MySpace AIM Virus Making Rounds

[Jeff]

JCMets reports on Webdefenders that a new AIM virus has been making the rounds. This one shows up as the following instant message:

you wouldnt mind if I put this picture of us on my myspace default page? :-) http://www.neoweb.fr/media/picture21.com

If you get this message from one of your contacts, do not click the link and do not download picture21.com. This will takeover your AIM program, resending this message to everyone on your contact list.

The originating website appears to be run by a group that calls itself the "Islamic Defenders Team," though the specific significance is not known.

If you suspect that your copy of AIM is infected, or are contacted by someone who is infected, send them to www.jayloden.com to download a copy of AIMfix, which will remove this and most other AIM viruses.

[MrEggsalad]

Oh man oh man have I seen this one by oh too many of my friends. In case you didn't know, .com is not a picture extention, sorry.

[Aitrus]

This is an intresting thing I ran across. I posted screenshots and the actual link below. Another virus sweeping in Myspace attempting to appear as the new "My Space Messenger" while my spaces messenger ( if and when working ) is an online messenger and not a download...

Warnig I submitted that file to symantec myself, as it was not detectable by my vurrent definitions. They detected it as a virus and did release definitions for it.

Here was my submittage to myspace


During usage of myspace someone attempted to add me as a friend by the name of Naomi, when I clicked the name to view the profile, the link it took me to was this...

http://www.space-im.com/

I did download the file , and scanned it with Symantec, it is not infected, however I believe the file is something that will compromise a users system. ( The file IS infected with a trojan )

Also the page it links you to is all fake, only the download links work.

I also provided some screenshots to help you in case this link is gone by the time you read this...

http://img519.imageshack.us/img519/7831/invalidup8.jpg

http://img519.imageshack.us/img519/8413/invalid2zp6.jpg

http://img45.imageshack.us/img45/7058/invalid3gk5.jpg

http://img73.imageshack.us/img73/2918/invalid4nh2.jpg

Please investigate this matter, as it may cause myspace some damage. I myself am a college graduate in Cisco Networking, so I am familiar with security issues. However the everyday user will fall for that stuff...

Daniel



A few days later

***********************

This message is an automatically generated reply. This system is designed to analyze and process virus submissions into the Symantec Security Response and cannot accept correspondence or inquiries.
Please contact your Technical Support representative if more detailed information about your submission is required. Do not reply to this message.

Below is a status update on your virus submission:

Date: July 18, 2006

Daniel
none



Dear Daniel,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: C:\Documents and Settings\user\Desktop\myspaceIM.exe
machine:
result: This file is detected as Trojan.Emcodec.B. http://www.symantec.com/avcenter/ven...emcodec.b.html

Developer notes:
C:\Documents and Settings\user\Desktop\myspaceIM.exe is non-repairable threat. NAV with the latest available definition detects this. Please delete this file and replace it if neccessary. Please follow the instruction at the end of this email message to install the latest available definitions.

this is a fake install dropping a trojan.

Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.

Downloading and Installing RapidRelease Definitions:
1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
2. Copy and paste the address ftp://ftp.symantec.com/public/englis...ease/sequence/ into the address bar of your Web browser and then press Enter.(this could take a minute or so if you have a slow connection)
3. Now select 56440 folder or a higher. Open the folder.
4. Select the file symrapidreleasedefsi32.exe
5. When a download dialog box appears, save the file to the Windows desktop.
6. Double-click the downloaded file and follow the prompts.


Virus definition detail:

Sequence Number: 56440
Defs Version: 80718u
Extended Version: 07/18/2006 rev.21
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation

Should you have any questions about your submission, please contact
our regional technical support from the Symantec website
(http://www.symantec.com/techsupp/)
and give them the tracking number in the subject of this message.