News archive about antivirus software, virus threats, trojans
 |
May 2005
AOL and Yahoo users targeted by "Star Wars" worm -- Posted by Igor_Donchenko on Friday, May 27 2005
A new threat has been detected by the research lab of WinAntiVirus. This time it is a worm that takes advantage of the release of the new Star Wars film and targets AOL and Yahoo instant messenger users.
Jon Sakoda of IMLogic stated that in AOL's IM "the worm presents itself through an instant message containing a link that automatically triggers a malicious code download".
In the case of Yahoo users, the link leads them directly into a phishing scam: surfers are directed to an almost exact copy of the original Yahoo website, intended to trick them into giving up their log-in information.
Security experts have warned all users to remain alert to any incoming message containing links, even from known senders.
Source: http://www.winantivirus.com
 |
A Trojan digitally encrypts files and asks for a ransom -- Posted by Igor_Donchenko on Thursday, May 26 2005
PandaLabs has reported the appearance of a type of malware that encrypts files on the infected computer and then demands a fee to release them. This behaviour has rarely been seen until now, and the FBI in the United States is now alert to it.
The malware in question, Trj.PGPCoder.A, is a Trojan and, as is usual in these cases, cannot propagate by itself. Once installed on a computer it creates two registry keys: one to ensure it is run on every system startup, and a second to track the Trojan's progress on the infected computer by counting the number of files the malicious code has processed.
Once run, the Trojan embarks on its mission: to encrypt, using an encryption key, every file it finds on the computer's drives whose extension matches one listed in its code. These extensions include DOC (Microsoft Word documents), HTML (web pages), JPG (images), XLS (Microsoft Excel spreadsheets), and ZIP and RAR (two common compressed file formats).
The blackmail is completed by the Trojan dropping a text file in each directory with instructions for the victim. An email address is supplied through which users are supposed to request the release of their files after paying a ransom of $200.
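A triage check a responder would want after reading the description above, as an added example that is not part of the original report or of any vendor's tooling: it walks a directory tree looking for the two artefacts the report describes, files with the targeted extensions that no longer carry their format signature and are high-entropy, and an identical note containing an e-mail address dropped into several directories. The target-extension list is the report's; the format signatures, the entropy threshold, the sample tree the script builds and the note text are assumptions made for the demo.

```python
import hashlib
import math
import os
import tempfile
import zipfile
from collections import Counter, defaultdict

# Extensions the report says the Trojan targets (assumption: matched case-insensitively).
TARGET_EXTS = {".doc", ".html", ".jpg", ".xls", ".zip", ".rar"}
# Leading bytes a healthy file of each format carries (assumption: common signatures;
# HTML has no fixed signature and is checked for markup instead).
MAGIC = {
    ".doc": (b"\xd0\xcf\x11\xe0",),  # OLE2 compound document, also used by .xls
    ".xls": (b"\xd0\xcf\x11\xe0",),
    ".jpg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".rar": (b"Rar!\x1a\x07",),
}
SAMPLE_BYTES = 4096      # how much of each file to inspect
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext and compressed data sit near 8.0

def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path):
    """True for a targeted-extension file that lacks its format signature and is high-entropy.
    Compressed formats are high-entropy by nature, so for them the signature check does the
    discriminating; entropy catches ciphertext that replaced a text-like format."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGET_EXTS:
        return False
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if not head:
        return False
    if ext == ".html":
        signature_ok = b"<" in head[:64].lower()
    else:
        signature_ok = any(head.startswith(m) for m in MAGIC[ext])
    return not signature_ok and shannon_entropy(head) > ENTROPY_THRESHOLD

def find_ransom_notes(root):
    """Paths of small ASCII text files containing an e-mail address whose identical content
    appears in two or more directories, the drop pattern the report describes."""
    by_digest = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > SAMPLE_BYTES:
                continue
            with open(path, "rb") as fh:
                body = fh.read()
            try:
                text = body.decode("ascii")
            except UnicodeDecodeError:
                continue
            if "@" in text and "." in text.split("@", 1)[1]:
                by_digest[hashlib.sha256(body).hexdigest()].append(path)
    notes = []
    for paths in by_digest.values():
        if len({os.path.dirname(p) for p in paths}) >= 2:
            notes.extend(paths)
    return sorted(notes)

def triage(root):
    """Walk `root` and report suspected encrypted files and ransom notes."""
    encrypted = sorted(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs
                       if looks_encrypted(os.path.join(d, f)))
    return {"encrypted": encrypted, "notes": find_ransom_notes(root)}

def build_sample_tree():
    """Constructed sample data: two healthy files, two files overwritten with random bytes
    (standing in for ciphertext) and the same note dropped in two directories."""
    root = tempfile.mkdtemp(prefix="pgpcoder_triage_")
    for sub in ("docs", "photos"):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "ATTENTION.txt"), "wb") as fh:
            fh.write(b"Your files are encrypted. Mail ransom@example.invalid to get them back.\n")
    with open(os.path.join(root, "docs", "budget.xls"), "wb") as fh:
        fh.write(MAGIC[".xls"][0] + b"\x00" * 2000)          # healthy spreadsheet
    with zipfile.ZipFile(os.path.join(root, "docs", "archive.zip"), "w") as zf:
        zf.writestr("readme.txt", "plain archive contents")    # healthy archive
    with open(os.path.join(root, "docs", "report.doc"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))                     # "encrypted" document
    with open(os.path.join(root, "photos", "holiday.jpg"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))                     # "encrypted" image
    return root

if __name__ == "__main__":
    for kind, paths in triage(build_sample_tree()).items():
        print(kind, paths)
```

Run it against a suspect share or user profile instead of the sample tree by calling `triage("/path")`. The entropy test alone is not enough, since ZIP, RAR and JPEG files are high-entropy when healthy; the signature check is what separates them from ciphertext, which is why a file type without a fixed signature (HTML) needs its own rule.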
Source: http://www.pandasoftware.com
 |
FTC is to run a number of initiatives against spam -- Posted by Igor_Donchenko on Thursday, May 26 2005
Spammers tend to use unsecured computers to route millions of spam emails through them without the owner's knowledge. This also makes it hard for authorities to distinguish legitimate commercial email from spam. The FTC and its 35 partners in more than 20 countries announced Operation Spam Zombies yesterday, an initiative focused on educating Internet service providers about measures they can take to help reduce the unrelenting flow of junk e-mail. The FTC will focus on a few directions in bringing the rate of spam down, including educational and technical ones. "Computers around the globe have been hijacked to send unwanted e-mail," said Lydia Parnes, Director of the FTC's Bureau of Consumer Protection. "With our international partners, we're urging Internet Service Providers worldwide to step up their efforts to protect computer users from costly, annoying, and intrusive spam 'zombies.'" The FTC has created a Web page for this project. It includes a summary of the project, the letter that the FTC and its partners are sending to ISPs, and a list of participating agencies from around the world.
Source: http://www.winantivirus.com
 |
Beware! Terrorist virus! -- Posted by Igor_Donchenko on Tuesday, May 24 2005
Internet users already anxious about viruses have a new reason to worry: hackers have found a way to lock up the electronic documents or files on a user's computer and then demand $200 over the Internet for the digital key needed to get them back.
The hacker, contacted through the supplied address, later demands $200 for the digital keys to unlock the files.
"This is something like someone sniffing around your desk, putting your valuable documents in his safe and asking for money to get your stuff back," said Daniel Martinez, a security manager at WinSoftware Corp.
These are the risks facing Internet users, who must increasingly deal with categories of threats that include spyware, viruses, worms, phishing e-mail fraud and denial of service attacks.
In the recent case, computer users could be infected by viewing a vandalised Web site with vulnerable Internet browser software. To avoid unpleasant surprises, keep your antivirus and antispyware programs updated.
Source: http://www.winantivirus.com
 |
DoubleClick hits the records -- Posted by Igor_Donchenko on Tuesday, May 24 2005
In recent weeks the WinSoftware technical support team has seen a steady flow of requests from DoubleClick "victims": WinAntiVirus customers and Internet users worldwide asking for help getting rid of this "virus". The WinHour free live chat handled 34 related help requests, while more than 400 antivirus subscription owners mailed and called us for help. Philip Patterson, WinSoftware Senior Security Expert, draws the Internet community's attention to the fact that DoubleClick is nothing dangerous for home users: technically it is just a cookie file that is overwritten according to specific rules, and a cookie is just a text file, so there is no danger to files or system stability. On the other hand, this cookie is used by the partners of a united affiliate system, and the value DoubleClick stores is tracked by the participants in that program. Philip states that "not every person would love their own Internet activity tracked, even on a stats basis", and advises clearing that cookie and turning WinAntiVirus Instant Scan (or an equivalent technology) ON: by doing this you would not only get rid of the cookie but also see which sites try to set it.
Source: http://www.winantivirus.com
 |
A new instant messaging worm could allow hackers to take control of computers -- Posted by Igor_Donchenko on Saturday, May 21 2005
PandaLabs has reported the appearance of a new example of malware, Oscarbot.F, a worm that could allow a malicious user to take action on the infected computer, and which is designed for AOL Instant Messenger (AIM), a popular instant messaging application, especially in the United States.
This new variant of the Oscarbot family of worms has 'bot' functions, executing orders that it receives from a remote user. Once installed on a computer, this malware creates a copy of itself in the Windows system folder and edits certain registry keys to ensure that it is run as a service when the system starts up.
"The propagation of this worm follows the typical modus operandi of malware associated with instant messaging programs: once there is a connection to the Internet, it sends a message to all contacts connected to the affected computer containing a hyperlink, and from which a copy of the worm itself is downloaded or even other malware," explains Luis Corrons, director of PandaLabs. "However, in this case, propagation depends on remote orders: when the worm is run it connects to an IRC server where it receives commands ranging from the downloading and execution of files to propagation using AIM".
This new variant confirms the increasing use malware creators make of new forms of communication such as instant messaging. Other examples about which Panda Software has previously reported include Bropia and Kelvir, both of which have numerous variants. In this case there would appear to be a dual motive for this malware: as it has bot functions, the distribution of Oscarbot.F can contribute to the construction of 'botnets', which have numerous aims (typically sending spam, attacking other machines or downloading other malware) and through which the creators of the malicious code can obtain financial benefits.
Source: http://www.pandasoftware.com
 |
Vulnerability in popular VPN technology -- Posted by Igor_Donchenko on Tuesday, May 17 2005
The UK's national emergency response team, the National Infrastructure Security Coordination Centre (NISCC), has issued a security alert warning of a vulnerability in IPsec, a widely used VPN technology. The flaw could potentially allow an attacker to access encrypted communications.
The NISCC rates the vulnerability as high risk and warns organisations running VPNs that use IPsec encryption and tunnelling for remote workers that their data could be at risk.
An attack could exploit the flaw in IPsec configurations to intercept IP packets transmitted between two IPsec devices. Once packets have been intercepted, the Encapsulating Security Payload (ESP, the sub-protocol used to encrypt the information) can be altered, providing the attacker with a plaintext version of the encrypted material. Such alteration goes unnoticed only when ESP is configured to provide confidentiality without integrity protection; an integrity check would reject the modified packet.
The NISCC believes that an attacker would only have to exert 'moderate effort' to gain access to encrypted data. The detailed advisory issued by the security body contains several workarounds.
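Why an ESP packet can be "altered" at all: CBC mode, as used by ESP, lets anyone who can edit the ciphertext flip chosen bits of the decrypted packet, and only an integrity check stops it. The following is an added illustration, not the NISCC advisory's procedure or any vendor's code: it builds a tunnel-mode inner IPv4 header, encrypts it CBC-style with the IV in clear as ESP does, edits the IV and a ciphertext block the way an on-path attacker would, and shows the same edit being rejected once an HMAC integrity check value is attached. A toy Feistel block cipher built from SHA-256 stands in for AES (the malleability shown is a property of CBC, not of the cipher), and the keys, addresses and payload are made up for the demo.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16    # 128-bit blocks, as with AES-CBC in ESP
ICV_LEN = 12  # truncated integrity check value, as with HMAC-SHA1-96

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Feistel round function: keyed SHA-256 truncated to 8 bytes (toy cipher in place of AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left

def block_decrypt(key, block):
    right, left = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    return b"".join(out)

def ip_checksum(header):
    total = sum(struct.unpack("!10H", header[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    # Minimal IPv4 header. Offsets: 8 TTL, 9 Protocol, 10-11 checksum, 12-15 src, 16-19 dst.
    addr = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def esp_encrypt(key, inner_packet):
    # Confidentiality-only tunnel-mode ESP: IV in clear, then CBC ciphertext of the inner packet.
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, inner_packet)

def esp_decrypt(key, blob):
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])

def esp_encrypt_auth(key, mac_key, inner_packet):
    # ESP with integrity protection: HMAC over IV||ciphertext appended as the ICV.
    blob = esp_encrypt(key, inner_packet)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()[:ICV_LEN]

def esp_decrypt_auth(key, mac_key, blob):
    body, icv = blob[:-ICV_LEN], blob[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(mac_key, body, hashlib.sha256).digest()[:ICV_LEN]):
        return None  # ICV mismatch: packet dropped before decryption
    return esp_decrypt(key, body)

def flip(blob, offset, mask):
    # On-path attacker's edit: XOR one byte of IV||ciphertext. Editing the IV (offset < 16) flips the same
    # bits of plaintext block 1 cleanly; editing ciphertext block k flips block k+1 and scrambles block k.
    edited = bytearray(blob)
    edited[offset] ^= mask
    return bytes(edited)

# Constructed demo keys, addresses and payload (assumptions, nothing from the advisory).
KEY = hashlib.sha256(b"demo SA encryption key").digest()
MAC_KEY = hashlib.sha256(b"demo SA integrity key").digest()
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 6, 12) + b"hello world!"  # 32 bytes = two blocks
ATTACKER = bytes([192, 0, 2, 66])

def attack_protocol_field():
    # Flip Protocol (offset 9, block 1) from TCP (6) to UDP (17) by editing the IV: no collateral damage.
    return esp_decrypt(KEY, flip(esp_encrypt(KEY, INNER), 9, 6 ^ 17))

def attack_destination():
    # Rewrite the destination address (offsets 16-19, block 2) by editing ciphertext block 1.
    blob = esp_encrypt(KEY, INNER)
    for i in range(4):
        blob = flip(blob, BLOCK + i, INNER[16 + i] ^ ATTACKER[i])
    return esp_decrypt(KEY, blob)

def attack_with_integrity():
    # The same Protocol flip against an SA that authenticates ESP: returns None (rejected).
    return esp_decrypt_auth(KEY, MAC_KEY, flip(esp_encrypt_auth(KEY, MAC_KEY, INNER), 9, 6 ^ 17))
```

In the demo the inner header checksum (offsets 10 to 11, also inside block 1) is left inconsistent, so a receiving IP stack would discard the edited packet; how the advisory's attacks turn such edits into an actual plaintext leak is not reproduced here. The point is narrower: with confidentiality-only ESP, nothing in IPsec processing notices the change, whereas the authenticated variant rejects the packet before decryption. That is the configuration check to make on any IPsec VPN: ESP with an integrity algorithm (or AH alongside ESP), never ESP with encryption alone.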
 |
Panda Software's weekly report on viruses and intruders -- Posted by Igor_Donchenko on Tuesday, May 17 2005
This week's report on viruses and intruders focuses on three worms (Mytob.CX, Mytob.CU and Sdbot.DKE), two Trojans (Whiter.F and Kelvir.AS), a vulnerability (MS05-024) and a hacking tool (QuickKeylog).
Mytob.CX and Mytob.CU are two members of the Mytob family of worms, of which over 100 variants have been set loose in the last few months. These two malicious codes are email worms with backdoor characteristics which, once installed, connect to an IRC server and wait for instructions to carry out actions on the affected computer, such as deleting, downloading or running files. Like other members of the family, these worms shut down processes belonging to certain security applications and prevent users from accessing various web addresses, mainly sites related to IT security.
Sdbot.DKE is a worm with backdoor characteristics which, as is usually the case with bot-type malware, allows hackers to gain remote access to the affected computer, in this case through its own IRC server. The worm accepts remote control commands, such as launching denial of service (DoS) attacks against websites. To propagate, Sdbot.DKE uses known vulnerabilities in operating systems and shared resources that are unprotected or protected with weak passwords. This worm is also distributed by the Trojan Kelvir.AS.
Kelvir.AS is one of the new Trojans that spread through instant messaging programs by sending a message to all the addresses in the affected user's contact list. This message includes a link that points to a web address which, in turn, downloads a copy of the worm Sdbot.DKE. Kelvir.AS does not spread by its own means, but needs manual intervention to reach affected computers. The means of transmission used include floppy disks, CD-ROMs, e-mail messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Although included in this report, QuickKeylog is not malicious code but a tool reported to have been used for unlawful purposes. QuickKeylog is a legitimate and useful tool whose functionality has made it subject to malicious use by hackers: it logs the keystrokes entered by the affected user and stores them in a hidden, encrypted file accessible only to the user who installed it.
The war of malware creators against software and music piracy seems to continue with Whiter.F, an extremely harmful Trojan which deletes all of the files on the hard disk of the affected computer. Once installed, Whiter.F creates a text file called WXP in the root directory of the targeted computer and replaces all the files on the hard drive with the file it has created. This file contains the phrase "You did a piracy, you deserve it". Finally, the Trojan completely removes all of the files on the hard drive so that, even if the user attempts to recover the hard drive data using a special tool, the files recovered will be copies of the file WXP.
We will finish today's report with the MS05-024 vulnerability, an important security flaw which affects Windows 2000 computers and could allow hackers to gain remote control of the affected computer with the same privileges as the user who originally logged on to it. MS05-024 is exploited by creating a malicious file and tricking users into connecting to the folder that contains it and previewing it through Windows Explorer. It is recommended to update your operating system with the corresponding security patch to avoid potential infections.
Source: http://www.pandasoftware.com
 |
An extremely damaging Trojan revives the war against software and music piracy -- Posted by Igor_Donchenko on Tuesday, May 17 2005
Malware creators seem to have started a battle against piracy on the Internet. After recently reporting the appearance of the Nopir worms, whose aim is to delete all of the MP3 and COM files from the computer, leaving a message for the user of the affected computer, PandaLabs now reports that a Trojan called Whiter.F has emerged, which deletes all the files from the hard disk of the affected computer.
This new malware variant, like most Trojans, cannot spread on its own. It spreads through traditional media such as floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Once installed on a computer, it creates a text file called WXP in the root directory of the user's computer. This file contains the phrase "You did a piracy, you deserve it", similar to the threats made by the creator of the Nopir worm.
Then the Trojan replaces all the files on the hard drive with the text file it has created, and then completely removes them, causing the affected computer to stop functioning. For this reason this Trojan is considered extremely damaging. Furthermore, even if the user attempts to recover the hard drive data using a special tool, the files recovered will be copies of the file carrying the message described above.
Source: http://www.pandasoftware.com
 |
Top Ten viruses and spyware most frequently detected by Panda ActiveScan in April -- Posted by Igor_Donchenko on Tuesday, May 3 2005
As it does every month, Panda Software has published a list of the ten viruses most frequently detected during April by its online anti-malware solution, Panda ActiveScan. A new version of this tool, which also detects spyware, has recently been made available to users. Based on data collected from this application, Panda Software has also published the Top Ten of the most frequently detected spyware last month.
Malware activity during April was largely split between Trojans and worms, although interestingly the most widespread example of malware was neither of these, but an exploit used by a family of Trojans, Exploit/Mhtredir.gen, which attempts to exploit an Outlook Express vulnerability reported by Microsoft in its security bulletin MS04-013. This exploit has regularly appeared in the ranking since it first emerged in August last year.
The rest of the classification is made up of four Trojans, four worms and a backdoor Trojan. In particular, Netsky.P is worth mentioning: this is an email worm that also spreads through P2P programs and exploits a vulnerability in Internet Explorer (Exploit/Iframe). The notable prevalence of Trojans over the last few months has continued this month, in line with the recent trend of financially motivated attacks reported repeatedly by Panda Software of late.
The complete list of viruses, worms and Trojans is as follows:
| Virus Name | Percentage |
| Exploit/Mhtredir.gen | 3.06% |
| W32/Netsky.P.worm | 2.44% |
| Trj/Qhost.AF | 2.18% |
| Trj/Shinwow.E | 2.02% |
| W32/Sdbot.ftp | 1.82% |
| W32/Gaobot.gen.worm | 1.11% |
| Trj/Downloader.BSU | 1.05% |
| W32/Bagle.CA.worm | 1.05% |
| Trj/Citifraud.A | 1.02% |
| Bck/Small.HI | 0.99% |
In addition to the ranking above, there is also a classification of infections by spyware, which is without doubt the threat that has flourished most over recent months. Spyware is a type of malware designed to gather data about users' Internet habits, which is then sent to the creators of the malware or sold on to third parties, normally spammers.
In many cases spyware is associated with forms of adware, which modify browser settings to redirect users to certain websites or cause pop-up adverts to appear.
"Very often the full magnitude of the threat of spyware is not appreciated", explains Luis Corrons, director of PandaLabs. "The real problem with this type of malware is that in addition to the damage it can cause, which is significant, it steals information, examines users' Internet habits and can be an entry point for other types of annoying malware such as adware and dialers, as many types of spyware can download other threats from the Internet."
The classification of the most widespread spyware over the last month is as follows:
| Name | Percentage |
| Spyware/ISTbar | 3.97% |
| Spyware/New.net | 3.71% |
| Spyware/Cydoor | 3.46% |
| Spyware/BetterInet | 3.37% |
| Spyware/Altnet | 2.52% |
| Spyware/Dyfuca | 1.14% |
| Spyware/Petro-Line | 0.9% |
| Spyware/MarketScore | 0.8% |
| Spyware/Aveo-Attune | 0.38% |
| Spyware/YourSiteBar | 0.35% |
ISTbar, like others in the ranking, displays the typical behaviour of this kind of malware: the spyware is installed on victims' computers without their consent (camouflaged as an ActiveX control) and, in turn, installs other similar types of malware: spyware, adware and dialers. Additional functions include displaying pornographic pop-ups, installing a toolbar and changing the browser home page.
Source: http://www.pandasoftware.com
 |
New worm Sober.V offers free tickets to the FIFA World Cup 2006 in Germany to trick users with social engineering -- Posted by Igor_Donchenko on Tuesday, May 3 2005
The new variant V of the Sober worm (Sober.V) has begun spreading and infecting computers in the US, Germany, Austria and Switzerland. It claims to be sent by the football organisation FIFA and to give users free tickets to the FIFA World Cup 2006 in Germany. The worm distributes itself using its own SMTP engine, in English or in German, choosing the language according to the domain and country of the address it is sent to. Sober.V sends itself to all the addresses it has gathered from the infected computer.
The worm, which uses social engineering to deceive users, arrives from a forged address whose local part is chosen from one of the following: Admin, Hostmaster, Info, Postmaster, Register, Service or Webmaster. Sober.V also avoids sending messages to addresses whose domain contains certain strings. The subject is chosen from the German or English list below:
| German subject | English subject |
| Glueckwunsch: Ihr WM Ticket | mailing error |
| Ich bin's, was zum lachen ;) | Re: |
| Ihr Passwort | Registration Confirmation |
| WM Ticket Verlosung | Your email was blocked |
| WM-Ticket-Auslosung | Your Password |
Source: http://www.pandasoftware.com
 |
Panda Software weekly report on viruses and intruders -- Posted by Igor_Donchenko on Monday, May 2 2005
This week's report on viruses and intruders looks at the Kedebe.B and Nopir.A worms, as well as the Bancos.NL Trojan.
Kedebe.A is an email worm whose main danger lies in the fact that it leaves systems defenceless against attacks from other malware. This malicious code spreads as an attachment to emails with variable characteristics, as both the subject and the message text are selected from a predefined list of options.
If a user runs a file containing Kedebe.A, it generates two files on the system. One of these contains a copy of the worm, while the other is a text file that reads: "Properly infected. Kill those fools, Mydoom-er and Bagle-r!! They're DEAD!! EthioLove.X!!".
Kedebe.A terminates memory processes belonging to security and antivirus applications. It also modifies the HOSTS file to prevent access to several web pages related to IT security, and makes an entry in the Windows registry to ensure it is run on every system start-up.
Nopir.A is designed to spread across P2P networks, deleting files with COM and MP3 extensions that it finds on the computer. For this reason some media sources have dubbed it an "anti-pirate" worm, but really it is a dangerous type of malware that can cause serious damage to systems: it prevents systems running Windows 2003/XP/2000/NT from starting up, as it deletes the NTDETECT.COM file.
If a user runs a file containing Nopir.A, an 'anti-pirate' image is displayed on screen. At the same time, it disables the Windows registry editor, the task manager and the control panel. To spread, Nopir.A uses the eMule file-sharing program: it generates a file called ANYDVD 5.1.0.1 CRACK+KEYGEN BY RAZOR.EXE in the folder of this program, which other users can download to their computers without realising that it really contains a copy of Nopir.A.
Finally, the Bancos.NL Trojan is designed to intercept confidential data from the clients of more than 2,500 bank portals. This Trojan cannot spread under its own steam and needs third parties to intervene manually, using traditional propagation methods such as floppies, CDs, Internet downloads, email, FTP transfers, P2P networks, etc.
Once a user runs a file containing the Trojan, it installs itself on the system as MSCVC.EXE and starts to monitor the user's Internet activity, waiting for a connection to one of the 2,500 Internet addresses listed in its code. When this happens, it logs the information entered by the user: credit card details, account numbers, passwords, etc. This information is sent to a server where it can be collected by cyber-crooks.
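A check for the HOSTS-file tampering mentioned here and in the Mytob paragraph of the previous weekly report (worms cutting off access to security vendors' sites), as an added example that is not part of Panda's report: a small parser for the Windows HOSTS file format and a rule that flags any watched security domain the file maps anywhere, distinguishing sinkholed entries (loopback or 0.0.0.0) from redirected ones and reporting malformed addresses rather than skipping them. The sample file contents and the watchlist of vendor domains are constructed for the demo.

```python
import ipaddress

# Constructed sample HOSTS file: two legitimate loopback entries, an intranet host, and the kind
# of lines the worms described above add to cut off security vendors (the vendor hostnames are
# illustrative assumptions, not entries taken from any sample).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.com   # our own entry
127.0.0.1       www.pandasoftware.com update.symantec.com
0.0.0.0         sophos.com
192.0.2.10      liveupdate.symantec.com   # redirected, not sinkholed
not-an-ip       www.sophos.com
"""

# Domains a responder cares about (assumption: the list a team maintains for its own vendors).
WATCHLIST = ("pandasoftware.com", "symantec.com", "sophos.com", "microsoft.com")

def parse_hosts(text):
    """Yield (line_number, address_string, [hostnames]) for every entry line.
    Inline '#' comments are stripped; blank and comment-only lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        yield lineno, parts[0], parts[1:]

def _watched(host, watchlist):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)

def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (line_number, address, hostname, reason) for every watched hostname the file maps.
    A watched name mapped to loopback or the unspecified address is 'blocked' (updates and vendor
    sites silently fail); mapped to any other address it is 'redirected'; an unparseable address
    is reported as 'malformed' so that it is not silently ignored."""
    findings = []
    for lineno, addr, hosts in parse_hosts(text):
        for host in hosts:
            if not _watched(host, watchlist):
                continue
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append((lineno, addr, host, "malformed"))
                continue
            reason = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((lineno, addr, host, reason))
    return findings

if __name__ == "__main__":
    for lineno, addr, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr} ({reason})")
```

To run it against a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) and pass the contents in place of `SAMPLE_HOSTS`; an empty result list from a file that should contain only the localhost lines is the expected clean state.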
Source: http://www.pandasoftware.com
 |
Top ten viruses and hoaxes reported to Sophos in April 2005 -- Posted by Igor_Donchenko on Monday, May 2 2005
Sophos, a world leader in protecting businesses against spam and viruses, has published a report revealing the top ten viruses and hoaxes causing problems for businesses around the world during the month of April 2005.
The report, compiled from Sophos's global network of monitoring stations, shows that Zafi-D, which first appeared at the end of 2004, continues its reign at the top of the list for the fifth month running, accounting for 46.6% of all reports. Only one new threat - Mytob-Z - has managed to break into the chart for April, appearing in seventh place.
The top ten viruses in April 2005 were as follows:
| Position | Last month | Virus Name | Percentage of reports |
| 1 | 1 | W32/Zafi-D | 46.6% |
| 2 | 2 | W32/Netsky-P | 20.6% |
| 3 | 3 | W32/Zafi-B | 4.5% |
| 4 | 5 | W32/Netsky-D | 4.5% |
| 5 | 6 | W32/Netsky-Z | 2.5% |
| 6 | 7 | W32/Netsky-B | 2.4% |
| 7 | New | W32/Mytob-Z | 1.3% |
| 8 | 8 | W32/MyDoom-O | 1.2% |
| 9 | 9 | W32/Netsky-C | 1.1% |
| 10 | 10 | W32/Netsky-Q | 1.0% |
| | | Other malicious programs | 14.3% |
"Old viruses are still taking advantage of poorly protected computers in April," said Carole Theriault, security consultant at Sophos. "The Zafi family of viruses accounts for over 50.0% of all the viruses reported to Sophos in the last month. Perhaps the success of these worms lies in their ability to spread in multiple languages, catching out unwary users all over the world. Users should not only be suspicious of unsolicited email in any language, they should also be ensuring up-to-date anti-virus protection is in place to thump this virus family on the head."
"Although Mytob-Z only accounts for a small percentage of the top ten reports, it is the only new worm that has managed to break into the stronghold of old threats," continued Theriault. "First sighted in mid-April, Mytob-Z is a nasty piece of work - not only does it spread ferociously, but it plants a backdoor Trojan horse which can be used by remote hackers to gain access and control over a victim's computer. The computer can then be spied upon or used to send spam or launch denial of service attacks."
Sophos analysed and protected against 1146 new viruses in April. The total number of viruses Sophos now protects against is 103,269. Sophos research shows that 2.2%, or one in 46 emails, circulating during the month of April were viral. This figure is slightly lower than last month when 1 in 38 emails were viral.
In order to minimise exposure to viruses, Sophos recommends that companies deploy a policy at their email gateway which blocks unwanted executable attachments from being sent into their organisation from the outside world. Companies should also run up-to-date anti-virus software, firewalls and install the latest security patches.
The top ten hoaxes reported to Sophos during April 2005 are as follows:
| Position | Hoax | Percentage of reports |
| 1 | Hotmail hoax | 22.9% |
| 2 | Meninas da Playboy | 10.4% |
| 3 | Bonsai kitten | 7.9% |
| 4 | A virtual card for you | 5.1% |
| 5 | Jamie Bulger | 4.4% |
| 6 | WTC Survivor | 4.2% |
| 7 | Mobile phone hoax | 3.0% |
| 8 | Bill Gates fortune | 2.8% |
| 9 | Budweiser frogs screensaver | 2.6% |
| 10 | Applebees Gift Certificate | 2.1% |
| | Others | 34.6% |
"While the Hotmail hoax maintains its dominance, there are a couple of re-entries to the chart this month," said Theriault. "The mobile phone hoax, first seen in 2000, spreads via email. It is designed to dupe people into believing that answering a call where caller information is unavailable will render the mobile unusable. As ever, this hoax is nonsense, and the best response for computer users is simply to delete these messages."
Source: http://www.sophos.com