From: sgmasood at yahoo.com (S G Masood)
Subject: Swen/Gibe.F Worm - Some New Info (was RE: Web counter in the new Swen/Gibe.F worm)

LoL. Just found the worm even has a nice GUI! (I am
attaching a sample extracted resource of a dialog)

Once executed, it presents installation dialogs to the
users (with EULA and all) and installs as a legitimate
program/patch would install. It doesn't try to be
discreet in any way.

The malicious message to which this worm was attached
posed as a *very* convincing MS patch. 

The author probably thinks it's better to ask users
directly for info, posing as a legitimate program,
than try to be discreet in its function (see attached
text). This way it tries to exploit certain
assumptions that users have about
malware (sneaky, encrypted, packed, no nice GUI :), etc). I
think lots of people, otherwise paranoid and careful,
will fall for this worm. Believe me, Swen *very*
convincingly upsets users' assumptions and this is its
biggest USP...


--
Regards,
S.G.Masood.

Hyderabad,
India.
--

8<-------------SAMPLE EXTRACTED RESOURCE FROM SWEN WORM BEGINS---------------



101 DIALOG 0, 0, 452, 201
STYLE DS_NOFAILCREATE | DS_MODALFRAME | DS_SETFOREGROUND | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION " MAPI32 Exception"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK
FONT 8, "MS Sans Serif"
{
   CONTROL "&Apply", 1005, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 169, 182, 54, 14
   CONTROL "Cancel", 1006, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE, 228, 182, 54, 14
   CONTROL "", -1, BUTTON, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, 7, 44, 437, 131
   CONTROL 104, -1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 7, 7, 20, 20
   CONTROL "An internal error has occurred in module mapi32.dll", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 33, 6, 169, 8
   CONTROL 103, -1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 13, 54, 20, 20
   CONTROL "In the edit box below, please enter your name as you would like it to appear in the \"From\" field of your outgoing message.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 58, 198, 17
   CONTROL "Your Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 81, 41, 9
   CONTROL "", 1002, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 78, 126, 12
   CONTROL "Please enter your email address. This address will be the address other people use to send email to you.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 97, 181, 17
   CONTROL "Email Address:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 119, 47, 9
   CONTROL "", 1003, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 117, 126, 12
   CONTROL "Please enter the name of your outgoing mail server in the edit box below.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 137, 181, 16
   CONTROL "SMTP Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 159, 47, 9
   CONTROL "", 1004, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 156, 126, 12
   CONTROL "Default mail account structure has a damaged table of contents. It is recommended to newly reconfigure your account records. MAPI32 needs these informations in order to be able to send and receive mail. Failure to do so may cause that some MAPI32", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 33, 18, 406, 17
   CONTROL "(required)", -1, STATIC, SS_LEFTNOWORDWRAP | WS_CHILD | WS_VISIBLE | WS_GROUP, 217, 120, 33, 8
   CONTROL "(required)", -1, STATIC, SS_LEFTNOWORDWRAP | WS_CHILD | WS_VISIBLE | WS_GROUP, 217, 160, 34, 8
   CONTROL "Enter the name you will use to log into this account.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 66, 169, 9
   CONTROL "Login Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 81, 43, 8
   CONTROL "", 1007, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311, 78, 96, 12
   CONTROL "Please enter the password for current account.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 97, 167, 8
   CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 114, 37, 8
   CONTROL "", 1008, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 325, 109, 50, 12
   CONTROL "Type in the full name of your incoming mail server.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 146, 163, 8
   CONTROL "POP3 Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 160, 46, 8
   CONTROL "", 1009, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 325, 125, 50, 12
   CONTROL "Retype password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 128, 58, 8
   CONTROL "", 1010, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311, 156, 124, 12
   CONTROL "dependent applications (such as Outlook or Outlook Express) become non-functional.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 33, 34, 294, 8
}

8<---------------SAMPLE EXTRACTED RESOURCE FROM SWEN WORM ENDS-------------

--- "B.K. DeLong" <bkdelong@...ox.com> wrote:
> At 02:31 PM 9/18/2003 -0400, you wrote:
> >Hi,
> >
> >Joe Stewart of Lurhq.com has made an interesting discovery about the new
> >Swen/Gibe.F worm that started circulating today: When the worm infects
> >a new machine, it hits a Web counter.
> >
> >The URL of the counter is:
> >
> >http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006
> >
> >If this URL wraps in your email reader, here's a shorter version:
> >
> >    http://tinyurl.com/nufo
> >
> >At 2:30 EST, the counter is about 615,000.
> >
> >Here's a bit more about the worm:
> >
> >    http://news.com.com/2100-7349_3-5078696.html
> >
> >The server log entries for this counter might prove interesting to virus
> >researchers.  These entries could provide data for a statistical study
> >of computer worm transmissions.  Perhaps the Vutbr.cz Web site would be
> >willing to go public with this information.
> 
> Is anyone storing sample virii somewhere for analysis? Or do we have to
> wait for it to show?
> 
> 
> --
> B.K. DeLong
> bkdelong@...ox.com
> +1.617.797.2472
> 
> http://ocw.mit.edu                           Work.
> http://www.brain-stream.com               Play.
> http://www.the-leaky-cauldron.org        Potter.
> http://www.city-of-doors.com               Sigil
> 
> PGP Fingerprint:
> 38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
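To triage a dialog resource like the one above for credential prompts, here is an added Python example (not from the post, nor code from the worm): it parses the CONTROL statements of an RC DIALOG script, pairs each EDIT box with the label to its left on the same row, and flags boxes that use ES_PASSWORD or sit next to an account-related label. The embedded input is a subset of the resource quoted above; the row tolerance and keyword list are assumptions chosen for this dialog's layout.

```python
import re

# Subset of the Swen dialog resource quoted above, embedded as test input.
SAMPLE_RC = r'''101 DIALOG 0, 0, 452, 201
CAPTION " MAPI32 Exception"
{
   CONTROL 104, -1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 7, 7, 20, 20
   CONTROL "Your Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 81, 41, 9
   CONTROL "", 1002, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE, 89, 78, 126, 12
   CONTROL "SMTP Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 159, 47, 9
   CONTROL "", 1004, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE, 89, 156, 126, 12
   CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 114, 37, 8
   CONTROL "", 1008, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE, 325, 109, 50, 12
   CONTROL "Retype password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 128, 58, 8
   CONTROL "", 1009, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE, 325, 125, 50, 12
}'''

# One CONTROL statement: text-or-icon-id, id, class, style expression, x, y, w, h.
CONTROL_RE = re.compile(
    r'CONTROL\s+("(?:[^"\\]|\\.)*"|\d+)\s*,\s*(-?\d+)\s*,\s*(\w+)\s*,'
    r'\s*([^,]+?)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)')
CRED_WORDS = ("password", "login", "smtp", "pop3", "email")  # assumed keyword list

def parse_controls(rc_text):
    """Return every CONTROL statement of an RC DIALOG script as a dict."""
    out = []
    for m in CONTROL_RE.finditer(rc_text):
        text = m.group(1)[1:-1] if m.group(1).startswith('"') else ""  # icon ids carry no text
        out.append({"text": text, "id": int(m.group(2)), "class": m.group(3).upper(),
                    "styles": {s.strip() for s in m.group(4).split("|")},
                    "x": int(m.group(5)), "y": int(m.group(6))})
    return out

def label_for(edit, controls, row_tolerance=6):
    """Nearest STATIC label left of an EDIT on (roughly) the same dialog row."""
    cands = [c for c in controls if c["class"] == "STATIC" and c["text"]
             and c["x"] < edit["x"] and abs(c["y"] - edit["y"]) <= row_tolerance]
    return max(cands, key=lambda c: c["x"])["text"] if cands else ""

def credential_fields(rc_text):
    """(id, label, masked) for EDIT controls that collect secrets or account data."""
    controls = parse_controls(rc_text)
    found = []
    for c in (c for c in controls if c["class"] == "EDIT"):
        label = label_for(c, controls)
        masked = "ES_PASSWORD" in c["styles"]  # password-style edit box
        if masked or any(w in label.lower() for w in CRED_WORDS):
            found.append((c["id"], label, masked))
    return found
```

Run on the full resource above, the same logic also pairs edit 1010 with "POP3 Server:" and edit 1003 with "Email Address:", so every account field the dialog collects is listed with its label.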



