Security Incidents mailing list archives

price.doc.exe "What it Is"


From: snichols () MICROSTRATEGY COM (Nichols, Scott)
Date: Mon, 22 May 2000 11:40:20 -0400


For those of you who haven't received email from me personally, the file
price.doc.exe is a Trojan horse password stealer.  The name of the Trojan is
GIP (currently hosted on a Russian site)  http://xbx.rial.net:8101/.
The program will steal and email cached passwords via SMTP back to the
configured destination.  It has many configurable parameters including
frequency of mailings.  The program installs itself in the %SYSTEMROOT%
directory as winupdate.exe and makes the appropriate changes to the
registry to run upon startup.  It also claims to connect back to the hosting
site and update itself when new releases become available.  (Yeah right.. if
I had more time I would put a sniffer on it.)  The site is in Russian but
has a tab that will provide an English menu.

Hope this clears it all up.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of illu5i0n () HUSHMAIL COM
Sent: Friday, May 19, 2000 5:46 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: hiding attachment extensions

I ran this in my lab to see what it did (yeah, crazy, but the machines are there
to hack and crash).  I don't know all of what it did, but the machine was
using NetBIOS traffic and browsing mailslots.  I think it is an e-mail virus
of some kind.  I did not see it propagate yet.

It also changes the file so that its filename is really a .doc.  However
that file is 19k in size and appears to be empty when opened with M$ Word.
This file does not seem to have any macros in it.

I'll have more later.  I hope this helps
Illu5i0n

At Thu, 18 May 2000 12:20:34 +0200, "Volker Werth [VWSoft]" <VWerth () VWSOFT COM> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks!

Well, I know this might be something for an antivirus vendor but I
thought it's of interest for the incidents list.....

I received a mass email message from unknown (to me) source which had
a file attached to it.

The MUA (Eudora in my case) showed this to be a .DOC file but in
truth this turned out to be an executable file. The guys really did
a good job of "hiding" the real file extension.

They used the following filename (paste from original mail):

price.doc%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
%20%20%20%20%20%20%20%20%20%20%20.exe

which results in displaying a filename "price.doc" and lots of spaces,
so neither the email client nor Windows Explorer shows the correct
filename (Explorer correctly shows the file type as executable).

A Joe Average user would identify this to be a Word document file
(....and just click on it like he does every time, as we've seen from
Melissa & Co.).

For everyone who wants to take a look at the EXE file, I've attached
a ZIP file (password is "price" without quotes).

Attention: I did NO investigation on that EXE file - so I don't know
if this file will be safe to execute or contains any dangerous code!
DO NOT EXECUTE THE FILE CONTAINED IN THE ZIP! Maybe someone is able
and has the time to investigate the file by disassembling it.

Cheers,

Volker

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>

iQA/AwUBOSO14LdVlYEAznqjEQLYLgCfXV67/l1INMUPHsuAMuXxE2b56swAnRNr
piGDGegcdJmsXMmwtja5qTBE
=XTzk
-----END PGP SIGNATURE-----


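The padding trick described in the thread above (a decoy ".doc", a long run of %20-encoded spaces, then the real ".exe") is easy to catch mechanically once the attachment name is decoded and trailing whitespace is ignored. The following Python is an added example, not code from any poster in this thread or from the GIP Trojan's author. It decodes the name, works out the extension the OS will actually act on, the decoy extension a user sees, whether whitespace padding was used, and what a client with a fixed-width name column would display. The sample name is constructed with 120 "%20" sequences because the posted string is line-wrapped and its exact length is not recoverable; the list of executable extensions and the 40-character display width are assumptions for the example. It also flags the plain double-extension variant ("photo.jpg.exe") that needs no padding at all, which goes slightly beyond the specific case in the post.

```python
"""
Flag e-mail attachment names whose displayed extension differs from the
extension the OS will actually use, e.g. "price.doc<many spaces>.exe".
Added example for the mailing-list thread; not the original poster's code.
"""
import os
import urllib.parse

# Extensions Windows will run on double-click. Assumed, non-exhaustive list.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample reproducing the pattern from the post: decoy ".doc",
# a long run of %20 (encoded spaces), then the real ".exe". 120 is a guess;
# the posted string is wrapped, so its exact length is unknown.
SAMPLE = "price.doc" + "%20" * 120 + ".exe"


def decode_filename(raw: str) -> str:
    """Undo the %20-style percent-encoding seen in the posted filename."""
    return urllib.parse.unquote(raw)


def true_extension(name: str) -> str:
    """Extension the OS acts on: last suffix once trailing whitespace is dropped."""
    return os.path.splitext(name.rstrip())[1].lower()


def decoy_extension(name: str) -> str:
    """Extension a user sees: suffix of the name after padding and the real suffix are removed."""
    stem, _ = os.path.splitext(name.rstrip())
    return os.path.splitext(stem.rstrip())[1].lower()


def analyze(raw_name: str, display_width: int = 40) -> dict:
    """Return a verdict on one attachment name as it appears in the MIME header.

    display_width is a hypothetical client column width: anything past it is
    invisible to the user, which is exactly what the space padding exploits.
    """
    name = decode_filename(raw_name)
    stem, _ = os.path.splitext(name.rstrip())
    real = true_extension(name)
    decoy = decoy_extension(name)
    # Whitespace between the decoy suffix and the real one is the padding trick.
    padded = len(stem) != len(stem.rstrip())
    shown = name[:display_width]
    # Suspicious when the real suffix is executable and either padding was used
    # or a different, benign-looking suffix precedes it (double extension).
    suspicious = real in EXECUTABLE_EXTS and (padded or (decoy != "" and decoy != real))
    return {
        "decoded": name,
        "displayed": shown,
        "true_ext": real,
        "decoy_ext": decoy,
        "padded": padded,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for raw in (SAMPLE, "report.doc", "photo.jpg.exe"):
        v = analyze(raw)
        print(f"{v['displayed']!r:45} real={v['true_ext']!r:6} decoy={v['decoy_ext']!r:6} "
              f"padded={v['padded']!s:5} suspicious={v['suspicious']}")
```

In a mail gateway the same check belongs on the decoded filename and name parameters of every Content-Disposition and Content-Type header, before any client gets to render them; the truncated display column is the client's problem, but the padded or doubled extension is visible to the filter regardless of how the name is later shown.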

