Subject: Free Win32 API source From: Codeproject <kl@aminoprojects.com> Attachments: The_Best.scr 45 k [ application/octet-stream ]
Hello,
The attached product is send as a part of our official campaign
for the popularity of our product.
You have been chosen to try a free fully functional sample of our
product.If you are satified then you can send it to your friends.
All you have to do is to install the software and register an account
with us using the links provided in the software. Then send this software
to your friends using your account ID and for each person who registers
with us through your account, we will pay you $1.5.Once your account reaches
the limit of $50, your payment will be send to your registration address by
check or draft.
Please note that the registration process is completely free which means
by participating in this program you will only gain without loosing anything.
Don't try to run the program. Delete this email if you receive it.
The file The_Best.scr includes the following details that I can see without running it:
It is actually an executable program file; .scr files are normally recognized as "runnable" on unprotected systems. My version of Windows 2000 here seems to view the .scr file as a "screen saver", which it is not.
External resources (imported libraries and API functions) that are accessed by the program include:
KERNEL32.DLL
ADVAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
FindExecutableA
wsprintfA
InternetGetConnectedState
The layout of the file, and the content within reveals it to have been created with Microsoft Visual C++ version 6. It is probably a win32 application (vs MFC) which makes it very compact. It could perform some very dangerous activities on a computer if executed.
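Added example, not code from the original post: a small Python triage script that does what the analysis above did by hand, checking that a file is really a PE executable regardless of its .scr extension and listing which of the import names given above appear in it as strings. The sample bytes are a constructed MZ/PE skeleton carrying those names, not the real The_Best.scr.

```python
import re
import struct

# Libraries and APIs the post lists as imports of The_Best.scr. Seeing the
# network ones together in a "screen saver" is what makes the file suspicious.
SUSPICIOUS_NAMES = {
    "WININET.dll", "WS2_32.dll", "InternetGetConnectedState",
    "FindExecutableA", "LoadLibraryA", "GetProcAddress",
}

def is_pe_executable(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' header.
    The extension is cosmetic; these bytes are what make a .scr runnable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def ascii_strings(data: bytes, min_len: int = 4):
    """Yield printable ASCII runs, like the Unix `strings` tool."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")

def triage(data: bytes) -> dict:
    """Header check plus the subset of SUSPICIOUS_NAMES present as strings."""
    found = SUSPICIOUS_NAMES.intersection(ascii_strings(data))
    return {"is_pe": is_pe_executable(data), "suspicious_imports": sorted(found)}

def build_sample() -> bytes:
    """Constructed stand-in for The_Best.scr: a bare MZ/PE skeleton followed by
    the import-name strings from the post. Not the real file."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew -> offset 0x80
    hdr += b"\0" * (0x80 - len(hdr)) + b"PE\0\0"
    names = b"\0".join(n.encode() for n in [
        "KERNEL32.DLL", "WININET.dll", "WS2_32.dll",
        "InternetGetConnectedState", "FindExecutableA"])
    return bytes(hdr) + b"\0" * 16 + names + b"\0"

if __name__ == "__main__":
    print(triage(build_sample()))
```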
------------
Based on the above analysis, I have to conclude that this is a program written by a rather inexperienced "hacker" code-writer who has included "greets" to his friends on the Net in the code. It is likely that this program is an email-propagating backdoor program that takes up residence on the infected system so that its resources can be used for distributed denial of service (DDoS) attacks on various computers over the Internet. It appears that it may be able to copy itself in a variety of forms (such as .exe files instead of .scr) and may be able to craft a number of outgoing email message variants by assembling them from components of text.
As such, it is unlikely that the program will cause any damage to the infected system, since DDoS backdoor programs are most effective when they lie dormant, unintrusive and largely undetected. Only by tracing the program's execution (which is not hard to do!) will it be possible to see the central connection point for the DDoS's infected systems and the actions used to conceal the program's residency on each infected system. Some of these actions likely include modifications to the Windows registry, which, coupled with it being written in Visual C++ and having the signature Microsoft executable file format, clearly targets this at users of Microsoft Windows operating systems.
Following the threads around, it can be seen that the same application is distributed under a variety of aliases and headings, including the following:
Sample Screensavers
- Love Inc. (loverscreensavers@love.com)
Check it out
- Real Inc. (free@sexyscreensavers.com)
- Plus (sales@real.com)
Free Win32 API source
- Codeprojec (kl@aminoprojects.com)
Wanna be a HE-MAN
- Nicolas Schwarzenegga (nics@nomadic.com)
Patch for Klez.H
- Norton Antiviru (av_patch@norton.com)
Warning: this is NOT a patch from Norton; it is in fact the very same virus program. Norton would never send you a patch by email like this!
This may indicate that this virus is, in fact, the Klez.H worm. That people are still receiving it is a clear indicator that it's still going around because people are gullible/greedy/longing/whatever enough to be enticed to run attachment applications. There appear to be dozens, possibly hundreds of email addresses and headings used, but the message body always appears to be the same, so that's the tip-off! Don't be fooled!
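Added example, not part of the original thread: a Python mail-gateway check built only from the indicators the thread gives, namely the subject/sender aliases listed above, an attachment with an executable extension whatever its declared MIME type, and the observation that the body text stays the same across aliases (hashed here as a match key). The sample message is constructed from the header and opening line quoted at the top; its attachment is a two-byte stub, not the real file.

```python
import email.utils
import hashlib
import re
from email import policy

# Subject/sender pairs seen in the thread for this one attachment.
KNOWN_LURES = {
    "Free Win32 API source": "kl@aminoprojects.com",
    "Sample Screensavers": "loverscreensavers@love.com",
    "Check it out": "free@sexyscreensavers.com",
    "Wanna be a HE-MAN": "nics@nomadic.com",
    "Patch for Klez.H": "av_patch@norton.com",
}
# Extensions Windows runs on double-click, whatever the declared MIME type.
EXECUTABLE_EXTS = (".scr", ".exe", ".pif", ".com", ".bat")

def body_fingerprint(msg) -> str:
    # Body text is identical across aliases, so hash the normalised body.
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    norm = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(norm.encode()).hexdigest()

def triage_message(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    exe_attachments = [a.get_filename() for a in msg.iter_attachments()
                       if (a.get_filename() or "").lower().endswith(EXECUTABLE_EXTS)]
    known = bool(sender) and KNOWN_LURES.get(str(msg.get("Subject", ""))) == sender
    return {"executable_attachments": exe_attachments, "known_lure": known,
            "body_fingerprint": body_fingerprint(msg),
            "block": bool(exe_attachments) or known}

# Constructed sample from the quoted header and first body line; stub attachment.
SAMPLE = b"""From: Codeproject <kl@aminoprojects.com>
Subject: Free Win32 API source
Content-Type: multipart/mixed; boundary="xx"

--xx
Content-Type: text/plain

The attached product is send as a part of our official campaign
--xx
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="The_Best.scr"

MZ
--xx--
"""
```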
Grr.. actually, there are a couple other message variants:
quote:
Hello,
I just came across your email ID while searching in the Yahoo profiles.
Actually I want a true friend 4 life with whom I can share my everything.
So if you are interested in being my friend 4 life then mail me.
If you wanna know about me, attached is my profile along with some of my
pics. You can check and if you like it then do mail me.
I will be waiting for your mail.
Best Wishes,
Your Friend..
quote:
Hello,
Looking for some Hardcore mind boggling action ?
Install the attached browser software and browse
across millions of paid hardcore sex sites for free.
Using the software you can safely and easily browse
across most of the hardcore XXX paid sites across the
internet for free. Using it you can also clean all
traces of your web browsing from your computer.
Note:The attached browser software is made exclusivley
for demo only. You can use the software for a limited
time of 35 days after which you have to register it
at our official website for its furthur use.
Regards,
Admin.
quote:
This E-Mail is never sent unsolicited. If you receive this
E-Mail then it is because you have subscribed to the official
newsletter at the KOF ONLINE website.
King Of Fighters is one of the greatest action game ever made.
Now after the mind boggling sucess of KOF 2001 SNK proudly
presents to you KOF 2002 with 4 new charecters.
Even though we need no publicity for our product but this
time we have decided to give away a fully functional trial
version of KOF 2002. So check out the attached trial version
of KOF 2002 and register at our official website to get a free
copy of KOF2002 original version