Message-ID: <994F36A600A6D41196AB00508BDFEA9E050914F7@CWUS-DTW-EXT02>
From: Jill.Treu at compuware.com (Treu, Jill)
Subject: CD-ROM drive opens
Perhaps this could be the issue causing the CD-ROM drive to open?
W32/Magold-D is a memory resident worm that uses email, IRC channels,
network shared drives and P2P network shares to spread.
The worm arrives in an email message with subject line and message text of
non-Roman characters.
If the viral attachment is run, W32/Magold-D displays the message box
"DirectX Error! Address:19851022" and copies itself to C:\<Windows>\dreAd.exe,
C:\<Windows>\dreAd\Maya Gold.scr, C:\<Windows>\Maya Gold.scr and
C:\<System>\wdread.exe
During the execution of the email routine, the worm sends a notification
message to the virus writer containing the IP address, username, computer
name and available shares of the infected machine.
W32/Magold-D uses the Windows Address Book and HTML files found on the local
drive to retrieve email addresses that will be used to send the worm
message. All addresses found are stored in the file ravec.txt that will be
saved by the worm in the Windows folder.
The worm may create a folder dreAd in the Windows folder and attempt to
register the folder in the registry as one used as a file repository for a
number of P2P clients.
W32/Magold-A searches for and terminates processes that belong to several
anti-virus products.
The worm changes the following registry entries so that the worm file
dreAd.exe is run before any file with the extension EXE, PIF, COM, SCR and
BAT:
HKCR\exefile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\scrfile\shell\open\command
W32/Magold-A also creates the registry entry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raVe
so that the worm file dreAd.exe is run on Windows startup.
The registry entry HKLM\Software\dreAd is used by the worm to store data
used internally by the worm.
The worm contains several randomly triggered payload routines such as
opening the CD-ROM drive tray, changing the Windows colour scheme,
restricting the movement of the mouse pointer to the lower part of the
screen, opening the web page http://www.offspring.com, writing the text
"=:-) OFFSPRING is coOL =:-) PUNK'S NOT DEAD =:-)" to the caption area of
the topmost window and creating a large number of zero-byte text files on
the Desktop.
W32/Magold-D may also send a Hungarian text to be printed on the default
printer and may attempt to delete all files with the extension BMP, GIF and
JPG from the hard drive.
The worm may attempt to copy itself to all local drives, shared network
drives and floppy disks (if one is in the floppy disk drive) as
Maya Gold.scr and may create the file autorun.inf so that the worm file is run
automatically when the drive is opened using Explorer if the autorun feature
is enabled.
On an infected computer, the two copies of the worm dreAd.exe and wdread.exe
run in the background as processes and monitor each other so that if one is
terminated, the other restarts it immediately. Furthermore, the registry
entries created above are also monitored such that a registry value is
immediately restored if it was changed.
-----Original Message-----
From: petard
To: Muhstik Botha
Cc: full-disclosure@...ts.netsys.com
Sent: 6/23/03 8:23 AM
Subject: Re: [Full-Disclosure] (no subject)
On Sun, Jun 22, 2003 at 07:42:01PM -0700, Muhstik Botha wrote:
> I just accessed a page which ejects my CD-ROM tray. Is this
> considered privacy or security breaching? I'm no expert on pertinent
> subject. For me, I don't like ppl being able to fool around with my CDROM
> tray when I open their website. Any comments? Thanks.
>
While ejecting your CD-ROM is both annoying and disturbing, I doubt
that it poses any serious threat to either your privacy or your
security. The very fact that it is possible might make you think that
more serious breaches are possible, and you'd be correct:
http://www.pivx.com/larholm/unpatched/
Not only can people eject your CDROM tray when you open their website,
they can most probably execute any code they want, reading and writing
any data that you yourself can. This is because you use defective
software running on a defective operating system to access the internet
and view untrusted (or wrongfully trusted) content. Because software in
general comes with no warranty, you have little recourse. If you don't
like the fact these breaches are possible, you should use a better
browser, preferably on a better OS, to view untrusted content. And don't
trust any content coming from other people you don't know and trust.
HTH
petard
--
"I'm not a robot like you. I don't like having disks crammed into me...
unless they're Oreos, and then only in the mouth."
-- Fry (Futurama)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
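The W32/Magold-D writeup above describes two persistence tricks a defender can check for offline: the default command of the exefile/comfile/piffile/batfile/scrfile handlers being replaced so dreAd.exe runs first, and the raVe entry under the Run key. The script below is an added example, not part of the original message or any vendor tool; it parses a regedit-style .reg export and flags those artefacts. The expected default handler commands are an assumption about a Windows 2000/XP baseline, and the sample export is constructed.

```python
# Expected default handler commands (assumed Windows 2000/XP baseline; confirm on a clean machine).
EXPECTED_COMMANDS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_FILES = ("dread.exe", "wdread.exe")  # file names from the writeup, lowercased

def parse_reg(text):
    """Parse a regedit .reg export into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unescape \" and \\
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def check_magold(reg):
    """Return findings for the handler hijack and Run-key persistence described above."""
    findings, lookup = [], {k.lower(): v for k, v in reg.items()}
    for key, expected in EXPECTED_COMMANDS.items():  # keys absent from the export are skipped
        data = lookup.get(key.lower(), {}).get("(default)")
        if data is not None and data != expected:
            findings.append(f"hijacked handler {key}: {data!r}")
    for name, data in lookup.get(RUN_KEY.lower(), {}).items():
        if any(w in data.lower() for w in WORM_FILES):
            findings.append(f"Run entry {name!r} -> {data!r}")
    return findings

# Constructed sample export: one hijacked handler, one intact handler, the raVe Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\dreAd.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"raVe"="C:\\WINDOWS\\dreAd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
```

Run it against a full `reg export HKCR` / `reg export HKLM` dump rather than the sample; the intact scrfile handler and the ctfmon.exe entry show that only deviations from the baseline are reported.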