RE: TROJAN: Symantec: New Serious Virus found. (fwd)

From: Still, Kirsty (Kirsty.Still@b-and-q.co.uk)
Date: Wed Jul 16 2003 - 07:22:04 PDT


    What a crock of an e-mail supposedly from Symantec.  This is a nasty little
    b*gger ... which will bring up lots of pop up windows like window
    properties, display properties, eject cd rom and bring up a message saying
    that it has encountered an error (like the ones you get on XP).  A little
    strange, seeing as not a lot of corporations are running on XP!
    Then it comes up with a message saying how it has basically taken over the
    machine 'cos he/she was bored and blah blah blah ... got bored reading it to
    be honest!
    
    It'll allow you to eventually close down all of the pop up windows and
    resume 'normal' usage of the PC .. or so you think, but if you go to run a
    program already installed on your PC it won't allow it to run.  It also
    won't allow any .exe's to be run either, which makes clearing up the little
    blighter pretty mighty.  If you look straight into the task manager and look
    at the applications it's running (upon trying to execute a program manually)
    it will show multiple 'windows updates' in a running state.  Of course it's
    not updating at all.
    
    It does the obvious and changes your registry
    (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Windows Management Instrumentation" = %worm path%\mwd.exe)
    and installs a little icon on your desktop that won't allow you to delete
    it.  Supposedly it works off of the admin$ shares, so restricting
    permissions and unplugging from the network immediately is recommended!
    
    For your own sake do not click on the link in Jay's e-mail, or you'll end up
    doing a rebuild!  Instead read about it here:
    http://vil.nai.com/vil/content/v_100467.htm
    
    (network associates web page).  Hope this helps.
    
    Regards,
         ~ Kirsty
    
    Security Consultant
    
    
    -----Original Message-----
    From: Jay D. Dyson [mailto:jdysonat_private]
    Sent: 16 July 2003 02:50
    To: Incidents List
    Subject: TROJAN: Symantec: New Serious Virus found. (fwd)
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Oh, this is interesting.
    
    The little beastie claims to come from Symantec.  It's actually from some
    joker (possibly a victim) in Guatemala.  Even comes with a .exe attachment
    for those dumb enough to be suckered into believing it's actually from
    Symantec.
    
    The payload has been saved at the following URL:
    http://www.treachery.net/~jdyson/trojans/Symantec_Norton_Tool.exe
    
    Dunno if this qualifies as an "incident," but I'm sure you folks at
    Symantec would like to know about this...
    
    
    - ---------- Forwarded message ----------
    Return-Path: <securityat_private>
    Delivered-To: jdysonat_private
    Received: (qmail 15579 invoked from network); 16 Jul 2003 01:33:01 -0000
    Received: from mail1.intelnet.net.gt (216.230.128.17)
      by h-66-134-87-75.lsanca54.covad.net with SMTP; 16 Jul 2003 01:33:01 -0000
    Received: from User ([10.28.1.30])
    	by mail1.intelnet.net.gt (Pro-8.9.3/8.9.3) with SMTP id BAA08384;
    	Wed, 16 Jul 2003 01:43:40 +0600 (GMT)
    Message-Id: <200307151943.BAA08384at_private>
    From: "Symantec Corporation"<securityat_private>
    Subject: Symantec: New Serious Virus found.
    Date: Tue, 15 Jul 2003 19:29:30 -0600
    MIME-Version: 1.0
    X-Priority: 1
    X-MSMail-Priority: High
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    
    
    Norton Security Response, has detected a new virus in the Internet. For this
    reason we made this tool attachement, to protect your computer from this
    serious virus. Due to the number of submissions received from customers,
    Symantec Security Response has upgraded this threat to a Category 5 (Maximum ).
    
    
    Prevention, using the W32.Gruel@mm Tool:
    To prevent or remove W32.W32.Gruel@mm , apply this attachment tool as
    quickly as possible. This is the easiest way to remove/prevent this threat.
    
    
    Technical Details:
    Also Known As: W32.Gruel@mm , W32.KillerGuate
    Type: Virus
    Infection Length: 45,195 bytes (zip file), 45,528 bytes (executable) (45KB approx)
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP,
    Windows Me, Windows 2003
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux
    
    
    Additional information:
    Security Response has received many submissions of corrupted W32.W32.Gruel@mm .
    A specific detection for this type of infected file has been added as
    W32.W32.Gruel@mm . This detection is available in virus definitions dated
    June 12 2003. Be sure to delete the files detected as W32.W32.Gruel@mm .
    
    Note: If you believe your computer may already be infected or just want to
    protect it agains W32.W32.Gruel@mm , please download this tool now.
    
    
    Symantec Corporation.
    Last Updated on: July 13, 2003 04:55:35 PM
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (TreacherOS)
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iD8DBQE/FK8/Nlg1oZSC9mkRAs9LAJoCRzROK0VpLiJVb9obbSPyeQlSRwCeKfsR
    dhQaF6P1a71l4jYKqUklOlo=
    =HoBr
    -----END PGP SIGNATURE-----
    
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists.  See for yourself what the buzz is about!
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
    
    
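An added example, not part of either post: a header-only triage in Python that automates the observation Jay made above, that the mail claims to be from Symantec but was relayed from a desktop behind intelnet.net.gt in Guatemala. The header sample is constructed from the forwarded headers on this page (the archive had already munged addresses to "...at_private"); the individual checks and their wording are the editor's own.

```python
import email
import ipaddress
import re

# Constructed sample: the lure's headers as forwarded on this page (the list archive
# had already munged addresses to "...at_private"; body shortened to one line).
LURE = """\
Return-Path: <securityat_private>
Received: from mail1.intelnet.net.gt (216.230.128.17)
  by h-66-134-87-75.lsanca54.covad.net with SMTP; 16 Jul 2003 01:33:01 -0000
Received: from User ([10.28.1.30])
  by mail1.intelnet.net.gt (Pro-8.9.3/8.9.3) with SMTP id BAA08384;
  Wed, 16 Jul 2003 01:43:40 +0600 (GMT)
From: "Symantec Corporation"<securityat_private>
Subject: Symantec: New Serious Virus found.
X-Priority: 1
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Norton Security Response, has detected a new virus in the Internet.
"""

# Matches "from <helo-name> (<ip>)" or "from <helo-name> ([<ip>])" at the start of a hop.
HOP_RE = re.compile(r"^from\s+(\S+)\s*(?:\(\[?([\d.]+)\]?\))?", re.I)

def relay_chain(raw):
    """Return [(helo_name, ip_or_None), ...] with the originating hop first."""
    msg = email.message_from_string(raw)  # default (compat32) policy keeps raw header text
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops[::-1]  # Received headers are newest-first; reverse to oldest-first

def triage(raw):
    """Header-only checks a responder can run on a 'vendor alert' before anyone opens it."""
    msg = email.message_from_string(raw)
    hops = relay_chain(raw)
    findings = []
    if "symantec" in msg.get("From", "").lower() and not any(
            "symantec" in host.lower() for host, _ in hops):
        findings.append("From claims Symantec, but no Symantec host appears in the Received chain")
    if hops and hops[0][1] and ipaddress.ip_address(hops[0][1]).is_private:
        findings.append(f"origin hop '{hops[0][0]}' has private address {hops[0][1]}: a desktop, not a mail gateway")
    if "outlook express" in msg.get("X-Mailer", "").lower():
        findings.append("a vendor advisory composed in Outlook Express, not sent by a notification system")
    if msg.get("X-Priority", "").strip() == "1":
        findings.append("X-Priority: 1, the urgency pressure typical of lures")
    return findings
```

Run against the sample it reports four findings; the first two are exactly the mismatch Jay spotted by eye.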
    


