
Hmm, has my computer been hacked?


rs7k

Member
AntiVir (my freeware anti-virus app) detected a worm on my computer, so I wanted to check what folder it was in. I opened up C:\, and to my surprise, I found a bunch of files that don't look really official, and that I know weren't put there by me.

Here's what the directory looks like:
[image: screenshot of the C:\ directory listing]


As you can see, there's a bunch of files that have the VB icon. Not very official-looking, especially for a computer that's been formatted recently.

Anyways, I opened the 123 text file out of curiosity, and was very surprised by what I found.

[image: screenshot of the 123 text file, partly blacked out]


What I blacked out are usernames/passwords, and the last part is a credit card number. At the top of the file is my userid for my POP email, and the resource type is Outlook Express, making me even more suspicious.

Anyways, am I right assuming there's something real fishy happening to my computer?
 

shuri

Banned
Hi. Your identity has been stolen. I suggest that you wipe out your system and change all your passwords and login names.
 

mattx5

Member
Change all your login information NOW. All that information is in no way connected and should not be stored in a single file for any reason. Somebody's fucked you real good. Check your account history to make sure no withdrawals/purchases have been made with either your Paypal, credit card, etc. and then CANCEL ALL OF YOUR FUCKING ACCOUNTS.
 

cloudwalking

300chf ain't shit to me
It looks to me like you have some sort of keylogger on your computer that has been plugging all your usernames and passwords into that TXT file, and then likely uploading it to someone with malicious intent.

Get in touch IMMEDIATELY with Paypal, Ebay, Royal Bank and any of the other organizations that appear in that file and tell them what has happened. Have them close any accounts you own and halt any activity.
 

rs7k

Member
All those ID's and passwords aren't mine. The computer is shared between three people (me and my two roommates). I will definitely let my friend know that he should notify these companies, but is it really necessary to cancel the accounts? Poor guy has perfect feedback on eBay and he's been using the account for years.
 

cloudwalking

300chf ain't shit to me
rs7k said:
All those ID's and passwords aren't mine. The computer is shared between three people (me and my two roommates). I will definitely let my friend know that he should notify these companies, but is it really necessary to cancel the accounts? Poor guy has perfect feedback on eBay and he's been using the account for years.

Make sure you let everyone know what's going on. It's their decision whether or not to close the accounts, but keep in mind that a criminal could very well have access to all of these accounts and there could be some serious complications if he starts using them.

As for the Ebay feedback, I don't see how that could be more important than protecting your finances! I'm certain if your friend got in touch with Ebay they would gladly help him out. They don't want to get scammed either, I'm sure.
 

pnjtony

Member
Was the worm that you detected part of this or did it just happen to lead you to your C:\ and you saw this?

If so...what worm was it?
 

rs7k

Member
I don't know if it was part of it, but yeah, I was going to find out where the worm was located by browsing my hard drive and I stumbled upon this.

The worm's name is Worm/Wurmark.D.1

Found out it's a porn worm... I also found it in my roommate's folder. The computer also happens to be in my room. :mad:
 

cloudwalking

300chf ain't shit to me
Hmm... when you pull up the Symantec page on the worm, it doesn't mention anything about keylogging or storing passwords. It might be something else that created that TXT file.

It wouldn't surprise me if your friend picked something like that up off of a porn site.
 

maharg

idspispopd
Just a note, that RBC one won't be a credit card number (it's a debit card number) and the royal bank page doesn't actually give you enough info to use a credit card listed on it (gives you name but not expiry date or security code). While the info is such that it could be used for identity hijacking, it's not that damning in itself.

However, the password needs to be changed right away because if someone has it they could change your address with the bank and apply for additional credit.
 

shuri

Banned
Identity hijacking by some asian gang is much more dramatic than having a kid buying 3tb worth of hard drive storage off newegg.com.
 

ShadowRed

Banned
cloudwalking said:
Hmm... when you pull up the Symantec page on the worm, it doesn't mention anything about keylogging or storing passwords. It might be something else that created that TXT file.

It wouldn't surprise me if your friend picked something like that up off of a porn site.




Yeah, I was going to say the same. I found a couple of articles about the worm and nothing mentioned keylogging. To be safe, format and reinstall. Also get your own computer so you don't have to worry about some horny dumbass spreading your financial information to the four corners.




Porn worm spreads as new year greeting
By Robert Jaques


Security experts have discovered a mass-mailing worm which offers an unusual happy new year message in the form of a pornographic photograph.

Wurmark-D (W32/Wurmark-D) travels as an attachment via email pretending to be a seasonal greeting, security firm Sophos warned.

If an unwitting recipient opens the file the virus is launched and begins by displaying a graphic image of nude men and women contorting to form the words 'happy new year'.

At this point the malicious worm is installing behind the scenes, and forwarding itself to other computer users.

"Once activated, this worm will harvest your computer hunting for other email addresses to send itself to, and try and turn off antivirus software," said Graham Cluley, senior technology consultant for Sophos.

"Anyone who forgets to exercise caution before running this unsolicited email attachment could be in for a rude awakening."

Emails sent by the Wurmark-D worm have the following characteristics:

Subject: HAPPY NEW YEAR!!!
Message body: All the best in new year from our family here is a litle attachment to make you smile in new year email me back haha...

Alternatively the worm may have the following wording:

Subject: MARY CHRISTMAS from our family
Message body: All the best in new year and christams from our family i was lauging like mad when i saw it!

Attached to the email is a Zip file containing a file with one of the following names: Sexy_new_year.scr, HOT_NEW_YEAR.scr, Marry_christmas.scr, with_love.scr, From_my_hart.scr, new_year.scr, and Hot_new_year.scr.

"People coming into work after an extended holiday, and possibly facing a few thousand emails in their inbox, should be careful not to fall for the confidence tricks often used by computer viruses," said Cluley.

Although there have only been a small number of reports of the Wurmark-D worm in the wild, security firms have warned that computer users must ensure that antivirus software is up-to-date.
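The indicators listed in the quoted article (two subject lines, and a Zip attachment carrying a `.scr` file) can be turned into a simple mail-filter check. The following is an added example, not part of the original thread or of any vendor's tooling; the function names and the sample message are constructed for illustration, and the check also flags any other `.scr` file inside a Zip, which goes slightly beyond the article's name list.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Indicators taken from the article quoted above.
SUBJECTS = {"happy new year!!!", "mary christmas from our family"}
SCR_NAMES = {n.lower() for n in (
    "Sexy_new_year.scr", "HOT_NEW_YEAR.scr", "Marry_christmas.scr",
    "with_love.scr", "From_my_hart.scr", "new_year.scr", "Hot_new_year.scr")}


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 5322 message looks like a Wurmark-D mail."""
    msg = message_from_bytes(raw)
    findings = []
    if str(msg.get("Subject") or "").strip().lower() in SUBJECTS:
        findings.append("subject matches a known Wurmark-D subject line")
    for part in msg.walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not payload or not payload.startswith(b"PK"):
            continue  # not a Zip archive (checked by magic bytes, not by name)
        try:
            names = zipfile.ZipFile(io.BytesIO(payload)).namelist()
        except zipfile.BadZipFile:
            findings.append("attachment has a Zip header but cannot be parsed")
            continue
        for name in names:
            base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base in SCR_NAMES:
                findings.append(f"zip contains listed file name: {name}")
            elif base.endswith(".scr"):
                findings.append(f"zip contains a .scr executable: {name}")
    return findings


def build_sample(subject: str, member: str) -> bytes:
    """Constructed test message: a Zip attachment holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "constructed placeholder, not malware")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="card.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample("HAPPY NEW YEAR!!!", "new_year.scr")))
```
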
 