MALWARE HOAX FW: Microsoft Security Bulletin MS01-039

From: Robert D. Hughes (robat_private)
Date: Mon Jul 16 2001 - 20:34:07 PDT


    First of all, here's the headers:
    
    Microsoft Mail Internet Headers Version 2.0
    Received: from mail.gmx.net ([194.221.183.20]) by hexch01.robhughes.com with
    Microsoft SMTPSVC(5.0.2195.2966);
    	 Mon, 16 Jul 2001 21:07:01 -0500
    X-Proxy: fwall.robhughes.com protected by Firewall
    Received: (qmail 19842 invoked by uid 0); 17 Jul 2001 02:06:58 -0000
    Received: from 252.fwsgrp27.als.att.net (HELO bleh.bleh.com) (12.44.146.252)
      by mail.gmx.net (mail01) with SMTP; 17 Jul 2001 02:06:58 -0000
    Message-ID: <bleh1234567890>
    Date: Sun, 13 Jul 1337 13:37:37 +1337
    From: secnotifat_private
    Reply-To: secnotifat_private
    X-Mailer: Mozilla 4.75 [en] (Win95; U)
    X-Accept-Language: en
    MIME-Version: 1.0
    To: robat_private
    Subject: Microsoft Security Bulletin MS01-039
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Return-Path: deathsdoorat_private
    X-OriginalArrivalTime: 17 Jul 2001 02:07:02.0181 (UTC)
    FILETIME=[2B2B0550:01C10E65]
    
    
    Now, they've obviously taken an actual MS bulletin and used the text, right
    down to including a PGP key, and they've incremented it from the previous
    bulletin. The first thing I noticed is that the entire message is
    double-spaced. Not a lot, but it was different from every other bulletin I've
    gotten. The obvious giveaway is the address they've used for the fix, as
    well as specifying a particular file to download. The bulletin page of course is
    404.
    
    The netblock is owned by LYCOS in Europe and points to a tripod page, with an
    att.net account used to send the mail, and relevant parties have been cc'ed
    as well. And apparently the user name associated with the site is hicagogppr.
    
    From my limited experience, I can tell very little about the file other than
    it appears to connect to a remote web site. This comes from running strings
    against the file. It also appears to go after napster and icq accounts, but I
    can't tell what else it does. I think the most important thing is that
    scanning it with the latest virus signatures from Norton comes up clean, so a
    user would not be notified that they are running an infected file.
    
    If someone with the knowledge and experience will, please do a full analysis
    on this and let me know what it is. I'm pretty much a rank newbie at this, as
    you can probably tell ;) I searched the bugtraq archives, but didn't find
    anything on this, so if it's known, I apologize.
    
    Thanks,
    Rob
    
    -----Original Message-----
    From: secnotifat_private [mailto:secnotifat_private]
    Sent: None
    To: Robert D. Hughes
    Subject: Microsoft Security Bulletin MS01-039
    Importance: Low
    
    
    The following is a Security  Bulletin from the Microsoft Product Security
    
    Notification Service.
    
    
    
    Please do not  reply to this message,  as it was sent  from an unattended
    
    mailbox.
    
    ********************************
    
    
    
    - ----------------------------------------------------------------------
    
    Title:      Vulnerability in Windows systems allowing an upload of a serious
    virus.
    
    Date:       10 July 2001
    
    Software:   Windows 2000
    
    Impact:     Privilege Elevation
    
    Bulletin:   MS01-039
    
    
    
    Microsoft encourages customers to review the Security Bulletin at: 
    
    http://www.microsoft.com/technet/security/bulletin/MS01-039.asp
    
    - ----------------------------------------------------------------------
    
    
    
    Yesterday the internet has seen one of the first of its downfalls. A virus
    (no name assigned yet) has been released. 
    
    One with the complexity to destroy data like none seen before. 
    
    
    
    Systems affected:
    
    =================
    
    Microsoft Windows 95
    
    Microsoft Windows 95b
    
    Microsoft Windows 98
    
    Microsoft Windows 98/SE
    
    Microsoft Windows NT Enterprise
    
    Microsoft Windows NT Workstation
    
    Microsoft Windows Millennium Edition
    
    Microsoft Windows 2000 Professional
    
    Microsoft Windows 2000 Server
    
    Microsoft Windows 2000 Advanced Server
    
    Service packs up to Service Pack 6 for Windows NT 3/4 Systems.
    
    Service pack 1 and 2 for Windows 2000.
    
    
    
    Issue:
    
    ======
    
    Officials say this virus is unique in many ways. It spreads via new forms,
    such as using a new vulnerability in Windows 
    
    98 allowing already infected computers to upload (send files) to non-infected
    computers, this means that you do not have 
    
    to download or visit a site to be infected with the virus. The infected
    computers are programmed to scan for computers 
    
    running Windows 9x, and Windows 2000 and uploading the virus. 
    
    
    
    -What the virus does:
    
    
    
    The virus itself is a threat to normal users as well as businesses. Cooper
    from Microsoft said "This virus has the ability 
    
    to wipe out most of the internet users and the chances are it will, the risk
    is high, patches must be installed to affected 
    
    systems." The virus itself is made for one reason and one reason only, to
    reproduce, destroy documents, delete mp3 files, 
    
    movie files, infect .exe files, this virus also has a unique feature that
    destroys the BIOS (Basic Input Output System), 
    
    which means ones that are infected would need to purchase a new motherboard.
    
    
    
    Patch Availability:
    
    ===================
    
    Visit
    http://www.microsoft.com@%36%32%2E%35%32%2E%31%36%32%2E%31%34%37/%68%69%63%61
    %67%6F%67%70%70%72/%6D%73%5F%76%32%37%35%36%35%37%5F%78%38%36%5F%65%6E.e%78%6
    5 to download the patch named ms_v275657_x86_en.exe. Download and run the
    file.
    
    
    
    Acknowledgment:
    
    ===============
    
    - Jon McDonald (http://www.entrigue.net)  
    
    - Russ Cooper (http://www.ntbugtraq.com)
    
    
    
    - ---------------------------------------------------------------------
    
    
    
    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
    
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
    
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
    
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
    
    SHALL 
    
    MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 
    
    WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
    
    LOSS 
    
    OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
    
    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
    
    DAMAGES. 
    
    SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
    
    CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
    
    NOT 
    
    APPLY.
    
    
    
    
    
    
    
    -----BEGIN PGP SIGNATURE-----
    
    Version: PGP Personal Privacy 6.5.3
    
    -----END PGP SIGNATURE-----
    
    
    
    *******************************************************************
    
    You have received  this e-mail bulletin as a result  of your registration
    
    to  the   Microsoft  Product  Security  Notification   Service.  You  may
    
    unsubscribe from this e-mail notification  service at any time by sending
    
    an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUESTat_private
    
    The subject line and message body are not used in processing the request,
    
    and can be anything you like.
    
    
    
    To verify the digital signature on this bulletin, please download our PGP
    
    key at http://www.microsoft.com/technet/security/notify.asp.
    
    
    
    For  more  information on  the  Microsoft  Security Notification  Service
    
    please  visit  http://www.microsoft.com/technet/security/notify.asp.  For
    
    security-related information  about Microsoft products, please  visit the
    
    Microsoft Security Advisor web site at http://www.microsoft.com/security
    
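    The obfuscated "patch" link in the forwarded mail is the kind of thing worth decoding exactly the way a browser does: everything before the `@` in the authority is userinfo, not the host, and the percent-encoded host after it is where the download really comes from. The following script is an added illustration, not part of Rob's post or the hoax; it uses only the Python standard library, and the link is a constructed copy of the one quoted above with the archive's line wrapping removed. The decoded host and path are computed from that link, not assumed.

```python
import ipaddress
import re
import urllib.parse

# Constructed copy of the "patch" link from the forwarded hoax mail, with the
# line wrapping that the mail archive introduced removed.
HOAX_URL = ("http://www.microsoft.com@%36%32%2E%35%32%2E%31%36%32%2E%31%34%37"
            "/%68%69%63%61%67%6F%67%70%70%72"
            "/%6D%73%5F%76%32%37%35%36%35%37%5F%78%38%36%5F%65%6E.e%78%65")

# %-escapes of plain printable ASCII ('.' and the range %30-%7F); a legitimate
# link has no reason to encode these, a lookalike link encodes them to hide.
NEEDLESS = re.compile(r"%(2[eE]|[3-7][0-9a-fA-F])")


def analyze_url(url):
    """Return where the link really goes and the deception tells it carries.

    A browser treats everything before '@' in the authority as userinfo, so
    'www.microsoft.com' is not the host; the percent-encoded host after '@' is.
    """
    parts = urllib.parse.urlsplit(url)
    decoy = parts.username or ""            # the text a reader sees first
    real_host = urllib.parse.unquote(parts.hostname or "")
    path = urllib.parse.unquote(parts.path)
    tells = []
    if decoy and "." in decoy:
        tells.append("userinfo looks like a hostname (decoy before '@')")
    if parts.hostname and "%" in parts.hostname:
        tells.append("host is percent-encoded")
    try:
        ipaddress.ip_address(real_host)     # raises ValueError for a name
        tells.append("host is a bare IP address")
    except ValueError:
        pass
    if NEEDLESS.search(parts.path):
        tells.append("path percent-encodes ordinary ASCII characters")
    if path.lower().endswith(".exe"):
        tells.append("link points directly at an executable")
    return {"decoy": decoy, "real_host": real_host, "path": path, "tells": tells}


if __name__ == "__main__":
    report = analyze_url(HOAX_URL)
    print("decoy name :", report["decoy"])
    print("real host  :", report["real_host"])
    print("path       :", report["path"])
    for tell in report["tells"]:
        print("tell       :", tell)
```

The decoded path ends in the same `hicagogppr` user name and `ms_v275657_x86_en.exe` file name that the mail spells out, which is a quick way to confirm the link and the text describe the same download.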



    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 23:01:51 PDT