-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2001.438 -- UNIRAS Alert -18/01
                      Malicious Software reports
                            19 October 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                Outlook
                        Outlook Express
Operating System:       Windows
Impact:                 Execute Arbitrary Code/Commands
                        Access Privileged Data

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - -----------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Alert Notice - 18/01 dated 18.10.01  Time: 16:00
UNIRAS Alerts are also available from our website at www.uniras.gov.uk
- - -----------------------------------------------------------------------------

Title
=====

Malicious Software warning

Systems affected
================

Outlook and Outlook Express using local and global address books and
running Windows operating systems.

Virus Name
==========

At present the virus has been named W32/eder; however, this is a temporary
name and is likely to change once the major Anti Virus manufacturers
release definition files.

This virus is similar to REDE (a.k.a. Dark Machine or UCON), which is also
new. W32/eder is different despite it accessing some of the same registry
keys and using some of the same names for the attachments. For clarity the
details of REDE a.k.a. UCON or Dark Machine are included at the end of this
Alert. It is thought that these two viruses are made by the same person and
released at approximately the same time in an effort to ensure as wide a
spread as possible. Several versions of what was originally W32/eder have
already been observed and more are likely.
Advice
======

To the best of our knowledge Microsoft do not send out patches to normal
users; they rely entirely on the user visiting the Microsoft sites to obtain
the relevant patches. Therefore any e-mail that contains attachments
purporting to come from Microsoft will be false. It is best therefore to
block any e-mails purporting to come from Microsoft with attachments.

Ensure that users do not open .exe attachments.

Update Anti Virus definition files as soon as they become available.

Have in place procedures for limiting the spread of a virus should the
normal security procedures fail and a system becomes infected.

Detail
======

This is an Internet Worm that spreads through e-mail.

During the early hours of the 18th of October anti virus discussion groups
that are monitored by UNIRAS were reporting the emergence of a new virus.
This virus may have the potential to spread rapidly due to the clever use
of social engineering techniques: the e-mail with the virus attachment
purports to be a new patch from Microsoft that will help protect a system
from viruses that spread via Outlook and Outlook Express address books
(which are often the same address book).

Type: Internet Worm written in Visual Basic 6
Size: 12288 bytes

The e-mail will probably arrive with one of the following subject headers.

Subject:
FW: Security Update by Microsoft.
FW: Microsoft security update.
FW: IT departments on state of HIGH ALERT.
FW: Important news from Microsoft.
FW: Stop terrorists computer viruses reign.
FW: Terrorists release computer virus.
FW: Emergency response from Microsoft Corp.
FW: Terrorist Emergency. Latest virus can wipe disk in minutes.
FW: Microsoft Update. Final Release Candidate.
FW: New computer virus.

The likely text will read as follows, but please do not rely on this being
entirely accurate as it is possible that this virus may appear using
different text. These viruses often have the ability to mutate quite
considerably and this is one of the first copies seen.
Text:

Just recieved this in my email I have contacted Microsoft and they say it's
real !

-----Original Message-----
From: Microsoft Support Desk [mailto:Support@microsoft.com]
Sent: 17 October 2001 15:21
Subject: Security Update

Due to the recent spate of email spread computer viruses Microsoft Corp has
released a security patch. Please apply the attached file to your Windows
computer to stop any futher spread or these malicious programs.

Microsoft Support

Attachment names:
msmapiupdate.exe
Common.exe
Rede.exe
Si.exe
UserConf.exe
disk.exe

It adds the following keys in the registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rede] with value "C:\Rede.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\ErrorHandling\Error] with value "True"

Payload:

On 11/11/2001 it will add the following lines to c:\autoexec.bat:

ECHO Bide ye the Wiccan laws ye must, In perfect love and perfect trust.
format C: /autotest

so that after the next reboot drive C is formatted automatically.

The virus contains the following Unicode strings:

When misfortune is enow, wear the blue star on thy brow.
True in love ye must ever be, lest thy love be false to thee.
These words the Wiccan Rede fulfill: An ye harm none, do what ye will.
Rede(c)Si 2001 ... heh, want my phone number too ?!?
Sick of all thes 3rd world gits spreading worms.
Time for a bit of Welsh stuff :)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
***********Similar Versions****************************************

REDE, UCON or Dark Machine

Details:

The worm arrives as a .exe attachment with varying names. The subject line
also varies, but the body of the message stays the same:

Message Body:
======
heh. I tell ya this is nuts ! You gotta check it out !
======

Subject lines observed so far include:
======
Kev Gives great orgasms to ladeez!!  -- Kev
I don't want to write anything but Si is bullying me.  -- Jim
Scientists have found traces of the HIV virus in cow's milk...here is the proof  -- Will
A new type of Lager / Weed variant......
sorted !
I want to live in a wooden house  -- Arwel
======

The names in the subject lines may or may not be related to the name of the
person sending the e-mail.

The .exe attachment names vary, but the list of those seen so far is:
=====
Common.exe
Rede.exe
UserConf.exe
Si.exe
=====

Regmon shows that the worm changed two registry keys:

739 59.36779760 Userconf SetValueEx HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\ClockSequence SUCCESS 0xA2E
740 59.36783360 Userconf SetValueEx HKLM\Software\Description\Microsoft\Rpc\UuidPersistentData\LastTimeAllocated SUCCESS 40 D3 9C 15 EB C

These don't appear to be hostile behaviour; these keys seem to be changed by
other programs as well.

It did access, but apparently did not attempt to write to, WIN.INI.

It created a temporary binary file at C:\WINDOWS\TEMP\~DFE855.TMP (this was
a Win98 machine). It is not a copy of the worm, as it is significantly
smaller. It contains the following text strings:

Root Entry
rn1org

It creates the following files:

411 0.00014800 Userconf Write C:\COMMON.EXE SUCCESS Offset: 0 Length: 10240
428 0.00018800 Userconf Write C:\REDE.EXE SUCCESS Offset: 0 Length: 10240
445 0.00018960 Userconf Write C:\SI.EXE SUCCESS Offset: 0 Length: 10240
462 0.00018480 Userconf Write C:\USERCONF.EXE SUCCESS Offset: 0 Length: 10240
479 0.00018320 Userconf Write C:\DISK.EXE SUCCESS Offset: 0 Length: 10240

The files other than DISK.EXE are already known to be possible names of
e-mail attachments. All the files are identical copies of the worm.

The worm then launches Outlook and attempts to send copies of itself out.
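As an added example (not part of the UNIRAS alert or the AusCERT bulletin, and not the worm's own code), the Python script below turns the indicators in this alert into two checks: a mail-gateway triage that applies the Advice section (the listed subject lines and attachment names, any .exe attachment, and anything purporting to come from Microsoft while carrying an attachment), and a parser for Regmon/Filemon records like those quoted above that flags a Run-key write, executables dropped into the root of a drive and a write to autoexec.bat while leaving the Rpc UuidPersistentData writes alone, as the alert says they are benign. The sample message and log lines are constructed for the demo: the e-mail addresses are placeholders, and the Run-key record is built from the key listed for W32/eder rather than taken from a captured trace.

```python
"""Triage the indicators in the UNIRAS W32/eder / REDE alert.

Added example, not code from UNIRAS, AusCERT or the worm's author. Indicator
values come from the alert; the sample mail and monitor log are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines and attachment names listed in the alert (lower-cased).
WORM_SUBJECTS = {s.lower() for s in (
    "FW: Security Update by Microsoft.", "FW: Microsoft security update.",
    "FW: IT departments on state of HIGH ALERT.", "FW: Important news from Microsoft.",
    "FW: Stop terrorists computer viruses reign.", "FW: Terrorists release computer virus.",
    "FW: Emergency response from Microsoft Corp.", "FW: New computer virus.",
    "FW: Terrorist Emergency. Latest virus can wipe disk in minutes.",
    "FW: Microsoft Update. Final Release Candidate.")}
WORM_ATTACHMENTS = {"msmapiupdate.exe", "common.exe", "rede.exe", "si.exe",
                    "userconf.exe", "disk.exe"}
RUN_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run\\"


def triage_message(raw: bytes) -> list[str]:
    """Return the reasons to quarantine a message (empty list = let it through)."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = " ".join((msg["Subject"] or "").split()).lower()
    if subject in WORM_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    for name in names:
        if name.lower().endswith(".exe"):
            reasons.append(f"executable attachment: {name}")
        if name.lower() in WORM_ATTACHMENTS:
            reasons.append(f"known worm attachment name: {name}")
    # The alert's rule: mail claiming to come from Microsoft with an attachment
    # is false.  The worm forwards the lure, so the claim sits in the body, not
    # the From header; a header-only rule misses it.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    claims_microsoft = ("microsoft.com" in (msg["From"] or "").lower()
                        or "support@microsoft.com" in body)
    if names and claims_microsoft:
        reasons.append("purports to come from Microsoft and carries an attachment")
    return reasons


# Constructed copy of the lure: a user forwarding the fake Microsoft patch.
LURE_BODY = """Just recieved this in my email I have contacted Microsoft
and they say it's real !
-----Original Message-----
From: Microsoft Support Desk [mailto:Support@microsoft.com]
Please apply the attached file to your Windows computer.
"""


def build_sample_message() -> bytes:
    m = EmailMessage()
    m["From"] = "Alice Example <alice@example.net>"  # placeholder sender
    m["To"] = "bob@example.net"
    m["Subject"] = "FW: Security Update by Microsoft."
    m.set_content(LURE_BODY)
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="msmapiupdate.exe")
    return m.as_bytes()


# Regmon and Filemon share one column layout: seq time process request path
# result [other].  Paths containing spaces would need a smarter split.
MONITOR_LINE = re.compile(r"^\s*(?P<seq>\d+)\s+[\d.]+\s+\S+\s+(?P<req>\w+)\s+"
                          r"(?P<path>\S+)\s+(?P<result>\w+)(?:\s+.*)?$")


def triage_monitor_log(text: str) -> list[tuple[int, str, str]]:
    """Flag (seq, finding, path) for records matching the worm's behaviour."""
    findings = []
    for line in text.splitlines():
        m = MONITOR_LINE.match(line)
        if not m or m["result"] != "SUCCESS":
            continue
        seq, req, path = int(m["seq"]), m["req"], m["path"]
        low = path.lower()
        # Writes under Rpc\UuidPersistentData are left alone: the alert notes
        # other programs change those values too.
        if req == "SetValueEx" and low.startswith(RUN_KEY):
            findings.append((seq, "persistence via Run key", path))
        elif req == "Write" and re.fullmatch(r"[a-z]:\\[^\\]+\.exe", low):
            findings.append((seq, "executable dropped in drive root", path))
        elif req == "Write" and low.endswith("\\autoexec.bat"):
            findings.append((seq, "autoexec.bat modified (format payload)", path))
    return findings


# Constructed log: lines 411/428/739 follow the alert's records, 740/741 are
# built from the Run key and autoexec.bat payload the alert describes.
SAMPLE_LOG = """\
411 0.00014800 Userconf Write C:\\COMMON.EXE SUCCESS Offset: 0 Length: 10240
428 0.00018800 Userconf Write C:\\REDE.EXE SUCCESS Offset: 0 Length: 10240
739 59.36779760 Userconf SetValueEx HKLM\\Software\\Description\\Microsoft\\Rpc\\UuidPersistentData\\ClockSequence SUCCESS 0xA2E
740 59.40000000 Userconf SetValueEx HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Rede SUCCESS "C:\\Rede.exe"
741 59.50000000 Userconf Write C:\\AUTOEXEC.BAT SUCCESS Offset: 0 Length: 96
"""

if __name__ == "__main__":
    for reason in triage_message(build_sample_message()):
        print("mail:", reason)
    for seq, finding, path in triage_monitor_log(SAMPLE_LOG):
        print(f"host: #{seq} {finding}: {path}")
```

Note that the worm's From header is the forwarding victim, not Microsoft; the "from Microsoft" claim lives in the forwarded body, so a gateway rule keyed on the header alone passes it, which is why the check reads both. On the host side the interesting record is the SetValueEx under CurrentVersion\Run, not the UuidPersistentData writes that Regmon also shows.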
- - -----------------------------------------------------------------------------

For additional information or assistance, please contact the UNIRAS HELP
Desk by telephone, or Not Protectively Marked information may be sent via
e-mail to:

EMail: uniras@niscc.gov.uk
Tel:   020 7821 1330 Ext 4511
Fax:   020 7821 1686

UNIRAS material is also available from our website at www.uniras.gov.uk

- - -----------------------------------------------------------------------------

UNIRAS wishes to acknowledge the contributions of Message Labs for some of
the information contained in this alert.

- - -----------------------------------------------------------------------------

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

UNIRAS shall also accept no responsibility for any errors or omissions
contained within this alert notice. In particular, UNIRAS shall not be
liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
- - -----------------------------------------------------------------------------

<End of UNIRAS Alert>

- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQCVAwUBO87r8opao72zK539AQGvMgQAnT93aSZoimFBJr2cxpWprRksidj6YhTZ
yKlauXEovuHUsAsAAY4U9J8Aj51Re1O7PnKkcy91gDB1YUNdSwRUen6Z/eioneRF
Od0jKDA1hfs6o0l5/4NYC5yDx3bx33ARC3b20DTnzp9AnsrIF5iA4rbL0WQ+y7P9
vfKp5U55d0s=
=3pWw
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO9BNryh9+71yA2DNAQFHxgP/WAanp/Syqb9RobjqGy4PeJ9fjJ3wvaLT
xxYUg9G9trvWw/peP3CVVmGsm5tfKT3L0f3a6MuyV9aJDoQvwshV4ILVLdu0rICK
mDr8MepfOKMhreHyoGSpWbgTnd5TPKyqI6eT1NoSLohgFeqM6OlegXkPK4wifzwe
kVggEtc+0Jc=
=mTJW
-----END PGP SIGNATURE-----