Worm appears as Microsoft antipiracy program
http://www.infoworld.com/article/06/06/30/HNwormmsantipiracy_1.html

<QP>
Security analysts have detected a new piece of malware that appears to run
as a Microsoft program used to detect unlicensed versions of its operating
system.

The malware has been classified as a worm and spreads through AOL's Instant
Messenger program, said Graham Cluley, senior technology consultant for
Sophos, a security vendor.

Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of
malware. The worm has a range of malicious functions. After it's installed,
the worm immediately tries to connect to two Web sites, a sign it may try to
download other bad programs on the machine.

Cuebot-K can disable other software, shut off the Windows firewall, download
new malicious programs, perform basic DDOS (distributed denial of service)
attacks, scan local files and spawn a command prompt, Sophos said.

Worms that spread through instant messaging programs often appear as
messages or links sent from friends, which trick a user into executing the
program. Cuebot-K propagates by sending itself as a file named "wgavn.exe"
to more people in the user's "Buddy List" but without a message, Cluley
said.
</QP>
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org

Re: Be careful using AIM & all Instant Messengers by David

David
Fri Jun 30 16:48:16 CDT 2006

From: "PA Bear" <PABearMVP@gmail.com>

| Worm appears as Microsoft antipiracy program
| http://www.infoworld.com/article/06/06/30/HNwormmsantipiracy_1.html
|
| <QP>
| Security analysts have detected a new piece of malware that appears to run
| as a Microsoft program used to detect unlicensed versions of its operating
| system.
|
| The malware has been classified as a worm and spreads through AOL's Instant
| Messenger program, said Graham Cluley, senior technology consultant for
| Sophos, a security vendor.
|
| Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of
| malware. The worm has a range of malicious functions. After it's installed,
| the worm immediately tries to connect to two Web sites, a sign it may try to
| download other bad programs on the machine.
|
| Cuebot-K can disable other software, shut off the Windows firewall, download
| new malicious programs, perform basic DDOS (distributed denial of service)
| attacks, scan local files and spawn a command prompt, Sophos said.
|
| Worms that spread through instant messaging programs often appear as
| messages or links sent from friends, which trick a user into executing the
| program. Cuebot-K propagates by sending itself as a file named "wgavn.exe"
| to more people in the user's "Buddy List" but without a message, Cluley
| said.
| </QP>

Kudos goes to MS MVP MowGreen !

It actually is a variant of an IRC BOT.

AntiVir             6.35.0.19       06.30.2006  Worm/IRCBot.7643
Authentium          4.93.8          06.30.2006  Possibly a new variant of W32/Threat-HLLIM-based!Maximus
Avast               4.7.844.0       06.29.2006  no virus found
AVG                 386             06.30.2006  no virus found
BitDefender         7.2             06.30.2006  BehavesLike:Trojan.FWDisable
CAT-QuickHeal       8.00            06.30.2006  (Suspicious) - DNAScan
ClamAV              devel-20060426  06.30.2006  no virus found
DrWeb               4.33            06.30.2006  no virus found
eTrust-InoculateIT  23.72.53        06.30.2006  no virus found
eTrust-Vet          12.6.2283       06.30.2006  no virus found
Ewido               3.5             06.30.2006  Backdoor.IRCBot.st
Fortinet            2.77.0.0        06.30.2006  W32/IRCBot.ST!tr.bdr
F-Prot              3.16f           06.30.2006  Possibly a new variant of W32/Threat-HLLIM-based!Maximus
Ikarus              0.2.65.0        06.30.2006  Backdoor.Win32.IRCBot.BV
Kaspersky           4.0.2.24        06.30.2006  Backdoor.Win32.IRCBot.st
McAfee              4797            06.30.2006  W32/Opanki.worm.gen
Microsoft           1.1481          06.30.2006  Backdoor:Win32/IRCbot.R
NOD32v2             1.1635          06.30.2006  a variant of Win32/IRCBot.OO
Norman              5.90.21         06.30.2006  W32/Suspicious_M.gen
Panda               9.0.0.4         06.30.2006  W32/Oscarbot.IV.worm
Sophos              4.07.0          06.30.2006  W32/Cuebot-K
Symantec            8.0             06.30.2006  no virus found
TheHacker           5.9.8.167       06.30.2006  no virus found
UNA                 1.83            06.30.2006  no virus found
VBA32               3.11.0          06.30.2006  Backdoor.Win32.IRCBot.st
VirusBuster         4.3.7:9         06.30.2006  no virus found

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
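
Added example, not part of David's post or any vendor's tooling: a small Python parser for the multi-scanner listing above that counts how many engines flag the sample and groups the verdicts by family name, so the IRCBot consensus is visible next to the vendor-specific names (Cuebot, Opanki, Oscarbot). The ten rows are copied from the listing; the heuristic keywords and the stoplist of platform/type tokens are assumptions chosen for these labels.

```python
import re
from collections import Counter

# Sample input: ten rows copied from the scan listing in the post above
# (format: engine, engine version, signature date, verdict).
LISTING = """\
AntiVir 6.35.0.19 06.30.2006 Worm/IRCBot.7643
Authentium 4.93.8 06.30.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
Avast 4.7.844.0 06.29.2006 no virus found
BitDefender 7.2 06.30.2006 BehavesLike:Trojan.FWDisable
Kaspersky 4.0.2.24 06.30.2006 Backdoor.Win32.IRCBot.st
McAfee 4797 06.30.2006 W32/Opanki.worm.gen
Microsoft 1.1481 06.30.2006 Backdoor:Win32/IRCbot.R
Panda 9.0.0.4 06.30.2006 W32/Oscarbot.IV.worm
Sophos 4.07.0 06.30.2006 W32/Cuebot-K
Symantec 8.0 06.30.2006 no virus found
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
HEURISTIC = re.compile(r"suspicious|behaveslike|possibly", re.I)
# Platform and type tokens that carry no family information (assumed stoplist).
NOISE = {"w32", "win32", "worm", "backdoor", "trojan", "gen", "a", "variant", "of"}

def family(verdict):
    """Reduce a vendor verdict to a lowercase family name, 'heuristic', or None."""
    if verdict.lower() == "no virus found":
        return None
    if HEURISTIC.search(verdict):
        return "heuristic"
    tokens = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", verdict) if t]
    names = [t for t in tokens if t not in NOISE and not t.isdigit()]
    return names[0] if names else "unknown"

def summarize(listing):
    """Return (engines_detecting, engines_total, Counter of family names)."""
    families, total = Counter(), 0
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip blank or wrapped lines rather than guess
        total += 1
        fam = family(m.group(4))
        if fam:
            families[fam] += 1
    return sum(families.values()), total, families

if __name__ == "__main__":
    hit, total, fams = summarize(LISTING)
    print(f"{hit}/{total} engines flag the sample; families: {fams.most_common()}")
```

Heuristic-only verdicts are counted separately because they indicate suspicious behaviour rather than agreement on a family name.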



Re: Be careful using AIM & all Instant Messengers by MAP

MAP
Fri Jun 30 19:34:51 CDT 2006

Thanks for the heads up!
--
Mike Pawlak


PA Bear wrote:
> Worm appears as Microsoft antipiracy program
> http://www.infoworld.com/article/06/06/30/HNwormmsantipiracy_1.html
>
> <QP>
> Security analysts have detected a new piece of malware that appears
> to run as a Microsoft program used to detect unlicensed versions of
> its operating system.
>
> The malware has been classified as a worm and spreads through AOL's
> Instant Messenger program, said Graham Cluley, senior technology
> consultant for Sophos, a security vendor.
>
> Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot
> family of malware. The worm has a range of malicious functions. After
> it's installed, the worm immediately tries to connect to two Web
> sites, a sign it may try to download other bad programs on the
> machine.
>
> Cuebot-K can disable other software, shut off the Windows firewall,
> download new malicious programs, perform basic DDOS (distributed
> denial of service) attacks, scan local files and spawn a command
> prompt, Sophos said.
>
> Worms that spread through instant messaging programs often appear as
> messages or links sent from friends, which trick a user into
> executing the program. Cuebot-K propagates by sending itself as a
> file named "wgavn.exe" to more people in the user's "Buddy List" but
> without a message, Cluley said.
> </QP>




Re: Be careful using AIM & all Instant Messengers by PA

PA
Sun Jul 02 18:14:41 CDT 2006



David H. Lipman wrote:
> From: "PA Bear" <PABearMVP@gmail.com>
>
> > Worm appears as Microsoft antipiracy program
> > http://www.infoworld.com/article/06/06/30/HNwormmsantipiracy_1.html
> >
> > <QP>
> > Security analysts have detected a new piece of malware that appears to
> > run as a Microsoft program used to detect unlicensed versions of its
> > operating system.
> >
> > The malware has been classified as a worm and spreads through AOL's
> > Instant Messenger program, said Graham Cluley, senior technology
> > consultant for Sophos, a security vendor.
> >
> > Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family
> > of malware. The worm has a range of malicious functions. After it's
> > installed, the worm immediately tries to connect to two Web sites, a
> > sign it may try to download other bad programs on the machine.
> >
> > Cuebot-K can disable other software, shut off the Windows firewall,
> > download new malicious programs, perform basic DDOS (distributed denial
> > of service) attacks, scan local files and spawn a command prompt,
> > Sophos said.
> >
> > Worms that spread through instant messaging programs often appear as
> > messages or links sent from friends, which trick a user into executing
> > the program. Cuebot-K propagates by sending itself as a file named
> > "wgavn.exe" to more people in the user's "Buddy List" but without a
> > message, Cluley said.
> > </QP>
>
> Kudos goes to MS MVP MowGreen !

Indeed! Please /do/ pay attention to that man behind the curtain! cf.
http://aumha.net/viewtopic.php?t=20300
--
~PA Bear

> It actually is a variant of an IRC BOT.
>
> AntiVir 6.35.0.19 06.30.2006 Worm/IRCBot.7643
> Authentium 4.93.8 06.30.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
> Avast 4.7.844.0 06.29.2006 no virus found
> AVG 386 06.30.2006 no virus found
> BitDefender 7.2 06.30.2006 BehavesLike:Trojan.FWDisable
> CAT-QuickHeal 8.00 06.30.2006 (Suspicious) - DNAScan
> ClamAV devel-20060426 06.30.2006 no virus found
> DrWeb 4.33 06.30.2006 no virus found
> eTrust-InoculateIT 23.72.53 06.30.2006 no virus found
> eTrust-Vet 12.6.2283 06.30.2006 no virus found
> Ewido 3.5 06.30.2006 Backdoor.IRCBot.st
> Fortinet 2.77.0.0 06.30.2006 W32/IRCBot.ST!tr.bdr
> F-Prot 3.16f 06.30.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
> Ikarus 0.2.65.0 06.30.2006 Backdoor.Win32.IRCBot.BV
> Kaspersky 4.0.2.24 06.30.2006 Backdoor.Win32.IRCBot.st
> McAfee 4797 06.30.2006 W32/Opanki.worm.gen
> Microsoft 1.1481 06.30.2006 Backdoor:Win32/IRCbot.R
> NOD32v2 1.1635 06.30.2006 a variant of Win32/IRCBot.OO
> Norman 5.90.21 06.30.2006 W32/Suspicious_M.gen
> Panda 9.0.0.4 06.30.2006 W32/Oscarbot.IV.worm
> Sophos 4.07.0 06.30.2006 W32/Cuebot-K
> Symantec 8.0 06.30.2006 no virus found
> TheHacker 5.9.8.167 06.30.2006 no virus found
> UNA 1.83 06.30.2006 no virus found
> VBA32 3.11.0 06.30.2006 Backdoor.Win32.IRCBot.st
> VirusBuster 4.3.7:9 06.30.2006 no virus found