[Full-Disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED

From: morning_wood (se_cur_ityat_private)
Date: Sat May 24 2003 - 09:04:53 PDT


    morning_wood
    morning_woodat_private
    http://exploitlabs.com
    
    
    Analysis of "Update880.exe" W32.gibe - Trojan / Worm
    
    Overview:
    --------------------
    
     Update880.exe arrives as email, claiming to be a new Microsoft update.
    It is a virus, class KaZaA dropper. This is a different variant than the
    one identified by Symantec in March 2003. This is a small analysis of
    this variant's binary.
    
    References:
    --------------------
    
    references to "p214537.exe"
    http://www.arnes.si/news/archive/si.org.arnes/msg02077.html
    
    report of HTML body code (mine was blank)
    http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt
    
    
    reference to "Coded ...by Begbie, Slovakia"
    http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
    http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm
    
    
    aka: Q216309.exe
    
    
    Coded ...by Begbie, Slovakia
    AutMSUpdate     =   p214537 MSUpdate
    MSUpdate KaZaA uploDropper
    
    
    Binary Text Extract:
    --------------------
    
    Installing Microsoft Update
    
    
    wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp Form1
     Frame1 Picture1 Command1 &Cancel ProgressPic Label1 Extracting files ...
    LicenseForm  License Form1 Command2 Text1
    
    
    This product is protected by copyright laws and international  copyright
    treaties,
     as well as other intellectual property laws and  treaties.
    ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE  PROVIDED "AS IS"
    WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers
    hereby disclaim all warranties  and conditions with regard to this
    information,
    including all warranties  and conditions of merchantability, whether
    express, implied
     or  statutory, fitness for a particular purpose, title and
    non-infringement.
    Microsoft does not warrant that the functions for the software or code  will
    meet
     your requirements, or that the operation of the software or  code will
    be uninterrupted or error-free, or that defects in the software
    or code can be corrected.  Furthermore, Microsoft does not warrant
    or make any representations regarding the use or the results of the
    use of the software, code or related documentation in terms of their
    correctness, accuracy, reliability, or otherwise. No oral or written
    information or advice given by Microsoft or its authorized  representatives
    shall create a warranty or in any way increase the  scope of this warranty.
    Should the software or code prove defective  after Microsoft has delivered
    the same, you, and you alone,  shall assume the entire cost associated with
    all necessary servicing,  repair or correction. In no event shall Microsoft
    and/or its respective  suppliers be liable for any special, indirect or
    consequential damages  or any damages whatsoever resulting from loss
    of use, data or profits,  whether in an action of contract,
    negligence or other tortious action,  arising out of or in connection
    with the use or performance of  software, documents, provision of or
    failure to provide services, or  information available from the services.
    COPYRIGHT NOTICE. Copyright   2003
    Microsoft Corporation, One Microsoft Way,
      Redmond, Washington U.S.A.
    All rights reserved.
    
    
    Command1 Label2
    Do you accept all of the terms of the preceding License Agreement?
     If you choose No, Install will close. To install you must accept this
    agreement.
    
    Label1
    
    Please read the following license agreement. Press the Page Down key to see
    the rest
     of the agreement.
    
    
    Installation:
    --------------------
    
    
    \AC:\ Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Messenger
    
     Setup .... by Begbie
    
     Microsoft Internet Update Pack Coded
    
     REG_SZ This will install Microsoft Security Update.
    
    
    Code Stuff: (filenames)
    --------------------
    
    DxLoad
    \DX3DRndr.exe
    \gibe.dll
    \MSBugAdv.exe
    \MSWinsck.ocx
    \WMSysDx.bin
    
    ZipName
    
    Code Stuff: (functions)
    --------------------
    
    
     Email Address Not found
    LookName n0=on 1:JOIN:#:{ Update registry settings ... Installation was
    cancelled. This update has been successfully installed.
    
    
    
    ProgramFilesDir
    pdate A -EP
    WinRAR.exe -min -e -o
    WinZip.exe
    
    App Paths\ Outlook.Application
    GetNamespace Version
    GetDefaultFolder Items
    Email1Address
    Email2Address
    Folders \MailViews.db
    AddressLists
    AddressEntries
    Count Address
    SOFTWARE\Microsoft\Wab\WAB4\Wab
    
    
    File Name Software\Kazaa
    \LocalContent
    DisableSharing 012345: Dir99
    LocalContent
    Transfer
    DownloadDir DlDir0
    \mirc \mirc32 \mirc.ini \script.ini [script] Service n1=  /if ( $nick ==
    $me ) { halt } n2=  /.dcc send $nick
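The mIRC strings above (a `[script]` section with an `on 1:JOIN` handler that skips `$me` and then runs `/.dcc send $nick`) describe the classic script.ini propagation trick: every user who joins a channel is silently sent a file. The following checker is an added example written for this post, not code from the author or from the worm; it parses a script.ini-style file and flags JOIN handlers that issue a DCC send. The sample script.ini contents are constructed here from the string fragments in the dump and are not the worm's actual file.

```python
import re

# Constructed sample in the shape the strings dump suggests: an on-JOIN
# handler that halts for the bot itself and DCC-sends a file to everyone else.
# This is an illustration assembled from the fragments above, not a real capture.
SAMPLE_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{
n1=  /if ( $nick == $me ) { halt }
n2=  /.dcc send $nick C:\\Windows\\Update880.exe
n3=}
"""

# Constructed benign script: a JOIN handler that only greets the joiner.
BENIGN_SCRIPT_INI = """[script]
n0=on 1:JOIN:#:{
n1=  /msg $nick Welcome to the channel
n2=}
"""

# mIRC event handler of the form "on <level>:JOIN:<channel>:..."
JOIN_HANDLER = re.compile(r"^\s*on\s+\S+:JOIN:", re.IGNORECASE)
# "/dcc send" or the silenced "/.dcc send" variant seen in the dump
DCC_SEND = re.compile(r"/\.?dcc\s+send\b", re.IGNORECASE)


def parse_script_section(text):
    """Return the ordered list of nN= values found under the [script] section."""
    values = []
    in_script = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_script = line.lower() == "[script]"
            continue
        if not in_script or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if re.fullmatch(r"n\d+", key.strip()):
            values.append(value)
    return values


def find_dcc_autosend(text):
    """Return (handler, offending_line) pairs for JOIN handlers that DCC-send to the joiner."""
    findings = []
    current_handler = None
    depth = 0
    for value in parse_script_section(text):
        if JOIN_HANDLER.match(value):
            current_handler = value.strip()
            depth = 0
        if current_handler is None:
            continue
        # Track brace nesting so we know when the handler body ends.
        depth += value.count("{") - value.count("}")
        if DCC_SEND.search(value):
            findings.append((current_handler, value.strip()))
        if depth <= 0:
            current_handler = None
    return findings


if __name__ == "__main__":
    for name, ini in (("sample", SAMPLE_SCRIPT_INI), ("benign", BENIGN_SCRIPT_INI)):
        hits = find_dcc_autosend(ini)
        print(name, "->", hits if hits else "no auto-DCC JOIN handler")
```

Run against a user's mirc/mirc32 directory this reports which JOIN handler sends files and which line does it, which is the check a responder wants before deleting or restoring script.ini.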
    
    
    Code Stuff: (keywords)
    --------------------
    
    IEPatch KaZaA upload XboX Emulator PS2 Emulator XP update XXX Video Sick
    Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking
    with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner Email Program
    
    
    \Software\Microsoft\Internet Account Manager\Accounts
    \Identities
    \Identities\
    
    SMTP Server SMTP Email Address NNTP Server SMTP Display Name Server
    Microsoft  Internet  Engine Automat Robot Daemon Disp Name :[prior]
    \Start menu\Programs\Startup \Documents and Settings\
    \Winnt\Profiles\ Scripting.FileSystemObject Drives DriveType
    RootFolder Windows WinMe Win95 Win98 \All Users
    BuildPath
    FolderExists \WebLoader.exe
    CopyFile All Users Default User Administrator \TempRes.dat
    
    Identification:
    --------------------
    
    FileInfo Translation StringFileInfo 040904B0
     CompanyName Microsoft Corporation
     FileDescription Microsoft Security Patch for Windows
     LegalCopyright  1981-2003 Microsoft Corporation
     LegalTrademarks  is a registered trademark of Microsoft Corporation.
    Windows is a trademark of Microsoft Corporation.
     ProductName MSUpdate
     FileVersion 9.31.2541
     ProductVersion 9.31.2541
     InternalName p214537
     OriginalFilename p214537.exe
    
    
     This is a non-technical report of a Windows 32-bit binary of an unknown
    type and function at the time of acquisition. Information is provided for
    identification and the type of functions, keywords and registry entries of
    the W32.gibe virus.
    
    
    Conclusion:
    --------------------
    
     While this is a known virus, its method of delivery and masquerading as a
    legitimate update make this a particularly unsuspicious attachment that is
    easily mistaken by the general internet user for a legitimate Microsoft
    update. As well, the main program has been modified to reduce detection.
    
    
    Credits:
    --------------------
    morning_wood
    http://exploitlabs.com
    
    
    
    

    _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html



    This archive was generated by hypermail 2b30 : Sat May 24 2003 - 11:04:05 PDT