[21557] in bugtraq
MALWARE HOAX FW: Microsoft Security Bulletin MS01-039
daemon@ATHENA.MIT.EDU (Robert D. Hughes)
Tue Jul 17 02:15:51 2001
Date: Mon, 16 Jul 2001 22:34:07 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Message-ID: <B95B566BD245174196CA4EE29E5818834518@robhughes.com>
content-class: urn:content-classes:message
From: "Robert D. Hughes" <rob@robhughes.com>
To: <bugtraq@securityfocus.com>
Cc: <abuse@tripod.com>, <abuse@att.net>, <abuse@gmx.co.uk>,
<focus-virus@securityfocus.com>
Content-Transfer-Encoding: 8bit
First of all, here are the headers:
Microsoft Mail Internet Headers Version 2.0
Received: from mail.gmx.net ([194.221.183.20]) by hexch01.robhughes.com with
Microsoft SMTPSVC(5.0.2195.2966);
Mon, 16 Jul 2001 21:07:01 -0500
X-Proxy: fwall.robhughes.com protected by Firewall
Received: (qmail 19842 invoked by uid 0); 17 Jul 2001 02:06:58 -0000
Received: from 252.fwsgrp27.als.att.net (HELO bleh.bleh.com) (12.44.146.252)
by mail.gmx.net (mail01) with SMTP; 17 Jul 2001 02:06:58 -0000
Message-ID: <bleh1234567890>
Date: Sun, 13 Jul 1337 13:37:37 +1337
From: secnotif@MICROSOFT.COM
Reply-To: secnotif@MICROSOFT.COM
X-Mailer: Mozilla 4.75 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: rob@robhughes.com
Subject: Microsoft Security Bulletin MS01-039
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Return-Path: deathsdoor@gmx.co.uk
X-OriginalArrivalTime: 17 Jul 2001 02:07:02.0181 (UTC)
FILETIME=[2B2B0550:01C10E65]
Now, they've obviously taken an actual MS bulletin and used the text, right down to including a PGP key, and they've incremented it from the previous bulletin. The first thing I noticed is that the entire message is double-spaced. Not a lot, but it was different from every other bulletin I've gotten. The obvious giveaway is the address they've used for the fix, as well as specifying a particular file to download. The bulletin page of course is a 404.
The netblock is owned by LYCOS in Europe and points to a tripod page, with an
att.net account used to send the mail, and relevant parties have been cc'ed
as well. And apparently the user name associated with the site is hicagogppr.
From my limited experience, I can tell very little about the file other than it appears to connect to a remote web site. This comes from running strings against the file. It also appears to go after Napster and ICQ accounts, but I can't tell what else it does. I think the most important thing is that scanning it with the latest virus signatures from Norton comes up clean, so a user would not be notified that they are running an infected file.
If someone with the knowledge and experience will, please do a full analysis on this and let me know what it is. I'm pretty much a rank newbie at this, as you can probably tell ;) I searched the bugtraq archives, but didn't find anything on this, so if it's known, I apologize.
Thanks,
Rob
-----Original Message-----
From: secnotif@MICROSOFT.COM [mailto:secnotif@MICROSOFT.COM]
Sent: None
To: Robert D. Hughes
Subject: Microsoft Security Bulletin MS01-039
Importance: Low
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
- ----------------------------------------------------------------------
Title: Vulnerability in Windows systems allowing an upload of a serious
virus.
Date: 10 July 2001
Software: Windows 2000
Impact: Privilege Elevation
Bulletin: MS01-039
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-039.asp
- ----------------------------------------------------------------------
Yesterday the internet has seen one of the first of it's downfalls. A virus
(no name assigned yet) has been released.
One with the complexity to destroy data like none seen before.
Systems affected:
=================
Microsoft Windows 95
Microsoft Windows 95b
Microsoft Windows 98
Microsoft Windows 98/SE
Microsoft Windows NT Enterprise
Microsoft Windows NT Workstation
Microsoft Windows Millenium Edition
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Service packs up to Service Pack 6 for Windows NT 3/4 Systems.
Service pack 1 and 2 for windows 2000.
Issue:
======
Officials say this virus is unique in many ways. It spreads via new forms,
such as using a new vulnerability in Windows
98 allowing already infected computers to upload (send files) to non-infected
computers, this means that you do not have
to download or visit a site to be infected with the virus. The infected
computers are programmed to scan for computers
running Windows 9x, and Windows 2000 and uploading the virus.
-What the virus does:
The virus itself is a threat to normal users aswell as businesses. Cooper
from microsoft said "This virus has the ability
to wipe out most of the internet users and the chances are it will, the risk
is high, patches must be installed to affected
systems." The virus itself is made for one reason and one reason only, to
reproduce, destroy documents, delete mp3 files,
movie files, infect .exe files, this virus also has a unique feature that
destroys the BIOS (Basic Input Output System),
which means ones that are infected would need to purchase a new motherboard.
Patch Availability:
===================
Visit
http://www.microsoft.com@%36%32%2E%35%32%2E%31%36%32%2E%31%34%37/%68%69%63%61%67%6F%67%70%70%72/%6D%73%5F%76%32%37%35%36%35%37%5F%78%38%36%5F%65%6E.e%78%65
to download the patch named ms_v275657_x86_en.exe. Download and run the file.
Acknowledgment:
===============
- Jon McDonald (http://www.entrigue.net)
- Russ Cooper (http://www.ntbugtraq.com)
- ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
To verify the digital signature on this bulletin, please download our PGP
key at http://www.microsoft.com/technet/security/notify.asp.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/technet/security/notify.asp. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security
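The header tells Rob points at (a Return-Path domain that differs from the From domain, a Date header that cannot match the relay's own timestamp, and a HELO name that does not match the relay's resolved name) can be checked mechanically. This is an added example, not code from the original post; the header sample is constructed from the hoax headers quoted above, with the folded Received line re-folded with leading whitespace.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the hoax's own headers as quoted in the post,
# trimmed to the lines the checks below need.
HOAX_HEADERS = """\
Received: from 252.fwsgrp27.als.att.net (HELO bleh.bleh.com) (12.44.146.252)
 by mail.gmx.net (mail01) with SMTP; 17 Jul 2001 02:06:58 -0000
Message-ID: <bleh1234567890>
Date: Sun, 13 Jul 1337 13:37:37 +1337
From: secnotif@MICROSOFT.COM
Reply-To: secnotif@MICROSOFT.COM
To: rob@robhughes.com
Subject: Microsoft Security Bulletin MS01-039
Return-Path: deathsdoor@gmx.co.uk

"""

def _utc(dt):
    # "-0000" in a Received stamp parses as a naive datetime; treat it as UTC.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def header_anomalies(raw):
    """Return a list of human-readable findings for a raw header block."""
    msg = message_from_string(raw)
    findings = []
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    # The relay that accepted the message stamped its own time after ';'.
    recv = (msg.get_all("Received") or [""])[0]
    try:
        stamped = _utc(parsedate_to_datetime(recv.rsplit(";", 1)[1].strip()))
        claimed = _utc(parsedate_to_datetime(msg["Date"]))
        if abs((stamped - claimed).days) > 2:
            findings.append("Date header is days away from the relay timestamp")
    except (IndexError, TypeError, ValueError):
        findings.append("Date or Received timestamp unparseable")
    # HELO name offered by the sender vs the name the relay resolved for it.
    m = re.search(r"from (\S+) \(HELO (\S+)\)", recv)
    if m and m.group(1).lower() != m.group(2).lower():
        findings.append(f"HELO {m.group(2)} does not match relay name {m.group(1)}")
    return findings
```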
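The "patch" link in the hoax combines two tricks: the `www.microsoft.com` text before the `@` is URL userinfo, not the host, and the real host and path are percent-encoded so they do not read as an IP address and an .exe. The function below, an added example that is not part of the original post, splits the link the way a browser does and reports what it would actually fetch; the URL is the one quoted in the hoax with the mail client's line breaks removed.

```python
import re
from urllib.parse import urlsplit, unquote

# The obfuscated link exactly as it appears in the hoax bulletin above.
HOAX_URL = (
    "http://www.microsoft.com@%36%32%2E%35%32%2E%31%36%32%2E%31%34%37/"
    "%68%69%63%61%67%6F%67%70%70%72/"
    "%6D%73%5F%76%32%37%35%36%35%37%5F%78%38%36%5F%65%6E.e%78%65"
)

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def analyse_link(url):
    """Report the host a browser would connect to versus the one a reader sees."""
    parts = urlsplit(url)
    # Everything before the last '@' in the authority is userinfo, not a host.
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    real_host = unquote(hostport if sep else parts.netloc)
    path = unquote(parts.path)
    findings = []
    if sep:
        findings.append(f"userinfo '{userinfo}' precedes '@'; real host is '{real_host}'")
    if "%" in parts.netloc or "%" in parts.path:
        findings.append("percent-encoded host or path")
    if IPV4.fullmatch(real_host):
        findings.append("destination is a bare IP address")
    if path.lower().endswith((".exe", ".scr", ".com", ".bat", ".pif")):
        findings.append(f"link fetches an executable: {path.rsplit('/', 1)[-1]}")
    return {
        "displayed_host": userinfo if sep else real_host,
        "real_host": real_host,
        "path": path,
        "findings": findings,
    }
```

Decoding the page's link shows the destination Rob describes: a numeric address in the LYCOS/Tripod netblock, a path containing the user name hicagogppr, and the file ms_v275657_x86_en.exe.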