Interesting People mailing list archives
BEWARE! It's a WORM! Re: IP: The next step in malicious spam
From: David Farber <dfarber () earthlink net>
Date: Sat, 09 Mar 2002 13:44:32 -0400
-----Original Message-----
From: Ari Ollikainen <Ari () OLTECO com>
Date: Sat, 09 Mar 2002 09:20:13
To: farber () cis upenn edu
Subject: BEWARE! It's a WORM! Re: IP: The next step in malicious spam
-----Original Message-----
From: Joe Faber <joefaber () alumni princeton edu>
Date: Sat, 09 Mar 2002 11:28:46
To: <farber () cis upenn edu>
Subject: The next step in malicious spam

Dave,

I'm used to ignoring spam, but this morning I woke up to find that I received no fewer than three 160K+ .exe attachments in my inbox purporting to be from Microsoft. They were from the "Microsoft Corporation Security Center" and used "Internet Security Update" as their subject heading. The email explains that the attached patch is the "5 Mar 2002 Cumulative Patch which eliminates all Ms Outlook/Express as well as six new vulnerabilities" [sic]. It goes on to list some of the specific vulnerabilities and system requirements. They even provide a link to a Microsoft security website (where I couldn't find any mention of the patch).
Read the following http://zdnet.com.com/2100-1105-853235.html and act accordingly.

"... Gibe worm poses as a Microsoft update
By Robert Vamosi
ZDNet Reviews & Solutions
March 6, 2002, 9:00 AM PT

What appears to be a new security update from Microsoft is actually a clever attempt by a virus writer to spread a worm. Gibe (w32.gibe@mm) is a nondestructive worm written in Visual Basic that attempts to mass-mail itself to everyone in an address book. Fortunately, the infected e-mail is plagued with spelling errors and should be easy to spot. Because this worm is not destructive and only sends e-mail to others, Gibe ranks as a 4 on the ZDNet Virus Meter.

[...]

The attached file is q216309.exe (122,880 bytes), which appears to be a Microsoft Knowledge Base entry (it is not). Users of non-Windows systems are not affected by this worm. If a Windows user opens the attached file, Gibe will make the following changes to the Registry:

HKLM\Software\AVTech\Settings\Default Address = (default address)
HKLM\Software\AVTech\Settings\DefaultServer = (default server)
HKLM\Software\AVTech\Settings\Installed = ...by Begbie
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\3dfx Acc = (path to gfxacc.exe)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadDBackup = (path to bctool.exe)

These changes allow Gibe to install a backdoor Trojan horse that becomes active every time the computer is rebooted. Gibe will also create the following files in the Windows directory:

bctool.exe (32,768 bytes) - the mass-mailing component
winnetw.exe (20,480 bytes) - e-mail address finding component
q216309.exe (122,880 bytes) - a copy of the worm
vtnmsccd.dll (122,880 bytes) - a copy of the worm
gfxacc.exe (20,480 bytes) - the Trojan horse component

The file gfxacc.exe is the backdoor Trojan horse that could allow malicious users into a PC. Alert users who monitor their systems with a firewall may notice unusual traffic on port 12387 as a result of Gibe.
Prevention

Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the EXE attachment included with Gibe. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Gibe.

Removal

A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see McAfee, Sophos, Symantec, and Trend Micro..."

---------------------------------------------------------------------
Dilbert's words of wisdom #18: Never argue with an idiot. They drag you down to their level then beat you with experience.
---------------------------------------------------------------------
OLTECO                                     Ari Ollikainen
                                           P.O. BOX 20088
Networking Architecture and Technology     Stanford, CA
Ari () OLTECO com                          94309-0088
                                           415.517.3519

For archives see:
http://www.interesting-people.org/archives/interesting-people/
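The ZDNet write-up quoted in the thread lists a concrete host footprint for Gibe: two values under the HKLM Run key, an AVTech\Settings key, five files of fixed size dropped into the Windows directory, and a backdoor listener on TCP port 12387. The script below turns those indicators into a repeatable check. It is an added example and is not code from the original posting, from the list, or from ZDNet; the indicator values are taken from the quoted article, while the snapshot layout, the function names and the sample hosts are this example's own assumptions. The scanner itself runs on any platform against a hand-built snapshot; collect_live() fills a snapshot from the local registry and file system and is Windows-only.

```python
"""Host-side check for the W32.Gibe@mm footprint quoted above (two Run-key
values, an AVTech\\Settings key, five dropped files of fixed size in the
Windows directory, a listener on TCP 12387).

Added example, not code from the original posting or from ZDNet. The
indicator values come from the quoted article; the snapshot layout, the
function names and the sample hosts in the test are assumptions of this
example.
"""
import os
import platform
import socket
from dataclasses import dataclass

# Indicators as listed in the article.
GIBE_RUN_VALUES = {"3dfx Acc": "gfxacc.exe", "LoadDBackup": "bctool.exe"}
GIBE_REG_KEY = r"Software\AVTech\Settings"  # under HKEY_LOCAL_MACHINE
GIBE_FILES = {
    "bctool.exe": 32768,     # mass-mailing component
    "winnetw.exe": 20480,    # address-harvesting component
    "q216309.exe": 122880,   # copy of the worm (the mailed attachment)
    "vtnmsccd.dll": 122880,  # copy of the worm
    "gfxacc.exe": 20480,     # backdoor component
}
GIBE_PORT = 12387


@dataclass
class HostSnapshot:
    """What the checker needs from a host; build by hand or with collect_live()."""
    run_values: dict       # HKLM\...\CurrentVersion\Run: value name -> command
    hklm_keys: set         # registry key paths known to exist under HKLM
    windir_files: dict     # Windows directory: file name -> size in bytes
    listening_ports: set   # TCP ports with a local listener


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_snapshot(snap: HostSnapshot) -> list:
    """Return one finding string per Gibe indicator present; [] for a clean host."""
    findings = []
    for value, exe in GIBE_RUN_VALUES.items():
        cmd = snap.run_values.get(value)
        if cmd and _basename(cmd) == exe:
            findings.append(f"persistence: Run\\{value} -> {cmd}")
    if GIBE_REG_KEY.lower() in {k.lower() for k in snap.hklm_keys}:
        findings.append(f"registry: HKLM\\{GIBE_REG_KEY} present")
    lower_files = {n.lower(): s for n, s in snap.windir_files.items()}
    for name, size in GIBE_FILES.items():
        if name in lower_files:
            # A matching name with a different size may be a variant or an
            # unrelated file; report it but say so instead of staying silent.
            note = "" if lower_files[name] == size else " (size differs)"
            findings.append(f"file: {name} {lower_files[name]} bytes{note}")
    if GIBE_PORT in snap.listening_ports:
        findings.append(f"network: backdoor listener on TCP {GIBE_PORT}")
    return findings


def collect_live() -> HostSnapshot:
    """Populate a snapshot from the local machine. Windows only (uses winreg)."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection needs a Windows host")
    import winreg  # imported lazily so scan_snapshot() works anywhere

    run_values = {}
    run_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, run_path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = str(data)
            i += 1
    hklm_keys = set()
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, GIBE_REG_KEY))
        hklm_keys.add(GIBE_REG_KEY)
    except OSError:
        pass
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    windir_files = {}
    for name in GIBE_FILES:
        path = os.path.join(windir, name)
        if os.path.isfile(path):
            windir_files[name] = os.path.getsize(path)
    # A successful loopback connect is enough to show that something listens.
    listening = set()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(0.5)
        if s.connect_ex(("127.0.0.1", GIBE_PORT)) == 0:
            listening.add(GIBE_PORT)
    return HostSnapshot(run_values, hklm_keys, windir_files, listening)


if __name__ == "__main__":
    for line in scan_snapshot(collect_live()) or ["no Gibe indicators found"]:
        print(line)
```

The Run-key check compares only the file name of the command, since the article gives the dropped files' names but not their full paths; a hit on the persistence entries or the AVTech key is a far stronger signal than the port alone, which any other program could be using.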