[SECURITY-L] CERT Incident Note IN-2002-01

Daniela Regina Barbetti daniela at ccuec.unicamp.br
Wed Jan 30 15:28:33 -02 2002


----- Forwarded message from Cristine Hoepers <cristine at nic.br> -----

From: Cristine Hoepers <cristine at nic.br>
Subject: [S] CERT Incident Note IN-2002-01
To: seguranca at pangeia.com.br
Date: Wed, 30 Jan 2002 11:20:44 -0200
X-Mailer: Mutt 1.0.1i


[http://www.cert.org/incident_notes/IN-2002-01.html]

CERT® Incident Note IN-2002-01

   The CERT Coordination Center publishes incident notes to provide
   information about incidents to the Internet community.
   
W32/Myparty Malicious Code

   Release Date: January 28, 2002
   
   A complete revision history can be found at the end of this file.
   
Systems Affected

     Systems running Microsoft Windows
   
Overview

   "W32/Myparty" is malicious code written for the Windows platform that
   spreads as an email file attachment. The malicious code makes use of
   social engineering to entice a user to execute it. The W32/Myparty
   payload is non-destructive.
   
   As of 16:00 EST (UTC-0500) January 28, 2002 the CERT/CC has received
   reports of W32/Myparty from several dozen individual sites.
   
I. Description

   Analysis of the W32/Myparty malicious code indicates that it is a
   Windows binary spreading via an email message with the following
   characteristics:
   
     SUBJECT: new photos from my party!
     
     BODY:
     Hello!
     
     My party... It was absolutely amazing!
     I have attached my web page with new photos!
     If you can please make color prints of my photos. Thanks!
     
     ATTACHMENT: www.myparty.yahoo.com
     
   The attached file name containing the malicious code,
   www.myparty.yahoo.com, was carefully chosen to entice the email
   recipient to open and (in most email clients) run the attachment. This
   social engineering exploits the fact that .com is both an executable
   file extension in Windows and a top-level domain (TLD).
   
   We have seen two variants of www.myparty.yahoo.com as follows:
   
   Filename = www.myparty.yahoo.com
   MD5 checksum = 43fc3f274372f548b7e6c14af45e0746
   File size = 30172
   
   Filename = www.myparty.yahoo.com
   MD5 checksum = 221c47432e70b049fce07a6ca85ca7dd
   File size = 29701
   
   Both files take the same actions when executed:
     * the file msstask.exe is created in the current user's profile
       Startup folder (\Start Menu\Programs\Startup) and is immediately
       executed. It will also be executed every time the Windows user
       logs into the system.
       Filename = msstask.exe
       MD5 checksum = cda312b5364bbaddcd2c2bf3ceb4e6cd
       File size = 6144
     * on Windows 9x computers, a copy of www.myparty.yahoo.com is
       written to C:\Recycled\REGCTRL.EXE. On Windows NT computers, this
       copy is placed in either C:\REGCTRL.EXE or a newly created random
       directory in the C:\Recycled folder. This copy is subsequently
       executed.
     * an email message is sent to a predefined address with a subject
       line giving the folder where the W32/Myparty malicious code was
       stored on the victim machine. When sending this message,
       W32/Myparty identifies itself to the SMTP server with the literal
       command HELO HOST.
     * the current user's default SMTP server is retrieved from the
       following registry key:
       
     HKEY_CURRENT_USER\Software\Microsoft\Internet Account
     Manager\Accounts\00000001
     * the hard drive is scanned for Windows Address Book (.WAB) files
       and Outlook Express inboxes and folders (.DBX) in order to harvest
       email addresses.
     * copies of the malicious code are emailed to all the email
       addresses it could find.
       
   Outside analysis indicates that this final mass-mailing step may be
   time-dependent: the code may only send itself when the clock on the
   victim machine reads January 25-29. It is the experience of the
   CERT/CC that variants of malicious code often occur, so this time
   trigger may not apply to every sample.
   
   Other outside analysis also indicates that the default web browser may
   be launched to a particular URL under certain circumstances.
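   The dropped-file names, MD5 checksums and drop locations listed above
   are the host-side indicators an incident responder would sweep for.
   The following Python script is an added example, not part of the CERT
   note, that walks a directory tree and flags files whose name or MD5
   matches the indicators published above. The "executable inside a
   Recycled folder" heuristic goes beyond the note and is an assumption
   drawn from its description of the Windows NT drop location; the sample
   tree the script builds contains constructed placeholder files, not the
   malware.

```python
"""Sweep a directory tree for the W32/Myparty artifacts listed in IN-2002-01.

Added example; hashes and file names are taken from the note, the
Recycled-folder heuristic is an assumption that goes beyond it.
"""
import hashlib
import os
import tempfile

# MD5 checksums exactly as published in the note.
MYPARTY_MD5 = {
    "43fc3f274372f548b7e6c14af45e0746": "www.myparty.yahoo.com (30172 bytes)",
    "221c47432e70b049fce07a6ca85ca7dd": "www.myparty.yahoo.com (29701 bytes)",
    "cda312b5364bbaddcd2c2bf3ceb4e6cd": "msstask.exe (6144 bytes)",
}

# Names the note says the code drops; matched case-insensitively because
# Windows file systems are case-insensitive.
MYPARTY_NAMES = {"www.myparty.yahoo.com", "msstask.exe", "regctrl.exe"}


def md5_of(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name, digest, parent_dirs=()):
    """Return the reasons a file matches the note's indicators ([] if none)."""
    lname = name.lower()
    reasons = []
    if lname in MYPARTY_NAMES:
        reasons.append("name matches a file W32/Myparty drops")
    if digest in MYPARTY_MD5:
        reasons.append("md5 matches " + MYPARTY_MD5[digest])
    # Assumption beyond the note: on NT the copy lands in a random
    # directory under Recycled, so any executable there deserves a look.
    if lname.endswith(".exe") and "recycled" in (d.lower() for d in parent_dirs):
        reasons.append("executable inside a Recycled folder")
    return reasons


def sweep(root):
    """Walk root and return (relative path, reasons) for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parents = os.path.relpath(dirpath, root).split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:  # locked or vanished file: skip it, keep sweeping
                continue
            reasons = classify(name, digest, parents)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return findings


def demo():
    """Build a constructed tree of harmless placeholder files and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            os.path.join("Start Menu", "Programs", "Startup", "msstask.exe"):
                b"placeholder, not the sample",
            os.path.join("Recycled", "Dc1a7f", "DROP.EXE"): b"placeholder",
            os.path.join("Recycled", "readme.txt"): b"harmless text",
        }
        for rel, data in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return sweep(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

   On a real host, point sweep() at each user's profile directory (for the
   Startup folder) and at the root of every fixed drive (for REGCTRL.EXE
   and the Recycled folder). A hash hit is conclusive for the two
   published variants; a name hit alone should be confirmed with the
   vendor tools in Appendix A, since variants will carry different
   checksums.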
   
II. Impact

   W32/Myparty may cause the default web browser to run unexpectedly.
   Likewise, the victim and targeted sites may experience an increased
   load on the mail server when the malicious code is propagating.
   
III. Solution

Run and maintain an anti-virus product

   It is important for users to update their anti-virus software. Most
   anti-virus software vendors have released updated information, tools,
   or virus databases to help detect and recover from W32/Myparty. A list
   of vendor-specific anti-virus information can be found in Appendix A.
   
   Many anti-virus packages support automatic updates of virus
   definitions. We recommend using these automatic updates when
   available.
   
Exercise caution when opening attachments

   Exercise caution when receiving email with attachments. Users should
   be suspicious of unexpected attachments regardless of their origin. In
   general, users should also always scan files received through email
   with an anti-virus product.
   
   The following section of the "Home Network Security" document provides
   advice on handling email attachments securely:
   
     http://www.cert.org/tech_tips/home_networks.html#IV-A-4
     
Filter the email or use a firewall

   Sites can filter email by deleting messages whose subject line matches
   the one the malicious code uses, or by filtering all attachments
   outright.
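   One way to implement the mail-side filtering described here, as an
   added example rather than anything from the CERT note: a Python
   function that parses a message and flags it when the subject or the
   attachment name matches the indicators given in section I, or when an
   attachment carries a Windows-executable extension. The note singles
   out .com because it doubles as a TLD; the other extensions in the list
   are an assumption that generalises that point. The sample messages are
   constructed with harmless payloads.

```python
"""Flag mail carrying the W32/Myparty indicators from IN-2002-01.

Added example; subject and attachment name come from the note, the list
of executable extensions beyond .com is an assumption.
"""
import email
from email import policy
from email.message import EmailMessage

MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"
# Extensions Windows runs on double-click; .com is the one the note
# discusses, the rest are an assumption that goes beyond the note.
EXEC_EXTENSIONS = (".com", ".exe", ".pif", ".scr", ".bat", ".vbs")


def check_message(raw):
    """Return the reasons a raw RFC 822 message should be held ([] if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject == MYPARTY_SUBJECT:
        reasons.append("subject matches W32/Myparty")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lname = name.lower()
        if lname == MYPARTY_ATTACHMENT:
            reasons.append("attachment name matches W32/Myparty")
        elif lname.endswith(EXEC_EXTENSIONS):
            # A domain-shaped name like host.example.com is still a .com
            # executable on Windows; the extension check catches it.
            reasons.append(f"attachment '{name}' has an executable extension")
    return reasons


def build_sample(subject, body, filename, payload):
    """Construct a multipart message with one attachment (test input only)."""
    m = EmailMessage()
    m["From"] = "alice@example.net"
    m["To"] = "bob@example.net"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed look-alike of the worm's message; the payload is harmless.
MYPARTY_LOOKALIKE = build_sample(
    "new photos from my party!",
    "Hello!\n\nMy party... It was absolutely amazing!\n"
    "I have attached my web page with new photos!\n",
    "www.myparty.yahoo.com",
    b"placeholder bytes, not the sample",
)
# Constructed benign message with an image attachment.
BENIGN = build_sample("lunch?", "menu attached", "menu.jpg", b"\xff\xd8\xff")


if __name__ == "__main__":
    for label, raw in (("lookalike", MYPARTY_LOOKALIKE), ("benign", BENIGN)):
        print(label, "->", check_message(raw) or "clean")
```

   The subject match is the cheapest check but breaks as soon as a
   variant changes the text, which the note warns is common; the
   attachment-name and extension checks survive that. In production this
   function would sit behind a milter or procmail rule that quarantines
   rather than silently drops, so false positives can be recovered.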
   
Appendix A. - Vendor Information

Aladdin Knowledge Systems

          http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10102
          
Central Command, Inc.

          http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020128-000003
          
Command Software Systems

          http://www.commandsoftware.com/virus/myparty.html
          
Computer Associates

          http://www3.ca.com/solutions/collateral.asp?CT=65&ID=1323
          
F-Secure Corp

          http://www.datafellows.com/v-descs/myparty.shtml
          
McAfee

          http://vil.mcafee.com/dispVirus.asp?virus_k=99332&
          
Norman Data Defense Systems

          http://www.norman.com/virus_info/w32_myparty_a_mm.shtml
          
Panda Software

          http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=EV2FichaVirus&pestanaFicha=0&idioma=1&nombreVirusFicha=W32/Myparty@MM
          
Proland Software

          http://www.pspl.com/virus_info/worms/myparty.htm
          
Sophos

          http://www.sophos.com/virusinfo/analyses/w32mypartya.html
          
Symantec

          http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.myparty@mm.html
          
Trend Micro

          http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYPARTY.A
          
   You may wish to visit the CERT/CC's Computer Virus Resources Page
   located at: 
   
     http://www.cert.org/other_sources/viruses.html
     _________________________________________________________________
   
   Authors: Roman Danyliw, Allen Householder
   ______________________________________________________________________
   ______________________________________________________________________
   
   This document is available from:
   http://www.cert.org/incident_notes/IN-2002-01.html
   ______________________________________________________________________
   
CERT/CC Contact Information

   Email: cert at cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.
          
   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
   EDT(GMT-4) Monday through Friday; they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.
   
Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   
   http://www.cert.org/CERT_PGP.key
       
   If you prefer to use DES, please call the CERT hotline for more
   information.
   
Getting security information

   CERT publications and other security information are available from
   our web site
   
   http://www.cert.org/
       
   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo at cert.org. Please include in the body of
   your message
   
   subscribe cert-advisory
   
   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________
   
   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________
   
   Conditions for use, disclaimers, and sponsorship information
   
   Copyright 2002 Carnegie Mellon University.
   
   Revision History
Jan 28, 2002: Initial release
Jan 29, 2002: Modified feedback link



----- End forwarded message -----




More details about the SECURITY-L mailing list