
VIRUS \ SPYWARE ALERTS - June 23, 2009

Comments
Troj/FakeAv-TW
Troj/FakeAV-TV
Troj/FakeAV-TU
Troj/Dloadr-COX
Troj/Chimoz-J
Troj/BDoor-AVF
Troj/Agent-KGS
Troj/Agent-KGR
Troj/Agent-KGQ
Troj/Agent-KGP
Troj/FakeAV-TQ
Troj/FakeAV-TR
Troj/FakeAV-TS
Troj/PoisonI-D
Trojan.Spadenf

ErrorFix

Updated: June 23, 2009 9:11:37 AM
Type: Misleading Application
Name: ErrorFix
Version: 2.8.3456.520
Publisher: PC Utility Inc
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Behavior
ErrorFix is a misleading application that may give exaggerated reports of threats on the computer.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-062308-1901-99

Another Messy Mass Compromise Emerges

by Det Caraig (Technical Communications)

The hype after recent mass compromises has not even died down yet, and already another massive attack has been launched. Trend Micro was alerted of the emergence of another mass compromise, dubbed Nine Ball, for the same reason Gumblar was named Gumblar, only that this time, the Nine Ball domain is only one of hundreds of landing pages users can be redirected to.

As reported by Ivan Macalintal, Manager of Threat Research, the infection starts when a user accesses a compromised site that automatically redirects him/her to several sites. These sites were actually a trio of malicious domains (specific .KZ and .TW sites) constantly used by attackers in their scheme of redirecting users to a malicious IP address registered somewhere in Ukraine.

The chain ends when the user's browser lands on a page that contains exploits for vulnerabilities in various software including Adobe Acrobat and Adobe Shockwave. Advanced Threat Researcher Joey Costoya also pointed out that a previously reported PoC in Office OCX Word Viewer is also among the exploits used in this attack.

Compromised websites were injected with the following 1-3 blocks of obfuscated script, which is detected as JS_DLOADR.ALP (see Figure 1):

* hdOruVsHnKBXZuvtsRmw
* eMCeGjolMPJFNuucZWLk
* vIkytowORShQVZqTBFox

More: http://blog.trendmicro.com/

All feedback is good feedback

Jun23

by Robert McArdle (Senior Malware Researcher)

In our recently published white paper on Pushdo we noted that the malware used a certain string as part of its encryption routine.

Poshel-ka ti na hui drug aver

This string roughly translates to "Screw you my friend Aver" (well, it's actually a lot less polite than that, but you get the idea). We theorized that the word Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that this word could mean "AVer" (a slang term used mainly on English virus writing forums meaning AV researcher).

Doh!

This is not the first time that malware writers have left hidden messages that are only revealed during reverse engineering. My personal favorite was from a sample of the WORM_RINBOT family which included a message for a fellow AV researcher, after he assigned the name RINBOT to the malware family instead of the criminal gang's preferred name:

Dear Symantec:
For years I have longed for just one thing,
to make malware with just the right sting,
you detected my creation and got my domains killed,
but I will not stop,
I can rebuild.

P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.

More: http://blog.trendmicro.com/

Limited FakeAV's

Posted on June 23rd, 2009 by PrashantKumar


I have seen Fake Anti Virus software before. In fact, SophosLabs have been seeing them in various different forms, like 1 and 2.

What stood out about today's sample (Protection System) was how easily it seems to have been created. Virus names are stolen, messages and detection info are hard-coded, and even the website has the *same* virus names which are hard-coded into the malware. Here are some screenshots:

http://www.sophos.com/blogs/sophoslabs/

Anti-Malware-Malware!?!

Posted on June 22nd, 2009 by Pete, SophosLabs AU

Na

The end of an era?

Posted on June 22nd, 2009 by Dmitry Samosseiko, SophosLabs Canada

Alan Ralsky? His name is too familiar to the veterans of the anti-spam industry.

He was notorious for the "stock pump-n-dump" scam e-mails and was the #1 spammer on the SpamHaus's "The 10 Worst Spammers" list as early as November 2005:

Today, one of the world's first spam kings pleaded guilty "to charges of violating federal anti-spam laws by sending millions of emails in a stock-fraud scheme".

It's good to see anti-spam laws like the CAN-SPAM Act being put to use.

http://www.sophos.com/blogs/sophoslabs/

PWS-Banker.gen.bq.dr

Type: Trojan
SubType: Dropper

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Characteristics -

When this Trojan is executed, it drops the following files:

%System%\bekbn.dll (http://vil.nai.com/vil/content/v_160660.htm)
%System%\inform.dat
%System%\fkas

Note:

%System% is a variable location and refers to the Windows system directory.
This Trojan by itself doesn't create any startup registry entries, and hence doesn't execute on system startup.
The dropped DLL is registered as a BHO by the trojan.

It creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}

HKCR\CLSID\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}\InprocServer32

More: http://vil.nai.com/vil/content/v_143667.htm

Generic PWS.y!bb

Type: Trojan

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics -

It is registered as a BHO by trojan PWS-Banker.gen.bq.dr (http://vil.nai.com/vil/content/v_143667.htm)

It is capable of logging keystrokes and also capable of spreading via USB devices.

It creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{AC018590-FBBD-4789-A15B-FFBBBE6C8965}
StubPath = "rundll32 bekbn.dll,InitO"

More: http://vil.nai.com/vil/content/v_160660.htm
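The two McAfee writeups above describe the same persistence pair: a dropped DLL registered as a Browser Helper Object, and an Active Setup component whose StubPath launches it through rundll32. As an added example (not McAfee's code, not the forum poster's, and not part of either writeup), this PowerShell script inventories both locations on a host so an analyst can review them; the registry paths, CLSIDs and file names are the ones quoted in the writeups, while the function names, the flagging rules and the assumption of PowerShell 3.0 or later with read access to HKLM are mine.

```powershell
# Added example: audit BHO registrations and Active Setup StubPath entries.
# Key paths, CLSIDs and file names are taken from the two writeups above;
# function names and flagging rules are assumptions made for this example.

$bhoKey         = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$activeSetupKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$system32       = Join-Path $env:SystemRoot 'System32'

# Indicators quoted in the writeups. They are illustrations of what to look
# for, not a complete list; a real audit should review every entry returned.
$knownClsids = @('{10C0B0C0-FC01-473b-8EBB-4376353F96E4}',
                 '{AC018590-FBBD-4789-A15B-FFBBBE6C8965}')
$knownFiles  = @('bekbn.dll', 'inform.dat', 'fkas')

function Get-BhoInventory {
    # Each BHO is a CLSID subkey; the DLL Internet Explorer loads is the
    # default value of HKCR\CLSID\<clsid>\InprocServer32.
    if (-not (Test-Path $bhoKey)) { return @() }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        $leaf   = if ($dll) { Split-Path $dll -Leaf } else { $null }
        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            DllExists = if ($dll) { Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) } else { $false }
            # Flag a known CLSID, a known file name, or a BHO with no resolvable DLL
            # (a dangling registration is itself worth a look).
            Flagged   = ($knownClsids -contains $clsid) -or ($leaf -and ($knownFiles -contains $leaf)) -or (-not $dll)
        }
    }
}

function Get-ActiveSetupStubs {
    # Active Setup runs StubPath once per user at logon. A stub that calls
    # rundll32 on a file named in the writeups is the pattern described above.
    if (-not (Test-Path $activeSetupKey)) { return @() }
    Get-ChildItem $activeSetupKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if ($props.StubPath) {
            $stub = [string]$props.StubPath
            $hitsKnownFile = ($knownFiles | Where-Object { $stub -match [regex]::Escape($_) }).Count -gt 0
            [pscustomobject]@{
                Clsid    = $_.PSChildName
                StubPath = $stub
                Flagged  = ($knownClsids -contains $_.PSChildName) -or $hitsKnownFile
            }
        }
    }
}

function Get-DroppedFileStatus {
    # Check the System32 paths the dropper writes to, according to the writeup.
    foreach ($name in $knownFiles) {
        $path = Join-Path $system32 $name
        [pscustomobject]@{ Path = $path; Present = Test-Path $path }
    }
}

Write-Host '== Browser Helper Objects =='
Get-BhoInventory | Format-Table -AutoSize
Write-Host '== Active Setup entries matching the writeups =='
Get-ActiveSetupStubs | Where-Object Flagged | Format-Table -AutoSize
Write-Host '== Dropped file locations =='
Get-DroppedFileStatus | Format-Table -AutoSize
```

Run it from an elevated prompt if HKCR lookups fail for some CLSIDs. On 64-bit Windows the same two key names also exist under Wow6432Node for 32-bit components, which this script does not walk; add those paths if the host runs 32-bit Internet Explorer. Anything flagged should be confirmed against the file on disk (hash, signature, timestamps) before being treated as the sample described here.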

W32/Autorun.worm.fl
Troj/FakeAV-TY
Troj/FakeAV-TX
Troj/ExpPPT-F
Troj/Dwnldr-HTQ
Troj/Agent-KGU
Troj/Agent-KGT
