WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro

[aleph1 () securityfocus com]

It has come to our attention that a message claiming to come from
SecurityFocus' ARIS system and TrendMicro is being used to deliver
what looks like a trojan horse to unsuspecting users. These messages
do not come from us or TrendMicro, as a quick check of the headers
will reveal.

The messages come with an executable attachment named FIX_NIMDA.exe.
Do *NOT* run this attachment.

The name is similar to the one used by TrendMicro for their free
Nimda removal tool (FIX_NIMDA.com). To say the least we haven't ever
sent out any type of executable attachment claiming to be a fix
to any worm or vulnerability. And we certainly don't end out email
using the brain dead multipart/alternative MIME type.

We are still trying to determine what the code does. At first flag
it appears to include some type of zip file that when run creates
a directory with the called FIX_NIMDA, with the files FIX_NIMDA.exe,
readme.txt, SLIDE.DAT, and slide.exe.

The readme.txt file is copy of the file distributed by TrendMicro with
the their free Nimda disinfection tool. The FIX_NIMDA.exe file is
not the same as TrendMicro's but it appears to attempt to deceive
the user by printout out some output that makes it appear like it
working as advertised.

Bellow you can find a sample of the fake message being used to 
transmit this trojan. If you have receive a similar message we
would like to hear from you.

Common sense and best practices indicates that you should not execute
any code that come via email unless you can authenticate the source
of the message. Sadly, as previous worms make all to clear the will
be always people that do not follow safe computing practices.

Return-Path: <aris-report () securityfocus com>
Received: (qmail 24362 invoked from network); 30 Sep 2001 23:46:17 -0000
Received: from corderoatado.arnet.com.ar (HELO dominios2.arnet.com.ar) (200.45.0.3)
  by gate.bulinfo.net with SMTP; 30 Sep 2001 23:46:17 -0000
Received: from mcdark ([217.228.174.48]) by dominios2.arnet.com.ar  with Microsoft SMTPSVC(5.5.1877.357.35);
         Sun, 30 Sep 2001 20:45:05 -0300
Message-ID: <002901c14a09$f12b6a80$0100a8c0@mcdark>
From: <aris-report () securityfocus com>
To: <Teraton () sbline net>
Cc: <Teraton () bulinfo net>,
        <ktzenov () hotmail com>
Subject: Possible Nimda Worm infection
Date: Mon, 1 Oct 2001 01:45:03 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0025_01C14A1A.B058CFA0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Return-Path: aris-report () securityfocus com
Status: RO
Content-Length: 912884
Lines: 11932

This is a multi-part message in MIME format.

------=_NextPart_000_0025_01C14A1A.B058CFA0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_0026_01C14A1A.B058CFA0"


------=_NextPart_001_0026_01C14A1A.B058CFA0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello,
This mail is from the ARIS Analyzer Service (Attack Registry and =
Intelligence=20
Service) from SecurityFocus in cooperation with Trend Micro =
Incorporated.
=20
As you are probably aware from the media, the Nimda worm started =
spreading.
It has come to our attention that your system(s),
listed below have been identified as being compromised by the Nimda =
Worm. =20
The Nimda Worm is rapidly spreading across the Internet.=20

The addresses identified as belonging to you are as follows:

Teraton () sbline net=20
Teraton () bulinfo net
ktzenov () hotmail com

You can find up to date information on the Nimda Worm at:

http://aris.securityfocus.com

It is very important that you are checking your Systems that have used =
with the identified addresses
with the special Anti Nimda Software that we send you with this mail. =
(FIX_NIMDA.EXE)

It is also important that you are updating all your systems.
For this please show at the following URL

http://www.microsoft.com/technet/security/bulletin/MS01-020.asp1-26.html



The SecurityFocus ARIS Analyst Team
aris-report () securityfocus com



------=_NextPart_001_0026_01C14A1A.B058CFA0
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4807.2300" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hello,<BR>This mail is from the ARIS =
Analyzer=20
Service (Attack Registry and Intelligence <BR>Service) from =
SecurityFocus in=20
cooperation with Trend Micro Incorporated.<BR>&nbsp;<BR>As you are =
probably=20
aware from the media, the Nimda worm started spreading.<BR>It has come =
to our=20
attention that your system(s),<BR>listed below have been identified as =
being=20
compromised by the Nimda Worm.&nbsp; <BR>The Nimda Worm is rapidly =
spreading=20
across the Internet. </FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>The addresses identified as belonging =
to you are as=20
follows:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"mailto:Teraton () sbline net">Teraton () sbline net</A> <BR><A=20
href=3D"mailto:Teraton () bulinfo net">Teraton () bulinfo net</A><BR><A=20
href=3D"mailto:ktzenov () hotmail com">ktzenov () hotmail com</A></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>You can find up to date information on =
the Nimda=20
Worm at:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"http://aris.securityfocus.com";>http://aris.securityfocus.com</A><=
/FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2><STRONG>It is very important that you =
are checking=20
your Systems that have used with the identified addresses<BR>with the =
special=20
Anti Nimda Software that we send you with this mail.=20
(FIX_NIMDA.EXE)</STRONG></FONT></DIV>
<DIV><STRONG></STRONG>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2><STRONG>It is also important that you =
are updating=20
all your systems.<BR>For this please show at the following=20
URL</STRONG></FONT></DIV>
<DIV><STRONG></STRONG>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"http://www.microsoft.com/technet/security/bulletin/MS01-020.asp1-=
26.html">http://www.microsoft.com/technet/security/bulletin/MS01-020.asp1=
-26.html</A></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>The SecurityFocus ARIS Analyst =
Team<BR><A=20
href=3D"mailto:aris-report () securityfocus com">aris-report@securityfocus.c=
om</A></FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_001_0026_01C14A1A.B058CFA0--

------=_NextPart_000_0025_01C14A1A.B058CFA0
Content-Type: application/x-msdownload;
        name="FIX_NIMDA.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="FIX_NIMDA.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAABQRQAATAEGAN7mEzcAAAAAAAAAAOAACgELAQUAADYAAAAgAAAAAAAAgDEA
[ rest deleted ]
ilE0K1mq81gPxwAAANgAABMAAAAAAAAAAAAgAP+BRW0AAEZJWF9OSU1EQS9zbGlkZS5leGVQSwEC
FAAUAAAACAAjDEErh4jB8DkQAABdLQAAFAAAAAAAAAABACAAtoGFNAEARklYX05JTURBL3JlYWRt
ZS50eHRQSwECFAAKAAAAAAAqWz0rAAAAAAAAAAAAAAAACgAAAAAAAAAAABAA/0HwRAEARklYX05J
TURBL1BLBQYAAAAABQAFAEEBAAAYRQEAAAA=

------=_NextPart_000_0025_01C14A1A.B058CFA0--

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com