Yet another virus alert
University of Pennsylvania | 08-25-03 | Jeff Douthett
Posted on 08/25/2003 3:20:48 PM PDT by backhoe
Yet another virus alert from UPenn IT folks... the standard reminders
apply...
From: ISC Provider Desk <prodesk@POBOX.UPENN.EDU>
Subject: **Virus Alert -- W32.Squirm@mm**
This is an alert regarding W32.Squirm@mm, a mass-mailing worm that has
begun appearing in high volumes in certain areas of the campus. This worm
affects machines running Windows 95, 98, ME, NT, 2000, and XP. The worm
arrives via an email with an attachment named either patch.zip or
patch_329390.exe, which, if executed, will email itself to all entries in
the user's address book.
In addition, the worm opens a port and listens for connections. The worm
also spreads through file sharing applications and, by using DCC, the worm
propagates through IRC.
Symantec definitions dated 08/20/2003 should detect W32.Squirm@mm
although that has not been confirmed yet. There have been several
reports of W32.Squirm@mm appearing on campus so far.
Characteristics
---------------
The virus arrives in an email claiming to be from "support@microsoft.com"
and with the Subject: "Microsoft Security Bulletin" and the Message Body
listed below.
---------------------------------------------------------
"Unchecked Buffer in Windows Explorer Could Enable System Compromise
(329390)
Summary
Who should read this bulletin: Customers using Microsoft Windows
95,98,2K,ME,XP
Impact of vulnerability: Run code of an attacker's choice
Maximum Severity Rating: Critical
Recommendation: Customers using Microsoft Windows 95,98,2K,ME,XP should
apply the patch immediately."
---------------------------------------------------------
The email will contain an attachment named either patch.zip or
patch_329390.exe
When the attachment is executed, the worm will do the following:
1. Drops the file, %Windir%\Zlib.dll, which is a legitimate compression
utility.
2. Starts listening on port 61282 for a connection from the worm's author
(opening a backdoor).
3. Displays a dialog box stating "Patching system Wait".
4. When you click OK, the worm adds the value: "CPU Manager" =
"%Windir%\cpumgr.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and the value: "Type"="High"
to the key:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows
5. Drops the files:
-- %Windir%\Cpumgr.dll: An encoded copy of the worm.
-- %Windir%\Cpumgr.exe: The worm's executable.
-- %Windir%\Pdmn.smt: A file containing information about the local
computer.
-- %Windir%\Photo.zip: A zip file containing a copy of the worm.
6. Displays a dialog box stating "Patched. Thanks for using Microsoft
Windows"
7. When you click OK, the worm remains memory-resident, and after a
period of time, it drops files to the default shared folders of some
popular file-sharing program. For a complete list of the paths and
filenames, see the web write-up to be linked shortly off the Virus Alerts
page.
8. Attempts to contact www.google.com to check for Internet connectivity.
9. If this check succeeds, the worm attempts to mail itself to the
contacts listed in the address book with the same message contents as
listed above, forging the "From:" line to look like it's from
support@microsoft.com.
10. Attempts to send a message to the author notifying him/her of the
newly infected host.
Protection
----------
Symantec definitions dated 08/20/2003 should detect W32.Squirm@mm
although this has yet to be confirmed.
-----
Jeff Douthett
Senior Programmer Analyst
University of Pennsylvania
ISC Support on Site -- ULAR
Phone: 215-573-7301
"Time is that quality of nature which keeps events from happening all at
once. Lately it doesn't seem to be working."
- Anonymous
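A defender-side addition, not part of the alert or of this thread: a small mail-gateway triage rule that matches a raw message against the lure characteristics the alert lists (the forged support@microsoft.com sender, the "Microsoft Security Bulletin" subject, and the two attachment names). The RISKY_EXTENSIONS list and the sample message are my own constructed assumptions, not taken from the alert.

```python
"""Mail-gateway triage for the W32.Squirm@mm lure described in the alert.
Added example (not from the alert or Symantec); indicator values come from
the alert text, and the sample message below is constructed."""
import email
from email import policy

SPOOFED_SENDER = "support@microsoft.com"        # forged From: per the alert
LURE_SUBJECT = "Microsoft Security Bulletin"    # Subject: per the alert
LURE_ATTACHMENTS = {"patch.zip", "patch_329390.exe"}
# Assumption, not from the alert: any executable mailed as a "patch" is suspect.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".zip")


def attachment_names(msg):
    """Lower-cased filenames of every attachment part in a parsed message."""
    return [(p.get_filename() or "").lower() for p in msg.iter_attachments()]


def triage(raw_bytes):
    """Return the alert indicators a raw RFC 822 message matches ([] if none)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if SPOOFED_SENDER in (msg.get("From") or "").lower():
        # Microsoft does not mail patches; the worm forges this header.
        reasons.append("forged From: " + SPOOFED_SENDER)
    if (msg.get("Subject") or "").strip() == LURE_SUBJECT:
        reasons.append("subject matches lure")
    for name in attachment_names(msg):
        if name in LURE_ATTACHMENTS:
            reasons.append("known worm attachment: " + name)
        elif name.endswith(RISKY_EXTENSIONS):
            reasons.append("executable-style attachment: " + name)
    return reasons


# Constructed sample carrying the lure's headers; the attachment body is a
# harmless placeholder string, not the worm.
SAMPLE_LURE = b"""\
From: Microsoft Support <support@microsoft.com>
Subject: Microsoft Security Bulletin
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="patch_329390.exe"

PLACEHOLDER
--b1--
"""
```

Calling triage(SAMPLE_LURE) returns three reasons, one per indicator; a message matching none of them returns an empty list and can pass through.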
This just in from my wife's office- it appears to be authentic.
1 | posted on 08/25/2003 3:20:48 PM PDT by backhoe
To: backhoe
Thanks for the info
2 | posted on 08/25/2003 3:27:27 PM PDT by Mo1
(http://www.favewavs.com/wavs/cartoons/spdemocrats.wav)
To: backhoe
fyi bump
3 | posted on 08/25/2003 3:32:13 PM PDT by Ferret Fawcet
(Trust God's authority, not man's majority.)
To: backhoe
It's really time to make creation of one of these things a crime punishable by death. As long as it's funny and punishable by probation with a stipulation that the creator stay away from the computer for a couple of years, we can expect this to get worse and worse.
4 | posted on 08/25/2003 3:33:23 PM PDT by Dog Gone
To: Dog Gone
A long slow death, at that! I keep my virus scan, firewall, etc. updated, but these things are always pinging away, trying to find a way to get in. Just think how much they slow down the Internet, how much they cost in tech time and lost productivity, etc.
5 | posted on 08/25/2003 3:42:03 PM PDT by livius
To: backhoe
One of our folks got it today.
6 | posted on 08/25/2003 3:42:34 PM PDT by AppyPappy
(If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)
To: backhoe
To: Dog Gone
How about the death penalty for releasing software with mile-wide security holes?
(...asks Redcloak as he takes an oar and gives the pot a vigorous, mischievous stirring.)
8 | posted on 08/25/2003 3:43:25 PM PDT by Redcloak
(All work and no FReep makes Jack a dull boy. All work and no FReep make s Jack a dul boy. Allwork an)
To: AppyPappy
One of our folks got it today.
Thanks for that confirmation- the woman who sent this to my wife is the Secretary for the Diocese of Georgia, and usually very cautious not to send frivolous alerts, but I could not find a daggone thing on "squirm" during a search, so I was hesitant to post this.
The writer's information looked legit, so I figured it was more important to be fast.
9 | posted on 08/25/2003 3:46:27 PM PDT by backhoe
To: New Horizon
Appreciate that info- a search of Google News Beta still shows nothing in the headlines.
10 | posted on 08/25/2003 3:48:28 PM PDT by backhoe
To: AppyPappy
Until the "dumbies" realize that this is "series" and could cause potentially "hugh" problems, they should never, ever open attachments from just anybody.
Our corporate AV does a pretty damn good job of keeping this stuff quarantined upon arrival, but only if it is already a known virus and our server has been updated to recognize the new threat.
The appeal of an email message like this is that the peons can play "techy network-savvy engineer guy", and update their own PCs...all by themselves!
Boom!
To: backhoe
It affects Windoze??? We're doomed...
To: Redcloak
Nope. Blaming the homeowner for the burglary doesn't cut it.
13 | posted on 08/25/2003 3:51:57 PM PDT by Dog Gone
To: backhoe
I believe that it is safe to block all mail from
support@microsoft.com - Microsoft does not send mail from that email address.
To: All
15 | posted on 08/25/2003 3:56:47 PM PDT by backhoe
To: Dog Gone
Nope. Blaming the homeowner for the burglary doesn't cut it.
Can we blame the guy who installed the homeowner's doors and forgot to buy locking doorknobs?
16 | posted on 08/25/2003 4:02:22 PM PDT by Redcloak
(All work and no FReep makes Jack a dull boy. All work and no FReep make s Jack a dul boy. Allwork an)
To: Ferret Fawcet
Me to bump to the office for tomorrow.
17 | posted on 08/25/2003 4:02:34 PM PDT by tall_tex
To: Redcloak
Your point is not without merit, but the criminal is the one we should be most angry at. Locking our doors at night would have been considered paranoid in the town where I grew up.
18 | posted on 08/25/2003 4:04:54 PM PDT by Dog Gone
To: Redcloak
How about the death penalty for releasing software with mile-wide security holes?
I know you are just 'stirring the pot', but I don't call opening an attachment that is unsolicited a 'mile-wide security hole' - more like a mile-wide idiocy streak... ;0)
19 | posted on 08/25/2003 4:08:53 PM PDT by Chad Fairbanks
(My Doc said I'm paranoid, and gave me pills. I don't take them cuz I think he's trying to kill me...)
To: Dog Gone
Of course, the virus writer is to blame for the damage they cause; however, shoddy workmanship from a certain Pacific-Northwest software vendor who shall remain nameless cannot be ignored. If you're going to start lopping off heads, then more than just the virus writers ought to be headed for the block.
20 | posted on 08/25/2003 4:11:24 PM PDT by Redcloak
(All work and no FReep makes Jack a dull boy. All work and no FReep make s Jack a dul boy. Allwork an)