HUNGARY-L Archives
From: "Joseph Serflek" <>
Subject: [HUNGARY-L] Mystery Worm
Date: Mon, 3 Sep 2001 22:32:25 -0400
Hello
There has been some mention about a virus / worm threat on these
lists I belong to. Some of you may have encountered this worm with
your a/v protection program. It is very serious and just as bad as the
last one a week or two ago.
I know this is not the place to mention this, but I hope none have
been hit by it. Hope you do have a firewall.
József (Joseph) Serflek
----- Original Message -----
From: Stan Broski <>
To: 50plus list <>
Sent: Monday, September 03, 2001 1:26 PM
Subject: [50plus] The Fifty Plus Mystery Worm
Hello List,
Several participants on this list (Ray, Chris, and Julius) have
reported recently receiving some malicious code. I received the same
crap as well. A worm is malicious code that spreads copies of itself.
Malicious code may damage infected PCs, which is a characteristic of a
virus. For simplicity I'll refer to this particular malicious code as
the Mystery Worm (MW). Comments about MW have been requested. These
are mine, expressed as answers to key questions.
What is the AV industry-assigned name of MW?
The identification of MW is presently uncertain. I note from the
reports that virus checkers including mine have identified it as the
Hybris worm. However, when researching authoritative information about
this worm
<http://www.viruslist.com/eng/viruslist.asp?id=4246&key=00001000130000100096>
<http://www.viruslist.com/eng/viruslist.asp?id=4112&key=00001000130000100044&f_page=1>
I conclude that although MW has some characteristics of the Hybris
worm, it does not appear to have them all, and it has characteristics
of another worm. The identification of new worms is becoming more
difficult because they can take several forms (polymorphic). MW does
spread in the form described in the Kaspersky Labs write-up for the
"Cuerpo" worm, which I quote below:
"The worm arrives at a computer as an email message in HTML format. The
subject of the message may vary. The message body has no visible text but
contains a script that is the worm itself."
The report also indicates that the Cuerpo worm can attach a copy of
itself, which is what MW does. The MW also has some characteristics of
the Hybris worm in that the Hybris worm attaches randomly named eight
character file names that are executable files. The MW I received has
an attachment named, "FKJBHWFK.EXE". Chris reported that the
attachment he received was named, "FKJBHNFK.Z19". The file attachment
Chris received was probably FKJBHNFK.EXE and his ZoneAlarm protected
him by renaming it FKJBHNFK.Z19. This change means that the file will
not execute on Chris' PC. Ray reported that the subject of the email
was "remote mail sender" which was the subject of the MW message I
received.
The virus checkers probably identified the MW as a Hybris worm
because it may contain the signature code, "HYBRIS (c) Vecna".
Since the Hybris and Cuerpo worms are polymorphic, I conclude that MW
is possibly a variation of either, or even a third type of worm from
the same author(s) that includes features of the other two worms. If
anyone on the list subscribes to an AV service that will receive
suspect email and analyze it, and you receive a copy of the MW, I
suggest that you send them a copy.
Who originated the MW email?
It is possible by examining the header information in an email to
trace its originating IP Address. Mail servers that receive email
routinely attach this information to email headers as they process
email before sending it on to its intended destination. For example, my
version of the MW had the following source information:
"Received: from bc-van-wvn-a53-01-72.look.ca ([216.66.156.168] helo=v1tzd)"
Analyzing the above header information reveals that:
(1) "bc-van-wvn-a53-01-72" is a sub-component of a domain name that
suggests that it is related to an Internet connection provided to
someone in the West Vancouver portion of the Vancouver BC area. The
same header in similar email received by Ray and Chris indicated a
sub-component in the North Vancouver area (see the initials "nvn" in
their reports).
(2) "look.ca" is the domain name of the ISP used by the originating,
infected PC. Therefore, the same ISP is involved in all reports about
MW.
(3) 216.66.156.168 is the IP Address administered by Look.ca that is
recorded in Internet records as being assigned to bc-van-wvn etc. The
IP Address for Chris' and Ray's version is different because the
infected PC was using a different IP address at the time. My conclusion
is that the infected PC is using a dial-up connection and, as is
normal, is being assigned different IP addresses whenever it connects.
I received my worm on a different day than Chris and Ray. Julius may
well have a different IP Address used by look.ca. (He did not report
its source IP Address.)
(4) When a PC connects to an email server, it identifies itself
by using the keyword "helo" followed by its name. Some evil persons
forge this information to confuse tracers. However, most servers,
having access to the correct IP Address of the incoming email, will
check it against its registered domain name to see if it agrees with
what the connecting system says it is. If there is a variation, it
repeats the helo detail in the message. It appears that the MW
attempts to disguise its origin by calling itself "v1tzd". The
intervening servers spotted this deception and indicated this by
repeating the helo information. This is helpful to us because it
confirms that the various copies of the MW received by us were
transmitted by the same version of the worm.
I conclude from the comments above that the MWs received by us came
from a look.ca user in the Vancouver area. (Although possible, it is
less likely that more than one look.ca customer is involved.)
Furthermore, it should be possible for the staff of look.ca, using the
information in the MW email headers, to determine the telephone
connection used by the infected PC to send the worm. This information
should help to identify the person using the infected PC. I suggest
that everyone who received a copy of the MW send a copy of the email
with all of the header information to , as I did. I have included at
the end of this email a copy of the message I sent, as an example.
How was it possible for the MW to directly mail itself to Fifty Plus
Net participants using their email addresses?
Worms/viruses usually infect the PC using executable files or script
files used by Microsoft applications, like Visual Basic Script or
small programs used by the IE browser like ActiveX. The latest worms
are miniature email applications. They can use the Microsoft email
APIs. APIs are "hooks" into the operating system that allow a worm to
use features of the operating system like searching incoming email for
email addresses and sending email to these addresses without the
knowledge or consent of the PC's user. These worms can operate
independently of any email application normally used on an infected
PC.
My theory is that a look.ca user in the Vancouver area with an
infected PC receives email such as a posting to the fifty-plus net
either directly or in digest form. These postings contain the email
address of anyone posting to the list. Those of us who received the MW
all posted our email addresses to the list when it was reopened this
week.
In my case, the MW was able to use my brand new email address which
had only been in use for a few days. The most likely source of my new
email address for the MW would be my posts to this list, because I had
only used this address in posts to the list and in email to a few
other persons, and none of them are participants on this list, nor are
they look.ca clients. The fact that others on the list received the MW
from the same source in Vancouver tends to confirm that the fifty plus
postings are being used by the MW to mine target email addresses. It
is also possible that a member of
this list may be sending copies of these posts to someone in the
Vancouver area who is not a member of the list. I say this because I
understand from Sky that there are no look.ca subscribers in the
Vancouver area on the list. Incidentally, I also understand from Sky
that she intends to contact look.ca officials about this problem, if
she hasn't done so already.
What steps can be taken to protect yourself?
I can think of several. These suggestions are based on the assumption
that you still wish to participate on this list.
Most email applications allow the use of filters. Filters are rules.
Each incoming email is compared against a list of rules, and if a rule
applies the email may be deleted without opening. A rule could be
created to delete any email coming from look.ca. You might also email
and tell them you are filtering out any email coming
from them as long as they allow their customers to send email worms.
You might consider using a free email service like Hotmail as your 50
plus list address. I understand that worms or viruses cannot be spread
by accounts like Hotmail. Perhaps some would like to comment about
this.
Users of Microsoft's IE and Outlook and Express should ensure that
their scripting capability is turned off and that they have installed
the latest patches.
There is a new application available that claims that it can prevent
any of the known and possible future viruses/worms from infecting PCs
by email. It also will prevent an infected PC from sending out a worm
or virus should a PC become infected in some other way. Presently, the
program is free. I have not tried it, but perhaps others might
consider doing so and letting the rest of us know what you think of
it. It is called "M@ilDefence" and is available at:
http://www.indefense.com/manuals/maildefense/index.html
Stan Broski
P.S. This is a copy of the email I sent to about the MW I had received.
----------------------
QUOTE
This is to inform you that I received an email with a virus attached
to it from one of your subscribers.
The body of the message was blank, the subject was "Remote Mail
Delivery", and the attachment was named FKJBHNFK.EXE.
A copy of the headers appears below. It indicates that the message
originated from an IP Address administered by Look and which appears
to be in the Vancouver area.
It would be appreciated if you would take appropriate action to
prevent this from happening again.
Thank you.
Stan Broski
--------------------------
Return-Path: <>
Received: from rabacal.direct.ca ([199.60.229.8])
    by tomts12-srv.bellnexxia.net
    (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP
    id <>
    for <>; Wed, 29 Aug 2001 11:01:07 -0400
Received: from bc-van-wvn-a53-01-72.look.ca ([216.66.156.168] helo=v1tzd)
    by rabacal.direct.ca with smtp (Exim 2.12 #7)
    id 15c6pu-0005Bm-00
    for ; Wed, 29 Aug 2001 08:00:59 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="--VEP23OX27016FWPUFG5AZ0XMNWL2B49M705"
Message-Id: <>
From: Remote Mail Delivery System <>
Bcc:
Date: Wed, 29 Aug 2001 08:00:59 -0700
UNQUOTE
--
Best regards,
Stan mailto:
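The header tracing Stan describes above (reading the Received chain from the bottom up to find the first hop, noticing the helo= annotation the receiving server adds when the claimed HELO name does not match the connecting host's reverse DNS, and then filtering mail by the originating domain) can be done mechanically. The following script is an added example, not part of Joseph's or Stan's messages. The sample headers are reconstructed from the headers Stan quoted, with the elided addresses left empty as the archive shows them; the regular expression assumes the "from <rdns> ([<ip>] helo=<name>) by <server>" layout that the two servers in that sample (Exim and InterMail) use, and the function names are my own.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain quoted in the message above, with
# the elided addresses left empty exactly as the archive shows them.
SAMPLE_HEADERS = (
    "Return-Path: <>\n"
    "Received: from rabacal.direct.ca ([199.60.229.8])\n"
    "\tby tomts12-srv.bellnexxia.net\n"
    "\t(InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP\n"
    "\tid <>\n"
    "\tfor <>; Wed, 29 Aug 2001 11:01:07 -0400\n"
    "Received: from bc-van-wvn-a53-01-72.look.ca ([216.66.156.168] helo=v1tzd)\n"
    "\tby rabacal.direct.ca with smtp (Exim 2.12 #7)\n"
    "\tid 15c6pu-0005Bm-00\n"
    "\tfor ; Wed, 29 Aug 2001 08:00:59 -0700\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed;\n"
    "\tboundary=\"--VEP23OX27016FWPUFG5AZ0XMNWL2B49M705\"\n"
    "Message-Id: <>\n"
    "From: Remote Mail Delivery System <>\n"
    "Date: Wed, 29 Aug 2001 08:00:59 -0700\n"
    "\n"
)

# One Received: clause in the layout used by the servers in the sample
# (assumption: other MTAs word this differently and would need their own
# pattern):
#   from <reverse-DNS name> ([<ip>] helo=<name claimed in HELO>) by <server>
# The helo= part is only written when the name the client claimed differs
# from the name the server resolved for the connecting IP.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[\d.]+)\](?:\s+helo=(?P<helo>[^\s)]+))?\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(raw_headers):
    """Return the hops in transit order (earliest first).

    Each server prepends its own Received: line, so the line that appears
    last in the message is the first hop: the server that accepted the
    message directly from the sending machine.
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue  # unparseable hop: skip it rather than guess
        hop = m.groupdict()
        hop["helo_mismatch"] = bool(hop["helo"]) and hop["helo"].lower() != hop["rdns"].lower()
        hops.append(hop)
    return hops


def chain_is_consistent(hops):
    """Each hop's receiving server should be the next hop's sending host.

    A sender can forge any Received: lines below the one written by the
    first server it really connected to, so a broken link in the chain
    means the lower lines are not to be trusted.
    """
    return all(a["by"].lower() == b["rdns"].lower() for a, b in zip(hops, hops[1:]))


def trace_origin(raw_headers):
    """First-hop data: the sending IP, its reverse-DNS name and the claimed HELO."""
    hops = parse_received(raw_headers)
    return hops[0] if hops else None


def matches_block_rule(raw_headers, blocked_domains):
    """A mail-client style filter rule: true if the originating host is in a blocked domain."""
    origin = trace_origin(raw_headers)
    if origin is None:
        return False
    host = origin["rdns"].lower()
    return any(host == d or host.endswith("." + d) for d in blocked_domains)


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['rdns']} [{hop['ip']}] helo={hop['helo']} "
              f"mismatch={hop['helo_mismatch']} -> {hop['by']}")
    print("chain consistent:", chain_is_consistent(hops))
    print("blocked (look.ca):", matches_block_rule(SAMPLE_HEADERS, ["look.ca"]))
```

The reverse-DNS name and IP in a Received: line are supplied by the server that wrote the line, not by the sender, so the useful hop is the first one written by a server you trust; the HELO string, by contrast, is whatever the client chose to say, which is why a mismatch is worth flagging but proves nothing on its own.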