Free Republic
News/Activism
Yet another virus alert
University of Pennsylvania | 08-25-03 | Jeff Douthett

Posted on 08/25/2003 3:20:48 PM PDT by backhoe

Yet another virus alert from UPenn IT folks... the standard reminders
apply...

From: ISC Provider Desk <prodesk@POBOX.UPENN.EDU>
Subject: **Virus Alert -- W32.Squirm@mm**

This is an alert regarding W32.Squirm@mm, a mass-mailing worm that has
begun appearing in high volumes in certain areas of the campus.  This worm
affects machines running Windows 95, 98, ME, NT, 2000, and XP.  The worm
arrives via an email with an attachment named either patch.zip or
patch_329390.exe, which, if executed, will email itself to all entries in
the user's address book.

In addition, the worm opens a port and listens for connections.  The worm
also spreads through file-sharing applications and, using DCC, propagates
through IRC.

Symantec definitions dated 08/20/2003 should detect W32.Squirm@mm,
although that has not been confirmed yet.  There have been several
reports of W32.Squirm@mm appearing on campus so far.


Characteristics
---------------

The virus arrives in an email claiming to be from "support@microsoft.com"
and with the Subject: "Microsoft Security Bulletin" and the Message Body
listed below.

---------------------------------------------------------
"Unchecked Buffer in Windows Explorer Could Enable System Compromise
(329390)

Summary
Who should read this bulletin: Customers using Microsoft Windows
95,98,2K,ME,XP
Impact of vulnerability: Run code of an attacker's choice

Maximum Severity Rating: Critical

Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should
apply the patch immediately."
---------------------------------------------------------

The email will contain an attachment named either patch.zip or
patch_329390.exe


When the attachment is executed, the worm will do the following:

1. Drops the file, %Windir%\Zlib.dll, which is a legitimate compression
utility.

2. Starts listening on port 61282 for a connection from the worm's author
(opening a backdoor).

3. Displays a dialog box stating "Patching system Wait".

4. When you click OK, the worm adds the value: "CPU Manager" =
"%Windir%\cpumgr.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and the value: "Type"="High"

to the key:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows

5. Drops the files:
-- %Windir%\Cpumgr.dll: An encoded copy of the worm.
-- %Windir%\Cpumgr.exe: The worm's executable.
-- %Windir%\Pdmn.smt: A file containing information about the local
computer.
-- %Windir%\Photo.zip: A zip file containing a copy of the worm.

6. Displays a dialog box stating "Patched. Thanks for using Microsoft
Windows"

7. When you click OK, the worm remains memory-resident, and after a
period of time, it drops files to the default shared folders of some
popular file-sharing program. For a complete list of the paths and
filenames, see the web write-up to be linked shortly off the Virus Alerts
page.

8. Attempts to contact www.google.com to check for Internet connectivity.

9. If this check succeeds, the worm attempts to mail itself to the
contacts listed in the address book with the same message contents as
listed above, forging the "From:" line to look like it is from
support@microsoft.com.

10. Attempts to send a message to the author notifying him/her of the
newly infected host.

Protection
----------

Symantec definitions dated 08/20/2003 should detect W32.Squirm@mm,
although this has yet to be confirmed.

-----

Jeff Douthett
Senior Programmer Analyst
University of Pennsylvania
ISC Support on Site -- ULAR
Phone: 215-573-7301


"Time is that quality of nature which keeps events from happening all at
once. Lately it doesn't seem to be working."

  - Anonymous




TOPICS: Breaking News; News/Current Events; Technical
KEYWORDS: yava
This just in from my wife's office- it appears to be authentic.
1 posted on 08/25/2003 3:20:48 PM PDT by backhoe
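The message characteristics the alert lists (forged From line, the "Microsoft Security Bulletin" subject, the bulletin text in the body, and the patch.zip / patch_329390.exe attachment names) are exactly what a mail gateway would key on. The following is an added example, not part of the original post and not UPenn or Symantec tooling: a Python filter that parses a raw message and reports which of those indicators are present. The two sample messages are constructed here, and the quarantine threshold in verdict() is an assumption.

```python
"""Mail-gateway check for the W32.Squirm@mm lure described in the alert.

Added example (not from the original post). The indicators are taken from
the alert text; the sample messages are constructed and the quarantine
threshold in verdict() is an assumption.
"""
import email
from email import policy
from email.message import EmailMessage

FORGED_SENDER = "support@microsoft.com"
LURE_SUBJECT = "microsoft security bulletin"
LURE_BODY_MARKERS = ("unchecked buffer in windows explorer", "(329390)")
LURE_ATTACHMENTS = {"patch.zip", "patch_329390.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".zip", ".scr", ".pif", ".com", ".bat")


def squirm_indicators(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and list the Squirm lure indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if FORGED_SENDER in str(msg.get("From", "")).lower():
        hits.append("from:forged-microsoft-support")
    if LURE_SUBJECT in str(msg.get("Subject", "")).lower():
        hits.append("subject:security-bulletin")
    # Body text: the first text/plain (or text/html) part, if any.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if any(marker in text for marker in LURE_BODY_MARKERS):
        hits.append("body:bulletin-329390-text")
    # Attachments: the exact lure names are strong; any executable is worth noting.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in LURE_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(EXECUTABLE_SUFFIXES):
            hits.append(f"attachment:executable:{name}")
    return hits


def verdict(raw: bytes) -> str:
    """Quarantine on the lure attachment or three or more indicators; flag a
    message with any single hit for review; otherwise deliver.  (The threshold
    is an assumption made for this example.)"""
    hits = squirm_indicators(raw)
    if any(h.startswith("attachment:patch") for h in hits) or len(hits) >= 3:
        return "quarantine"
    return "flag" if hits else "deliver"


def build_sample(lure: bool) -> bytes:
    """Construct a sample message for this example (not a real capture)."""
    msg = EmailMessage()
    msg["To"] = "user@example.edu"
    if lure:
        msg["From"] = "Microsoft Support <support@microsoft.com>"
        msg["Subject"] = "Microsoft Security Bulletin"
        msg.set_content(
            "Unchecked Buffer in Windows Explorer Could Enable System "
            "Compromise (329390)\n\nRecommendation: apply the patch immediately."
        )
        # Dummy PE-looking bytes stand in for the worm's executable.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="patch_329390.exe")
    else:
        msg["From"] = "Jeff <jeff@example.edu>"
        msg["Subject"] = "Lunch tomorrow?"
        msg.set_content("Noon at the usual place?")
    return msg.as_bytes()


if __name__ == "__main__":
    for lure in (True, False):
        raw = build_sample(lure)
        print(verdict(raw), squirm_indicators(raw))
```

The From line on its own is the weakest of these signals: the alert says it is forged, so it proves nothing about origin, and the next variant can change it at no cost. The attachment name and the bulletin text in the body are the specific indicators, and an executable attachment on anything claiming to be a security bulletin is reason enough to quarantine whatever the sender says.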

To: backhoe
Thanks for the info
2 posted on 08/25/2003 3:27:27 PM PDT by Mo1 (http://www.favewavs.com/wavs/cartoons/spdemocrats.wav)

To: backhoe
fyi bump
3 posted on 08/25/2003 3:32:13 PM PDT by Ferret Fawcet (Trust God's authority, not man's majority.)

To: backhoe
It's really time to make creation of one of these things a crime punishable by death. As long as it's funny and punishable by probation with a stipulation that the creator stay away from the computer for a couple of years, we can expect this to get worse and worse.
4 posted on 08/25/2003 3:33:23 PM PDT by Dog Gone

To: Dog Gone
A long slow death, at that! I keep my virus scan, firewall, etc. updated, but these things are always pinging away, trying to find a way to get in. Just think how much they slow down the Internet, how much they cost in tech time and lost productivity, etc.
5 posted on 08/25/2003 3:42:03 PM PDT by livius

To: backhoe
One of our folks got it today.
6 posted on 08/25/2003 3:42:34 PM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
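For a machine like the one AppyPappy mentions, the alert's list of host artifacts (the "CPU Manager" Run value, the cpumgr.exe / cpumgr.dll / Pdmn.smt / Photo.zip files in %Windir%, and the listener on port 61282) is enough to triage without waiting on updated definitions. The following is an added example, not part of the original post: a Python check that works over text already collected from the suspect machine (a `reg export` of the Run key, a directory listing of %Windir%, and `netstat -an` output), so it runs anywhere. The three sample inputs are constructed for this example; output from a real infected host may differ in detail.

```python
"""Host triage for the W32.Squirm@mm artifacts listed in the alert.

Added example (not from the original post). It works over text already
collected from a suspect Windows machine: a `reg export` of the Run key,
a listing of %Windir%, and `netstat -an` output, so it runs anywhere.
The three sample inputs at the bottom are constructed for this example.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "CPU Manager"
DROPPED_FILES = {"cpumgr.exe", "cpumgr.dll", "pdmn.smt", "photo.zip"}
BACKDOOR_PORT = 61282

# A .reg line is "name"="data" with backslashes doubled and quotes escaped.
_REG_SZ = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_values(reg_text: str, key: str) -> dict[str, str]:
    """Return {value name: string data} for REG_SZ values under `key`."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                 # [HKEY_...] section header
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = _REG_SZ.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def listening_ports(netstat_text: str) -> set[int]:
    """Local TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def squirm_host_indicators(reg_text, windir_listing, netstat_text):
    """Return the Squirm artifacts found in the three collected inputs."""
    hits = []
    data = parse_reg_values(reg_text, RUN_KEY).get(RUN_VALUE_NAME, "")
    if data.lower().endswith("\\cpumgr.exe"):
        hits.append(f"persistence:Run\\{RUN_VALUE_NAME}={data}")
    names = {n.strip().lower() for n in windir_listing.splitlines() if n.strip()}
    for f in sorted(DROPPED_FILES & names):
        hits.append(f"file:%Windir%\\{f}")
    if BACKDOOR_PORT in listening_ports(netstat_text):
        hits.append(f"backdoor:tcp/{BACKDOOR_PORT}")
    return hits


# Constructed samples standing in for output collected from an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"CPU Manager"="C:\\WINDOWS\\cpumgr.exe"
'''
SAMPLE_WINDIR = "explorer.exe\nnotepad.exe\nZlib.dll\ncpumgr.exe\ncpumgr.dll\nPdmn.smt\nPhoto.zip\n"
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:61282          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for hit in squirm_host_indicators(SAMPLE_REG, SAMPLE_WINDIR, SAMPLE_NETSTAT):
        print(hit)
```

Zlib.dll is deliberately not on the file list: the alert describes it as a legitimate compression library the worm drops, so its presence alone says nothing. The Run value and the listener are the two artifacts that survive a rename of the dropped files, which is why the check keys on the value name and the port rather than on cpumgr.exe alone.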

To: backhoe
It is.
7 posted on 08/25/2003 3:43:10 PM PDT by New Horizon

To: Dog Gone
How about the death penalty for releasing software with mile-wide security holes?

(...asks Redcloak as he takes an oar and gives the pot a vigorous, mischievous stirring.)
8 posted on 08/25/2003 3:43:25 PM PDT by Redcloak (All work and no FReep makes Jack a dull boy. All work and no FReep make s Jack a dul boy. Allwork an)

To: AppyPappy
One of our folks got it today.

Thanks for that confirmation- the woman who sent this to my wife is the Secretary for the Diocese of Georgia, and usually very cautious not to send frivolous alerts, but I could not find a daggone thing on "squirm" during a search, so I was hesitant to post this.

The writer's information looked legit, so I figured it was more important to be fast.

9 posted on 08/25/2003 3:46:27 PM PDT by backhoe

To: New Horizon
Appreciate that info- a search of Google News Beta still shows nothing in the headlines.
10 posted on 08/25/2003 3:48:28 PM PDT by backhoe

To: AppyPappy
Until the "dumbies" realize that this is "series" and could cause potentially "hugh" problems, they should never, ever open attachments from just anybody.

Our corporate AV does a pretty damn good job of keeping this stuff quarantined upon arrival, but only if it is already a known virus and our server has been updated to recognize the new threat.

The appeal of an email message like this is that the peons can play "techy network-savvy engineer guy", and update their own PCs...all by themselves!

Boom!

11 posted on 08/25/2003 3:50:22 PM PDT by New Horizon

To: backhoe
It affects Windoze??? We're doomed...
12 posted on 08/25/2003 3:50:52 PM PDT by null and void

To: Redcloak
Nope. Blaming the homeowner for the burglary doesn't cut it.
13 posted on 08/25/2003 3:51:57 PM PDT by Dog Gone

To: backhoe
I believe that it is safe to block all mail from support@microsoft.com - Microsoft does not send mail from that email address.
14 posted on 08/25/2003 3:54:54 PM PDT by willieroe

To: All
-Worm and Virus Wars- the August Edition--
15 posted on 08/25/2003 3:56:47 PM PDT by backhoe

To: Dog Gone
Nope. Blaming the homeowner for the burglary doesn't cut it.

Can we blame the guy who installed the homeowner's doors and forgot to buy locking doorknobs?

16 posted on 08/25/2003 4:02:22 PM PDT by Redcloak (All work and no FReep makes Jack a dull boy. All work and no FReep make s Jack a dul boy. Allwork an)

To: Ferret Fawcet
Me too, bump to the office for tomorrow.
17 posted on 08/25/2003 4:02:34 PM PDT by tall_tex

To: Redcloak
Your point is not without merit, but the criminal is the one we should be most angry at. Locking our doors at night would have been considered paranoid in the town where I grew up.
18 posted on 08/25/2003 4:04:54 PM PDT by Dog Gone

To: Redcloak
How about the death penalty for releasing software with mile-wide security holes?

I know you are just 'stirring the pot', but I don't call opening an attachment that is unsolicited a 'mile-wide security hole' - more like a mile-wide idiocy streak... ;0)

19 posted on 08/25/2003 4:08:53 PM PDT by Chad Fairbanks (My Doc said I'm paranoid, and gave me pills. I don't take them cuz I think he's trying to kill me...)

To: Dog Gone
Of course, the virus writer is to blame for the damage they cause; however, shoddy workmanship from a certain Pacific-Northwest software vendor who shall remain nameless cannot be ignored. If you're going to start lopping off heads, then more than just the virus writers ought to be headed for the block.
20 posted on 08/25/2003 4:11:24 PM PDT by Redcloak (All work and no FReep makes Jack a dull boy. All work and no FReep make s Jack a dul boy. Allwork an)

