Bugtraq mailing list archives

Re: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Tue, 17 Jul 2001 23:33:17 +1200

"Robert D. Hughes" wrote:

First of all, here's the headers:
<<snip>>
Now, they've obviously taken an actual MS bulletin and used the text, right
down to including a PGP key, and they've incremented it from the previous
bulletin. The first thing I noticed is that the entire message is
double-spaced. Not a lot, but it was different from every other bulletin I've
gotten. The obvious giveaway is the address they've used for the fix, as
well as specifying a particular file to download. The bulletin page of course is
404.

Apart from the double-spacing and the 404 error on the non-existent 
security bulletin, this same trick was used a few days (week?) ago 
to advertise/distribute a (then) new Win32/Leave variant (that worm 
that spreads via SubSeven machines that the NIPC were so worked up 
about a couple of weeks back).

The netblock is owned by LYCOS in Europe and points to a tripod page, with an
att.net account used to send the mail, and relevant parties have been cc'ed
as well. And apparently the user name associated with the site is hicagogppr.

From my limited experience, I can tell very little about the file other than
it appears to connect to a remote web site. This comes from running strings
against the file. It also appears to go after napster and icq accounts, but I
can't tell what else it does. I think the most important thing is that
scanning it with the latest virus signatures from Norton comes up clean, so a
user would not be notified that they are running an infected file.

If someone with the knowledge and experience will, please do a full analysis
on this and let me know what it is. I'm pretty much a rank newbie at this, as
you can probably tell ;) I searched the bugtraq archives, but didn't find
anything on this, so if it's known, I apologize.
<<snip>>

Sounds like a new Leave variant.  Please send a copy to your 
preferred antivirus vendor.  To possibly save you the search time, 
the sample submission addresses of the better-known developers are:

   Command Software               <virus () commandcom com>
   Computer Associates (US)       <virus () cai com>
   Computer Associates (Vet/IPE)  <ipevirus () vet com au>
   DialogueScience (Dr.Web)       <Antivir () dials ru>
   Eset (NOD32)                   <trnka () eset sk>
   F-Secure Corp.                 <samples () f-secure com>
   Frisk Software                 <viruslab () complex is>
   Kaspersky Labs                 <newvirus () avp ru>
   Network Associates (US)        <virus_research () nai com>
   Norman (NVC)                   <analysis () norman no>
   Sophos Plc.                    <support () sophos com>
   Symantec                       <avsubmit () symantec com>
   Trend Micro                    <virus_doctor () trendmicro com>


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
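The thread lists the tell-tale signs of a forged vendor bulletin: a download address outside the vendor's domain, a message that tells the reader to fetch and run a specific file, and unusual formatting (the double-spacing). The following is an added example, not code from this post or from either poster, that turns those observations into a small triage check a mail administrator could run over a suspicious bulletin. The sample message, the `tripod.example` host, the file name `q301039.exe` and the `TRUSTED_HOSTS` list are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample shaped like the forged "MS01-039" notice described in the
# thread; it is not the actual hoax text (which is not on the page).
SAMPLE_HOAX = """Microsoft Security Bulletin MS01-039

A patch is available at the address below.
Please download and run the following file:
http://members.tripod.example/patch/q301039.exe

For more information see
http://www.microsoft.com/technet/security/bulletin/MS01-039.asp
"""

# Hosts a genuine bulletin from this vendor would point to (assumption made
# for this example; extend the tuple for your own environment).
TRUSTED_HOSTS = ("microsoft.com",)

# A real bulletin describes a patch; it does not ask you to run an arbitrary
# binary fetched from a third-party site.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True if host is exactly a trusted domain or a subdomain of one.
    Suffix matching on the dotted form rejects look-alikes such as
    microsoft.com.evil.example."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def extract_urls(body):
    """Pull every http(s) URL out of a plain-text message body."""
    return URL_RE.findall(body)


def check_bulletin(body, trusted=TRUSTED_HOSTS):
    """Return (reason, url) findings for a purported vendor bulletin."""
    findings = []
    for url in extract_urls(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        path = parsed.path.lower()
        if not host_is_trusted(host, trusted):
            findings.append(("untrusted host", url))
        if path.endswith(EXECUTABLE_SUFFIXES):
            findings.append(("direct executable download", url))
    return findings


def is_double_spaced(body):
    """Formatting heuristic from the thread: every non-empty line (except the
    last) is followed by a blank line."""
    lines = body.splitlines()
    nonempty = [i for i, line in enumerate(lines) if line.strip()]
    if len(nonempty) < 2:
        return False
    return all(i + 1 < len(lines) and not lines[i + 1].strip()
               for i in nonempty[:-1])


if __name__ == "__main__":
    for reason, url in check_bulletin(SAMPLE_HOAX):
        print(f"{reason}: {url}")
    print("double-spaced:", is_double_spaced(SAMPLE_HOAX))
```

The URL check is the strong signal; the double-spacing heuristic is only a supporting indicator, and a message that fails neither check still needs its signature verified against the vendor's published key before anyone acts on it.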

