MS C# virus

javacool · Mar 1, 2002

From SecurityNewsPortal.com

Gigabyte, a female virus writer proves 'girl power' by writing MS C# virus
'Girl Power'... a ' spicey ' girl virus coder..
03-01-2002 3:36:40 PM CST -- By Brian McWilliams, Newsbytes

A virus writer who identifies herself as a 17-year-old girl from Belgium has released what is believed to be the first virus using Microsoft's C# programming language. According to virus researchers, the new Sharpei mass-mailing worm is also just the second piece of malicious code designed to target Microsoft's new .NET platform.

Sharpei's author, who calls herself Gigabyte and is a member of a virus writing group named Metaphase, posted a copy of the code at her Web site Monday. In an online interview today, Gigabyte said she wrote the worm to prove a social point as well as a technical one. "I want to let people (and especially guys) know there ARE girls out there who like computers and for more than games. I think that's quite important ... for all girls out there who know something about computers but are surrounded by guys who think they're all stupid,"...
Click to expand...

Catch the article here: http://www.securitynewsportal.com/c...i?database=JanH.db&command=viewone&id=55&op=t

javacool · Mar 1, 2002

Full report from Newsbytes.com:

Girl Power's Point Of Virus Written In Microsoft's C#

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
01 Mar 2002, 11:05 AM CST

A virus writer who identifies herself as a 17-year-old girl from Belgium has released what is believed to be the first virus using Microsoft's C# programming language.

According to virus researchers, the new Sharpei mass-mailing worm is also just the second piece of malicious code designed to target Microsoft's new .NET platform.

Sharpei's author, who calls herself Gigabyte and is a member of a virus writing group named Metaphase, posted a copy of the code at her Web site Monday.

In an online interview today, Gigabyte said she wrote the worm to prove a social point as well as a technical one.

"I want to let people (and especially guys) know there ARE girls out there who like computers and for more than games. I think that's quite important ... for all girls out there who know something about computers but are surrounded by guys who think they're all stupid," she said.

According to an analysis of Sharpei by anti-virus firm Symantec, when the worm infects a system it first checks to see if the .NET framework is present, and if so it will infect executable files in the Microsoft Intermediate Language (MSIL) portable executable format that are located in the Windows directory and some sub-directories of the Program Files directory.

If the .NET framework is not present, the worm will merely mail itself to all contacts in the victim's Microsoft Outlook address book.

On an infected system, Sharpei will pop up a box saying "You're infected with Win32.HLLP.Sharp, written in C#, by Gigabyte/Metaphase."

As virus researchers often do when naming viruses, Symantec has intentionally snubbed the author by assigning Sharpei a name after the breed of wrinkly-faced dogs. An alternative name given to the virus by anti-virus firm F-Secure is Blunt.

Last month, the Donut virus captured computer industry's attention for being the first to target Microsoft's new platform for building XML-based Web and application services.

The work of a Czech virus writer known as Benny, Donut was rated a low risk for spreading because it lacked a mass-mailing component and instead needed to be sent directly to a victim or downloaded from the Internet.

While it has not yet been reported in the wild, Sharpei goes beyond its proof-of-concept predecessor and appears designed to spread by e-mail. As a result, it has been assessed a higher level 2 risk-rating from anti-virus firm Symantec.

Using a hackneyed "social engineering" technique for convincing recipients to click the attached executable, Sharpei arrives in a message with the subject line "Important: Windows update." The e-mail bears an attachment, MS02-010.exe, which follows a convention used by Microsoft for naming its security bulletins.

The message body states: "Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it."

In the interview, Gigabyte denied that she intended for the worm to spread.

"(C#) ain't the language to use when you want it to go (in the wild). Especially not now, too few people have win XP or the .Net framework installed," she said.

According to Symantec, Sharpei attempts to hide its mass-mailing activity by deleting the sent messages from Outlook's Sent folder. The worm also deletes the Visual Basic program used to perform the mass-mailing.

Symantec confirmed that Sharpei successfully infected .NET files on a test system. When infected executable are run, the virus begins the mass-mailing routine again and looks for other files to infect.

Gigabyte is also the author of an earlier virus known as Parrot which masquerades as a screen saver and displays a message box on infected systems that includes offensive text about Graham Cluley of anti-virus firm Sophos.

When asked in the interview why she targeted Cluley, Gigabyte said it was because "he's a sexist" and because Cluley has posted messages in virus newsgroup forums stating that "female virus writers ... can't code" she said.

Cluley was not immediately available for comment. In a 1998 posting to the alt.comp.virus newsgroup, Cluley stated that "there are few (if any) female virus writers."

Symantec's description of Sharpei is at http://www.sarc.com/avcenter/venc/data/w32.hllp.sharpei@mm.html .

Gigabyte's site is http://www.coderz.net/gigabyte/index.html .

Reported by Newsbytes, http://www.newsbytes.com .

11:05 CST

(20020301/WIRES ONLINE, LEGAL, PC/EWORM/PHOTO)

© 2001 The Washington Post Company
Click to expand...

Link to article: http://www.newsbytes.com/news/02/174895.html.

FanJ · Mar 4, 2002

W32/Sharp-A

Name: W32/Sharp-A
Aliases: W32/Sharpie@mm
Type: Win32 executable file virus
Date: 4 March 2002

At the time of writing Sophos has received no reports from users affected by this virus. However, we have issued this advisory following enquiries to our support department from customers.

Description:

W32/Sharp-A is a virus that arrives in an email message with the following characteristics:

Subject: Important: Windows update
Message body: Hey, at work we are applying this update because it makes Windows over 50% faster and more secure. I thought I should forward it as you may like it.
Attachment: MS02-010.EXE

When W32/Sharp-A is executed it copies itself to C:\MS02-010.EXE
and drops and executes sharp.vbs in the current directory. This file is detected as VBS/Sharp-A. The script sends the email described above to everyone in the Outlook address book.

If the virus detects the Microsoft .NET runtime, it drops and executes the file cs.exe in the Windows directory. This file infects .EXE files with W32/Sharp-A and creates the file sharp.vbs in the Windows startup folder. This file merely displays a message box with the title "Sharp" and the text

"You're infected with Win32.HLLP.Sharp, written in C#, by Gigabyte/Metaphase"

The virus also creates the registry key HKLM/Software/Sharp
which contains the name of the viral file which was run.

Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32sharpa.html

Log in or Sign up

MS C# virus

javacool BrightFort Moderator

javacool BrightFort Moderator

FanJ Guest

Log in or Sign up

MS C# virus

javacool BrightFort Moderator

javacool BrightFort Moderator

FanJ Guest

Useful Searches