AIM virus

I saw an interesting virus yesterday on my roommate’s computer. (Need I mention that it’s a Windows XP box?) It hooks into AIM and sends messages to all the people on the Buddies list. Each message says something like “Nice picture:” or “Check this out!” and includes a link to a .COM file on a temporary website, in this case earthlink.net accounts. In this case, it sent me the former: “nice picture: http://home.earthlink.net/~kriskay3126/IMG00030.com“. I have to admit that I did click on it, though in the back of my mind some warning bells were going off. My computer asked me, “What do you want to do with this file? The MIME-type indicates that it is a Windows executable.” Unfortunately, I declined to download it, so I won’t have a chance to dissect it. I fired off a note in response, letting him know what was up, and temporarily blocked him (It kept sending me messages).

When I got back to the room, he was working on removing the virus. He had already run Sophos and Microsoft Anti-Spyware, as well as uninstalled and reinstalled AOL several times. It was still there: “hilarious: http://home.earthlink.net/~iwearponchos/IMAGE00090.com“. I booted to safe mode, installed and updated AVG, and that found a Trojan of some sort, but nothing else. Sophos was acting buggy in safe mode, but on the second boot it ran and found nothing. I think it might be corrupted. Incidentally, upon the first boot into safe mode, his touchpad failed, so we had to use my USB mouse. Fun computer.

I also found a skeevy entry in his Add/Remove Programs list: “Search Plugin”. Warning signs:

  1. generic name
  2. suggests browser integration
  3. no icon or description
  4. uninstall dialog required use of a captcha (to prevent automated removal)

A quick search revealed that it is indeed spyware or adware of some sort, though with a well-behaved uninstall procedure. Out with that one.

I think my next tactic would be to reinstall Sophos from safe mode, or run some sort of online scanner. But I won’t. I’ve suggested replacement software like Gaim, but he’s not interested. If he wants to stick with AOL software, that’s his own hell to enjoy. “LOOK!!!!!!!!!! http://home.earthlink.net/~keconnell/picture05.com


No comments yet. Commenting is not yet reimplemented after the Wordpress migration, sorry! For now, you can email me and I can manually add comments. Feed icon