Joel Stringfellow (njyoder) wrote in thequestionclub,

LJ virus?

What's this nonsense about an LJ virus? I'm getting very confusing messages over AIM that appear to be a result of AIM screennames being switched around. That is, I'm getting messages through what appears to be one screenname, but it's actually multiple people from different screennames who are having their messages altered somehow to appear to be from one screenname. One of the messages I got through that screenname was from a bot. Other messages were saying that some guy had his files deleted. One of the people messaged something about thequestionclub and an LJ virus causing it, but that seems unlikely.

I know none of the people messaging me (one of them told me his real screenname) and their only relation to me is that they use LJ and are members of thequestionclub (although I don't have it friended).

So, does anyone know about some strange vulnerability with AIM clients or servers that could cause this?

Here are some of the stranger messages I got:
[03:33:03] kawaiidezu: [HELLO OP TO BASE RETURN 9a427BA0]
[03:34:04] kawaiidezu: [OP MSG USER PLEASE END CONVERSATION, WE NEED THIS LINE FOR MAINTENANCE END CODE 4A9C22]

[03:40:26] kawaiidezu: god I dont' remember, the guys name was www.livejournal.com/users/icurfriendsonly
[03:40:45] kawaiidezu: he infected everyone with something to see their friends only entries and other fucked up stuff before getting suspendied

[03:52:29] kawaiidezu: all my files are gone!!! wiped out!!!

[04:13:52] kawaiidezu: fistfuck niggercock fuckshit loldongs!
[04:13:57] njyoder: who are you?
[04:14:35] kawaiidezu: I put your grandma's cuntflaps in a ricecooker with hollaindaise sauce!

NOTE: These are all from the same screenname and apparently from different people who think they're messaging under their normal screennames. Someone else used dongul8r to message people.

EDIT: New guess, this isn't any virus/worm AT ALL. Instead, someone registered a few new usernames like kawaiidezu. Then they redirected messages from various people under the screennames to other people. That is, they started messaging person A, then took the replies from A and used the kawaiidezu account to relay it to person B. I don't know WHY someone would do that, as it just causes confusion. Nonetheless, it's not that difficult to create an AIM bot that only relays messages.

EDIT[2]: Ok, apparently this guy was reading friends only entries on LJ from what I found out from other sources. This leads me to believe that it's an AIM relay bot which ALSO infects people's computers with some vulnerability in the official AIM software or through MSIE. So it infects the computer, then sets it up as an AIM relay bot. Of course, these may actually be two separate malicious acts and I'm incorrectly connecting the two.

FINAL EDIT?: I found out that it was a now-fixed cross-site scripting vulnerability. They are using about 20 AIM bots at a given time (out of hundreds they have) to randomly relay messages between users. They screen scraped hundreds of thousands (allegedly) of AIM screennames off of LJ and used them to relay messages. Some developer, who made a now deleted post, almost got fired from his LJ developer job for posting about the cross-site scripting vulnerability. If true, this is ridiculous; the other people running the software need to know so they can update their sites.