February 27th, 2002, 10:24 PM
#1
Worm masquerades as "windows update"
you might want to notify your well-meaning but (DON'T OPEN ATTACHMENTS!) less than (DON'T OPEN ATTACHMENTS!) well informed (DON'T OPEN ATTACHMENTS!) users...
W32.HLLP.Sharpei@mm
Discovered on: February 26, 2002
Last Updated on: February 27, 2002 at 09:57:35 AM PST
W32.HLLP.Sharpei@mm is a virus that targets .exe files under the Microsoft .NET Framework. The replication code of the virus is written in C# and compiled to MSIL. The virus also mass emails itself to all contacts in the Microsoft Outlook address book by using a VBS component. The attachment is MS02-010.exe.
Type: Virus, Worm
Infection Length: 12288
(LiveUpdate™): February 27, 2002
Threat Assessment:
Wild: Low
Damage: Low
Distribution: Medium
Payload:
Large scale e-mailing: Yes
Modifies files: Yes
Distribution:
Subject of email: Important: Windows update
Name of attachment: MS02-010.exe
Size of attachment: 12,288
Technical description:
The virus arrives as an email message that has the following characteristics:
Subject : Important: Windows update
Message: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
Attachment: Ms02-010.exe
When the attachment is executed, the virus does the following:
It makes a copy of itself as C:\Ms02-010.exe.
It drops the file Sharp.vbs, which then performs the mass-mailing routine, sending the previously described message. Sharp.vbs then deletes itself.
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
February 27th, 2002, 10:30 PM
#2
Damn outlook,
Why people continue to use OE is way beyond me.
But thanks Zigar for the info on it.
It seems there is a new virus, bug, exploit, etc. arriving in those inboxes every week. Or is it just me?
"To follow the path:
look to the master,
follow the master,
walk with the master,
see through the master,
become the master."
-Unknown
February 27th, 2002, 10:33 PM
#3
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
February 27th, 2002, 10:43 PM
#4
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
February 27th, 2002, 10:45 PM
#5
Thanks zigar, have a newly infected system on my bench today matter of fact.
This particular client is fantastic, I maintain his small network (home and biz under one roof) and after looking at the business computers then moving onto the kids systems I seriously began to wonder if it's easier supporting 500 users in a corp environment or keeping these teenagers up and running.
February 27th, 2002, 10:54 PM
#6
Good heads up!
uraloony, Founder of Loony Services
Visit us at http://www.loonyservices.com/
February 28th, 2002, 01:15 AM
#7
Thanks, Zigar.....it brings a tear to my eye seeing virus/worm alerts at AO....Sure beats the stuff that's been showing up here lately....
R_A_.....that conspiracy planet signature was mine I tells ya! Mine!!
March 5th, 2002, 10:19 PM
#8
another one in the same vein
I got this from my corporate IT folks today
A new worm -- W32/Gibe@MM -- is circulating via an e-mail attachment: q216309.exe disguised as a security alert from Microsoft.
---------------------------------------------------------------------
Method of infection: Email worm
Attachment name: q216309.exe.
Subject line: Internet Security Update
Message body:
Microsoft Customer,
This is the latest version of security update, the update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
----------------------------------------------------------------------
If you receive this message, DELETE IT IMMEDIATELY! Do NOT attempt to open it!
Detailed information on the W32/Gibe@mm worm can be found at:
http://www.sophos.com/virusinfo/analyses/w32gibea.html
If you inadvertently opened the message or have difficulties deleting the e-mail, please immediately contact your local IT support or call sumdumguy
(oops.. just had to slip one in there )
(excerpt from the link above)
If q216309.exe is run it will display the message "This will install Microsoft Security Update. Do you wish to continue ? ". It then copies itself to q216309.exe in the Windows folder and vtnmsccd.dll in the Windows system folder. It also drops and executes bctool.exe, winnetw.exe and gfxacc.exe in the Windows folder and creates the file 02_n803.dat in which it stores information about email recipients.
Bctool.exe and winnetw.exe attempt to send out the emails as described above. Gfxacc.exe runs as a background process and opens port 12387, which could allow an intruder to gain remote access and control over the machine.
The worm sets the following registry keys:
HKLM\Software\AVTech\Settings\Default Address = <default address>
HKLM\Software\AVTech\Settings\DefaultServer = <default server>
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = <path to gfxacc.exe>
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = <path to bctool.exe>
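As an added, defender-side example (not code from this thread, from Symantec or from Sophos), here is a small Python check that flags mail matching the two fake-"Microsoft update" lures described in posts #1 and #8 and inspects a snapshot of the Run key for Gibe's persistence entries; the Mail class, function names and all sample data are my own constructions.

```python
"""Flag the Sharpei / Gibe lures and Gibe's Run-key persistence.
Indicators come from the advisories quoted in the thread; everything
else (class, function names, sample data) is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lures as described in the thread. Names are compared case-insensitively
# because the Symantec text itself spells the attachment two ways.
MAIL_INDICATORS = [
    {"name": "W32.HLLP.Sharpei@mm", "subject": "important: windows update",
     "attachment": "ms02-010.exe"},
    {"name": "W32/Gibe@MM", "subject": "internet security update",
     "attachment": "q216309.exe"},
]

# Gibe persistence: value name under HKLM\...\CurrentVersion\Run -> dropped file.
GIBE_RUN_VALUES = {"3dfx Acc": "gfxacc.exe", "LoadDBackup": "bctool.exe"}


@dataclass
class Mail:
    subject: str
    attachment: Optional[str]


def classify_mail(mail: Mail) -> Optional[str]:
    """Return the worm name if the message matches a known lure, else None.
    The attachment name alone is decisive; the lure subject only counts
    when it arrives with some .exe attachment (the file may be renamed)."""
    att = (mail.attachment or "").strip().lower()
    subj = mail.subject.strip().lower()
    for ind in MAIL_INDICATORS:
        if att == ind["attachment"]:
            return ind["name"]
        if subj == ind["subject"] and att.endswith(".exe"):
            return ind["name"]
    return None


def suspicious_run_values(run_key: Dict[str, str]) -> List[str]:
    """Given the Run key's values (name -> command line, as exported from the
    registry), return the value names whose command ends in a Gibe-dropped file."""
    hits = []
    for name, cmd in run_key.items():
        exe = cmd.strip('"').lower().rsplit("\\", 1)[-1]
        if GIBE_RUN_VALUES.get(name) == exe:
            hits.append(name)
    return hits


if __name__ == "__main__":
    # Constructed samples: one of each lure, one benign message, one Run key.
    for m in (Mail("Important: Windows update", "Ms02-010.exe"),
              Mail("Internet Security Update", "q216309.exe"),
              Mail("Lunch tomorrow?", "menu.pdf")):
        print(m.subject, "->", classify_mail(m))
    print(suspicious_run_values({"3dfx Acc": "C:\\WINDOWS\\gfxacc.exe",
                                 "Explorer": "explorer.exe"}))
```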