Tuesday, February 27, 2007

Worm Hunting!!

I use YMSGR rarely.. 'cause I hate it, but once I received this message from a friend; it was a link to some Miss World picture, dunno. I knew from the first glance (smart me) it was one of those stupid Yahoo Messenger worms going around nowadays :)
The funny thing is the attacker used a registered .info domain. And again used a .jpg that contained HTML to redirect the page to the index, where a series of decrypting and script constructing is done in JavaScript; the result is VBScript, executed using the Microsoft.XMLHTTP vulnerability (not sure about that, since it's a scripting thing), to download and execute the "YMworm.exe" and "worm2007.exe" files. Well, I downloaded these files from that apparently doomed site :) lately, and used:
to scan these files, which resulted in something like this:

Well, after googling W32/Sohand.A I found a description on pspl.com, which suggested that the one I caught was some other variant of it. For me, I regard it as a stupid worm 'cause it was obviously programmed using VB... although I shouldn't call any worm that was able to reach me by spreading stupid; maybe the people who clicked on that link were stupid, I don't know about that either.
I put it in OllyDbg, but hey.. I am having mid-year exams these days, and another thing: seriously debugging VB-coded stuff is just a pain in the ass thingie :(
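The two tricks described above (a ".jpg" that is really HTML, and script that names Microsoft.XMLHTTP and an .exe to fetch) are easy to spot from the bytes alone, without debugging anything. Below is an added example of such a triage check, written for this post; it is not the author's code and not taken from the worm. All sample bytes are constructed, the domain in the sample is a placeholder, and the indicator strings are only the ones the post itself mentions.

```python
"""Spot "image" files that are really HTML or script downloaders.

Added example for this post (not the author's code).  Sample bytes below
are constructed; indicator strings come from the post (HTML inside a .jpg,
Microsoft.XMLHTTP, .exe).
"""
import os
import re

# Leading bytes of real image formats (SOI marker for JPEG, plus PNG/GIF).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Tags an HTML/script file masquerading as an image usually starts with.
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<meta", b"<body", b"<iframe")

# Crude downloader heuristic: the object the post names plus an .exe name.
XMLHTTP_PATTERN = re.compile(rb"Microsoft\.XMLHTTP", re.IGNORECASE)
EXE_PATTERN = re.compile(rb"\.exe\b", re.IGNORECASE)

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}


def classify_bytes(data: bytes) -> str:
    """Return 'image', 'html' or 'unknown' from the leading bytes only;
    the file name is deliberately ignored here."""
    if data.startswith(IMAGE_MAGIC):
        return "image"
    head = data.lstrip()[:64].lower()
    if any(head.startswith(marker) for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the content is markup."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_EXTENSIONS and classify_bytes(data) == "html"


def looks_like_script_downloader(data: bytes) -> bool:
    """True when the content references Microsoft.XMLHTTP and an .exe name,
    the combination the post describes for the dropper stage."""
    return bool(XMLHTTP_PATTERN.search(data)) and bool(EXE_PATTERN.search(data))


def triage(filename: str, data: bytes) -> list:
    """Collect the findings for one file as a list of short tags."""
    findings = []
    if extension_mismatch(filename, data):
        findings.append("extension_mismatch")
    if looks_like_script_downloader(data):
        findings.append("script_downloader")
    return findings


# --- constructed samples (not real captures) ---------------------------------
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
FAKE_JPEG = (b"<html><head>\n"
             b'<meta http-equiv="refresh" content="0;url=index.htm">\n'
             b"</head></html>\n")
DROPPER = (b"<script language=vbscript>\n"
           b'Set x = CreateObject("Microsoft.XMLHTTP")\n'
           b"' placeholder host, not the real site: http://example.invalid/YMworm.exe\n"
           b"</script>\n")

if __name__ == "__main__":
    for name, blob in (("picture.jpg", REAL_JPEG),
                       ("picture.jpg", FAKE_JPEG),
                       ("index.htm", DROPPER)):
        print(name, classify_bytes(blob), triage(name, blob))
```

The point of `classify_bytes` ignoring the extension is exactly the trick the post describes: the server can call the file whatever it likes, but a JPEG has to start with the SOI marker, and a redirect page has to start with markup.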

To remove the worm, this link might help: Click.

