-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2001.438 -- UNIRAS Alert -18/01
                        Malicious Software reports
                              19 October 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Outlook
                        Outlook Express
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
                        Access Privileged Data

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - -----------------------------------------------------------------------------
 UNIRAS (UK Govt CERT) Alert Notice – 18/01 dated 18.10.01 Time: 16:00
 UNIRAS Alerts are also available from our website at www.uniras.gov.uk
- - -----------------------------------------------------------------------------
Title
=====
Malicious Software warning

Systems affected
================
Outlook and Outlook Express using local and global address books and running
Windows operating systems.

Virus Name
==========
At present the virus has been named W32/eder; however, this is a temporary name
and is likely to change once the major anti-virus manufacturers release definition
files. This virus is similar to REDE (also known as Dark Machine or UCON), which is
also new. W32/eder is different, despite accessing some of the same registry keys
and using some of the same names for the attachments. For clarity, the details of
REDE (also known as UCON or Dark Machine) are included at the end of this Alert. It
is thought that these two viruses were made by the same person and released at
approximately the same time in an effort to ensure as wide a spread as possible.
Several versions of what was originally W32/eder have already been observed and
more are likely.

Advice
======
To the best of our knowledge Microsoft does not send out patches to normal users; it
relies entirely on the user visiting the Microsoft sites to obtain the relevant patches.
Therefore any email that contains attachments purporting to come from Microsoft will
be false. It is best, therefore, to block any emails with attachments purporting to
come from Microsoft.
Ensure that users do not open .exe attachments.
Update anti-virus definition files as soon as they become available.
Have in place procedures for limiting the spread of a virus should the normal security
procedures fail and a system become infected.

Detail
======
This is an Internet worm that spreads through e-mail.
During the early hours of the 18th of October, anti-virus discussion groups that are
monitored by UNIRAS were reporting the emergence of a new virus. This virus may have
the potential to spread rapidly due to the clever use of social engineering techniques:
the email with the virus attachment purports to be a new patch from Microsoft that will
help protect a system from viruses that spread via Outlook and Outlook Express address
books (which are often the same address book).

Type: Internet Worm written in Visual Basic 6
Size: 12288 bytes

The email will probably arrive with one of the following subject headers.
Subject:
  FW: Security Update by Microsoft.
  FW: Microsoft security update.
  FW: IT departments on state of HIGH ALERT.
  FW: Important news from Microsoft.
  FW: Stop terrorists computer viruses reign.
  FW: Terrorists release computer virus.
  FW: Emergency response from Microsoft Corp.
  FW: Terrorist Emergency. Latest virus can wipe disk in minutes.
  FW: Microsoft Update. Final Release Candidate.
  FW: New computer virus.

The likely text will read as follows, but please do not rely on this being entirely
accurate as it is possible that this virus may appear using different text. These
viruses often have the ability to mutate quite considerably and this is one of the
first copies seen.

Text:
  Just recieved this in my email
  I have contacted Microsoft and they say it's real !
  -----Original Message-----
  From: Microsoft Support Desk [mailto:Support@microsoft.com]
  Sent: 17 October 2001 15:21
  Subject: Security Update
  Due to the recent spate of email spread computer viruses
  Microsoft Corp has released a security patch.
  Please apply the attached file to your Windows computer
  to stop any futher spread or these malicious programs.
  Microsoft Support

Attachment names:
msmapiupdate.exe
Common.exe
Rede.exe
Si.exe
UserConf.exe
disk.exe

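As an added example (not part of the UNIRAS alert or the AusCERT bulletin), the following Python mail-triage function turns the subject lines, attachment names and file size listed above, together with the Advice section's rule that any message purporting to come from Microsoft and carrying an attachment is false, into a check a mail gateway or incident responder could run over a raw message. The sample messages are constructed for the example, and the 12288-byte attachment is inert zero-filled filler, not the worm.

```python
import email
from email import policy
from email.message import EmailMessage
# Indicators taken from the alert above; subjects are matched case-insensitively.
SUBJECTS = {s.lower() for s in (
    "FW: Security Update by Microsoft.", "FW: Microsoft security update.",
    "FW: IT departments on state of HIGH ALERT.", "FW: Important news from Microsoft.",
    "FW: Stop terrorists computer viruses reign.", "FW: Terrorists release computer virus.",
    "FW: Emergency response from Microsoft Corp.",
    "FW: Terrorist Emergency. Latest virus can wipe disk in minutes.",
    "FW: Microsoft Update. Final Release Candidate.", "FW: New computer virus.")}
ATTACHMENTS = {"msmapiupdate.exe", "common.exe", "rede.exe", "si.exe", "userconf.exe", "disk.exe"}
WORM_SIZE = 12288  # bytes, as stated in the alert

def triage(raw: bytes) -> list:
    """Return the reasons a raw message matches the alert; an empty list means no match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        reasons.append("subject line listed in alert")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    attachments = list(msg.iter_attachments())
    # Advice section: Microsoft does not mail patches, so "Microsoft" plus an attachment is false.
    if attachments and ("microsoft" in text or "microsoft" in str(msg["From"] or "").lower()):
        reasons.append("purports to come from Microsoft and carries an attachment")
    for part in attachments:
        name = (part.get_filename() or "").lower()
        if name.endswith(".exe"):
            reasons.append(f"executable attachment: {name}")
        if name in ATTACHMENTS:
            reasons.append(f"attachment name listed in alert: {name}")
        if len(part.get_payload(decode=True) or b"") == WORM_SIZE:
            reasons.append(f"attachment size matches alert ({WORM_SIZE} bytes)")
    return reasons

def build_message(subject: str, body: str, attachment_name: str = "", size: int = 0) -> bytes:
    """Construct a sample message for testing (constructed data; the attachment is inert filler)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "colleague@example.com", "you@example.com", subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"\0" * size, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

LURE = build_message("FW: Microsoft security update.", "Please apply the attached file to your "
                     "Windows computer\nMicrosoft Support", "msmapiupdate.exe", WORM_SIZE)
CLEAN = build_message("Minutes from Tuesday", "Attached as promised.", "minutes.txt", 40)
```

Each returned reason is independently useful as a filter rule; a gateway would typically act on the Microsoft-plus-attachment rule alone, since the alert expects subjects and attachment names to change between variants.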
It adds the following keys in the registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede]
with value "C:\Rede.exe"

[HKLM\Software\Microsoft\Windows\CurrentVersion\ErrorHandling\Error]
with value "True"

Payload:

On 11/11/2001 it will add the following lines to c:\autoexec.bat:

ECHO Bide ye the Wiccan laws ye must, In perfect love and perfect trust.
format C: /autotest

so that after reboot it will automatically format drive C.

The virus contains the following Unicode strings:
When misfortune is enow, wear the blue star on thy brow.
True in love ye must ever be, lest thy love be false to thee.
These words the Wiccan Rede fulfill: An ye harm none, do what ye will.
Rede(c)Si 2001 ... heh, want my phone number too ?!?
Sick of all thes 3rd world gits spreading worms. Time for a bit of Welsh stuff :)

Similar Versions
================
REDE, UCON or Dark Machine Details:
The worm arrives as a .exe attachment with varying names.  The subject
line also varies, but the body of the message stays the same:

Message Body:
======
heh. I tell ya this is nuts ! You gotta check it out !
======
Subject lines observed so far include:
======
Kev Gives great orgasms to ladeez!! -- Kev
I don't want to write anything but Si is bullying me. -- Jim
Scientists have found traces of the HIV virus in cow's milk...here is
the proof -- Will
A new type of Lager / Weed variant...... sorted !
I want to live in a wooden house -- Arwel
======

The names in the subject lines may or may not be related to the name
of the person sending the email.

The .exe attachment names vary, but the list of ones seen so far is:
=====
Common.exe
Rede.exe
UserConf.exe
Si.exe
=====
Regmon shows that the worm changed two registry keys:

739     59.36779760     Userconf        SetValueEx
HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\ClockSequence
SUCCESS 0xA2E

740     59.36783360     Userconf        SetValueEx
HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\LastTimeAllocated
SUCCESS 40 D3 9C 15 EB C

These don't appear to be hostile behavior--these keys seem to be changed by
other programs as well.

It did access, but apparently did not attempt to write to, WIN.INI.

It created a temporary binary file at C:\WINDOWS\TEMP\~DFE855.TMP (this
was a Win98 machine). It is not a copy of the worm, as it is significantly smaller.

It contains the following text strings:

Root Entry
rn1org

It creates the following files:

411  0.00014800     Userconf  Write      C:\COMMON.EXE  SUCCESS
Offset: 0 Length: 10240

428  0.00018800     Userconf  Write      C:\REDE.EXE    SUCCESS
Offset: 0 Length: 10240

445  0.00018960     Userconf  Write      C:\SI.EXE      SUCCESS
Offset: 0 Length: 10240

462  0.00018480     Userconf  Write      C:\USERCONF.EXE     SUCCESS
Offset: 0 Length: 10240

479  0.00018320     Userconf  Write      C:\DISK.EXE    SUCCESS
Offset: 0 Length: 10240

The files other than DISK.EXE are already known to be possible names of
email attachments.  All the files are identical copies of the worm.

The worm then launches Outlook and attempts to send copies of itself
out.
- - -----------------------------------------------------------------------------
For additional information or assistance, please contact the UNIRAS Help
Desk by telephone, or send Not Protectively Marked information by
e-mail to:

uniras@niscc.gov.uk
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

UNIRAS material is also available from our website at www.uniras.gov.uk
- - -----------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Message labs for some of the
information contained in this alert.
- - -----------------------------------------------------------------------------
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS.  The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

UNIRAS shall also accept no responsibility for any errors or omissions
contained within this alert notice. In particular, UNIRAS shall not be
liable for any loss or damage whatsoever, arising from or in connection with
the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- - -----------------------------------------------------------------------------

<End of UNIRAS Alert>


- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----