Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

11September.exe email Worm!

Posted by Technodrome at Wilders:

VIRUS ALERT - 9-11 virus (W32/Chet@mm) reported!

Command Software Systems, Inc.

Name: W32/Chet@mm
Aliases: Chet, W32/Chet@MM
Type: Internet Worm
Discovery Date: September 10, 2002

Description:

W32/Chet@mm is an Internet worm that arrives as an email with an attachment
entitled "11September.exe". More details about this worm are pending.
more: »www.commandsoftware.com

»www.wilderssecurity.com/ ··· did=3579

ChrisJT
Premium Member
join:2001-12-20
Torrance, CA

great

Some people are so gutless, they have to make a virus for 9/11.

Thanks for the heads up, Name Game.

Apple4life
I'M Going Nucking Futs
join:2002-09-07
Bronx, NY

Apple4life to Name Game

Member

to Name Game
Thanks a million for letting all of us know about this. Personally I can't believe some stupid person had the guts to make a virus for 9/11.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2 to Name Game

MVM

to Name Game
Not on yesterday's NAV definitions... Will have to check back later today.

Nightfall
My Goal Is To Deny Yours
MVM
join:2001-08-03
Grand Rapids, MI

We got an instance of it this morning. I love NAV Corporate edition. Cleaned it right up. Make sure your virus definitions are updated!

davidovv
join:2001-06-19
Netherlands

davidovv to Name Game

Member

to Name Game
FYI: this (not particularly the most dangerous one I've ever seen...) worm is covered by fairly all good AVs: KAV, DrWeb, NOD32 in the meanwhile. Daily database updates are a nice feature IMHO.

regards.

Paul Wilders

»www.wilders.org security

danawhitaker
Space...The Final Frontier
Premium Member
join:2002-03-02
Thorndale, ON

danawhitaker to Apple4life

Premium Member

to Apple4life
**Thanks a million for letting all of us know about this. Personally I can't believe some stupid person had the guts to make a virus for 9/11**

True...but people also had the nerve to fly planes into buildings. The person writing the virus is just riding on the coattails of a tragedy.

Sammie

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to Name Game

Premium Member

to Name Game
Update: This one apparently is broken

»www.theregister.co.uk/co ··· 070.html

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

Randy Bell to R2

Premium Member

to R2
R2, get today's IU or LU, it's detected now. :)

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay to Name Game

MVM

to Name Game
Just another reason not to open .exe attachments...or any attachments in some cases, depending upon your habits! 9/11 or no, the worms are still at it writing worms. Disgusting.

Motumbo
join:2002-05-15
Belgium

Motumbo to Name Game

Member

to Name Game
From the Swiss KAV website »www.kav.ch

I-Worm.Chet

This is a worm virus that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 27Kb in length, written in Microsoft Visual C++.

The infected messages have the following fields:

From: main@world.com
To: You
Subject: All people!!
Attachment: 11september.exe

Message text: Dear ladies and gentlemen! The given letter does not contain viruses, and is not Spam. We ask you to be in earnest to this letter. As you know America and England have begun bombardment of Iraq, cause of its threat for all the world. It isn't the truth. The real reason is in money laundering and also to cover up traces after acts of terrorism September, 11, 2001. Are real proofs of connection between Bush and Al-Qaeda necessary for you? Please! There is a friendly dialogue between Bin Laden and the secretary of a state security of USA in the given photos. In the following photo you'll see, how FBI discusses how to strike over New York to lose people as much as possible. And the document representing the super confidential agreement between CIA and Al-Qaeda is submitted to your attention. All this circus was specially played to powder brains!! You'll find out the truth. Naked truth, instead of TV showed. For your convenience, and to make letter less, all documentary materials (photos and MS Word documents) are located in one EXE file. Open it, and all materials will be installed on your computer. You will receive the freshest and classified documents automatically from our site. It isn't a virus! You can trust us absolutely. We hope, that it will open your eyes on many things occurring in this world.

The worm activates from an infected email only if a user clicks on the attached file. The worm then installs itself to the system and runs its spreading routine.

Installing

While installing, the worm copies itself to the Windows system directory with the "synchost1.exe" name and registers that file in the system registry auto-run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ICQ1 = %SystemDir%\synchost1.exe

The original file is then deleted.

Spreading

To get victim emails the worm connects to MS Outlook and sends messages to all addresses found in Outlook address book. It also gets to WAB file(s) and reads victim emails from there.

To send infected messages the worm uses a direct connection to the SMTP server "mail.ru".

Other

The worm also sends two notification messages to its "master". One notification is sent before spreading (see above); the second message is sent just after the spreading routine. These two messages are sent to three addresses:

connectionICQ@mail.ru
Icq_Premium@mail.ru
PremiumServ@mail.ru

They have the following subjects:

message1: Otchet from user
message2: Otchet2 from user

The message body contains the list of victim emails and the full name of the worm's EXE file.
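
A mail-filter and host check built from the indicators in the KAV description above, as an added example that is not part of the original thread or of KAV's write-up. The function names, the sample messages and the registry export line (including its Windows path) are constructed for illustration; only the sender, subject, attachment name, Run value name and file name come from the description.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the KAV description quoted above.
CHET_FROM = "main@world.com"
CHET_SUBJECT = "All people!!"
CHET_ATTACHMENT = "11september.exe"  # compared case-insensitively
CHET_RUN_VALUE = ("icq1", "synchost1.exe")  # Run value name, file name

def match_mail(raw: bytes) -> list:
    """Return which Chet message indicators appear in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if CHET_FROM in str(msg.get("From", "")).lower():
        hits.append("from")
    if str(msg.get("Subject", "")).strip() == CHET_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() == CHET_ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def match_run_key(reg_export: str) -> bool:
    """True if a .reg-style export of the HKCU Run key has ICQ1 -> ...synchost1.exe."""
    for line in reg_export.splitlines():
        name, sep, data = line.partition("=")
        name = name.strip().strip('"').lower()
        data = data.strip().strip('"').lower()
        if sep and name == CHET_RUN_VALUE[0] and data.endswith(CHET_RUN_VALUE[1]):
            return True
    return False

def _sample(sender: str, subject: str, filename: str) -> bytes:
    """Build a constructed message carrying a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "you@example.org", subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

# Constructed samples: one matching the described message, one unrelated.
SAMPLE_WORM = _sample("main@world.com", "All people!!", "11September.exe")
SAMPLE_CLEAN = _sample("alice@example.org", "Minutes", "minutes.txt")
SAMPLE_REG = '"ICQ1"="C:\\\\WINDOWS\\\\SYSTEM\\\\synchost1.exe"'  # constructed path
```

The attachment name is compared case-insensitively because the thread shows it both as "11September.exe" and "11september.exe".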

Randy Bell
Premium Member
join:2002-02-24
Santa Clara, CA

said by I-Worm.Chet:
It isn't a virus! You can trust us absolutely. We hope, that it will open your eyes on many things occurring in this world.
Yeh, right...it'll open your eyes for sure!! :D:D:D