Bugtraq mailing list archives
Re: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Tue, 17 Jul 2001 23:33:17 +1200
"Robert D. Hughes" wrote:
First of all, here's the headers:
<<snip>>
Now, they've obviously taken an actual MS bulletin and used the text, right down to including a PGP key, and they've incremented it from the previous bulletin. The first thing I noticed is that the entire message is double-spaced. Not a lot, but it was different from every other bulletin I've gotten. The obvious giveaway is the address they've used for the fix, as well as specifying a particular file to download. The bulletin page of course is 404.
Apart from the double-spacing and the 404 error on the non-existent security bulletin, this same trick was used a few days (week?) ago to advertise/distribute a (then) new Win32/Leave variant (that worm that spreads via SubSeven machines that the NIPC were so worked up about a couple of weeks back).
The netblock is owned by LYCOS in Europe and points to a tripod page, with an att.net account used to send the mail, and relevant parties have been cc'ed as well. And apparently the user name associated with the site is hicagogppr. From my limited experience, I can tell very little about the file other than it appears to connect to a remote web site. This comes from running strings against the file. It also appears to go after Napster and ICQ accounts, but I can't tell what else it does. I think the most important thing is that scanning it with the latest virus signatures from Norton comes up clean, so a user would not be notified that they are running an infected file. If someone with the knowledge and experience will, please do a full analysis on this and let me know what it is. I'm pretty much a rank newbie at this, as you can probably tell ;) I searched the bugtraq archives, but didn't find anything on this, so if it's known, I apologize.
<<snip>>
Sounds like a new Leave variant. Please send a copy to your preferred antivirus vendor. To possibly save you the search time, the sample submission addresses of the better-known developers are:
Command Software <virus () commandcom com>
Computer Associates (US) <virus () cai com>
Computer Associates (Vet/IPE) <ipevirus () vet com au>
DialogueScience (Dr.Web) <Antivir () dials ru>
Eset (NOD32) <trnka () eset sk>
F-Secure Corp. <samples () f-secure com>
Frisk Software <viruslab () complex is>
Kaspersky Labs <newvirus () avp ru>
Network Associates (US) <virus_research () nai com>
Norman (NVC) <analysis () norman no>
Sophos Plc. <support () sophos com>
Symantec <avsubmit () symantec com>
Trend Micro <virus_doctor () trendmicro com>
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
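The giveaways Robert lists (a "fix" link on a non-Microsoft host, a direct file download, a bulletin number whose page does not exist) can be turned into a mechanical screen for forwarded bulletins. The following is an added example, not code from the thread; the allow-list, extensions, sample message and set of known bulletin IDs are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: illustrative allow-list, not an official Microsoft list.
TRUSTED_SUFFIXES = ("microsoft.com",)
# A genuine bulletin links to a bulletin page, never to a bare executable.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)
BULLETIN_RE = re.compile(r"\bMS(\d{2})-(\d{3})\b")


def is_trusted_host(host):
    """True only for an allow-listed domain or a real subdomain of it."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def check_bulletin(text, known_bulletins):
    """Return (kind, detail) findings for a message claiming to be an MS bulletin.

    known_bulletins: IDs already published ('MS01-038', ...); it stands in for
    the manual 'does the bulletin page exist or 404' check described above.
    """
    findings = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not is_trusted_host(host):
            findings.append(("untrusted-host", host))
        if parsed.path.lower().endswith(EXECUTABLE_EXTS):
            findings.append(("direct-executable", url))
    # Deduplicate: the ID usually appears in the subject and in the URL.
    for bid in sorted({f"MS{y}-{n}" for y, n in BULLETIN_RE.findall(text)}):
        if bid not in known_bulletins:
            findings.append(("unknown-bulletin", bid))
    return findings


# Constructed sample modelled on the hoax in the thread (not the real mail).
SAMPLE_HOAX = """Microsoft Security Bulletin MS01-039
Patch availability: http://members.example.net/fakeuser/ms01-039fix.exe
Bulletin: http://www.microsoft.com/technet/security/bulletin/MS01-039.asp
"""
KNOWN = {"MS01-037", "MS01-038"}  # constructed: bulletins published so far

if __name__ == "__main__":
    for kind, detail in check_bulletin(SAMPLE_HOAX, KNOWN):
        print(f"{kind}: {detail}")
```

A clean run (empty list) does not prove a bulletin is genuine; as the thread notes, a fresh sample also passed the current AV signatures, so treat the screen as a triage aid only.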
Current thread:
- MALWARE HOAX FW: Microsoft Security Bulletin MS01-039 Robert D. Hughes (Jul 16)
- Re: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039 Nick FitzGerald (Jul 17)
- Re: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039 Editor InfoGuerra (Jul 17)
- <Possible follow-ups>
- RE: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039 Patrick Webster (Jul 17)
- RE: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039 Kuo, Jimmy (Jul 18)
- Re: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039 Nick FitzGerald (Jul 17)