Internet Security Update

Udhay Shankar N udhay@pobox.com
Sun, 10 Mar 2002 22:38:38 +0530


At 08:28 AM 3/10/02 -0800, Gregory Alan Bolcer wrote:
>I'm still getting used the idea that Microsoft is
>sending out non-signed .exe files in direct mailings
>to customers for security fixes--particularly after the
>Verisign debacle last year when they issued a root
>certificate for someone pretending to be Microsoft.
>
>Isn't there a better way to do this?

You've been social engineered. See below.

Udhay

>Date: Sat, 9 Mar 2002 13:44:32 -0400
>From: "David Farber" <dfarber@earthlink.net>
>Importance: Normal
>Subject: BEWARE! It's a WORM! Re: IP: The next step in malicious spam
>To: ip-sub-1@majordomo.pobox.com
>
>
>-----Original Message-----
>From: Ari Ollikainen <Ari@OLTECO.com>
>Date: Sat, 09 Mar 2002 09:20:13
>To: farber@cis.upenn.edu
>Subject: BEWARE! It's a WORM! Re: IP: The next step in malicious spam
>
> >-----Original Message-----
> >From: Joe Faber <joefaber@alumni.princeton.edu>
> >Date: Sat, 09 Mar 2002 11:28:46
> >To: <farber@cis.upenn.edu>
> >Subject: The next step in malicious spam
> >
> >Dave,
> >I'm used to ignoring spam, but this morning I woke up to find that I
> >received no fewer than three 160K+ .exe attachments in my inbox
> >purporting to be from Microsoft. The were from the "Microsoft
> >Corporation Security Center" and used "Internet Security Update" as
> >their subject heading. The email explains that the attached patch is
> >the "5 Mar 2002 Cumulative Patch which eliminates all Ms
> >Outlook/Express as well as six new vulnerabilities" [sic]. It goes
> >on to list some of the specific vulnerabilities and system
> >requirements. They even provide a link to a Microsoft security
> >website (where I couldn't find any mention of the patch).
>
>         Read the following http://zdnet.com.com/2100-1105-853235.html
>
>         and act accordingly.
>
>"...
>Gibe worm poses as a Microsoft update
>
>By Robert Vamosi
>ZDNet Reviews & Solutions
>March 6, 2002, 9:00 AM PT
>
>What appears to be a new security update from Microsoft is actually a
>clever attempt by a virus writer to spread a worm. Gibe (w32.gibe@mm)
>is a nondestructive worm written in Visual Basic that attempts to
>mass-mail itself to everyone in an address book. Fortunately, the
>infected e-mail is plagued with spelling errors and should be easy to
>spot. Because this worm is not destructive and only sends e-mail to
>others, Gibe ranks as a 4 on the ZDNet Virus Meter.
>
>[...]
>
>
>The attached file is q216309.exe (122,880 bytes), which appears to be
>a Microsoft Knowledge Base entry (it is not).
>
>Users of non-Windows systems are not affected by this worm. If a
>Windows user opens the attached file, Gibe will make the following
>changes to the Registry:
>
>HKLMSoftwareAVTechSettingsDefault Address = (default address)
>HKLMSoftwareAVTechSettingsDefaultServer = (default server)
>HKLMSoftwareAVTechSettingsInstalled = ...by Begbie 
>HKLMSoftwareMicrosoftWindows
>CurrentVersionRun3dfx Acc = (path to gfxacc.exe) HKLMSoftwareMicrosoftWindows
>CurrentVersionRunLoadDBackup = (path to bctool.exe)
>
>These changes allow Gibe to install a backdoor Trojan horse that
>becomes active every time the computer is rebooted. Gibe will also
>create the following files in the Windows directory:
>
>bctool.exe (32,768 bytes) - the mass-mailing component
>winnetw.exe (20,480 bytes)- e-mail address finding component
>q216309.exe (122,880 bytes  - a copy of the worm
>vtnmsccd.dll (122,880 bytes) - a copy of the worm
>gfxacc.exe (20,480 bytes) - the Trojan horse component
>
>The file gfxacc.exe is the backdoor Trojan horse that could allow
>malicious users into a PC. Alert users who monitor their systems with
>a firewall may notice unusual traffic on port 12387 as a result of
>Gibe.
>
>Prevention
>
>Users of Microsoft Outlook 2002 and users of Outlook 2000 who have
>installed the Security Update should be safe from the EXE attachment
>included with Gibe. Users who have not upgraded to Outlook 2002 or who
>have not installed the Security Update for Outlook 2000 should do so.
>In general, do not open attached files in e-mail without first saving
>them to hard disk and scanning them with updated antivirus software.
>Contact your antivirus vendor to obtain the most current antivirus
>signature files that include Gibe.
>
>Removal
>
>A few antivirus software companies have updated their signature files
>to include this worm. This will stop the infection upon contact and
>in some cases will remove an active infection from your system. For
>more information, see McAfee, Sophos, Symantec, and Trend Micro..."
>
>---------------------------------------------------------------------
>Dilbert's words of wisdom #18: Never argue with an idiot. They drag
>you down to their level then beat you with experience.
>---------------------------------------------------------------------
>         OLTECO                    Ari Ollikainen
>         P.O. BOX 20088            Networking Architecture and Technology
>         Stanford, CA              Ari@OLTECO.com
>         94309-0088                415.517.3519
>
>For archives see:
>http://www.interesting-people.org/archives/interesting-people/



--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
      God is silent. Now if we can only get Man to shut up.