NOD32 and Virus News - Adware, Spyware and Trojans

Death of the Nothing Doing Worm

news@betterantivirus.com (Annette King) — Tue, 15 Jul 2008 15:06:00 -0600

We know, it's sad but true. Our last weeks super-star, the worm that does nothing, has slowly declined it's spread.

We've been following it's evolution, however it seems the last version only has one additional feature: it can update itself to the latest version. It does this by exploiting the adodb.stream vulnerability in Internet Explorer to download a file from several hosts which contain instructions on the location of the new version. Although BitDefender detects this e-threat since January under the name VBS.Worm.Runauto.E it has not changed ever since. Seems like it's development stopped at version 10.0.

Nevertheless, this weeks malware evolution hasn't stopped with our friendly worm. Next we will look at a worm called Win32.Antiman.N. If infected with it, the victim will surely be ridden of a certain genre of music called "manele". It searches the entire hard disk for most "manele" artists and and will delete them. Next it will add a lot of entries to the %windir%system32drivershosts file to block social networking websites, like hi5 and netlog, and many free download websites that provide this genre of music. It will also send itself to the whole Yahoo Messenger list using a set number of strings in Romanian language that state something like: I found a great new program for winamp (or for pictures).
Continue reading "Death of the Nothing Doing Worm"

E-mail allegedly from UPS delivers a computer virus

news@betterantivirus.com (Sean Cannon) — Tue, 15 Jul 2008 11:27:03 -0600

An e-mail informing recipients that they have a package that the United Parcel Service could not deliver is actually a new computer virus, company officials said.

The e-mail that appears to come from UPS contains an attachment that recipients are told to open in order to make arrangements to pick up their shipment, UPS officials said.

The attachment is actually a computer virus, the company said.

Continue reading "E-mail allegedly from UPS delivers a computer virus"

Virus attacks on 120 brokers' servers force DSE to halt trading

news@betterantivirus.com (Sean Cannon) — Thu, 10 Jul 2008 09:04:33 -0600

Massive virus attacks on over 120 brokerage houses' server systems yesterday forced the Dhaka Stock Exchange (DSE) to suspend stock trading for almost the whole day.

Till filing of this report at 9 pm yesterday, DSE teams were working to get the systems restored. They were using anti-virus software Kaspersky to clean the infected servers .

DSE Chief Executive Officer said an investigation will be launched to find out whether the virus attack was an act of any organised crime.

Trading meanwhile took place on the premier bourse for only one hour at the later part of the day.

Continue reading "Virus attacks on 120 brokers' servers force DSE to halt trading"

Watch Out for an IE Zero-Day Attack

news@betterantivirus.com (Sean Cannon) — Wed, 09 Jul 2008 10:59:00 -0600

There's no fix yet available for the latest attack against Microsoft's browser.

Microsoft yesterday warned of a new attack underway against a flaw in the ActiveX control for the Snapshot Viewer for Microsoft Access, used by IE. There is not yet any patch available for the zero-day security hole, and the attacks likely focus on business targets.

In its security advisory, Redmond says the vulnerable control installs with "all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer." A poisoned Web page that exploits the hole could surreptitiously download malware to a victim PC.
Continue reading "Watch Out for an IE Zero-Day Attack"

Malware scenario: Third World War has begun

news@betterantivirus.com (Sean Cannon) — Wed, 09 Jul 2008 09:05:53 -0600

Sophos is warning of an attempt by hackers to infect computers using the camouflage of a news report claiming that the USA has invaded Iran. Widely spammed out emails with subject lines including "Third World War has begun", "20000 US Soldiers in Iran", and "US Army crossed Iran's borders" have been intercepted by Sophos.

The emails contain links to a malicious webpage that displays what appears to be a video player showing the mushroom cloud of a nuclear explosion with the following text beneath:

Continue reading "Malware scenario: Third World War has begun"

Storm gang uses 4 July fireworks to spread Trojan

news@betterantivirus.com (Sean Cannon) — Tue, 08 Jul 2008 16:31:00 -0600

A widespread malicious e-mail spam campaign used the guise of the 4 July American Independence Day celebrations last week.

Using the promise of an impressive video clip of fireworks, the spam was designed to steal users' private data, including online banking details.

The attack was the latest from the gang behind the Dorf malware, also known as the Storm worm, reported anti-virus software firm Sophos.

Continue reading "Storm gang uses 4 July fireworks to spread Trojan"

E-hijackers make a killing with 'ransomware'

news@betterantivirus.com (Annette King) — Tue, 08 Jul 2008 14:30:00 -0600

Name and Fame were once the driving factors for writing viruses, but thats not what drives virus authors of today. Now, its all about money and the present generations of malware authors are finding new ways to indulge in cyber crime.

From installing adware and spyware programmes, to spam and phishing or extortion of internet websites with denial of service attacks, cyber criminals are now targeting home consumers with Ransomware.

Just like criminals who kidnap your loved ones and then demand a ransom to return them unharmed , ransomware is an extortion scheme whereby cyber criminals hijack data files on a victims computer and then demand a ransom to get back the files in their original condition.

Important documents and image files on the victims computer are encrypted and held to ransom until the victim agrees to the attackers demands.

Ransomware programmes may also try to embarrass or scare their victims to get them to comply quickly, using dirty tactics like displaying pornographic images and threatening to expose them for possession of such material on their computer.

Continue reading "E-hijackers make a killing with 'ransomware'"

Microsoft Offers Bug Workaround for ActiveX Exploit

news@betterantivirus.com (Annette King) — Tue, 08 Jul 2008 11:21:14 -0600

Microsoft Relevant Products/Services on Monday issued a security advisory to warn users about attacks targeting a vulnerability in the ActiveX control for the Snapshot Viewer in the Microsoft Access database management system.

Microsoft said it is investigating active, targeted attacks. "When a user views the Web page, the vulnerability could allow remote code execution," Microsoft said in its security advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."

The ActiveX control for the Snapshot Viewer enables users to view a Microsoft Access report snapshot without having the standard or run-time versions of Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

Continue reading "Microsoft Offers Bug Workaround for ActiveX Exploit"

Trojan lurks, waiting to steal admin passwords

news@betterantivirus.com (Sean Cannon) — Tue, 08 Jul 2008 09:14:51 -0600

Coreflood uses Microsoft admin tool to infect corporate networks, security firm says

Writers of a password-stealing Trojan horse program have found that a little patience can lead to a lot of infections.

They have managed to infect hundreds of thousands of computers, including more than 14,000 within one unnamed global hotel chain, by waiting for system administrators to log onto infected PCs and then using a Microsoft administration tool to spread their malicious software throughout the network.

Continue reading "Trojan lurks, waiting to steal admin passwords"

Trojan lurks, waiting to steal admin passwords

news@betterantivirus.com (Annette King) — Mon, 07 Jul 2008 21:15:00 -0600

Writers of a password-stealing Trojan horse program have found that a little patience can lead to a lot of infections.

They have managed to infect hundreds of thousands of computers, including more than 14,000 within one unnamed global hotel chain, by waiting for system administrators to log onto infected PCs and then using a Microsoft administration tool to spread their malicious software throughout the network.

The criminals behind the Coreflood Trojan are using the software to steal banking and brokerage account usernames and passwords. They've amassed a 50GB database of this information from the machines they've infected, according to Joe Stewart, director of malware research at security vendor SecureWorks Inc.

"They've been able to spread throughout entire enterprises," he said. "That's something you rarely see these days."

Continue reading "Trojan lurks, waiting to steal admin passwords"

Trojans stop play for web gamers

news@betterantivirus.com (Annette King) — Fri, 04 Jul 2008 14:30:00 -0600

Malware aimed at online gamers posed the most serious online security threat in June, a security firm reported today.

ESET found that 13.29 per cent of malware detections from a sample of over 10 million systems worldwide were classified as 'Win32/PSW.OnLineGames'.

Although this figure is significantly down from last month's 18 per cent, ESET warned that this "does not necessarily" mean a drop in the number of infections.

Win32/PSW.OnLineGames is a family of Trojans with key-logging and rootkit capabilities that gathers information relating to online gaming.

Continue reading "Trojans stop play for web gamers"

A Worm That Does Nothing

news@betterantivirus.com (Annette King) — Thu, 03 Jul 2008 13:27:55 -0600

A Worm That Does Nothing

This weeks e-threats activity was pretty odd. We have proxy servers, trojans, patchers and the one that beats them all, a worm that does nothing but spread.

Trojan.Asprox.F
Upon execution this trojan installs itself in the Windows directory and executes at startup as a system process. It's function is that of a proxy server. It listens for connections on TCP ports 80 and 82. It is spreading through compromised websites which make use of the ADODB Javascript exploit that downloads the Trojan on your computer without any interaction. The websites themselves are cracked using SQL Injection exploits. The ugly thing about this is that whenever you visit a website like this you get infected simply by browsing it, if you are using Internet Explorer that is. The Javascript exploit is harmless on other browsers, it will just increase the loading time of the page.

It seems that a lot of effort is being put into spreading this proxy, so the intentions behind it are probably serious cracking and spamming attempts.

VBS.Worm.Runauto.A
It's the strangest thing nowadays. This worm seems not to have any destructive intention. It is only spreading. We say it's strange because usually no more malware is out there without having a negative effect on the victims PC, be it downloading other applications, infecting or deleting files, running backdoors and rootkits, you name it. It uses the most basic hiding methods, merely setting hidden and read only attributes on its own file(s). It also copies itself into your windows and windowssystem32 directories and adds some registry entries to run on system startup. It is spreading through removable drives and uses autorun.inf files to execute itself.

NOTE: We at Computer Security Solutions are leary of this worm. If your NOD32 detectes it, click to remove, report or repair. If NOD32 is unable to do so, boot into safe mode and run a full scan. We suspect the author of this worm may be setting the groundwork for a future attack or to plant infections on your computer.

Trojan.Qhost.AKR
This threat patches the BitDefender products (Internet Security 2008, Total Security 2008 and Antivirus Plus 2008). It has a nicely built user interface and detailed instructions on how to use it. At some point you are requested to push a button that will add an entry to your system32driversetchosts file. It will set the BitDefender update server (update.bitdefender.com) to localhost (127.0.01). It seems this Trojans purpose is to render the BitDefender products update service unusable so it will not detect new threats anymore.

Original Story

Web threats hit 12-month high

news@betterantivirus.com (Annette King) — Wed, 02 Jul 2008 14:28:00 -0600

The number of new malicious websites rose by 58 per cent in June to its highest level since April 2007, security experts warned today.

The latest MessageLabs Intelligence Report attributed the rise to a jump in the number of spyware and adware sites being blocked.

"Web-based malware has become a dangerous tool in the arsenal of cyber-criminals," said Mark Sunner, chief security analyst at MessageLabs.

"The bad guys know that web-borne attacks are uncharted territory for many computer users and are taking advantage of this in addition to vulnerabilities and weak security in web applications."

Sunner added that businesses that allow employee access to any website, and sites with webmail accounts that have not been scanned by corporate security systems, are at particular risk.

Continue reading "Web threats hit 12-month high"

Author of peer-to-peer computer virus captured

news@betterantivirus.com (Annette King) — Tue, 01 Jul 2008 15:42:00 -0600

Milmont said in an e-mail exchange tonight that he has suffered from a brain tumor from an early age that was discovered when he was 16, around when he began work on the virus.

"It is obvious to me and my family that this greatly affected my mental, physical and emotional state," Milmont wrote. "Most of the illegal activity took place before I was 18, and I wouldn't do it today."

Federal authorities say they have captured the author of an innovative computer virus that infected as many as 15,000 PCs last year.

Jason Michael Milmont, 19, agreed to plead guilty (you can download a PDF of the plea agreement here) in his hometown of Cheyenne, Wyo., to a federal felony charge of unauthorized access to a computer to further a fraud, according to court documents. He reached the deal with prosecutors in Los Angeles and could face as many as five years in prison.

Continue reading "Author of peer-to-peer computer virus captured"

Google among top malware offenders

news@betterantivirus.com (Sean Cannon) — Tue, 01 Jul 2008 09:45:19 -0600

NEW DELHI: This is one ranking Google could have done without. According to a recent report by Internet consumer advocacy group Stopbadware.org, Google is one of the top five networks responsible for hosting dangerous websites.

The study describes "badware" as "spyware, malware and deceptive adware."

Google recorded some 213,575 individual websites, till May this year, which StopBadware then mapped to IP addresses.

Continue reading "Google among top malware offenders"

NOD32 and Virus News - Adware, Spyware and Trojans

Death of the Nothing Doing Worm

E-mail allegedly from UPS delivers a computer virus

Virus attacks on 120 brokers' servers force DSE to halt trading

Watch Out for an IE Zero-Day Attack

Malware scenario: Third World War has begun

Storm gang uses 4 July fireworks to spread Trojan

E-hijackers make a killing with 'ransomware'

Microsoft Offers Bug Workaround for ActiveX Exploit

Trojan lurks, waiting to steal admin passwords

Trojan lurks, waiting to steal admin passwords

Trojans stop play for web gamers

A Worm That Does Nothing

Web threats hit 12-month high

Author of peer-to-peer computer virus captured

Google among top malware offenders

Storm gang uses 4 July fireworks to spread Trojan