IP: Redesi virus: [risks] Risks Digest 21.71

[David Farber <dave () farber net>]

> Date: Sun, 21 Oct 2001 11:44:54 -0800
> From: Rob Slade <rslade () sprint ca>
> Subject: Redesi virus
>
> RISKS readers may have heard of one or both variants of Redesi, also known
> as Dark Machine or Ucon.  (In fact, it was PGN who first alerted me to the
> existence of the second.)  (If you haven't heard about them, don't open any
> e-mail attachments with filenames of Common.exe, Rede.exe, Si.exe,
> UserConf.exe, or Disk.exe.  These filenames seem to be consistent in both
> versions, in file attachments, and on infected machines.)
>
> There are two variants.  One comes with a large variety of possible subject
> lines, all of which contain either a double hyphen or an ellipsis (three or
> six periods).  Many appear to be comments from Kev, Gaz, Will, Si, Jim,
> Arwel, or Michelle.  The body of the message of this A version reads "heh. I
> tell ya this is nuts ! You gotta check it out !" and file attachments with
> filenames as listed above.  Infected machines will have files with the
> filenames listed created in the root directory of the C: drive with the
> hidden attribute set.  However, this variant doesn't make any changes to the
> Registry, and doesn't do any apparent damage.
>
> The second variant comes with a subject line that may refer to Microsoft,
> security updates, alerts, terrorists, emergency response, and viruses.  The
> body contains what appears to be a message from Microsoft describing the
> attachment as a security patch, and a message of endorsement from the
> forwarder. (Since both variants are forwarded using Microsoft Outlook
> address books, the messages will appear to come from someone you know.)
> (Note that Microsoft is not in the habit of sending out security patches as
> e-mail attachments.)  The B variant adds entries to the Registry, and
> attempts to use an entry in the Autoexec.bat file to reformat the disk on or
> after November 11, 2001.  The filenames of the attachments, and the files
> created, are the same.
>
> Note that the close association and quick release of the two variants may
> have been a two stage piece of social engineering.  The first release would
> create some concern, and would promote a heightened sense of urgency about
> applying patches or fixes, possibly enough to prompt people to run suggested
> repair programs without getting confirmation.  The second virus would take
> advantage of this kind of panic.  And, in this case, the "cure" is
> definitely worse than the disease.
>
> (However, given some of the second set of subject lines, the second release
> may simply be trying to take advantage of the uncertainty over terrorist
> attacks.)
>
> By the way, if you are trying to filter viruses at the e-mail gateway, scan
> e-mail for messages with attachments with filenames Common.exe, Rede.exe,
> Si.exe, UserConf.exe, or Disk.exe.  Also note the message text "heh. I tell
> ya this is nuts ! You gotta check it out !" and "Just recieved this in my
> email I have contacted Microsoft and they say it's real !"  Note that
> deleting messages on the basis of body text is not recommended, since it may
> eliminate warning messages.
>
> rslade () vcn bc ca  rslade () sprint ca  slade () victoria tc ca p1 () canada com
> http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


For archives see:
http://www.interesting-people.org/archives/interesting-people/