Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED

[William Warren <hescominsoon () adelphia net>]

question is..does yours?

:)


morning_wood wrote:
> oops' .. hey, that was cool... everyone's AV works ..
>
> wood
>
> ----- Original Message -----
> From: "morning_wood" <se_cur_ity () hotmail com>
> To: <incidents () securityfocus com>; <full-disclosure () lists netsys com>
> Sent: Saturday, May 24, 2003 9:04 AM
> Subject: [Full-disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED
>
>
>
> > morning_wood
> > morning_wood () exploitlabs com
> > http://exploitlabs.com
> >
> >
> > Analysis of "Update880.exe" W32.gibe - Trojan / Worm
> >
> > Overview:
> > --------------------
> >
> > Update880.exe arrives as email, claiming to be a new Microsoft update.
> > It is a virus, class KaZZA Droper. This is a different variant than
> > identified by Symantic in March 2003. This is a small analysis of
> > of this variants binary.
> >
> > References:
> > --------------------
> >
> > references to to "p214537.exe"
> > http://www.arnes.si/news/archive/si.org.arnes/msg02077.html
> >
> > report of html body code ( mine was blank)
> > http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt
> >
> >
> > reference to "Coded ...by Begbie, Slovakia"
> > http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
> > http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm
> >
> >
> > aka: Q216309.exe
> >
> >
> > Coded ...by Begbie, Slovakia
> > AutMSUpdate     =   p214537 MSUpdate
> > MSUpdate KaZaA uploDropper
> >
> >
> > Binary Text Extract:
> > --------------------
> >
> > Installing Microsoft Update
> >
> >
> > wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp Form1
> > Frame1 Picture1 Command1 &Cancel ProgressPic Label1 Extracting files ...
> > LicenseForm  License Form1 Command2 Text1
> >
> >
> > This product is protected by copyright laws and international  copyright
> > treaties,
> > as well as other intellectual property laws and  treaties.
> > ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE  PROVIDED "AS IS"
> > WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers
> > hereby disclaim all warranties  and conditions with regard to this
> > information,
> > including all warranties  and conditions of merchantability, whether
> > express, implied
> > or  statutory, fitness for a particular purpose, title and
> > non-infringement.
> > Microsoft does not warrant that the functions for the software or code
>
> will
>
> > meet
> > your requirements, or that the operation of the software or  code will
> > be uninterrupted or error-free, or that defects in the software
> > or code can be corrected.  Furthermore, Microsoft does not warrant
> > or make any representations regarding the use or the results of the
> > use of the software, code or related documentation in terms of their
> > correctness, accuracy, reliability, or otherwise. No oral or written
> > information or advice given by Microsoft or its authorized
>
> representatives
>
> > shall create a warranty or in any way increase the  scope of this
>
> warranty.
>
> > Should the software or code prove defective  after Microsoft has delivered
> > the same, you, and you alone,  shall assume the entire cost associated
>
> with
>
> > all necessary servicing,  repair or correction. In no event shall
>
> Microsoft
>
> > and/or its respective  suppliers be liable for any special, indirect or
> > consequential damages  or any damages whatsoever resulting from loss
> > of use, data or profits,  whether in an action of contract,
> > negligence or other tortious action,  arising out of or in connection
> > with the use or performance of  software, documents, provision of or
> > failure to provide services, or  information available from the services.
> > COPYRIGHT NOTICE. Copyright   2003
> > Microsoft Corporation, One Microsoft Way,
> >  Redmond, Washington U.S.A.
> > All rights reserved.
> >
> >
> > Command1 Label2
> > Do you accept all of the terms of the preceding License Agreement?
> > If you choose No, Install will close. To install you must accept this
> > agreement.
> >
> > Label1
> >
> > Please read the following license agreement. Press the Page Down key to
>
> see
>
> > the rest
> > of the agreement.
> >
> >
> > Installation:
> > --------------------
> >
> >
> > \AC:\ Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Messeng
>
> er
>
> > Setup .... by Begbie
> >
> > Microsoft Internet Update Pack Coded
> >
> > REG_SZ This will install Microsoft Security Update.
> >
> >
> > Code Stuff: (filenames)
> > ------------------
> >
> > DxLoad
> > \DX3DRndr.exe
> > \gibe.dll
> > \MSBugAdv.exe
> > \MSWinsck.ocx
> > \WMSysDx.bin
> >
> > ZipName
> >
> > Code Stuff:(functions)
> > -------------------
> >
> >
> > Email Address Not found
> > LookName n0=on 1:JOIN:#:{ Update registry settings ... Installation was
> > cancelled. This update has been successfully installed.
> >
> >
> >
> > ProgramFilesDir
> > pdate A -EP
> > WinRAR.exe -min -e -o
> > WinZip.exe
> >
> > App Paths\ Outlook.Application
> > GetNamespace Version
> > GetDefaultFolder Items
> > Email1Address
> > Email2Address
> > Folders \MailViews.db
> > AddressLists
> > AddressEntries
> > Count Address
> > SOFTWARE\Microsoft\Wab\WAB4\Wab
> >
> >
> > File Name Software\Kazaa
> > \LocalContent
> > DisableSharing 012345: Dir99
> > LocalContent
> > Transfer
> > DownloadDir DlDir0
> > \mirc \mirc32 \mirc.ini \script.ini [script] Service n1=  /if ( $nick ==
> > $me ) { halt } n2=  /.dcc send $nick
> >
> >
> > Code Stuff: (keywords)
> > --------------------
> >
> > IEPatch KaZaA upload XboX Emulator PS2 Emulator XP update XXX Video Sick
> > Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking
> > with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner Email Program
> >
> >
> > \Software\Microsoft\Internet Account Manager\Accounts
> > \Identities
> > \Identities\
> >
> > SMTP Server SMTP Email Address NNTP Server SMTP Display Name Server
> > Microsoft  Internet  Engine Automat Robot Daemon Disp Name :[prior]
> > \Start menu\Programs\Startup \Documents and Settings\
> > \Winnt\Profiles\ Scripting.FileSystemObject Drives DriveType
> > RootFolder Windows WinMe Win95 Win98 \All Users
> > BuildPath
> > FolderExists \WebLoader.exe
> > CopyFile All Users Default User Administrator \TempRes.dat
> >
> > Identification:
> > --------------------
> >
> > FileInfo Translation StringFileInfo 040904B0
> > CompanyName Microsoft Corporation
> > FileDescription Microsoft Security Patch for Windows
> > LegalCopyright  1981-2003 Microsoft Corporation
> > LegalTrademarks  is a registered trademark of Microsoft Corporation.
> > Windows is a trademark of Microsoft Corporation.
> > ProductName MSUpdate
> > FileVersion 9.31.2541
> > ProductVersion 9.31.2541
> > InternalName p214537
> > OriginalFilename p214537.exe
> >
> >
> > This is a non technical report of a windows32 binary of an unknown type
>
> and
>
> > function at the
> > time of aquisition. Information is provided for identification and the
>
> type
>
> > of functions, keywords
> > and registry entries of W32.gibe virus.
> >
> >
> > Conclusion:
> > --------------------
> >
> > While this is a known virus, it's method of delivery and masqurading of a
> > legitimate
> > updat makes this particulary unsuspecting attatchment that is easily
> > mistaken by the
> > general internet user as a legitimate Microsoft update. As well the main
> > program has
> > been modified to redude detection.
> >
> >
> > Credits:
> > --------------------
> > morning_wood
> > http://exploitlabs.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


--
May God Bless you and everything you touch.

My "foundation" verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html