In-Reply-To: <Pine.LNX.4.53.0307151847580.15628at_private>

It looks to me like a new variant of W32.Gruel@mm (McAfee calls it W32/Fakerr@MM). I scanned it with 7/15 NAV defs and F-Prot, and it didn't detect anything. The email you received looks similar to what W32.Gruel@mm sends, but altered somewhat. This leads me to think it's a new variant. I suggest submitting a sample to Symantec, McAfee, Trend, Kaspersky, etc.

I pulled text strings from the exe and found indications of the following:

1. It's written in Visual Basic 6.0, and requires the VB 6.0 runtime.
2. It seems to have the ability to disable Task Manager, Logoff, Shutdown, Lock Computer, and Change Password, or at least it has GUI elements that allude to that.
3. It contains the string "kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"
4. It looks like it generates, or is capable of generating, a fake Windows Error Report and a Windows NT bugcheck dump.

I haven't attempted to run or disassemble the code.

--------------------
>Oh, this is interesting.
>
>The little beastie claims to come from Symantec. It's actually from some
>joker (possibly a victim) in Guatemala. Even comes with a .exe attachment
>for those dumb enough to be suckered into believing it's actually from
>Symantec.

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------
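The poster's triage method above (pull printable strings from the attachment and look for tell-tale indicators such as the VB6 runtime dependency, the author marker string, and GUI captions about disabling Task Manager or faking an error report) can be scripted for a defender who wants to check a suspect file the same way without executing it. The following is an added example, not code from the original post or from any AV vendor. SAMPLE_BYTES is a constructed stand-in buffer, not the real sample, and the indicator patterns are assumptions chosen to mirror the strings the post reports; the "MSVBVM60.DLL" import name is the real VB 6.0 runtime library the post says the binary requires.

```python
import re
import sys

# Constructed stand-in for the suspect .exe: a few PE-looking bytes with
# embedded strings of the kind the post reports. This is NOT the real sample.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"MSVBVM60.DLL\x00"                      # VB 6.0 runtime import
    b"\x01\x02\x03"
    b"kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!\x00"
    b"\x7f\x80"
    b"Disable Task Manager\x00Windows Error Report\x00ab\x00"
)

# Indicator categories modelled on the post's string dump. The regexes are
# illustrative assumptions, not detection signatures from any vendor.
INDICATORS = {
    "vb6_runtime": re.compile(r"MSVBVM60\.DLL", re.I),
    "author_marker": re.compile(r"kIlLeRgUaTe"),
    "disables_taskmgr": re.compile(r"Task Manager", re.I),
    "fake_error_report": re.compile(r"Windows Error Report", re.I),
}


def extract_strings(data, min_len=4):
    """Return runs of printable ASCII at least min_len bytes long,
    the same thing the Unix `strings` tool does by default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_indicators(strings):
    """Map each indicator name to the extracted strings that triggered it."""
    hits = {}
    for name, pat in INDICATORS.items():
        matched = [s for s in strings if pat.search(s)]
        if matched:
            hits[name] = matched
    return hits


def triage(data, min_len=4):
    """Static, no-execution triage: string count plus matched indicators."""
    strings = extract_strings(data, min_len)
    return {"string_count": len(strings), "indicators": match_indicators(strings)}


if __name__ == "__main__":
    # Usage: python triage.py [path-to-suspect-file]; falls back to the
    # constructed buffer so the script runs offline as-is.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    report = triage(data)
    print("printable strings found:", report["string_count"])
    for name, matched in report["indicators"].items():
        print(f"  [{name}] {matched[0]!r}")
```

Because the script only reads bytes and never loads or runs the file, it is safe to apply to an attachment before any sandboxing decision; a positive hit on the runtime import and the marker string is exactly the kind of evidence the post suggests submitting to the AV vendors along with the sample.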
This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 15:18:21 PDT