News, removal tools, how to delete viruses, trojans, worms
Virus Top Twenty for May 2007 from Kaspersky Labs -- Posted by Igor_Donchenko on Tuesday, June 19 2007
| Position | Change | Name | Proactive detection flag | % |
| 1. | 0 | Email-Worm.Win32.NetSky.t | Trojan.generic | 15.31 |
| 2. | +1 | Email-Worm.Win32.NetSky.q | Trojan.generic | 14.76 |
| 3. | +1 | Email-Worm.Win32.Bagle.gt | Trojan.generic | 13.46 |
| 4. | New! | Email-Worm.Win32.Sober.aa | Hidden Install | 11.86 |
| 5. | +1 | Worm.Win32.Feebs.gen | Hidden Data Sending | 6.49 |
| 6. | +6 | Email-Worm.Win32.NetSky.aa | Trojan.generic | 5.44 |
| 7. | 0 | Net-Worm.Win32.Mytob.c | Trojan.generic | 3.33 |
| 8. | New! | Trojan-Downloader.Win32.Agent.bqs | * | 2.44 |
| 9. | +1 | Email-Worm.Win32.Scano.gen | Trojan.generic | 2.22 |
| 10. | -1 | Email-Worm.Win32.NetSky.b | Trojan.generic | 2.20 |
| 11. | New! | Virus.Win32.Grum.a | ** | 2.18 |
| 12. | +7 | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 1.63 |
| 13. | +4 | Email-Worm.Win32.LovGate.w | Trojan.generic | 1.34 |
| 14. | Return | Net-Worm.Win32.Mytob.dam | [Damaged] | 1.18 |
| 15. | Return | Email-Worm.Win32.NetSky.x | Trojan.generic | 1.17 |
| 16. | -3 | Email-Worm.Win32.Mydoom.l | Trojan.generic | 1.12 |
| 17. | Return | Exploit.Win32.IMG-WMF.y | *** | 0.99 |
| 18. | -2 | Email-Worm.Win32.Zhelatin.dam | [Damaged] | 0.72 |
| 19. | New! | Email-Worm.Win32.Warezov.ns | Invader | 0.62 |
| 20. | New! | Virus.Win32.Cheburgen.a | ** | 0.57 |
| Other malicious programs | | | | 10.97 |
* This is a downloader for Email-Worm.Win32.Warezov; it is detected as Invader.
** PDM (the Proactive Defense Module) is not designed to detect classic viruses.
*** WMF graphics file.
Source: http://www.viruslist.com
Weekly report on viruses and intruders from Panda Software -- Posted by Igor_Donchenko on Tuesday, June 5 2007
This week's PandaLabs report focuses on the Bankey.A, BankFake.A, Ketawa.A and Opticibot.A Trojans and on Braban.F, a worm that spreads through MSN Messenger.
Bankey.A and BankFake.A have similar characteristics. Both banker Trojans display a spoofed online banking screen and invite users to enter their bank details (account numbers, passwords, etc.). If users enter the information, it is immediately sent by email to the malware creators.
They differ, however, in how the data is sent. BankFake.A uses an SMTP connection over SSL/TLS on port 465, so the stolen data is encrypted in transit. Bankey.A instead sends the data to a Gmail account, formatting the message with a template built into the Trojan.
To ensure users do not suspect the fraud, once the information is stolen, the malicious codes display an error message apologizing for service disruption. To make the deceit more credible, BankFake.A redirects users to the bank's legitimate website.
Both malicious codes can be distributed by email and are installed on computers under the guise of a Windows Internet Explorer shortcut. Finally, BankFake.A is also downloaded onto computers by the Downloader.OPY Trojan.
The Ketawa.A Trojan can reach users by email or as part of an Internet download. When run, the file opens a browser window showing a joke in Indonesian, in a similar way to some spam messages.
This Trojan modifies the Windows registry to make sure it is run every time the system restarts. It also creates some hidden files and modifies registry entries to conceal the changes it makes.
Opticibot.A is a 'password stealer' Trojan which uses rootkit techniques to hide the files and registry entries it creates. This way, it tries to go undetected by security solutions.
One of these registry entries ensures that it is run on every system restart. It also tries to connect to a web page to download malware or other malicious files.
"These four malicious codes are related to the new financially-oriented malware dynamic. Trojans are ideal tools for this purpose since they allow cyber-crooks to obtain plenty of confidential data more silently than other techniques," summarizes Luis Corrons, Technical Director of PandaLabs.
The Braban.F worm spreads through MSN Messenger by sending a link to all the infected user's contacts. The link is sent together with a text in Portuguese prompting users to click on it. If they do, they will be downloading copies of the worm.
The link also redirects users to a Brazilian web page, which asks for users' consent to run a file. If they accept, they will be redirected to a page in Russian which will show a picture of a girl with a camera. While this occurs, users will be infected with the Banbra.EJX banker Trojan, the Nabload.BJG Trojan and the Braban.F worm.
Source: http://www.pandasoftware.com
Trojans and adware accounted for almost 50% of all infections in May (Panda Software report) -- Posted by Igor_Donchenko on Monday, June 4 2007
Trojans and adware were responsible for 49.8 percent of all infections detected by Panda ActiveScan in May: Trojans accounted for 26.14 percent and adware (malware designed to display advertisements) for 23.7 percent.
Last month also witnessed a slight rise in the number of attacks involving bots (3.37%) and spyware (3.03%), both of which are also used for financial gain by cyber-crooks. Similarly, backdoor Trojans accounted for 5.36 percent of all infections.
"The creators of malicious code are now almost entirely focused on spreading types of malware that can bring financial returns and as such we are seeing less of the traditional viruses or worms that were behind previous widescale epidemics," confirms Luis Corrons, Technical Director of PandaLabs.
Other types of malware such as worms and dialers accounted for 9.46 percent and 3.74 percent of all infections respectively.
As for May's malware Top Ten, first place went to MSNPhoto.A, a new MSN Messenger worm. To spread, it tries to trick users into installing it with messages alluding to the president of the USA.
| Position | Malware | Previous position |
| 1 | W32/MsnPhoto.A.worm | New |
| 2 | Trj/KillAV.FW | 2 |
| 3 | W32/Brontok.H.worm | 4 |
| 4 | JS/Downloader.NOE | 3 |
| 5 | W32/Puce.E.worm | 6 |
| 6 | Trj/Downloader.IOL | New |
| 7 | W32/Sdbot.ftp.worm | 5 |
| 8 | Trj/Agent.FCA | New |
| 9 | Trj/Dropper.UN | New |
| 10 | Trj/Downloader.OCJ | New |
KillAV.FW, a Trojan designed to steal confidential information from computers, was in second place, the same position it held the previous month. Brontok.H is still one of the most frequently detected worms and rose to third place in May. The Downloader.NOE Trojan took fourth place.
Puce.E, a worm that spreads via P2P networks, moved up one place to fifth. Next came the new Downloader.NZR Trojan, designed to download other malware onto the infected system.
Sdbot.ftp, the script that worms from this family use to download themselves via FTP, dropped two places to seventh.
The last three places are occupied by three new malicious codes: the Agent.FCA, Dropper.UN and Downloader.OCJ Trojans.
Source: http://www.pandasoftware.com
Compromised News Website Spells Lots of Trouble to Visitors -- Posted by Igor_Donchenko on Friday, June 1 2007
The number of systems exposed to the attack suddenly spiked when a post linking to an article hosted on the compromised TCSDaily website appeared on the social news aggregator site Reddit.
The malicious JavaScript makes the user's browser download and execute a Trojan, detected by BitDefender as Trojan.Downloader.Small.BIB, which is hosted on a Chinese website that is probably also compromised.
"It's a pretty simple piece of malware, but it's obfuscated, so most antivirus programs could not detect it," said Marius Tivadar, BitDefender antivirus researcher. "A drive-by download is like that - one often gets infected at first with something that is nearly innocuous and really stealthy, the kind of thing antivirus software is most likely to just ignore, but once your system is infected, all bets are off."
The Trojan downloader then fetches four more pieces of malware from the same Chinese website: a backdoor, adware, a password stealer and another Trojan, detected respectively as Backdoor.Poisonivy.M, Adware.Bho.WOX, Trojan.Pws.OnlineGames.AUD and Trojan.Agent.ADL.
Trojan.Agent.ADL in turn downloads yet more malware (detected by BitDefender as Backdoor.Hupigon.YEO) from yet another website.
"We were hot on the trail and finding new malware everywhere as the analysis proceeded," said BitDefender antivirus researcher Mihai Calota, who had been tasked with charting out the threat. "It's like diving into caves - there's always this new nook which turns out to be a passage to a new room."
Source: http://www.bitdefender.com
Weekly report on viruses and intruders from Panda Software -- Posted by Igor_Donchenko on Monday, May 28 2007
This week's PandaLabs' report focuses on Conycspa.AJ, a dangerous Trojan that downloads nine malicious codes onto computers. It also focuses on Briz.X, a Trojan that has infected more than 14,000 users, and on the MSNPhoto.A and Ridnu.D worms.
The Conycspa.AJ Trojan is designed to show adverts to users. To do so, it changes several Windows registry entries and modifies the results of online user searches. This way, it redirects users to specific web pages, mostly related to medicine.
This Trojan also connects to a specific web address from which it downloads various files. One of them is mm4839.exe, which is designed to send spam about medicines from users' computers.
It also downloads a long list of infected files from the Internet which correspond to the following malware: the MalwareAlarm adware, the potentially dangerous programs DriveCleaner, WinAntivirus2006 and PsKill.J, the Stox.A and Cimuz.EI Trojans, and the DriveCleaner, MediaPlex and DriveCleaner cookies.
"Cyber-crooks seek profit with their malware attacks. In each infection they manage to insert malicious codes on users' computers, increasing the possibility of profiting from stealing confidential data, visiting web pages that sell specific products, sending spam, hijacking computers, etc.", explains Luis Corrons.
Conycspa.AJ makes further changes to the Windows registry, one of which ensures it is run on every restart. It also registers a BHO (Browser Helper Object), which lets it record users' browsing activity.
It also modifies the Windows Firewall configuration to open a random port, and edits the win.ini file so that it is run automatically when a session is started.
Windows includes a protection called Windows File Protection (WFP), which checks that protected system files have not been corrupted or replaced and, if they have, restores the original copies from a cache folder. This Trojan changes the location of that restoration folder to one it controls. Consequently, when the operating system tries to restore a corrupted library, the file is replaced with the one planted by the Trojan. In this way, the Trojan protects its modifications and prevents the operating system from removing them.
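The persistence points described for Conycspa.AJ in the three paragraphs above (a Run key entry, a BHO, a firewall exception, a win.ini run= line and a redirected WFP cache folder) can all be checked offline from a registry export. The following Python script is an added example and is not Panda's or this page's own code: it parses a `reg export`-style text and a win.ini and flags each of these locations. The registry paths are the standard Windows XP ones (the WFP cache location is the Winlogon value SFCDllCacheDir; the firewall exceptions live under SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List); the export text, the win.ini contents, the file names and the CLSID are constructed for the example and are not indicators from the report.

```python
import re

# Constructed inputs for the example (not from a real machine or from the page).
# Backslashes are doubled inside .reg values, as `reg export` writes them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"svcupd"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svcupd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F2A3B4C-1111-2222-3333-444455556666}]
@="Search Helper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDllCacheDir"="C:\\WINDOWS\\Temp\\cache"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"31337:TCP"="31337:TCP:*:Enabled:svcupd"
"""

SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\Temp\\svcupd.exe
[fonts]
"""

# Registry locations checked (lower-cased; registry paths are case-insensitive).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
FW_PORTS_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                r"\parameters\firewallpolicy\standardprofile\globallyopenports\list")
DEFAULT_DLLCACHE = r"%systemroot%\system32\dllcache"   # WFP's default restore folder
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Map lower-cased key path -> {value name: data}; '@' is the default value.
    Only string (REG_SZ) data is decoded, which is all the checks below need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def parse_ini_section(text, section):
    """Return the key=value pairs of one INI section, names lower-cased."""
    out, active = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            active = line[1:-1].lower() == section.lower()
        elif active and "=" in line:
            k, _, v = line.partition("=")
            out[k.strip().lower()] = v.strip()
    return out


def triage(reg_text, win_ini_text):
    """Return (category, detail) findings, in the order the checks run."""
    keys = parse_reg_export(reg_text)
    findings = []
    # 1. Run key: autostart commands outside the usual install locations.
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if not cmd.strip('"').lower().startswith(TRUSTED_PREFIXES):
            findings.append(("autorun", f"{name} -> {cmd}"))
    # 2. BHOs: each CLSID is loaded into Internet Explorer and sees every page
    #    visited, so every registered one has to be accounted for.
    for path, values in keys.items():
        if path.startswith(BHO_KEY + "\\"):
            clsid = path.rsplit("\\", 1)[1]
            findings.append(("bho", f"{clsid} ({values.get('@', '<no name>')})"))
    # 3. WFP cache folder moved: files "restored" by WFP would come from that folder.
    cache = keys.get(WINLOGON_KEY, {}).get("SFCDllCacheDir")
    if cache is not None and cache.lower() != DEFAULT_DLLCACHE:
        findings.append(("wfp_cache_redirect", cache))
    # 4. win.ini [windows] run=/load=: legacy autostart lines, normally empty.
    windows_section = parse_ini_section(win_ini_text, "windows")
    for k in ("run", "load"):
        if windows_section.get(k):
            findings.append(("win_ini_autostart", f"{k}={windows_section[k]}"))
    # 5. Windows Firewall (XP SP2 layout): every globally opened port is an
    #    exception somebody added; the stored format is port:proto:scope:state:name.
    for spec in keys.get(FW_PORTS_KEY, {}).values():
        findings.append(("firewall_open_port", spec))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f"{category:20} {detail}")
```

Feed it the output of `reg export HKLM hklm.reg` and a copy of `%SystemRoot%\win.ini` taken from the suspect machine. The Run-key check deliberately uses a short allow-list of install directories rather than a blocklist: malware that copies itself into a user profile or a Temp folder stands out, while a legitimate entry in Program Files does not. The WFP check fires only when SFCDllCacheDir is present and points somewhere other than the default dllcache folder, which is exactly the change described for this Trojan.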
Briz.X has also played an important role this week. PandaLabs found a server that received confidential information stolen by this Trojan. More than 14,000 users have been affected by this variant which infects 500 computers a day on average.
Briz.X has a parser module which allows cyber-crooks to handle all the stolen information, searching for terms or IP addresses or creating filters to obtain data quickly.
MSNPhoto.A is a worm that spreads through MSN Messenger. It arrives on the computer carrying the icon of an image, but it is really an .exe file.
When run, MSNPhoto.A closes all the MSN Messenger windows the user has open and sends a message to the user's contacts, tricking them into opening a file called fotos_posse.zip, which is really a copy of the worm.
The worm also prevents Task Manager from opening, so the user cannot close MSN Messenger from there. It also tries to download several files from the Internet. Finally, it modifies the Windows registry to make sure it is run every time the system restarts.
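The disguise described above for MSNPhoto.A (an executable carrying an image icon, passed around as fotos_posse.zip) is caught by looking at file contents rather than names. The following Python script is an added example, not code from Panda or from this page: it checks whether a file's bytes carry a PE header, whether the name uses an image-then-executable double extension, and whether a .zip attachment contains a PE. The sample files are constructed inside the script (the "PE" is only a header stub, not a runnable program) and the file names are illustrative. It does not inspect the icon resource, which would need a PE resource parser.

```python
import io
import zipfile

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk"}


def is_pe(data):
    """True if the bytes start with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extensions(name):
    """All dotted suffixes of the base name, lower-cased: 'fotos.jpg.exe' -> ['.jpg', '.exe']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def classify(name, data):
    """Return the reasons a file looks like a disguised executable (empty list = nothing found)."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    # 1. Content says Windows executable, name says something else; the icon is irrelevant here.
    if is_pe(data) and last not in EXEC_EXTS:
        reasons.append("pe_with_non_executable_extension")
    # 2. Image-looking name with a trailing executable extension, e.g. fotos.jpg.exe.
    if len(exts) >= 2 and last in EXEC_EXTS and exts[-2] in IMAGE_EXTS:
        reasons.append("double_extension")
    # 3. A "photos" archive whose members are actually PE files.
    if last == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if is_pe(archive.read(info)):
                    reasons.append(f"archive_contains_executable:{info.filename}")
    return reasons


def scan(files):
    """Map file name -> reasons, keeping only files with at least one finding."""
    findings = {}
    for name, data in files.items():
        reasons = classify(name, data)
        if reasons:
            findings[name] = reasons
    return findings


# --- constructed sample inputs (not real files; the PE is only a header stub) ---
def fake_pe():
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> right after it
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, member_data in members.items():
            archive.writestr(member_name, member_data)
    return buf.getvalue()


SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,             # genuine JPEG magic
    "setup.exe": fake_pe(),                                         # honest executable
    "foto_01.jpg": fake_pe(),                                       # PE hiding behind .jpg
    "fotos.jpg.exe": fake_pe(),                                     # double extension
    "fotos_posse.zip": make_zip({"fotos_posse.exe": fake_pe()}),    # archive holding a PE
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", ", ".join(reasons))
```

The same content-over-name rule applies to the Internet Explorer shortcut guise used by the banker Trojans earlier on this page: a real .lnk starts with its own fixed header, not with "MZ", so a "shortcut" that passes is_pe is an executable. Run this on the attachment directory of a mail gateway or on a user's Received Files folder; anything that returns a non-empty reason list deserves a look before it is opened.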
"Instant messaging services like MSN Messenger, Yahoo!Messenger, AIM, etc. are increasingly used by home users and businesses. And the fact that they are so widespread has made them an excellent means of propagation for malware, which uses it to spread to as many computers as possible," explains Corrons.
Ridnu.D is the second worm in this report. Like other variants of the Ridnu family, it is characterized by displaying annoying messages: it renames "Run" to "Mr_CoolFace Has Come!", renames the "My Documents" folder to "Mr_CoolFace", and writes messages such as "Dear my princess" every time the user opens Notepad.
Ridnu.D also creates several Windows registry entries that change the appearance of the Windows Explorer taskbar and make sure it runs every time the computer is restarted.
Source: http://www.pandasoftware.com