[PLUG] Fwd: NEW WORM - Friendgreetings.com mass E-mailer

Percival, Ray Ray.Percival at summit.fiserv.com
Fri Oct 25 20:18:14 UTC 2002


Just so you know what IP to block in your firewall

www.friendsgreetings.com

66.172.0.91

Won't keep you from getting the emails but it will prevent your lusers from infecting themselves. Also, and you really should be doing this anyway, if you strip out ActiveX they won't be able to infect themselves.

Ray

-----Original Message-----
From: Patrick Beart 
Sent: Friday, October 25, 2002 1:10 PM
To: clients at Webarchitecture.com
Cc: plug at lists.pdxlinux.org
Subject: [PLUG] Fwd: NEW WORM - Friendgreetings.com mass E-mailer
Importance: High


Folks:

	There is a NEW Windows virus out. This one DOES NOT have any 
"fixes" from the usual anti-virus companies (e.g. Symantec, McAfee, 
etc.), for reasons that are alluded to, below.

	This "Worm" is different than previous viruses, in that it 
relies on user ignorance (stupidity!) to install itself. Basically, 
it uses YOU to do its nastiness by assuming that you won't read the 
EULA (End-User License Agreement) that comes along with it.

	Here's Symantec's information on it, followed by a post from 
one of the original discoverers of this - who happens to be a friend 
of mine. My friend's company spent most of yesterday looking into 
this new worm, so the remainder of the post is HIGHLY technical in 
nature.

	http://www.sarc.com/avcenter/venc/data/friendgreetings.html





Patrick Beart

---------------

>Delivered-To: mail.webarchitecture.com-patrick at tesla.iweb4biz.com
>From: Russell Washington <russ.washington at vaultsentry.com>
>To: "'list at dshield.org'" <list at dshield.org>
>Subject: [Dshield] Friendgreetings.com mass emailer
>Date: Thu, 24 Oct 2002 15:02:53 -0700
>
>We've been researching an item that "landed" in an end-user's inbox this
>morning.  Given the lack of information on this mass emailer I thought I
>should get some more seasoned eyes on it.  Here's the dump of information I
>have to date.  Symantec is aware of this item but (at least when we talked
>to them) has it classified as "non-malicious malware" and is still debating
>whether to include detection for it in the Norton Anti-Virus product.
>
>It is probably worthwhile to figure out what the background process this
>thing leaves running is actually up to.  When we locked down the NTFS (yes,
>Windows, sorry) permissions on the directory containing the executable and
>its DLLs, other processes (no pattern determined) became unhappy.  Might be
>coincidence, might be causal.
>
>Anyway, have at this one guys.  Our research is far from comprehensive.
>
>The trojan runs a program called OTMS.EXE in the background and sets the
>system up to restart it at each logon. What purpose this program serves is
>unknown and we have been unable to test it. At this point I believe the
>safest assumption to make is that it represents a security compromise, and
>the process should be terminated on any machine running it.
>
>The program comes from an outfit called "Permission Media" and installs
>something for "Friend Greetings". It looks like Friend Greetings is the user
>and Permission Media is the creator. Important to note is the following
>License Agreement verbiage ("Friendgreetings License Agreement") that I dug
>out of what appeared to be the install point:
>
>	1. Consent to E-Mail Your Contacts. As part of the installation
>process, Permissioned Media will access your MicroSoft Outlook(r) Contacts
>list and send an e-mail to persons on your Contacts list inviting them to
>download FriendGreetings or related products. By downloading, installing,
>accessing or using the FriendGreetings, you authorize Permissioned Media to
>access your MicroSoft(r) Outlook(r) Contacts list and to send a personalized
>e-mail message to persons on your Contact list. IF YOU DO NOT WANT US TO
>ACCESS YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST,
>DO NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.
>
>End User Zero claimed they never saw this agreement.  However, Symantec
>claimed that this verbiage is in fact presented and we have confirmed this.
>Either way it explains exactly what we saw, which was that the first
>infected machine started shoveling customized-to-the-contact copies of the
>original email to everyone in the victim's address book.
>
>We only found one reference in Google that I was able to find under a
>variety of searches, and the message thread only underscores the unknown
>nature of this program. You can find the thread at
>http://forums.techguy.org/t100166/s49b6012a49a2b50020b83e4d76bce31f.html. It
>should be noted that one of the filenames installed, "winsrvc.exe", is
>referenced in knowledge bases as being associated with the 2000-era Navidad
>virus. This does not appear to be the same program or even a variant.
>
>Technical details known to date:
>
>The installer uses an MSI package and invokes the Windows Installer service.
>
>
>The installer placed materiel in the directories c:\program files\common
>files\media, c:\temp\_IS5, and
>c:\temp\{499AFE40-6C35-483D-B6F3-F6AB95C2E6EC}. The last two directories may
>be temporary install points that are deleted when installation is
>successfully completed. The "license agreements" are in the last directory.
>
>The installer inserts the item "PMedia" under
>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value C:\Program
>Files\Common Files\Media\OTMS.exe.
>
>The installer invokes OTMS.EXE with the obvious intent of having it run this
>process in the background.
>
>The installer places an application called "WinSrv Reg" in Add/Remove
>Programs (HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall)
>
>---- Begin original message----
>From: (infected sender)
>Sent: Thursday, October 24, 2002 9:59 AM
>To: (Recipient email "friendly name" in sender's Outlook Contacts folder)
>Subject: (recipient first name) you have an E-Card from .
>Greetings!
>has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
>can pickup your E-Card at the FriendGreetings.com by clicking on the link
>below.
>http://www.friendgreetings.com/pickup/pickup.aspx?code=Humayun&id=2410021
>Message:
>------------------------------------------------------------
>(recipient first name),
>I sent you a greeting card. Please pick it up.
>------------------------------------------------------------
>----End original message----


-- 
------------------------------------------------
Web Architecture  &  "iWeb4Biz"         503-774-8280       Portland, OR
Internet Consulting, Intelligent Web site Development & Secure site Hosting.
http://www.WebArchitecture.com/

"This is an era when nonsense has become acceptable and sanity is 
controversial."
                                      - Thomas Sowell
------------------------------------------------
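A read-only host check for the indicators the quoted report lists (the "PMedia" Run value, OTMS.exe under Common Files\Media, the "WinSrv Reg" Add/Remove Programs entry, the two temp install points, and a running OTMS process). This is an added example for this archive page, not code from any of the posters or from Permissioned Media; it assumes Windows PowerShell with the HKLM: drive available and only reports findings, it removes nothing.

```powershell
# Added example (not from the original thread): report Friendgreetings /
# Permissioned Media indicators on this host. Read-only; no changes are made.
$findings = @()

# 1. Run value "PMedia" under HKLM\...\CurrentVersion\Run (autostart at logon)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['PMedia']) {
    $findings += "Run value PMedia = $($run.PMedia)"
}

# 2. The background executable itself (C:\Program Files\Common Files\Media\OTMS.exe)
$otms = Join-Path $env:CommonProgramFiles 'Media\OTMS.exe'
if (Test-Path -LiteralPath $otms) {
    $findings += "File present: $otms"
}

# 3. Add/Remove Programs entry named "WinSrv Reg" under the Uninstall key
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem -Path $uninst -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and $p.DisplayName -eq 'WinSrv Reg') {
        $findings += "Uninstall entry: $($_.PSChildName) (DisplayName 'WinSrv Reg')"
    }
}

# 4. Is OTMS currently running?
Get-Process -Name 'OTMS' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: OTMS.exe (PID $($_.Id))"
}

# 5. Temporary install points the report says may be left behind
$tempDirs = @(
    'C:\temp\_IS5',
    'C:\temp\{499AFE40-6C35-483D-B6F3-F6AB95C2E6EC}'
)
foreach ($d in $tempDirs) {
    if (Test-Path -LiteralPath $d) { $findings += "Directory present: $d" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Friendgreetings indicators found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

Run it from an elevated prompt so the HKLM keys and Program Files are readable; `-LiteralPath` is used for the GUID directory so the braces are not interpreted. A hit on the Run value alone is enough to justify terminating the process and removing the autostart entry, since the report treats OTMS.exe as a compromise until proven otherwise.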

_______________________________________________
PLUG mailing list
PLUG at lists.pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug