General discussion

VIRUS \ Spyware ALERTS - January 8, 2009

Jan 7, 2009 10:11AM PST

WORM_IRCBOT.CAV
Jan 8, 2009 1:33AM PST

Malware type: Worm

Malware Overview

This worm may be dropped by other malware.

It creates folders and drops several copies of itself. It then creates registry entries to enable its automatic execution at every system startup.

It modifies registry entries to disable automatic Windows Update, various Security Center functions, and firewall settings; to hide files with both System and Read-only attributes; to disable Automatic Windows Update; and as part of its installation routine.

This worm takes advantage of the following software vulnerability to propagate across networks:

Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability
It drops files.

It acts as a server program controlled by an Internet Relay Chat (IRC) bot. It opens a random port and connects to a random server, where it joins a channel. Once connected, it receives several commands from the IRC bot. These commands are executed locally, effectively compromising the affected system.

It bears the icon normally used by Microsoft Word documents to trick users into thinking that it is a legitimate application.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FIRCBOT%2ECAV

W32.Grenail.C!inf
Jan 8, 2009 1:34AM PST

W32.Grenail.D!inf
Jan 8, 2009 1:35AM PST

Worm:W32/Downadup.AL
Jan 8, 2009 1:44AM PST

Name : Worm:W32/Downadup.AL
Detection Names : Net-Worm.Win32.Kido.cg
Worm:W32/Downadup.AL
Worm:W32/Downadup.AL

Aliases : Mal/Conficker-A (Sophos)
W32/Conficker.worm.gen.b (Symantec)
Worm:Win32/Conficker.B (Microsoft)

Type: Worm
Category: Malware
Platform: W32

Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

Removal Tools

ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

Note: please read the text file included in the ZIP for additional details.

Scanning options

Downadup makes use of random extension names in order to avoid detection.

During disinfection, scanning options should be set to:

Scan all files

http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

Troj/Renos-CI
Jan 8, 2009 1:45AM PST

Category: Viruses and Spyware

Type: Trojan

Troj/Renos-CI is a Trojan for the Windows platform.

Troj/Renos-CI includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Renos-CI downloads files with .gif extensions from multiple websites.
These files are actually executable files and are run once downloaded.

The following registry entry is created to run Troj/Renos-CI on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSFox
<pathname of Troj/Renos-CI>

Registry entries are created under:

HKLM\SOFTWARE\Mozilla\MSFox

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrenosci.html?_log_from=rss

Troj/FakeAle-KV
Jan 8, 2009 1:47AM PST

Troj/FakeAle-KU
Jan 8, 2009 1:48AM PST

Troj/DwnLd-L
Jan 8, 2009 1:49AM PST

Troj/Bckdr-QRB
Jan 8, 2009 1:50AM PST

Mal/Banker-G
Jan 8, 2009 1:51AM PST

Microsoft server worm can spread via USB
Jan 8, 2009 2:31AM PST

By Tom Espiner ZDNet.co.uk
Posted on ZDNet News: Jan 08, 2009

A Microsoft worm that is currently attacking business systems is also a USB worm, security vendor F-Secure has warned.

The worm, which F-Secure calls Downadup, attacks the vulnerability outlined in MS08-067, a Windows Server service flaw that was patched in October.

The worm launches a dictionary attack to attempt to crack user passwords, and uses server-side polymorphism and modification to the Access Control Lists (ACL) "to make network disinfection particularly difficult", F-Secure said in a blog post on Tuesday.

More: http://news.zdnet.com/2424-9595_22-258763.html

Once Again, Bogus Promos Used to Seed Malware
Jan 8, 2009 2:35AM PST

The conclusion of the recent holiday season didn't stop cybercriminals from creating new spoofed promos to distribute malware, of course.

Very much similar to the social-engineering campaign that used McDonald's and Coca-Cola, yet another spam run that distributes malware was recently found by Trend Micro researchers.

Popular brands such as Ikea, Symantec, Jack Daniel's, and British Airways were all used for this recent campaign. Spam emails are sent, promoting a coupon and instructing the recipient to open the attached coupon to cash in on savings. But instead of a coupon, the attachment actually contains malware that compromises the victim's computer.

Below are screenshots of sample spam emails with their corresponding attachments:

http://blog.trendmicro.com/

Win32/Fruspam.A
Jan 8, 2009 2:38AM PST

Date Published:
8 Jan 2009

Last Updated:
8 Jan 2009

Characteristics
Type : Worm

Category : Win32

Also known as: Trojan.Win32.Buzus.afqp (Kaspersky), Mal/CryptBox-A (Sophos), Hacktool.Spammer (Symantec)

Description
Win32/Fruspam.A is a mass-mailing worm that sends spam messages through its in-built SMTP engine.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77083

W32/Conficker.worm.gen.b
Jan 8, 2009 4:14AM PST

Type: Virus; SubType: Generic Worm

Overview -
This detection is for a worm that exploits the MS08-067 vulnerability that exists in Microsoft Windows Server Service, which may allow for remote code execution. The flaw lies in the improper handling of specially crafted (malicious) RPC requests.

Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry keys to create a randomly-named service on the affected system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\ServiceDll = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs

More: http://vil.mcafeesecurity.com/vil/content/v_153710.htm
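
The svchost-hosted service persistence described in this entry (and in the Downadup entries above) can be checked for from a registry dump. The following is an added defender-side example, not code from any vendor write-up or from this thread: it parses a constructed dump in the same "key = value" form used above and flags services hosted by "svchost.exe -k netsvcs" whose ServiceDll is not in a hypothetical per-host baseline. The sample service names, DLL names and the baseline set are assumptions made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample dump in the "key = value" form used in the post above; service
# names, DLL names and paths are made up for illustration, not real indicators.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ServiceDll = %SystemRoot%\system32\qmgr.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath = %SystemRoot%\system32\spoolsv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kqwpxl\ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kqwpxl\Parameters\ServiceDll = "C:\Windows\System32\hgyqwt.dll"
"""

# Hypothetical baseline: DLL basenames recorded as legitimate members of the
# netsvcs group on this host (collect it from a known-clean build of the same image).
KNOWN_NETSVCS_DLLS = {"qmgr.dll"}

# Group 1: service name; group 2: value name; group 3: data (surrounding quotes dropped).
LINE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\"
    r"(Parameters\\ServiceDll|ImagePath)\s*=\s*\"?(.*?)\"?\s*$",
    re.IGNORECASE,
)

def parse_services(dump):
    """Return {service: {"ImagePath": ..., "ServiceDll": ...}} parsed from the dump."""
    services = defaultdict(dict)
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, value_name, data = m.groups()
        field = "ServiceDll" if value_name.lower().startswith("parameters") else "ImagePath"
        services[name][field] = data
    return dict(services)

def suspicious_svchost_services(services, baseline=KNOWN_NETSVCS_DLLS):
    """Flag services hosted by 'svchost.exe -k netsvcs' whose ServiceDll is not in the
    baseline; a missing ServiceDll on such a service is flagged too."""
    hits = []
    for name, values in services.items():
        image = values.get("ImagePath", "").lower()
        if "svchost.exe" not in image or "-k netsvcs" not in image:
            continue  # not hosted in the netsvcs group; out of scope for this check
        dll = values.get("ServiceDll", "")
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in baseline:
            hits.append((name, dll))
    return hits
```

A service with a random name whose ServiceDll is a randomly named file under the system folder, as this entry describes, is exactly what falls out of the baseline comparison; any hit should be reviewed against the service's binary on disk rather than treated as proof on its own.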

Troj/FakeAle-KW
Jan 8, 2009 10:02AM PST

Aliases: Win32/TrojanDownloader.Delf.ODS, not-a-virus:FraudTool.Win32.Antivirus2009.dw, Generic Dropper.bw

Category: Viruses and Spyware

Type: Trojan

Troj/FakeAle-KW is a Trojan for the Windows platform.

Troj/FakeAle-KW includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/FakeAle-KW copies itself to <System>\explorer32.exe.

The following registry entry is created to run explorer32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ieupdate
<System>\explorer32.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealekw.html?_log_from=rss

Troj/Bdoor-ARK
Jan 8, 2009 10:04AM PST

Troj/Agent-IOL
Jan 8, 2009 10:05AM PST

Troj/Agent-IOK
Jan 8, 2009 10:06AM PST

Troj/Agent-IOJ
Jan 8, 2009 10:07AM PST

Troj/Agent-IOI
Jan 8, 2009 10:08AM PST

Mal/TinyDL-X
Jan 8, 2009 10:09AM PST

Mal/IRCBot-H
Jan 8, 2009 10:10AM PST

Mal/FakeAV-R
Jan 8, 2009 10:12AM PST

Mal/Banker-F
Jan 8, 2009 10:13AM PST

Win32.Worm.Downadup.Gen
Jan 8, 2009 10:16AM PST

( W32.Downadup, W32/Worm.AHGV, Net-Worm.Win32.Kido.bg )

TECHNICAL DESCRIPTION:

Win32.Worm.Downadup is a worm which relies on the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) for spreading to other computers in the local network. The authors took various approaches to make this malware especially fast spreading and hard to remove.

More: http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html