Yet another Mass e-mail worm TM - Gibe-F/Swen-A - E-mail from Microsoft

Nice Icon

Nice GUI

Asks you to fill in all your mail-server details, pretty nifty peice of
code.

More info here:

http://www.security-forums.com/forum...pic.php?t=8447

--
Get your Geek Goodies!
http://shop.security-forums.com

..: http://www.security-forums.com :.

Share your knowledge
It's a way to achieve
Immortality.

Lord Shaolin

Yes,

Got one too. Looks almost genuine (except for the fact microsoft never sends
out patches). I wonder what the 'patch' does?

Regards, Ron AF Greve

"Lord Shaolin" <abuse@127.0.0.1> wrote in message
news:q1uab.7517$...
> Nice Icon
>
> Nice GUI
>
> Asks you to fill in all your mail-server details, pretty nifty peice of
> code.
>
> More info here:
>
> http://www.security-forums.com/forum...pic.php?t=8447
>
> --
> Get your Geek Goodies!
> http://shop.security-forums.com
>
> .: http://www.security-forums.com :.
>
> Share your knowledge
> It's a way to achieve
> Immortality.
>
>

Moonlit

On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
<> wrote:

>Yes,
>
>Got one too. Looks almost genuine (except for the fact microsoft never sends
>out patches). I wonder what the 'patch' does?
>
Quite a lot of info here :-

http://us.mcafee.com/virusInfo/defau...virus_k=100662

John

John wrote:
> On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
> <> wrote:
>
>
>>Yes,
>>
>>Got one too. Looks almost genuine (except for the fact microsoft never sends
>>out patches). I wonder what the 'patch' does?
>>
>
> Quite a lot of info here :-
>
> http://us.mcafee.com/virusInfo/defau...virus_k=100662
uggg i just got 120 in 4 hrs

--
http://aleeya.net

Tell me and I'll forget.
Show me and I'll remember.
Involve me and I will learn.


Give a man a fish, feed him for a day.
Teach a man to fish, feed him for a lifetime.

kyra

"kyra" <> wrote in message
newsXCab.2135$.. .
> John wrote:
> > On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
> > <> wrote:
> >
> >
> >>Yes,
> >>
> >>Got one too. Looks almost genuine (except for the fact microsoft never
sends
> >>out patches). I wonder what the 'patch' does?
> >>
> >
> > Quite a lot of info here :-
> >
> > http://us.mcafee.com/virusInfo/defau...virus_k=100662
> uggg i just got 120 in 4 hrs
>
> --
> http://aleeya.net
>
> Tell me and I'll forget.
> Show me and I'll remember.
> Involve me and I will learn.
>
>
> Give a man a fish, feed him for a day.
> Teach a man to fish, feed him for a lifetime.
>
>

thats what you get for posting your mail addy to
www.free-boobie-pics-mail-me.com ;D

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary,
and those that dont."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg"

Mimic

"Lord Shaolin" <abuse@127.0.0.1> wrote in message
news:q1uab.7517$...
> Nice Icon
>
> Nice GUI
>
> Asks you to fill in all your mail-server details, pretty nifty peice of
> code.
>
> More info here:
>
> http://www.security-forums.com/forum...pic.php?t=8447
>
>

Nice to see someone taking pride and effort in their work

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary,
and those that dont."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg"

Mimic

"Lord Shaolin" <abuse@127.0.0.1> wrote in message
news:q1uab.7517$...
> Nice Icon
>
> Nice GUI
>
> Asks you to fill in all your mail-server details, pretty nifty peice of
> code.
>
> More info here:
>
> http://www.security-forums.com/forum...pic.php?t=8447

heh, well if people are stupid enough to open exe's from their email. I'm
assuming it spoofs the from feild as M$ ? othewise its gunna look even more
strange if all your mates are sending you patches, i guess... hrmmm...... .

Anyway, i dont know if i mentioned it, but i dont run AV software, i used to
occasionally scan when i got updates from work, but i'm too lazy. Anyway, i
got my first virus in 6 years the other day wooooooooo. Or should i say my
first infection. Blaster Worm anyway, i got the rpc error so i knew
summink was up, then my firewall kicked off. in about 30secs i knew where it
came from (kazaa ), identified the file, killed it, killed the process and
removed all entries, completely clean. But just to be safe i downloaded the
AV scan/patch, over 20 ****ing minutes it took and the result, to summarize
exactly what i had done (and what it failed to as i was clean). Bah to it
all

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary,
and those that dont."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg"

Mimic

Hi,

Thanks for the link, so it is mainly replicating and major nuisance (with
the false error messages).

Regards Ron.
"John" <> wrote in message
news:...
> On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
> <> wrote:
>
> >Yes,
> >
> >Got one too. Looks almost genuine (except for the fact microsoft never
sends
> >out patches). I wonder what the 'patch' does?
> >
> Quite a lot of info here :-
>
> http://us.mcafee.com/virusInfo/defau...virus_k=100662

Moonlit

Hi,

It looks so real I think this one is going to beat a lot of other virusses
(as one said this virus relies heavily on social engineering and
unfortunately that works).

Luckily I only got two in the past 24 hours.

Regards, Ron AF Greve.

"kyra" <> wrote in message
newsXCab.2135$.. .
> John wrote:
> > On Fri, 19 Sep 2003 12:56:10 +0200, "Moonlit"
> > <> wrote:
> >
> >
> >>Yes,
> >>
> >>Got one too. Looks almost genuine (except for the fact microsoft never
sends
> >>out patches). I wonder what the 'patch' does?
> >>
> >
> > Quite a lot of info here :-
> >
> > http://us.mcafee.com/virusInfo/defau...virus_k=100662
> uggg i just got 120 in 4 hrs
>
> --
> http://aleeya.net
>
> Tell me and I'll forget.
> Show me and I'll remember.
> Involve me and I will learn.
>
>
> Give a man a fish, feed him for a day.
> Teach a man to fish, feed him for a lifetime.
>
>

Moonlit

In article <t4idnURUFus6hfaiU->, "Mimic" <>
wrote:
>heh, well if people are stupid enough to open exe's from their email. I'm
>assuming it spoofs the from feild as M$ ? othewise its gunna look even more
>strange if all your mates are sending you patches, i guess... hrmmm...... .

As you say, people are stupid (I prefer to say "naive" or "ignorant" - it's
slightly more polite). Yes, the virus spoofs to make it look like it comes
from the right place. It'd probably spread even if it didn't - it looks so
pretty that some people just have to click - they'd probably even follow
instructions to open a zip file, enter a password, open the file, save it to
their network server, and run it. Social engineering exploits that one big
bug that noone can quite manage to fix.

>Anyway, i dont know if i mentioned it, but i dont run AV software, i used to
>occasionally scan when i got updates from work, but i'm too lazy. Anyway, i
>got my first virus in 6 years the other day wooooooooo. Or should i say my
>first infection. Blaster Worm anyway, i got the rpc error so i knew
>summink was up, then my firewall kicked off. in about 30secs i knew where it
>came from (kazaa ), identified the file, killed it, killed the process and
>removed all entries, completely clean. But just to be safe i downloaded the
>AV scan/patch, over 20 ****ing minutes it took and the result, to summarize
>exactly what i had done (and what it failed to as i was clean). Bah to it
>all

Ooh, you're soooo butch!

Yeah, I hear you on the "I don't run AV software" thing - for the most part,
it's a waste of time for someone who reads the right lists and has a good
amount of knowledge. But then, that's not the same group of people that are
clicking on attachments, is it? The "click anything with a blue line under
it" brigade need some form of automated protection.

[If MS didn't exist, and we were all using Linux, these guys would _still_
save attachments out to the disk, drop into a shell, and execute away!]

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | .
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.

Alun Jones [MS MVP]