Re: Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED

["morning_wood" <se_cur_ity () hotmail com>]

oops' .. hey, that was cool... everyone's AV works ..

wood

----- Original Message -----
From: "morning_wood" <se_cur_ity () hotmail com>
To: <incidents () securityfocus com>; <full-disclosure () lists netsys com>
Sent: Saturday, May 24, 2003 9:04 AM
Subject: [Full-disclosure] Ms Update Spoof - W32.gibe - NOTE:VIRUS ATACHED


> morning_wood
> morning_wood () exploitlabs com
> http://exploitlabs.com
>
>
> Analysis of "Update880.exe" W32.gibe - Trojan / Worm
>
> Overview:
> --------------------
>
>  Update880.exe arrives as email, claiming to be a new Microsoft update.
> It is a virus, class KaZZA Droper. This is a different variant than
> identified by Symantic in March 2003. This is a small analysis of
> of this variants binary.
>
> References:
> --------------------
>
> references to to "p214537.exe"
> http://www.arnes.si/news/archive/si.org.arnes/msg02077.html
>
> report of html body code ( mine was blank)
> http://they.gotdns.org:88/~tscanlan/spam/msvirus.txt
>
>
> reference to "Coded ...by Begbie, Slovakia"
> http://www.eset.sk/scriptless/pedia/cervy/clausa.htm
> http://www.fortinet.com/Vir-Desc/W32/gibe-b.htm
>
>
> aka: Q216309.exe
>
>
> Coded ...by Begbie, Slovakia
> AutMSUpdate     =   p214537 MSUpdate
> MSUpdate KaZaA uploDropper
>
>
> Binary Text Extract:
> --------------------
>
> Installing Microsoft Update
>
>
> wwwwwp vfffffff vfffffff ffffffff xwwwwwwwwwwxp wwwwwwwwwwwwp Form1
>  Frame1 Picture1 Command1 &Cancel ProgressPic Label1 Extracting files ...
> LicenseForm  License Form1 Command2 Text1
>
>
> This product is protected by copyright laws and international  copyright
> treaties,
>  as well as other intellectual property laws and  treaties.
> ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE  PROVIDED "AS IS"
> WITHOUT WARRANTY OF ANY KIND! Microsoft and/or its respective suppliers
> hereby disclaim all warranties  and conditions with regard to this
> information,
> including all warranties  and conditions of merchantability, whether
> express, implied
>  or  statutory, fitness for a particular purpose, title and
> non-infringement.
> Microsoft does not warrant that the functions for the software or code
will
> meet
>  your requirements, or that the operation of the software or  code will
> be uninterrupted or error-free, or that defects in the software
> or code can be corrected.  Furthermore, Microsoft does not warrant
> or make any representations regarding the use or the results of the
> use of the software, code or related documentation in terms of their
> correctness, accuracy, reliability, or otherwise. No oral or written
> information or advice given by Microsoft or its authorized
representatives
> shall create a warranty or in any way increase the  scope of this
warranty.
> Should the software or code prove defective  after Microsoft has delivered
> the same, you, and you alone,  shall assume the entire cost associated
with
> all necessary servicing,  repair or correction. In no event shall
Microsoft
> and/or its respective  suppliers be liable for any special, indirect or
> consequential damages  or any damages whatsoever resulting from loss
> of use, data or profits,  whether in an action of contract,
> negligence or other tortious action,  arising out of or in connection
> with the use or performance of  software, documents, provision of or
> failure to provide services, or  information available from the services.
> COPYRIGHT NOTICE. Copyright   2003
> Microsoft Corporation, One Microsoft Way,
>   Redmond, Washington U.S.A.
> All rights reserved.
>
>
> Command1 Label2
> Do you accept all of the terms of the preceding License Agreement?
>  If you choose No, Install will close. To install you must accept this
> agreement.
>
> Label1
>
> Please read the following license agreement. Press the Page Down key to
see
> the rest
>  of the agreement.
>
>
> Installation:
> --------------------
>
>
> \AC:\ Software\Microsoft\Windows\CurrentVersion\ Internet Settings\Messeng
er
>  Setup .... by Begbie
>
>  Microsoft Internet Update Pack Coded
>
>  REG_SZ This will install Microsoft Security Update.
>
>
> Code Stuff: (filenames)
> ------------------
>
> DxLoad
> \DX3DRndr.exe
> \gibe.dll
> \MSBugAdv.exe
> \MSWinsck.ocx
> \WMSysDx.bin
>
> ZipName
>
> Code Stuff:(functions)
> -------------------
>
>
>  Email Address Not found
> LookName n0=on 1:JOIN:#:{ Update registry settings ... Installation was
> cancelled. This update has been successfully installed.
>
>
>
> ProgramFilesDir
> pdate A -EP
> WinRAR.exe -min -e -o
> WinZip.exe
>
> App Paths\ Outlook.Application
> GetNamespace Version
> GetDefaultFolder Items
> Email1Address
> Email2Address
> Folders \MailViews.db
> AddressLists
> AddressEntries
> Count Address
> SOFTWARE\Microsoft\Wab\WAB4\Wab
>
>
> File Name Software\Kazaa
> \LocalContent
> DisableSharing 012345: Dir99
> LocalContent
> Transfer
> DownloadDir DlDir0
> \mirc \mirc32 \mirc.ini \script.ini [script] Service n1=  /if ( $nick ==
> $me ) { halt } n2=  /.dcc send $nick
>
>
> Code Stuff: (keywords)
> --------------------
>
> IEPatch KaZaA upload XboX Emulator PS2 Emulator XP update XXX Video Sick
> Joke Free XXX Pictures My naked sister Hallucinogenic Screensaver Cooking
> with Cannabis Magic Mushrooms Growing I-Worm_Gibe Cleaner Email Program
>
>
> \Software\Microsoft\Internet Account Manager\Accounts
> \Identities
> \Identities\
>
> SMTP Server SMTP Email Address NNTP Server SMTP Display Name Server
> Microsoft  Internet  Engine Automat Robot Daemon Disp Name :[prior]
> \Start menu\Programs\Startup \Documents and Settings\
> \Winnt\Profiles\ Scripting.FileSystemObject Drives DriveType
> RootFolder Windows WinMe Win95 Win98 \All Users
> BuildPath
> FolderExists \WebLoader.exe
> CopyFile All Users Default User Administrator \TempRes.dat
>
> Identification:
> --------------------
>
> FileInfo Translation StringFileInfo 040904B0
>  CompanyName Microsoft Corporation
>  FileDescription Microsoft Security Patch for Windows
>  LegalCopyright  1981-2003 Microsoft Corporation
>  LegalTrademarks  is a registered trademark of Microsoft Corporation.
> Windows is a trademark of Microsoft Corporation.
>  ProductName MSUpdate
>  FileVersion 9.31.2541
>  ProductVersion 9.31.2541
>  InternalName p214537
>  OriginalFilename p214537.exe
>
>
>  This is a non technical report of a windows32 binary of an unknown type
and
> function at the
> time of aquisition. Information is provided for identification and the
type
> of functions, keywords
> and registry entries of W32.gibe virus.
>
>
> Conclusion:
> --------------------
>
>  While this is a known virus, it's method of delivery and masqurading of a
> legitimate
> updat makes this particulary unsuspecting attatchment that is easily
> mistaken by the
> general internet user as a legitimate Microsoft update. As well the main
> program has
> been modified to redude detection.
>
>
> Credits:
> --------------------
> morning_wood
> http://exploitlabs.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html