Saturday, 08 July 2006

Looks like a new variant of an old virus is making the rounds.

I got an email tonight in my personal email account that pretended to be from Microsoft and carried a virus in an attached ZIP file. The attachment was called "Microsoft SMS Manager.zip" and contains two files, packaged as a .JPG file and an .HTA file. The JPG file is actually the infected binary, and the HTA file is a real HTA with malicious content that calls the binary and performs some other actions. The email came from an IP at an ISP located in Asia.

Of course I didn't get infected, because it was obviously fake. Microsoft will never send software or updates via email, but in the social engineering department this one is bound to fool a number of people (despite the bad grammar), so it's a good idea to get the word out. I confirmed that the attachment is malicious with Symantec's AV client on the local machine.

Here is the Symantec report for the infected contents of the ZIP file (specifically the JPG file):

Scan type:  Auto-Protect Scan
Event:  Threat Found!
Threat: W32.Gavgent.A
File:  C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip\Product.jpg
Location:  C:\DOCUME~1\*********\Temp\Temporary Directory 1 for Microsoft SMS Manager.zip
Computer:  *******
User:  *******
Action taken:  Delete succeeded : Access denied
Date found: Saturday, July 08, 2006  11:22:31 PM

If the AV software is correct and this really is W32.Gavgent.A, it is an older worm (2005) that was not very prevalent at the time. The dates on the files in the ZIP are 8/2005, so it is entirely possible this is a reuse of an older virus. The HTA file in the package is a genuine HTA, and it references "Gavgent.B" in its contents, so this is likely a repackaging of the Gavgent.A variant. At this time there is no reference to Gavgent.B at Symantec Security Response. Luckily the old Gavgent.A signature is what trips the Symantec software, so detection seems to be easy enough. Below is the header from the HTA file. The executable section contains a lot of obfuscated VBScript and an IFRAME that loads the microsoft.com site with some extra arguments on the query string.

<HTA:APPLICATION ID="GavGent.B-ID"
    APPLICATIONNAME="GavGent.B"
    CAPTION="Microsoft SMS Manager"
    SHOWINTASKBAR="yes"
    SYSMENU="yes"
    WINDOWSTATE="maximize">

This virus does the classic network worm thing: it collects email addresses and spreads via the common methods. It tends to restart the computer it infects and is generally an annoying dude. It will also try to kill AV and other security processes upon execution. Details are available here.
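The two tricks this attachment relies on (a binary renamed to .jpg, and an .HTA launcher that runs it) are both easy to spot without an AV signature if you look at the content rather than the extension. The script below is an added example, not code from the original post or from any vendor: it opens a ZIP in memory, compares each member's extension against its leading magic bytes, and flags active-content files plus the usual HTA launcher markers (the HTA:APPLICATION header, CreateObject/WScript.Shell, .Run, Chr() obfuscation, hidden IFRAMEs). The sample archive it builds is constructed for illustration only; the "Setup.hta" name and the VBScript body standing in for the obfuscated launcher are assumptions, not the real malware.

```python
import io
import os
import re
import zipfile

# Leading magic bytes -> content type. Only the few types this triage needs.
MAGIC = {
    b"MZ": "Windows executable",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP archive",
    b"GIF8": "GIF image",
    b"\x89PNG": "PNG image",
}
# What the extension claims the file is.
EXPECTED = {".jpg": "JPEG image", ".jpeg": "JPEG image", ".gif": "GIF image",
            ".png": "PNG image", ".zip": "ZIP archive", ".exe": "Windows executable"}
# Extensions Windows will execute or script when double-clicked.
ACTIVE_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".scr",
               ".pif", ".bat", ".cmd", ".exe", ".com"}
# Markers typical of an HTA launcher (case-insensitive regexes).
HTA_MARKERS = [r"<HTA:APPLICATION", r"CreateObject\s*\(", r"WScript\.Shell",
               r"\.Run\b", r"<iframe", r"Chr\s*\("]


def identify(data: bytes) -> str:
    """Return a content type from the leading magic bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect every member of an in-memory ZIP and return one finding per file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            actual = identify(data)
            flags = []
            declared = EXPECTED.get(ext)
            if declared and actual != declared:
                flags.append(f"extension says {declared} but content is {actual}")
            if ext in ACTIVE_EXTS:
                flags.append("active content (runs when opened)")
            # Inspect anything that is, or claims to be, an HTA.
            if ext == ".hta" or b"<HTA:APPLICATION" in data[:4096].upper():
                text = data.decode("latin-1")
                hits = [m for m in HTA_MARKERS if re.search(m, text, re.IGNORECASE)]
                if hits:
                    flags.append("HTA markers: " + ", ".join(hits))
            findings.append({"name": info.filename, "ext": ext,
                             "content": actual, "flags": flags})
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for 'Microsoft SMS Manager.zip'. Not the real malware:
    the 'jpg' is a bare MZ stub, and the HTA body is a hypothetical launcher."""
    pe_stub = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
    hta_stub = b"""<HTA:APPLICATION ID="GavGent.B-ID"
    APPLICATIONNAME="GavGent.B"
    CAPTION="Microsoft SMS Manager"
    SHOWINTASKBAR="yes"
    SYSMENU="yes"
    WINDOWSTATE="maximize">
<!-- placeholder body standing in for the obfuscated VBScript (assumption) -->
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFile "Product.jpg", Chr(115) & "vc.exe"
Set sh = CreateObject("WScript.Shell")
sh.Run "svc.exe", 0
</script>
<iframe src="http://www.microsoft.com/?id=1" width="0" height="0"></iframe>
"""
    benign_jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Product.jpg", pe_stub)     # binary disguised as an image
        zf.writestr("Setup.hta", hta_stub)      # launcher (name is assumed)
        zf.writestr("photo.jpg", benign_jpg)    # a real JPEG header, for contrast
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        status = "SUSPICIOUS" if f["flags"] else "ok"
        print(f"{f['name']:<14} {f['content']:<20} {status} {'; '.join(f['flags'])}")
```

To run it against a real attachment, pass the bytes of the saved ZIP to `triage_zip` instead of `build_sample()`; do this on an isolated machine, since `zipfile` will happily inflate whatever is inside. The extension/magic mismatch alone is the strongest signal here: a file named .jpg whose first two bytes are "MZ" has no legitimate reason to exist in an "installation document".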

The original email I received is below. The subject line was "SMS Manager from Microsoft."

Developer@microsoft.com wrote:

Dear Customer,
This email provides you information about new product from Microsoft
Corporation, called Microsoft SMS Manager.
These product would help your activities, you can send and receive SMS
messages through your PC with no charge before December 31, 2005 (trial
period).
It's compatible with most of GSM and CDMA operators.
The Installation's document is attached (Microsoft SMS Manager.zip).

For further informations, please contact support@microsoft.com

Best Regards,
---------------------------------------------------------------------

Microsoft Corporation
http://www.microsoft.com


IT Security | Safe Computing | Tech
Saturday, 08 July 2006 22:58:17 (Pacific Standard Time, UTC-08:00)