[plans] distributed.net .plan update

plans at nodezero.distributed.net
Sun Sep 24 21:00:03 EDT 2000


distributed .plan updates in the last 24 hours: 
---

bovine :: 24-Sep-2000 12:51 (Sunday) ::

We have recently discovered that a new infectious worm has recently begun
circulating throughout the Internet and includes a hidden payload of our
dnetc.exe client.  We have already discredited all stats credit for that
participant's email address.  As stated by our policies at
http://www.distributed.net/legal/policy.html and by our trojan horse
disclaimer at http://www.distributed.net/trojans.html, performing these
types of malicious activities is not condoned at all and these matters
are aggressively pursued by distributed.net.

This worm propagates by randomly selecting an arbitrary IP address and
attempting to connect to the "C" file share on that machine.  If it is
successful in accessing that share, it will copy several files into the
remote machine's "\WINDOWS\Start Menu\Programs\StartUp\" and
"\WINDOWS\SYSTEM\" directories:

+ MSxxx.EXE ~22016 bytes (size and filename varies slightly)
+ MSCLIENT.EXE 4096 bytes
+ INFO.DLL (text file log of other infected computers)
+ DNETC.EXE 186188 bytes (official release v2.8010-463-CTR-00071214)
+ DNETC.INI (containing the email address bymer at inec.kiev.ua)

Note that the presence of DNETC.EXE and DNETC.INI (but with another email
address) on a computer may potentially represent an authorized installation
of our client software, knowingly done by the owner of the machine, so it
is not reasonable to indiscriminately delete all instances of those filenames
should you find them.

Please note that the MSxxx.EXE file will vary slightly and will contain
the first numerical component of your computer's IP address and possibly
a few extra characters.  For example, the following filenames have been
encountered: MS216.EXE, MSI216.EXE, MSI211.EXE.  It has been discovered
that some instances of this worm's file are secondarily infected with the
FunLove.4099 virus, so the filesize may be slightly larger than 22016
bytes if so.

Additionally, as a part of the infection, the following line may be added
to the remote computer's \WINDOWS\WIN.INI file:

load=c:\windows\system\msxxx.exe          (filename varies)

Once either of the first two EXEs has executed once, under the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ registry key,
the following registry value may be added:

MSINIT=c:\windows\system\msxxx.exe        (filename varies)

Since the worm also executes "dnetc.exe -hide -install", there will also
be the addition of another registry value to automatically start the client
as well.  Note that the existence of that other registry value in itself
may not necessarily imply an unauthorized installation of our software by
the worm, such as if the owner of the machine had legitimately installed
our client software.

The propagation of this worm is possible solely because many Win9x computer
owners unknowingly choose to share their entire hard drives un-passworded
and with full read/write control granted.  Readers are encouraged to warn
others about the dangers of sharing directories (and full hard disks)
without strong passwords.



bovine :: 24-Sep-2000 13:19 (Sunday) ::

I have created a simple program that can be run on Win9x machines to
attempt to remove files associated with this most recent "MSINIT" worm,
as well as the VBS.Network and VBS.NetLog worms.  You can download this
utility (with full source) from the following location:
http://www1.distributed.net/~bovine/wormfree.zip


