Full Disclosure mailing list archives
Swen/Gibe.F Worm - Some New Info (was RE: Web counter in the new Swen/Gibe.F worm)
From: S G Masood <sgmasood () yahoo com>
Date: Thu, 18 Sep 2003 17:38:15 -0700 (PDT)
LoL. Just found the worm even has a nice GUI! (I am attaching a sample extracted resource of a dialog.) Once executed, it presents installation dialogs to the users (with EULA and all) and installs as a legitimate program/patch would install. It doesn't try to be discreet in any way. The malicious message to which this worm was attached posed as a *very* convincing MS patch. The author probably thinks it's better to ask users directly for info, posing as a legitimate program, than try to be discreet in its function (see attached text). This way it tries to exploit certain assumptions that users have about malware (sneaky, encrypted, packed, no nice GUI :), etc.). I think lots of people, otherwise paranoid and careful, will fall for this worm. Believe me, Swen *very* convincingly upsets users' assumptions and this is its biggest USP...

--
Regards,
S.G.Masood.
Hyderabad, India.
--

8<-------------SAMPLE EXTRACTED RESOURCE FROM SWEN WORM BEGINS---------------

101 DIALOG 0, 0, 452, 201
STYLE DS_NOFAILCREATE | DS_MODALFRAME | DS_SETFOREGROUND | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION " MAPI32 Exception"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK
FONT 8, "MS Sans Serif"
{
 CONTROL "&Apply", 1005, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_DISABLED | WS_TABSTOP, 169, 182, 54, 14
 CONTROL "Cancel", 1006, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE, 228, 182, 54, 14
 CONTROL "", -1, BUTTON, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, 7, 44, 437, 131
 CONTROL 104, -1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 7, 7, 20, 20
 CONTROL "An internal error has occurred in module mapi32.dll", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE, 33, 6, 169, 8
 CONTROL 103, -1, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 13, 54, 20, 20
 CONTROL "In the edit box below, please enter your name as you would like it to appear in the \"From\" field of your outgoing message.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 58, 198, 17
 CONTROL "Your Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 81, 41, 9
 CONTROL "", 1002, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 78, 126, 12
 CONTROL "Please enter your email address. This address will be the address other people use to send email to you.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 97, 181, 17
 CONTROL "Email Address:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 119, 47, 9
 CONTROL "", 1003, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 117, 126, 12
 CONTROL "Please enter the name of your outgoing mail server in the edit box below.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 137, 181, 16
 CONTROL "SMTP Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 159, 47, 9
 CONTROL "", 1004, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 156, 126, 12
 CONTROL "Default mail account structure has a damaged table of contents. It is recommended to newly reconfigure your account records. MAPI32 needs these informations in order to be able to send and receive mail. Failure to do so may cause that some MAPI32", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 33, 18, 406, 17
 CONTROL "(required)", -1, STATIC, SS_LEFTNOWORDWRAP | WS_CHILD | WS_VISIBLE | WS_GROUP, 217, 120, 33, 8
 CONTROL "(required)", -1, STATIC, SS_LEFTNOWORDWRAP | WS_CHILD | WS_VISIBLE | WS_GROUP, 217, 160, 34, 8
 CONTROL "Enter the name you will use to log into this account.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 66, 169, 9
 CONTROL "Login Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 81, 43, 8
 CONTROL "", 1007, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311, 78, 96, 12
 CONTROL "Please enter the password for current account.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 97, 167, 8
 CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 114, 37, 8
 CONTROL "", 1008, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 325, 109, 50, 12
 CONTROL "Type in the full name of your incoming mail server.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 146, 163, 8
 CONTROL "POP3 Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 160, 46, 8
 CONTROL "", 1009, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 325, 125, 50, 12
 CONTROL "Retype password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 128, 58, 8
 CONTROL "", 1010, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311, 156, 124, 12
 CONTROL "dependent applications (such as Outlook or Outlook Express) become non-functional.", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 33, 34, 294, 8
}

8<---------------SAMPLE EXTRACTED RESOURCE FROM SWEN WORM ENDS-------------

--- "B.K. DeLong" <bkdelong () pobox com> wrote:

At 02:31 PM 9/18/2003 -0400, you wrote:

Hi,

Joe Stewart of Lurhq.com has made an interesting discovery about the new Swen/Gibe.F worm that started circulating today: When the worm infects a new machine, it hits a Web counter. The URL of the counter is:

http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006

If this URL wraps in your email reader, here's a shorter version:

http://tinyurl.com/nufo

At 2:30 EST, the counter is about 615,000. Here's a bit more about the worm: http://news.com.com/2100-7349_3-5078696.html

The server log entries for this counter might prove interesting to virus researchers. These entries could provide data for a statistical study of computer worm transmissions. Perhaps the Vutbr.cz Web site would be willing to go public with this information.

Is anyone storing sample virii somewhere for analysis? Or do we have to wait for it to show?

--
B.K. DeLong
bkdelong () pobox com
+1.617.797.2472

http://ocw.mit.edu Work.
http://www.brain-stream.com Play.
http://www.the-leaky-cauldron.org Potter.
http://www.city-of-doors.com Sigil

PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
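The dialog resource quoted above shows, in plain text, exactly which inputs the worm asks for. An analyst triaging an extracted .rc script wants that turned into a quick inventory: every EDIT control, the label sitting beside it, and whether the field is password-masked. The following Python is an added example written for this archive, not code from the post or from any analysis tool named in it; it parses CONTROL lines with a regular expression, pairs each edit box with the nearest colon-terminated STATIC label on the same row (the row tolerance of 6 dialog units and the credential keyword list are the example's own assumptions), and reports which credential-related terms appear. The embedded sample is an abridged copy of the dialog quoted in the message, with coordinates as extracted.

```python
"""Inventory the user inputs collected by a Win32 DIALOG resource script.

Added example for defenders triaging extracted resources; not part of the
original Full-Disclosure post. Row tolerance and keyword list are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the CONTROL lines from the Swen dialog above.
SAMPLE_RC = r'''
101 DIALOG 0, 0, 452, 201
CAPTION " MAPI32 Exception"
{
 CONTROL "Your Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 81, 41, 9
 CONTROL "", 1002, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 78, 126, 12
 CONTROL "Email Address:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 119, 47, 9
 CONTROL "", 1003, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 117, 126, 12
 CONTROL "SMTP Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 40, 159, 47, 9
 CONTROL "", 1004, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 89, 156, 126, 12
 CONTROL "Login Name:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 81, 43, 8
 CONTROL "", 1007, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311, 78, 96, 12
 CONTROL "Password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 114, 37, 8
 CONTROL "", 1008, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 325, 109, 50, 12
 CONTROL "POP3 Server:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 160, 46, 8
 CONTROL "", 1009, EDIT, ES_LEFT | ES_PASSWORD | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 325, 125, 50, 12
 CONTROL "Retype password:", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 261, 128, 58, 8
 CONTROL "", 1010, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 311, 156, 124, 12
}
'''

# CONTROL text, id, class, style-list, x, y, w, h  (text may be a quoted
# string with \" escapes, or a bare resource number for icons/bitmaps)
CONTROL_RE = re.compile(
    r'^\s*CONTROL\s+("(?:[^"\\]|\\.)*"|-?\d+)\s*,\s*(-?\d+)\s*,\s*(\w+)\s*,'
    r'\s*([^,]+?)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)')

ROW_TOLERANCE = 6  # assumption: label baseline within 6 DLUs of its edit box
CREDENTIAL_WORDS = ("password", "login", "smtp", "pop3", "email", "account")


@dataclass
class Control:
    text: str
    ctrl_id: int
    cls: str
    styles: frozenset
    x: int
    y: int
    w: int
    h: int


def parse_controls(rc_text):
    """Return every CONTROL statement in the script as a Control record."""
    controls = []
    for line in rc_text.splitlines():
        m = CONTROL_RE.match(line)
        if not m:
            continue
        text = m.group(1)
        if text.startswith('"'):
            text = text[1:-1].replace('\\"', '"')  # strip quotes, unescape
        else:
            text = ""  # numeric text is an icon/bitmap id, not a caption
        styles = frozenset(s.strip() for s in m.group(4).split("|"))
        controls.append(Control(text, int(m.group(2)), m.group(3).upper(),
                                styles, *map(int, m.group(5, 6, 7, 8))))
    return controls


def label_for(edit, controls):
    """Nearest colon-terminated STATIC label on the same row, left of the box."""
    candidates = [c for c in controls
                  if c.cls == "STATIC" and c.text.endswith(":")
                  and c.x < edit.x and abs(c.y - edit.y) <= ROW_TOLERANCE]
    if not candidates:
        return None
    return min(candidates, key=lambda c: edit.x - c.x).text


def input_fields(controls):
    """One record per EDIT control: id, paired label, password masking."""
    return [{"id": c.ctrl_id, "label": label_for(c, controls),
             "masked": "ES_PASSWORD" in c.styles}
            for c in controls if c.cls == "EDIT"]


def harvest_summary(rc_text):
    """Counts and credential-related terms an analyst would want at a glance."""
    fields = input_fields(parse_controls(rc_text))
    labels = [f["label"] or "" for f in fields]
    hits = sorted({w for w in CREDENTIAL_WORDS
                   for lbl in labels if w in lbl.lower()})
    return {"fields": len(fields), "masked": sum(f["masked"] for f in fields),
            "credential_terms": hits, "labels": labels}


if __name__ == "__main__":
    for f in input_fields(parse_controls(SAMPLE_RC)):
        print(f)
    print(harvest_summary(SAMPLE_RC))
```

Pairing by coordinates rather than by control id matters here: in the quoted resource the second ES_PASSWORD box (id 1009) sits on the "Retype password:" row while id 1010 sits beside "POP3 Server:", so an id-order heuristic would mislabel both. A dialog whose summary shows masked fields plus mail-server and login labels, shipped inside something claiming to be a vendor patch, is the kind of artifact worth flagging for closer review.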
Current thread:
- Web counter in the new Swen/Gibe.F worm Richard M. Smith (Sep 18)
- Re: Web counter in the new Swen/Gibe.F worm B.K. DeLong (Sep 18)
- Re: Web counter in the new Swen/Gibe.F worm S G Masood (Sep 18)
- Swen/Gibe.F Worm - Some New Info (was RE: Web counter in the new Swen/Gibe.F worm) S G Masood (Sep 18)
- Re: Web counter in the new Swen/Gibe.F worm security (Sep 19)
- Re: Web counter in the new Swen/Gibe.F worm J. Race (Sep 19)
- Re: Web counter in the new Swen/Gibe.F worm Cael Abal (Sep 19)
- Re: Web counter in the new Swen/Gibe.F worm security (Sep 20)
- <Possible follow-ups>
- Re: Web counter in the new Swen/Gibe.F worm Timo Schoeler (Sep 18)
- Re: Web counter in the new Swen/Gibe.F worm security (Sep 19)
- Re: Web counter in the new Swen/Gibe.F worm B.K. DeLong (Sep 18)