[jhb_airlines] Re: Nasty trick time again

  • From: gwinsk@xxxxxxx
  • To: jhb_airlines@xxxxxxxxxxxxx
  • Date: Tue, 10 Aug 2004 07:00:11 +0100

I've had a similar one. Deleted it but it doesn't appear in the Deleted folder. 
Off to 
update AVG database.

Gerry Winskill
gwinsk@xxxxxxx



On 10 Aug 2004 at 4:17, Bones wrote:

> I got an email tonight from Gerry Winskill - or so it purported to be.
> The address was kosher but the header and content of the message both
> contained just one word - "Price". As there was an attachment I
> immediately isolated it for further examination.
> 
> The attachment was called NewPrice.zip and it contained one html file
> and an EXE. Both passed the virus checks so I then opened the html
> file in Notepad. Lo and behold it was an interesting bit of Java
> script which played around with the Registry and tried to pass itself
> off as a Windows Update file.
> 
> The EXE file was also scrutinised and it was pretty grim too. Although
> only 5K it had enough in it to either block or take over most
> firewalls and contained a huge list of dodgy web site URL's. You know
> the sort of thing - Russian Brides, Rumanian teenagers, bestiality
> sites etc.
> 
> An hour later I got an almost identical email except that it had a
> New_Price.zip file in it. Contents were otherwise identical.
> 
> The warning is plain yet again. Don't open any emails (even from other
> people on this list) unless you are expecting a private message and
> you KNOW they are sending an attachment with it.
> 
> 
> IMPORTANT UPDATE..
> 
> I have just finished downloading the latest update to my virus
> checking program (and I mean the very latest as I downloaded an update
> around 1700 last night) and have run it on the ZIP files. Both come up
> with the same result:
> 
> i:\documents and settings\bones\desktop\new__price.zip>price/price.htm
> - JS.Bagle.AG worm. i:\documents and
> settings\bones\desktop\new__price.zip>price/price.exe - Win32.Bagle.AG
> worm.
> 
> It's a new version of the Bagel/Bagle worm released in the last 24
> hours - possibly to beat the WinXP Service Upgrade 2 or maybe just
> co-incidence. Here's the official description.
> 
> 
> -------------------------------------------------------------------
> "Bagle.AG consists of several components; the worm executable, an HTML
> file, an EXE dropper and a .DLL that contains a routine to download
> the worm.
> 
> The EXE dropper is 14,848 bytes in size.
> 
> The DLL that will be injected into Explorer.exe process is 11,776
> bytes. Subsequent activities by the malware will appear to have
> originated from Explorer.exe.
> 
> The dropper downloads the worm from a list of 204 different URLs, all
> pointing to a file named 2.JPG.  The file is downloaded to the
> %Windows% directory as "~.exe" and executed.  The downloaded file is a
> 19,460-byte PEX-compressed Win32 executable.
> 
> The HTML contains code to activate PRICE.EXE.
> 
> Once the EXE dropper is activated, it copies itself to the %System%
> directory as "WINdirect.exe", and drops the DLL component as
> "_DLL.EXE". It then creates a remote thread in Explorer.exe process to
> execute the DLL component.
> 
> The following registry values are created to run the EXE dropper when
> Windows starts:
> 
> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe =
> "%System%\WINdirect.exe"
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe =
> "%System%\WINdirect.exe"
> 
> When executed, the worm copies itself to: 
> 
> %System%\windll.exe
> 
> and modifies the registry to ensure that this copy is executed at each
> Windows start:
> 
> HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru1n\erthgdr =
> "%System%\windll.exe"
> ------------------------------------------------
> 
> OK - it's not nice. Don't get caught.
> 
> 
> HC@xxxxxxxxxx
> http://fsaviation.net
> 
> 



Other related posts: