Security Incidents mailing list archives

Re: hiding attachment extensions


From: Dan_Schrader () TRENDMICRO COM (Dan Schrader)
Date: Tue, 23 May 2000 11:49:53 -0700


The attachment was a password stealing Trojan called TROJ_PSW_GIP.112

Description:
This password stealing Trojan propagates by appending itself to a document
file. When seen in Windows Explorer its icon is a document icon. When the
file with the appended Trojan is opened, MS Word is called to view the
document; however, the Trojan executes itself, tricking the user into
believing only a Word document is being opened. This Trojan drops the file
"Winupdate.exe" in the Windows directory and, when triggered, emails the
infected user's information to specific email addresses.

Solution:

Run REGEDIT and delete the registry data "c:\<window directory>\winupdate.exe" from:
Hkey_Current_User\Software\Microsoft\Windows\Current Version\Run
Hkey_Local_Machine\Software\Microsoft\Windows\Current Version\Run
Hkey_Local_Machine\Software\Microsoft\Windows\Current Version\RunServices
Hkey_User\.Default\Software\Microsoft\Windows\Current Version\Run
Restart in DOS mode and delete the file C:\WINDOWS\winupdate.exe
Scan your system with Trend antivirus and delete all files detected as
TROJ_PSW_GIP.112. To do this Trend customers must download the latest
pattern file and scan their system. Other email users may use Trend
HouseCall, a free online virus scanner

When executed this Trojan adds the following registry values
(location, value name, data):

Hkey_Current_User\Software\Microsoft\Windows\Current Version\Run
  "Welcome" = "c:\<window directory>\winupdate.exe"
Hkey_Local_Machine\Software\Microsoft\Windows\Current Version\Run
  "Config" = "c:\<window directory>\winupdate.exe"
Hkey_Local_Machine\Software\Microsoft\Windows\Current Version\RunServices
  "Service" = "c:\<window directory>\winupdate.exe"
Hkey_User\.Default\Software\Microsoft\Windows\Current Version\Run
  "Welcome" = "c:\<window directory>\winupdate.exe"

The Trojan then uses SMTP or POP mail to contact elite-m () beer com or
mzreg () zxmail com using the name gip () mail com. If all acknowledgements in
this mail transaction are successful, it emails your dial-up password and
user name; ICQ info: UIN, password, and nick; system info: computer name,
password, CPU stats, and other information.

-----Original Message-----
From: illu5i0n () HUSHMAIL COM [mailto:illu5i0n () HUSHMAIL COM]
Sent: Friday, May 19, 2000 2:46 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: hiding attachment extensions

I ran this in my lab to see what it did (yeah, crazy, but the machines are there
to hack and crash).  I don't know all of what it did, but the machine was
using NetBIOS traffic and browsing mailslots.  I think it is an e-mail virus
of some kind.  I did not see it propagate yet.

It also changes the file so that its filename is really a .doc.  However
that file is 19k in size and appears to be empty when opened with M$ Word.
This file does not seem to have any macros in it.

I'll have more later.  I hope this helps
Illu5i0n

At Thu, 18 May 2000 12:20:34 +0200, "Volker Werth [VWSoft]" <VWerth () VWSOFT COM> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks!

Well, I know this might be something for an antivirus vendor but I
thought it's of interest for the incidents list.....

I received a mass email message from unknown (to me) source which had
a file attached to it.

The MUA (Eudora in my case) showed this to be a .DOC file, but in
truth it turned out to be an executable file. The guys did a really
good job of "hiding" the real file extension.

They used the following filename (paste from original mail):

price.doc%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2
%20%20%20%20%20%20%20%20%20%20%20.exe

which results in displaying a filename "price.doc" and lots of spaces,
so neither the email client nor Windows Explorer shows the correct
filename (Explorer correctly shows the file type as executable).

A Joe Average user would identify this to be a Word document file
(....and just click on it like he does every time, as we've seen from
Melissa & Co.).

For everyone who wants to take a look at the EXE file, I've attached
a ZIP file (password is "price" without quotes).

Attention: I did NO investigation on that EXE file - so I don't know
if this file will be safe to execute or contains any dangerous code!
DO NOT EXECUTE THE FILE CONTAINED IN THE ZIP! Maybe someone is able
and has the time to investigate the file by disassembling it.

Cheers,

Volker

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use
<http://www.pgpinternational.com>

iQA/AwUBOSO14LdVlYEAznqjEQLYLgCfXV67/l1INMUPHsuAMuXxE2b56swAnRNr
piGDGegcdJmsXMmwtja5qTBE
=XTzk
-----END PGP SIGNATURE-----


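The cleanup steps in the Trend description boil down to finding every autorun value that launches winupdate.exe and deleting it. The following is an added example (not part of the thread or any vendor tool) that does that triage offline over a REGEDIT4 export, which is what you would take from a suspect box before touching it. The export text is constructed to mirror the entries listed above; it assumes the key is spelled CurrentVersion as in the live registry and that the Windows directory is c:\windows. Only string (REG_SZ) values are parsed.

```python
"""Offline check of the four autorun keys named in the description, run
over a REGEDIT4 export (constructed sample below) instead of the live registry."""
import re

# Constructed sample export mirroring the entries the description lists
# (assumption: CurrentVersion spelled as in the live registry, Windows dir c:\windows).
# The "SystemTray" entry is a normal value included to show it is not flagged.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Welcome"="c:\\windows\\winupdate.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Config"="c:\\windows\\winupdate.exe"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service"="c:\\windows\\winupdate.exe"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"Welcome"="c:\\windows\\winupdate.exe"
"""

AUTORUN_KEY_RE = re.compile(r"\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE)
STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> dict:
    """Parse [key] headers and "name"="data" string values into {key: {name: data}}.
    Only REG_SZ values are handled (assumption: enough for Run-key triage)."""
    keys, current = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = STRING_VALUE_RE.match(line) if current else None
        if m:
            # .reg files escape backslash and double quote inside strings.
            data = m.group("data").replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def command_basename(data: str) -> str:
    """Lower-cased file name of the program a Run value launches, ignoring arguments."""
    data = data.strip()
    if data.startswith('"'):
        program = data[1:].split('"', 1)[0]   # quoted path may contain spaces
    else:
        program = data.split()[0] if data else ""
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_autorun_hits(text: str, indicator_basenames) -> list:
    """Return (key, value_name, data) for every autorun value whose program
    matches one of the indicator file names; these are the values to delete."""
    wanted = {b.lower() for b in indicator_basenames}
    hits = []
    for key, values in parse_reg_export(text).items():
        if not AUTORUN_KEY_RE.search(key):
            continue
        for name, data in values.items():
            if command_basename(data) in wanted:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_autorun_hits(SAMPLE_REG_EXPORT, ["winupdate.exe"]):
        print(f'delete value "{name}" under {key}  ({data})')
```

Matching on the launched program's basename rather than on the value name matters here: the description shows the same binary registered under three different names ("Welcome", "Config", "Service"), so a check keyed on names would be brittle.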
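The trick Volker describes works because the client shows only the first part of a long name, so "price.doc" followed by a long run of spaces and ".exe" reads as a Word document. The following is an added example (not code from the thread) of a gateway-side check that decodes the percent-encoded name, computes the extension the user will read and the extension the OS will act on, and flags a mismatch. It goes a little beyond the post: it also handles the U+202E right-to-left override, which achieves the same disguise by reversing how the tail of the name renders. The sample name is constructed in the shape of the quoted one (not the exact count of %20s), the extension sets and the 40-character display width are assumptions, and the renderer models only a single U+202E.

```python
"""Flag attachment names whose visible extension differs from the one the OS
will act on, e.g. price.doc%20...%20.exe from the thread."""
import re
from urllib.parse import unquote

# Assumption: a common subset of extensions Windows runs on double-click, and
# of extensions a user reads as a harmless document.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "lnk"}
DOCUMENT_EXTENSIONS = {"doc", "xls", "ppt", "txt", "pdf", "rtf", "jpg", "gif"}

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it renders reversed
PADDING_RE = re.compile(r"[ \t\u00a0]{3,}")  # 3+ blanks inside a name is not a normal name

# Constructed sample in the shape of the name quoted in the thread (the real
# one had a different number of %20s).
SAMPLE_RAW_NAME = "price.doc" + "%20" * 120 + ".exe"


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, trailing blanks ignored; '' if no dot."""
    _stem, dot, ext = name.rstrip().rpartition(".")
    return ext.strip().lower() if dot else ""


def rendered_name(logical: str) -> str:
    """Name as drawn on screen. Simplified (assumption): handles one U+202E,
    which reverses everything after it; other bidi controls are not modelled."""
    if RLO not in logical:
        return logical
    i = logical.index(RLO)
    return logical[:i] + logical[i + 1:][::-1]


def displayed_name(name: str, width: int = 40) -> str:
    """What a client with a fixed-width name column shows: the first `width`
    rendered characters, trailing blanks trimmed (the truncation the post
    describes; the width is an assumption)."""
    return rendered_name(name)[:width].rstrip()


def analyze_attachment_name(raw: str, width: int = 40) -> dict:
    """Decode a percent-encoded name, compare what the user sees with what the
    OS executes, and return flags plus an allow/review/block verdict."""
    decoded = unquote(raw)
    true_ext = extension_of(decoded.replace(RLO, ""))   # OS uses logical order
    visible = rendered_name(decoded)
    pad = PADDING_RE.search(visible)
    if pad:
        visible = visible[:pad.start()]                   # user reads up to the gap
    apparent_ext = extension_of(visible)

    flags = []
    if pad:
        flags.append("whitespace_padded")
    if RLO in decoded:
        flags.append("rtl_override")
    if true_ext in EXECUTABLE_EXTENSIONS:
        flags.append("executable")
    if (apparent_ext != true_ext and apparent_ext in DOCUMENT_EXTENSIONS
            and true_ext in EXECUTABLE_EXTENSIONS):
        flags.append("disguised_executable")

    if "disguised_executable" in flags or "rtl_override" in flags:
        verdict = "block"
    elif "executable" in flags:
        verdict = "review"
    else:
        verdict = "allow"
    return {"decoded": decoded, "displayed": displayed_name(decoded, width),
            "apparent_extension": apparent_ext, "true_extension": true_ext,
            "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for name in (SAMPLE_RAW_NAME, "report.doc", "invoice\u202ecod.exe"):
        r = analyze_attachment_name(name)
        print(f"{r['displayed']!r:20} looks like .{r['apparent_extension']} "
              f"is .{r['true_extension']} -> {r['verdict']} {r['flags']}")
```

The decision is made on the decoded name, never on what the client would render: the check that matters is whether the last extension in logical order is executable, regardless of what precedes it. Note also that Volker observed Explorer still reporting the type as executable; file type, not the displayed name, is the reliable signal.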

