[iwar] Malicious Code Alert - South Park Shooter Worm (fwd)


From: Fred Cohen
From: fc@all.net
To: iwar@egroups.com

Thu, 11 May 2000 13:51:54 -0700 (PDT)


Message-Id: <200005112051.NAA31499@all.net>
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
Reply-To: iwar@egroups.com

Finjan Software, Inc. * Malicious Code Alert * 5/11/2000

Threat:  Medium

---------------------------------------------------------------
South Park Shooter Worm
---------------------------------------------------------------

Finjan’s Malicious Code Research Center (MCRC) has analyzed a new worm
called South Park Shooter, discovered yesterday in the wild in Europe.  The
worm uses Microsoft Outlook to mail itself to every entry in the victim’s
address book, and repeats this every 30 seconds.  It also fills the victim’s
hard drive to capacity.  Its payload is therefore a denial of service against
both the PC and the e-mail servers that carry the traffic.


DESCRIPTION

File attachment: “South Park.exe”   (Original name: “hit it.exe”)
File size: 19,968 bytes

Under file properties, the file is named “South Park Shooter”, and both the
company name and the copyright read “Comicplanet”.

The e-mail is written in German, with the subject: “Servus Alter!”
(Translation: “Hey dude!”, Bavarian slang)

Message body: “Hier ist das Spiel, das du unbedingt wolltest!”
(Translation: “Here is the game you absolutely wanted!”)

When launched, South Park Shooter adds the following registry entries (the
alert printed the paths with forward slashes; they are shown here with the
backslashes Windows uses):

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Value name: windll
Data: c:\winguard.exe

HKEY_USERS\.DEFAULT\Software\VB and VBA Program Settings
  (printed as “vb and va program settings” in the alert)
Subkey: Microsoftt Sucks
Subkey: Authors
Value name: SUSI V1.0
Data: SUSI V1.3 made by ::((LITTLE JiM))::

The Run entry is the worm’s persistence: it restarts c:\winguard.exe when the
profile loads.  On Windows 9x without per-user profiles, HKEY_USERS\.DEFAULT
and HKEY_CURRENT_USER are the same hive, so check both when hunting for it.
The second location is where Visual Basic’s SaveSetting writes its data (app
name “Microsoftt Sucks”, section “Authors”); it is the author’s tag rather than
anything the worm needs to run.

The worm creates two 1 KB .dll files, C:\windowssystem.dll and
C:\windowsstart.dll (paths as printed in the alert), and the executable
C:\winguard.exe (19.5 KB, matching the 19,968-byte attachment).  It also
copies South Park.exe to the root of C: and looks for a diskette in the floppy
drive.  If it finds one, it copies the PC’s system files and the attack file to
it, so that the diskette can boot and infect other PCs.

Once winguard.exe is running, it sends an e-mail with the South Park.exe
attachment to every contact in the Microsoft Outlook address book, and repeats
this every 30 seconds.  An infected PC with a large address book therefore
generates enough traffic to overload e-mail servers.

It also creates a text file, C:\swapfile.vxd (named to look like a Windows 9x
device driver), and fills it with random characters until the hard drive is
full, which is a denial of service against the PC itself.

We caution companies that English translations and new variants of this worm
are likely to appear shortly.
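The two checks a mail gateway would want for this worm, as an added example that is not Finjan’s code and not part of the original alert: an exact match on the indicators given above (subject, attachment name and the 19,968-byte size) and, because the alert expects translations and variants, a generic rule that refuses any executable attachment, matching both the file extension and the DOS “MZ” signature an executable starts with. The extension list, the addresses and the sample messages are constructed for the example; the attachment bytes are dummies, not the worm.

```python
"""Mail-gateway filter for the message the alert describes.

Added example, not Finjan's code. Two rules: an exact match on the alert's
indicators (subject, attachment name, attachment size) and a generic rule
that blocks any executable attachment, by extension or by the 'MZ' magic at
the start of its bytes. Sample messages are constructed; the attachment
bytes are dummies, not the worm.
"""
import email
import email.policy
from email.message import EmailMessage

EXACT_SUBJECT = "Servus Alter!"
EXACT_ATTACHMENT = "South Park.exe"
EXACT_SIZE = 19968
# Assumed list of extensions a double-click in Outlook of that era would run.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".pif", ".scr", ".bat", ".vbs")


def classify(raw_bytes):
    """Return (verdict, reasons) for an RFC 822 message given as raw bytes."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    subject = (msg.get("Subject") or "").strip()
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Rule 1: the exact indicators from the alert. Brittle: any
        # translation, rename or repack defeats it.
        if (subject == EXACT_SUBJECT and name.lower() == EXACT_ATTACHMENT.lower()
                and len(data) == EXACT_SIZE):
            reasons.append("South Park Shooter: exact indicator match")
        # Rule 2: any executable attachment. A packed or renamed PE file
        # still starts with the DOS 'MZ' signature, so this survives repacking.
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"executable attachment by extension: {name}")
        elif data[:2] == b"MZ":
            reasons.append(f"executable attachment by MZ header: {name or '(unnamed)'}")
    return ("block" if reasons else "deliver"), reasons


def build_message(subject, body, attachment_name=None, attachment_bytes=b""):
    """Serialize a constructed sample message to bytes, as a gateway sees it."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"    # placeholder addresses
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name is not None:
        msg.add_attachment(attachment_bytes, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples (dummy bytes, not the worm).
ORIGINAL = build_message(EXACT_SUBJECT, "Hier ist das Spiel, das du unbedingt wolltest!",
                         EXACT_ATTACHMENT, b"MZ" + b"\x90" * (EXACT_SIZE - 2))
# Hypothetical English variant: translated, renamed and repacked (new size).
VARIANT = build_message("Hey dude!", "Here is the game you absolutely wanted!",
                        "game.exe", b"MZ" + b"\x00" * 25000)
# Same variant with the extension dropped: only the MZ check catches it.
RENAMED = build_message("Hey dude!", "Here is the game you absolutely wanted!",
                        "game", b"MZ" + b"\x00" * 25000)
BENIGN = build_message("lunch?", "noon at the usual place")

if __name__ == "__main__":
    for label, raw in [("original", ORIGINAL), ("variant", VARIANT),
                       ("renamed", RENAMED), ("benign", BENIGN)]:
        verdict, reasons = classify(raw)
        print(f"{label}: {verdict} {reasons}")
```

The constructed English variant passes the exact rule untouched and is caught only by the generic one, which is the argument for blocking by attachment type rather than by subject or file name. Running an executable through a compressor changes its bytes and size but not the MZ header, so the second rule also holds against the repacking the PROTECTION section describes.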


PROTECTION

Finjan’s SurfinShield Corporate protects corporate PCs from all variants of
this worm through its proactive monitoring technology, which “sandboxes”
executables saved on PCs.  By monitoring the actual behavior of the code,
SurfinShield Corporate protects PCs from malicious code attacks without
requiring users to download a software patch or a signature database update.

SurfinGuard is Finjan’s free personal-sandbox Internet security utility for
PCs; it prevents malicious worm and Trojan attacks.  SurfinGuard can be
downloaded from www.finjan.com/surfinguard.

Anti-virus software alone is not enough to protect you or your organization
from new, first-strike attacks.  More than one hundred executable compressors
(packers) are available to change the signature, or “footprint”, of a worm or
Trojan.  Once an attack has been packed, signature-based anti-virus software
cannot detect it until a new signature is issued and every client has been
updated.


------------------
http://all.net/