Message-ID: <Law11-OE35UXfsCO6Ny0001ea29@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
morning_wood
morning_wood@...loitlabs.com
http://exploitlabs.com
Analysis of "Update880.exe" W32.gibe - Trojan / Worm
Overview:
--------------------
Update880.exe arrives as email, claiming to be a new Microsoft update.
It is a virus, class KaZaA dropper. This is a different variant than the one
identified by Symantec in March 2003. This is a small analysis of
this variant's binary.
References:
--------------------
references to "p214537.exe"
http://www.arnes.si/news/archive/si.org.arnes/msg02077.html
report of HTML body code (mine was blank)
http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt
reference to "Coded ...by Begbie, Slovakia"
http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm
aka: Q216309.exe
Coded ...by Begbie, Slovakia
AutMSUpdate = p214537 MSUpdate
MSUpdate KaZaA uploDropper
Binary Text Extract:
--------------------
Installing Microsoft Update
wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp Form1
Frame1 Picture1 Command1 &Cancel ProgressPic Label1 Extracting files ...
LicenseForm License Form1 Command2 Text1
This product is protected by copyright laws and international copyright
treaties,
as well as other intellectual property laws and treaties.
ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers
hereby disclaim all warranties and conditions with regard to this
information,
including all warranties and conditions of merchantability, whether
express, implied
or statutory, fitness for a particular purpose, title and
non-infringement.
Microsoft does not warrant that the functions for the software or code will
meet
your requirements, or that the operation of the software or code will
be uninterrupted or error-free, or that defects in the software
or code can be corrected. Furthermore, Microsoft does not warrant
or make any representations regarding the use or the results of the
use of the software, code or related documentation in terms of their
correctness, accuracy, reliability, or otherwise. No oral or written
information or advice given by Microsoft or its authorized representatives
shall create a warranty or in any way increase the scope of this warranty.
Should the software or code prove defective after Microsoft has delivered
the same, you, and you alone, shall assume the entire cost associated with
all necessary servicing, repair or correction. In no event shall Microsoft
and/or its respective suppliers be liable for any special, indirect or
consequential damages or any damages whatsoever resulting from loss
of use, data or profits, whether in an action of contract,
negligence or other tortious action, arising out of or in connection
with the use or performance of software, documents, provision of or
failure to provide services, or information available from the services.
COPYRIGHT NOTICE. Copyright 2003
Microsoft Corporation, One Microsoft Way,
Redmond, Washington U.S.A.
All rights reserved.
Command1 Label2
Do you accept all of the terms of the preceding License Agreement?
If you choose No, Install will close. To install you must accept this
agreement.
Label1
Please read the following license agreement. Press the Page Down key to see
the rest
of the agreement.
Installation:
--------------------
\AC:\ Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Messenger
Setup .... by Begbie
Microsoft Internet Update Pack Coded
REG_SZ This will install Microsoft Security Update.
Code Stuff: (filenames)
--------------------
DxLoad
\DX3DRndr.exe
\gibe.dll
\MSBugAdv.exe
\MSWinsck.ocx
\WMSysDx.bin
ZipName
Code Stuff:(functions)
--------------------
Email Address Not found
LookName n0=on 1:JOIN:#:{ Update registry settings ... Installation was
cancelled. This update has been successfully installed.
ProgramFilesDir
pdate A -EP
WinRAR.exe -min -e -o
WinZip.exe
App Paths\ Outlook.Application
GetNamespace Version
GetDefaultFolder Items
Email1Address
Email2Address
Folders \MailViews.db
AddressLists
AddressEntries
Count Address
SOFTWARE\Microsoft\Wab\WAB4\Wab
File Name Software\Kazaa
\LocalContent
DisableSharing 012345: Dir99
LocalContent
Transfer
DownloadDir DlDir0
\mirc \mirc32 \mirc.ini \script.ini [script] Service n1= /if ( $nick ==
$me ) { halt } n2= /.dcc send $nick
Code Stuff: (keywords)
--------------------
IEPatch KaZaA upload XboX Emulator PS2 Emulator XP update XXX Video Sick
Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking
with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner Email Program
\Software\Microsoft\Internet Account Manager\Accounts
\Identities
\Identities\
SMTP Server SMTP Email Address NNTP Server SMTP Display Name Server
Microsoft Internet Engine Automat Robot Daemon Disp Name :[prior]
\Start menu\Programs\Startup \Documents and Settings\
\Winnt\Profiles\ Scripting.FileSystemObject Drives DriveType
RootFolder Windows WinMe Win95 Win98 \All Users
BuildPath
FolderExists \WebLoader.exe
CopyFile All Users Default User Administrator \TempRes.dat
Identification:
--------------------
FileInfo Translation StringFileInfo 040904B0
CompanyName Microsoft Corporation
FileDescription Microsoft Security Patch for Windows
LegalCopyright 1981-2003 Microsoft Corporation
LegalTrademarks is a registered trademark of Microsoft Corporation.
Windows is a trademark of Microsoft Corporation.
ProductName MSUpdate
FileVersion 9.31.2541
ProductVersion 9.31.2541
InternalName p214537
OriginalFilename p214537.exe
This is a non-technical report of a Win32 binary of an unknown type and
function at the time of acquisition. Information is provided for identification
and the type of functions, keywords and registry entries of the W32.gibe virus.
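As an added example that is not part of the original post, a small Python triage script that pulls printable ASCII and UTF-16LE strings out of a file and scores them against the indicator strings listed above (version info, dropped filenames, registry keys, address-harvesting and mIRC strings, KaZaA bait names). The sample byte blobs, the category weights and the threshold are constructed here for illustration; the rule that version info alone is not enough reflects that the version resource is trivially copied from a genuine binary.

```python
import re
# Indicator strings taken from the analysis above, grouped by what they
# reveal and weighted (constructed weights) by how specific they are to this Gibe variant.
INDICATORS = {
    "versioninfo": (3, ["p214537", "MSUpdate", "Microsoft Security Patch for Windows"]),
    "dropped_files": (3, ["DX3DRndr.exe", "gibe.dll", "MSBugAdv.exe", "WMSysDx.bin", "WebLoader.exe"]),
    "registry": (2, ["Software\\Kazaa", "Internet Account Manager\\Accounts", "WAB4\\Wab"]),
    "propagation": (2, ["Outlook.Application", "AddressEntries", "script.ini", "dcc send"]),
    "bait_names": (1, ["XboX Emulator", "PS2 Emulator", "Hallucinogenic Screensaver"]),
}

def extract_strings(data, min_len=4):
    """Pull printable ASCII and UTF-16LE runs out of raw bytes (like the `strings` tool)."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.decode("ascii") for m in re.findall(ascii_re, data)]
    found += [m.decode("utf-16le") for m in re.findall(wide_re, data)]
    return found

def match_indicators(strings):
    """Case-insensitive substring match; returns {category: [matched indicators]}."""
    blob = "\n".join(strings).lower()
    hits = {}
    for cat, (_w, needles) in INDICATORS.items():
        matched = [n for n in needles if n.lower() in blob]
        if matched:
            hits[cat] = matched
    return hits

def classify(data):
    """Score a sample; version info alone is spoofable, so demand a dropped-file or propagation hit too."""
    hits = match_indicators(extract_strings(data))
    total = sum(INDICATORS[c][0] * len(m) for c, m in hits.items())
    likely = total >= 8 and ("dropped_files" in hits or "propagation" in hits)
    return {"score": total, "hits": hits, "likely_gibe": likely}

# Constructed sample bytes (not real binaries): a Gibe-like blob, one that only
# copies the spoofed version resource, and a benign installer-like blob.
GIBE_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"Setup .... by Begbie\x00"
               + b"\\DX3DRndr.exe\x00\\gibe.dll\x00\\MSBugAdv.exe\x00"
               + b"Software\\Kazaa\x00Outlook.Application\x00AddressEntries\x00"
               + "MSUpdate\x00p214537.exe".encode("utf-16le") + b"XboX Emulator\x00")
VERSIONINFO_ONLY = (b"MZ\x90\x00"
                    + "MSUpdate\x00p214537.exe\x00Microsoft Security Patch for Windows".encode("utf-16le"))
BENIGN_SAMPLE = b"MZ\x90\x00" + "Microsoft Corporation".encode("utf-16le") + b"Installing update\x00ProgramFilesDir\x00"

if __name__ == "__main__":
    for name in ("GIBE_SAMPLE", "VERSIONINFO_ONLY", "BENIGN_SAMPLE"):
        print(name, classify(globals()[name]))
```

Run it against a real file with `classify(open(path, "rb").read())`; the UTF-16LE pass is what catches the VersionInfo fields, since PE version resources are stored as wide strings.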
Conclusion:
--------------------
While this is a known virus, its method of delivery and masquerading as a
legitimate update make this a particularly unsuspicious attachment that is
easily mistaken by the general Internet user for a legitimate Microsoft update.
As well, the main program has been modified to reduce detection.
Credits:
--------------------
morning_wood
http://exploitlabs.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Update880.exe
Type: application/x-msdownload
Size: 155648 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030524/ff445c55/Update880.bin