Worm masquerades as "windows update"
you might want to notify your well meaning but (DON'T OPEN ATTACHMENTS!) less than (DON'T OPEN ATTACHMENTS!) well informed (DON'T OPEN ATTACHMENTS!) users...
W32.HLLP.Sharpei@mm
Discovered on: February 26, 2002
Last Updated on: February 27, 2002 at 09:57:35 AM PST
W32.HLLP.Sharpei@mm is a virus that targets .exe files under the Microsoft .NET Framework. The replication code of the virus is written in C# and compiled to MSIL. The virus also mass emails itself to all contacts in the Microsoft Outlook address book by using a VBS component. The attachment is MS02-010.exe.
Type: Virus, Worm
Infection Length: 12288
(LiveUpdate™): February 27, 2002
Threat Assessment:
Wild: Low
Damage: Low
Distribution: Medium
Payload:
Large scale e-mailing: Yes
Modifies files: Yes
Distribution:
Subject of email: Important: Windows update
Name of attachment: MS02-010.exe
Size of attachment: 12,288
Technical description:
The virus arrives as an email message that has the following characteristics:
Subject : Important: Windows update
Message: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
Attachment: Ms02-010.exe
When the attachment is executed, the virus does the following:
It makes a copy of itself as C:\Ms02-010.exe.
It drops the file Sharp.vbs, which then performs the mass-mailing routine, sending the previously described message. Sharp.vbs then deletes itself.
another one in the same vein
I got this from my corporate IT folks today
A new worm -- W32/Gibe@MM -- is circulating via an
e-mail attachment: q216309.exe disguised as a security alert from
Microsoft.
---------------------------------------------------------------------
Method of infection: Email worm
Attachment name: q216309.exe.
Subject line: Internet Security Update
Message body:
Microsoft Customer,
This is the latest version of security update, the update which eliminates
all known security vulnerabilities affecting Internet Explorer and MS
Outlook/Express as well as six new vulnerabilities, and is discussed in
Microsoft Security Bulletin MS02-005. Install now to protect your computer
from these vulnerabilities, the most serious of which could allow an
attacker to run code on your computer.
----------------------------------------------------------------------
If you receive this message, DELETE IT IMMEDIATELY! Do NOT
attempt to open it!
Detailed information on the W32/Gibe@mm worm can be found at:
http://www.sophos.com/virusinfo/analyses/w32gibea.html
If you inadvertently opened the message or have difficulties deleting
the e-mail, please immediately contact your local IT support or call
sumdumguy
(oops.. just had to slip one in there :D )
(excerpt from the link above)
If q216309.exe is run it will display the message "This will install Microsoft Security Update. Do you wish to continue ? ". It then copies itself to q216309.exe in the Windows folder and vtnmsccd.dll in the Windows system folder. It also drops and executes bctool.exe, winnetw.exe and gfxacc.exe in the Windows folder and creates the file 02_n803.dat in which it stores information about email recipients.
Bctool.exe and winnetw.exe attempt to send out the emails as described above. Gfxacc.exe runs as a background process and opens port 12387, which could allow an intruder to gain remote access and control over the machine.
The worm sets the following registry keys:
HKLM\Software\AVTech\Settings\Default Address = <default address>
HKLM\Software\AVTech\Settings\DefaultServer = <default server>
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = <path to gfxacc.exe>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = <path to bctool.exe>
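A mail-gateway check for the two "fake Microsoft update" lures in this thread, added here as an example; it is not code from either post or from the Symantec/Sophos writeups. The subject lines and attachment names are taken from the thread; the generic "update" lure words and the sample messages are my own assumptions, constructed to look like the Sharpei mail.

```python
"""Flag inbound mail matching the Sharpei / Gibe 'Windows update' lures."""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the thread (lower-cased for comparison).
KNOWN_SUBJECTS = {"important: windows update", "internet security update"}
KNOWN_ATTACHMENTS = {"ms02-010.exe", "q216309.exe"}
# Assumption: any executable attachment plus update/bulletin wording is suspect,
# since Microsoft does not ship patches as e-mail attachments.
EXEC_EXTENSIONS = (".exe", ".vbs", ".scr", ".pif", ".com", ".bat")
LURE_WORDS = ("update", "security bulletin", "ms02-")


def classify(raw: bytes) -> dict:
    """Return which worm indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    text_part = msg.get_body(preferencelist=("plain", "html"))
    body = text_part.get_content().lower() if text_part is not None else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    hits = {
        "known_subject": subject in KNOWN_SUBJECTS,
        "known_attachment": any(n in KNOWN_ATTACHMENTS for n in names),
        "executable_attachment": any(n.endswith(EXEC_EXTENSIONS) for n in names),
        "update_lure": any(w in body or w in subject for w in LURE_WORDS),
    }
    # Quarantine on an exact indicator, or on the generalised pattern.
    hits["quarantine"] = hits["known_attachment"] or (
        hits["executable_attachment"] and hits["update_lure"])
    return hits


def build_sharpei_lookalike() -> bytes:
    """Constructed message mimicking the Sharpei lure (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "coworker@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Important: Windows update"
    msg.set_content("Hey, at work we are applying this update because it makes "
                    "Windows over 50% faster and more secure.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Ms02-010.exe")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed harmless message for comparison."""
    msg = EmailMessage()
    msg["Subject"] = "Lunch on Friday?"
    msg.set_content("Are you free at noon?")
    return msg.as_bytes()
```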