  insomniac84
join:2002-01-03 Schererville, IN
| Aim Virus
www.wgutv.com/osama_capture.php?XxCC I got this link from a trusted friend and installed the game like an idiot. This thing goes down your buddy list IMing everyone the above link without you knowing it's doing it or seeing anything happen. It installed something called buddylinks and I think also something called psd tools. |
|
  ToastGod S
join:2001-11-24 Bloomington, IN | Silly kids...
I really don't want my lunch break to end. I'm looking at the queue and it's full. I work tech support for a university and people are already calling us about this.
I've got no info on it yet myself... bump for justice. |
|
 longbeach32
join:2003-02-20 Downingtown, PA | reply to insomniac84 yeah, I got this too..
btw, still no info on it though |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | The site downloads a cab file, which I'm attempting to break apart now (why no cab extractor in Win2K/XP?) sheesh... building a cab extractor for Linux as I speak... |
|
 bradleym
join:2002-08-05 Dunfermline, IL | reply to insomniac84 Has anybody told that site's owner that he's hosting this crap?
Drew Williams 1770 Mass. Ave #213 Cambridge, MA 02140 US Phone: 6176614664 |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH | Neither Win98 cab extractor nor the linux one I downloaded will open this thing. Any other ideas (besides opening the link in IE and infecting myself?)  |
|
 Schouw Premium join:2003-05-29 Netherlands | reply to insomniac84 Why doesn't the link work for me? kpatz, mind IMing me the link to the cab file? |
|
 Tablet Premium join:2003-01-15 Czech
| reply to insomniac84 WinRAR v3.30 can extract the files from the cab file.
This ActiveX component ShellInstaller.ocx from inside ShellInstaller.cab then downloads file game_dl.exe, which then attempts to connect to the internet. I've submitted the files to Kaspersky for evaluation. |
|
  Zupe Premium,MVM join:2001-11-29 New York, NY
1 edit | reply to insomniac84 Can you please download and run Hijack This from here: »www.merijn.org/files/hijackthis.zip
On the opening screen, click the scan button, then choose save log file, save it somewhere, open the log file with a text editor and copy and paste the contents here. -- Brain: Pinky, are you pondering what I'm pondering? Pinky: I think so, Brain, but "Snowball for Windows"? |
|
  ToastGod S
join:2001-11-24 Bloomington, IN
| reply to insomniac84 I contacted the NOC for the hosting group that housed the machine. Looks like it's been taken down. Score!
The NOC at internap.com was real quick to get on this one. Good work on their part.  |
|
 Tablet Premium join:2003-01-15 Czech
| reply to insomniac84 The file game_dl.exe downloads a file named ChannelUp.exe to C:\Program Files\Common Files\PSD Tools. This one is detected by KAV as AdvWare.PurityScan.b. ChannelUp is set to start after every start-up using the HKCU//...//RUN key.
Also a directory C:\Program Files\buddylinks.net\Games\Saddam Game is created in the process and file shell.exe is executed from there. This is probably the game itself. |
|
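The HijackThis log requested earlier in the thread can be checked against the file and directory names reported above. The following Python is an added example, not part of any post in this thread; it assumes the usual HijackThis line shape (`O4 - HKCU\..\Run: [name] path`), and the sample log, its value names, CLSID and .cab path are constructed.

```python
import re

# Artifact names reported in the thread (lower-cased for substring matching).
INDICATORS = (
    "psd tools",
    "channelup.exe",
    "buddylinks.net",
    "shellinstaller",
    "game_dl.exe",
)

# HijackThis result lines have the shape "<section> - <details>".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
SECTION_NOTES = {"O4": "autostart entry", "O16": "ActiveX download (DPF)"}

# Constructed sample log: value names, CLSID and the .cab URL path are invented.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKCU\..\Run: [ChannelUp] C:\Program Files\Common Files\PSD Tools\ChannelUp.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (ShellInstaller Class) - http://download.buddylinks.net/ShellInstaller.cab
"""


def scan_log(text):
    """Return one finding per log line that mentions a thread artifact."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        hits = [i for i in INDICATORS if i in line.lower()]
        if not hits:
            continue
        m = ENTRY_RE.match(line)
        section = m.group(1) if m else None  # None: e.g. the process list
        findings.append({
            "line": lineno,
            "section": section,
            "note": SECTION_NOTES.get(section, "other mention"),
            "indicators": hits,
            "text": line,
        })
    return findings


def autostart_findings(findings):
    """Findings that survive a reboot: O4 (Run key / Startup) entries."""
    return [f for f in findings if f["section"] == "O4"]
```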
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| I redownloaded the cab, using Firefox instead of Lynx and was able to extract it with winrar. I was hoping it would have an embedded URL to download the .exe but it doesn't, and my wife is nagging me so I have to duck out... looks like Tablet et al. have things under control.  |
|
 Tablet Premium join:2003-01-15 Czech 1 edit | reply to insomniac84 All downloaded files including the ActiveX component are from this address: h ttp://download.buddylinks.net/. Someone should put this site offline as soon as possible. |
|
  Alcohol Premium join:2003-05-26 Somerset, NJ | reply to insomniac84 One of my friends got it. After he ran adware he was told people weren't getting that IM from him anymore..
Does adware solve the problem? |
|
  ssj4android Redefining Reality
join:2002-04-14 Wyoming, MI
| reply to insomniac84 Actually, this does look like adware. quote: Services; Modifications to Your Instant Messaging Client. The Software provides you the opportunity to access Content for no charge. In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to PSD Tools by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your Computer and programs that may alter your home page to offer you Content. In addition, the Software will interoperate with your current instant messaging client so as to permit the automatic sending of advertising messages originating from your Computer to your contact or buddy list regarding Content offered by PSD Tools or its suppliers. If you desire to stop this activity, you may elect to stop the messages by navigating to the buddylinks.net entry in your Start Menu, selecting the buddylinks.net Configuration item, and unchecking the appropriate option. You may also refer to PSD Tools website at »www.psdtools.com for an uninstaller.
|
|
  mrchris We don't miss you Bush Premium join:2002-10-01 North Babylon, NY 1 edit | reply to insomniac84 I got that same link from someone on my AIM list...told him to run AV, AS and AT programs to find and kill it. I didn't click the link thankfully |
|
  ssj4android Redefining Reality
join:2002-04-14 Wyoming, MI
1 edit | reply to insomniac84 There's an uninstall, either in the add/remove programs or at »www.buddylinks.net/uninstall.exe EDIT (since I don't want another reply): I've played that game somewhere, at newgrounds probably. Maybe I should go give it a bad review for using this scumware. |
|
 Rob181
join:2002-09-07 Bethlehem, PA
| reply to insomniac84 To the people that got this virus: did you actually have to click yes to download the file, or did it download automatically in the background? I clicked this link from a friend, but when I went to the website it did not load properly and I did not click to download anything, so I am not sure if I got this or not. - Rob |
|
 Tablet Premium join:2003-01-15 Czech
| said by Rob181 : To the people that got this virus: did you actually have to click yes to download the file, or did it download automatically in the background? I clicked this link from a friend, but when I went to the website it did not load properly and I did not click to download anything, so I am not sure if I got this or not. - Rob
You would have to click on yet another link and then click YES on an ActiveX prompt.. so if you hadn't done this you are safe. |
|
  DavisPhotog Flyingphotog Premium,MVM join:2001-08-26 Oakland, CA
| reply to insomniac84 said by insomniac84 : www.wgutv.com/osama_capture.php?XxCC I got this link from a trusted friend and installed the game like an idiot. This thing goes down your buddy list IMing everyone the above link without you knowing it's doing it or seeing anything happen. It installed something called buddylinks and I think also something called psd tools.
You know what? It did that to everybody online on my buddy list as well. I got many irate IMs back from people about this; it's spreading horribly. How do we get rid of it?
The ONLY reason why I knew the content of the link is because it sent it to people who had cell phone contacts on my list, and my own phone was one of them. -- only the good die young |
|