Worm masquerades as "windows update"

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    682

    Worm masquerades as "windows update"

    you might want to notify your well meaning but (DON'T OPEN ATTACHMENTS!) less than (DON'T OPEN ATTACHMENTS!) well informed (DON'T OPEN ATTACHMENTS!) users...

    W32.HLLP.Sharpei@mm
    Discovered on: February 26, 2002
    Last Updated on: February 27, 2002 at 09:57:35 AM PST

    W32.HLLP.Sharpei@mm is a virus that targets .exe files under the Microsoft .NET Framework. The replication code of the virus is written in C# and compiled to MSIL. The virus also mass emails itself to all contacts in the Microsoft Outlook address book by using a VBS component. The attachment is MS02-010.exe.

    Type: Virus, Worm
    Infection Length: 12288
    (LiveUpdate™): February 27, 2002

    Threat Assessment:

    Wild: Low
    Damage: Low
    Distribution: Medium

    Payload:
    Large scale e-mailing: Yes
    Modifies files: Yes
    Distribution:

    Subject of email: Important: Windows update
    Name of attachment: MS02-010.exe
    Size of attachment: 12,288

    Technical description:


    The virus arrives as an email message that has the following characteristics:

    Subject : Important: Windows update

    Message: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.

    Attachment: Ms02-010.exe

    When the attachment is executed, the virus does the following:

    It makes a copy of itself as C:\Ms02-010.exe.

    It drops the file Sharp.vbs, which then performs the mass-mailing routine, sending the previously described message. Sharp.vbs then deletes itself.
    "I used to be with IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    120
    Damn outlook,
    Why people continue to use OE is way beyond me.
    But thanks Zigar for the info on it.
    It seems there is a new virus, bug, exploit, etc. arriving in those inboxes every week. Or is it just me?
    "To follow the path:
    look to the master,
    follow the master,
    walk with the master,
    see through the master,
    become the master."
    -Unknown

  3. #3
    Priapistic Monk KorpDeath
    Join Date
    Dec 2001
    Posts
    2,628
    It's just you.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    "I used to be with IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  5. #5
    TechieChick
    Guest
    Thanks zigar, have a newly infected system on my bench today matter of fact.

    This particular client is fantastic, I maintain his small network (home and biz under one roof) and after looking at the business computers then moving onto the kids systems I seriously began to wonder if it's easier supporting 500 users in a corp environment or keeping these teenagers up and running.

  6. #6
    AntiOnline Senior Member
    Join Date
    Oct 2001
    Posts
    514
    Good heads up!
    uraloony, Founder of Loony Services
    Visit us at http://www.loonyservices.com/

  7. #7
    Thanks, Zigar.....it brings a tear to my eye seeing virus/worm alerts at AO....Sure beats the stuff that's been showing up here lately....



    R_A_.....that conspiracy planet signature was mine I tells ya! Mine!!

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210

    another one in the same vein

    I got this from my corporate IT folks today

    A new worm -- W32/Gibe@MM -- is circulating via an
    e-mail attachment: q216309.exe disguised as a security alert from
    Microsoft.

    ---------------------------------------------------------------------
    Method of infection: Email worm

    Attachment name: q216309.exe.

    Subject line: Internet Security Update

    Message body:

    Microsoft Customer,


    This is the latest version of security update, the update which eliminates
    all known security vulnerabilities affecting Internet Explorer and MS
    Outlook/Express as well as six new vulnerabilities, and is discussed in
    Microsoft Security Bulletin MS02-005. Install now to protect your computer
    from these vulnerabilities, the most serious of which could allow an
    attacker to run code on your computer.
    ----------------------------------------------------------------------


    If you receive this message, DELETE IT IMMEDIATELY! Do NOT
    attempt to open it!

    Detailed information on the W32/Gibe@mm worm can be found at:

    http://www.sophos.com/virusinfo/analyses/w32gibea.html

    If you inadvertently opened the message or have difficulties deleting
    the e-mail, please immediately contact your local IT support or call
    sumdumguy
    (oops.. just had to slip one in there )

    (excerpt from the link above)
    If q216309.exe is run it will display the message "This will install Microsoft Security Update. Do you wish to continue ? ". It then copies itself to q216309.exe in the Windows folder and vtnmsccd.dll in the Windows system folder. It also drops and executes bctool.exe, winnetw.exe and gfxacc.exe in the Windows folder and creates the file 02_n803.dat in which it stores information about email recipients.

    Bctool.exe and winnetw.exe attempt to send out the emails as described above. Gfxacc.exe runs as a background process and opens port 12387, which could allow an intruder to gain remote access and control over the machine.

    The worm sets the following registry keys:

    HKLM\Software\AVTech\Settings\Default Address = <default address>
    HKLM\Software\AVTech\Settings\DefaultServer = <default server>
    HKLM\Software\AVTech\Settings\Installed = ...by Begbie
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = <path to gfxacc.exe>
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = <path to bctool.exe>
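For the mail side of both write-ups quoted in this thread (Sharpei in post #1, Gibe above), here is an added Python example, not code from the thread, Symantec or Sophos, that flags messages carrying the described subject lines and attachment names and, separately, any executable attachment whatever it is called. The indicator strings and the 12,288-byte Sharpei attachment size come from the posts; Sophos gives no size for the Gibe attachment, so that entry is left unset rather than guessed. The three sample messages are constructed for the example, not captured samples.

```python
# Added example: flag inbound mail matching the lures quoted in this thread.
# Indicator values come from the Symantec and Sophos text quoted above; the
# sample messages are constructed here for testing.
from email import policy
from email.message import EmailMessage
from email.parser import Parser

# No attachment size is given for Gibe on the page, hence None (not a guess).
LURES = [
    {"worm": "W32.HLLP.Sharpei@mm", "subject": "important: windows update",
     "attachment": "ms02-010.exe", "size": 12288},
    {"worm": "W32/Gibe@MM", "subject": "internet security update",
     "attachment": "q216309.exe", "size": None},
]
# Extensions a mail gateway would hold regardless of the lure (general rule).
EXECUTABLE_SUFFIXES = (".exe", ".vbs", ".scr", ".pif", ".bat", ".com")


def _parse(raw_message: str) -> EmailMessage:
    """Parse an RFC 822 string into an EmailMessage (policy.default gives that type)."""
    return Parser(policy=policy.default).parsestr(raw_message)


def _attachments(msg: EmailMessage):
    """Yield (lower-cased filename, decoded size in bytes) for each attachment part."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        yield name, len(data)


def lure_matches(raw_message: str):
    """Return [(worm, [reasons])] for every quoted lure whose indicators appear."""
    msg = _parse(raw_message)
    subject = str(msg["subject"] or "").strip().lower()
    attachments = list(_attachments(msg))
    hits = []
    for lure in LURES:
        reasons = []
        if subject == lure["subject"]:
            reasons.append("subject matches")
        for name, size in attachments:
            if name == lure["attachment"]:
                reasons.append(f"attachment {name}")
                # Size is a weaker indicator; only checked where the page gives one.
                if lure["size"] is not None and size == lure["size"]:
                    reasons.append(f"size {size} matches")
        if reasons:
            hits.append((lure["worm"], reasons))
    return hits


def risky_attachments(raw_message: str):
    """Filenames of executable attachments, the thread's 'don't open attachments' point."""
    return [name for name, _ in _attachments(_parse(raw_message))
            if name.endswith(EXECUTABLE_SUFFIXES)]


def build_sample(subject, body, filename=None, payload=b""):
    """Construct a message string for testing (hypothetical addresses, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename is not None:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()


# Constructed samples: the Sharpei lure with a 12,288-byte attachment (the size
# Symantec reports), the Gibe lure with an attachment of arbitrary size, and a
# benign reply that merely mentions the subject line.
SAMPLE_SHARPEI = build_sample(
    "Important: Windows update",
    "Hey, at work we are applying this update because it makes Windows over 50% faster.",
    "Ms02-010.exe", b"MZ" + b"\0" * 12286)
SAMPLE_GIBE = build_sample(
    "Internet Security Update", "Microsoft Customer, ...",
    "q216309.exe", b"MZ" + b"\0" * 100)
SAMPLE_BENIGN = build_sample(
    "Re: lunch", "Did you see the 'Important: Windows update' hoax going round?")

if __name__ == "__main__":
    for label, sample in [("sharpei", SAMPLE_SHARPEI), ("gibe", SAMPLE_GIBE),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, lure_matches(sample), risky_attachments(sample))
```

The lure table is deliberately a plain list so a new entry is one dict; the size check is kept separate from the name check because a repacked copy of the same worm would not keep the same byte count.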
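For the host side of the Sophos excerpt above, an added Python example (not Sophos's or the thread's code) that checks a .reg export of the Run key and a netstat listing for the artifacts the excerpt lists: the two Run value names, the dropped executables, the AVTech\Settings marker key and a listener on port 12387. Key paths, value names, filenames and the port are taken from the excerpt; the `regedit` export and `netstat -an` output layouts are assumed to be the standard ones, and both inputs below are constructed.

```python
# Added example: look for the W32/Gibe@MM host artifacts listed in the Sophos
# excerpt in a .reg export and a netstat listing. Inputs are constructed.
import re
from pathlib import PureWindowsPath

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
AVTECH_KEY = r"hkey_local_machine\software\avtech\settings"      # marker key
GIBE_RUN_NAMES = {"3dfx acc", "loaddbackup"}                     # Run value names
GIBE_FILES = {"gfxacc.exe", "bctool.exe", "winnetw.exe"}         # dropped files
GIBE_PORT = 12387                                                # opened by gfxacc.exe

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # "name"="string data"


def parse_reg_export(text: str) -> dict:
    """Parse [key] / "name"="data" lines into {key: {name: data}}; keys lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # .reg files double every backslash inside string data
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_registry(reg_text: str) -> list:
    """Findings for the Run entries and marker key described in the excerpt."""
    findings = []
    keys = parse_reg_export(reg_text)
    for name, data in keys.get(RUN_KEY, {}).items():
        exe = PureWindowsPath(data.strip('"')).name.lower()
        # Match on the value name or on the launched file, since either may change
        if name.lower() in GIBE_RUN_NAMES or exe in GIBE_FILES:
            findings.append(f"Run value {name!r} starts {data}")
    if AVTECH_KEY in keys:
        findings.append("marker key HKLM\\Software\\AVTech\\Settings present")
    return findings


def check_listeners(netstat_text: str, port: int = GIBE_PORT) -> list:
    """Findings for a TCP LISTENING socket on the port the excerpt names."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            if fields[1].rsplit(":", 1)[-1] == str(port):
                findings.append(f"TCP listener on port {port} ({fields[1]})")
    return findings


# Constructed .reg export: two Gibe entries plus one unrelated vendor entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"3dfx Acc"="C:\\WINDOWS\\gfxacc.exe"
"LoadDBackup"="C:\\WINDOWS\\bctool.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\AVTech\Settings]
"Installed"="...by Begbie"
'''

# Constructed netstat -an output with the Gibe backdoor port among normal sockets.
SAMPLE_NETSTAT = '''\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12387          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        192.0.2.20:80          ESTABLISHED
'''

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REG) + check_listeners(SAMPLE_NETSTAT):
        print(finding)
```

On a live machine the same functions take the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and `netstat -an`; the unrelated VendorTray entry shows that a normal autostart value produces no finding.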
