Message-ID: <Law11-OE70b6uIU1Gj00001ecad@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
oops' .. hey, that was cool... everyone's AV works ..
wood
----- Original Message -----
From: "morning_wood" <se_cur_ity@...mail.com>
To: <incidents@...urityfocus.com>; <full-disclosure@...ts.netsys.com>
Sent: Saturday, May 24, 2003 9:04 AM
Subject: [Full-Disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
> morning_wood
> morning_wood@...loitlabs.com
> http://exploitlabs.com
>
>
> Analysis of "Update880.exe" W32.gibe - Trojan / Worm
>
> Overview:
> --------------------
>
> Update880.exe arrives as email, claiming to be a new Microsoft update.
> It is a virus, class KaZaA Dropper. This is a different variant than the one
> identified by Symantec in March 2003. This is a small analysis of
> this variant's binary.
>
> References:
> --------------------
>
> references to "p214537.exe"
> http://www.arnes.si/news/archive/si.org.arnes/msg02077.html
>
> report of html body code ( mine was blank)
> http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt
>
>
> reference to "Coded ...by Begbie, Slovakia"
> http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
> http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm
>
>
> aka: Q216309.exe
>
>
> Coded ...by Begbie, Slovakia
> AutMSUpdate = p214537 MSUpdate
> MSUpdate KaZaA uploDropper
>
>
> Binary Text Extract:
> --------------------
>
> Installing Microsoft Update
>
>
> wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp Form1
> Frame1 Picture1 Command1 &Cancel ProgressPic Label1 Extracting files ...
> LicenseForm License Form1 Command2 Text1
>
>
> This product is protected by copyright laws and international copyright
> treaties,
> as well as other intellectual property laws and treaties.
> ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers
> hereby disclaim all warranties and conditions with regard to this
> information,
> including all warranties and conditions of merchantability, whether
> express, implied
> or statutory, fitness for a particular purpose, title and
> non-infringement.
> Microsoft does not warrant that the functions for the software or code will meet
> your requirements, or that the operation of the software or code will
> be uninterrupted or error-free, or that defects in the software
> or code can be corrected. Furthermore, Microsoft does not warrant
> or make any representations regarding the use or the results of the
> use of the software, code or related documentation in terms of their
> correctness, accuracy, reliability, or otherwise. No oral or written
> information or advice given by Microsoft or its authorized representatives
> shall create a warranty or in any way increase the scope of this warranty.
> Should the software or code prove defective after Microsoft has delivered
> the same, you, and you alone, shall assume the entire cost associated with
> all necessary servicing, repair or correction. In no event shall Microsoft
> and/or its respective suppliers be liable for any special, indirect or
> consequential damages or any damages whatsoever resulting from loss
> of use, data or profits, whether in an action of contract,
> negligence or other tortious action, arising out of or in connection
> with the use or performance of software, documents, provision of or
> failure to provide services, or information available from the services.
> COPYRIGHT NOTICE. Copyright 2003
> Microsoft Corporation, One Microsoft Way,
> Redmond, Washington U.S.A.
> All rights reserved.
>
>
> Command1 Label2
> Do you accept all of the terms of the preceding License Agreement?
> If you choose No, Install will close. To install you must accept this
> agreement.
>
> Label1
>
> Please read the following license agreement. Press the Page Down key to see
> the rest of the agreement.
>
>
> Installation:
> --------------------
>
>
> \AC:\ Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Messenger
>
> Setup .... by Begbie
>
> Microsoft Internet Update Pack Coded
>
> REG_SZ This will install Microsoft Security Update.
>
>
> Code Stuff: (filenames)
> ------------------
>
> DxLoad
> \DX3DRndr.exe
> \gibe.dll
> \MSBugAdv.exe
> \MSWinsck.ocx
> \WMSysDx.bin
>
> ZipName
>
> Code Stuff:(functions)
> -------------------
>
>
> Email Address Not found
> LookName n0=on 1:JOIN:#:{ Update registry settings ... Installation was
> cancelled. This update has been successfully installed.
>
>
>
> ProgramFilesDir
> pdate A -EP
> WinRAR.exe -min -e -o
> WinZip.exe
>
> App Paths\ Outlook.Application
> GetNamespace Version
> GetDefaultFolder Items
> Email1Address
> Email2Address
> Folders \MailViews.db
> AddressLists
> AddressEntries
> Count Address
> SOFTWARE\Microsoft\Wab\WAB4\Wab
>
>
> File Name Software\Kazaa
> \LocalContent
> DisableSharing 012345: Dir99
> LocalContent
> Transfer
> DownloadDir DlDir0
> \mirc \mirc32 \mirc.ini \script.ini [script] Service n1= /if ( $nick ==
> $me ) { halt } n2= /.dcc send $nick
>
>
> Code Stuff: (keywords)
> --------------------
>
> IEPatch KaZaA upload XboX Emulator PS2 Emulator XP update XXX Video Sick
> Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking
> with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner Email Program
>
>
> \Software\Microsoft\Internet Account Manager\Accounts
> \Identities
> \Identities\
>
> SMTP Server SMTP Email Address NNTP Server SMTP Display Name Server
> Microsoft Internet Engine Automat Robot Daemon Disp Name :[prior]
> \Start menu\Programs\Startup \Documents and Settings\
> \Winnt\Profiles\ Scripting.FileSystemObject Drives DriveType
> RootFolder Windows WinMe Win95 Win98 \All Users
> BuildPath
> FolderExists \WebLoader.exe
> CopyFile All Users Default User Administrator \TempRes.dat
>
> Identification:
> --------------------
>
> FileInfo Translation StringFileInfo 040904B0
> CompanyName Microsoft Corporation
> FileDescription Microsoft Security Patch for Windows
> LegalCopyright 1981-2003 Microsoft Corporation
> LegalTrademarks is a registered trademark of Microsoft Corporation.
> Windows is a trademark of Microsoft Corporation.
> ProductName MSUpdate
> FileVersion 9.31.2541
> ProductVersion 9.31.2541
> InternalName p214537
> OriginalFilename p214537.exe
>
>
> This is a non-technical report of a Windows32 binary of an unknown type and
> function at the time of acquisition. Information is provided for identification
> and the type of functions, keywords and registry entries of the W32.gibe virus.
>
>
> Conclusion:
> --------------------
>
> While this is a known virus, its method of delivery and masquerading as a
> legitimate update makes this a particularly unsuspecting attachment that is
> easily mistaken by the general internet user as a legitimate Microsoft update.
> As well, the main program has been modified to reduce detection.
>
>
> Credits:
> --------------------
> morning_wood
> http://exploitlabs.com
>
>
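Added example, not part of the original post or of exploitlabs: a small Python triage script that does by machine what the analysis above does by eye. It pulls printable ASCII and UTF-16LE strings out of a file (version-info fields such as InternalName live in a wide-character resource, so an ASCII-only `strings` pass can miss them) and reports which of the posted indicators are present: the dropped filenames, the version-resource values, and fragments of the mIRC `script.ini` / KaZaA / Outlook spreading logic. The indicator values are the ones quoted in the post; the two sample byte strings, the function names and the hit threshold are constructed here for illustration.

```python
"""String-based triage for W32.Gibe-style samples (added example).

Indicator values are copied from the strings extract quoted in the post;
the two sample byte strings below are constructed for illustration.
"""
import re
from typing import Dict, List

# Filenames the post lists under "Code Stuff: (filenames)" and in the
# FileSystemObject section.
DROPPED_FILES = [
    "DX3DRndr.exe", "gibe.dll", "MSBugAdv.exe", "MSWinsck.ocx",
    "WMSysDx.bin", "WebLoader.exe", "TempRes.dat",
]

# Version-resource values from the post's "Identification" section.
VERSION_INFO = {
    "ProductName": "MSUpdate",
    "FileVersion": "9.31.2541",
    "InternalName": "p214537",
    "OriginalFilename": "p214537.exe",
}

# Fragments of the spreading logic (mIRC script.ini, KaZaA share dir,
# Outlook address harvesting) quoted under "Code Stuff: (functions)".
BEHAVIOUR_MARKERS = [
    "/.dcc send $nick", "script.ini", "Software\\Kazaa", "GetDefaultFolder",
]

_ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Wide strings: printable ASCII interleaved with NUL, as in VS_VERSION_INFO.
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable runs of 4+ chars, both narrow (ASCII) and wide
    (UTF-16LE), roughly the union of `strings -a` and `strings -el`."""
    out = [m.group().decode("ascii") for m in _ASCII_RE.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in _UTF16_RE.finditer(data)]
    return out


def match_indicators(data: bytes) -> Dict[str, object]:
    """Report which of the posted indicators occur in the file's strings.
    Substring match is used because the dump shows paths like "\\gibe.dll"."""
    strings = extract_strings(data)

    def present(needle: str) -> bool:
        return any(needle in s for s in strings)

    return {
        "dropped_files": [f for f in DROPPED_FILES if present(f)],
        "version_info": {k: v for k, v in VERSION_INFO.items() if present(v)},
        "behaviour": [b for b in BEHAVIOUR_MARKERS if present(b)],
    }


def indicator_count(data: bytes) -> int:
    """Number of distinct indicators found across all three categories."""
    hits = match_indicators(data)
    return (len(hits["dropped_files"]) + len(hits["version_info"])
            + len(hits["behaviour"]))


def is_gibe_like(data: bytes, threshold: int = 3) -> bool:
    """Flag a file only when several independent indicators coincide; a
    single hit such as "MSUpdate" is too generic to act on by itself.
    The threshold of 3 is an assumption for this example."""
    return indicator_count(data) >= threshold


# Constructed sample: a PE-like stub carrying a few of the posted strings,
# with the version field stored wide the way a real resource would be.
SAMPLE_SUSPECT = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Installing Microsoft Update\x00"
    + b"\\DX3DRndr.exe\x00\\gibe.dll\x00\\MSBugAdv.exe\x00"
    + b"n2= /.dcc send $nick\x00"
    + "InternalName\0p214537\0".encode("utf-16-le")
)
# Constructed benign sample for comparison.
SAMPLE_CLEAN = b"MZ\x90\x00" + b"Hello, world! This file drops nothing.\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        print(name, match_indicators(blob), "flagged:", is_gibe_like(blob))
```

Run it against a real sample with `match_indicators(open(path, "rb").read())`. The categories are kept separate on purpose: a stray "MSUpdate" or "script.ini" string in a legitimate installer is one hit, whereas the post's variant yields hits in all three categories at once, which is what the threshold keys on.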