Wednesday, 03 August 2005
Malware type: Virus
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Characteristics: Infects files, Propagates via email, Propagates via software vulnerabilities
Description:
This virus infects all .EXE files in the Windows folder and the Windows temporary folder. It has no infection marker, so upon startup it reinfects .EXE files that are already infected.
This virus can also propagate via email. It attaches a copy of itself to email messages and sends them to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine.
The email that it sends out has the following details:
Subject: (any of the following)
• bush
• Captured..
• Finally!
• Finally! Captured
• funny
• God Bless America
• God Bless the USA!
• God Bless!
• He has been captured..
• joke
• pics
• secret
Message Body: (a combination of any of the messages from groups A and B; the body may also take the form of the message in group C)
Group A
• Attached some pics that i found
• Check this out :-)
• Hello,
• I was going through my album, and look what I found..
• Long time! Check this out!
• Osama Bin Laden Captured.
• Remember this?
• Saddam Hussein - Attempted Escape, Shot dead
• Secret!
• Testing
Group B
• +++ Attachment: No Virus found
  +++ Panda AntiVirus - You are protected
  +++ www.pandasoftware.com
• +++ Attachment: No Virus found
  +++ Norman AntiVirus - You are protected
  +++ www.norman.com
• +++ Attachment: No Virus found
  +++ F-Secure AntiVirus - You are protected
  +++ www.f-secure.com
• +++ Attachment: No Virus found
  +++ Norton AntiVirus - You are protected
  +++ www.symantec.com
Group C
Turn on your TV.
Osama Bin Laden has been captured.
While CNN has no pictures at this point of time, the military channel (PPV) released some pictures.
I managed to capture a couple of these pictures off my TV.
Ive attached a slideshow containing all the pictures I managed to capture.
I apologize for the low quality, its the best I could do at this point of time.
Hopefully CNN will have pictures and a video soon.
God bless the USA!
"Name"
(Note: "Name" is the user name from the spoofed From field.)
Attachment: (any of the following file names)
• bush
• funny
• joke
• pics
• pictures
• secret
(using any of the following extension names)
• EXE
• PIF
• SCR
• ZIP
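A mail-gateway check for the message traits listed above, as an added example that is not part of the original description. The function names, the exact-match rule, the "attachment plus subject or footer" threshold and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Indicators copied from the lists in this description.
SUBJECTS = {"bush", "captured..", "finally!", "finally! captured", "funny",
            "god bless america", "god bless the usa!", "god bless!",
            "he has been captured..", "joke", "pics", "secret"}
ATTACH_NAMES = {"bush", "funny", "joke", "pics", "pictures", "secret"}
ATTACH_EXTS = {".exe", ".pif", ".scr", ".zip"}
FAKE_SCAN_FOOTER = "+++ Attachment: No Virus found"  # first line of every Group B text


def score_message(raw: bytes) -> dict:
    """Report which of the described traits a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = {"subject": subject in SUBJECTS, "attachment": False, "footer": False}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Normalise path separators and case before comparing base name and extension.
            p = PurePosixPath(name.replace("\\", "/").lower())
            if p.stem in ATTACH_NAMES and p.suffix in ATTACH_EXTS:
                hits["attachment"] = True
        elif part.get_content_type() == "text/plain":
            if FAKE_SCAN_FOOTER in part.get_content():
                hits["footer"] = True
    return hits


def is_suspect(raw: bytes) -> bool:
    """Assumed threshold: a listed attachment name plus a listed subject or the fake footer."""
    h = score_message(raw)
    return h["attachment"] and (h["subject"] or h["footer"])


def build_sample() -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"] = "name@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Finally! Captured"
    m.set_content("Check this out :-)\n+++ Attachment: No Virus found\n"
                  "+++ Norman AntiVirus - You are protected\n+++ www.norman.com\n")
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename="pics.scr")
    return m.as_bytes()
```

A subject such as "joke" is common in legitimate mail, which is why the subject alone never triggers `is_suspect`.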
It also exploits the Windows LSASS vulnerability to propagate. More information about this vulnerability can be found on this page:
Microsoft Security Bulletin MS04-011
It also modifies the HOSTS file to prevent access to several Web sites.