#1
  1. An Ominous Coward
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jan 2002
    Posts
    4,425
    Rep Power
    0

    Exclamation Warning: Patch256.exe (Likely Virus)


    I have received an e-mail with the attached file "patch256.exe". The e-mail claims to be from "MS Network Security Section" and appears to be from a spoofed e-mail address (gzgqvxmflv_632167@iPEIRCM.com). The text of the e-mail can be had here.

    I am unfamiliar with this particular virus/hoax. Can anyone confirm this is new?

    I am without my Linux box, so I cannot do anything with this file. If anyone wants me to e-mail a copy of it to them, PM me with the e-mail address.
    Last edited by Ctb; September 10th, 2003 at 05:51 PM.
  2. #2
  3. Perl Hacker turned Farmer
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Aug 2003
    Location
    Idaho Boondocks
    Posts
    1,466
    Rep Power
    86
    A few things that stand out about the text of the email.

    A) Microsoft never mails out security advisories with attached patches.

    B) Whenever Microsoft releases a patch, they provide a direct link to their site that contains specific details about the patch and what it fixes. This is missing.

    C) Though much better than most, the grammar in this text is not entirely correct - almost always a dead give away.

    Gonna PM Ctb for the file and will run it through the virus scanner.
  4. #3
  5. No Profile Picture
    Grumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,430
    Rep Power
    4539
    I just got an email from my ISP support warning about a couple new viruses that are rumored to be released tomorrow 9/11

    Maybe you are a beta?

    As raklet said, MS will never send around an executable via email.
  6. #4
  7. An Ominous Coward
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jan 2002
    Posts
    4,425
    Rep Power
    0
    Raklet -

    Sent you a forward of the whole e-mail. Note the Return-Path: in the headers appears to be a valid e-mail address at tijd.com

    I've posted this to a MS Security Forum just in case it is new... but I'm hoping I'm wrong or tomorrow could be a veeerrryyyy bad day for me.
  8. #5
  9. Perl Hacker turned Farmer
    Devshed Beginner (1000 - 1499 posts)

    Join Date
    Aug 2003
    Location
    Idaho Boondocks
    Posts
    1,466
    Rep Power
    86
    The file is a virus.

    W32.Gibe.B@mm

    Quick summary from Symantec with link to follow:

    Wild: Low
    Damage: Low
    Distribution: High

    Payload is large scale emailing

    Displays a fake message claiming to be from Microsoft.

    Copies itself to multiple system and registry locations.

    Can spread through email, Kazaa, mIRC, and mapped network drives.

    Can be removed through virus scan. Doesn't appear to need special removal tool.

    Full Details:

    http://securityresponse.symantec.com...gibe.b@mm.html
  10. #6
  11. An Ominous Coward
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jan 2002
    Posts
    4,425
    Rep Power
    0
    Excellent work - thanks raklet!

    I don't worry about recognized viruses because I rarely get a Windows virus in my e-mail, but I didn't recognize this one right away. Normally, that means it's new or it's distribution is on the rise. I guess I just got a false alarm on that one.

    As for 9/11, I'd expect a new round of SoBig to take off tomorrow. The current version expired today.

IMN logo majestic logo threadwatch logo seochat tools logo