Security Incidents mailing list archives
Re: Looks like a duck...quacks like a duck...
From: Brad Griffin <b.griffin () cqu edu au>
Date: Wed, 29 Nov 2000 10:01:09 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jay

That is the worm known as I-worm.music.d

Have a look at fsecure's (borrowed from Eugene Kaspersky) description here:

http://www.f-secure.com/v-descs/music.htm

or viruslist's:

http://www.viruslist.com/eng/viruslist.asp?id=4117&key=00001000130000100047

Yours is a variant of this one.

Cheers,
Brad

- -----Original Message-----
From: Jay D. Dyson [mailto:jdyson () TREACHERY NET]
Sent: Tuesday, November 28, 2000 2:46 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Looks like a duck...quacks like a duck...

*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x94FC1215
*** Signed: 29/11/2000 0:45:38
*** Verified: 29/11/2000 9:54:17
*** BEGIN PGP VERIFIED MESSAGE ***

Hi folks,

I figured I'd pass this along for consideration and review. The following was received at a staff distribution address at another site. While I haven't confirmed this is a genuine Outlook trojan/worm, it has all the markings of such. Namely:

1. The message was unsolicited
2. Tell-tale generic subject and body
3. Microsoft executable payload; the payload (wishyou.zip) contains Music.exe. Interested parties can snag a copy of the binary at http://www.treachery.net/~jdyson/wishyou.zip
4. Sender was using Microsoft Outlook Express (which is notoriously vulnerable to this sort of thing)

A cursory review of the binary indicated that the executable calls wininet.dll. Doubtful that a music player needs to initiate a connection to the internet (all wisecracks about RealPlayer mercifully set aside).

Here's the sanitized headers:

- -----BEGIN FORWARDED MESSAGE-----
Return-Path: <staff () recipient site>
Received: from localhost (bob () sender site [XXX.XXX.XXX.XXX]) by recipient.site (8.9.3/3.8.9) with SMTP id VAA21707 for <staff () recipient site>; Mon, 27 Nov 2000 21:10:42 -0700
Message-Id: <200011280410.VAA21707 () recipient site>
From: "Mailing Server" <>
To: "Mailing list" <>
Subject: Test mail
Date: Mon, 27 Nov 2000 19:24:23 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--------"
X-Mailer: Microsoft Outlook Express 4.0

Hi, just verifying email, enjoy the attached file.
- ----- END FORWARDED MESSAGE -----

- -Jay

    ( ______        )) .-- "There's always time for a good cup of coffee." --.
  C|~~|  ===<--.   (>------- Jay D. Dyson --- jdyson () treachery net -------<)
   | = |-'    `--'  `- I'm not surrounded, I just have more targets now. -'
   `-----'

*** END PGP VERIFIED MESSAGE ***
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: To verify the authenticity of this message, use PGP.

iQA/AwUBOiO7IkGaH3QeRkD+EQKHwQCfd1shuYzCpBtCcZ0QVndFbYm7CQYAoNGK
SCj+9Qj6YXUHBUf6XUkN5bIi
=FUPV
-----END PGP SIGNATURE-----
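As an added example, not part of either post above, the Python script below turns the four markings Jay lists (plus the wininet.dll reference) into a header-and-attachment triage check a mail gateway or analyst could run. The sample message is constructed from the sanitised headers quoted in the thread with a placeholder zip holding a stub Music.exe; the generic-subject and executable-suffix lists are assumptions.

```python
import base64, io, zipfile
from email import message_from_bytes, policy
from email.utils import parseaddr

GENERIC_SUBJECTS = {"test mail", "test", "hi", "hello"}            # assumed list
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".vbs")   # assumed list

def build_sample() -> bytes:
    """Constructed message mirroring the sanitised headers in the thread; the
    attachment is a stub, not the real wishyou.zip (only the strings matter)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # fake Music.exe that names wininet.dll
        zf.writestr("Music.exe", b"MZ" + b"\x00" * 16 + b"wininet.dll\x00")
    return (b'From: "Mailing Server" <>\nTo: "Mailing list" <>\n'
            b"Subject: Test mail\nMIME-Version: 1.0\n"
            b'Content-Type: multipart/mixed; boundary="bnd"\n'
            b"X-Mailer: Microsoft Outlook Express 4.0\n\n"
            b"--bnd\nContent-Type: text/plain\n\n"
            b"Hi, just verifying email, enjoy the attached file.\n"
            b'--bnd\nContent-Type: application/zip; name="wishyou.zip"\n'
            b'Content-Disposition: attachment; filename="wishyou.zip"\n'
            b"Content-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(buf.getvalue()) + b"--bnd--\n")

def triage(raw: bytes) -> list[str]:
    """Return the indicators found; each corresponds to a point in Jay's list."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for hdr in ("From", "To"):                      # display name but no address
        if not parseaddr(str(msg.get(hdr, "")))[1]:
            hits.append(f"{hdr} header carries no real address")
    if str(msg.get("Subject", "")).strip().lower() in GENERIC_SUBJECTS:
        hits.append("generic subject")
    if "outlook express" in str(msg.get("X-Mailer", "")).lower():
        hits.append("sent from Outlook Express")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_SUFFIXES):
            hits.append(f"executable attachment {name}")
        if name.endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:  # look inside the archive
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_SUFFIXES):
                        hits.append(f"executable {member} inside {name}")
                        if b"wininet.dll" in zf.read(member).lower():
                            hits.append(f"{member} references wininet.dll")
    return hits
```

Calling triage(build_sample()) returns six indicators for the constructed message and an empty list for an ordinary text mail with real addresses.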