Antivirus World
 News archive about antivirus software, virus threats, trojans 

June 2005

Virtual postcard spam delivers malware surprise -- Posted by Igor_Donchenko on Thursday, June 30 2005
Experts at SophosLabs, Sophos's global network of virus and spam analysis centers, have warned of a spam campaign that poses as virtual postcard delivery, but is really an attempt to lure innocent computer users into being infected by a Trojan horse.

The email claims that you have a virtual postcard waiting for you:

You have just received a virtual postcard from Ryan Tamares!

You can pick up your postcard at the followind web address:
http://***/postcard.html

We hope you enjoy your postcard, and if you do, please take a moment to send a few yourself!

Regards,
Best Postcards


Windows users who follow the web link visit a website which exploits vulnerabilities in Microsoft's software and installs the Clsldr-D Trojan horse onto their computer alongside other malicious code (Troj/Delf-KP, Troj/Lofler-A, Troj/Siggy-A, Troj/Webdrop-A, Troj/Small-EM, and Troj/Divo-A). Troj/Divo-A is a phishing Trojan which grabs personal details as compromised users log into online banks.

Sophos experts have intercepted hundreds of the spam messages being sent using a variety of different domain names as disguises. Computer users are urged to ensure their anti-virus software is up-to-date, that they are patched against the latest Microsoft security vulnerabilities, and to always be cautious of unsolicited emails.

"Because this email doesn't arrive with an attached file, some may believe it is harmless. But just visiting the web link on an unprotected computer puts it at risk of infection," said Graham Cluley, senior technology consultant for Sophos. "The message is simple - don't trust everything you read on the internet, and ensure you are not putting your computer and its data in danger."

"There's a very real risk that some people will think one of these emails is from a long forgotten friend or work colleague and follow the link out of curiosity," continued Cluley. "If you receive an unexpected virtual postcard it may prove wise to simply delete it."

Source: http://www.sophos.com

Virus authors continue to use extortion -- Posted by Igor_Donchenko on Thursday, June 30 2005
PandaLabs has detected the appearance of PGPCoder.B, a Trojan designed to blackmail users: it encrypts files on the computers it affects and asks the user to buy an application in order to restore them to their original state.

The new variant is more powerful than its predecessor, as it can encrypt more file types. These files include those belonging to the most widely-used applications in the Microsoft Office suite (such as Word or Outlook), and the most common compressed file formats, like zip, rar or arj. Similarly, the creator of this Trojan has slightly changed the encryption algorithm it uses.

"It is highly probable that the author of this new Trojan is the same as the creator of the original one. The biggest difference we have seen in this version, up until now, is that it affects more file types. However, as it has taken over a month for this new version to be unleashed, it is possible that the author is taking time to perfect his creation. This does not mean however, that in the meantime, other variants won't be released, to help him make ends meet," explains Luis Corrons, director of PandaLabs.

PGPCoder.B cannot propagate by itself, and therefore, it must be distributed directly by the author. This can be done through many different means: Internet downloads, FTP, storage devices, P2P file sharing networks, etc.

If the user runs the file carrying PGPCoder.B, the Trojan encrypts all files with certain extensions that it finds on the computer. It also leaves a text file, in each folder where an encrypted file was stored, containing the following message:

Some files are coded.
To buy decoder mail: md56@mail.ru
with subject: PGPcoder md56


Then it inserts several entries in the Windows Registry, indicating, for example, the number of files it has encrypted on the system. Finally the Trojan self-destructs: it creates a self-executing file which deletes PGPCoder.B from the system.

"The appearance of PGPCoder.B is yet further proof that currently the main aim of malware authors is financial gain. Bear in mind that this Trojan has been designed exclusively to make money. This, along with other types of online fraud like phishing or pharming, present a dangerous outlook for users. Our advice is to always use the appropriate security measures to protect systems, above all because not only files and computers are at risk, but also the user's bank balance," concludes Corrons.

To prevent infection from PGPCoder.B or other malicious code, Panda Software advises all users to keep their antivirus software up-to-date.

Source: http://www.pandasoftware.com

Made-to-measure attacks delivered in a Word document -- Posted by Igor_Donchenko on Friday, June 24 2005
PandaLabs reports the recent discovery of a surprising new Trojan, Sikou.A, which is extremely versatile and sophisticated and uses a Microsoft Word document to spread. This Trojan exploits a vulnerability which allows it to run arbitrary code in a large number of Microsoft Office applications.

This Trojan has been found in a Word document designed to exploit the MS03-037 vulnerability reported by Microsoft, which allows the Trojan to run as soon as the user opens the Word document. When it is run, Sikou.A installs itself. To do this, it copies itself to the system directory and installs two files, one of which contains the Trojan's functions. The other file is a driver that allows the Trojan to hide its activity from the user, making it extremely difficult to detect this malware.

When it is running and hidden, the Trojan tries to access a text file housed at a URL in the Internet, which contains another URL and a port that it must access in the next step. This file can be updated periodically by the creator of this malware, so that the locations the Trojan accesses change, making it more complicated to neutralize it.

The Trojan accesses the URL, where it can download the file that extends its functions. As it periodically accesses this URL, Sikou.A has an extremely high capacity to alter its behavior, as the creator of this malware only needs to modify this file to change the functions of the Trojans distributed.

If this file is downloaded successfully, it automatically connects to a third URL, where it receive commands to shut down the computer, collect information (financial or other personal data) or download and run files, among others. This last action could allow other types of malware, especially spyware, to get into the computer, which could then be used to steal information from the affected computer.

"As this is a Trojan (which must be distributed manually), its means of transmission and the fact that it uses a not particularly new vulnerability make us think that this could be malicious code designed to steal information from a specific computer or entity," explains Luis Corrons, director of PandaLabs. "What's more, the use of stealth techniques, its capacity to update itself and its extreme versatility that allows it to receive commands, suggest that the creator of this malware intends to leave this Trojan resident on the computer for a long time, carrying out extremely variable actions."

Recently, several attacks on companies that aim to steal information using Trojans or other malware have been reported, such as the attacks on Israeli companies (currently subject to legal proceedings). What's more, malware with customizable functions is appearing more frequently (such as the recent Rona Trojan), fuelling the idea that financial gain is now the motive for computer hackers.

Source: http://www.pandasoftware.com

Ranking of the famous people most often used to spread viruses on the Internet -- Posted by Igor_Donchenko on Tuesday, June 14 2005
The recent distribution of new malware, detected by Panda Software as Downloader.DBR, through mass-mailed messages to users around the world that use a spoof story about a suicide attempt by Michael Jackson, is nothing more than a new episode in social engineering: exploiting the popularity of certain celebrities to increase the propagation of this type of threat.

The strategy used to spread this malware is actually quite complex: the message, which has been distributed manually as spam across the Internet, contains a link to a web page. This page, by means of malware detected by Panda Software as Phel.J, exploits a browser vulnerability to place Inor.AK, an HTML application, on the computer. This in turn provides the access needed to install Downloader.DBR on the user's computer. However, the malicious chain doesn't end there: once installed, this Trojan downloads the AU variant of the Dedler worm, which actually carries out the malicious action on the infected computer.

This is not the first time that Michael Jackson has been used as bait to distribute this kind of threat: last November a mail was distributed supposedly containing a link to a website from which users could download a video of Jackson with a child. This video did not exist, but instead a Trojan was downloaded onto the computer.

Even though it is not usual for such complex coordinated techniques to be used to install malware on computers, the names of celebrities are frequently used to distribute mails which either contain malware attached to the mail itself (often camouflaged as an image), or which contain a URL where the malware is accessed (as in this case). Trojans in themselves do not generally have the capacity to propagate (as worms do), and so this type of strategy is needed for the message to spread.

Top of this particular "celebrity virus ranking" is Britney Spears, who according to data from PandaLabs has been the involuntary protagonist of most attacks over the last few years. Attractive female celebrities are often used for these purposes, as the excuse for sending the mail is often to entice users with the promise of interesting photos. Along these lines, third and fourth respectively in the ranking are Jennifer Lopez (unfortunately associated with the famous LoveLetter) and Shakira. Porn stars are also often used for this purpose.

The second person most frequently used by malware creators to distribute their work is Microsoft owner Bill Gates, and fifth in the list is Osama Bin Laden. The latter has been the subject of e-mails claiming that he has been hanged, or finally caught, and the spread of these messages increased after the Iraq war.

Other famous people who have been used in this context include Anna Kournikova, who was the subject of a widespread example of malware bearing her name, Bill Clinton, Pamela Anderson, and even Alberto Fujimori, the ex-president of Peru.

The ranking of famous people most frequently used is:

  1. Britney Spears
  2. Bill Gates
  3. Jennifer Lopez
  4. Shakira
  5. Osama Bin Laden
  6. Michael Jackson
  7. Bill Clinton
  8. Anna Kournikova
  9. Paris Hilton
  10. Pamela Anderson

Source: http://www.pandasoftware.com

Michael Jackson suicide spam leads to Trojan horse -- Posted by Igor_Donchenko on Friday, June 10 2005
Experts at SophosLabs, Sophos's global network of virus and spam analysis centers, have warned of a spam campaign that claims that Michael Jackson has attempted suicide in an attempt to lure innocent computer users into being infected by a Trojan horse.

Sophos has identified hundreds of the spam messages being sent, preying on intense media interest in the trial of the controversial popstar. The spam emails have the following characteristics:

Subject: Re: Suicidal aattempt

Message text:
Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt.

They suggest this attempt follows the last claim was made against the king of pop. 46 years old Michael has left pre-suicid note which describes and interpretes some of his sins.

Read more...


However, when users click on the link they are taken to a website which secretly installs malicious code onto their PCs.
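Both this campaign and the virtual postcard spam reported above (June 30) share one shape: no attachment, a short piece of bait, and a link the reader is meant to follow. The script below is an added example of mail-gateway triage for that shape; it is not Sophos code. The bait phrases are taken from the two messages quoted on this page, the three sample messages are constructed (reserved `.example` hosts, no real captures), and a real deployment would extend the phrase list with its own observed lures.

```python
"""Triage of link-only lure mails like the postcard and "suicide" spam above.

Added example (not Sophos code). The bait phrases are lifted from the two
messages quoted on this page; the sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Phrases taken from the lures quoted on this page (assumption: a real
# deployment would extend this list with its own observed bait).
BAIT_PHRASES = (
    "virtual postcard",
    "pick up your postcard",
    "suicidal attempt",
    "read more",
)

# Constructed samples, not real captures; hosts use reserved .example names.
POSTCARD_MSG = """\
From: Best Postcards <cards@postcards.example>
To: user@example.org
Subject: You have received a virtual postcard

You have just received a virtual postcard from Ryan Tamares!

You can pick up your postcard at the following web address:
http://postcards.example/postcard.html

Regards,
Best Postcards
"""

JACKSON_MSG = """\
From: news@breaking.example
To: user@example.org
Subject: Re: Suicidal aattempt

Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt.

Read more... http://breaking.example/story.html
"""

BENIGN_MSG = """\
From: colleague@example.org
To: user@example.org
Subject: Meeting notes

Hi, the notes from today are at http://intranet.example/notes/2005-06-30
"""


def message_text(msg: Message) -> str:
    """Return the text/plain content of a message, skipping attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain" or part.get_filename():
            continue
        payload = part.get_payload(decode=True)
        if payload:
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename, i.e. is an attachment."""
    return any(part.get_filename() for part in msg.walk())


def triage(raw: str) -> dict:
    """Score one raw RFC 822 message.

    The pattern both reports describe is a message with no attachment whose
    whole purpose is to get the reader to follow a link, so the verdict is
    'suspicious' when a bait phrase and a URL are present and nothing is attached.
    """
    msg = message_from_string(raw)
    body = message_text(msg)
    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    urls = URL_RE.findall(body)
    hits = [phrase for phrase in BAIT_PHRASES if phrase in haystack]
    attached = has_attachment(msg)
    suspicious = bool(urls) and bool(hits) and not attached
    return {
        "subject": msg.get("Subject", ""),
        "urls": urls,
        "bait_hits": hits,
        "has_attachment": attached,
        "verdict": "suspicious" if suspicious else "ok",
    }


if __name__ == "__main__":
    for sample in (POSTCARD_MSG, JACKSON_MSG, BENIGN_MSG):
        result = triage(sample)
        print(f"{result['verdict']:10s} {result['subject']!r} urls={result['urls']}")
```

The verdict deliberately requires all three signals together; a bait phrase alone, or a link alone, is too common in legitimate mail to act on. Messages flagged this way are the ones whose links belong in a sandbox or URL-reputation check before a user ever sees them.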

"If you click on the link the website displays a message saying it is too busy, which may not surprise people who think it might contain genuine breaking news about Michael Jackson," said Carole Theriault, security consultant at Sophos. "However, this is a diversionary tactic - because behind the scenes the website is downloading malware onto the user's computer without their knowledge."

Experts at Sophos have analysed the code downloaded by clicking on the link, and determined that it itself attempts to download another Trojan horse which Sophos detects as Troj/Borobt-Gen.

Sophos notes that this is not the first time that the troubled pop star has been exploited by virus writers and hackers attempting to spread their malware. In October last year messages were posted on the internet claiming that incriminating home videos belonging to Jackson had been discovered - but clicking on the link infected web surfers with the Hackarmy Trojan horse.

"The sick minds behind viruses and other malware often exploit celebrity names and news stories in an attempt to infect as many people as possible," continued Theriault. "All computer users should be very careful about clicking on weblinks in unsolicited email or launching unknown attachments."

Source: http://www.sophos.com

The lion sings tonight as Trojan horse steals passwords -- Posted by Igor_Donchenko on Friday, June 10 2005
Experts at SophosLabs, Sophos's global network of virus and spam analysis centers, have warned users about a Trojan horse which tries to steal confidential passwords and other data from infected computers. Bizarrely, the Trojan horse is accompanied by an animated picture of a lion wishing a happy birthday as it steals information from unsuspecting users.

Innocent computer users are being tempted to download the Troj/LdPinch-BD Trojan horse after a download link to the file was included in a spam campaign. The Trojan horse is designed to steal sensitive information, including passwords, from various applications. Information stolen can include:

  • computer details (OS version, memory, CPU etc.)
  • available drives (drive letter, type and free space)
  • hostname and IP address
  • Windows folder volume information
  • passwords and confidential information from 'Protected Storage'
  • POP3 and IMAP server information, usernames and passwords
  • FTP usernames and passwords
  • RAS dial-up settings
Information stolen from infected computers is sent to a remote website, and the Trojan horse attempts to download further malicious code. However, at the time of writing, it appears the Trojan is not successfully downloading further code.

"This Trojan horse is designed to hand over confidential data from your PC straight into the hands of the hackers," said Graham Cluley, senior technology consultant for Sophos. "Anyone venturing into the jungle of the internet needs to be properly defended against attack with up-to-date anti-virus software, firewalls and security patches."

Sophos experts believe that the Troj/LdPinch-BD Trojan horse is further evidence of a growing trend of more malware spying on innocent home computer owners and poorly-protected businesses.

"More criminals are writing spyware and viruses than ever before. They are becoming more aggressive in their attempts to find new computers to infect and control, with the objective of stealing money and resources from the unprotected," continued Cluley. "If you attach a new, unpatched and unprotected computer to the internet then it can easily be under the control of hackers within a matter of minutes."

Source: http://www.sophos.com

A new spyware program capable of infecting files -Smitfraud- is spreading across the Internet -- Posted by Igor_Donchenko on Friday, June 10 2005
PandaLabs has reported the appearance of Smitfraud, a new spyware program that stands out because it infects system files, affecting the system's operation.

This malicious application is downloaded to the computer through another spyware program known as CWS.YEXE, which is included in a large number of underground web pages. As well as dropping other malware like Smitfraud on the computer, it also installs other malicious applications.

When it reaches a computer, Smitfraud installs an antispyware application named PSGuard. It also creates several files. One of these files is called oleadm32.dll and is a copy of the system file wininet.dll. This file is infected with a virus named W32/Smitfraud.A, and it will try to replace the original file when the computer is restarted. Another of the files this spyware creates on the system is called wp.bmp and is an image that simulates the blue screen of death that appears when an error occurs in Windows operating systems. This image shows a text informing the user that the computer is infected by a spyware program called Smitfraud.c, and recommends scanning the computer with a program that can fix the problem.

When users run PSGuard, the malware (Smitfraud.c) is detected. However, to remove it from the PC, users must buy and register this antispyware tool.
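Two of the reports on this page describe file-system indicators a responder can look for on a suspect machine: the PGPCoder.B report (June 30) says the Trojan leaves a text file beginning "Some files are coded." next to the files it encrypted, and the Smitfraud report above says it drops oleadm32.dll, a copy of wininet.dll, into the system directory. The script below is an added example of scanning for both; it is not Panda's tooling. It builds a constructed sample tree in a temporary directory (no real malware, just a note file and two stand-in DLLs) and then scans it; the `system32` subdirectory of that tree stands in for the real Windows system directory.

```python
"""Host indicator scan for two behaviours described on this page.

Added example, not Panda's tooling. It looks for (1) the PGPCoder.B note,
a small text file whose first line is "Some files are coded.", dropped next
to encrypted files, and (2) Smitfraud's oleadm32.dll, a copy of wininet.dll
placed in the system directory. The sample tree it builds is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

RANSOM_NOTE_MARKER = "Some files are coded."   # first line of the note quoted on this page
SUSPECT_COPY = "oleadm32.dll"                   # file name from the Smitfraud report
ORIGINAL_DLL = "wininet.dll"


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ransom_notes(root: Path) -> list:
    """Return .txt files under root whose first line is the PGPCoder.B marker."""
    hits = []
    for path in root.rglob("*.txt"):
        if not path.is_file() or path.stat().st_size > 4096:   # the note is a few lines
            continue
        with path.open("r", errors="replace") as fh:
            if fh.readline().strip() == RANSOM_NOTE_MARKER:
                hits.append(path)
    return sorted(hits)


def check_dll_copy(system_dir: Path):
    """Report oleadm32.dll if present: None, 'identical-copy' or 'present-modified'.

    The report says the copy is itself infected, so it will usually differ from
    wininet.dll; presence alone is the indicator, the hash comparison says how.
    """
    suspect = system_dir / SUSPECT_COPY
    original = system_dir / ORIGINAL_DLL
    if not suspect.is_file():
        return None
    if original.is_file() and sha256_of(suspect) == sha256_of(original):
        return "identical-copy"
    return "present-modified"


def scan(root: Path) -> dict:
    """Run both checks; root/system32 stands in for the Windows system directory."""
    return {
        "ransom_notes": [p.relative_to(root).as_posix() for p in find_ransom_notes(root)],
        "dll_copy": check_dll_copy(root / "system32"),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed data (no real malware): one note, one benign .txt, one DLL pair."""
    docs = root / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.doc").write_bytes(b"\x00" * 32)             # stand-in for an encrypted file
    (docs / "readme.txt").write_text("Some files are coded.\nTo buy decoder mail: ...\n")
    (root / "notes.txt").write_text("Shopping list\nmilk\n")    # benign .txt, must not match
    sysdir = root / "system32"
    sysdir.mkdir()
    (sysdir / ORIGINAL_DLL).write_bytes(b"MZ" + b"\x90" * 64)
    (sysdir / SUSPECT_COPY).write_bytes(b"MZ" + b"\x90" * 64 + b"patched")   # modified copy


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    print(demo())   # expected: one note under Documents, dll_copy == 'present-modified'
```

On a real machine you would point `scan` at the user profile and the Windows system directory rather than a temporary tree; the size cap on candidate notes keeps the walk cheap, and the DLL check reports presence separately from the hash result because an infected copy is expected to differ from the original.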

According to Luis Corrons, director of PandaLabs, "This spyware is quite unusual in the way it operates. In fact, it is the second known program of this type capable of infecting files. Nevertheless, its real objective is to trick users for financial gain. Today's creators of malware are motivated solely by money, and have no hesitation in using any tactic in order to achieve their aims. For this reason users should keep their guard up at all times."

Source: http://www.pandasoftware.com

New Bagle variants spreading the net -- Posted by Igor_Donchenko on Friday, June 3 2005
Bagle variants have begun circulating on the Internet, and as always, the best way to protect your computer is to update your antivirus package with the latest antivirus database.

The mass-mailing Trojans Bagle and Mytob have been appearing at the WinAntiVirus research centre. Bagle, which has been floating around since 2004, has produced three new variants as a new "release".

Beagle arrives as a Zip archive in the message; once unpacked, it tries to download a Trojan from one of several web sites. The Trojan begins the usual mass mailing and also attempts to install a backdoor on the infected computer.

Mytob installs a backdoor and performs the mass mailing with its own built-in email engine. Upon infecting a machine, it gathers email addresses and then mails itself to every address it found.

Both Trojans are low risk to users who take care of their security and update their antivirus software properly.

Source: http://www.winantivirus.com

Extortion attempts from hackers on the increase -- Posted by Igor_Donchenko on Friday, June 3 2005
PandaLabs has reported the appearance of a new kind of spyware, SpywareNo, which urges users to buy a solution to counteract false infections. This new strain of malware comes on top of other similar threats reported in previous weeks, in what would seem to be a wave of attempted extortions on computer users.

After the attacks in recent weeks of PGPCoder, a Trojan that encrypted files with certain extensions and then demanded a sum of money to reverse the process, or Topspyware, spyware that behaved in a similar way to the current threat, SpywareNo joins the list of what has been dubbed "ransom-ware", i.e., malicious software used by its creator to demand ransoms.

SpywareNo exploits browser vulnerabilities to download onto users' computers when they visit certain adult or pirate websites. The visible symptoms of infection are apparent immediately. When installed on a PC, it creates an icon both on the desktop and in the system tray warning of a false infection by spyware. It also alters the registry to ensure that the malware is run on every system startup.

After a time, it displays a message on-screen warning of the dangers of spyware and inviting users to buy the full version of the product to disinfect the computer. If users fail to register, this commercial software will 'detect' threats that don't actually exist on the computer, and which will 'disappear' as soon as users pay for the product. On the website of the commercial software used for this extortion, it is possible to download a trial version of the product.

"Malware creators are increasingly motivated by the potential financial benefits. In addition to PGPCoder, Topspyware, and now SpywareNo, over the last few weeks we have also seen regular attacks against users of online banking services, through phishing techniques or intrusions on computers to monitor their actions," explains Luis Corrons, director of PandaLabs. "Users themselves are the main victims, as if they are not adequately protected, they are exposed to a continual bombardment of these types of threats and it is difficult to constantly emerge unscathed."

Source: http://www.pandasoftware.com

A new and dangerous variant of Mitglieder is being spread massively -- Posted by Igor_Donchenko on Friday, June 3 2005
According to PandaLabs, the new and dangerous DC variant of the Mitglieder family of Trojans (also called Bagle.BO or BagleDI-Q by other security companies) has been sent as spam to thousands of users around the world. Mitglieder.DC blocks the processes of a range of antivirus and IT security applications, leaving the computer unprotected against other attacks. In the last few hours, detections in ActiveScan have been increasing steadily because this malware is being mass-mailed, a technique intended to reach as many users as possible.

As this malicious code cannot spread by itself, Mitglieder.DC reaches computers in a series of highly variable email messages. For the same reason, this malicious code can be distributed through numerous channels: storage devices, Internet downloads, P2P networks, etc.

If a user runs the file that contains Mitglieder.DC, in addition to blocking security applications that could be running, it tries to connect to numerous Internet addresses, from which it downloads and runs the osa.gif file. This in turn contains Downloader.CYB, a Trojan designed to download all types of malware on computers that it infects.
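The report says the file Mitglieder.DC fetches is named osa.gif yet actually carries Downloader.CYB: an executable wearing an image file name. Comparing a downloaded file's leading bytes with what its extension promises catches that class of disguise at a proxy or on an endpoint. The script below is an added example of such a check; it is not Panda's code. The signatures are the standard GIF, PNG, JPEG, BMP, ZIP and DOS/PE headers, and the sample blobs are constructed headers plus padding, not real images or programs.

```python
"""Extension-versus-content check for downloaded files.

Added example, not Panda's code. The report says the downloaded osa.gif
actually carries Downloader.CYB, i.e. an executable wearing an image name.
Comparing a file's leading bytes with what its extension promises catches
that class of disguise. Sample bytes below are constructed headers only.
"""

# Well-known file signatures (magic bytes) and the canonical type they indicate.
SIGNATURES = (
    ("gif", (b"GIF87a", b"GIF89a")),
    ("png", (b"\x89PNG\r\n\x1a\n",)),
    ("jpeg", (b"\xff\xd8\xff",)),
    ("bmp", (b"BM",)),
    ("zip", (b"PK\x03\x04",)),
    ("pe", (b"MZ",)),          # DOS/PE header shared by .exe, .dll, .scr
)

# What each extension is expected to contain.
EXPECTED_BY_EXT = {
    "gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "bmp": "bmp",
    "zip": "zip", "exe": "pe", "dll": "pe", "scr": "pe",
}
PE_EXTENSIONS = {ext for ext, kind in EXPECTED_BY_EXT.items() if kind == "pe"}


def sniff(data: bytes):
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for kind, magics in SIGNATURES:
        if data.startswith(magics):
            return kind
    return None


def classify(filename: str, data: bytes) -> dict:
    """Compare the extension's promise with the sniffed content type."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    actual = sniff(data)
    expected = EXPECTED_BY_EXT.get(ext)
    return {
        "filename": filename,
        "extension": ext,
        "expected": expected,
        "actual": actual,
        # known extension whose content is a different known type
        "mismatch": expected is not None and actual is not None and actual != expected,
        # executable content under any non-executable (or missing) extension
        "disguised_executable": actual == "pe" and ext not in PE_EXTENSIONS,
    }


# Constructed samples: headers plus padding only, no real programs or images.
FAKE_GIF = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56      # PE header under a .gif name
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 20
ARCHIVE = b"PK\x03\x04\x14\x00" + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in (("osa.gif", FAKE_GIF), ("logo.gif", REAL_GIF), ("update.zip", ARCHIVE)):
        r = classify(name, blob)
        flag = "!!" if r["mismatch"] or r["disguised_executable"] else "ok"
        print(f"{flag} {name}: extension says {r['expected']}, content says {r['actual']}")
```

The two flags answer different questions: `mismatch` says the name lies about a known type, while `disguised_executable` says the content is a Windows executable regardless of how it is named, which is the case the report describes and the one worth blocking at a download proxy.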

"Malware creators try to distribute their creations rapidly to prevent users from having time to update their antivirus solutions. They're trying to exploit the "vulnerability window", i.e. the time that it takes between new malware appearing and users installing the updates on their computers", explains Luis Corrons, director of PandaLabs. "New techniques are frequently being used in order to spread malware as rapidly as possible. So for example, as in this case, thousands of infected mails could be sent simultaneously as spam, or numerous variations can be launched at the same time. Another frequently used system is to exploit software vulnerabilities, as was the case with Sasser, infecting millions of computers last year."

Source: http://www.pandasoftware.com



© AntivirusWorld.com