[SECURITY-L] CERT Incident Note IN-2002-01
Daniela Regina Barbetti
daniela em ccuec.unicamp.br
Wed Jan 30 15:28:33 -02 2002
----- Forwarded message from Cristine Hoepers <cristine em nic.br> -----
From: Cristine Hoepers <cristine em nic.br>
Subject: [S] CERT Incident Note IN-2002-01
To: seguranca em pangeia.com.br
Date: Wed, 30 Jan 2002 11:20:44 -0200
X-Mailer: Mutt 1.0.1i
[http://www.cert.org/incident_notes/IN-2002-01.html]
CERT® Incident Note IN-2002-01
The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.
W32/Myparty Malicious Code
Release Date: January 28, 2002
A complete revision history can be found at the end of this file.
Systems Affected
Systems running Microsoft Windows
Overview
"W32/Myparty" is malicious code written for the Windows platform that
spreads as an email file attachment. The malicious code makes use of
social engineering to entice a user to execute it. The W32/Myparty
payload is non-destructive.
As of 16:00 EST (UTC-0500) January 28, 2002 the CERT/CC has received
reports of W32/Myparty from several dozen individual sites.
I. Description
Analysis of the W32/Myparty malicious code indicates that it is a
Windows binary spreading via an email message with the following
characteristics:
SUBJECT: new photos from my party!
BODY:
Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
ATTACHMENT: www.myparty.yahoo.com
The attached file name containing the malicious code,
www.myparty.yahoo.com, was carefully chosen to entice the email
recipient to open and (in most email clients) run the attachment. This
social engineering exploits the fact that .com is both an executable
file extension in Windows and a top-level domain (TLD).
We have seen two variants of www.myparty.yahoo.com as follows:
Filename = www.myparty.yahoo.com
MD5 checksum = 43fc3f274372f548b7e6c14af45e0746
File size = 30172
Filename = www.myparty.yahoo.com
MD5 checksum = 221c47432e70b049fce07a6ca85ca7dd
File size = 29701
Both files take the same actions when executed:
* the file msstask.exe is created in the current user's profile
Startup folder (\Start Menu\Programs\Startup) and is immediately
executed. It will also be executed every time the Windows user
logs into the system.
Filename = msstask.exe
MD5 checksum = cda312b5364bbaddcd2c2bf3ceb4e6cd
File size = 6144
* on Windows 9x computers, a copy of www.myparty.yahoo.com is
written to C:\Recycled\REGCTRL.EXE. On Windows NT computers, this
copy is placed in either C:\REGCTRL.EXE or a newly created random
directory in the C:\Recycled folder. This copy is subsequently
executed.
* an email message is sent to a predefined address with a subject
line of the folder where the W32/Myparty malicious code was stored
on the victim machine. When sending this message, W32/Myparty will
use the SMTP statement HELO HOST when identifying itself to the
SMTP server.
* the current user's default SMTP server is retrieved from the
following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account
Manager\Accounts\00000001
* the hard drive is scanned for Windows Address Book (.WAB) files
and Outlook Express inboxes and folders (.DBX) in order to harvest
email addresses.
* copies of the malicious code are emailed to all the email
addresses it could find.
Outside analysis indicates that this final step of mass mailing may be
time-dependent. The code may only send itself if the clock on the
victim machine is set to January 25-29. It is the experience of the
CERT/CC that variants of malicious code often occur, so this
time-trigger may not apply.
Other outside analysis also indicates that the default web browser may
be launched to a particular URL under certain circumstances.
II. Impact
W32/Myparty may cause the default web browser to run unexpectedly.
Likewise, the victim and targeted sites may experience an increased
load on the mail server when the malicious code is propagating.
III. Solution
Run and maintain an anti-virus product
It is important for users to update their anti-virus software. Most
anti-virus software vendors have released updated information, tools,
or virus databases to help detect and recover from W32/Myparty. A list
of vendor-specific anti-virus information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus
definitions. We recommend using these automatic updates when
available.
Exercise caution when opening attachments
Exercise caution when receiving email with attachments. Users should
be suspicious of unexpected attachments regardless of their origin. In
general, users should also always scan files received through email
with an anti-virus product.
The following section of the "Home Network Security" document provides
advice on handling email attachments securely:
http://www.cert.org/tech_tips/home_networks.html#IV-A-4
Filter the email or use a firewall
Sites can use email filtering techniques to delete messages containing
subject lines known to contain the malicious code, or they can filter
all attachments.
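As an added example (not code from the CERT note or its authors), the following Python filter uses the standard email module to flag a message on the indicators the note lists: the subject line, the www.myparty.yahoo.com attachment name, the published MD5 sums, and, more generally, any attachment whose extension Windows treats as executable (the extension list beyond .com is an assumption). The sample message is constructed here to resemble the one described above; its attachment body is filler, not the real binary.

```python
import hashlib
from email import message_from_string

# Indicators quoted from CERT IN-2002-01: subject line, attachment name, MD5 sums.
MYPARTY_SUBJECT = "new photos from my party!"
MYPARTY_ATTACHMENT = "www.myparty.yahoo.com"
MYPARTY_MD5 = {
    "43fc3f274372f548b7e6c14af45e0746",  # www.myparty.yahoo.com, 30172 bytes
    "221c47432e70b049fce07a6ca85ca7dd",  # www.myparty.yahoo.com, 29701 bytes
    "cda312b5364bbaddcd2c2bf3ceb4e6cd",  # msstask.exe, 6144 bytes
}
# Windows runs .com files as programs, so a domain-looking name ending in .com
# is an executable; the other extensions are an assumption added here.
EXEC_EXT = {"com", "exe", "bat", "cmd", "scr", "pif"}


def classify_message(raw):
    """Return the W32/Myparty indicators matched by one RFC 822 message string."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() == MYPARTY_SUBJECT:
        hits.append("subject")
    for part in msg.walk():  # multipart containers carry no filename
        name = part.get_filename()
        if not name:
            continue
        if name.lower() == MYPARTY_ATTACHMENT:
            hits.append("attachment-name")
        elif name.lower().rsplit(".", 1)[-1] in EXEC_EXT:
            hits.append("executable-attachment")
        payload = part.get_payload(decode=True) or b""
        if hashlib.md5(payload).hexdigest() in MYPARTY_MD5:
            hits.append("known-md5")
    return hits


# Constructed sample modelled on the message described in the note; the
# attachment body is filler, not the real binary, so no MD5 matches.
SAMPLE_MYPARTY = """\
Subject: new photos from my party!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="www.myparty.yahoo.com"
Content-Disposition: attachment; filename="www.myparty.yahoo.com"
Content-Transfer-Encoding: base64

TVpmaWxsZXI=
--b1--
"""
```

A gateway would call classify_message on each inbound message and quarantine anything that returns a non-empty list; the known-md5 rule only fires when the real attachment bytes are present.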
Appendix A. - Vendor Information
Aladdin Knowledge Systems
http://www.esafe.com/home/csrt/valerts2.asp?virus_no=10102
Central Command, Inc.
http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020128-000003
Command Software Systems
http://www.commandsoftware.com/virus/myparty.html
Computer Associates
http://www3.ca.com/solutions/collateral.asp?CT=65&ID=1323
F-Secure Corp
http://www.datafellows.com/v-descs/myparty.shtml
McAfee
http://vil.mcafee.com/dispVirus.asp?virus_k=99332&
Norman Data Defense Systems
http://www.norman.com/virus_info/w32_myparty_a_mm.shtml
Panda Software
http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet?operacion=EV2FichaVirus&pestanaFicha=0&idioma=1&nombreVirusFicha=W32/Myparty@MM
Proland Software
http://www.pspl.com/virus_info/worms/myparty.htm
Sophos
http://www.sophos.com/virusinfo/analyses/w32mypartya.html
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.myparty@mm.html
Trend Micro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYPARTY.A
You may wish to visit the CERT/CC's Computer Virus Resources Page
located at:
http://www.cert.org/other_sources/viruses.html
_________________________________________________________________
Authors: Roman Danyliw, Allen Householder
______________________________________________________________________
This document is available from:
http://www.cert.org/incident_notes/IN-2002-01.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of
your message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
Jan 28, 2002: Initial release
Jan 29, 2002: Modified feedback link
----- End forwarded message -----