JaBbA's Hut - Viruses

Microsoft Patch

nospam@example.com (JaBbA) — Tue, 26 Sep 2006 17:32:06 -0400

Microsoft released a patch for the VML Issue. Make sure your automatic update is on, or go to windowsupdate.com to get the update directly.

JaBbA says patch. Now!

Status: Yellow. Exploit Code is making the rounds!

nospam@example.com (JaBbA) — Fri, 22 Sep 2006 15:05:45 -0400

ISC has gone Status Yellow because of new exploit code.

It's a drive by - you'll NEVER know you got hacked on a fully-patched Win XP system until someone empties your PayPal account.

Video of it happening is at The Websense Security Blog.

More info in Tuesday's ISC Diary, and Thursday.

JaBbA's Recommendations:

#1 - Use Firefox with NoScript.
#2 - Update your Antivirus. If you don't have Antivirus, try AVG Anti-Virus Free Edition.
#3 - Use Thunderbird instead of outlook.
#4 - Slow down on that itchy trigger finger. Do you really need to click that link that was just sent to you?
#5 - Unregister the DLLs. This isn't for the faint of heart, but it will stop the hack

regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
or
regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Remove the -u to reregister them after October 10th, the date this is supposed to be fixed.

German SPAM? Or Virus

nospam@example.com (JaBbA) — Mon, 16 May 2005 12:26:24 -0400

Actually, a little of both.

At some point, you'll get a German email today. It will either be a short message with a link:

Lese selbst:
http://www.npd.de/npd_info/deutschland/2005/d0405-39.html

Or a long tract:

In den fruehen Abendstunden des 13. Februar 1945 gegen 21:41 Uhr
heulten die Sirenen der Lazarettstadt Dresden das erste mal auf. Die Bewohner der Elbmetropole machten sich zu der Zeit noch keine Sorgen, da Dresden als Stadt ohne Bewaffnung und ohne militaerischen Nutzen bekannt war und von ca. 1,2 Millionen Frauen, Kindern und Greisen bewohnt wurde.

Gegen 22:09 Uhr gab der Rundfunk durch, daÃ die alliierten Bomberverbaende ihren Kurs geaendert haben und nun auf Dresden zufliegen. Kurz darauf befanden sich 244 britische Bomber am Himmel der deutschen Kulturstadt. Drei Stunden nach dieser ersten Angriffswelle - es befanden sich bereits alle verfuegbaren Rettungsmannschaften, Sanitaeter und Feuerwehmaenner in Dresden - verdunkelten weitere 500 Bomber den Himmel.
Am naechsten Tag folgte die letzte Angriffswelle mit erneut 300 US-B-17-Bombern. Zwischen 12:12 Uhr und 12:21 Uhr warfen diese 783 Tonnen Bomben ab. - Das entspricht mehr als 85 Tonnen pro Minute. Nach dem Abwerfen setzten die US-Bomber zum Tiefflug an und beschossen Fluechtende mit ihren Bordwaffen. In diesen drei Angriffsschlaegen, die insgesamt 14 Stunden andauerten, warfen die "Befreier" 650.000 Brandbomben und 200.000 Sprengbomben ab, welche einen Feuersturm von ueber 1000 Grad in der Stadt erzeugten. Obwohl Dresden weder Flugabwehr, noch Ruestungsindustrie oder aehnliche kriegswichtige Ziele besass wurden weit mehr als 350.000 unschuldige deutsche Zivilisten in diesen zwei Tagen kaltbluetig ermordet.

Keiner der schuldigen Alliierten wurde jemals fuer dieses brutale Kriegsverbrechen auch nur angeklagt und die Massenmedien und die bundesdeutsche Regierung schweigen diese Taten tot und sehen es nicht als noetig an den Opfern zu gedenken.!

It's an artifact of the Sober-Q Virus. Apparently, the virus targets European users with copies of itself, but targets the whole world with a political message related to the anniversary of the end of WWII and upcoming elections.

Don't trust the fact that US users seem to get only email. Delete the German emails immediately, in case it morphs to sending malware to everyone.

More info at SANS

Oops! Almost got bit....

nospam@example.com (JaBbA) — Thu, 13 Jan 2005 10:35:04 -0500

Got an email caught in the "Failure" queue this morning. That means that there's something about the MIME boundaries that IronMail just doesn't like - it's VERY picky, nasty emails that every MUA in the world display correctly IronMail chokes on, because it can't scan for viruses if it can't figure out where the attachments are.

Looking at it, it looks like it might be a real email, so I download it to a text editor and look at the source.

Received: from ([67.163.144.96])
by smtp2.mydomain.com with ESMTP id 134030011.445707;
Thu, 13 Jan 2005 10:08:57 -0500
SUBJECT: attachments
FROM: flastname@arealcompany.com
TO: first_last@mydomain.com
DATE: [[ Thu, 13 Jan 2005 10:10:07 AM ]]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------bound--"

----------bound--
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I have updated my email address
See the (.pdf) file attached and
please respond if you have any questions.
----------bound--
Content-Type: application/x-msdownload; name="zip.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="zip.zip"

UEsDBBQAAAAIAENRLTI

etc...

It took a second to the lack of headers to register - I'd only had one cup of coffee, and I stopped going to starbuck's, so sometimes it takes a while for my brain to kickstart. There's no Mailer-Agent. Only one received header. The Date is formatted oddly.

So I checked out the IP address:

$ host 67.163.144.96
96.144.163.67.in-addr.arpa domain name pointer c-67-163-144-96.client.comcast.net.

No large company (which is where this supposedly came from) is going to allow their people to send directly from their home accounts.

Sure enough, it's a virus - The Bagz worm, apparently.

Zafi-D Effects...

nospam@example.com (JaBbA) — Wed, 15 Dec 2004 11:01:56 -0500

Here's an interesting effect. This is the inbound Internet email volume I manage each day. I've been waiting for the volume to top 40,000 - we've gotten within 300 messages of that number before, but never quite there.

Until yesterday. I came in to a new number:

49,398 inbound messages.

Turns out that 11,000 of them were to a single, (thankfully) invalid email address. Mostly bounces from the Zafi-D virus. So even though we were protected from the virus, we ended up seeing a significant effect.

If you haven't patched, it may be too late....

nospam@example.com (JaBbA) — Thu, 29 Apr 2004 12:20:01 -0400

This came through on the 0day list a few minutes ago:

-= 0day - Freedom of Voice - Freedom of Choice =-

dropped file: %SYSTEM%/msiwin84.exe
remote process established to: lsass.exe
remote ip:4.x.x.x

note: file msiwin84.was not running

this appears to be a "blaster" type of worm working on the first and / or
second subset of the infected host to begin scanning for more hosts.
I have not completly unpacked the binary but here is some strings.

------------------ snip --------------
DnsFlushResolve
{ache.dapi.dllVQUIT RIVMSG %s : screw you KGGo home cCmd.Net, +MODEW ]m715
522947
6660M USERHOST/@ JOINFL :YnASSo DCC \ND " o:.bmp"Jd Error: fix>ipS enc<5n clos
*+h2(P/ t,O cu.g ACHO=Ds NEU(fkbit/s) tal!x f@m'Q_ IP addrvs3

------------------ snip ---------------

based on the above, the worm / viri tries to connect to a IRC server.

anyone else experiencing this?

This is in reference to one of the Microsoft Windows security patches that came out this month - see the CVE CAN-2003--0533 and the Microsoft bulletin MS04-011

Get patched NOW.

UPDATE This report is apparently still not a worm, it is instead an example of targeted attacks against the PCT vulnerability which implant the Backdoor.mipsiv worm. However...

Expect the worm soon. The exploit code is out there...

New MIMAIL-I/J combines Phishing and Virus

nospam@example.com (JaBbA) — Wed, 19 Nov 2003 12:44:20 -0500

The MIMAIL variants have been an especially nasty breed of virus. The newest ones - MIMAIL-I and MIMAIL-J - try to grab Credit Card information from unsuspecting people by masquerading as PayPal information.

See The Register, Symantec, Trend Micro

Another Dangerous Hoax

nospam@example.com (JaBbA) — Tue, 19 Aug 2003 09:24:53 -0400

'Dumaru' is a new virus spread by seeming to be a Microsoft patch for the DCOM exploit used by Blaster and Welchia.

Remember, NEVER execute something you get in email that you have not confirmed with the sender! Update your virus definitions!

Dumaru Details:
FYI: W32.Dumaru@mm Discovered: August 16, 2003
W32.Dumaru@mm is a mass-mailing worm that drops an IRC Trojan onto the infected machine. The worm gathers email addresses from the certain file types and uses its own STMP engine to email itself.
The email has the following characteristics:

From: "Microsoft"
Subject: Use this patch immediately!
Message: Dear friend, use this Internet Explorer patch now!There are dangerous viruses in the Internet now! More than 500,000 already infected!
Attachment: patch.exe
Type: WormInfection Length: 9,216
Systems Affected: Windows 2000, 95, 98, Me, NT & XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
Threat Assessment Level 3
Wild = Medium
Damage = Low
Distribution = Medium

A 'Good' Worm?

nospam@example.com (JaBbA) — Tue, 19 Aug 2003 09:22:54 -0400

Someone has released a new worm dubbed 'Welchia' that uses the same exploit as the blaster worm. However, this worm is an attempt to eradicate the previous worm and to stop the spread of new worms. When it infects a PC, it looks for copies of msblast.exe and deletes them, removes the registry keys, and then downloads the latest patch from Microsoft and installs it.

It then starts looking for more computers that are vulnerable.

Unfortunately, it also reboots your computer upon completion,so it can cause problems if you are in the middle of something. In addition, the reinfection and downloading can swamp networks.

It's illegal under the 1986 law that made all computer intrusions illegal.

There've been a lot of debates over the ethics of a hypothetical 'good virus'. It's not hypothetical anymore.