Home page logo

isn logo Information Security News mailing list archives

WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro
From: InfoSec News <isn () c4i org>
Date: Tue, 2 Oct 2001 04:28:07 -0500 (CDT)

Forwarded from: "Jay D. Dyson" <jdyson () treachery net>


Courtesy of Incidents List.

- ---------- Forwarded message ----------
Date: Sun, 30 Sep 2001 20:47:58 -0600
From: aleph1 () securityfocus com
To: incidents () securityfocus com
Subject: WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro

It has come to our attention that a message claiming to come from
SecurityFocus' ARIS system and TrendMicro is being used to deliver what
looks like a trojan horse to unsuspecting users. These messages do not
come from us or TrendMicro, as a quick check of the headers will reveal. 

The messages come with an executable attachment named FIX_NIMDA.exe.  Do
*NOT* run this attachment. 

The name is similar to the one used by TrendMicro for their free Nimda
removal tool (FIX_NIMDA.com). To say the least we haven't ever sent out
any type of executable attachment claiming to be a fix to any worm or
vulnerability. And we certainly don't end out email using the brain dead
multipart/alternative MIME type. 

We are still trying to determine what the code does. At first flag it
appears to include some type of zip file that when run creates a directory
with the called FIX_NIMDA, with the files FIX_NIMDA.exe, readme.txt,
SLIDE.DAT, and slide.exe. 

The readme.txt file is copy of the file distributed by TrendMicro with the
their free Nimda disinfection tool. The FIX_NIMDA.exe file is not the same
as TrendMicro's but it appears to attempt to deceive the user by printout
out some output that makes it appear like it working as advertised. 

Bellow you can find a sample of the fake message being used to transmit
this trojan. If you have receive a similar message we would like to hear
from you. 

Common sense and best practices indicates that you should not execute any
code that come via email unless you can authenticate the source of the
message. Sadly, as previous worms make all to clear the will be always
people that do not follow safe computing practices. 

Return-Path: <aris-report () securityfocus com>
Received: (qmail 24362 invoked from network); 30 Sep 2001 23:46:17 -0000
Received: from corderoatado.arnet.com.ar (HELO dominios2.arnet.com.ar) (
  by gate.bulinfo.net with SMTP; 30 Sep 2001 23:46:17 -0000
Received: from mcdark ([]) by dominios2.arnet.com.ar  with Microsoft SMTPSVC(5.5.1877.357.35);
         Sun, 30 Sep 2001 20:45:05 -0300
Message-ID: <002901c14a09$f12b6a80$0100a8c0 () mcdark>
From: <aris-report () securityfocus com>
To: <Teraton () sbline net>
Cc: <Teraton () bulinfo net>,
        <ktzenov () hotmail com>
Subject: Possible Nimda Worm infection
Date: Mon, 1 Oct 2001 01:45:03 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Return-Path: aris-report () securityfocus com
Status: RO
Content-Length: 912884
Lines: 11932

This is a multi-part message in MIME format.

- ------=_NextPart_000_0025_01C14A1A.B058CFA0
Content-Type: multipart/alternative;

- ------=_NextPart_001_0026_01C14A1A.B058CFA0
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

This mail is from the ARIS Analyzer Service (Attack Registry and =
Service) from SecurityFocus in cooperation with Trend Micro =
As you are probably aware from the media, the Nimda worm started =
It has come to our attention that your system(s),
listed below have been identified as being compromised by the Nimda =
Worm. =20
The Nimda Worm is rapidly spreading across the Internet.=20

The addresses identified as belonging to you are as follows:

Teraton () sbline net=20
Teraton () bulinfo net
ktzenov () hotmail com

You can find up to date information on the Nimda Worm at:


It is very important that you are checking your Systems that have used =
with the identified addresses
with the special Anti Nimda Software that we send you with this mail. =

It is also important that you are updating all your systems.
For this please show at the following URL


The SecurityFocus ARIS Analyst Team
aris-report () securityfocus com

- ------=_NextPart_001_0026_01C14A1A.B058CFA0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<META http-equiv=3DContent-Type content=3D"text/html; =
<META content=3D"MSHTML 5.50.4807.2300" name=3DGENERATOR>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hello,<BR>This mail is from the ARIS =
Service (Attack Registry and Intelligence <BR>Service) from =
SecurityFocus in=20
cooperation with Trend Micro Incorporated.<BR>&nbsp;<BR>As you are =
aware from the media, the Nimda worm started spreading.<BR>It has come =
to our=20
attention that your system(s),<BR>listed below have been identified as =
compromised by the Nimda Worm.&nbsp; <BR>The Nimda Worm is rapidly =
across the Internet. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>The addresses identified as belonging =
to you are as=20
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"mailto:Teraton () sbline net">Teraton () sbline net</A> <BR><A=20
href=3D"mailto:Teraton () bulinfo net">Teraton () bulinfo net</A><BR><A=20
href=3D"mailto:ktzenov () hotmail com">ktzenov () hotmail com</A></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>You can find up to date information on =
the Nimda=20
Worm at:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2><A=20
<DIV><FONT face=3DArial size=3D2><STRONG>It is very important that you =
are checking=20
your Systems that have used with the identified addresses<BR>with the =
Anti Nimda Software that we send you with this mail.=20
<DIV><FONT face=3DArial size=3D2><STRONG>It is also important that you =
are updating=20
all your systems.<BR>For this please show at the following=20
<DIV><FONT face=3DArial size=3D2><A=20
- -26.html</A></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>The SecurityFocus ARIS Analyst =
href=3D"mailto:aris-report () securityfocus com">aris-report () securityfocus c=
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

- ------=_NextPart_001_0026_01C14A1A.B058CFA0--

- ------=_NextPart_000_0025_01C14A1A.B058CFA0
Content-Type: application/x-msdownload;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

[ rest deleted ]

- ------=_NextPart_000_0025_01C14A1A.B058CFA0--

- -- 
Elias Levy
Si vis pacem, para bellum

- ----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.


ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
  • WARNING: Trojan Horse Disguised as Message from SecurityFocus and TrendMicro InfoSec News (Oct 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]