ICQ user, beware!

Straight_Man Geeky, in my own way Naples, FL Icrontian
edited February 2004 in Science & Tech
If you get an ICQ offer to visit a website, be very wary of clicking or going there. More info below, including the contents of a free email newsletter from Kaspersky about it; they are calling this an ICQ worm epidemic with about 50,000 reports of infection.

The problem: this beast propagates by ICQ using computers that it infects and then USES THE ICQ PROGRAM to spread. The original website vector was pulled off the web 4 hours after it was discovered, but this Bizex thing has the capability to spread itself via ICQ. Note the programs that are not affected and should not allow this malware to spread to your box; they include Trillian.

IF you have an old ICQ program sitting around, please do not use it, and if you have used it, make sure your box is not infected, please.

Courtesy Kaspersky Labs news email list:

'Bizex' worm attacks ICQ users

First global epidemic of an ICQ worm detected
Kaspersky Labs has
detected Bizex, a new Internet worm which caused the first global
epidemic among users of ICQ, the Internet instant messaging system. At
the moment, messages about infection are coming in from almost all
corners of the globe. A preliminary estimate is that approximately
50,000 are infected.

A computer becomes infected if the user visits a hacker web-site.
Invitations to visit this site are being circulated by ICQ. As
camouflage, when the web-site is viewed, the user is shown the Joe
Cartoon site; Joe Cartoon is the creator of a popular American cartoon
series. At the same time, the malicious program attacks the computer on
two fronts: firstly, by using a breach in Internet Explorer
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-047.asp),
and secondly, by using a breach in Windows.
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp)
The result of this is that a special file is downloaded to the computer,
without the user noticing anything; this file downloads the file which
contains Bizex and launches it on the victim computer.

Once this has been done, Bizex begins the process of infecting the
victim computer. It creates a folder named SYSMON in the Windows system
directory, copies itself to this folder under the name SYSMON.EXE and
registers this file in the system registry auto-run key. The worm will
therefore be uploaded to the computer memory each time the operating
system is started.

Once this process is completed, Bizex starts to propagate using ICQ. The
worm extracts a number of system libraries which are used with the
instant messaging system from itself, and installs them in the Windows
system directory. Using these libraries, Bizex gains access to the ICQ
contact list, disconnects the active ICQ client, and establishes a new
connection to the server in the name of the user of the infected
machine. It then sends, as if from the user, a link to the web site
shown above to all contacts found.

It should be noted that the worm only attacks original ICQ programs
(with the exception of Web ICQ), and alternative instant messaging
systems, such as Miranda and Trillian, are immune.

Bizex has a range of payloads, all of which are dangerous, and which can
lead to the leaking of confidential information. Specifically, the worm
scans the infected computer, and harvests information on payment systems
which are installed. Then, unnoticed by the user, it sends these details
to a remote anonymous server. The list of vulnerable payment systems
includes:
  Wells Fargo
  American Express UK
  Barclaycard
  Credit Lyonnais
  Bred.fr
  Lloyds
  E-gold
Additionally, Bizex intercepts information
transmitted by HTTPS (an encrypted communications protocol, which is
used, in particular, to transmit financial transactions) and also log in
details for a range of email systems e.g. Yahoo. This information is
also sent to the remote anonymous server.

'We see this as a bare-faced attempt to make money. The new method of
penetration, the fact that ICQ has not been used for such an attack
before, and the wide range of spy functions - this combination is sure
to reap huge profits for the author of Bizex, in spite of the fact that
the site was closed down four hours after the start of the outbreak,'
said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs.
'Users should be very cautious about visiting suspicious sites, and
should install updates for Internet Explorer and Windows immediately.'

Protection against all the malicious components in Bizex has already
been added to the Kaspersky Anti-Virus database.

A more detailed description
(http://www.viruslist.com/eng/viruslist.html?id=1029528) of this
malicious program can be found in the Virus Encyclopaedia.

John D.
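The persistence the release describes (a SYSMON folder in the Windows system directory, a copy of the worm named SYSMON.EXE inside it, and an auto-run registry entry pointing at it) is concrete enough to check for directly. The script below is an added example, not code from the Kaspersky release or from the forum post: it pulls the executable path out of each Run-key command line, expands %VAR% references, and flags any entry that launches <system dir>\SYSMON\SYSMON.EXE, then also checks for the file on disk. Assumptions not stated on the page: the auto-run key is one of the usual HKLM/HKCU ...\CurrentVersion\Run or RunOnce keys, the system directory is %SystemRoot%\System32, and the registry entries used when run off Windows are constructed sample data.

```python
r"""Check Windows auto-run entries for the Bizex SYSMON.EXE persistence.

Added example, not code from the Kaspersky release or the forum post.
Indicator from the page: <system dir>\SYSMON\SYSMON.EXE in an auto-run key.
Assumed (not on the page): the key is a Run/RunOnce key under HKLM or HKCU
and the system directory is %SystemRoot%\System32.
"""
import os
import re
import sys
from typing import Dict, List, Optional, Tuple

INDICATOR = ("SYSMON", "SYSMON.EXE")  # folder name, file name (from the page)

RUN_KEYS = [  # assumed auto-run locations
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif)$", re.IGNORECASE)


def executable_path(command: str) -> str:
    """Program path from a Run-key command line: quoted path with arguments,
    unquoted path containing spaces (tokens joined until one ends in an
    executable extension), or a bare path with arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    if not tokens:
        return ""
    joined: List[str] = []
    for tok in tokens:
        joined.append(tok)
        if _EXT.search(tok):
            return " ".join(joined)
    return tokens[0]


def expand_windows_vars(path: str, env: Dict[str, str]) -> str:
    """Expand %NAME% case-insensitively from a mapping, so an export from
    another machine can be checked with that machine's environment."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), path)


def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").upper()


def is_bizex_persistence(command: str, system_dir: str,
                         env: Optional[Dict[str, str]] = None) -> bool:
    """True if the command launches <system_dir>/SYSMON/SYSMON.EXE."""
    exe = _norm(expand_windows_vars(executable_path(command), env or {}))
    expected = _norm(system_dir) + "\\" + INDICATOR[0] + "\\" + INDICATOR[1]
    return exe == expected


def triage(entries: List[Tuple[str, str, str, str]], system_dir: str,
           env: Optional[Dict[str, str]] = None) -> List[dict]:
    """entries are (hive, key, value_name, command); returns the matches."""
    return [{"hive": h, "key": k, "value_name": n, "command": c}
            for h, k, n, c in entries if is_bizex_persistence(c, system_dir, env)]


def sysmon_file_present(system_dir: str) -> bool:
    """Second indicator from the page: the dropped file itself on disk."""
    return os.path.isfile(os.path.join(system_dir, INDICATOR[0], INDICATOR[1]))


def collect_live_entries() -> List[Tuple[str, str, str, str]]:
    """Read Run/RunOnce values from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break
                    found.append((hive, sub, name, str(data)))
                    index += 1
        except OSError:
            continue  # key absent on this system
    return found


# Constructed sample data standing in for a registry export.
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS"}
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\System32"
SAMPLE_ENTRIES = [
    ("HKLM", RUN_KEYS[0][1], "SysMon", r"C:\WINDOWS\System32\SYSMON\SYSMON.EXE"),
    ("HKCU", RUN_KEYS[2][1], "ICQ", r'"C:\Program Files\ICQ\ICQ.exe" -minimize'),
    ("HKLM", RUN_KEYS[0][1], "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("HKLM", RUN_KEYS[1][1], "Sysmon", r"%SYSTEMROOT%\SYSTEM32\sysmon\sysmon.exe /quiet"),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
        entries, env = collect_live_entries(), dict(os.environ)
    else:
        system_dir, entries, env = SAMPLE_SYSTEM_DIR, SAMPLE_ENTRIES, SAMPLE_ENV
    for hit in triage(entries, system_dir, env):
        print(f"suspicious auto-run: {hit['hive']}\\{hit['key']} [{hit['value_name']}] = {hit['command']}")
    print("SYSMON.EXE on disk:", sysmon_file_present(system_dir))
```

The match is on the exact path, not on the name alone: the value name in the constructed sample is deliberately varied in case, and the last entry uses an environment variable and a trailing argument, both of which a naive string comparison would miss. Note that today's Sysinternals Sysmon also ships a sysmon.exe, but it runs as a service from the Windows directory, not from a SYSMON subfolder of System32 registered under a Run key, so it does not trigger this check.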

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited February 2004
    Yet another reason to use a non-IE browser, and also use Sun's JavaVM as opposed to Microsoft's.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited February 2004
    Also note that the patch for that first exploit has been available since August of 2003. Anyone who gets this virus has no excuse - they should have run WindowsUpdate every month.
  • mmonnin Centreville, VA
    edited February 2004
    Suns Java Sucks ass.

    And why would anyone click on some spam from an IM program anyway. They deserve the crap that comes with it then.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited February 2004
    mmonnin wrote:
    Suns Java Sucks ass

    I was never able to get that feature working right.. :confused:
  • kanezfan sunny south florida Icrontian
    edited February 2004
    they invented java, how could they not make it right dude? blame microsoft who purposely makes it break. and if i only knew i could get my salad tossed by sun's java.....
  • mmonnin Centreville, VA
    edited February 2004
    I had it once but it would never display Statsman'a pages right. Never went back.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited February 2004
    primesuspect wrote:
    Also note that the patch for that first exploit has been available since August of 2003. Anyone who gets this virus has no excuse - they should have run WindowsUpdate every month.

    Yup, but not all enthusiasts are hyperenthusiastic about updating. Lots of old ICQ stuff is still around, and some ISPs that are not majors offer mIRC-- mIRC can ICQ. The users who are older folks and chat online with ICQ to contact grandkids, are legion down here.

    What is good about Microsoft WindowsUpdate is that most of the patches work first time, and do not walk on other patches by accident. What is bad about it, is when a user reloads a box they are faced with all the accumulated updates to get and patch again unless they archived them or have an update snapshot CD to get to certain time frame, then they get to pick up the rest of the patches. Since Microsoft now has a free criticals patch CD, with free shipping, folks might want to get that-- I posted about this in another thread I started, and you can bet I ordered one on a high priority basis. Link to that thread is below:

    http://www.short-media.com/forum/showthread.php?t=10220

    I will say this, given this current web climate-- if I have a wonky-acting box that can still be booted, get on the web, and get to WindowsUpdate or TechNet, I grab an archive of the fixes for the Windows version on the box. If not, I use what I have for that version of Windows to minimize the web access time and install time. If I build a new box, it comes preUpdated to the customer. I also will demand they buy an AV product if they do not have one registered. I would rather take half an hour "selling" this point and make it part of the terms of sale than have the box back one week later so messed up it is unusable-- and have a customer who expects a warranty reload.