Spyware, Viruses, & Security forum

VIRUS \ SPYWARE ALERTS - February 25, 2009

by Marianna Schmudlach / February 24, 2009 2:08 PM PST
Troj/Rootkit-EZ
by Marianna Schmudlach / February 24, 2009 2:08 PM PST
Troj/Poison-AQ
by Marianna Schmudlach / February 24, 2009 2:09 PM PST
Troj/MalDoc-P
by Marianna Schmudlach / February 24, 2009 2:10 PM PST
Troj/Autothum-A
by Marianna Schmudlach / February 24, 2009 2:11 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Troj/Autothum-A is a Windows Shortcut (.lnk) file which executes a malicious VB script.

The script is typically a member of the VBS/Autorun family, for example VBS/Autorun-UC.

The script is typically called thumb.db. This is an attempt to disguise the true nature of the file, and should not be confused with the legitimate thumbs.db file found in many image folders.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojautothuma.html?_log_from=rss
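The Autothum write-up above turns on one detail a defender can act on: a script named thumb.db (not the legitimate thumbs.db cache) launched from a .lnk shortcut. The following is an added triage script, not code from the forum post or from Sophos. It walks a folder, flags any file named exactly thumb.db, and flags .lnk files whose raw bytes mention thumb.db or a Windows script host. It matches bytes only (ASCII and UTF-16LE) rather than parsing the Shell Link format, so it is a quick triage aid for a suspect image folder, not a detection signature; the sample folder it builds is constructed for the demonstration.

```python
"""Triage heuristic for the .lnk + thumb.db disguise described in the Troj/Autothum-A post.

Added example (not from the forum post or Sophos). Byte matching only; it does
not parse the Shell Link format. The sample folder built by build_sample_dir()
is constructed for this demonstration.
"""
import os
import tempfile

SUSPECT_NAME = b"thumb.db"          # disguised script name from the write-up
SCRIPT_HOSTS = (b"wscript", b"cscript", b".vbs")

# Standard Shell Link header: HeaderSize 0x4C followed by the Shell Link CLSID.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")


def _utf16(s: bytes) -> bytes:
    # Shortcut string data is usually UTF-16LE; match both encodings.
    return s.decode("ascii").encode("utf-16-le")


def lnk_looks_suspicious(data: bytes) -> bool:
    """True if the shortcut bytes reference thumb.db or a script host."""
    low = data.lower()               # bytes.lower() touches ASCII only, so UTF-16LE stays matchable
    needles = [SUSPECT_NAME, _utf16(SUSPECT_NAME)]
    needles += list(SCRIPT_HOSTS) + [_utf16(h) for h in SCRIPT_HOSTS]
    return any(n in low for n in needles)


def scan_directory(root: str) -> dict:
    """Walk root; return disguised-script candidates and suspicious .lnk files."""
    found = {"disguised_scripts": [], "suspicious_links": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lname = name.lower()
            # Exact match on "thumb.db"; the legitimate cache "thumbs.db" does not match.
            if lname == SUSPECT_NAME.decode():
                found["disguised_scripts"].append(path)
            elif lname.endswith(".lnk"):
                with open(path, "rb") as fh:
                    if lnk_looks_suspicious(fh.read()):
                        found["suspicious_links"].append(path)
    return found


def build_sample_dir() -> str:
    """Constructed folder: a legit thumbs.db, a disguised thumb.db, one bad and one benign .lnk."""
    root = tempfile.mkdtemp(prefix="autothum_demo_")
    with open(os.path.join(root, "thumbs.db"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32)  # OLE2 magic like the real cache
    with open(os.path.join(root, "thumb.db"), "wb") as fh:
        fh.write(b"' constructed placeholder, not a real script\r\n")
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:
        fh.write(LNK_HEADER + "wscript.exe thumb.db".encode("utf-16-le"))
    with open(os.path.join(root, "Report.lnk"), "wb") as fh:
        fh.write(LNK_HEADER + "C:\\Users\\me\\Report.docx".encode("utf-16-le"))
    return root


def demo() -> dict:
    """Build the constructed folder, scan it, and return base names per finding type."""
    result = scan_directory(build_sample_dir())
    return {k: sorted(os.path.basename(p) for p in v) for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

On the constructed folder the scan reports thumb.db as a disguised-script candidate and Photos.lnk as the suspicious shortcut, while thumbs.db and Report.lnk pass. A real shortcut stores its target and arguments in several UTF-16LE fields, which is why both encodings are searched; anything it flags still needs a look at the shortcut's actual target before it is treated as malicious.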

Mal/EncPk-GZ
by Marianna Schmudlach / February 24, 2009 2:12 PM PST
Mal/Behav-256
by Marianna Schmudlach / February 24, 2009 2:13 PM PST
Error Check System, Kenny Glenn, and Parking Tickets
by Marianna Schmudlach / February 24, 2009 2:15 PM PST

Posted by Sean

Error Check System: As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence.

It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula, create something that spawns a search, then be ready to provide results that redirect to malicious sites.

More: http://www.f-secure.com/weblog/

W32.Spamuzle.E
by Marianna Schmudlach / February 24, 2009 2:21 PM PST

Discovered: February 24, 2009
Updated: February 24, 2009 8:34:42 AM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

W32.Spamuzle.E is a worm that spreads by copying itself to mapped drives. The worm may download potentially malicious files and steal information from the compromised computer.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022408-1520-99

W32.Spamuzle.E!inf
by Marianna Schmudlach / February 24, 2009 2:21 PM PST
Troj/MDrop-BZM
by Marianna Schmudlach / February 24, 2009 11:37 PM PST
Troj/Keygen-CU
by Marianna Schmudlach / February 24, 2009 11:39 PM PST
Troj/Inject-ER
by Marianna Schmudlach / February 24, 2009 11:39 PM PST
Troj/Inject-EQ
by Marianna Schmudlach / February 24, 2009 11:40 PM PST
Troj/Drop-BX
by Marianna Schmudlach / February 24, 2009 11:41 PM PST
Troj/Delf-FBO
by Marianna Schmudlach / February 24, 2009 11:42 PM PST
Troj/Agent-JAB
by Marianna Schmudlach / February 24, 2009 11:43 PM PST
Troj/Agent-IZZ
by Marianna Schmudlach / February 24, 2009 11:44 PM PST
Troj/Agent-IZY
by Marianna Schmudlach / February 24, 2009 11:45 PM PST
Mal/NTRootK-A
by Marianna Schmudlach / February 24, 2009 11:46 PM PST
Excel Trojan targets unpatched flaws
by Marianna Schmudlach / February 25, 2009 12:07 AM PST

Another day, another zero-day threat

By John Leyden

25th February 2009

Virus authors have reportedly created a Trojan that exploits an unpatched vulnerability in a range of versions of Excel.

The malware comes in the form of a maliciously constructed spreadsheet file with a malicious payload identified by McAfee, for example, as the BackDoor-DUE trojan. Many versions of Excel are vulnerable, including 2000, 2002, 2003, 2007, 2004/2008 for Mac, Excel Viewer/Excel Viewer 2003.

Opening up an infected file using vulnerable software packages creates a backdoor. Attacks thus far are "very targeted and limited" and similar in this respect to malware targeting the also unpatched Adobe PDF flaw, McAfee reports.

More: http://www.theregister.co.uk/2009/02/25/excel_trojan/

Backdoor.Syzoor
by Marianna Schmudlach / February 25, 2009 12:14 AM PST

Discovered: February 25, 2009
Updated: February 25, 2009 9:28:57 AM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Backdoor.Syzoor is a Trojan horse that opens a back door on the compromised computer.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022509-1352-99

Xbox Live Losers Resort to Hacking
by Marianna Schmudlach / February 25, 2009 12:16 AM PST

Feb25

Xbox Live users, specifically winning players, are being targeted by hackers. Researchers believe that the attacks are done so other Xbox Live users could get back at the players who beat them in a game.

A BBC report explains that the tools used in this hacking attack do not target the Xbox Live network but the IP addresses of players hosting games. Hackers first try to find out what a target user's IP address is, and when successful doing this, they are able to stage attacks commonly done on websites.

Denial of service is an infamous line of attack where hackers flood sites to make it inaccessible to visitors.

This attack again presents an opportunity for cybercriminals to offer their services, for certain amounts of money of course. That is, if they were not already involved in the first place. Sniffing for IP addresses is the hard part of this operation. Imagine irate users paying money to get that information so they could get their revenge.

More: http://blog.trendmicro.com/

TROJ_PROXY.AEI
by Marianna Schmudlach / February 25, 2009 12:18 AM PST

Gmail Downtime Exposes Ad-Rigged Site

Feb25

The Gmail downtime experienced today may have caused a nasty ruckus by frustrated users, but unknown to these users is an issue bigger than not being able to access email messages.

In the midst of the commotion brought about by the outage lasting only a few hours, cybercriminals managed to squeeze in an attempt to distribute malicious files to unknowing users.

During the downtime, searches for the string "gmail down" yielded a Google Group page also named Gmail down as the top result. Trend Micro Researcher Loucif Kharouni reports that the said page was found displaying a banner with images related to pornography, which then pointed to a pornographic website. But what's more dangerous is that links in the said webpage lead to malicious files.

More: http://blog.trendmicro.com/

WORM_DOWNAD.AD
by Marianna Schmudlach / February 25, 2009 12:19 AM PST

New DOWNAD/CONFICKER Variant Already Detected
Feb25

There have been some concerns over whether another new Conficker variant (DOWNAD for Trend Micro) has been released or not. Recall that in January, we have witnessed cybercriminals update WORM_DOWNAD.A's routines to include being able to propagate via more channels to become WORM_DOWNAD.AD. Reports talk of yet more updated functionalities in a more recent Conficker run.

This variant, which we also detect as WORM_DOWNAD.AD, has brought in two new paths for binary validation and execution. Both bypass the use of Internet Rendezvous points which, for the earlier variant, is used by bot masters to make contact with DOWNAD drones for tracking or new payload updates:

* One path is in an extension to netapi32.dll which checks for URLs in RPC traffic. If valid, the file from the URL is downloaded, and if the file is valid for the malware's purposes, the file is executed.
* The other new path is when the malware creates a named pipe which it will use to receive any URL sent by the botmaster, much like a backdoor. The malware reads from the named pipe and, if it does not return an error, passes it to another function which will then download, validate and execute a file.

More: http://blog.trendmicro.com/

TROJ_MDROPPER.XR
by Marianna Schmudlach / February 25, 2009 12:21 AM PST

Another Exploit, This Time On MS Excel

Feb25

Cybercriminals are actively taking advantage of another vulnerability, this time in Microsoft Office Excel. This is the third threat in less than two weeks that featured exploits. Exploit codes on IE7 and PDF bugs were discovered last week and earlier this week respectively.

Microsoft acknowledges the Excel vulnerability in a recent bulletin. The software giant says that it is now investigating the case.

A malicious binary detected by Trend Micro as TROJ_MDROPPER.XR is found exploiting this said Excel bug in the wild. The Trojan arrives on systems as a specially-crafted Excel file, through spammed messages or via remote malicious websites. Its routines are triggered when it is opened by unknowing users.

TROJ_MDROPPER.XR drops and executes BKDR_AGENT.FAX, which in turn executes at every system startup. The backdoor connects to websites to send and receive information. It also gives cybercriminals almost the same user rights as the infected local user by opening a random port and enabling a remote user to execute the following commands:

More: http://blog.trendmicro.com/

P2P-Worm:W32/Bacteraloh.H
by Marianna Schmudlach / February 25, 2009 12:24 AM PST

Name : P2P-Worm:W32/Bacteraloh.H
Detection Names : P2P-Worm.Win32.Bacteraloh.h
Aliases : W32.Sality.X (Symantec)
W32/Sality.ac (McAfee)
PE_SALITY.AL (Trend Micro)
Type: P2P-Worm
Category: Malware
Platform: W32

Summary
A type of worm that spreads over Peer-to-Peer (P2P) networks.

Process Changes
Creates these mutexes:

* _kuku_joker_v4.00


Network Connections
Attempts to connect with HTTP to:



More: http://www.f-secure.com/v-descs/p2p-worm_w32_bacteraloh_h.shtml

Worm:SymbOS/Yxe
by Marianna Schmudlach / February 25, 2009 12:25 AM PST

Name : Worm:SymbOS/Yxe
Detection Names : Worm:SymbOS/Yxe.gen
Worm.SymbOS.Yxe
Worm:SymbOS/Yxe
Aliases : SymbOS/Yxes.A!worm (Other)
Type: Worm
SMS-Worm
Category: Malware
Platform: SymbOS

Summary
Worm:SymbOS/Yxe is malicious software for Symbian S60 3rd Edition Phones.

Prevention

S60 phones have a list of valid certificates.

To maintain a current list of valid certificates, the application manager settings should be adjusted from the defaults. The default App. manager setting for Online certif. check is Off.

The On setting is necessary to remove revoked certificates from your phone during installation.

Online Certificate Check details from Nokia:

More: http://www.f-secure.com/v-descs/worm_symbos_yxe.shtml

Symbian users are lured by 'Sexy View' once again.
by Marianna Schmudlach / February 25, 2009 12:27 AM PST
In reply to: Worm:SymbOS/Yxe

25 February 2009

"Do not trust any kind of 'Sexy View' application and be careful even if you get a message from a known contact", say our threat researchers, "particularly these days, when Symbian users are under attack from the next generation of malware that targets the S60 3rd Edition phones and those compatible with them".

You may be surprised to find out the so called "Sexy View" application from a "Play Boy" vendor conceals a monster that will steal your confidential details as well as the bill that you'll have to pay for all those SMS messages that were sent from your device.

This monster (Symb/Yxes-Gen) is a clever thing, as in addition to claiming to provide English and Chinese language options upon installation it arrives as a SISX installation file with the valid Symbian certificate.

http://www.sophos.com/security/blog/2009/02/3341.html

W32/OnlineG-AX
by Marianna Schmudlach / February 25, 2009 2:17 AM PST
Troj/Waled-BA
by Marianna Schmudlach / February 25, 2009 2:18 AM PST
