OSEC

Re: TROJAN: Symantec: New Serious Virus found. (fwd)

From: Kevin Patz (jambo_catyahoo.com)
Date: Wed Jul 16 2003 - 13:37:53 CDT


In-Reply-To: <Pine.LNX.4.53.0307151847580.15628predator.treachery.net>

It looks to me like a new variant of W32.Gruelmm
(McAfee calls it W32/FakerrMM). I scanned it with
7/15 NAV defs and F-Prot, and they didn't detect
anything. The email you received looks similar to
what W32.Gruelmm sends but altered somewhat. This
leads me to think it's a new variant.

I suggest submitting a sample to Symantec, McAfee,
Trend, Kaspersky, etc.

I pulled text strings from the exe and found
indications of the following:

1. It's written in Visual Basic 6.0, and requires the
VB 6.0 runtime.
2. It seems to have the ability to disable Task
Manager, Logoff, Shutdown, Lock Computer, and Change
Password, or at least it has GUI elements that allude
to that.
3. It contains the string "kIlLeRgUaTe 1.03, I mAke
ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"
4. It looks like it generates, or is capable of
generating, a fake Windows Error Report, and a Windows
NT bugcheck dump.

I haven't attempted to run or disassemble the code.

--------------------
>Oh, this is interesting.
>
>The little beastie claims to come from Symantec. It's actually from some
>joker (possibly a victim) in Guatemala. Even comes with a .exe attachment
>for those dumb enough to be suckered into believing it's actually from
>Symantec.
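As an added example (not part of the original post or of any vendor's tooling), here is the kind of strings-based triage Kevin describes, in Python: pull printable runs out of a binary and match them against the indicators he lists. The byte blob is a constructed stand-in for the attachment, and the use of MSVBVM60.DLL (the VB 6.0 runtime library) as the marker for "written in VB6, needs the VB6 runtime" is my assumption about how that was spotted.

```python
import re
import sys

# Constructed stand-in for the attachment's bytes (NOT the real sample): a few
# printable runs separated by binary noise, the way `strings` sees a binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"MSVBVM60.DLL\x00\x00\x01\x02\xfe"
    b"kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!\x00"
    b"\x00\x7f\x80Disable Task Manager\x00Windows Error Report\x00"
)

# Indicators from the post, each mapped to a pattern that would reveal it.
# Assumption: a reference to MSVBVM60.DLL, the VB 6.0 runtime library, is what
# marks the binary as a VB6 program that needs that runtime installed.
INDICATORS = {
    "vb6_runtime": re.compile(rb"MSVBVM60\.DLL", re.I),
    "author_tag": re.compile(rb"kIlLeRgUaTe \d+\.\d+"),
    "task_manager_ui": re.compile(rb"Task Manager", re.I),
    "fake_error_report": re.compile(rb"Windows Error Report", re.I),
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, data)]


def triage(data: bytes) -> dict:
    """Map each indicator name to the first matching text, or None if absent."""
    hits = {}
    for name, pattern in INDICATORS.items():
        match = pattern.search(data)
        hits[name] = match.group().decode("ascii", "replace") if match else None
    return hits


def main(path: str = None) -> None:
    # With a path argument the file on disk is inspected; otherwise the
    # constructed SAMPLE above is used so the script runs offline.
    data = open(path, "rb").read() if path else SAMPLE
    for s in extract_strings(data):
        print("string:", s)
    for name, hit in triage(data).items():
        print(f"{name:18} {'HIT ' + hit if hit else '-'}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

A hit on the author tag or the fake-report strings is only a lead for the vendor submissions Kevin recommends, not a detection on its own.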
