- !!! Trojan horse WARNING !!! - some AW cits do not know better than to spread trojans (Community)

- !!! Trojan horse WARNING !!! - some AW cits do not know better than to spread trojans // Community

1  |  


Jul 21, 2003, 4:43pm
If you get a telegram like this:

"Telegram from someone's name, sent Mo Jul 21, 2003 06:41:
My friend has made a cool little program for AW and it would mean a lot to
me if you helped him out and downloaded it and told me and him what you
think: www . twisted-inc . com / awtoolkit . exe "
(URL without blanks).

do NOT download and run the program.

How it installs on your system:

awtoolkit.exe immidiatly renames to c:\%win_root%\msagent\mslxlu.exe. It
creates at least 3 registry entries, which call the program whenever you
logon to windows and/or you start IE. Once mslxlu.exe it copies itself to
c:\%win_root%\system32\msrksd.com, which is also called when you logon to
windows or start IE. A third copy is made and copied to
c:\%win_root%\win32cmds.exe. Using your taskmanager (win2k/XP) will show you
this process once its running.

All instances are UPX compressed files. Norton does NOT recognize the

What it does:

1) It runs an IRC server on port 6666
2) It connects to ICQ using remote port 80
3) It tries to connect to hotmail.com to send off an email, using remote
port 25

I did not analyse the data it would try to send, though, as in- and outgoing
connections were blocked when I analysed it. It looks like the trojan is
even able to capture your screen.

In case one of you already got infected, please contact ActiveWorlds for
removal instructions.


Jul 21, 2003, 4:56pm
If you actually look at my post, you wouldnt need to post another topic..


Jul 21, 2003, 5:07pm
I acedenly downloaded a file from this server, it was a BIG mistake. my cit
was hacked, I could no longer log onto aw, then all of my cofiguration files
were eraced including my system config, to make a long story short I had to
format my computer.
Please do not click on any urls in tgrams that have been sent by me in the
last 2 days, or file requests. The post I posted to the NG about utilities
to the best of my knowledge dose not have any viruses or spyware on them.
I am very sorry for this if anyone has received any urls or links by me in
the last 2 days that have been infected.

[View Quote]


Jul 21, 2003, 5:46pm
chrispeg, report it to Norton.

Brock - 308723 - DE Leader
[View Quote]

crazy pills

Jul 21, 2003, 6:02pm
wait i accidentally clicked it hwo do i egt rid of it!!!!
[View Quote]


Jul 21, 2003, 6:04pm
rofl read what it does, and delete whats in msangent thing heh


Jul 21, 2003, 6:09pm
That is not enough, themask.

Please contact AW for removal instruction.

"themask" <admin at themask.3dhost.net> schrieb im Newsbeitrag
news:3f1c4764 at server1.Activeworlds.com...
> rofl read what it does, and delete whats in msangent thing heh


Jul 21, 2003, 6:10pm
Okay, I reported it to Norton.

btw: how are you brock ?

"brock" <BrockL at iceflare.net> schrieb im Newsbeitrag
news:3f1c42fe$1 at server1.Activeworlds.com...
> chrispeg, report it to Norton.
> --
> Brock - 308723 - DE Leader
[View Quote]


Jul 21, 2003, 6:40pm
Eh, and you think AW would know? I'd rather see what Norton gets.


Jul 21, 2003, 7:01pm
[View Quote] It's funny how everyone runs this. Even people who should know better
run it.


No of SETI units returned: 41
Processing time: 31 days, 9 hours.
(Total hours: 753)


Jul 21, 2003, 7:06pm
Good chris, good, long time no see.

Brock - 308723 - DE Leader
[View Quote]


Jul 21, 2003, 7:14pm
Can this thing do any damage if you're not under an Administrator account?


[View Quote]


Jul 21, 2003, 7:27pm
What are the names of the registry entries?
[View Quote]


Jul 21, 2003, 7:32pm
BTW, will deleting all of the files get rid of it sufficiently, or shoudl I
delete the registry entries too?
[View Quote]


Jul 21, 2003, 7:42pm
You just delete all the files and registry entries, right?
[View Quote]


Jul 21, 2003, 8:00pm
yeah, and I got the links in the telegram. Unfortuanetely your warning came
too late. Luckily I didn't lose my cit. Thanks anyway. Its no problem, its
not your fault.
[View Quote]


Jul 21, 2003, 8:01pm
rofl, I got it from matt through pineriver's cit. I clicked on it stupidly
because I trust pineriver, and didn't know the cit was stolen :-P sucks for
[View Quote]

r i c h a r d

Jul 21, 2003, 8:01pm
Id just like to know what kind of tool kit would be in around 50kb exe or
what installation comes in a 50kb exe?


Jul 21, 2003, 8:50pm
[View Quote] The executable was compressed with UPX, so it was probably originally larger than 50kb.



Jul 22, 2003, 1:36pm
my cit is hacked and guess who told me? OneSummer that hacker and now I cant
get on AW...
[View Quote]


Jul 22, 2003, 1:42pm
OneSummer is NOT a hacker....sheeesh.....

[View Quote]


Jul 22, 2003, 1:43pm
Its a bunch of punks on AWTeen doing it...They steal your cit then use it to
telegram your friends with the link

[View Quote]


Jul 22, 2003, 3:15pm
Trust me, OneSummer is *not* a hacker, cracker, or script kiddie. She is
always hosting community events and I host two bots for her in BluPearl
world. If she sent you a telegram, it was probably to warn you *not* to
click on a link or something. She's been a target of various "trouble
makers" (had to use your word, BinaryBud ;) in the past and hardly ever
is the cause of such problems. Another possibility is that she herself
clicked on the bot link and her account password was stolen and someone
else sent the telegram to you under her name.


[View Quote]


Jul 22, 2003, 3:53pm
confirmation the last scenario is correct. Everyone Be Careful.
On the net, it's NOT always who you think it is.


[View Quote]


Jul 22, 2003, 6:19pm
But my name is Bill Gates, and I own you all...

1  |  
Awportals.com is a privately held community resource website dedicated to Active Worlds.
Copyright (c) Mark Randall 2006 - 2024. All Rights Reserved.
Awportals.com   ·   ProLibraries Live   ·   Twitter   ·   LinkedIn