Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Possible Trojan/Virus: while.com.

From: <joshb () wwe com>
Date: Mon, 26 Nov 2001 10:23:34 -0700 (MST)

This came to one of our lists this morning hit by a similar attack. The
filenames change and the text seems to be taken from the person's computer
sending the e-mail.



Symantec has raised the alert level for a new computer virus called        
W32.badtrans.b to a 3 out of 4.  This virus impacts Windows type
computers.
                                                                           
W32.Badtrans.B@mm is a MAPI worm that emails itself out as one of several  
different file names. This worm also drops a backdoor trojan that logs     
keystrokes.                                                                
                                                                           
Virus definitions dated November 24, 2001 or later will protect against    
this virus.                                                                

On Sun, 25 Nov 2001, Jay D. Dyson wrote:


-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

      I received an unusual spam complaint from one of my users here. 
What's unusual is that I'd not heard about this payload before.  While I
haven't had time yet to give the payload more than a cursory look, my gut
tells me the following is a trojan or worm either deliberately or
unintentionally disseminated by an AOL user (using a forged bellsouth.net
address).  Also of import is that the user who sent this beastie was using
Microsoft Outlook (as if that isn't a big enough warning sign). 

      The text accompanying this apparently malicious payload is thus:

- -----BEGIN EXCERPT-----

It can be disabled at your discretion, although the default 
configuration is to allow updates. If you want to disable this feature, 
follow the instructions in the online help documentation under the topic 
"Turning Attune off and on".\f0\par

\par

You may not modify, reverse-engineer, decompile, create other works 
from, or disassemble the software. Similarly, you may not copy, modify, 
adapt or create other works based upon the Documentation.

- ----- END EXCERPT -----

      The payload is named "while.com" (did some searching on this term
and came up with goose-eggs).  Vital statistics on the file are: 

      Filesize        : 73,728 bytes
      MD5 sum         : 0cd0a719f9f91630de366c54c427a834
      Interesting bits: mshtml.dll (previously ID'd as security risk)
                        TLOSS error
                        SING error
                        DOMAIN error

      (The above three items strike me as math-intensive, possibly
      indicating a cracking functionality of some type...or maybe I'm
      whistling in the dark.  Like I said, this is a suspected trojan,
      not confirmed.)

      Anyway, with the creepy-crawlies typically associated with
Microsoft-sired worms (use of MS Outlook, generic text, unsolicited
payload, et cetera), I'm regarding this as a high-probability trojan/worm.

      Anyone interested in vivisecting this beastie can find a copy of
it here:

      The file: http://www.treachery.net/~jdyson/trojans/while.com
      MD5 sum : http://www.treachery.net/~jdyson/trojans/while.com.md5

      Oh...and in case anyone's wondering, I've already sent off a
letter to AOL to let them know about this.

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson () treachery net -----<) |    = |-'
  `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBPAHReblDRyqRQ2a9AQHg9QP+P1/9NN3JKyToZdn+ACWQE1IRGkWHwHiu
JkMBR0xQcmB93EbBP0f1yui9g/Tl+E8ZAGvkQQd3LW665J3fnMMxoeqOnAZsjy3W
/owQ1aUJuc6Ki7AU99KQ1gdwV0SO7zFvbNpjSwhpXwhEuj51bwkms3tfw96zRuHi
Yj+1XeDe910=
=MnN0
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: