(#2002-456) - Topics this issue:
1) Tanatos alias bugbear - New Mass Mailing worm spreading fast...,
<[EMAIL PROTECTED]>
----------------------------------------------------------------------
Date: Tue, 1 Oct 2002 17:30:36 +0700
From: Syafril Hermansyah <[EMAIL PROTECTED]>
Subject: Fw: Tanatos alias bugbear - New Mass Mailing worm spreading fast...
For those who still rely on the Content Filter, this info may help
(have a script made to quarantine suspicious mail with the subjects
below).
Begin forwarded message:
Date: Tue, 1 Oct 2002 14:36:34 +0530
From: "Govind Rammurthy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Tanatos alias bugbear - New Mass Mailing worm spreading fast...
Tanatos alias bugbear - New Mass Mailing worm spreading fast...
*****************************************************
Tanatos is a mass-mailing worm with keylogging and backdoor
capabilities, detected on 30th of September 2002. It spreads using
email as the medium, inserting itself as a randomly named attachment;
once the user clicks on the attachment (or sometimes automatically,
too), the worm becomes active.
Subsequently, it harvests email addresses from predefined files on
your local machine and sends itself to these addresses. It also
installs a spy program on your PC so that, when you connect to the
Internet, an external user can view, delete or access your files.
Tanatos also secretly kills many popular antivirus programs so that
its actions are not detected. Moreover, if your machine is part of a
Local Area Network (LAN), other PCs on the LAN also get infected
automatically.
All-in-all a very dangerous, mean and fast-spreading virus.
If you have eScan or MailScan installed with the default configuration,
the worm is prevented from entering via email, since eScan and
MailScan both stop virus-like executable attachments. Both products'
signatures have also been updated to detect Tanatos.
The worm is also known by the following names: Bugbear, W32/Bugbear,
Tanat, W32/Tanat, I-Worm.Tanatos
Size of the worm: 50688 bytes
For more information, please check MicroWorld's website
http://www.mwti.net.
Technical Information on Tanatos:
****************************
The worm's file is a PE EXE (portable executable), 50688 bytes long,
compressed with the UPX file compressor.
When run, the worm copies itself to the Windows System directory with
a random name (JFMV.EXE for example) and adds a startup key for this
file to the Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
The worm also drops a keylogging component as a DLL file with a
randomly-generated name (ZLQPUPP.DLL for example) to the Windows
System folder.
The worm also creates 2 more DLL files and stores some encrypted
data there.
The worm creates 2 randomly named DAT files in root Windows folder
too.
The worm spreads in e-mail messages as an attachment with
randomly-generated names and with one or more extensions. Subjects
and bodies of infected e-mails are also different. The mass-mailing
routine is quite complex.
The worm's messages can contain an IFrame exploit that allows it to
run automatically on some computers when an infected e-mail is viewed
(for example, with Outlook and IE 5.0 or 5.01). This vulnerability is
fixed and a patch for it is available on Microsoft's site:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
The worm looks for e-mail addresses in INBOX (the Netscape incoming
e-mail database) and in files with the following extensions:
.ODS
.MMF
.NCH
.MBX
.EML
.TBB
.DBX
Sometimes the worm picks up e-mail messages from the infected user's
database and sends them out with its copy attached. The worm can also
place the contents of a random text file from an infected hard drive
into an infected message's body. The worm can send itself in a message
with one of the following subjects:
Greets!
Get 8 FREE issues - no risk!
Hi!
Your News Alert
$150 FREE Bonus!
Re:
Your Gift
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
News
free shipping!
its easy
Warning!
SCAM alert!!!
Sponsors needed
new reading
CALL FOR INFORMATION!
25 merchants and rising
Cows
My eBay ads
empty account
Market Update Report
click on this!
fantastic
wow!
bad news
Lost & Found
New Contests
Today Only
Get a FREE gift!
Membership Confirmation
Report
Please Help...
Stats
I need help about script!!!
Interesting...
Introduction
various
Announcement
history screen
Correction of errors
Just a reminder
Payment notices
hmm..
update
Hello!
The worm doesn't send itself to addresses that contain the following
strings (to avoid bounces and other unwanted events):
remove
spam
undisclosed
recipients
noreply
lyris
virus
trojan
mailer-daemon
postmaster@
root@
nobody@
localhost
localdomain
list
talk
ticket
majordom
The worm can send itself as an attachment with double extensions. The
first extension can be one of the following:
.reg
.ini
.bat
.h
.diz
.txt
.cpp
.c
.html
.htm
.jpeg
.jpg
.gif
The worm sets the content type of an infected attachment according
to the above file types. Content type can be one of the following:
image/gif
image/jpeg
application/octet-stream
text/plain
text/html
The second extension of an infected attachment can be one of the
following:
.scr
.pif
.exe
The worm can also 'borrow' the name for its attachment from one of the
files on an infected hard drive and then add an executable extension
to it; for example, it can send itself as an AGREEMENT.DOC.PIF file.
The name of an infected attachment can also contain one of the
following strings:
readme
Setup
Card
Docs
news
image
images
pics
resume
photo
video
music
song
data
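The forwarded note suggests scripting a content filter around the indicators above. The following is an added example, not code from the list posting, MicroWorld or Kaspersky: it uses Python's standard email parser to score a raw RFC 822 message against the subject list, the decoy/executable double extensions and the attachment name fragments given in the advisory. Because several listed subjects ("Re:", "News", "update") are ordinary mail, a subject match alone only marks the message as suspect; an attachment whose final extension is .scr, .pif or .exe is what triggers quarantine, which is the same rule the eScan/MailScan default described above applies. The sample messages, the verdict names and the function names are constructed for this example.

```python
"""Quarantine check for Bugbear/Tanatos-style mail (added example, not from
the advisory). Parses a raw RFC 822 message and scores it against the
indicators listed in the advisory above."""
import email
from email import policy

# Subjects from the advisory, lowercased for a whole-subject comparison.
WORM_SUBJECTS = {s.lower() for s in (
    "Greets!", "Get 8 FREE issues - no risk!", "Hi!", "Your News Alert",
    "$150 FREE Bonus!", "Re:", "Your Gift", "New bonus in your cash account",
    "Tools For Your Online Business", "Daily Email Reminder", "News",
    "free shipping!", "its easy", "Warning!", "SCAM alert!!!",
    "Sponsors needed", "new reading", "CALL FOR INFORMATION!",
    "25 merchants and rising", "Cows", "My eBay ads", "empty account",
    "Market Update Report", "click on this!", "fantastic", "wow!", "bad news",
    "Lost & Found", "New Contests", "Today Only", "Get a FREE gift!",
    "Membership Confirmation", "Report", "Please Help...", "Stats",
    "I need help about script!!!", "Interesting...", "Introduction",
    "various", "Announcement", "history screen", "Correction of errors",
    "Just a reminder", "Payment notices", "hmm..", "update", "Hello!")}
# Final (executable) extensions the worm uses.
EXEC_EXTS = {".scr", ".pif", ".exe"}
# Harmless-looking first extensions it places in front of them.
DECOY_EXTS = {".reg", ".ini", ".bat", ".h", ".diz", ".txt", ".cpp", ".c",
              ".html", ".htm", ".jpeg", ".jpg", ".gif"}
# Name fragments the advisory says the attachment name may contain.
NAME_HINTS = ("readme", "setup", "card", "docs", "news", "image", "images",
              "pics", "resume", "photo", "video", "music", "song", "data")


def classify_attachment(filename):
    """Return the reasons an attachment name matches the worm's naming
    scheme (empty list if not). Only an executable final extension counts."""
    parts = filename.lower().rsplit(".", 2)   # "agreement.doc.pif" -> 3 parts
    if len(parts) < 2 or "." + parts[-1] not in EXEC_EXTS:
        return []
    reasons = ["executable extension ." + parts[-1]]
    if len(parts) == 3 and "." + parts[1] in DECOY_EXTS:
        reasons.append("double extension ." + parts[1] + "." + parts[-1])
    hints = [h for h in NAME_HINTS if h in parts[0]]
    if hints:
        reasons.append("name contains " + ", ".join(hints))
    return reasons


def check_message(raw):
    """Parse a raw message and return (verdict, reasons).

    'quarantine': an attachment matches the worm's executable naming scheme
    'suspect'   : only the subject matches (common words, so review it)
    'pass'      : nothing matched
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in WORM_SUBJECTS:
        reasons.append("subject on worm list: " + subject)
    executable = False
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        found = classify_attachment(name)
        if found:
            executable = True
            # The worm labels the payload with a decoy MIME type, so report it.
            reasons.append(f"attachment {name} ({part.get_content_type()}): "
                           + ", ".join(found))
    if executable:
        return "quarantine", reasons
    return ("suspect" if reasons else "pass"), reasons


# Constructed sample messages (not real captures).
WORM_MAIL = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Your Gift
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: image/gif; name="card.gif.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="card.gif.exe"

QUFBQQ==
--b1--
"""
SUBJECT_ONLY_MAIL = "Subject: Hello!\n\njust saying hi\n"
CLEAN_MAIL = "Subject: Meeting notes\n\nsee you at 10\n"

if __name__ == "__main__":
    for raw in (WORM_MAIL, SUBJECT_ONLY_MAIL, CLEAN_MAIL):
        print(check_message(raw))
```

A gateway hook would call check_message on each inbound message and move 'quarantine' results to a holding folder; the 'suspect' verdict exists so that a bare subject match does not block legitimate traffic on its own.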
The worm has local network spreading capabilities. The worm
enumerates network resources and tries to locate the
\Start Menu\Programs\Startup\ folder
on remote systems. If such a path is found, the worm copies itself
there with a random name. When the remote system is restarted, the
worm's file gets control and infects that system.
The worm continuously looks for and terminates processes with the
names given below:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ANTI-TROJAN.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
ESAFE.EXE
ESPWATCH.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FINDVIRU.EXE
FP-WIN.EXE
FPROT.EXE
FRW.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
IOMON98.EXE
JEDI.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LUALL.EXE
MOOLIVE.EXE
MPFTRAY.EXE
N32SCANW.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NISUM.EXE
NMAIN.EXE
NORMIST.EXE
NUPGRADE.EXE
NVC95.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
PERSFW.EXE
RAV7.EXE
RAV7WIN.EXE
RESCUE.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SERV95.EXE
SMC.EXE
SPHINX.EXE
SWEEP95.EXE
TBSCAN.EXE
TCA.EXE
TDS2-98.EXE
TDS2-NT.EXE
VET95.EXE
VETTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
ZONEALARM.EXE
The worm uses separate routines for process killing on Windows 9x-
and NT-based systems. In most cases the worm effectively disables
security and anti-virus software that failed to detect it entering a
system.
The worm listens on port 36794 and can provide access to an infected
system, and the network it is connected to, via an internal backdoor
component. The backdoor component allows an attacker to access an
infected system through a web-based interface. The worm generates
HTML pages on-the-fly when an attacker browses directories on an
infected remote computer.
The worm contains several icons that it uses to identify the type of
remote drives and files. The backdoor component also allows an
attacker to browse shared network resources that an infected computer
has access to. The worm also uses icons to identify network resources.
The worm allows an attacker to get information about an infected
system: operating system, processor type, fixed and network drives.
It also has password stealing capabilities. It installs a keylogging
component on a system, records keystrokes and saves them into a
file. The worm then sends this file to a few e-mail addresses that
are stored in encrypted form in the worm's body. The SMTP server
names that the worm uses to send the files are also stored in
encrypted form in the worm's body.
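Two of the indicators above are easy to check on a host without a signature update: a TCP listener on port 36794 and the disappearance of the security processes the worm's kill list targets. The following is an added example (not code from the advisory, MicroWorld or Kaspersky) that runs both checks over text already captured from a host, so it works offline; on a live Windows machine you would feed it the output of `netstat -an` and the image names from `tasklist`. The netstat rows, the running-process list and the expected-process baseline are constructed for this example, and which security executables a site expects to see is a local decision.

```python
"""Host triage for Bugbear/Tanatos indicators (added example, not from the
advisory). Works on captured `netstat -an` text and a list of running
process names so that it can run offline."""
import re

BACKDOOR_PORT = 36794  # the listening port given in the advisory

# Matches Windows `netstat -an` rows: proto, local addr:port, foreign, state.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")


def backdoor_listeners(netstat_lines, port=BACKDOOR_PORT):
    """Return the local addresses that have a TCP listener on `port`."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_ROW.match(line)
        if not m:
            continue          # header, blank or otherwise non-row line
        proto, addr, lport, _foreign, state = m.groups()
        if proto == "TCP" and int(lport) == port and state.upper() == "LISTENING":
            hits.append(addr)
    return hits


def missing_security_processes(running, expected):
    """Names from `expected` (the AV/firewall executables a site normally
    runs, which the worm's kill list targets) absent from `running`.
    Comparison is case-insensitive, as Windows image names are."""
    running_set = {name.upper() for name in running}
    return sorted(n.upper() for n in expected if n.upper() not in running_set)


def triage(netstat_lines, running, expected):
    """Combine both checks into one list of findings."""
    findings = []
    for addr in backdoor_listeners(netstat_lines):
        findings.append(f"TCP listener on {addr}:{BACKDOOR_PORT} (worm backdoor port)")
    for name in missing_security_processes(running, expected):
        findings.append(f"expected security process not running: {name}")
    return findings


# Constructed sample data (not real captures).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1054      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
""".splitlines()
SAMPLE_PROCESSES = ["explorer.exe", "JFMV.EXE", "zonealarm.exe"]
# Hypothetical site baseline: two names taken from the kill list above.
EXPECTED_SECURITY = ["NAVW32.EXE", "ZONEALARM.EXE"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES, EXPECTED_SECURITY):
        print(finding)
```

A listener on 36794 is the stronger signal of the two; a missing antivirus process is only suggestive on its own, since the advisory notes the worm also disables firewalls and other tools, so a host showing both should be treated as infected and handled per the disinfection steps that follow.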
Disinfection Instructions
To remove the worm from a system it is enough to delete all its files
from the hard drive and restart the computer. If the worm is in a
network environment, the network should be temporarily taken down
and all systems disinfected separately; otherwise the worm will try
to re-infect already cleaned systems.
After disinfection it is also recommended to change all logins and
passwords, as they could have been compromised by the worm's password
stealer component. It is also recommended to check infected systems
and networks for possible hacker intrusion that could have been
performed through the worm's backdoor component.
Technical Description courtesy, Kaspersky Labs.
MicroWorld.
--
syafril
-------
Syafril Hermansyah <[EMAIL PROTECTED]>
------------------------------
End [EMAIL PROTECTED] Digest [10/02/2002 03:01]
---------------------------------------------------
--
--[MDaemon-L]--------------------------------------------------------
This list is for discussion among MDaemon Mail Server users.
Archive : <http://mdaemon-l.dutaint.com>
Moderator : <mailto:[EMAIL PROTECTED]>
Unsubscribe : <mailto:[EMAIL PROTECTED]>
Subscribe : <mailto:[EMAIL PROTECTED]>
Latest Vers. : 6.0.7