Message-ID: <3ECFD449.8050302@adelphia.net>
From: hescominsoon at adelphia.net (William Warren)
Subject: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED

question is..does yours?

:)


morning_wood wrote:
> oops' .. hey, that was cool... everyone's AV works ..
> 
> wood
> 
> ----- Original Message -----
> From: "morning_wood" <se_cur_ity@...mail.com>
> To: <incidents@...urityfocus.com>; <full-disclosure@...ts.netsys.com>
> Sent: Saturday, May 24, 2003 9:04 AM
> Subject: [Full-Disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
> 
> 
> 
>>morning_wood
>>morning_wood@...loitlabs.com
>>http://exploitlabs.com
>>
>>
>>Analysis of "Update880.exe" W32.gibe - Trojan / Worm
>>
>>Overview:
>>--------------------
>>
>> Update880.exe arrives as email, claiming to be a new Microsoft update.
>>It is a virus, class KaZZA Dropper. This is a different variant than
>>identified by Symantec in March 2003. This is a small analysis of
>>this variant's binary.
>>
>>References:
>>--------------------
>>
>>references to "p214537.exe"
>>http://www.arnes.si/news/archive/si.org.arnes/msg02077.html
>>
>>report of html body code ( mine was blank)
>>http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt
>>
>>
>>reference to "Coded ...by Begbie, Slovakia"
>>http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
>>http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm
>>
>>
>>aka: Q216309.exe
>>
>>
>>Coded ...by Begbie, Slovakia
>>AutMSUpdate     =   p214537 MSUpdate
>>MSUpdate KaZaA uploDropper
>>
>>
>>Binary Text Extract:
>>--------------------
>>
>>Installing Microsoft Update
>>
>>
>>wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp Form1
>> Frame1 Picture1 Command1 &Cancel ProgressPic Label1 Extracting files ...
>>LicenseForm  License Form1 Command2 Text1
>>
>>
>>This product is protected by copyright laws and international  copyright
>>treaties,
>> as well as other intellectual property laws and  treaties.
>>ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE  PROVIDED "AS IS"
>>WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers
>>hereby disclaim all warranties  and conditions with regard to this
>>information,
>>including all warranties  and conditions of merchantability, whether
>>express, implied
>> or  statutory, fitness for a particular purpose, title and
>>non-infringement.
>>Microsoft does not warrant that the functions for the software or code will
>>meet your requirements, or that the operation of the software or  code will
>>be uninterrupted or error-free, or that defects in the software
>>or code can be corrected.  Furthermore, Microsoft does not warrant
>>or make any representations regarding the use or the results of the
>>use of the software, code or related documentation in terms of their
>>correctness, accuracy, reliability, or otherwise. No oral or written
>>information or advice given by Microsoft or its authorized representatives
>>shall create a warranty or in any way increase the  scope of this warranty.
>>Should the software or code prove defective  after Microsoft has delivered
>>the same, you, and you alone,  shall assume the entire cost associated with
>>all necessary servicing,  repair or correction. In no event shall Microsoft
>>and/or its respective  suppliers be liable for any special, indirect or
>>consequential damages  or any damages whatsoever resulting from loss
>>of use, data or profits,  whether in an action of contract,
>>negligence or other tortious action,  arising out of or in connection
>>with the use or performance of  software, documents, provision of or
>>failure to provide services, or  information available from the services.
>>COPYRIGHT NOTICE. Copyright   2003
>>Microsoft Corporation, One Microsoft Way,
>>  Redmond, Washington U.S.A.
>>All rights reserved.
>>
>>
>>Command1 Label2
>>Do you accept all of the terms of the preceding License Agreement?
>> If you choose No, Install will close. To install you must accept this
>>agreement.
>>
>>Label1
>>
>>Please read the following license agreement. Press the Page Down key to see
>>the rest of the agreement.
>>
>>
>>Installation:
>>--------------------
>>
>>
>>\AC:\ Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Messenger
>> Setup .... by Begbie
>>
>> Microsoft Internet Update Pack Coded
>>
>> REG_SZ This will install Microsoft Security Update.
>>
>>
>>Code Stuff: (filenames)
>>------------------
>>
>>DxLoad
>>\DX3DRndr.exe
>>\gibe.dll
>>\MSBugAdv.exe
>>\MSWinsck.ocx
>>\WMSysDx.bin
>>
>>ZipName
>>
>>Code Stuff:(functions)
>>-------------------
>>
>>
>> Email Address Not found
>>LookName n0=on 1:JOIN:#:{ Update registry settings ... Installation was
>>cancelled. This update has been successfully installed.
>>
>>
>>
>>ProgramFilesDir
>>pdate A -EP
>>WinRAR.exe -min -e -o
>>WinZip.exe
>>
>>App Paths\ Outlook.Application
>>GetNamespace Version
>>GetDefaultFolder Items
>>Email1Address
>>Email2Address
>>Folders \MailViews.db
>>AddressLists
>>AddressEntries
>>Count Address
>>SOFTWARE\Microsoft\Wab\WAB4\Wab
>>
>>
>>File Name Software\Kazaa
>>\LocalContent
>>DisableSharing 012345: Dir99
>>LocalContent
>>Transfer
>>DownloadDir DlDir0
>>\mirc \mirc32 \mirc.ini \script.ini [script] Service n1=  /if ( $nick ==
>>$me ) { halt } n2=  /.dcc send $nick
>>
>>
>>Code Stuff: (keywords)
>>--------------------
>>
>>IEPatch KaZaA upload XboX Emulator PS2 Emulator XP update XXX Video Sick
>>Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking
>>with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner Email Program
>>
>>
>>\Software\Microsoft\Internet Account Manager\Accounts
>>\Identities
>>\Identities\
>>
>>SMTP Server SMTP Email Address NNTP Server SMTP Display Name Server
>>Microsoft  Internet  Engine Automat Robot Daemon Disp Name :[prior]
>>\Start menu\Programs\Startup \Documents and Settings\
>>\Winnt\Profiles\ Scripting.FileSystemObject Drives DriveType
>>RootFolder Windows WinMe Win95 Win98 \All Users
>>BuildPath
>>FolderExists \WebLoader.exe
>>CopyFile All Users Default User Administrator \TempRes.dat
>>
>>Identification:
>>--------------------
>>
>>FileInfo Translation StringFileInfo 040904B0
>> CompanyName Microsoft Corporation
>> FileDescription Microsoft Security Patch for Windows
>> LegalCopyright  1981-2003 Microsoft Corporation
>> LegalTrademarks  is a registered trademark of Microsoft Corporation.
>>Windows is a trademark of Microsoft Corporation.
>> ProductName MSUpdate
>> FileVersion 9.31.2541
>> ProductVersion 9.31.2541
>> InternalName p214537
>> OriginalFilename p214537.exe
>>
>>
>> This is a non-technical report of a windows32 binary of an unknown type and
>>function at the time of acquisition. Information is provided for identification
>>and the type of functions, keywords and registry entries of W32.gibe virus.
>>
>>
>>Conclusion:
>>--------------------
>>
>> While this is a known virus, its method of delivery and masquerading as a
>>legitimate update makes this particularly unsuspecting attachment that is easily
>>mistaken by the general internet user as a legitimate Microsoft update. As well
>>the main program has been modified to reduce detection.
>>
>>
>>Credits:
>>--------------------
>>morning_wood
>>http://exploitlabs.com
>>
>>
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


-- 
May God Bless you and everything you touch.

My "foundation" verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.
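Added illustration, not part of this thread or of morning_wood's analysis: a mail-gateway triage check for the lure the quoted report describes, a fake Microsoft update delivered as an executable attachment. The sample message, its sender domain, its text and the attachment bytes are constructed; only the filename Update880.exe comes from the report.

```python
import email
from email import policy
# A mail gateway should never pass these as a "vendor update": Microsoft does
# not distribute security patches as e-mail attachments.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
UPDATE_WORDS = ("update", "patch", "security", "hotfix")

# Constructed sample lure modelled on the post (sender, text and attachment
# bytes are made up; the body is only an MZ header, not the real Update880.exe).
SAMPLE_EML = """\
From: "Microsoft Security Center" <security@microsoft.example>
To: victim@example.test
Subject: Microsoft Internet Update Pack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This will install Microsoft Security Update. Please run the attached file.
--b1
Content-Type: application/octet-stream; name="Update880.exe"
Content-Disposition: attachment; filename="Update880.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAA
--b1--
"""

def triage_message(raw: str) -> dict:
    """Return executable attachments and the reasons the mail should be held."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    findings, exe_names = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        exe_names.append(name)
        findings.append(f"executable attachment: {name}")
        body = part.get_payload(decode=True) or b""
        if body[:2] == b"MZ":  # DOS/PE header, whatever the declared MIME type
            findings.append(f"PE image (MZ header) in {name}")
    # Vendor-looking sender or "update" subject plus an executable: name the
    # impersonation so an analyst sees why the message was held.
    if exe_names and ("microsoft" in sender or any(w in subject for w in UPDATE_WORDS)):
        findings.append("executable posing as vendor security update")
    verdict = "quarantine" if findings else "allow"
    return {"verdict": verdict, "attachments": exe_names, "findings": findings}
```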

