Kip Powick Posted May 11, 2003

I think Pierre Garneau alluded to this but there are a lot of BLUE MOUNTAIN virus infected emails going around. Here is the normal text.....

((((((Hi
I sent you an E-card from Blue Mountain.com
To view your eCard, open the attachment
If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.)))))

The trick here is that you are asked to open the attachment. If you receive a legit E-card, there is a link to "click" on that will take you to the card.....you NEVER have to open an attachment..
Guest M. McRae Posted May 12, 2003

http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.hllw.cult.c@mm.html

W32.HLLW.Cult.C@mm
Discovered on: April 02, 2003
Last Updated on: May 09, 2003 08:53:18 AM

W32.HLLW.Cult.C@mm is an email worm that has backdoor capabilities. It uses its own SMTP engine to send itself to randomly generated recipient names at these domains:
    email.com
    earthlink.net
    roadrunner.com
    yahoo.com
    msn.com
    hotmail.com

The email message has the following characteristics:
Subject: Hi, I sent you an eCard from BlueMountain.com
Message:
    Hi ,
    I sent you an eCard from Blue-Mountain.com
    To view your eCard, open the attachment
    If you have any comments or questions, please visit http:/ /www.bluemountain.com/customer/index.pd
    Thanks for using BlueMountain.com.
Attachment: BlueMountaineCard.pif

This threat is compressed with ASPack.

Also Known As: Win32.Cult.F [CA]
Type: Worm
Infection Length: 22,016 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

Virus Definitions (Intelligent Updater)*: April 02, 2003
Virus Definitions (LiveUpdate™)**: April 02, 2003
* Intelligent Updater virus definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.

Wild:
    Number of infections: 50 - 999
    Number of sites: More than 10
    Geographical distribution: Low
    Threat containment: Easy
    Removal: Moderate

Threat Metrics
    Wild: Low
    Damage: Medium
    Distribution: High

Damage
    Payload:
        Large scale e-mailing: Sends itself to randomly generated email addresses on some predefined domains
        Compromises security settings: Allows unauthorized access to the infected computer

Distribution
    Subject of email: Hi, I sent you an eCard from BlueMountain.com
    Name of attachment: BlueMountaineCard.pif
    Size of attachment: 22,016 bytes

When W32.HLLW.Cult.C@mm runs, it does the following:

Copies itself as %System%\iexplorer.exe.

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:
    sysconfig iexplorer.exe
to these registry keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
so that the worm runs when you start Windows.

If the operating system is Windows 95/98/Me, the worm registers itself as a service process so that it is not displayed in the Close Program dialog box.

Enters an IRC channel and notifies the client side. Then, W32.HLLW.Cult.C@mm waits for the commands from the remote client. The commands allow the hacker to perform any of the following actions:
    Deliver system and network information to the hacker
    Download and execute files
    Dynamically update the installed worm
    Send the worm to other IRC channels to attempt to compromise more computers
    Trigger a mass-mailing function
    Send email that contains the worm to any email address.

Mass-mailing routine
If the mass-mailing routine is activated, the worm first creates the email as:
Subject: Hi, I sent you an eCard from BlueMountain.com
Message:
    Hi ,
    I sent you an eCard from Blue-Mountain.com
    To view your eCard, open the attachment
    If you have any comments or questions, please visit http:/ /www.bluemountain.com/customer/index.pd
    Thanks for using BlueMountain.com.
Attachment: BlueMountaineCard.pif

Then, it constructs email addresses using the following format:
    [RandomSurname][RandomNumber]@[RandomDomain]

The [RandomSurname] is taken from a list of 100 hard-coded strings. Here are some samples:
    Lighthall
    Selnes
    Vittorini
    Gammons
    Raker
    McRaney

The [RandomNumber] is a random one or two digit number. In some cases, the worm may omit the [RandomNumber].

The [RandomDomain] is randomly chosen from the following strings:
    hotmail.com
    msn.com
    yahoo.com
    Roadrunner.com
    Earthlink.net
    email.com
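The lure and persistence details quoted from the Symantec write-up above can be turned into a simple indicator check. The Python below is an added example written for this thread, not code from Symantec or from any poster. The sample emails and the registry export it scans are constructed, the set of executable extensions is an assumption, and the "generated recipient" pattern is a deliberately weak signal that only corroborates another hit. It goes slightly beyond the write-up by also flagging the general case the first post describes: any e-card-themed message that arrives with an executable attachment instead of a link.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators as quoted in the Symantec write-up above.
WORM_SUBJECT = "Hi, I sent you an eCard from BlueMountain.com"
WORM_ATTACHMENT = "BlueMountaineCard.pif"
WORM_ATTACHMENT_SIZE = 22016          # "Infection Length: 22,016 bytes"
WORM_DOMAINS = {"hotmail.com", "msn.com", "yahoo.com",
                "roadrunner.com", "earthlink.net", "email.com"}
WORM_REG_VALUE_NAME = "sysconfig"
WORM_REG_DATA = "iexplorer.exe"       # look-alike of the real iexplore.exe
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")

# Assumption (not from the write-up): extensions Windows runs on double-click.
# Backs the first post's rule that a real e-card is a link, never an attachment.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}

# [RandomSurname][RandomNumber]@[RandomDomain]; far too loose to use on its own.
GENERATED_RECIPIENT = re.compile(
    r"^[A-Za-z]+\d{0,2}@(" + "|".join(re.escape(d) for d in WORM_DOMAINS) + r")$",
    re.IGNORECASE)


@dataclass
class Email:
    recipient: str
    subject: str
    body: str
    attachments: list[tuple[str, int]]   # (filename, size in bytes)


def email_indicators(msg: Email) -> list[str]:
    """Return the reasons a message looks like the Cult.C lure; [] means no hit."""
    reasons = []
    if msg.subject.strip().lower() == WORM_SUBJECT.lower():
        reasons.append("subject matches worm template")
    # "eCard" / "e-card" in subject or body marks the message as an e-card lure.
    is_ecard_lure = "ecard" in (msg.subject + " " + msg.body).replace("-", "").lower()
    for name, size in msg.attachments:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if name.lower() == WORM_ATTACHMENT.lower():
            reasons.append("attachment name matches worm")
        if size == WORM_ATTACHMENT_SIZE and ext in EXECUTABLE_EXTS:
            reasons.append("attachment size matches worm (22,016 bytes)")
        if is_ecard_lure and ext in EXECUTABLE_EXTS:
            reasons.append(f"e-card lure carries executable attachment {name}")
    # Only corroborates an existing hit: plenty of real addresses fit this shape.
    if reasons and GENERATED_RECIPIENT.match(msg.recipient):
        reasons.append("recipient fits [Surname][Number]@[Domain] generation pattern")
    return reasons


REG_KEY_LINE = re.compile(r"^\[(.+)\]$")
REG_VALUE_LINE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def persistence_indicators(reg_export: str) -> list[tuple[str, str, str]]:
    """Scan a .reg-style export for the worm's Run/RunServices autostart entry.

    Returns (key, value name, data) for every entry under a Run or RunServices
    key whose name is the worm's "sysconfig" or whose program is the look-alike
    iexplorer.exe (the genuine browser binary is iexplore.exe, without the r).
    """
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        key_match = REG_KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = REG_VALUE_LINE.match(line)
        if not (value_match and current_key
                and current_key.lower().endswith(RUN_KEY_SUFFIXES)):
            continue
        name, data = value_match.groups()
        program = data.split("\\")[-1].lower()   # basename of the autostart program
        if name.lower() == WORM_REG_VALUE_NAME or program == WORM_REG_DATA:
            hits.append((current_key, name, data))
    return hits


# Constructed samples for demonstration; none of this is captured traffic.
SAMPLE_EMAILS = [
    Email("Gammons17@hotmail.com", WORM_SUBJECT,
          "Hi ,\nI sent you an eCard from Blue-Mountain.com\n"
          "To view your eCard, open the attachment",
          [(WORM_ATTACHMENT, WORM_ATTACHMENT_SIZE)]),
    Email("alice@example.org", "Happy Mother's Day!",
          "I sent you an e-card. Follow this link to view it: https://example.org/card/123",
          []),
    Email("bob@example.org", "Your eCard is here",
          "Open the attached file to see your card.", [("card.exe", 40960)]),
]

SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"sysconfig"="iexplorer.exe"
"ExampleTool"="C:\\\\Program Files\\\\Example\\\\tool.exe"

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"sysconfig"="iexplorer.exe"
"""

if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(msg.recipient, "->", email_indicators(msg) or "clean")
    for key, name, data in persistence_indicators(SAMPLE_REG_EXPORT):
        print(f"autostart hit: {key} {name}={data}")
```

Run as a script it reports five reasons for the constructed worm message, nothing for the genuine link-based card, and one reason (executable attachment on an e-card lure) for the third message; the registry scan returns both "sysconfig"="iexplorer.exe" entries and ignores the unrelated autostart value. The exact-match checks (subject, filename, size) age quickly as a worm is repacked, so the lure-plus-executable rule and the iexplorer.exe look-alike check are the parts worth keeping.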
Pierre Garneau Posted May 12, 2003

I deleted 5 today and about the same yesterday, all BLUE MOUNTAIN.

PG
Guest Jazz Monkey Posted May 12, 2003

I recall reading about this on a site several months ago. When the attachment was launched you were asked to agree to installing something (obscure). Anyhow, the company was able to avoid being prosecuted for this because you had to agree to their "licence agreement". I don't recall all the details; however, I am trying to find that article. In the meantime, here is another post from Symantec: http://www.symantec.com/avcenter/venc/data/bluemtn.html
HHI Posted May 12, 2003

Pierre,

Yesterday was Mother's Day. Just wait until Father's Day...

Cheers,
Henry