AUSCERT External Security Bulletin Redistribution

                    ESB-2001.438 -- UNIRAS Alert -18/01
                        Malicious Software reports
                              19 October 2001


        AusCERT Security Bulletin Summary

Product:                Outlook
                        Outlook Express
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
                        Access Privileged Data

- --------------------------BEGIN INCLUDED TEXT--------------------


- - -----------------------------------------------------------------------------
 UNIRAS (UK Govt CERT) Alert Notice – 18/01 dated 18.10.01 Time: 16:00
 UNIRAS Alerts are also available from our website at www.uniras.gov.uk
- - -----------------------------------------------------------------------------
Malicious Software warning

Systems affected
Outlook and Outlook Express using local and global address books and running
Windows operating systems.

Virus Name
At present the virus has been named W32/eder, however this is a temporary name
and is likely to change once the major Anti Virus manufacturers release definition
files. This virus is similar to REDE, -A.K.A Dark Machine or UCON-, which is also
new. W32/eder is different despite it accessing some of the same registry keys and
using some of the same names for the attachments. For clarity the details of REDE
A.K.A. UCON or Dark Machine are included at the end of this Alert. It is thought
that these two viruses are made by the same person and released at approximately the
same time in an effort to ensure as wide a spread as possible. Several versions of
what was originally W32/eder have already been observed and more are likely.

To the best of our knowledge Microsoft do not send out patches to normal users, they
rely entirely on the user visiting the Microsoft sites to obtain the relevant patches.
Therefore any Email that contains attachments purporting to come from Microsoft will
be false. It is best therefore to block any emails purporting to come from Microsoft
with attachments.
Ensure that users do not open .exe attachments.
Update Anti virus definition files as soon as they become available.
Have in place procedures for limiting the spread of a virus should the normal security
procedures fail and a system becomes infected.

This is an Internet Worm that spreads through e-mail.
During the early hours of the 18th of October anti virus discussion groups that are
monitored by UNIRAS were reporting the emergence of a new virus. This virus may have
the potential to spread rapidly due to the clever use of social engineering techniques;
the email with the virus attachment purports to be a new patch from Microsoft that will
help protect a system from viruses that spread via Outlook and Outlook Express address
books (which are often the same address book).

Type: Internet Worm written in Visual Basic 6
Size: 12288 bytes

The email will probably arrive with one of the following subject headers.
  FW: Security Update by Microsoft.
  FW: Microsoft security update.
  FW: IT departments on state of HIGH ALERT.
  FW: Important news from Microsoft.
  FW: Stop terrorists computer viruses reign.
  FW: Terrorists release computer virus.
  FW: Emergency response from Microsoft Corp.
  FW: Terrorist Emergency. Latest virus can wipe disk in minutes.
  FW: Microsoft Update. Final Release Candidate.
  FW: New computer virus.

The likely text will read as follows, but please do not rely on this being entirely
accurate as it is possible that this virus may appear using different text. These
viruses often have the ability to mutate quite considerably and this is one of the
first copies seen.

  Just recieved this in my email
  I have contacted Microsoft and they say it's real !
  -----Original Message-----
  From: Microsoft Support Desk [mailto:Support@microsoft.com]
  Sent: 17 October 2001 15:21
  Subject: Security Update
  Due to the recent spate of email spread computer viruses
  Microsoft Corp has released a security patch.
  Please apply the attached file to your Windows computer
  to stop any futher spread or these malicious programs.
  Microsoft Support

Attachment names:

It adds the following keys in registry:

with value “C:Rede.exe”

with value “True”

On 11/11/2001 it will add the following lines to c:autoexec.bat:

ECHO Bide ye the Wiccan laws ye must, In perfect love and perfect trust.
format C: /autotest so after reboot it will format automatically the drive C.

The virus contains the following Unicode strings:
When misfortune is enow, wear the blue star on thy brow.
True in love ye must ever be, lest thy love be false to thee.
These words the Wiccan Rede fulfill: An ye harm none, do what ye will.
Rede(c)Si 2001 ... heh, want my phone number too ?!?
Sick of all thes 3rd world gits spreading worms. Time for a bit of Welsh stuff :)

***********Similar Versions****************************************
REDE, UCON or Dark Machine Details:
The worm arrives as a .exe attachment with varying names.  The subject
line also varies, but the body of the message stays the same:

Message Body:
heh. I tell ya this is nuts ! You gotta check it out !
Subject lines observed so far include:
Kev Gives great orgasms to ladeez!! -- Kev
I don't want to write anything but Si is bullying me. -- Jim
Scientists have found traces of the HIV virus in cow's milk...here is
the proof -- Will
A new type of Lager / Weed variant...... sorted !
I want to live in a wooden house -- Arwel

The names in the subject lines may or may not be related to the name
of the person sending the email.

The .exe attachment names vary, but the list of ones that seen
So far is:
Regmon shows that the worm changed two registry keys:

739     59.36779760     Userconf        SetValueEx

740     59.36783360     Userconf        SetValueEx
SUCCESS 40 D3 9C 15 EB C

These don't appear to be hostile behavior--these keys seem to be changed by
other programs as well.

It did access, but apparently did not attempt to write to, WIN.INI.

It created a temporary binary file at C:WINDOWSTEMP~DFE855.TMP (this
was a Win98 machine). It is not a copy of the worm, as it is significantly smaller.

It contains the following text strings:

Root Entry

It creates the following files:

411  0.00014800     Userconf  Write      C:COMMON.EXE  SUCCESS
Offset: 0 Length: 10240

428  0.00018800     Userconf  Write      C:REDE.EXE    SUCCESS
Offset: 0 Length: 10240

445  0.00018960     Userconf  Write      C:SI.EXE      SUCCESS
Offset: 0 Length: 10240

462  0.00018480     Userconf  Write      C:USERCONF.EXE     SUCCESS
Offset: 0 Length: 10240

479  0.00018320     Userconf  Write      C:DISK.EXE    SUCCESS
Offset: 0 Length: 10240

The files other than DISK.EXE are already known to be possible names of
email attachments.  All the files are identical copies of the worm.

The worm then launches Outlook and attempts to send copies of itself
- - -----------------------------------------------------------------------------
For additional information or assistance, please contact the UNIRAS HELP
Desk by telephone or Not Protectively Marked information may be sent via
EMail to:

Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

UNIRAS material is also available from our website at www.uniras.gov.uk
- - -----------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Message labs for some of the
information contained in this alert.
- - -----------------------------------------------------------------------------
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS.  The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

UNIRAS shall also accept no responsibility for any errors or omissions
contained within this alert notice. In particular, UNIRAS shall not be
liable for any loss or damage whatsoever, arising from or in connection with
the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- - -----------------------------------------------------------------------------

<End of UNIRAS Alert>

Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key