Got this e-mail the other day warning me that i was sending out virii. Firstly here is the text of the mail.
Mail server report.
Our firewall determined the e-mails containing worm copies are being sent from your computer.
Nowadays it happens from many computers, because this is a new virus type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses
Please install updates for worm elimination and your computer restoring.
Best regards,
Customers support service
Obviously this mail won't catch anyone with a bit of computer security sense but it is the type of mail that could cause a minor headache in a company where the users havent been traumatised enought by the IT department. The virus is of course in the zip file that the customer support has kindly attached.
One of the things I find interesting is that "they" have changed the presentation slightly. The malicious e-mails are been sent by the computer and not the person. That way it is not the users fault. They explain what the virii are doing and how they are doing it so that it is unnoticable to the end user. Once again it is not the users fault. Haveing said that the user can simply fix the problem by installing the required patch which is kindly supplied. Without having to call the geeks in computer support.
Of course for most anglophones the fact that the mail have a few obivious grammer mistakes would start warning bells ringing for non anglophones the mail would seem correct. It is no worst than a lot of mail I see from non aglophone support sites and it is a few steps up form the usual mail of this type.
Ok this is an old style attempt to infect a computer. Still an old trick with new users works more often than we like.
It also needs the user to install the "patch". We all know there nothing more dangerous than a user being smarter than their tech support.
Nothing really new here but sometimes it is good to be reminded of the basics.
cheers
Muracu.
Ps if any one wants the virus to study it or reverse engineer it let me know and i may attach it.
Also on the topic what tools do you use to study virii?
\"America is the only country that went from barbarism to decadence without civilization in between.\"
\"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
Oscar Wilde(1854-1900)
Following on from HT's post, the attached document is something I put together a while ago now about performing behavioural analysis of malicious files, it lists some simple tools and methodologies I have used.
I am sure I posted it here in the past but I tried to search for it and couldn't find it :-(
VirusTotal is definitely a good tool, should be in most security professionals bookmarks.
Since I'm at work and don't have access to my home box atm (I crashed it )... Does anyone have a copy of the stration virus... and if so could you
a) PM it to me
b) attach it to a website
c) zip/rar it repeatedly with a password and email it to me (I'll provide my email address as needed)...
This is sort of urgent so if anyone can get a hold of it it would be greatly helpful
I don't want to delete the above post in case people saw it and are looking to assist me... .However I wanted to let you know that I have found a copy on OffensiveComputing...
Thats good i was about to send you a copy. i.e. the one that was attached to the e-mail. Going to let it infect an unpatched box to see the results. It will be my first attempt at disecting a virus so if any one has already done I would be interested in seeing the results of your invrstigation.
Cheers,
Muracu.
\"America is the only country that went from barbarism to decadence without civilization in between.\"
\"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
Oscar Wilde(1854-1900)
I highly recommend reading my post if you haven't.. but even if you don't get time, check the above link out... If you want to test your malware I'd say submit it to CWSandbox and check out the results... I used Stration.B in my tests..
Reply With Quote
Originally Posted by MURACU
)... Does anyone have a copy of the stration virus... and if so could you 