MVP Jubo Security Blog : Latest Virus Threats

An Online ticket?!?

jubo — Mon, 22 Sep 2008 14:28:00 GMT

What a surprise... This morning I was happily working at the office, hhmm... okay, from home..., when Outlook notified me that I had received an email. When I checked it was from an unknown company USA3000 Airlines. When I read the email they even had a ticket for me and had charged the credit card for $646.27. I thought, that should be at least a ticket to fly across the pond. Well, could have been a surprise from my wife since she's visiting family in the USA. But no, I unzipped the file and there was a file called: "eTicket.doc.exe" and... not detected by McAfee's antivirus program... yet... Submitted the file to VirusTotal and you can find the result here.

Then I also submitted the file to McAfee's WebImmune and they found a "new detection" and named it "spy-agent.bw". Not really a new one but a new variant. Not long after that I received an "Extra.dat" file from AvertLabs for some extra protection. See also McAfee's Avert Labs Blog: Invoice Spam Takes Flight

No e-ticket for me this morning... but the computer is still safe. Now I only wonder how it came through the company's security. They run Symantec stuff...

Olympic attachment?

jubo — Fri, 08 Aug 2008 06:36:33 GMT

Not only the Olympic games have started, but also the malware games related to the Olympics. One of the latest is that if you receive an attachment named as: "ioc_guidelines_for_persons_accredited_at_the_xxix_olympiad.pdf" then delete this immediately. If you open it then it could execute a malicious JavaScript that exploits a patched Adobe Reader vulnerability. And it follows to install a backdoor detected as BackDoor-DMG.

McAfee has named this one: "Exploit-PDF.b"; for more detailed information about it check this article: Exploit-PDF.b.

Aliases:

EXPL_PIDIEF.O (TrendMicro)
Trojan.Pidief.C (Symantec)

If you do not have Adobe Reader version 9 installed, then you can download it from the Adobe Download. Unfortunately it comes with Adobe AIR, which you can uninstall through Windows "Add/Remove Programs". Also, during the installation process you might want to uncheck the option to install the Google toolbar.

Mass Hack Attack

jubo — Fri, 14 Mar 2008 07:31:47 GMT

Really cool video at the McAfee's Avert Labs blog site about the latest mass hack attack at phpBB web sites. See how it looks like from an end user's perspective: Mass Hack Attack.

Source: McAfee Avert Labs Blog.

Email with subject: "Israel Just Have Started World War III"

jubo — Tue, 10 Apr 2007 09:08:00 GMT

Late last night I found a strange email in my email Inbox; from a person I didn't know. It even had an attachment called: "News.exe". I could even save it to my hard drive without any antivirus program jumping up. Decided to submit it to McAfee's Avert Labs and a few minutes later I received the following results:

(Click the Image for a larger view)

It shows you that DAT version 5004 didn't detect this "Nuwar" virus, but they already had an "Extra.dat" available, which detect this virus. Hopefully this "Extra.dat" is included in today's DAT update.

Then I also submitted the "News.exe" file to VirusTotal to see if any of the other antivirus vendors would find the virus. See this screen shot for their results:

(Click the image for a larger view)

Even though many of the antivirus vendors found the virus some of the bigger comapnies, like Sophos, Microsoft, McAfee and Panda didn't find the virus.

If you get an email from an unknown person with a subject like:

Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 10000 Iranian citizens
Missle Strike: The USA kills more then 20000 Iranian citizens
USA Missle Strike: Iran War just have started
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III
USA Declares War on Iran

and it has an attachment like:

More.exe
Read More.exe
Click Here.exe
Click Me.exe
Read Me.exe
Movie.exe
News.exe
Video.exe

then delete the email immediately and make sure you have an up-to-date antivirus signature files.

And since this is "patch tuesday" also make sure your version of Windows is patched and has all the updates. If you don't have the automatic updates enabled then check it at Microsoft Update.

For more information about this virus see McAfee's writeup: W32/Nuwar.

McAfee added detection for fake IE7

jubo — Sat, 31 Mar 2007 06:30:00 GMT

McAfee has added detection for the fake IE7 email. See their writeup: W32/Grum. You need at least DAT version 4996. So check if your version of McAfee is up-to-date.

For Symantec see: W32.Grum.A

Beware of fake IE7 Beta email

jubo — Fri, 30 Mar 2007 12:35:00 GMT

There's a email out there, which says that it is coming from admin@microsoft with an attachment called: "IE7.0.exe". The subject of this email is: "Internet Explorer 7 Downloads" and it shows you an image of an IE7 Beta 2 download. Do NOT click on this image! If you do you are offered to download a trojan.

Two reasons why you should know this email is fake:

Microsoft NEVER sends out updates or downloads by email.
IE7 has been released and there's no Beta program anymore.

A screenshot of the email can be found at the Sunbelt Blog.

F-Secure detects the file as: Virus.Win32.Grum.A.

BootMerlin virus

jubo — Thu, 22 Feb 2007 21:09:00 GMT

This is a virus written in MS VisualBasic that modifies the C:\Boot.ini file to display a Spanish message at boot time:

Upon execution, it can also be displaying a Wizard animation "speaking" in the Spanish language:

W32/BootMerlin can make copies of itself bearing the MS Word icon, in the following location(s):

%Windir%\System\csrss.exe
%Windir%\System32\dllcache\G-Vulcan-III.exe
X:\Recuerda que te quiero.exe
X:\LINEAS TELEFONICAS SIJIN VIEJA.exe
X:\PODER SALDARRIAGA1.exe
X:\SOLICITUD A MI GENERAL.exe
X:\SEGURO BTA EQUIPOS.exe
X:\CURSO CONSTITUCIONAL.copia.exe

(Where X: are the drive letter(s) used on the infected machine; %Windir% is the Windows folder, e.g. C:\Windows. A legitimate copy of csrss.exe may reside in %Windir%\System32 which is a part of the Windows operating system)

It installs the following registry key(s) to start at Windows boot up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "WinSound" = "%Windir%\System\csrss.exe"

The C:\Boot.ini should be restored manually to the original settings (see removal section).

Method of infection: W32/BootMerlin is a worm that can make copies of itself over mounted network drives. It may infected other systems using the same network drives.

Removal: This virus can C:\boot.ini to display anti-MS Windows messages in Spanish. These messages can be removed using a text editor, for example:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="AUN Usas Windows..?"/fastdetect

edit it to become:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="{your original operating system name}" /fastdetect {your original boot up options where applicable}

Do not modify any other parts of the C:\boot.ini file. Also check under My Computer->Properties->Advanced->Startup and Recovery Settings that It is pointing to the default operating system that was originally configured for.

Source: McAfee Virus Library

Be aware for Valentine Day's e-greetings emails!

jubo — Sat, 10 Feb 2007 17:18:00 GMT

If you receive emails with variable subjects such as: "Together You and I, Everyone Needs Someone or Cyber Love, then delete them immediately. They're ususally sent by a female using different names. The attached file that contains the worm is an executable file with names such as flash postcard.exe or greeting postcard.exe.

According to Pandalabs, this virus is spreading rapidly and they have named it: Nurech.A. Other malicious codes currently infecting users include Nuwar.D. This worm arrives in messages with subjects like “5 reasons I love you” or “A kiss for you”.

See for more information: ORANGE VIRUS ALERT The Nurech.A worm spreads rapidly, infecting hundreds of computers and Valentine’s Day: a powerful lure for spreading malware.

Symantec calls it: Trojan.Peacomm, aka "Storm Trojan".

I think I just stick with AmericanGreetings...

Critical 0-Day Internet Explorer Exploit Discovered In The Wild

jubo — Wed, 20 Sep 2006 10:14:00 GMT

A lot of web sites are already talking about it. There's a critical 0-day exploit discovered in the wild for Internet Explorer. According to the Microsoft TechNet web site, it's a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML).

Microsoft is aware of the issue and will have a security update to address this vulnerability ready on Tuesday, October 10, 2006 or sooner depending on customers needs.

More information at:

For Windows Live OneCare users, if your current status is green then you're already protected from malware that uses this vulnerability. All other users, please keep your antivirus software up to date.

Microsoft word document spam

jubo — Tue, 05 Sep 2006 19:10:00 GMT

McAfee Avert Labs has recently seen spammers start to use Microsoft Word documents and HTML attachments to deliver their advertising payload. By moving the advertising content, most importantly the URL link, into an attached document rather than the body of the email message, spammers are able to evade some of the Anti-Spam vendors’ content filtering techniques. This is because most vendors don’t scan content inside attachments because this has previously not been necessary.

Microsoft Word is a convenient format because it supports clickable links and most recipients will have Word installed or would be able to open the document with another compatible word processor.

The spammer is varying the attachment file name, email body text and subject in nearly every batch of the messages sent, for example:

Subject: Billing Update, Bill #90023
Forward original invoice with attached invoice transmittal sheet to the contracting officer.
DATED MATERIAL,INVOICE ATTACHED

Subject: Your receipt for Invoice #25826
Credit memo attached to deleted payment receipt cannot be applied to different invoice.
Software order has a Related invoice attached with prepayment information.

And other subjects. The conclusion, according to Avert Labs, is that to keep up with this, Anti-Spam vendors may need to add attachment scanning to their solutions, which would require additional processing power on customers email servers. In addition, the attachments mean spam is getting bigger. The messages in the current campaign are only 35k in size, but Word documents are well known for growing very quickly in size. A rise in document spam would mean recipients’ mailboxes and servers clog up faster, worsening the burden that spam puts on us all.

For more information and screen shots about this, check the Avert Labs blog.

Santa IM Worm Installs Rootkit Payload

jubo — Thu, 22 Dec 2005 10:09:00 GMT

A new Christmas-themed worm attack is underway, delivering an offensive rootkit payload over the AOL, MSN, Windows Messenger, ICQ and Yahoo instant messaging networks.

The worm, identified as IM.GiftCom.All, was discovered by researchers at IMLogic Inc.'s Threat Center spreading via IM and attempting to trick users into clicking on a malicious URL.

The link lures the target into visiting a harmless Santa Claus Web site, but actually installs a rootkit payload to the victim's machine, IMLogic said in an advisory.

"The rootkit payload is often named gift.com and when executed hides itself on the user's system, attempts to shutdown desktop anti-virus software and starts collecting the infected user's information for broadcast over the Internet," the company explained.

Source and full article: eWeek.com
See also: Messenging users, keep away from "Santa Claus"

Latest Virus Threat: Zafi.D

jubo — Thu, 16 Dec 2004 11:54:00 GMT

Zafi.D

Aliases:

Email-Worm.Win32.Zafi.d
Nocard.A@mm
W32.Erkez.D@mm
W32/Zafi-D
W32/Zafi.D.worm
W32/Zafi.d@MM
Win32.Zafi.D
Win32.Zafi.D!ZIP
Win32/Zafi.D.Worm
WORM_ZAFI.D
Zafi.D

F-SECURE

Zafi.D
Description:
A new variant of Zafi worm - Zafi.D is spreading. While the original Zafi.A uses only Hungarian, the new Zafi.D spreads in email in English, Italian, Spanish, Russian, Swedish and several other languages.

NETWORK ASSOCIATES

W32/Zafi.d@MM
Description:
The risk assessment of this threat was raised to Medium due to increased prevalence. The 4414 DATs were released early for this threat.

SOPHOS

W32/Zafi-D
Description:

COMPUTER ASSOCIATES

Win32.Zafi.D
Description:
Win32.Zafi.D is a worm that spreads via e-mail and peer-to-peer file sharing. It has been distributed as a 11,745-byte, FSG-packed Windows executable, which may be inside a ZIP archive. When run, Zafi.D displays a simulated error message

PANDA ANTIVIRUS

Zafi.D
Description:
It opens the port 8181, waits for a file to be transferred through it, and executes this file.

SYMANTEC

W32.Erkez.D@mm
Description:
W32.Erkez.D@mm is a mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer.

TREND MICRO

WORM_ZAFI.D
Description:
As of December 14, 2004 8:13 AM (PST), TrendLabs has declared a MEDIUM risk virus alert to control the spread of this mass-mailing worm. It has been found spreading in Germany, France, and Spain.

Source: Secunia

MyDoom seeks to destroy antivirus firms

jubo — Tue, 19 Oct 2004 11:55:00 GMT

Antivirus companies are perplexed by a spate of recent viruses that contain messages in which the writers threaten to attack them.

Worm writers are threatening to attack antivirus companies F-Secure, Symantec, Trend Micro and McAfee.
In the latest version of MyDoom--MyDoom.AE--the authors embedded a message ridiculing rival worm Netsky and promising to attack the antivirus companies.

The message has left antivirus companies unsure of what to expect.

"It remains to be seen what they mean by threatening to attack us," said Mikko Hypponen, director of antivirus research for F-Secure. "That might mean a denial-of-service attack. We've been a target before, but they haven't tried any recently."

Full article: ZDNet

W32/Zafi.b@MM

jubo — Sat, 12 Jun 2004 13:56:00 GMT

W32/Zafi.b@MM (McAfee/NAI)

Virus Characteristics:
This is a mass-mailing worm that constructs messages using its own SMTP engine, spoofing the From: address. It also attempts to propagate via P2P, via copying itself to folders on the local system (containing "share" or "upload" in the folder name).
While the original Zafi.A uses only Hungarian, the new Zafi.B spreads in email in English, Italian, Spanish, Russian, Swedish etc.

Installation
When executed, the worm copies itself twice to the %windir%\system32 folder using a random name and .EXE and .DLL extension.

Example:

C:\WINNT\system32\jrbtgmqi.exe
C:\WINNT\system32\enfrbatm.dll

For McAfee the minimum DAT file: 4366, which will be released on: 06/16/2004. However, detection and removal is included in their DAILY DAT (beta) files, which can be downloaded from their DAT File Updates website.

Other links:
CA: Win32.Zafi.B
Sophos: W32/Zafi-B
F-Secure: Zafi.B
Symantec: W32.Erkez.B@mm
TrendMicro: PE_ZAFI.B

The Korgo Family

jubo — Mon, 31 May 2004 15:31:00 GMT

W32.Korgo is a worm that spreads via the Internet by exploiting the LSASS vulnerability, as described in Microsoft Security Bulletin MS04-011, in remote computers. This vulnerability is critical for Windows XP/2000 operating systems that are not properly updated.

W32.Korgo listens to the TCP ports 113, 3067 and 2041 and connects to several IRC servers through the port 6667.

The Korgo Family

McAfee	Panda	Symantec	TrendMicro
	Korgo.A	W32.Korgo.A	WORM_KORGO.A
W32/Korgo.worm.b	Korgo.B	W32.Korgo.B	WORM_KORGO.B
	Korgo.C	W32.Korgo.C	WORM_KORGO.C
		W32.Korgo.D
		W32.Korgo.E
		W32.Korgo.F
W32/Korgo.worm.f		W32.Korgo.F	WORM_KORGO.F