Interesting People mailing list archives
IP: Redesi virus: [risks] Risks Digest 21.71
From: David Farber <dave () farber net>
Date: Thu, 25 Oct 2001 07:50:46 -0400
Date: Sun, 21 Oct 2001 11:44:54 -0800
From: Rob Slade <rslade () sprint ca>
Subject: Redesi virus

RISKS readers may have heard of one or both variants of Redesi, also known as Dark Machine or Ucon. (In fact, it was PGN who first alerted me to the existence of the second.)

(If you haven't heard about them, don't open any e-mail attachments with filenames of Common.exe, Rede.exe, Si.exe, UserConf.exe, or Disk.exe. These filenames seem to be consistent in both versions, in file attachments, and on infected machines.)

There are two variants. One comes with a large variety of possible subject lines, all of which contain either a double hyphen or an ellipsis (three or six periods). Many appear to be comments from Kev, Gaz, Will, Si, Jim, Arwel, or Michelle. The body of the message of this A version reads "heh. I tell ya this is nuts ! You gotta check it out !" and file attachments with filenames as listed above. Infected machines will have files with the filenames listed created in the root directory of the C: drive with the hidden attribute set. However, this variant doesn't make any changes to the Registry, and doesn't do any apparent damage.

The second variant comes with a subject line that may refer to Microsoft, security updates, alerts, terrorists, emergency response, and viruses. The body contains what appears to be a message from Microsoft describing the attachment as a security patch, and a message of endorsement from the forwarder. (Since both variants are forwarded using Microsoft Outlook address books, the messages will appear to come from someone you know.) (Note that Microsoft is not in the habit of sending out security patches as e-mail attachments.) The B variant adds entries to the Registry, and attempts to use an entry in the Autoexec.bat file to reformat the disk on or after November 11, 2001. The filenames of the attachments, and the files created, are the same.

Note that the close association and quick release of the two variants may have been a two stage piece of social engineering. The first release would create some concern, and would promote a heightened sense of urgency about applying patches or fixes, possibly enough to prompt people to run suggested repair programs without getting confirmation. The second virus would take advantage of this kind of panic. And, in this case, the "cure" is definitely worse than the disease. (However, given some of the second set of subject lines, the second release may simply be trying to take advantage of the uncertainty over terrorist attacks.)

By the way, if you are trying to filter viruses at the e-mail gateway, scan e-mail for messages with attachments with filenames Common.exe, Rede.exe, Si.exe, UserConf.exe, or Disk.exe. Also note the message text "heh. I tell ya this is nuts ! You gotta check it out !" and "Just recieved this in my email I have contacted Microsoft and they say it's real !" Note that deleting messages on the basis of body text is not recommended, since it may eliminate warning messages.

rslade () vcn bc ca    rslade () sprint ca    slade () victoria tc ca    p1 () canada com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
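The gateway-filtering advice in Rob Slade's post above, turned into a small worked example. This is added code, not part of the RISKS post or the IP list; it uses only Python's standard `email` package and constructed sample messages (no real Redesi traffic). It applies the two indicator sets exactly as the post distinguishes them: a listed attachment filename is grounds to quarantine the message, while a body-text match is only flagged for review, since deleting on body text would also discard colleagues' warnings that quote the same strings. Filenames are compared case-insensitively, an assumption added here because mail clients and Windows filesystems do not preserve case reliably.

```python
"""Added example (not from Rob Slade's post): gateway-side check for the
Redesi indicators listed above.

  - attachment filename in the Redesi list -> 'quarantine'
  - body text matches one of the two quoted strings -> 'flag' (deliver, tag)
  - nothing matches -> 'pass'

Sample messages at the bottom are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Indicators quoted in the post. Case-insensitive filename match is an
# assumption of this example, not something the post specifies.
REDESI_ATTACHMENT_NAMES = {"common.exe", "rede.exe", "si.exe", "userconf.exe", "disk.exe"}
REDESI_BODY_TEXT = (
    "heh. I tell ya this is nuts ! You gotta check it out !",
    "Just recieved this in my email I have contacted Microsoft and they say it's real !",
)


def attachment_names(msg: EmailMessage) -> list:
    """Return the filename of every part that carries one (i.e. each attachment)."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def body_text(msg: EmailMessage) -> str:
    """Join the decoded text/plain parts that are not themselves attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            chunks.append(part.get_content())
    return "\n".join(chunks)


def classify(raw: bytes) -> tuple:
    """Classify one raw RFC 5322 message; returns (verdict, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for name in attachment_names(msg):
        if name.lower() in REDESI_ATTACHMENT_NAMES:
            reasons.append("attachment filename: " + name)
    if reasons:
        return "quarantine", reasons          # hold the message
    body = body_text(msg)
    for marker in REDESI_BODY_TEXT:
        if marker in body:
            reasons.append("body text: " + repr(marker))
    return ("flag", reasons) if reasons else ("pass", reasons)


def build_message(subject: str, body: str, attachments: Optional[dict] = None) -> bytes:
    """Construct a sample message (example-only; addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in (attachments or {}).items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: an A-style message, a B-style message with the filename
# in upper case, a colleague's warning that quotes the body text, and a clean one.
SAMPLE_A = build_message("hey -- check this",
                         "heh. I tell ya this is nuts ! You gotta check it out !",
                         {"Common.exe": b"MZ..."})
SAMPLE_UPPER = build_message("Microsoft security update ...", "Patch attached.",
                             {"USERCONF.EXE": b"MZ..."})
SAMPLE_WARNING = build_message("Virus warning",
                               'Do not open mail that says "heh. I tell ya this is nuts ! You gotta check it out !"')
SAMPLE_CLEAN = build_message("lunch?", "Noon at the usual place.", {"agenda.txt": b"1. budget"})

if __name__ == "__main__":
    for label, raw in (("A", SAMPLE_A), ("upper", SAMPLE_UPPER),
                       ("warning", SAMPLE_WARNING), ("clean", SAMPLE_CLEAN)):
        print(label, classify(raw))
```

Running it prints `quarantine` for the first two samples, `flag` for the warning message and `pass` for the clean one. In a real gateway the `raw` bytes would come from the MTA's content-filter hook; the point of keeping `classify` as a pure function is that the quarantine/flag policy can be unit-tested against captured samples without touching the mail flow.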
For archives see: http://www.interesting-people.org/archives/interesting-people/