Full Disclosure mailing list archives

Swen/Gibe.F Worm - Some New Info (was RE: Web counter in the new Swen/Gibe.F worm)


From: S G Masood <sgmasood () yahoo com>
Date: Thu, 18 Sep 2003 17:38:15 -0700 (PDT)

LoL. Just found the worm even has a nice GUI! (I am
attaching a sample extracted resource of a dialog)

Once executed, it presents installation dialogs to the
users (with EULA and all) and installs as a legitimate
program/patch would install. It doesn't try to be
discreet in any way.

The malicious message to which this worm was attached
posed as a *very* convincing MS patch. 

The author probably thinks it's better to ask users
directly for info, posing as a legitimate program,
than try to be discreet in its function (see attached
text). This way it tries to exploit certain
assumptions that users have about
malware (sneaky, encrypted, packed, no nice GUI :), etc.). I
think lots of people, otherwise paranoid and careful,
will fall for this worm. Believe me, Swen *very*
convincingly upsets users' assumptions and this is its
biggest USP...


--
Regards,
S.G.Masood.

Hyderabad,
India.
--




8<-------------SAMPLE EXTRACTED RESOURCE FROM SWEN WORM BEGINS---------------



101 DIALOG 0, 0, 452, 201
STYLE DS_NOFAILCREATE | DS_MODALFRAME |
DS_SETFOREGROUND | DS_CENTER | WS_POPUP | WS_CAPTION |
WS_SYSMENU
CAPTION " MAPI32 Exception"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK
FONT 8, "MS Sans Serif"
{
   CONTROL "&Apply", 1005, BUTTON, BS_PUSHBUTTON |
WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 169,
182, 54, 14 
   CONTROL "Cancel", 1006, BUTTON, BS_PUSHBUTTON |
WS_CHILD | WS_VISIBLE, 228, 182, 54, 14 
   CONTROL "", -1, BUTTON, BS_GROUPBOX | WS_CHILD |
WS_VISIBLE, 7, 44, 437, 131 
   CONTROL 104, -1, STATIC, SS_ICON | WS_CHILD |
WS_VISIBLE, 7, 7, 20, 20 
   CONTROL "An internal error has occurred in module
mapi32.dll", -1, STATIC, SS_LEFT | WS_CHILD |
WS_VISIBLE, 33, 6, 169, 8 
   CONTROL 103, -1, STATIC, SS_ICON | WS_CHILD |
WS_VISIBLE, 13, 54, 20, 20 
   CONTROL "In the edit box below, please enter your
name as you would like it to appear in the \"From\"
field of your outgoing message.", -1, STATIC, SS_LEFT
| WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 58, 198, 17 
   CONTROL "Your Name:", -1, STATIC, SS_LEFT |
WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 81, 41, 9 
   CONTROL "", 1002, EDIT, ES_LEFT | ES_AUTOHSCROLL |
WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89,
78, 126, 12 
   CONTROL "Please enter your email address. This
address will be the address other people use to send
email to you.", -1, STATIC, SS_LEFT | WS_CHILD |
WS_VISIBLE | WS_GROUP, 40, 97, 181, 17 
   CONTROL "Email Address:", -1, STATIC, SS_LEFT |
WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 119, 47, 9 
   CONTROL "", 1003, EDIT, ES_LEFT | ES_AUTOHSCROLL |
WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89,
117, 126, 12 
   CONTROL "Please enter the name of your outgoing
mail server in the edit box below.", -1, STATIC,
SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 137,
181, 16 
   CONTROL "SMTP Server:", -1, STATIC, SS_LEFT |
WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 159, 47, 9 
   CONTROL "", 1004, EDIT, ES_LEFT | ES_AUTOHSCROLL |
WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89,
156, 126, 12 
   CONTROL "Default mail account structure has a
damaged table of contents. It is recommended to newly
reconfigure your account records. MAPI32 needs these
informations in order to be able to send and receive
mail. Failure to do so may cause that some MAPI32",
-1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE |
WS_GROUP, 33, 18, 406, 17 
   CONTROL "(required)", -1, STATIC, SS_LEFTNOWORDWRAP
| WS_CHILD | WS_VISIBLE | WS_GROUP, 217, 120, 33, 8 
   CONTROL "(required)", -1, STATIC, SS_LEFTNOWORDWRAP
| WS_CHILD | WS_VISIBLE | WS_GROUP, 217, 160, 34, 8 
   CONTROL "Enter the name you will use to log into
this account.", -1, STATIC, SS_LEFT | WS_CHILD |
WS_VISIBLE | WS_GROUP, 261, 66, 169, 9 
   CONTROL "Login Name:", -1, STATIC, SS_LEFT |
WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 81, 43, 8 
   CONTROL "", 1007, EDIT, ES_LEFT | ES_AUTOHSCROLL |
WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311,
78, 96, 12 
   CONTROL "Please enter the password for current
account.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE
| WS_GROUP, 261, 97, 167, 8 
   CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD
| WS_VISIBLE | WS_GROUP, 261, 114, 37, 8 
   CONTROL "", 1008, EDIT, ES_LEFT | ES_PASSWORD |
ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER |
WS_TABSTOP, 325, 109, 50, 12 
   CONTROL "Type in the full name of your incoming
mail server.", -1, STATIC, SS_LEFT | WS_CHILD |
WS_VISIBLE | WS_GROUP, 261, 146, 163, 8 
   CONTROL "POP3 Server:", -1, STATIC, SS_LEFT |
WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 160, 46, 8 
   CONTROL "", 1009, EDIT, ES_LEFT | ES_PASSWORD |
ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER |
WS_TABSTOP, 325, 125, 50, 12 
   CONTROL "Retype password:", -1, STATIC, SS_LEFT |
WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 128, 58, 8 
   CONTROL "", 1010, EDIT, ES_LEFT | ES_AUTOHSCROLL |
WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311,
156, 124, 12 
   CONTROL "dependent applications (such as Outlook or
Outlook Express) become non-functional.", -1, STATIC,
SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 33, 34,
294, 8 
}




8<---------------SAMPLE EXTRACTED RESOURCE FROM SWEN WORM ENDS-------------









--- "B.K. DeLong" <bkdelong () pobox com> wrote:
At 02:31 PM 9/18/2003 -0400, you wrote:
Hi,

Joe Stewart of Lurhq.com has made an interesting
discovery about the new
Swen/Gibe.F worm that started circulating today: 
When the worm infects
a new machine, it hits a Web counter.

The URL of the counter is:



http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006

If this URL wraps in your email reader, here's a
shorter version:

   http://tinyurl.com/nufo

At 2:30 EST, the counter is about 615,000.

Here's a bit more about the worm:

   http://news.com.com/2100-7349_3-5078696.html

The server log entries for this counter might prove
interesting to virus
researchers.  These entries could provide data for
a statistical study
of computer worm transmissions.  Perhaps the
Vutbr.cz Web site would be
willing to go public with this information.

Is anyone storing sample virii somewhere for
analysis? Or do we have to 
wait for it to show?


--
B.K. DeLong
bkdelong () pobox com
+1.617.797.2472

http://ocw.mit.edu                           Work.
http://www.brain-stream.com               Play.
http://www.the-leaky-cauldron.org        Potter.
http://www.city-of-doors.com               Sigil

PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html
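The dialog resource quoted above is the kind of artifact an analyst pulls out of a sample with a resource editor, and the point of the post is that its controls ask for exactly what a mail credential thief needs. The following is an added example (not part of the post, and not the worm's or anyone else's code) that reads an RC-style dialog dump, pairs each EDIT box with the STATIC label sitting next to it by dialog coordinates, and reports whether the dialog looks like a credential prompt. The RC excerpt embedded in it is copied from the resource in the post (caption and the labelled input fields only, with the wrapped lines rejoined); the nearest-label heuristic and the scoring rule are my own assumptions, not anything described in the thread.

```python
import re
from dataclasses import dataclass

# Excerpt of the dialog resource quoted in the post above: the caption and the
# labelled input fields, with wrapped lines rejoined. Coordinates are the
# extracted values, not constructed ones.
SWEN_DIALOG_RC = r'''
101 DIALOG 0, 0, 452, 201
CAPTION " MAPI32 Exception"
FONT 8, "MS Sans Serif"
{
   CONTROL "Your Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 81, 41, 9
   CONTROL "", 1002, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 78, 126, 12
   CONTROL "Email Address:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 119, 47, 9
   CONTROL "", 1003, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 117, 126, 12
   CONTROL "SMTP Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 159, 47, 9
   CONTROL "", 1004, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 156, 126, 12
   CONTROL "Login Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 81, 43, 8
   CONTROL "", 1007, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311, 78, 96, 12
   CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 114, 37, 8
   CONTROL "", 1008, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 325, 109, 50, 12
   CONTROL "POP3 Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 160, 46, 8
   CONTROL "", 1009, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 325, 125, 50, 12
   CONTROL "Retype password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 128, 58, 8
   CONTROL "", 1010, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311, 156, 124, 12
}
'''


@dataclass
class Control:
    text: str
    id: int
    cls: str
    styles: frozenset
    x: int
    y: int
    w: int
    h: int

    @property
    def y_center(self):
        return self.y + self.h / 2

    @property
    def right(self):
        return self.x + self.w


# CONTROL <"text" | resource-id>, <id>, <class>, <styles>, x, y, w, h
_CONTROL_RE = re.compile(
    r'CONTROL\s+("(?:[^"\\]|\\.)*"|\d+)\s*,\s*(-?\d+)\s*,\s*(\w+)\s*,'
    r'\s*([^,]*?)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)')


def parse_controls(rc_text):
    """Parse every CONTROL statement in an RC dialog dump."""
    flat = re.sub(r"\s+", " ", rc_text)  # dumps wrap statements across lines
    controls = []
    for m in _CONTROL_RE.finditer(flat):
        raw_text, cid, cls, styles, x, y, w, h = m.groups()
        text = raw_text[1:-1].replace('\\"', '"') if raw_text.startswith('"') else f"#{raw_text}"
        controls.append(Control(text, int(cid), cls.upper(),
                                frozenset(s.strip() for s in styles.split("|")),
                                int(x), int(y), int(w), int(h)))
    return controls


def label_for(edit, controls, y_tol=6):
    """Assumed heuristic: the label of an EDIT box is the nearest STATIC text
    ending in ':' on the same row (within y_tol dialog units) and to its left."""
    best, best_gap = None, None
    for c in controls:
        if c.cls != "STATIC" or not c.text.endswith(":"):
            continue
        if abs(c.y_center - edit.y_center) > y_tol or c.right > edit.x:
            continue
        gap = edit.x - c.right
        if best_gap is None or gap < best_gap:
            best, best_gap = c, gap
    return best.text if best else None


def inventory_inputs(rc_text):
    """List every EDIT control with its visible label and whether it masks input."""
    controls = parse_controls(rc_text)
    return [{"id": c.id, "label": label_for(c, controls),
             "masked": "ES_PASSWORD" in c.styles}
            for c in controls if c.cls == "EDIT"]


CREDENTIAL_WORDS = ("password", "login", "user", "account", "email", "server")


def assess(rc_text):
    """Summarise the dialog; 'credential_prompt' is an assumed triage rule:
    at least one masked field plus two or more account/server prompts."""
    m = re.search(r'CAPTION\s+"([^"]*)"', rc_text)
    inputs = inventory_inputs(rc_text)
    masked = sum(1 for i in inputs if i["masked"])
    cred_labels = [i["label"] for i in inputs
                   if i["label"] and any(w in i["label"].lower() for w in CREDENTIAL_WORDS)]
    return {"caption": m.group(1).strip() if m else "",
            "inputs": len(inputs), "masked_inputs": masked,
            "credential_labels": cred_labels,
            "credential_prompt": masked > 0 and len(cred_labels) >= 2}


if __name__ == "__main__":
    for entry in inventory_inputs(SWEN_DIALOG_RC):
        print(entry)
    print(assess(SWEN_DIALOG_RC))
```

Pairing by coordinates rather than by declaration order matters here: control 1009 carries ES_PASSWORD and sits beside "Retype password:", while 1010, declared after it, is the POP3 server field. A dump read top to bottom would mislabel both.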




