Bugtraq mailing list archives

MALWARE HOAX FW: Microsoft Security Bulletin MS01-039


From: "Robert D. Hughes" <rob () robhughes com>
Date: Mon, 16 Jul 2001 22:34:07 -0500

First of all, here's the headers:

Microsoft Mail Internet Headers Version 2.0
Received: from mail.gmx.net ([194.221.183.20]) by hexch01.robhughes.com with
Microsoft SMTPSVC(5.0.2195.2966);
         Mon, 16 Jul 2001 21:07:01 -0500
X-Proxy: fwall.robhughes.com protected by Firewall
Received: (qmail 19842 invoked by uid 0); 17 Jul 2001 02:06:58 -0000
Received: from 252.fwsgrp27.als.att.net (HELO bleh.bleh.com) (12.44.146.252)
  by mail.gmx.net (mail01) with SMTP; 17 Jul 2001 02:06:58 -0000
Message-ID: <bleh1234567890>
Date: Sun, 13 Jul 1337 13:37:37 +1337
From: secnotif () MICROSOFT COM
Reply-To: secnotif () MICROSOFT COM
X-Mailer: Mozilla 4.75 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: rob () robhughes com
Subject: Microsoft Security Bulletin MS01-039
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Return-Path: deathsdoor () gmx co uk
X-OriginalArrivalTime: 17 Jul 2001 02:07:02.0181 (UTC)
FILETIME=[2B2B0550:01C10E65]


Now, they've obviously taken an actual MS bulletin and used the text, right
down to including a PGP key, and they've incremented it from the previous
bulletin. The first thing I noticed is that the entire message is
double-spaced. Not a lot, but it was different from every other bulletin I've
gotten. The obvious giveaway is the address they've used for the fix, as
well as specifying a particular file to download. The bulletin page of course is
a 404.

The netblock is owned by LYCOS in Europe and points to a tripod page, with an
att.net account used to send the mail, and relevant parties have been cc'ed
as well. And apparently the user name associated with the site is hicagogppr.

From my limited experience, I can tell very little about the file other than
it appears to connect to a remote web site. This comes from running strings
against the file. It also appears to go after Napster and ICQ accounts, but I
can't tell what else it does. I think the most important thing is that
scanning it with the latest virus signatures from Norton comes up clean, so a
user would not be notified that they are running an infected file.

If someone with the knowledge and experience will, please do a full analysis
on this and let me know what it is. I'm pretty much a rank newbie at this, as
you can probably tell ;) I searched the bugtraq archives, but didn't find
anything on this, so if it's known, I apologize.

Thanks,
Rob

-----Original Message-----
From: secnotif () MICROSOFT COM [mailto:secnotif () MICROSOFT COM]
Sent: None
To: Robert D. Hughes
Subject: Microsoft Security Bulletin MS01-039
Importance: Low


The following is a Security  Bulletin from the Microsoft Product Security

Notification Service.



Please do not  reply to this message,  as it was sent  from an unattended

mailbox.

********************************



- ----------------------------------------------------------------------

Title:      Vulnerability in Windows systems allowing an upload of a serious
virus.

Date:       10 July 2001

Software:   Windows 2000

Impact:     Privilege Elevation

Bulletin:   MS01-039



Microsoft encourages customers to review the Security Bulletin at: 

http://www.microsoft.com/technet/security/bulletin/MS01-039.asp

- ----------------------------------------------------------------------



Yesterday the internet has seen one of the first of it's downfalls. A virus
(no name assigned yet) has been released. 

One with the complexity to destroy data like none seen before. 



Systems affected:

=================

Microsoft Windows 95

Microsoft Windows 95b

Microsoft Windows 98

Microsoft Windows 98/SE

Microsoft Windows NT Enterprise

Microsoft Windows NT Workstation

Microsoft Windows Millenium Edition

Microsoft Windows 2000 Professional

Microsoft Windows 2000 Server

Microsoft Windows 2000 Advanced Server

Service packs up to Service Pack 6 for Windows NT 3/4 Systems.

Service pack 1 and 2 for windows 2000.



Issue:

======

Officials say this virus is unique in many ways. It spreads via new forms,
such as using a new vulnerability in Windows 

98 allowing already infected computers to upload (send files) to non-infected
computers, this means that you do not have 

to download or visit a site to be infected with the virus. The infected
computers are programmed to scan for computers 

running Windows 9x, and Windows 2000 and uploading the virus. 



-What the virus does:



The virus itself is a threat to normal users aswell as businesses. Cooper
from microsoft said "This virus has the ability 

to wipe out most of the internet users and the chances are it will, the risk
is high, patches must be installed to affected 

systems." The virus itself is made for one reason and one reason only, to
reproduce, destroy documents, delete mp3 files, 

movie files, infect .exe files, this virus also has a unique feature that
destroys the BIOS (Basic Input Output System), 

which means ones that are infected would need to purchase a new motherboard.



Patch Availability:

===================

Visit
http://www.microsoft.com@%36%32%2E%35%32%2E%31%36%32%2E%31%34%37/%68%69%63%61
%67%6F%67%70%70%72/%6D%73%5F%76%32%37%35%36%35%37%5F%78%38%36%5F%65%6E.e%78%6
5 to download the patch named ms_v275657_x86_en.exe. Download and run the
file.



Acknowledgment:

===============

- Jon McDonald (http://www.entrigue.net)  

- Russ Cooper (http://www.ntbugtraq.com)



- ---------------------------------------------------------------------



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 

"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 

WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 

MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT

SHALL 

MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES 

WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,

LOSS 

OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH

DAMAGES. 

SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR

CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY

NOT 

APPLY.







-----BEGIN PGP SIGNATURE-----

Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----



*******************************************************************

You have received  this e-mail bulletin as a result  of your registration

to  the   Microsoft  Product  Security  Notification   Service.  You  may

unsubscribe from this e-mail notification  service at any time by sending

an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM

The subject line and message body are not used in processing the request,

and can be anything you like.



To verify the digital signature on this bulletin, please download our PGP

key at http://www.microsoft.com/technet/security/notify.asp.



For  more  information on  the  Microsoft  Security Notification  Service

please  visit  http://www.microsoft.com/technet/security/notify.asp.  For

security-related information  about Microsoft products, please  visit the

Microsoft Security Advisor web site at http://www.microsoft.com/security
