Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - March 19, 2009

by Marianna Schmudlach / March 18, 2009 2:31 PM PDT
by Marianna Schmudlach / March 18, 2009 2:46 PM PDT

Malware type: Trojan


This Trojan may be downloaded from remote site(s) by other malware. It may be downloaded by WORM_DOWNAD.AD to update itself.

It may also be downloaded unknowingly by a user when visiting malicious Web site(s).

This Trojan drops component file(s).

It checks the date and the Operating System (OS) version of the affected system. It runs and drops a file detected by Trend Micro as WORM_DOWNAD.AD in a temporary folder if the following conditions are met:

* Operating System is Windows XP and above
* System date is (year) 2009 or below, (month) March or below, and (day) 19 or below

As a result, malicious routines of dropped file are also exhibited on the affected system.

It then deletes the dropped file and itself after execution.
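The date/OS gate described in the alert above, written out as an added example (this is not code from the original post or from Trend Micro). It shows which clock values let the dropper stage its WORM_DOWNAD.AD component, and why a sandbox whose clock is past the gate only ever sees the file delete itself. Two assumptions are mine: the alert's wording is read literally as three independent field checks (year, month and day each compared on their own), and every function name below is hypothetical.

```python
"""Added example; not code from the original post or from Trend Micro.
Writes out the date/OS gate the alert describes so an analyst can see which
clock values make the dropper stage its payload.

Assumptions (mine, not the alert's): the post is read literally as three
independent field checks (year <= 2009, month <= 3, day <= 19); the function
names are hypothetical."""
from datetime import date, timedelta
from typing import List, Tuple

WINDOWS_XP = (5, 1)  # NT version of Windows XP; 2000 is 5.0, NT4 is 4.0


def os_is_xp_or_later(major: int, minor: int) -> bool:
    return (major, minor) >= WINDOWS_XP


def gate_fieldwise(d: date) -> bool:
    """The gate as the alert phrases it: each field compared on its own."""
    return d.year <= 2009 and d.month <= 3 and d.day <= 19


def gate_chronological(d: date) -> bool:
    """The reading an analyst might assume: any date up to 19 March 2009."""
    return d <= date(2009, 3, 19)


def will_stage_payload(major: int, minor: int, year: int, month: int, day: int,
                       literal: bool = True) -> bool:
    """True when the dropper would drop and run its WORM_DOWNAD.AD component."""
    gate = gate_fieldwise if literal else gate_chronological
    return os_is_xp_or_later(major, minor) and gate(date(year, month, day))


def disagreements(start: Tuple[int, int, int], end: Tuple[int, int, int]) -> List[date]:
    """Dates in [start, end] where the literal and chronological readings differ."""
    out = []
    d, last = date(*start), date(*end)
    while d <= last:
        if gate_fieldwise(d) != gate_chronological(d):
            out.append(d)
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    print(will_stage_payload(5, 1, 2009, 3, 19))   # XP, on the last gated day
    print(will_stage_payload(5, 1, 2009, 3, 20))   # one day later: payload never dropped
    print(will_stage_payload(5, 0, 2009, 3, 1))    # Windows 2000: OS check fails
    print(disagreements((2009, 1, 1), (2009, 3, 31)))
```

Read literally, the gate also refuses the 20th to 31st of January and February 2009, which a "before 19 March 2009" reading would accept; when detonating a sample like this, set the sandbox clock to a date that satisfies whichever reading the sample actually implements, or the run ends with the dropper deleting itself and no second-stage file to analyse.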


Skinny Guy Eats 53 Hot Dogs
by Marianna Schmudlach / March 19, 2009 1:51 AM PDT

Thursday, March 19, 2009

YouTube is once again being used as a lure to spread malware.

Some clown is sending out e-mails such as this:

Unlike most of the other similar cases, this one does not try to trick the user into downloading and installing a Flash "update".

Instead, if you follow the link, this one actually uses a Java applet (complete with a fake signature) to push a variant of Parite to the machines.

More: http://www.f-secure.com/weblog/

Note, you may need to turn off your Anti-Virus...
by Marianna Schmudlach / March 19, 2009 1:53 AM PDT

The YouTube video promoting a supposed Wii Points Generator, which we blogged about yesterday, has been removed due to terms of use violation.

What's more, the entire "ItunesGenerator" channel has been removed.


Today we took another look and found some more videos to flag.

This video links to a file called Nintendo_Wii_Points_v2.exe. Wait, what does it say underneath the tooltip?

More: http://www.f-secure.com/weblog/

Windows Trojan on Diebold ATMs
by Marianna Schmudlach / March 19, 2009 1:56 AM PDT

19 March 2009

Vanja Svajcer, a virus expert for Sophos, has reported his latest find in a blog entry: a Trojan that spies on PINs. The difference is that this example specialises in cash dispensers made by Diebold, which run Windows.

When Svajcer investigated rumours of malware on automated teller machines (ATMs) and specifically checked the Sophos malware database for samples referencing Diebold, the allegedly targeted ATM manufacturer, he struck oil with three files. Closer analysis then apparently revealed code using undocumented Diebold Agilis functions to address the magnetic-card reader and inject code into some of the ATM's processes.

More: http://www.h-online.com/security/Windows-Trojan-on-Diebold-ATMs--/news/112888

Cold call scam warns of virus infection
by Marianna Schmudlach / March 19, 2009 1:57 AM PDT

19 March 2009

Trading standards organisations are warning of a new cold call scam which attempts to get credit card numbers and other personal information from victims. The scam operates by calling people and telling them that their computer system is infected and that it will be "damaged beyond repair" in fifteen minutes unless they purchase security software and support from the caller.

Staffordshire County Council's warning (PDF) says that the callers claim to be from "www.supportonclick.co.uk", though they have reports of calls claiming to be from Microsoft. The warning says the sales pitch is "aggressive and persistent".

More: http://www.h-online.com/security/Cold-call-scam-warns-of-virus-infection--/news/112893

Generic Rootkit.g
by Marianna Schmudlach / March 19, 2009 2:26 AM PDT


Overview -

This is a component of an IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised machine and the attacker can perform the following actions on this infected machine:
Characteristics -

The following registry keys are created:

* HKLM\SYSTEM\CurrentControlSet\Services\msile\Description = "microsoft install le"
* HKLM\SYSTEM\CurrentControlSet\Services\msile\DisplayName = "microsoft install le"
* HKLM\SYSTEM\CurrentControlSet\Services\msile\ErrorControl = dword:00000000
* HKLM\SYSTEM\CurrentControlSet\Services\msile\ImagePath = "%Windows%\System\msile.exe"
* HKLM\SYSTEM\CurrentControlSet\Services\msile\ObjectName = "LocalSystem"
* HKLM\SYSTEM\CurrentControlSet\Services\msile\Start = dword:00000002
* HKLM\SYSTEM\CurrentControlSet\Services\msile\Type = dword:0000011

It drops the following file:

* %System32%\drivers\sysdrv32.sys

More: http://vil.nai.com/vil/content/v_143343.htm
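One way to check an offline registry export for the msile service values listed in the alert above, as an added example (not code from the McAfee write-up or from the forum post). It parses the .reg text that `reg export` writes and reports, value by value, whether the expected setting is present. Assumptions, all mine: the export has already been read into a string; the sample export is constructed for this example; the alert's "%Windows%" placeholder is taken to mean %SystemRoot%; the alert's truncated Type value is left out of the expected set; and ImagePath is shown as a plain quoted string, whereas a real export writes REG_EXPAND_SZ values as hex(2):..., which this parser leaves undecoded.

```python
"""Added example; not the McAfee write-up's code or the forum post's.
Parses a registry export (the .reg text written by `reg export`) and reports
which of the msile service values listed in the alert are present.

Assumptions (mine): the export is already a str; the sample below is
constructed; "%Windows%" is read as %SystemRoot%; the truncated Type value
is omitted; ImagePath is shown as a plain quoted string (a real export
writes REG_EXPAND_SZ as hex(2):..., left undecoded here)."""
import re
from typing import Dict, Tuple

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msile"

EXPECTED = {
    "Description": "microsoft install le",
    "DisplayName": "microsoft install le",
    "ErrorControl": 0,
    "ImagePath": r"%SystemRoot%\System\msile.exe",
    "ObjectName": "LocalSystem",
    "Start": 2,  # SERVICE_AUTO_START: starts with the machine, no logon needed
}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode_value(v: str) -> object:
    """Decode the value shapes this example needs; other types stay as text."""
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16)
    if len(v) >= 2 and v.startswith('"') and v.endswith('"'):
        # .reg escapes backslashes and quotes inside string values
        return v[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return v


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = _decode_value(m.group(2))
    return keys


def check_msile(export_text: str) -> Tuple[bool, Dict[str, str]]:
    """Return (service key present?, {value name: 'match' | 'differs' | 'missing'})."""
    key = parse_reg(export_text).get(SERVICE_KEY)
    if key is None:
        return False, {}
    report = {}
    for name, want in EXPECTED.items():
        if name not in key:
            report[name] = "missing"
        else:
            report[name] = "match" if key[name] == want else "differs"
    return True, report


# Constructed sample export for the example (not a real capture).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msile]
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="%SystemRoot%\\System\\msile.exe"
"DisplayName"="microsoft install le"
"ObjectName"="LocalSystem"
"Description"="microsoft install le"
'''

if __name__ == "__main__":
    present, report = check_msile(SAMPLE_EXPORT)
    print(present, report)
```

Two things the registry alone tells you: a service binary under %SystemRoot%\System (the legacy 16-bit directory, not System32) is unusual for anything Microsoft ships, and Start=2 with ObjectName=LocalSystem means the backdoor comes up at boot as SYSTEM before anyone logs on. The dropped driver, %System32%\drivers\sysdrv32.sys, is a file-system check rather than a registry one and is not covered by this parser.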

Not so lucky(sploit) mass defacements
by Marianna Schmudlach / March 19, 2009 2:28 AM PDT

19 March 2009

Over the past few months SophosLabs have been seeing a relatively new kit being used by attackers in drive-by downloads to infect victims with malware. The kit is known as LuckySploit, and in this blog I will take a brief look at it and what it currently is being used for.

It is a kit that enables attackers to construct malicious sites in order to hit victims with exploits and infect them with malware. Like many previous kits (Mpack, Firepack, Icepack, El Fiesta and the like), the pages it creates contain heavily obfuscated JavaScript in an attempt to evade detection and blocking. However, unlike previous kits, LuckySploit (or at least the recent version of it) also uses encryption.

Over the past few months numerous legitimate sites have been compromised with iframes whose purpose has been to load malicious content from various domains - mainly .cn - being controlled by criminals (also discussed by Danchev). Such compromised pages are being detected as Mal/Iframe-F.

More: http://www.sophos.com/security/blog/2009/03/3632.html
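A small scanner for the kind of injected iframe the post above describes, as an added example (it is not Sophos's code and is not how Mal/Iframe-F is detected). It collects every iframe on a page and flags the ones that pull content from a third-party host, use a .cn domain, are sized to zero or one pixel, or are hidden by their own style attribute. The sample page is constructed for the example, and the heuristics and thresholds are mine and will need tuning against real pages.

```python
"""Added example; not Sophos's code. Flags iframes with the traits the post
describes for compromised pages: off-site (often .cn) sources, zero-size
frames, frames hidden by style. Sample HTML is constructed; thresholds are
my own assumptions."""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

SUSPICIOUS_TLDS = {"cn"}  # the post names .cn; extend as needed
_ZERO = re.compile(r"^\s*(0+|1)\s*(px)?\s*$")  # "0", "1", "0px", "1px"
_HIDDEN_STYLE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d)", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def iframe_findings(html: str, page_host: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious iframe: its src and the reasons."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        reasons = []
        src = frame.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != page_host:
            reasons.append("third-party src")
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            reasons.append("suspicious tld")
        if _ZERO.match(frame.get("width", "x")) and _ZERO.match(frame.get("height", "x")):
            reasons.append("zero-size")
        if _HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page (not a real capture).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://ad-sync.example.cn/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<div style="position:absolute;left:-1000px;"><iframe src="http://198.51.100.7/counter.php" width=1 height=1></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for f in iframe_findings(SAMPLE_PAGE, "www.example.com"):
        print(f["src"], ", ".join(f["reasons"]))
```

The third frame in the sample is hidden by its parent div rather than by its own style, which this scanner does not see; it is caught only because it is 1x1. Anything injected by obfuscated script at run time, which is where a kit like this does most of its work, never appears in the static HTML at all, so treat this as a triage aid for compromised-site cleanup rather than as a detection for the kit itself.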

Natasha Richardson's death exploited by hackers
by Marianna Schmudlach / March 19, 2009 2:29 AM PDT

Cybercriminals don't waste any time these days jumping on the coat-tails of breaking news stories in their attempt to infect as many computer users as possible. This time it's the tragic death of award-winning English actress Natasha Richardson, who died yesterday after suffering head injuries in a skiing accident earlier in the week.

It appears that hackers are stuffing webpages with keywords - most likely scraping the content off legitimate news websites - in order to lure unwary surfers into visiting their dangerous sites and infecting their computers.

We've already seen a couple of compromised websites in Germany that are hosting content such as the following for example:

More: http://www.sophos.com/blogs/gc/

Comcast High Speed Internet - SPAM
by Marianna Schmudlach / March 19, 2009 3:51 AM PDT

Thursday, March 19, 2009

Just a quick note on a new spam run that's going on. It's from the same group that used Bank Of America as the lure late last week and Northern Bank on Monday.

Today it's Comcast and it might actually have a higher success rate than the previous run as users always want faster broadband, especially if there's no fee involved. And the page looks really convincing.

Once installed the malware does the same as in the other spam runs - steals data and sends it to Hong Kong.

More: http://www.f-secure.com/weblog/
