Full Disclosure mailing list archives
Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
From: William Warren <hescominsoon () adelphia net>
Date: Sat, 24 May 2003 16:21:29 -0400
question is..does yours? :)

morning_wood wrote:
oops' .. hey, that was cool... everyone's AV works .. wood

----- Original Message -----
From: "morning_wood" <se_cur_ity () hotmail com>
To: <incidents () securityfocus com>; <full-disclosure () lists netsys com>
Sent: Saturday, May 24, 2003 9:04 AM
Subject: [Full-disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED

morning_wood
morning_wood () exploitlabs com
http://exploitlabs.com

Analysis of "Update880.exe"
W32.gibe - Trojan / Worm

Overview:
--------------------
Update880.exe arrives as email, claiming to be a new Microsoft update. It is a virus, class KaZaA Dropper. This is a different variant than identified by Symantec in March 2003. This is a small analysis of this variant's binary.

References:
--------------------
references to "p214537.exe"
http://www.arnes.si/news/archive/si.org.arnes/msg02077.html

report of html body code ( mine was blank)
http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt

reference to "Coded ...by Begbie, Slovakia"
http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm

aka: Q216309.exe
Coded ...by Begbie, Slovakia
AutMSUpdate = p214537
MSUpdate
MSUpdate
KaZaA uploDropper

Binary Text Extract:
--------------------
Installing Microsoft Update
wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp
Form1 Frame1 Picture1 Command1 &Cancel ProgressPic Label1
Extracting files ...
LicenseForm License Form1 Command2 Text1
This product is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement.
Microsoft does not warrant that the functions for the software or code will meet your requirements, or that the operation of the software or code will be uninterrupted or error-free, or that defects in the software or code can be corrected. Furthermore, Microsoft does not warrant or make any representations regarding the use or the results of the use of the software, code or related documentation in terms of their correctness, accuracy, reliability, or otherwise. No oral or written information or advice given by Microsoft or its authorized representatives shall create a warranty or in any way increase the scope of this warranty. Should the software or code prove defective after Microsoft has delivered the same, you, and you alone, shall assume the entire cost associated with all necessary servicing, repair or correction. In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of software, documents, provision of or failure to provide services, or information available from the services. COPYRIGHT NOTICE. Copyright 2003 Microsoft Corporation, One Microsoft Way, Redmond, Washington U.S.A. All rights reserved.
Command1 Label2
Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement.
Label1
Please read the following license agreement. Press the Page Down key to see the rest of the agreement.

Installation:
--------------------
\AC:\
Software\Microsoft\Windows\CurrentVersion\
Internet Settings\MessengerSetup
.... by Begbie
Microsoft Internet Update Pack
Coded
REG_SZ
This will install Microsoft Security Update.

Code Stuff: (filenames)
------------------
DxLoad
\DX3DRndr.exe
\gibe.dll
\MSBugAdv.exe
\MSWinsck.ocx
\WMSysDx.bin
ZipName

Code Stuff: (functions)
-------------------
Email Address Not found
LookName
n0=on 1:JOIN:#:{
Update registry settings ...
Installation was cancelled.
This update has been successfully installed.
ProgramFilesDir
pdate
A -EP
WinRAR.exe
-min -e -o
WinZip.exe
App Paths\
Outlook.Application
GetNamespace
Version
GetDefaultFolder
Items
Email1Address
Email2Address
Folders
\MailViews.db
AddressLists
AddressEntries
Count
Address
SOFTWARE\Microsoft\Wab\WAB4\Wab File Name
Software\Kazaa
\LocalContent
DisableSharing
012345:
Dir99
LocalContent
Transfer
DownloadDir
DlDir0
\mirc
\mirc32
\mirc.ini
\script.ini
[script]
Service
n1= /if ( $nick == $me ) { halt }
n2= /.dcc send $nick

Code Stuff: (keywords)
--------------------
IEPatch
KaZaA upload
XboX Emulator
PS2 Emulator
XP update
XXX Video
Sick Joke
Free XXX Pictures
My naked sister
Hallucinogenic Screensaver
Cooking with Cannabis
Magic Mushrooms Growing
I-Worm_Gibe Cleaner
Email Program
\Software\Microsoft\Internet Account Manager\Accounts
\Identities
\Identities\
SMTP Server
SMTP Email Address
NNTP Server
SMTP Display Name
Server
Microsoft Internet Engine
Automat
Robot
Daemon
Disp Name
:[prior]
\Start menu\Programs\Startup
\Documents and Settings\
\Winnt\Profiles\
Scripting.FileSystemObject
Drives
DriveType
RootFolder
Windows
WinMe
Win95
Win98
\All Users
BuildPath
FolderExists
\WebLoader.exe
CopyFile
All Users
Default User
Administrator
\TempRes.dat

Identification:
--------------------
FileInfo
Translation
StringFileInfo
040904B0
CompanyName Microsoft Corporation
FileDescription Microsoft Security Patch for Windows
LegalCopyright 1981-2003 Microsoft Corporation
LegalTrademarks is a registered trademark of Microsoft Corporation. Windows is a trademark of Microsoft Corporation.
ProductName MSUpdate
FileVersion 9.31.2541
ProductVersion 9.31.2541
InternalName p214537
OriginalFilename p214537.exe

This is a non technical report of a windows32 binary of an unknown type and function at the time of acquisition. Information is provided for identification and the type of functions, keywords and registry entries of W32.gibe virus.

Conclusion:
--------------------
While this is a known virus, its method of delivery and masquerading of a legitimate update makes this particularly unsuspecting attachment that is easily mistaken by the general internet user as a legitimate Microsoft update. As well the main program has been modified to reduce detection.

Credits:
--------------------
morning_wood
http://exploitlabs.com
-- May God Bless you and everything you touch. My "foundation" verse:Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED morning_wood (May 24)
- Suspicious Attachment jgarcia (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED morning_wood (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED William Warren (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED morning_wood (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED William Warren (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED morning_wood (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED William Warren (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED morning_wood (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED w g (May 24)
- RE: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED JT (May 24)
- SV: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED Peter Kruse (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED morning_wood (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED northern snowfall (May 24)
- Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED William Warren (May 24)