
ALERT : Bogus Microsoft Bulletin Spreads Internet Worm

posted on July 11, 2001
by hitbsecnews

Anti-virus experts today warned of a program masquerading as a security patch from Microsoft Corp. [NASDAQ:MSFT] that contains a new variant of a dangerous Internet worm. The worm, which security researchers have named W32.Leave.B.Worm, is the latest incarnation of Leave, a mysterious, self-propagating program that prompted an advisory from the FBI's National Infrastructure Protection Center last month.

The new malicious code is offered for download in a bogus Microsoft security bulletin distributed July 7 with a forged Microsoft.com e-mail return address. Following the standard format used in legitimate advisories from Microsoft, the fake bulletin warns recipients of a new, unnamed virus that can "destroy documents, delete MP3 files (and) movie files, infect .exe files" and wreck a PC's Basic Input Output System (BIOS)....

Bogus Microsoft Bulletin Spreads Internet Worm

By Brian McWilliams, Newsbytes

A hyperlink in the bogus document advises recipients to download and install the patch from a Web site with an address that begins "http://www.microsoft.com@ " and is followed by hexadecimal values - a technique used to conceal the true location of a Web resource, according to Russ Cooper, editor of the NT Bugtraq security mailing list. Everything before the "@" is treated by the browser as a user name, not as the host; the real destination is whatever follows it.
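The URL trick described above can be checked mechanically: a client connects to whatever follows the "@", so a mail gateway or analyst can recover the real host and decode a hexadecimal IP literal before anyone clicks. The following is an added example, not code from the article or from any of the organisations it quotes; the sample URL uses a constructed private address (0xC0A80001, i.e. 192.168.0.1) in place of the real one, which the article does not reproduce.

```python
"""Recover the real destination of a "trusted-domain@real-host" URL."""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class UrlVerdict:
    displayed_prefix: Optional[str]  # the userinfo part a reader sees first
    real_host: str                   # where the client actually connects
    resolved_ip: Optional[str]       # dotted quad if real_host is a numeric literal
    deceptive: bool                  # userinfo looks like a domain name


def numeric_host_to_ip(host: str) -> Optional[str]:
    """Decode a hex (0xC0A80001), decimal (3232235521) or dotted IPv4 literal."""
    try:
        if host.lower().startswith("0x"):
            value = int(host, 16)
        elif host.isdigit():
            value = int(host, 10)
        else:
            # Either already dotted-quad, or a real hostname (raises -> None)
            return str(ipaddress.IPv4Address(host))
        return str(ipaddress.IPv4Address(value))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def analyse_url(url: str) -> UrlVerdict:
    parts = urlsplit(url)
    userinfo = parts.username          # text before "@" in the authority
    host = parts.hostname or ""        # text after "@", without the port
    ip = numeric_host_to_ip(host)
    # A userinfo field containing a dot reads like a hostname to a human;
    # genuine embedded credentials almost never look that way, so flag it.
    deceptive = userinfo is not None and "." in userinfo
    return UrlVerdict(userinfo, host, ip, deceptive)


if __name__ == "__main__":
    # Constructed sample in the shape the article describes
    sample = "http://www.microsoft.com@0xC0A80001/cvr58-ms.exe"
    print(analyse_url(sample))
```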

The site containing the Trojan horse program, a file called "cvr58-ms.exe," is hosted by Internet Gateway Connections, a Web hosting firm in Florida. IGC representatives were unreachable by Newsbytes.

Headers of a copy of the e-mail obtained by Newsbytes indicate that the bogus bulletin was sent from an e-mail account at GMX.net, a free, Web-based mail service based in Germany.

According to Matt Fearnow, incident handler for the SANS Institute, the new variant of the Leave worm uses sophisticated techniques such as encryption and packing and was likely created by the same authors as the original program.

"The writing in the e-mail wasn't too impressive, but the actual program has everybody in awe. Everybody who has taken a look at it so far has agreed it was not written by your average script kiddie," said Fearnow.

While more than 10,000 PCs have already been infected with the original Leave worm, Symantec's AntiVirus Research Center so far has received few reports of Leave.B infections, according to director Vincent Weafer.

Leave.B is unlikely to spread widely, Weafer said, because it contains no mechanism for propagating beyond the original e-mail. The code also is self-limiting because, like the original variant, it only infects PCs that have already been compromised by Sub7, a dangerous remote-control Trojan horse program.

While the intentions of the authors of Leave and its variants are still unclear to security experts, Weafer said the code appears capable of a wide range of malicious acts, including the launch of distributed denial of service attacks.

The source code to the programs contains no clues as to when the authors might marshal their army of infected computers, but Weafer said many experts will be on high alert this Friday.

"With the Defcon hacker convention in Las Vegas this week and the occurrence of Friday the 13th, we're waiting and watching," said Weafer.

Symantec's description of Leave.B is here:

http://www.symantec.com/avcenter/venc/data/w32.leave.b.worm.html

The SANS Institute's write-up on Leave is on the Web at

http://www.incidents.org/react/w32leaveworm.php

The FBI Leave worm advisory is here:

http://www.nipc.gov/warnings/advisories/2001/01-014.htm

Reported by Newsbytes.com, http://www.newsbytes.com
