oops' .. hey, that was cool... everyone's AV works .. wood

----- Original Message -----
From: "morning_wood" <se_cur_ityat_private>
To: <incidentsat_private>; <full-disclosureat_private>
Sent: Saturday, May 24, 2003 9:04 AM
Subject: [Full-Disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED

> morning_wood
> morning_woodat_private
> http://exploitlabs.com
>
>
> Analysis of "Update880.exe" W32.gibe - Trojan / Worm
>
> Overview:
> --------------------
>
> Update880.exe arrives as email, claiming to be a new Microsoft update.
> It is a virus, class KaZZA Dropper. This is a different variant than
> identified by Symantec in March 2003. This is a small analysis of
> this variant's binary.
>
> References:
> --------------------
>
> references to "p214537.exe"
> http://www.arnes.si/news/archive/si.org.arnes/msg02077.html
>
> report of html body code ( mine was blank)
> http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt
>
> reference to "Coded ...by Begbie, Slovakia"
> http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
> http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm
>
> aka: Q216309.exe
>
> Coded ...by Begbie, Slovakia
> AutMSUpdate = p214537 MSUpdate
> MSUpdate KaZaA uploDropper
>
>
> Binary Text Extract:
> --------------------
>
> Installing Microsoft Update
>
> wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp Form1
> Frame1 Picture1 Command1 &Cancel ProgressPic Label1 Extracting files ...
> LicenseForm License Form1 Command2 Text1
>
> This product is protected by copyright laws and international copyright treaties,
> as well as other intellectual property laws and treaties.
> ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers
> hereby disclaim all warranties and conditions with regard to this information,
> including all warranties and conditions of merchantability, whether express, implied
> or statutory, fitness for a particular purpose, title and non-infringement.
> Microsoft does not warrant that the functions for the software or code will meet
> your requirements, or that the operation of the software or code will
> be uninterrupted or error-free, or that defects in the software
> or code can be corrected. Furthermore, Microsoft does not warrant
> or make any representations regarding the use or the results of the
> use of the software, code or related documentation in terms of their
> correctness, accuracy, reliability, or otherwise. No oral or written
> information or advice given by Microsoft or its authorized representatives
> shall create a warranty or in any way increase the scope of this warranty.
> Should the software or code prove defective after Microsoft has delivered
> the same, you, and you alone, shall assume the entire cost associated with
> all necessary servicing, repair or correction. In no event shall Microsoft
> and/or its respective suppliers be liable for any special, indirect or
> consequential damages or any damages whatsoever resulting from loss
> of use, data or profits, whether in an action of contract,
> negligence or other tortious action, arising out of or in connection
> with the use or performance of software, documents, provision of or
> failure to provide services, or information available from the services.
> COPYRIGHT NOTICE. Copyright 2003
> Microsoft Corporation, One Microsoft Way,
> Redmond, Washington U.S.A.
> All rights reserved.
>
>
> Command1 Label2
> Do you accept all of the terms of the preceding License Agreement?
> If you choose No, Install will close. To install you must accept this agreement.
>
> Label1
>
> Please read the following license agreement. Press the Page Down key to see
> the rest of the agreement.
>
>
> Installation:
> --------------------
>
> \AC:\ Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Messenger
> Setup .... by Begbie
> Microsoft Internet Update Pack Coded
> REG_SZ This will install Microsoft Security Update.
>
>
> Code Stuff: (filenames)
> ------------------
>
> DxLoad
> \DX3DRndr.exe
> \gibe.dll
> \MSBugAdv.exe
> \MSWinsck.ocx
> \WMSysDx.bin
>
> ZipName
>
> Code Stuff: (functions)
> -------------------
>
> Email Address Not found
> LookName n0=on 1:JOIN:#:{ Update registry settings ... Installation was
> cancelled. This update has been successfully installed.
>
> ProgramFilesDir
> pdate A -EP
> WinRAR.exe -min -e -o
> WinZip.exe
>
> App Paths\ Outlook.Application
> GetNamespace Version
> GetDefaultFolder Items
> Email1Address
> Email2Address
> Folders \MailViews.db
> AddressLists
> AddressEntries
> Count Address
> SOFTWARE\Microsoft\Wab\WAB4\Wab
>
> File Name Software\Kazaa
> \LocalContent
> DisableSharing 012345: Dir99
> LocalContent
> Transfer
> DownloadDir DlDir0
> \mirc \mirc32 \mirc.ini \script.ini [script] Service n1= /if ( $nick ==
> $me ) { halt } n2= /.dcc send $nick
>
>
> Code Stuff: (keywords)
> --------------------
>
> IEPatch KaZaA upload XboX Emulator PS2 Emulator XP update XXX Video Sick
> Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking
> with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner Email Program
>
> \Software\Microsoft\Internet Account Manager\Accounts
> \Identities
> \Identities\
>
> SMTP Server SMTP Email Address NNTP Server SMTP Display Name Server
> Microsoft Internet Engine Automat Robot Daemon Disp Name :[prior]
> \Start menu\Programs\Startup \Documents and Settings\
> \Winnt\Profiles\ Scripting.FileSystemObject Drives DriveType
> RootFolder Windows WinMe Win95 Win98 \All Users
> BuildPath
> FolderExists \WebLoader.exe
> CopyFile All Users Default User Administrator \TempRes.dat
>
>
> Identification:
> --------------------
>
> FileInfo Translation StringFileInfo 040904B0
> CompanyName Microsoft Corporation
> FileDescription Microsoft Security Patch for Windows
> LegalCopyright 1981-2003 Microsoft Corporation
> LegalTrademarks is a registered trademark of Microsoft Corporation.
> Windows is a trademark of Microsoft Corporation.
> ProductName MSUpdate
> FileVersion 9.31.2541
> ProductVersion 9.31.2541
> InternalName p214537
> OriginalFilename p214537.exe
>
>
> This is a non-technical report of a windows32 binary of an unknown type and
> function at the time of acquisition. Information is provided for identification
> and the type of functions, keywords and registry entries of W32.gibe virus.
>
>
> Conclusion:
> --------------------
>
> While this is a known virus, its method of delivery and masquerading as a
> legitimate update makes this a particularly unsuspecting attachment that is
> easily mistaken by the general internet user as a legitimate Microsoft update.
> As well, the main program has been modified to reduce detection.
>
>
> Credits:
> --------------------
> morning_wood
> http://exploitlabs.com
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
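As an added triage example (not part of morning_wood's post): a small Python script that pulls printable strings out of a file, both plain ASCII and the UTF-16 that PE StringFileInfo fields such as OriginalFilename are stored in, and reports which of the indicators listed above (the dropped file names, the p214537 internal name, the Q216309.exe alias, the Begbie tag, the mIRC script.ini DCC line) it carries. The sample bytes are constructed here for the demonstration, and the two-hit "suspicious" threshold is an assumption of this example, not anything stated in the post.

```python
import re

# Indicators copied from the post's "Code Stuff" and "Identification" sections.
GIBE_STRINGS = [
    b"p214537", b"Q216309.exe", b"gibe.dll", b"DX3DRndr.exe", b"MSBugAdv.exe",
    b"MSWinsck.ocx", b"WMSysDx.bin", b"WebLoader.exe", b"TempRes.dat",
    b"Coded ...by Begbie", b"I-Worm_Gibe Cleaner", b"9.31.2541",
]
# The script.ini stanza the worm plants in mIRC: "n2= /.dcc send $nick ..."
MIRC_DCC_RE = re.compile(rb"n\d+=\s*/\.?dcc send \$nick", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal `strings`: printable ASCII runs plus UTF-16LE runs, since the
    PE version info (OriginalFilename, InternalName, ...) is stored wide."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ascii_runs + [w.decode("utf-16-le").encode("ascii") for w in wide_runs]


def gibe_indicators(data: bytes) -> dict:
    """Report which Gibe indicators a blob carries. 'suspicious' is a
    heuristic (assumption): at least two string hits, or any mIRC DCC line."""
    found = {i.decode() for s in extract_strings(data) for i in GIBE_STRINGS if i in s}
    dcc = [m.decode() for m in MIRC_DCC_RE.findall(data)]
    return {"string_hits": sorted(found), "mirc_dcc_lines": dcc,
            "suspicious": len(found) >= 2 or bool(dcc)}


# Constructed sample: a fake PE-ish blob with the version-info name in UTF-16,
# two of the dropped file names and the mIRC script.ini lines from the post.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Installing Microsoft Update\x00\x00\x00"
    + "OriginalFilename\0p214537.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\\gibe.dll\x00\\DX3DRndr.exe\x00"
    + b"[script]\r\nn1= /if ( $nick == $me ) { halt }\r\n"
    + b"n2= /.dcc send $nick Q216309.exe\r\n"
)
# Constructed benign blob: mentions Microsoft but carries none of the indicators.
CLEAN = b"MZ\x90\x00 just a plain Microsoft Corporation string, nothing else"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, gibe_indicators(blob))
```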
This archive was generated by hypermail 2b30 : Sat May 24 2003 - 12:39:00 PDT