OpenBCM V1.13 (Linux)

Packet Radio Mailbox

DB0FHN

[JN59NK Nuernberg]

M1CUK  > INFO     10.11.02 00:33l 72 Lines 2586 Bytes #999 (0) @ WW
BID : 792570M1CUK
Read: DB0FHN GUEST
Subj: virus info / update
Path: DB0FHN<DB0ZWI<DB0HDF<DB0ERF<DB0ROF<DB0CWS<DB0SIF<DB0MRW<DB0RGB<OE5XBL<
      OE3XSR<OK0PCC<OK0PAD<OK0PPL<RZ6HXA<SP7MGD<WB0TAX<KC7WDX<W7NTF<GB7FCR
Sent: 021109/2215Z @:GB7FCR.#16.GBR.EU #:27537 [Blackpool] FBB-7.03a $:792570M1
From: M1CUK@GB7FCR.#16.GBR.EU
To  : INFO@WW


FUNLOVE in Disguise - PE_BRID.A 

Upon execution, PE_BRID.A kills all instances of EXPLORER.EXE from memory
causing the Windows Start bar and the Desktop Icons to not display. 

It also drops five files - four of which are copies of the virus
PE_FUNLOVE.4099. The remaining file that is not a copy of PE_FUNLOVE.4099,
is an Outlook Express Email file that is used by the virus as a template
for sending email messages. 

It also adds a registry entry so that its copy executes when the infected
system is restarted.

PE_BRID.A uses its own SMTP engine to send copies of itself via email to
all addresses listed in .HTM and .DBX files of the infected system.

The addresses found are also used to spoof the FROM: field of the email
message that it sends out. This email uses a known vulnerability in
Internet Explorer-based email clients to execute the file attachment
automatically, known as Automatic Execution of Embedded MIME type. 

The dropped email message contains the executable attachment registered as
the content-type audio/x-wav. When the recipient views the infected email
message, the default application associated with audio files is opened
(typically Windows Media Player). The embedded .EXE file cannot be viewed
in Microsoft Outlook.

The email it sends contains the following: 

From: Registered Owner
Subject: Registered Organization 
Message Body: Hello,
Product Name: %Product Name%
Product Id: %Product ID%
Product Key: %Product Key%
Process List: A list of currently running processes 
Thank you. 
Attachment: README.EXE (114,687 Bytes) 

It takes the Registered Organization, Registered Owner, Product Name,
Product ID, and Product Key of the infected machine. It spawns one of
its 5 dropped files, which stays in memory and infects all files with
.EXE, .SCR and .OCX extensions. To infect, it appends the virus code at
the end of the target file. It modifies the first few bytes at the
entry point of the target file so that its virus code executes first,
before that of the file.

The file properties of the email attachment, README.EXE, indicate that
Trend Microsoft Inc developed it. Trend Microsoft Inc. is not related to
Trend Micro Inc. in any way.

-----------------------


73's 
    Trev,
    SysOp GB7FCR 
    E-Mail trev@gb7fcr.co.uk    
    Web Site http://www.gb7fcr.co.uk
    AX25 - tcp/ip - Telnet - axip - RF & Internet Linked Systems
    Located in Blackpool, Lancashire, on the North West Coast of the UK
    Message timed: 21:14 on 09 Nov 02
    Message sent using WinPack-Telnet V6.80
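The bulletin above describes the delivery trick of this worm: a PE executable attachment declared as audio/x-wav so that an Internet Explorer-based mail client opens it on view. The following is an added example, not part of M1CUK's bulletin or of the vendor write-up it reproduces, showing the mail-gateway check a practitioner would want for this class of attack: parse a message, sniff the magic bytes of every attachment, and flag any part whose declared Content-Type disagrees with what the payload actually is. The sample message (addresses, subject, the MZ-header stub and the WAV header) is constructed for the demonstration and is not the real worm's output.

```python
"""Flag attachments whose declared MIME type does not match their
magic bytes (an .EXE labelled audio/x-wav, as in the bulletin above).
Added example; the sample message below is constructed, not a capture."""
from email import message_from_bytes, policy
from email.message import EmailMessage


def sniff(data: bytes) -> str:
    """Return the MIME type implied by the first bytes of the payload."""
    if data[:2] == b"MZ":                  # DOS/PE executable header
        return "application/x-msdownload"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":  # genuine WAV file
        return "audio/x-wav"
    return "application/octet-stream"


def suspicious_attachments(raw: bytes) -> list[dict]:
    """Parse a raw RFC 822 message and report every non-text part whose
    declared Content-Type disagrees with the sniffed payload type."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        actual = sniff(data)
        if declared != actual:
            findings.append({
                "filename": part.get_filename(),
                "declared": declared,
                "actual": actual,
                "size": len(data),
            })
    return findings


def build_sample() -> bytes:
    """Constructed message mimicking the bulletin's layout: a PE stub
    declared as audio/x-wav plus one genuine WAV header as a control.
    Hypothetical addresses; no real malware involved."""
    msg = EmailMessage()
    msg["From"] = "owner@example.invalid"      # spoofed From, as described
    msg["Subject"] = "Example Organisation"
    msg.set_content("Hello,\nProduct Name: ...\nThank you.")
    # Minimal MZ/PE-looking stub: executable bytes, not a runnable program.
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav",
                       filename="README.EXE")
    # Control: a real RIFF/WAVE header declared correctly, must not fire.
    real_wav = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 24
    msg.add_attachment(real_wav, maintype="audio", subtype="x-wav",
                       filename="beep.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in suspicious_attachments(build_sample()):
        print(f"{f['filename']}: declared {f['declared']}, "
              f"payload is {f['actual']} ({f['size']} bytes)")
```

Checking the magic bytes rather than the filename or the header is what catches this trick: the client trusted Content-Type, so the gateway must not. The same check also catches the reverse case (a real executable declared as image or audio) and is cheap enough to run on every message.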