Re: price.doc.exe

[barry.net () NTLWORLD COM (barry.net)]

Sent the file to CAI (http://www.antivirus.cai.com) and they come back:

Thank you for your E-mail and attached file,

Price.doc.exe was infected with Win32.PSW.Gip.112 trojan which will be
detected by IPE Viris Signature Update 360 due to be posted to our website
shortly.

A Trojan is a malicious program that masquerades as a legitimate program.
You should delete any file that IPE reports as a Trojan.

If the file is "in use" by the system, you will have to reboot the computer
with a "clean" bootable system disk and then delete the file from DOS.

A Trojan may look like it is a system file or a patch or even a game but
when activated, it runs some other malicious activity.

InoculateIT Personal Edition 5.1, will automatically delete Trojans when
they are detected if they are not "in use" by the system.

Thank you for sending us the file for checking.

Regards,

Steve Trusler

Systems Engineer

InoculateIT Personal Edition Support Team
Computer Associates Pty Ltd

Regards,
Philip Barry

----- Original Message -----
From: <illu5i0n () HUSHMAIL COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, May 19, 2000 11:43 PM
Subject: price.doc.exe

> This execuatable sets itself up to run as a service and appears to be a
> password stealing trojan.  It copies itself to the windows directory
(c:\winnt
> in my case).
>
> That's all I have for now.
>
> Illu5i0n
>
> At Thu, 18 May 2000 12:20:34 +0200, "Volker Werth [VWSoft]"
<VWerth () VWSOFT COM>
> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi folks!
> >
> > Well, I know this might be something for an antivirus vendor but I
> > thought it's of interest for the incidents list.....
> >
> > I received a mass email message from unknown (to me) source which had
> > a file attached to it.
> >
> > The MUA (Eudora in my case) showed this to be a .DOC file but in
> > truth this figured out to be an executable file. The guys did really
> > a good job to "hide" the real file extension.
> >
> > They used the following filename (paste from original mail):
> >
> > price.doc%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
> > 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
> > 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
> > %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
> > 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
> > 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
> > %20%20%20%20%20%20%20%20%20%20%20.exe
> >
> > which results in displaying a filename "price.doc" and lots of spaces
> > so neither the email client nor the Win explorer shows the correct
> > filename (explorer correctly shows the file type as executable).
> >
> > A joe average user would identify this to be a Word document file
> > (....and just click on it like he does everytime as we've seen from
> > Melissa & Co.).
> >
> > For everyone who wants to take a look at the EXE file, I've attached
> > a ZIP file (password is "price" without quotes).
> >
> > Attention: I did NO investigation on that EXE file - so I don't know
> > if this file will be safe to execute or contains any dangerous code!
> > DO NOT EXECUTE THE FILE CONTAINED IN THE ZIP! Maybe someone is able
> > and has the time to investigate the file by disassembling it.
> >
> > Cheers,
> >
> > Volker
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.1 Int. for non-commercial use
> > <http://www.pgpinternational.com>
> >
> > iQA/AwUBOSO14LdVlYEAznqjEQLYLgCfXV67/l1INMUPHsuAMuXxE2b56swAnRNr
> > piGDGegcdJmsXMmwtja5qTBE
> > =XTzk
> > -----END PGP SIGNATURE-----
>
>
> IMPORTANT NOTICE:  If you are not using HushMail, this message could have
been read easily by the many people who have access to your open personal
email messages.
> Get your FREE, totally secure email address at http://www.hushmail.com.