[10795] in bugtraq


Info on Worm.ExploreZip

daemon@ATHENA.MIT.EDU (Simple Nomad)
Fri Jun 11 01:37:09 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.10.9906102220360.24835-100000@shell.fastlane.net>
Date: 	Thu, 10 Jun 1999 22:30:25 -0500
Reply-To: Simple Nomad <thegnome@NMRC.ORG>
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@NETSPACE.ORG

Info on Worm.ExploreZip:

I'm in the process of cleanup - my day job employer got hit, and we're NT
with no 95/98 to speak of. Here are some interesting tidbits that I
haven't seen on some of the commercial Anti-Virus web sites regarding NT.

Payload:

- The trojan can come into any email client, obviously. If executed, it
will proceed to go active in memory. In other words, you do not need
Outlook for the Payload to activate, just a Win32 machine. A Notes mail
client user probably did the most damage in our environment to network NT
file servers.
- It will have processes running called _setup.exe, zipped_f.exe, and
possibly explore.exe.
- One of our users reported seeing explore.exe running as an application,
although I wasn't able to confirm this.
- It deletes files with *.h, *.c, *.cpp, *.asm, *.doc, *.xls, and *.ppt
extensions on all drives (C through Z) that are currently mapped.
- Every few minutes it will repeat the deletion process. This is
particularly nasty if you are trying to do restores to network drives
while the virus is still active in your environment.

Propagation:

- On the Melissa-style method of propagation, it checks the user's Inbox
in Outlook. The Outlook client does not have to be running, as the trojan
uses MAPI calls.
- Propagation is triggered by the arrival of a new message into the
Outlook's Inbox.
- Once triggered, the virus takes the first two names in the header and
uses them to plug into the text of the message. If more than one user name
is in the message header (possible if you are using distribution lists or
role-based mail boxes that forward mail to multiple people) it is possible
the names will not be in the correct order. Also, if you use Lastname,
Firstname as a naming convention you will get Lastname, plugged into the
messages.
- It creates the message with the names and attaches the trojan, naming it
zipped_files.exe with the happy message as reported on most Anti-Virus
vendor sites.
- In other words, if you send an email to billg@microsoft.com with a subject
of Microsoft Sucks, and he's infected and his machine is up and running, you
will get a reply with a subject of Re: Microsoft Sucks with the
attachment. I mean he says he'll get back with you and to read the
attached zipped docs, and you being Joe/Josey corporate user check it out.
False message saying it's a corrupt zip, blah, blah, blah, and now you're
sending out trojans.

We got hit when email was sent to some engineers at Microsoft, and the
reply came back with the trojan. The nature of the email sent to Microsoft
was "where is the info we requested" so it seemed natural that the
attachment was supposed to be a self-extracting zip. That's right,
Microsoft got hit, so I would guess a few source code files and Office
docs were wiped. Hopefully as Microsoft starts the slow process of
restoring Office docs and source code (!) they will discover what the
rest of us have known all along -- the security model is less than ideal
(which is, um, an understatement).

Another interesting note, the APIs that the Exchange Anti-Virus vendors
use to scan Exchange mailstores only scan on messages inbound to the
mailstore. This means that outbound messages are not scanned. We had an
affected machine that replied to messages from the Internet with the
trojan attachment as our Exchange outbound goes straight to a Unix machine
on its way to the Internet. Fortunately we had a process running on the
Unix box to catch inbound and outbound email with the attachments named
zipped_files.exe and it was stopped, but this was why we saw our Exchange
AntiVirus *not* catch the message. Why do the Anti-Virus vendors only use
APIs that catch inbound messages? Because that is all Microsoft has given
them. Most of the vendors have really been pressuring Microsoft to release
info about coding to check for outbound messages.

Final tidbits (sorry if this message isn't very coherent, it's late and
I've been up a long time): the trojan was written using Borland Delphi,
and was possibly compiled on April 14, 1999. Obviously the virus writer
got the idea for the propagation method from Melissa, and one can only
wonder what the next worm/trojan/virus will do.

    Simple Nomad    //
 thegnome@nmrc.org  //  ....no rest for the Wicca'd....
    www.nmrc.org    //
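The post mentions that a process on the Unix relay stopped inbound and outbound mail carrying an attachment named zipped_files.exe, which is what caught the worm when the Exchange scanner (inbound-only) could not. The block below is an added example, not code from the original post or from any vendor: a gateway-style filter written with the Python standard library that parses a raw RFC 822 message, walks nested multiparts, and flags the attachment name the post reports (case-insensitively). As a generalization beyond the post, an optional check also flags any non-text attachment whose decoded bytes begin with the "MZ" executable header, since the next worm will not reuse the same filename; that heuristic, the sample message, its body text and addresses are all constructed for this example.

```python
"""Gateway filter for the ExploreZip attachment (added example, not the
original post's code). Matches the attachment filename the post reports
and, optionally, any attachment that is a DOS/PE executable ("MZ" header).
"""
import email
from email import policy
from email.message import EmailMessage

# Filenames the post reports for the trojan; matched case-insensitively.
BLOCKED_NAMES = {"zipped_files.exe"}


def attachment_names(msg):
    """Yield every attachment filename, descending into nested multiparts.

    EmailMessage.get_filename() consults Content-Disposition filename= first
    and falls back to Content-Type name=, which some 1999-era clients used.
    """
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            yield name.strip()


def has_executable_payload(msg):
    """Added heuristic (assumption, not from the post): True if any non-text
    part decodes to bytes beginning with the 'MZ' executable signature."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            return True
    return False


def is_explorezip_carrier(raw, check_mz=False):
    """Return True if the raw RFC 822 message should be stopped at the relay.

    raw      -- complete message as bytes (headers + body), as a relay sees it
    check_mz -- also apply the executable-header heuristic
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if any(n.lower() in BLOCKED_NAMES for n in attachment_names(msg)):
        return True
    return check_mz and has_executable_payload(msg)


def build_sample(attachment_name=None, payload=b"MZ\x90\x00" + b"\x00" * 12):
    """Construct a small test message (constructed, not a captured sample).

    The reply subject and attachment name follow the post; the body text and
    addresses are invented for the example.
    """
    msg = EmailMessage()
    msg["From"] = "engineer@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: where is the info we requested"
    msg.set_content("I'll get back with you; please read the attached zipped docs.\n")
    if attachment_name:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("zipped_files.exe", "ZIPPED_FILES.EXE", "notes.doc", None):
        verdict = is_explorezip_carrier(build_sample(name), check_mz=True)
        print(f"{name!s:20} -> {'STOP' if verdict else 'pass'}")
```

Run the filter on both directions of traffic at the relay, as the post describes; the filename match alone reproduces the check that worked in 1999, and `check_mz=True` is the broader, assumed rule for catching a renamed executable.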
