoo Messenger only to be stormed by PMs from about 7 of my clients (serious people, for that matter) with kiddish text, smilies and a link to a common site. It didn’t take time for me to realise that something was very-very wrong here.

I began exploring and researching about it and even tried the link on various browsers on an old machine I have. My research drew a few conclusion. A few of you might be interested to read on.

This apparently is a new trojan that infects Internet Explorer and is a bait to get ad revenue.

Conclusions (Confirmed)
1. It uses msinet.ocx and web browser control for communicating with websites or downloading more file.
2. It begins by adding an unusual taskkil.exe in your System32 directory, which is a program to kill System Processes.
3. Creates a batch script located at C:\killav.bat to kill antiviruses.
4. It accesses XXX, where the developer may enter commands for the application to update itselves.
5. It then begins access to XXXX, which shows adbrite ads when opened in Firefox, maybe there is an autoclicking feature encoded.
6. It downloads the executable from YYY which it then renames to svchost32.exe
7. It also downloads the executable at YYYY

The developer seems to want this trojan to be termed “Termex” since he owns the domain Mytermex(dot)com (Donot Visit this Site) and has directories named “Termex” on the server where he hosts his Executables!

The code is no doubt a good one, but I’d have preferred if he must’ve used this knowledge for good. Now apparently this doesn’t seem to affect FireFox/Mozilla and Opera Browsers (Note the apparently) but IE users are doomed.

I am Infected! Now what ?
Don’t Panic Tech Guru has written a nice tutorial to save yourself from this Trojan, I haven’t tried it yet, but from the look of it ,it appears that it’ll work. So go ahead and find it here
http://www.newsfactor.com/blog_article.php?aid=305161

How does this spread ?
I am not aware of the other mediums but yes, I mselves have witnessed this propogating through Yahoo Messenger, and there is a possibility that it may send your Yahoo ID/Password to the attacker.
Possible PMs that you may get are

 

Quote:

damn, she is so cute hxxp://nsl-school.org?id=miss_world (Donot Open this URL in your Browser)

 

Quote:

have you ever seen such a silly man like this ? hxxp://nsl-school.org?id=stories (Donot Open this URL in your Browser)

 

Quote:

Download Free MP3s at hxxp://nsl-school.org?id=mp3 (Donot Open this URL in your Browser)

These Message are generally very tempting and make you click on the link, but once you do, You’re doomed!

!!!WARNING DONOT OPEN THE URLS BELOW IN YOUR BROWSER OR YOU MAY GET INFECTED!!!
XXX = hxxp://giftshop.vn/update.txt
XXXX = hxxp://www.myglobal-news.com
YYY = hxxp://italiandirectory.com/termex/host2.exe
YYYY = hxxp://italiandirectory.com/termex/host.exe

Possible Domains Owned by the Developer of this Trojan
hxxp://www.nsl-school.org
hxxp://www.giftshop.vn
hxxp://www.myglobal-news.com
hxxp://www.italiandirectory.com

I have managed to accumulate the above data, and will go on updating this post as I find more stuff.

If you found this article then please DIGG IT

Original Article on my Blog

Abhishek

Diambil Dari : http://forums.digitalpoint.com/showthread.php?t=155986&highlight=im+virus+in+yahoo+messenger

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *