New Strain of Mass-Email Virus Poses Increased Risk

September 22, 2003

Security vendors on Friday continued to issue alerts about a new mass-mailing virus, which has been identified as a variant of the Gibe family of viruses. According to MessageLabs, the proportion of emails carrying this virus, W32/Gibe.E-mm (also known as W32/Swen.A-mm), has risen to 1 in 355 in the last 24 hours, and MessageLabs has classified this as a high-level outbreak situation. The vendor reports that initial copies all originated from Slovakia, and some later copies originated from the Netherlands. The countries most affected by W32/Swen.A-mm are the United States, the U.K. and the Netherlands, respectively.

Initial analysis suggests that this strain is a mass-emailing virus similar to the earlier Gibe strain of viruses. However, there may be sufficient differences to give rise to a new family, and further analysis will be required. The emails appear to differ from one another, and the attachment name may vary. For further information, visit the MessageLabs web site here.

According to Symantec, due to an increase in submissions, the vendor has upgraded W32.Swen.A@mm to a Category 3 threat. Symantec characterizes W32.Swen.A@mm as a mass-mailing worm that uses its own SMTP engine to spread itself. It attempts to spread through file-sharing networks, such as KaZaA and IRC, and attempts to kill antivirus and personal firewall programs running on the computer. The worm can arrive as an email attachment; the subject, body, and From: address of the email may vary. Some examples claim to be patches for Microsoft Internet Explorer, or delivery failure notices from qmail. W32.Swen.A@mm is similar to W32.Gibe.B@mm in function, and is written in C++. Technical details are at this Symantec page.

McAfee has also raised its alert level for W32/Swen@MM to medium.
The vendor reports that it sometimes purports to be a Microsoft Security Update, and that the worm is intended to propagate via several mechanisms:

- mailing itself to recipients extracted from the victim machine
- copying itself over network shares (mapped drives)
- sharing itself over the KaZaa P2P network
- sending itself via IRC

The worm is written in MSVC. Though in a different HLL, it bears similarities to W32/Gibe.b@MM (original Gibe variants were written in VB). The worm terminates processes relevant to various security and anti-virus products (see below). The virus contains its own SMTP engine to construct outgoing messages. Various outgoing messages are created; some make use of an IE exploit to ensure the worm attachment is run upon viewing the email. See Microsoft Security Bulletin MS01-020. One such message bears the following characteristics:

Subject: Returned Response
From: Email Delivery Service (kmailengine@yahoo.com)
Body: Undeliverable mail to (email address)

Messages constructed to take advantage of this vulnerability will be detected as Exploit-MIME.gen.exe with the 4215 DATs or greater (and earlier as Exploit-MIME.gen). Multiple subject lines and attachment names are constructed from pools of strings within the worm for use in outgoing messages. Target email addresses are extracted from files on the victim machine. At least one message masquerades as a Microsoft update. View the message and other information at this McAfee page.

Trojan Exploits IE Vulnerability

Troj/JSurf-A arrives via an HTML email exploiting a vulnerability reportedly fixed in the Cumulative Patch for Internet Explorer (MS03-032). The email contains an Object Data tag that runs a VBS script on a remote site. The script drops an EXE in the C:\ drive as DRG.EXE. This component of Troj/JSurf-A connects to a remote website, downloads a DLL to C:\Program Files\win32.dll and then runs regsvr32.exe to register it on the system.
The Trojan relies upon a vulnerability in Microsoft's software. Microsoft issued a patch in August 2003 which reportedly fixes the problem. The patch can be found here.

Worm Targets SMTP To Email Itself

W32/Yaha-W is a worm which spreads by emailing itself via SMTP to addresses extracted from various sources on the victim's computer (e.g. the Windows Address Book), and by copying itself to network shares and other fixed drives connected to the computer. The worm copies itself to the Windows folder as REGE32.EXE and to the Windows system folder as EXELD32.EXE and EXPLORERE.EXE. The worm adds the following entries to the registry to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MicrosoftServiceManager = \EXPLORERE.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MicrosoftServiceManager = \EXPLORERE.EXE

The worm also changes WIN.INI to run itself on system restart. W32/Yaha-W changes the registry entry at HKCR\exefile\shell\open\command so that the worm is run before every EXE file. W32/Yaha-W attempts to exploit an IFRAME vulnerability in certain versions of Microsoft Internet Explorer and Outlook Express which allows automatic execution of files attached to emails when the email is viewed. W32/Yaha-W sends emails with characteristics similar to those of W32/Yaha-T. Read more at this Sophos page.

Gibe.C Worm Reports Increasing

The new 'C' variant of the Gibe worm (W32/Gibe.C), detected Thursday by PandaLabs, has become, in less than 24 hours, one of the viruses most frequently detected by the antivirus vendor. Gibe.C uses social engineering: it reaches computers in an e-mail message that passes itself off as a security patch for Microsoft Windows operating systems. This message has several characteristics, and it can even perfectly imitate the style of Microsoft web pages. In order to gain credibility, the sender of the e-mail message appears to be Microsoft.
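The Yaha-W persistence entries above (Run/RunServices values and the hijacked exefile handler) are host indicators a responder can check offline against a registry export. As an added example that is not Sophos's code or part of the original report, the Python below parses a constructed .reg export and flags autorun values that launch one of the named worm files, and an exefile open handler that differs from the stock `"%1" %*`; the C:\WINDOWS\SYSTEM folder in the sample is an assumption.

```python
# Constructed sample of a Windows registry export (.reg format), not taken from
# a real infected machine; it mirrors the Yaha-W entries reported above.
# The folder C:\WINDOWS\SYSTEM is an assumed location for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftServiceManager"="C:\\WINDOWS\\SYSTEM\\EXPLORERE.EXE"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MicrosoftServiceManager"="C:\\WINDOWS\\SYSTEM\\EXPLORERE.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\EXPLORERE.EXE \"%1\" %*"
'''

YAHA_FILES = {"REGE32.EXE", "EXELD32.EXE", "EXPLORERE.EXE"}  # names from the Sophos write-up
CLEAN_EXE_COMMAND = '"%1" %*'  # stock EXE open handler on a clean system
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")

def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # Undo .reg string escaping: \" -> " and \\ -> \
            data = data.strip().strip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def find_yaha_indicators(text):
    """List autorun values launching a known Yaha-W file, and a non-stock exefile handler."""
    findings = []
    for key, values in parse_reg(text).items():
        lk = key.lower()
        if lk.endswith(AUTORUN_KEYS):
            for name, data in values.items():
                if data.rsplit("\\", 1)[-1].upper() in YAHA_FILES:
                    findings.append(f"autorun {key}\\{name} -> {data}")
        elif lk.endswith("exefile\\shell\\open\\command"):
            cmd = values.get("@", "")
            if cmd != CLEAN_EXE_COMMAND:
                findings.append(f"exefile handler hijacked: {cmd}")
    return findings
```

Because the exefile check compares against the stock handler rather than a worm name, it also catches other EXE-association hijacks; a host with a legitimately customised handler will need that value whitelisted.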
For example: 'MS Technical Assistance' or 'MS Customer Support', etc. The message also includes an attached file that actually contains the Gibe.C worm and can have different names, such as Q591362.EXE. When the attached file is run, a series of windows are displayed which simulate the installation of the supposed patch. However, these screens actually cover up the actions that the worm is carrying out. These include disabling the Windows Registry Editor, in order to prevent the entries the worm has added to the registry from being deleted. In addition, Gibe.C displays a message that attempts to trick the user into giving up confidential information. Gibe.C ends processes belonging to several antivirus and computer security programs, leaving the affected computer vulnerable to attack by hackers or other malicious code. Gibe.C can also exploit two vulnerabilities in the Microsoft Internet Explorer browser to run itself when the message carrying the worm is viewed in the Preview Pane. Finally, this worm can also spread through the peer-to-peer file sharing program KaZaA and via IRC.

Due to the incidents reported, and in order to avoid falling victim to Gibe.C, Panda Software advises users to be extremely careful with e-mail messages received and to update their antivirus solutions immediately. For more information about Gibe.C and other malicious code, visit Panda Software's Virus Encyclopedia here.

Virus Targets .php Files

PHP.Virdrus is a virus that prepends itself to .php files. PHP.Virdrus is written in PHP. Technical details are at this Symantec page.

Week in Review

This week's report on malicious code focuses on Surfbar.B and six worms: Gibe.C, Opaserv.X, variants 'A' and 'B' of Backterra, Reksa.A and Blaster.G.
The first worm, Gibe.C, spreads via e-mail in a message that perfectly imitates the style of Microsoft web pages, in order to trick the user into thinking that the attached file is a security patch. It also spreads through the peer-to-peer (P2P) file sharing program KaZaA, across shared network drives and via IRC. This worm exploits the iFrame and Incorrect MIME Header vulnerabilities, and it ends processes belonging to several antivirus programs, firewalls and system monitoring tools. This leaves the affected computer vulnerable to attack from other malicious code. In addition, Gibe.C disables the Windows Registry Editor and displays a message on screen to obtain users' confidential information (such as mail account passwords).

Another worm that appeared this week is Opaserv.X. This worm spreads to other computers by attacking IP addresses, on which it tries to copy itself to existing shared network drives. It attempts to access these shared drives by exploiting the Share Level Password vulnerability. Opaserv.X creates several files in the Windows directory and also creates an entry in the Windows registry of the affected computer.

The fifth worm in this report is Reksa.A, which spreads via e-mail in a message with the subject 'Support Message' and the attachment 'MSNUPDATE.EXE'. Once it is run, Reksa.A displays a message on screen and creates the file MSN.EXE in the Windows directory. This file contains the code of the worm.

The final worm detected this week is Blaster.G, which affects only Windows 2003/XP/2000/NT computers. It exploits the Buffer Overrun in RPC Interface vulnerability. Blaster.G spreads by attacking IP addresses generated at random and exploits the vulnerability mentioned above to download a copy of itself to the compromised computer. In order to do this, Blaster.G incorporates its own TFTP (Trivial File Transfer Protocol) server.
Two clear symptoms that indicate that Blaster.G has reached the computer are increased network traffic on TCP ports 135 and 4444 and UDP port 69, and that it blocks and restarts the affected computer.

Finally, Surfbar.B is malware that exploits the Internet Explorer Object Data Remote Execution vulnerability to reach computers. Its main action is to change the home page of the Internet Explorer browser.
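The Blaster.G network symptoms described above (a sweep of random addresses on TCP 135, follow-up traffic on TCP 4444, and the worm's own TFTP server on UDP 69) translate directly into a perimeter detection. As an added example that is not part of the original report, the Python below scores hosts in constructed firewall log lines and reports those showing two or more of the three symptoms, which picks out both the scanning host and the machine it has just infected; the log format and the sweep threshold are assumptions.

```python
from collections import defaultdict

# Constructed firewall log lines (not from a real incident) in the assumed form
# "PROTO src:sport -> dst:dport". 10.0.0.7 behaves as the report describes:
# it sweeps TCP/135 across random addresses, connects to one victim on
# TCP/4444, and that victim then fetches the worm back over UDP/69 (TFTP).
SAMPLE_LOG = """\
TCP 10.0.0.7:1045 -> 198.51.100.14:135
TCP 10.0.0.7:1046 -> 198.51.100.15:135
TCP 10.0.0.7:1047 -> 203.0.113.9:135
TCP 10.0.0.7:1048 -> 203.0.113.77:135
TCP 10.0.0.7:1049 -> 192.0.2.200:135
TCP 10.0.0.7:1050 -> 192.0.2.201:135
TCP 10.0.0.7:1051 -> 192.0.2.201:4444
UDP 192.0.2.201:1063 -> 10.0.0.7:69
TCP 10.0.0.12:3389 -> 10.0.0.5:445
TCP 10.0.0.12:3390 -> 10.0.0.6:135
"""

def parse_line(line):
    """Split one log line into (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, int(sport), dip, int(dport)

def score_hosts(log_text, scan_threshold=5):
    """Return {host: set of symptoms} for hosts with at least two Blaster symptoms.

    A host is a suspected scanner when it reaches scan_threshold or more
    distinct addresses on TCP/135; TCP/4444 and UDP/69 traffic is recorded
    for both endpoints so the newly infected victim is surfaced as well."""
    rpc_targets = defaultdict(set)
    symptoms = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, sip, sport, dip, dport = parse_line(line)
        if (proto, dport) == ("TCP", 135):
            rpc_targets[sip].add(dip)
        elif (proto, dport) == ("TCP", 4444):
            symptoms[sip].add("tcp/4444 client")      # scanner's follow-up connection
            symptoms[dip].add("tcp/4444 listener")    # victim exposing the port
        elif (proto, dport) == ("UDP", 69):
            symptoms[dip].add("udp/69 tftp server")   # infected host serving its copy
            symptoms[sip].add("udp/69 tftp client")   # victim downloading it
    for host, targets in rpc_targets.items():
        if len(targets) >= scan_threshold:
            symptoms[host].add(f"tcp/135 sweep ({len(targets)} hosts)")
    return {h: s for h, s in symptoms.items() if len(s) >= 2}
```

A single TCP/135 connection (as from 10.0.0.12) is ordinary RPC traffic and is not reported on its own; tune scan_threshold to the normal fan-out on your network.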