Re: Concept Virus(CV) V.5 - Quick analysis update

From: Brian Pomeroy (lunarat_private)
Date: Tue Sep 18 2001 - 11:24:05 PDT


    This morning I received an e-mail with the subject line "elvis presley -
    amazing grace" from asportalat_private and containing an attachment
    named read.exe.  I am suspecting this could be related.
    
    Brian Pomeroy
    e-Transformation/e-Medicine Center
    The Children's Hospital of Philadelphia
    Philadelphia, PA USA
    http://www.chop.edu/
    pomeroyat_private || lunarat_private
    
    
    
    ----- Original Message -----
    From: "Olle Segerdahl" <olleat_private>
    To: <bugtraqat_private>; <incidentsat_private>
    Sent: Tuesday, September 18, 2001 11:58 AM
    Subject: Concept Virus(CV) V.5 - Quick analysis update
    
    
    >
    > More infection routes:
    >
    > The worm, upon infecting a new host, goes through all the
    > shared directories and their subdirectories and plants the
    > following files in each dir:
    >
    > sample.nws
    > sample.eml
    > desktop.eml
    > desktop.nws
    >
    > which are eml messages with copies of itself ("readme.exe")
    > autoloaded by a html script tag,
    >
    > riched20.dll
    >
    > which is a trojan dll version of itself probably designed
    > to infect people running notepad/wordpad in that dir.
    >
    >
    > It also infects htm/html/asp files all over the system with
    > a <SCRIPT> tag appendage that links to a readme.eml file in
    > the current directory, thus infecting more webservers and
    > even windows helpsystem and the IE "friendly" error messages.
    >
    > The worm puts a trojan mmc.exe in the winnt directory that
    > is a copy of itself in the above "readme.exe" format.....
    >
    > So in short: This thing spreads via fileserver shares and
    > also infects all web content files it sees, it's EVIL.
    >
    > /olle
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
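A defensive scan for the artefacts Olle lists, added here as an example that is not code from either poster: it walks a share, flags the dropped filenames, and flags any htm/html/asp file carrying a script tag that references readme.eml. The regex and the constructed sample files are assumptions; the worm's actual appended tag text is not quoted on this page.

```python
"""Scan a file share for the Concept Virus (CV) V.5 / Nimda artefacts
described in the thread. Added example, not from the original post."""
import os
import re
import tempfile

# Filenames the analysis says the worm plants in every shared directory,
# plus the readme.eml / readme.exe names it uses as its payload.
DROPPED_NAMES = {"sample.nws", "sample.eml", "desktop.eml", "desktop.nws",
                 "riched20.dll", "readme.eml", "readme.exe"}
WEB_EXTS = (".htm", ".html", ".asp")

# Assumed detection pattern: a <script> element whose body or src attribute
# refers to readme.eml (matched case-insensitively, since the exact tag
# text is not given on the page).
SCRIPT_RE = re.compile(
    rb"<script\b[^>]*>[^<]*readme\.eml|<script\b[^>]*src=[\"']?[^>\"']*readme\.eml",
    re.IGNORECASE)

def scan_tree(root):
    """Return (path, reason) tuples for every suspicious artefact under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                hits.append((path, "dropped file name"))
            if name.lower().endswith(WEB_EXTS):
                with open(path, "rb") as fh:
                    content = fh.read()
                if SCRIPT_RE.search(content):
                    hits.append((path, "script tag referencing readme.eml"))
    return hits

def scan_summary(root):
    """Same as scan_tree, but keyed by bare filename for easy reporting."""
    return sorted((os.path.basename(p), r) for p, r in scan_tree(root))

def build_sample_share():
    """Constructed sample share (not real worm output) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="cv5_demo_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "sample.eml"), "wb") as fh:
        fh.write(b"MIME placeholder, constructed for the demo\n")
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html><body>site</body></html>\n"
                 b"<script language=\"JavaScript\">window.open(\"readme.eml\")</script>\n")
    with open(os.path.join(root, "clean.asp"), "wb") as fh:
        fh.write(b"<% Response.Write(\"hello\") %>\n")
    return root

if __name__ == "__main__":
    for name, reason in scan_summary(build_sample_share()):
        print(f"{name}: {reason}")
```

Run it against a mounted share root instead of the demo directory; the dropped-name check is exact, so it will not flag the legitimate riched20.dll living under the system directory unless that tree is included.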
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 14:21:02 PDT