SANS ISC InfoSec Handlers Diary Blog



FAST MOVING EMAIL VIRUS, More IE scripting concerns

Published: 2004-01-26
Last Updated: 2004-01-27 03:21:17 UTC
by Joshua Wright (Version: 1)
FAST MOVING EMAIL VIRUS

A mass-mailing virus has been released that uses its own SMTP engine and Kazaa P2P to spread. AV vendors began releasing updated signatures around 6 pm EST (2300 UTC) on the 26th, with several different names. Since release of the new signatures, our mail filter has intercepted several hundred copies of this virus at a rate of several per minute.



As of 10pm EST (0300 UTC 27 JAN 04) there has been a slowdown in the number of emails received here. More details about the virus are online at
http://news.com.com/2100-7349_3-5147605.html?tag=nefd_top


The following excerpts are taken from the AV vendor write-ups linked below; check those links frequently, as the vendors are still adding detail.

Names

W32/Mydoom@MM (NAI)
http://vil.nai.com/vil/content/v_100983.htm

Novarg (F-Secure)
http://www.f-secure.com/v-descs/novarg.shtml

W32.Novarg.A@mm (Symantec)
http://securityresponse.symantec.com/avcenter/venc/data/w32.novarg.a@mm.html

Win32/Shimg (CA)
http://www3.ca.com/virusinfo/virus.aspx?ID=38102

WORM_MIMAIL.R (Trend)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R

The email arrives with a disguised executable attachment. The attachment's file extension varies (.exe, .pif, .cmd, .scr).

Size: 22,528 bytes

Attachment names (not exhaustive) are chosen from the following list:

Data
Readme
Message
Body
Text
file
doc
document


The file's icon is chosen to make the attachment look like a text file. There are also reports of other icons being used, such as an MS-DOS shortcut icon on what is in fact the executable.

The worm may also send itself inside a valid ZIP archive, so an extension-based filter that only looks at the outer attachment name will miss that variant.

Upon execution, it launches Notepad.exe and displays a window of illegible characters.

Most of the strings in the worm's UPX-packed body are obfuscated with ROT13. This is not encryption: once the binary is unpacked, the strings can be read back with no key at all.
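Because ROT13 is a fixed substitution, an analyst can recover the worm's subject and body strings from an unpacked dump without any key. The Python below is an added illustration, not code from this diary or from any vendor write-up: it pulls printable runs out of a byte blob the way `strings` does, scores each run as-is and after ROT13 against a small vocabulary built from the indicators quoted above, and keeps whichever reading looks like real text. The blob it runs on is constructed for the demo and is not a sample of the worm.

```python
import codecs
import re

# Vocabulary expected in a mass-mailer's plaintext strings, taken from the
# subjects and bodies quoted in this diary. It only decides which reading of a
# run (as-is or ROT13) looks like real text.
KNOWN_WORDS = {
    "mail", "message", "server", "report", "transaction", "failed", "delivery",
    "error", "hello", "test", "status", "request", "attachment", "binary",
    "unicode", "encoding", "partial", "available", "notepad", "kazaa",
}

# Runs of 6+ printable ASCII bytes, the same thing `strings` extracts.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def score_text(text):
    """Number of known words in a candidate string (case-insensitive)."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in KNOWN_WORDS)


def recover_strings(blob):
    """Return [(offset, text, was_rot13)] for the readable strings in blob.

    Each printable run is scored as-is and after ROT13; the reading with more
    known words is kept. Runs scoring zero both ways (import names, format
    strings, junk) are dropped so they do not swamp the output.
    """
    found = []
    for m in PRINTABLE_RUN.finditer(blob):
        raw = m.group().decode("ascii")
        rot = codecs.decode(raw, "rot_13")
        s_raw, s_rot = score_text(raw), score_text(rot)
        if s_raw == 0 and s_rot == 0:
            continue
        found.append((m.start(), rot, True) if s_rot > s_raw else (m.start(), raw, False))
    return found


def _rot13_bytes(text):
    return codecs.encode(text, "rot_13").encode("ascii")


# Constructed stand-in for an unpacked worm body: strings every Windows binary
# carries, three ROT13-encoded indicators lifted from the diary, one plaintext
# filename and some filler. This is NOT a sample of the real worm.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\x00GetProcAddress\x00"
    + _rot13_bytes("Mail Transaction Failed") + b"\x00"
    + b"\xff\xfe\x01\x02"
    + _rot13_bytes("The message contains Unicode characters and has been "
                   "sent as a binary attachment.") + b"\x00"
    + b"notepad.exe\x00"
    + _rot13_bytes("Server Report") + b"\x00"
)
```

Running `recover_strings(SAMPLE_BLOB)` yields the three indicators decoded from ROT13 and `notepad.exe` kept as-is, while `kernel32.dll` and `GetProcAddress` are dropped. On a real dump, feed it the output of the UPX unpacker rather than the packed file, since packed data contains almost no printable runs.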

The worm opens a listener on TCP port 3127, suggesting remote access capability. Connecting to this port on an infected computer with Netcat shows only binary output, which suggests a backdoor, a channel for instructions to a future worm, or perhaps an encrypted SMTP engine for spammers. Investigation continues.

Other email characteristics:


From: (spoofed)

Possible Subjects (not exhaustive):
Server Report
Mail Delivery System
hi
status
hello
HELLO
Hi
test
Test
Mail Transaction Failed
Server Request
Error

Or a subject consisting of randomly generated characters.

Body: (Varies, such as these examples)

"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."
"The message contains Unicode characters and has been sent as a binary attachment."
"Mail transaction failed. Partial message is available."
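Taken together, the subject, body text, attachment name, extension and size above are enough for a crude mail-gateway rule. The Python below is an added example, not the diary author's filter and not vendor code: it parses a raw message with the standard library, reports which of these indicators it matches, and opens ZIP attachments in memory so the ZIP variant mentioned earlier does not slip past an extension check. The sample messages, the inert 22,528-byte payload, the forged sender address and the two-indicator quarantine threshold are all constructed assumptions for the demo.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators as quoted in this diary (the vendor lists are not exhaustive either).
SUBJECTS = {
    "Server Report", "Mail Delivery System", "hi", "status", "hello", "HELLO",
    "Hi", "test", "Test", "Mail Transaction Failed", "Server Request", "Error",
}
BODY_PHRASES = (
    "cannot be represented in 7-bit ASCII encoding",
    "contains Unicode characters and has been sent as a binary attachment",
    "Mail transaction failed. Partial message is available",
)
ATTACH_STEMS = {"data", "readme", "message", "body", "text", "file", "doc", "document"}
EXEC_EXTS = {".exe", ".pif", ".cmd", ".scr"}
WORM_SIZE = 22528  # bytes, per the write-ups above


def _split_name(name):
    """'Readme.PIF' -> ('readme', '.pif'); a name without a dot gets ext ''."""
    stem, dot, ext = name.rpartition(".")
    return (stem.lower(), "." + ext.lower()) if dot else (name.lower(), "")


def _executable_members(part):
    """(name, size) of every executable an attachment carries. A bare
    .exe/.pif/.cmd/.scr counts directly; a ZIP is opened in memory and its
    members checked, which is what catches the worm's ZIP variant."""
    name = part.get_filename() or ""
    data = part.get_payload(decode=True) or b""
    ext = _split_name(name)[1]
    if ext in EXEC_EXTS:
        return [(name, len(data))]
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [(i.filename, i.file_size) for i in zf.infolist()
                        if _split_name(i.filename)[1] in EXEC_EXTS]
        except zipfile.BadZipFile:
            return []  # damaged archive: nothing to judge here, leave it to AV
    return []


def scan_message(raw):
    """Names of the indicators a raw RFC 822 message matches, in check order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")) in SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if any(p in body for p in BODY_PHRASES):
        hits.append("body")
    for part in msg.iter_attachments():
        for name, size in _executable_members(part):
            hits.append("attachment_exec")
            if _split_name(name)[0] in ATTACH_STEMS:
                hits.append("attachment_name")
            if size == WORM_SIZE:
                hits.append("attachment_size")
    return hits


def is_suspect(raw, min_hits=2):
    """Quarantine rule: two or more distinct indicators. A lone "hi" subject
    or a lone .exe is far too common in legitimate mail to act on by itself."""
    return len(set(scan_message(raw))) >= min_hits


# --- constructed samples, not real worm traffic ----------------------------
FAKE_PAYLOAD = b"MZ" + b"\x00" * (WORM_SIZE - 2)  # right size, inert content


def _zip_bytes(member, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def build_sample(filename, payload, subject, body):
    """Assemble a multipart message the way a gateway scanner would see it."""
    m = EmailMessage()
    m["From"] = "forged@example.net"  # the worm spoofs this header
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


SAMPLE_EXE = build_sample("document.scr", FAKE_PAYLOAD, "Mail Transaction Failed",
                          "Mail transaction failed. Partial message is available.")
SAMPLE_ZIP = build_sample("readme.zip", _zip_bytes("readme.exe", FAKE_PAYLOAD), "Error",
                          "The message contains Unicode characters and has been sent "
                          "as a binary attachment.")
SAMPLE_CLEAN = build_sample("minutes.pdf", b"%PDF-1.4 placeholder", "hi",
                            "Minutes from today's call attached.")
```

`scan_message(SAMPLE_EXE)` and `scan_message(SAMPLE_ZIP)` both report all five indicators; `SAMPLE_CLEAN` matches only the subject `hi` and is left alone by `is_suspect`. The size check uses the ZIP member's uncompressed `file_size`, not the archive size, since that is what the vendor figure refers to.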

After a system becomes infected, it may begin to participate in a DDoS attack against sco.com by repeatedly sending batches of 63 HTTP requests. Several infected hosts on one network can also cause a local DoS through the sheer volume of outbound traffic.
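Two of the observations above, the TCP 3127 listener and the flood of HTTP requests toward sco.com, give a defender network-side evidence of infection independent of AV signatures. The Python below is an added example, not from this diary: it walks a connection log, flags any source that makes 63 or more connections to sco.com (or a subdomain of it) on port 80 within a sliding one-minute window, and lists the hosts that accepted a connection on 3127. The 63 is the diary's figure; the window length is an assumption for the demo and should be tuned to what the local proxy actually sees. The log format and every log line are constructed; a real firewall or proxy log only needs a different `parse_line`.

```python
import re
from datetime import datetime, timedelta

# Constructed connection-log format (one line per accepted TCP connection):
#   <ISO timestamp> <src_ip> -> <dst_host>:<dst_port>
# Real firewall/proxy logs differ; only parse_line() needs to change for them.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>[\w.\-]+):(?P<port>\d+)$"
)
BACKDOOR_PORT = 3127      # the listener reported on infected hosts
DDOS_TARGET = "sco.com"   # matches sco.com and any subdomain such as www.sco.com


def parse_line(line):
    """(timestamp, src_ip, dst_host, dst_port) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))


def _is_target(host):
    return host == DDOS_TARGET or host.endswith("." + DDOS_TARGET)


def sco_flooders(lines, threshold=63, window_secs=60):
    """{src_ip: peak} for sources with >= threshold connections to sco.com on
    port 80 inside any window of window_secs seconds."""
    per_src = {}
    for ts, src, dst, port in filter(None, map(parse_line, lines)):
        if port == 80 and _is_target(dst):
            per_src.setdefault(src, []).append(ts)
    flagged, span = {}, timedelta(seconds=window_secs)
    for src, stamps in per_src.items():
        stamps.sort()
        peak, left = 0, 0
        for right, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[left] > span:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def backdoor_targets(lines):
    """Hosts that *accepted* a connection on TCP 3127, i.e. the destination
    side of the line. Those are the machines to pull for inspection; the
    source may just be someone else's scanner."""
    return {dst for _, _, dst, port in filter(None, map(parse_line, lines))
            if port == BACKDOOR_PORT}


# --- constructed sample log, not captured traffic --------------------------
def _make_sample():
    base = datetime(2004, 2, 1, 16, 0, 0)

    def at(**delta):
        return (base + timedelta(**delta)).isoformat()

    lines = [f"{at(seconds=i * 0.5)} 10.0.0.5 -> www.sco.com:80" for i in range(70)]
    lines += [f"{at(minutes=i)} 10.0.0.8 -> www.sco.com:80" for i in range(3)]
    lines.append(f"{at(minutes=5)} 10.0.0.5 -> mail.example.com:25")
    lines.append(f"{at(minutes=7)} 192.0.2.44 -> 10.0.0.9:3127")
    lines.append("garbage line the parser must skip")
    return lines


SAMPLE_LOG = _make_sample()
```

On the sample, `sco_flooders(SAMPLE_LOG)` returns only `10.0.0.5` (70 hits in under a minute); the three-page visit from `10.0.0.8` stays below any sane threshold, and `backdoor_targets(SAMPLE_LOG)` points at `10.0.0.9`, the host that answered on 3127. Both lists are worth pulling even before the mail filter sees a copy of the worm.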

More Internet Explorer Scripting Concerns

A new method of exploiting Microsoft Internet Explorer security zones was posted to the BUGTRAQ mailing list today that uses the Windows XP ".folder" extension to trick users into running scripts in the My Computer zone. This is another example of the dangers of unrestricted scripting in trusted zones. Preliminary information from Microsoft indicates that Service Pack 2 for Windows XP will include improvements to restrict web pages from running in the My Computer zone. In the meantime, organizations are advised to disable the "Hide Extensions for Known File Types" option on Windows systems, and advise users to report instances of folders appearing with the ".folder" extension.

--------------------

-Joshua Wright

(Updated by Marcus Sachs)