Message-ID: <Law11-OE27zDskqC5Et0001ee7d@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
no it doesn't... I don't use one, I know my system enough to clean if I do. The
system I am typing this on is running a final beta gold copy of WinXP (opk)
installed before the release of XP. I have not reinstalled once in that time
( 2yr ) or run setup / system restore ( it's off ) etc. I investigate many
viruses / trojans / rats etc as well and have had backup copies of my archives
destroyed by so-called anti virus programs, even with exclusions set. From time
to time I do run an online scan of selected things to verify my integrity but
nothing else. I also host an httpd, ftpd, ircd and other stuff on my home
network, and have not had any issues to date with intrusions or viruses /
trojans. BTW if anyone knows how to fix a broken Windows XP installer I
could use the help ( no, a reinstall won't help ). Despite the claims of many,
I have found XP to be ok as an OS.
mrwood
----- Original Message -----
From: "William Warren" <hescominsoon@...lphia.net>
To: <full-disclosure@...ts.netsys.com>
Sent: Saturday, May 24, 2003 1:21 PM
Subject: Re: [Full-Disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
> question is..does yours?
>
> :)
>
>
> morning_wood wrote:
> > oops' .. hey, that was cool... everyone's AV works ..
> >
> > wood
> >
> > ----- Original Message -----
> > From: "morning_wood" <se_cur_ity@...mail.com>
> > To: <incidents@...urityfocus.com>; <full-disclosure@...ts.netsys.com>
> > Sent: Saturday, May 24, 2003 9:04 AM
> > Subject: [Full-Disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
> >
> >
> >
> >>morning_wood
> >>morning_wood@...loitlabs.com
> >>http://exploitlabs.com
> >>
> >>
> >>Analysis of "Update880.exe" W32.gibe - Trojan / Worm
> >>
> >>Overview:
> >>--------------------
> >>
> >> Update880.exe arrives as email, claiming to be a new Microsoft update.
> >>It is a virus, class KaZaA Dropper. This is a different variant than
> >>identified by Symantec in March 2003. This is a small analysis of
> >>this variant's binary.
> >>
> >>References:
> >>--------------------
> >>
> >>references to "p214537.exe"
> >>http://www.arnes.si/news/archive/si.org.arnes/msg02077.html
> >>
> >>report of html body code ( mine was blank)
> >>http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt
> >>
> >>
> >>reference to "Coded ...by Begbie, Slovakia"
> >>http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
> >>http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm
> >>
> >>
> >>aka: Q216309.exe
> >>
> >>
> >>Coded ...by Begbie, Slovakia
> >>AutMSUpdate = p214537 MSUpdate
> >>MSUpdate KaZaA uploDropper
> >>
> >>
> >>Binary Text Extract:
> >>--------------------
> >>
> >>Installing Microsoft Update
> >>
> >>
> >>wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp Form1
> >> Frame1 Picture1 Command1 &Cancel ProgressPic Label1 Extracting files
> >>...
> >>LicenseForm License Form1 Command2 Text1
> >>
> >>
> >>This product is protected by copyright laws and international copyright
> >>treaties, as well as other intellectual property laws and treaties.
> >>ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE PROVIDED "AS IS"
> >>WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers
> >>hereby disclaim all warranties and conditions with regard to this
> >>information,
> >>including all warranties and conditions of merchantability, whether
> >>express, implied
> >> or statutory, fitness for a particular purpose, title and
> >>non-infringement.
> >>Microsoft does not warrant that the functions for the software or code will
> >>meet
> >> your requirements, or that the operation of the software or code will
> >>be uninterrupted or error-free, or that defects in the software
> >>or code can be corrected. Furthermore, Microsoft does not warrant
> >>or make any representations regarding the use or the results of the
> >>use of the software, code or related documentation in terms of their
> >>correctness, accuracy, reliability, or otherwise. No oral or written
> >>information or advice given by Microsoft or its authorized representatives
> >>shall create a warranty or in any way increase the scope of this warranty.
> >
> >>Should the software or code prove defective after Microsoft has delivered
> >>the same, you, and you alone, shall assume the entire cost associated with
> >>all necessary servicing, repair or correction. In no event shall Microsoft
> >
> >>and/or its respective suppliers be liable for any special, indirect or
> >>consequential damages or any damages whatsoever resulting from loss
> >>of use, data or profits, whether in an action of contract,
> >>negligence or other tortious action, arising out of or in connection
> >>with the use or performance of software, documents, provision of or
> >>failure to provide services, or information available from the services.
> >>COPYRIGHT NOTICE. Copyright 2003
> >>Microsoft Corporation, One Microsoft Way,
> >> Redmond, Washington U.S.A.
> >>All rights reserved.
> >>
> >>
> >>Command1 Label2
> >>Do you accept all of the terms of the preceding License Agreement?
> >> If you choose No, Install will close. To install you must accept this
> >>agreement.
> >>
> >>Label1
> >>
> >>Please read the following license agreement. Press the Page Down key to see
> >>the rest of the agreement.
> >>
> >>
> >>Installation:
> >>--------------------
> >>
> >>
> >>\AC:\ Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Messenger
> >> Setup .... by Begbie
> >>
> >> Microsoft Internet Update Pack Coded
> >>
> >> REG_SZ This will install Microsoft Security Update.
> >>
> >>
> >>Code Stuff: (filenames)
> >>------------------
> >>
> >>DxLoad
> >>\DX3DRndr.exe
> >>\gibe.dll
> >>\MSBugAdv.exe
> >>\MSWinsck.ocx
> >>\WMSysDx.bin
> >>
> >>ZipName
> >>
> >>Code Stuff:(functions)
> >>-------------------
> >>
> >>
> >> Email Address Not found
> >>LookName n0=on 1:JOIN:#:{ Update registry settings ... Installation was
> >>cancelled. This update has been successfully installed.
> >>
> >>
> >>
> >>ProgramFilesDir
> >>pdate A -EP
> >>WinRAR.exe -min -e -o
> >>WinZip.exe
> >>
> >>App Paths\ Outlook.Application
> >>GetNamespace Version
> >>GetDefaultFolder Items
> >>Email1Address
> >>Email2Address
> >>Folders \MailViews.db
> >>AddressLists
> >>AddressEntries
> >>Count Address
> >>SOFTWARE\Microsoft\Wab\WAB4\Wab
> >>
> >>
> >>File Name Software\Kazaa
> >>\LocalContent
> >>DisableSharing 012345: Dir99
> >>LocalContent
> >>Transfer
> >>DownloadDir DlDir0
> >>\mirc \mirc32 \mirc.ini \script.ini [script] Service n1= /if ( $nick ==
> >>$me ) { halt } n2= /.dcc send $nick
> >>
> >>
> >>Code Stuff: (keywords)
> >>--------------------
> >>
> >>IEPatch KaZaA upload XboX Emulator PS2 Emulator XP update XXX Video Sick
> >>Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking
> >>with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner Email Program
> >>
> >>
> >>\Software\Microsoft\Internet Account Manager\Accounts
> >>\Identities
> >>\Identities\
> >>
> >>SMTP Server SMTP Email Address NNTP Server SMTP Display Name Server
> >>Microsoft Internet Engine Automat Robot Daemon Disp Name :[prior]
> >>\Start menu\Programs\Startup \Documents and Settings\
> >>\Winnt\Profiles\ Scripting.FileSystemObject Drives DriveType
> >>RootFolder Windows WinMe Win95 Win98 \All Users
> >>BuildPath
> >>FolderExists \WebLoader.exe
> >>CopyFile All Users Default User Administrator \TempRes.dat
> >>
> >>Identification:
> >>--------------------
> >>
> >>FileInfo Translation StringFileInfo 040904B0
> >> CompanyName Microsoft Corporation
> >> FileDescription Microsoft Security Patch for Windows
> >> LegalCopyright 1981-2003 Microsoft Corporation
> >> LegalTrademarks is a registered trademark of Microsoft Corporation.
> >>Windows is a trademark of Microsoft Corporation.
> >> ProductName MSUpdate
> >> FileVersion 9.31.2541
> >> ProductVersion 9.31.2541
> >> InternalName p214537
> >> OriginalFilename p214537.exe
> >>
> >>
> >> This is a non-technical report of a windows32 binary of an unknown type and
> >>function at the time of acquisition. Information is provided for
> >>identification and the type of functions, keywords and registry entries
> >>of the W32.gibe virus.
> >>
> >>
> >>Conclusion:
> >>--------------------
> >>
> >> While this is a known virus, its method of delivery and masquerading as a
> >>legitimate update makes this a particularly unsuspicious attachment that is
> >>easily mistaken by the general internet user as a legitimate Microsoft
> >>update. As well, the main program has been modified to reduce detection.
> >>
> >>
> >>Credits:
> >>--------------------
> >>morning_wood
> >>http://exploitlabs.com
> >>
> >>
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
>
> --
> May God Bless you and everything you touch.
>
> My "foundation" verse:
> Isaiah 54:17 No weapon that is formed against thee shall prosper; and
> every tongue that shall rise against thee in judgment thou shalt
> condemn. This is the heritage of the servants of the LORD, and their
> righteousness is of me, saith the LORD.
>
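The quoted analysis identifies the sample from its embedded strings alone: a version-info block claiming to be a Microsoft patch, mIRC script.ini / DCC lines, KaZaA share-folder paths and Outlook/WAB address-book names. The following script is an added example (not morning_wood's code and not part of the original post) that automates that kind of string triage for a defender: it extracts ASCII and UTF-16LE strings the way `strings` does, groups hits by the indicator families listed above, and returns a verdict. The indicator groups, their labels and the SAMPLE bytes are my own constructed stand-ins, not the real Update880.exe.

```python
import re

# Indicator groups built from the strings the analysis above pulled out of Update880.exe.
# Grouping and labels are my own (added example, not the original author's code).
INDICATORS = {
    "fake_ms_update": [rb"Microsoft Security Patch for Windows", rb"MSUpdate",
                       rb"Coded \.\.\.by Begbie"],
    "mirc_dcc_spread": [rb"script\.ini", rb"1:JOIN:#", rb"/\.dcc send \$nick"],
    "kazaa_share_drop": [rb"Software\\Kazaa", rb"LocalContent", rb"DisableSharing"],
    "outlook_wab_harvest": [rb"Outlook\.Application", rb"AddressEntries", rb"WAB4\\Wab"],
}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs plus UTF-16LE runs, like `strings -a` and `strings -el`.
    PE version-info fields (CompanyName, FileDescription, ...) are stored as
    UTF-16LE, so an ASCII-only pass would miss the 'Microsoft' claims."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = [w.decode("utf-16-le").encode("ascii")
                 for w in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs

def triage(data: bytes) -> dict:
    """Map each indicator group to the patterns that matched; empty groups are dropped."""
    blob = b"\n".join(extract_strings(data))
    hits = {group: [p.decode() for p in pats if re.search(p, blob)]
            for group, pats in INDICATORS.items()}
    return {g: m for g, m in hits.items() if m}

def classify(data: bytes) -> str:
    """A Microsoft-update claim combined with any spreading/harvesting family is the
    W32.Gibe pattern; partial hits are flagged for manual review."""
    hits = triage(data)
    spreads = {"mirc_dcc_spread", "kazaa_share_drop", "outlook_wab_harvest"} & hits.keys()
    if "fake_ms_update" in hits and spreads:
        return "suspect: fake Microsoft update with worm-style spreading"
    if hits:
        return "review: partial indicators " + ", ".join(sorted(hits))
    return "no Gibe-style indicators"

# Constructed sample standing in for a dropped binary; NOT the real Update880.exe.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + "Microsoft Security Patch for Windows".encode("utf-16-le") + b"\x00\x00"
          + b"MSUpdate\x00Coded ...by Begbie\x00"
          + b"\\mirc.ini\x00\\script.ini\x00n0=on 1:JOIN:#:{\x00n2= /.dcc send $nick\x00"
          + b"Software\\Kazaa\x00\\LocalContent\x00")

if __name__ == "__main__":
    for group, matched in triage(SAMPLE).items():
        print(f"{group}: {matched}")
    print(classify(SAMPLE))
```

Run it against a real file with `triage(open(path, "rb").read())`; a clean build of a Microsoft patch will hit the version-info group at most, never the mIRC or KaZaA groups.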