Re: Possible Trojan/Virus: while.com.

From: John Sage (jsage@finchhaven.com)
Date: 11/26/01 

Message-ID: <3C027FF3.6060102@finchhaven.com>
Date: Mon, 26 Nov 2001 09:46:27 -0800
From: John Sage <jsage@finchhaven.com>
To: "Jay D. Dyson" <jdyson@treachery.net>
Subject: Re: Possible Trojan/Virus: while.com.

Jay:

Just to take one word ("Attune") out of the excerpt, and do a google
search on it, I found:

http://www.aveo.com/support/index.htm#about1

To quote:

"What is Attune?

Attune is a revolutionary service that provides you with targeted
Intelligram messages, These can give you messages about products,
services, or help you avoid common computer problems. Attune runs
quietly in the background and automatically updates it's Intelligrams
when you are connected to the Internet. These messages are then
displayed when needed, such as if you are about to encounter a situation
that is known to cause problems."

"How did I get Attune on my computer?

You may have received the Attune software through one of many
distribution partner companies. These companies include AskSam, Aveo
Inc., Canon Software, Corel, Cosmi, Dell Computer, E-Color, evesham,
Four Dits, GetRight, Guildhall, Hewlett-Packard, IBM, iCD Publishing,
ID4 Limited, ItsAllFreeSoftware, Kensington, Logitech, McAfee,
Paramagnus, Radiate, US Robotics, WeatherBug, WebHelp and Xoom."

So, at least "Attune" seems to be one of these wonderful new "helpers"
that run in the background on Window$ boxes, and "help" users...

"Click the "Download Attune" button to download the AttuneŽ software
(750 KB) to your PC. Please follow the on-screen download and
installation instructions. After Attune is installed, it will
automatically update itself when you are connected to the Internet with
the latest information and tips to help keep your computer system
trouble-free"

Yeah.. I'll bet...

HTH..

- John

Jay D. Dyson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hi folks,
>
> I received an unusual spam complaint from one of my users here.
> What's unusual is that I'd not heard about this payload before. While I
> haven't had time yet to give the payload more than a cursory look, my gut
> tells me the following is a trojan or worm either deliberately or
> unintentionally disseminated by an AOL user (using a forged bellsouth.net
> address). Also of import is that the user who sent this beastie was using
> Microsoft Outlook (as if that isn't a big enough warning sign).

heh..

>
> The text accompanying this apparently malicious payload is thus:
>
> - -----BEGIN EXCERPT-----
>
> It can be disabled at your discretion, although the default
> configuration is to allow updates. If you want to disable this feature,
> follow the instructions in the online help documentation under the topic
> "Turning Attune off and on".\f0\par
>
> \par
>
> You may not modify, reverse-engineer, decompile, create other works
> from, or disassemble the software. Similarly, you may not copy, modify,
> adapt or create other works based upon the Documentation.
>
> - ----- END EXCERPT -----
>
> The payload is named "while.com" (did some searching on this term
> and came up with goose-eggs). Vital statistics on the file are:
>
> Filesize : 73,728 bytes
> MD5 sum : 0cd0a719f9f91630de366c54c427a834
> Interesting bits: mshtml.dll (previously ID'd as security risk)
> TLOSS error
> SING error
> DOMAIN error
>
> (The above three items strike me as math-intensive, possibly
> indicating a cracking functionality of some type...or maybe I'm
> whistling in the dark. Like I said, this is a suspected trojan,
> not confirmed.)
>
> Anyway, with the creepy-crawlies typically associated with
> Microsoft-sired worms (use of MS Outlook, generic text, unsolicited
> payload, et cetera), I'm regarding this as a high-probability trojan/worm.
>
> Anyone interested in vivisecting this beastie can find a copy of
> it here:
>
> The file: http://www.treachery.net/~jdyson/trojans/while.com
> MD5 sum : http://www.treachery.net/~jdyson/trojans/while.com.md5
>
> Oh...and in case anyone's wondering, I've already sent off a
> letter to AOL to let them know about this.
>
> - -Jay
>
> ( ( _______
> )) )) .-"There's always time for a good cup of coffee"-. >====<--.
> C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) | = |-'
> `--' `--' `---------- Si vis pacem, para bellum. ----------' `------'
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> Comment: See http://www.treachery.net/~jdyson/ for current keys.
>
> iQCVAwUBPAHReblDRyqRQ2a9AQHg9QP+P1/9NN3JKyToZdn+ACWQE1IRGkWHwHiu
> JkMBR0xQcmB93EbBP0f1yui9g/Tl+E8ZAGvkQQd3LW665J3fnMMxoeqOnAZsjy3W
> /owQ1aUJuc6Ki7AU99KQ1gdwV0SO7zFvbNpjSwhpXwhEuj51bwkms3tfw96zRuHi
> Yj+1XeDe910=
> =MnN0
> -----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com