Re: TROJAN: Symantec: New Serious Virus found. (fwd)

From: Roger A. Grimes (rogergat_private)
Date: Wed Jul 16 2003 - 16:33:38 PDT


    Kirsty,
    
    Calm down...everything's going to be alright.  I even downloaded the
    file...I didn't execute it though...so no rebuild needed yet. <whew>  Thanks
    for your advisory.
    
    On a related note, McAfee's warning on the worm suggests that everyone just
    delete all their administrative shares "to be safe". That's great...delete
    IPC$ so that nobody can connect to the server.  That's just what folks need
    to be doing. <grin>
    
    Roger
    
    ----- Original Message ----- 
    From: "Still, Kirsty" <Kirsty.Still@b-and-q.co.uk>
    To: "'Jay D. Dyson'" <jdysonat_private>; "Incidents List"
    <incidentsat_private>
    Sent: Wednesday, July 16, 2003 10:22 AM
    Subject: RE: TROJAN: Symantec: New Serious Virus found. (fwd)
    
    
    > What a crock of an e-mail supposedly from Symantec.  This is a nasty little
    > b*gger ... which will bring up lots of pop up windows like window
    > properties, display properties, eject cd rom and bring up a message saying
    > that it has encountered an error (like the ones you get on XP) a little
    > strange seeing as not a lot of corporations are running on XP!
    > Then it comes up with a message saying how it has basically taken over the
    > machine 'cos he/she was bored and blah blah blah ... got bored reading it to
    > be honest!
    >
    > It'll allow you to eventually close down all of the pop up windows and
    > resume 'normal' usage of the PC .. or so you think, but if you go to run a
    > program already installed on your PC it won't allow it to run.  It also
    > won't allow any .exe's to be run either, which makes clearing up the little
    > blighter pretty mighty.  If you look straight into the task manager and look
    > at the applications it's running (upon trying to execute a program manually)
    > it will show multiple 'windows updates' in a running state.  Of course it's
    > not updating at all.
    >
    > It does the obvious and changes your registry
    > (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows
    > Management Instrumentation" = %worm path%\mwd.exe)
    > and installs a little icon on your desktop that won't allow you to delete
    > it.  Supposedly it works off of the admin$ shares, so restricting
    > permissions and unplugging from the network immediately is recommended!
    >
    > For your own sake do not click on the link in Jay's e-mail, or you'll end up
    > doing a rebuild!  Instead read about it here:
    > http://vil.nai.com/vil/content/v_100467.htm
    >
    > (network associates web page).  Hope this helps.
    >
    > Regards,
    >      ~ Kirsty
    >
    > Security Consultant
    >
    >
    > -----Original Message-----
    > From: Jay D. Dyson [mailto:jdysonat_private]
    > Sent: 16 July 2003 02:50
    > To: Incidents List
    > Subject: TROJAN: Symantec: New Serious Virus found. (fwd)
    >
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Oh, this is interesting.
    >
    > The little beastie claims to come from Symantec.  It's actually from some
    > joker (possibly a victim) in Guatemala.  Even comes with a .exe attachment
    > for those dumb enough to be suckered into believing it's actually from
    > Symantec.
    >
    > The payload has been saved at the following URL:
    > http://www.treachery.net/~jdyson/trojans/Symantec_Norton_Tool.exe
    >
    > Dunno if this qualifies as an "incident," but I'm sure you folks at
    > Symantec would like to know about this...
    >
    >
    > - ---------- Forwarded message ----------
    > Return-Path: <securityat_private>
    > Delivered-To: jdysonat_private
    > Received: (qmail 15579 invoked from network); 16 Jul 2003 01:33:01 -0000
    > Received: from mail1.intelnet.net.gt (216.230.128.17)
    >   by h-66-134-87-75.lsanca54.covad.net with SMTP; 16 Jul 2003 01:33:01 -0000
    > Received: from User ([10.28.1.30])
    > by mail1.intelnet.net.gt (Pro-8.9.3/8.9.3) with SMTP id BAA08384;
    > Wed, 16 Jul 2003 01:43:40 +0600 (GMT)
    > Message-Id: <200307151943.BAA08384at_private>
    > From: "Symantec Corporation"<securityat_private>
    > Subject: Symantec: New Serious Virus found.
    > Date: Tue, 15 Jul 2003 19:29:30 -0600
    > MIME-Version: 1.0
    > X-Priority: 1
    > X-MSMail-Priority: High
    > X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    >
    >
    > Norton Security Response, has detected a new virus in the Internet. For this
    > reason we made this tool attachment, to protect your computer from this serious
    > virus. Due to the number of submissions received from customers, Symantec
    > Security Response has upgraded this threat to a Category 5 (Maximum ).
    >
    >
    > Prevention, using the W32.Gruel@mm Tool:
    > To prevent or remove W32.W32.Gruel@mm , apply this attachment tool as
    > quickly as possible. This is the easiest way to
    > remove/prevent this threat.
    >
    >
    > Technical Details:
    > Also Known As: W32.Gruel@mm , W32.KillerGuate
    > Type: Virus
    > Infection Length: 45,195 bytes (zip file), 45,528 bytes (executable) (45KB approx)
    > Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows
    > XP, Windows Me, Windows 2003
    > Systems Not Affected: Macintosh, OS/2, UNIX, Linux
    >
    >
    > Additional information:
    > Security Response has received many submissions of corrupted
    > W32.W32.Gruel@mm . A specific detection for this type of
    > infected file has been added as W32.W32.Gruel@mm . This detection is
    > available in virus definitions dated June 12
    > 2003. Be sure to delete the files detected as W32.W32.Gruel@mm .
    >
    > Note: If you believe your computer may already be infected or just want to
    > protect it against W32.W32.Gruel@mm , please download this tool now.
    >
    >
    > Symantec Corporation.
    > Last Updated on: July 13, 2003 04:55:35 PM
    >
    > ----------------------------------------------------------------------------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    > world's premier technical IT security event! 10 tracks, 15 training sessions,
    > 1,800 delegates from 30 nations including all of the top experts, from CSO's to
    > "underground" security specialists.  See for yourself what the buzz is about!
    > Early-bird registration ends July 3.  This event will sell out.
    > www.blackhat.com
    > ----------------------------------------------------------------------------
    >
    
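    As an added example (not code from the thread or from any of its authors), the persistence indicator Kirsty describes, checked against a saved `reg export` of the HKLM Run key rather than a live registry; the sample export and the System32 path are constructed, and only plain REG_SZ values are handled:

```python
"""Flag the W32.Gruel Run-key persistence entry described in the thread.
Added example: parses the text of a saved `reg export` of the HKLM Run key
and flags the value Kirsty describes ("Windows Management Instrumentation"
pointing at mwd.exe).
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_NAME = "windows management instrumentation"  # impersonated service name
SUSPECT_BINARY = "mwd.exe"                           # worm executable

# Constructed sample export (not a real capture): one benign value and one
# matching the indicator. The System32 path stands in for "%worm path%".
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Windows Management Instrumentation"="C:\\WINDOWS\\System32\\mwd.exe"
"""

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def parse_run_values(export_text):
    """Return {value_name: data} for the Run key section of a .reg export."""
    values, in_run_key = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_run_key else None
        if m:
            # .reg exports double backslashes and escape quotes; undo that.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            values[m.group("name")] = data
    return values

def find_gruel_persistence(export_text):
    """Return (name, data) pairs hit by either signal: the impersonated
    service name, or mwd.exe registered under any other value name."""
    hits = []
    for name, data in parse_run_values(export_text).items():
        binary = data.lower().rsplit("\\", 1)[-1]
        if name.lower() == SUSPECT_NAME or binary == SUSPECT_BINARY:
            hits.append((name, data))
    return hits

if __name__ == "__main__":
    for name, data in find_gruel_persistence(SAMPLE_EXPORT):
        print(f"suspect Run value: {name!r} -> {data}")
```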
    



    This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 21:58:53 PDT