Re: Warning to Bugtraq posters.

1999-12-24 Thread Richard M. Smith

Hi Steven,

Okay, this is probably the NewApt worm/trojan/virus.  Here are
some descriptions of it:

   Trend Micro Description
   http://www.antivirus.com/vinfo/security/sa121499.htm

   NAI Avert Description
   http://vil.nai.com/vil/wm10475.asp

   Symantec Description
   http://www.symantec.com/avcenter/venc/data/worm.newapt.html

   F-Secure Description
   http://www.europe.f-secure.com/v-descs/newapt.htm


The NTBugTraq mailing list had the same problem last week.
All it takes is one person on a mailing list to get infected,
then it sends itself off to people who have posted messages to
the list.  For example, I got a WinApt message from Italy that was a
reply to a message I posted in August to NTBugTraq.

An interesting side note, NewApt contains an IP address
for a Microsoft Web server that shows the www.microsoft.com
homepage.  Not sure what the purpose of this address is
in the code.

Richard

> -Original Message-
> From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of Steven
> Alexander
> Sent: Wednesday, December 22, 1999 11:49 AM
> To: [EMAIL PROTECTED]
> Subject: Warning to Bugtraq posters.
>
>
> After my last post to bugtraq (Re: w00w00) I received a message
> purporting to be from myself with the same subject line.  The message
> contained an attachment program named goal.exe.  It claimed that this
> program was from messagemates.com.  If the program is run it will give an
> error message about an unfound .DLL.  It will also create a new goal.exe in
> "C:\WINNT\" and an entry in the registry named "tpawen" with the value
> "C:\WINNT\goal.exe /x" under
> "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run".  I don't
> know what this program is, I am disassembling it now and will post again
> later.  The header from the message I received indicates that the mail was
> received by my mail server from "stu.chesapeake.net, 205.130.220.9".  If
> anyone knows anything more please email me.
>
> -steven alexander
>



Warning to Bugtraq posters.

1999-12-23 Thread Steven Alexander

After my last post to bugtraq (Re: w00w00) I received a message
purporting to be from myself with the same subject line.  The message
contained an attachment program named goal.exe.  It claimed that this
program was from messagemates.com.  If the program is run it will give an
error message about an unfound .DLL.  It will also create a new goal.exe in
"C:\WINNT\" and an entry in the registry named "tpawen" with the value
"C:\WINNT\goal.exe /x" under
"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run".  I don't
know what this program is, I am disassembling it now and will post again
later.  The header from the message I received indicates that the mail was
received by my mail server from "stu.chesapeake.net, 205.130.220.9".  If
anyone knows anything more please email me.

-steven alexander
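The persistence indicator Steven reports (a Run value named "tpawen" pointing at C:\WINNT\goal.exe /x) is the kind of thing an incident responder checks across a whole list of machines. The script below is an added example, not code from the thread or from either poster: it parses the text that `reg export` writes for the Run key, splits each autorun command into executable and arguments, and flags entries matching the indicators from the post. The sample export embedded in it is constructed for illustration (the benign "SystemTray" entry is an assumption, not something the post mentions), as are the helper names.

```python
import re

# Constructed sample of a .reg export of the Run key, as a responder might
# collect it from a suspect host. The "tpawen" line reproduces the value
# reported in the post; the "SystemTray" line is a made-up benign entry
# included so the triage has something to leave alone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"tpawen"="C:\\WINNT\\goal.exe /x"
'''

# Indicators taken directly from the post: the Run value name and the
# dropped file name. Matching is case-insensitive because the registry is.
IOC_VALUE_NAMES = {"tpawen"}
IOC_FILE_NAMES = {"goal.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

_SECTION = re.compile(r"^\[(.+)\]$")
# "name"="data" for REG_SZ values; backslash escapes the next character.
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \" inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values.

    Other value types (hex:, dword:) are ignored; Run entries are strings.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def split_command(cmd):
    """Split an autorun command into (executable, arguments).

    Handles a double-quoted executable path; otherwise the first
    whitespace-delimited token is the executable.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_run_entries(reg_text):
    """List every Run entry as (value_name, exe, args, reasons).

    reasons is empty for entries that match no indicator, so the caller can
    both review the full autorun list and pick out the hits.
    """
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, cmd in values.items():
            exe, args = split_command(cmd)
            basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            reasons = []
            if name.lower() in IOC_VALUE_NAMES:
                reasons.append("value name matches reported IOC")
            if basename in IOC_FILE_NAMES:
                reasons.append("executable name matches reported IOC")
            findings.append((name, exe, args, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, args, reasons in triage_run_entries(SAMPLE_REG):
        flag = "SUSPECT" if reasons else "ok     "
        print(f"{flag} {name!r}: {exe} {args}".rstrip(), *reasons, sep="  ")
```

On a live Windows host the export would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the same parser works for the HKCU Run key and the RunOnce keys if the key comparison is widened. Keeping the full list rather than only the hits matters: a renamed dropper would evade the name indicators, but an analyst reading every autorun command still sees it.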



Re: Warning to bugtraq posters.

1999-12-23 Thread Steven Alexander

It appears that the file I received installs a new goal.exe in C:\Winnt
which is set to run on startup.  Disassembly of the file reveals that it
gathers information about my machine from the registry and attempts to
recover my netscape password from prefs.js.  It then emails the information
to [EMAIL PROTECTED].  I will post a disassembly of both files on my website
http://www.cell2000.net/security/

-steven alexander