Friday, September 11, 2009

Virus: TR/Drop.Agent.agla - Trojan

Date discovered: 26/02/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: High
Static file: Yes
File size: 172,207 Bytes

GENERAL
Aliases:
• Symantec: W32.SillyFDC
• Sophos: Mal/Generic-A
• Panda: W32/Lineage.KYR
• Eset: Win32/PSW.OnLineGames.NNU

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads files
• Drops malicious files
• Registry modification

FILES
It copies itself to the following locations:
• %SYSDIR%\kva8wr.exe
• %drive%\jbele1.com

It renames the following files:
• %malware execution directory% into c:\%existing file or directory%.vcd

It deletes the initially executed copy of itself.

It deletes the following file:
• %SYSDIR%\drivers\cdaudio.sys

It may corrupt the following file:
• %SYSDIR%\drivers\cdaudio.sys

The following files are created:
– %drive%\autorun.inf This is a plain text file (not executable by itself) with the following content:
• %code that runs malware%
On drives where AutoRun is enabled, this file makes Windows launch the dropped malware copy when the drive is inserted or opened.
– %SYSDIR%\drivers\klif.sys Further investigation pointed out that this file is malware, too. Detected as: Rkit/Agent.4160
(The file name klif.sys and the KAVsys service name below mimic Kaspersky Anti-Virus components; do not judge a driver legitimate by its name alone.)
– %SYSDIR%\bgotrtu0.dll Detected as: TR/Vundo
– %SYSDIR%\uweyiwe0.dll Detected as: TR/Crypt.XPACK.Gen
– %drive%\lot.exe
– %SYSDIR%\ahnfgss0.dll
– %SYSDIR%\ahnsbsb.exe
– %SYSDIR%\ahnxsds0.dll

It tries to download some files:
– The location is the following:
• http://hjkio.com/xhg2/**********
– The location is the following:
• http://kioytrfd.com/xhg2/**********

REGISTRY
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "kvasoft"="%SYSDIR%\kva8wr.exe"

The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\KAVsys]
• "Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="\??\%SYSDIR%\drivers\klif.sys"
"DisplayName"="KAVsys"

The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• "NoDriveTypeAutoRun"=dword:00000091
(0x91 disables AutoRun only for unknown and network drive types; removable, fixed and CD-ROM drives keep it, so the dropped autorun.inf runs when such a drive is inserted or opened. A value of 0xFF disables AutoRun for every drive type.)
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:00000000
(Selecting "Show hidden files and folders" in Folder Options no longer takes effect.)
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• "ShowSuperHidden"=dword:00000001
"Hidden"=dword:00000002
(Hidden=2 means "do not show hidden files and folders", which keeps the dropped files out of sight in Explorer.)

ROOTKIT TECHNOLOGY
Hides the following:
– Its own process
Method used:
• Hidden from Master File Table (MFT)
• Hidden from Windows API
• Hidden from Interrupt Descriptor Table (IDT)
____________________________________________

Avira AntiVir Free

Tuesday, September 1, 2009

Win32:Frethem

Win32:Frethem is an Internet worm which spreads via email. It uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics:

Subject: Re: Your password!
Message body:
ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel
Attachment: Decrypt-password.exe and Password.txt

When this worm is executed, it does the following: it copies itself to the file %windir%\Taskbar.exe (please note: %windir% is a variable; the worm locates the Windows main installation folder, by default C:\Windows or C:\Winnt, and copies itself there). It then configures itself to start when Windows starts by adding the value:
Task Bar %windir%\Taskbar.exe
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The worm then obtains email addresses from the Microsoft Windows Address Book and from .dbx, .wab, .mbx, .eml, and .mdb files, and sends itself to those addresses. The message it sends uses both an IFRAME exploit and a MIME-header exploit in the Internet Explorer rendering engine used by Outlook Express, which allow the attachment to be executed when the message is read or merely previewed. Microsoft published information and a patch for the MIME exploit; on a patched client the attachment no longer runs automatically, but a user can still launch it by hand.

After sleeping for several hours, the worm copies itself to C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe so that it is executed each time that you start Windows.

This worm exists in several variants, but none of them carries a destructive payload.


Wednesday, July 1, 2009

Virus: Win32:Ganda

Win32:Ganda is an Internet worm which uses social engineering to trick users into running the infected mail attachment. It also tries to suspend several antivirus and security programs, such as personal firewalls, on the infected computer. It modifies executable files (.exe and .scr extensions) by adding a routine that launches Ganda from a separate file. It spreads through e-mail. Some of the infected mails use the "IFRAME vulnerability" of MS Internet Explorer to launch the mail attachment without user intervention. The worm creates the following files on the infected computer:

%WINDOWS%\scandisk.exe
%WINDOWS%\[8 random characters a-z].exe
%WINDOWS%\tmpworm.exe

In the registry, the worm creates inside the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run the following item:
ScanDisk=%WINDOWS%\SCANDISK.exe

The worm is launched from the registry at every computer start. Apart from this, it may also be launched from the modified executables: it appends to executable files a code stub that starts the worm's own copy in the %WINDOWS% folder. The size of a modified file increases by 567 bytes.

Note: %WINDOWS% is the folder where the Windows system is installed. It is usually "C:\Windows" on Windows 95, 98 or ME, or "C:\WinNT" on Windows NT, 2000 or XP. Those folder names are the defaults, but the user can choose any other name when installing Windows.

The worm tries to suspend running processes and services whose names contain any of the following strings:

f-secure, firewall, kaspersky, mcafee, norton, pc-cillin, sophos, symantec, trend micro, virus

The worm spreads through email to addresses it finds in the Windows Address Book or in files with .dbx, .eml or .htm extensions. Infected mails are either in English or in Swedish, depending on the system language of the infected computer. The infected mail has the following features: the subject line is either empty, or it is one of the following phrases (in the English version):

  • Catlover
  • Disgusting propaganda
  • DISKRIMINERAD !!!!
  • GO USA !!!!
  • G.W Bush animation
  • Is USA a UFO?
  • Is USA always number one?
  • LINUX
  • Nazi propaganda?
  • Screensaver advice
  • Spy pics

The attachment is 45056 bytes in size, with a random 2-letter name and the .scr extension.

The worm fakes the sender address. It chooses the message body at random from 10 messages, in either English or Swedish.

Avast Viruses Info

Friday, June 26, 2009

Virus: Gumblar.cn

The attackers behind a series of rapidly spreading Web site compromises have begun using a new domain to deliver their malicious code, security experts say.

The attacks, collectively referred to as "Gumblar" by ScanSafe and "Troj/JSRedir-R" by Sophos, grew 188 percent over the course of a week, ScanSafe said late last week. The Gumblar infections accounted for 42 percent of all infections found on Web sites last week, Sophos said.

Over the weekend, the Chinese Web domain used to deliver the malicious code--gumblar.cn--stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in Web pages. The attacks' malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an advisory.

"They have slightly modified the script and now inject a new version that loads malicious content from a new domain," Unmask Parasites said.

Changes to the script make it more difficult to identify and help it evade detection by the Google Chrome browser, Unmask Parasites said.

Gumblar was first detected in March and has spread more quickly since then, against the expectations of security experts.

"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," ScanSafe senior security researcher Mary Landesman, said late last week in an advisory.

In the Gumblar attacks, the opposite is occurring, partly because Web site administrators themselves are affected by the attacks as they try to address the problem, ScanSafe said.

Sites affected include Tennis.com, Variety.com, and Coldwellbanker.com, according to ScanSafe.

The attacks were carried out in multiple stages, beginning in March, when a number of Web sites were compromised and attack code embedded within them, ScanSafe said.

Then, in early May, as Web site operators began to clean up their sites, the attackers replaced the original malicious code with dynamically generated and heavily obfuscated JavaScript, meaning that the scripts change from page to page and are difficult for security tools to spot.

The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.

They also search the victim's system for FTP credentials that can be used to compromise further Web sites, the company said.

The malicious code embedded on a user's system was previously downloaded from gumblar.cn, a Chinese domain associated with Russian and Latvian IP addresses, delivering code from servers based in the U.K., according to ScanSafe. That domain has now changed to martuz.cn.

Matthew Broersma of ZDNet UK reported from London.

More about "Gumblar"

Sunday, May 31, 2009

Free Antivirus : a-squared Free 4.5.0.1 (Latest Version)

Security must not be a privilege. Under this motto, Emsi Software provides the malware scanner a-squared Free completely free of charge for private use. It is not a crippled version but a full tool to clean your computer of malware: not only the spyware detected by classic anti-spyware programs, but especially trojans, backdoors, worms, dialers, keyloggers and a lot of other destructive pests which make it dangerous to surf the web.

a-squared removes reliably:

  • Trojans, Backdoors, Keyloggers, Rootkits
  • Worms, Bots
  • Dialers
  • Spyware, Adware

Free Trial Antivirus : AVG Anti-Spyware

AVG Anti-Spyware 7.5.1.43
Anti-Virus programs offer insufficient protection against urgently growing threats like Trojans, Worms, Dialers, Hijackers, Spyware and Keyloggers. That's where the protection of ewido anti-spyware begins and supplements existing security applications to create a complete security system - because only a complete security system works effectively.

* NEW Completely renewed user interface
* NEW Possibility to create exceptions
* NEW Shredder for secure file deletion
* NEW XP Antispy
* NEW BHO Viewer
* NEW LSP Viewer
* Heuristics to detect unknown threats
* Scanning and cleaning of the Windows registry
* Support for NTFS-ADS scanning
* Daily database updates
* Patch proof by using strong signatures
* Analysis tools (startup, connections and processes)
* Intelligent online-update
* Scan inside archives
* Secure detection and deletion of DLL-Trojans
* Generic crypter detection through emulation
* Generic binder detection
* Free E-Mail Support
* Automatic Clean Engine
* Quarantine for suspicious files
* Multilingual User Interface

Additional features of the Plus-Version

* NEW Scheduled scans
* Real-time monitoring of the entire system
* Memory Scan detects active threats
* Self-protection at kernel layer guarantees gapless monitoring
* Automatic online-update



This setup contains the free as well as the paid version of ewido anti-spyware. After the installation, a free 30-day trial version containing all the extensions of the full version will be activated. At the end of the trial, these extensions will be deactivated and the program will turn into a feature-limited freeware version. The purchased license code can be entered at any time.

This product was formerly known as Ewido Security Suite.

AVG AntiSpyware

Thursday, May 21, 2009

Free Download Antivirus: ThreatFire Antivirus

PCs are under constant attack from viruses, spyware and identity theft. Every day you hear about a new threat to your PC. They're coming faster than ever before, they're getting harder to stop and traditional antivirus products are not able to keep up.

Will your antivirus software catch the latest malware that just came out today? In most cases, no, because it simply does not know how to detect it yet. But ThreatFire's ActiveDefense technology does, and has proven to provide up to 243% more protection when combined with traditional AntiVirus products.

If I already have antivirus software why do I need ThreatFire?

ThreatFire is dramatically different from traditional antivirus software. Normal antivirus products usually need to have first identified and seen a threat before they can provide adequate protection against it. The protection is then provided via a signature or fingerprint update, which must first be written by an antivirus researcher. This creates a large window of time during which threats are undetected and can therefore infect your PC even when you have antivirus software installed.

Free Download ThreatFire

Wednesday, May 6, 2009

Virus: Win32:VB-CD alias Kamasutra

The worm Win32:VB-CD [Wrm] or Win32:VB-CD2 [Wrm] is a mail worm also known as Nyxem-E, Blackmal-F, MyWife-D or Grew, or (perhaps locally, and usually in the news) as Kamasutra. This worm spreads by e-mail and by network shares. It kills the processes of miscellaneous antivirus and security programs and deletes their files. The worm is destructive: it tries to delete files of certain types on the 3rd day of every month.

When executed, the worm creates one of the listed files:

  • %windows%\Rundll16.exe
  • %system%\New winzip file.exe
  • %system%\sample.zip
  • %system%\winzip_tmp.exe

and files:

  • %system%\scanregw.exe
  • %system%\update.exe
  • %system%\sample.zip
  • %system%\winzip.exe

The worm is autostarted with Windows using the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Its item "ScanRegistry" has the value "%System%\scanregw.exe /scan"

The worm collects mail addresses from documents on the infected computer. The infected mail has one of the Subjects:

*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Sexy
Fwd: image.jpg
Fwd: Photo
give me a kiss
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!

The infected attachment is in the file named

007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif

Sometimes, the attachment is MIME encoded and uses one of the names

3.92315089702606E02.UUE
Attachments00.HQX
Attachments001.BHX
Attachments[001].B64
eBook.Uu
Original Message.B64
SeX.mim
Sex.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu

In such a case, a special tool is needed to unpack and execute the worm.

On the 3rd day of every month, the worm tries to delete data files with the extensions .dmp, .doc, .mdb, .mde, .pdf, .pps, .ppt, .psd, .rar, .xls and .zip.

avast! with VPS file dated on or after 17th January 2006 is able to detect this worm.
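
The Frethem, Ganda and Kamasutra mails described above share the same shape: a lure subject, an executable or encoded-container attachment, and (for Frethem and Ganda) an HTML body whose IFRAME tries to launch the attachment. The following Python is an added example written for this page, not code from the original posts or from any antivirus vendor: it parses one message with the standard email module and lists those indicators. The .eml is constructed after the Frethem description and is not a real capture; the extension sets, the subject list and the content-type mismatch heuristic are this example's own assumptions.

```python
"""Mail-gateway triage for the worm mails described in the Frethem, Ganda and
Kamasutra sections above. This is an added example, not code from the original
page or from any antivirus vendor. The .eml below is constructed after the
Frethem description (subject, attachment names, IFRAME trick); the extension
lists and the content-type mismatch heuristic are this example's assumptions.
"""
import email
import re
from email import policy

# Attachment extensions that run directly when opened (Frethem .exe, Ganda .scr, Kamasutra .pif).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Encoded containers the Kamasutra worm uses to smuggle its executable past filters.
ENCODED_CONTAINER_EXT = {"uue", "uu", "b64", "bhx", "hqx", "mim"}
# Declared media types under which an executable never legitimately travels; a mismatch
# is the kind of MIME-header trick that made old mail clients run the attachment on preview.
HARMLESS_DECLARED_PREFIXES = ("audio/", "image/", "text/", "video/")
# A few of the subject lines quoted on the page; extend from the lists above.
KNOWN_SUBJECTS = {"re: your password!", "a great video", "my photos", "screensaver advice"}
IFRAME_CID_RE = re.compile(r"<iframe[^>]+src\s*=\s*['\"]?cid:", re.IGNORECASE)

# Constructed sample message; not a real capture.
SAMPLE_EML = b"""\
From: someone@example.invalid
To: victim@example.invalid
Subject: Re: Your password!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>ATTENTION! You can access very important information by this password.
<iframe src="cid:decrypt" width="0" height="0"></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="Decrypt-password.exe"
Content-ID: <decrypt>
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Decrypt-password.exe"

TVqQAAMAAAAEAAAA
--b1
Content-Type: text/plain; name="Password.txt"
Content-Disposition: attachment; filename="Password.txt"

DO NOT SAVE password to disk, use your mind
--b1--
"""


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and list the worm-style indicators it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "")
    findings, attachments = [], []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        findings.append(f"known worm subject: {subject!r}")
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        ctype = part.get_content_type()
        if filename:
            attachments.append(filename)
            ext = _extension(filename)
            if ext in EXECUTABLE_EXT:
                findings.append(f"executable attachment: {filename}")
                if ctype.startswith(HARMLESS_DECLARED_PREFIXES):
                    findings.append(f"executable {filename} declared as {ctype}")
            elif ext in ENCODED_CONTAINER_EXT:
                findings.append(f"encoded container attachment: {filename}")
        elif ctype == "text/html" and IFRAME_CID_RE.search(part.get_content()):
            findings.append("HTML body with an IFRAME pointing at an attached part")
    return {"subject": subject, "attachments": attachments, "findings": findings}


def is_suspicious(raw: bytes) -> bool:
    """Gateway verdict: quarantine if any indicator fired."""
    return bool(triage_message(raw)["findings"])


if __name__ == "__main__":
    report = triage_message(SAMPLE_EML)
    print("subject:", report["subject"])
    print("attachments:", report["attachments"])
    for finding in report["findings"]:
        print(" -", finding)
    print("quarantine:", is_suspicious(SAMPLE_EML))
```

The check keys on the attachment's real extension rather than its declared Content-Type, which is what defeats the "audio/x-wav carrying an .exe" disguise; the encoded-container list covers the .uu/.b64/.hqx/.mim names in the Kamasutra list, which a filter matching only on .pif would let through.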

_________________________________________________________

Windows Repair Kit

Saturday, May 2, 2009

FREE ANTI VIRUS: Panda Cloud Antivirus


Thanks to Panda Security’s Collective Intelligence malware and goodware online database, Panda Cloud Antivirus detects more malware than traditional signature-based solutions which take longer to detect the most recent, and therefore most dangerous, variants.

With Panda Cloud Antivirus we introduce a new protection model based on a thin-client agent & server architecture which services malware protection as opposed to locally installed products. By combining local detection technologies with cloud-scanning capabilities and applying non-intrusive interception techniques on the client architecture, Panda Cloud Antivirus provides some of the best protection with a lightweight antivirus thin-client agent that barely consumes any PC resources.

Light

Panda Cloud Antivirus protects you while you browse, play or work and you won’t even notice it. It is extremely light as all the work is done in the cloud.

Secure

Panda Cloud Antivirus provides you with the fastest protection against the newest viruses thanks to its cloud-scanning from PandaLabs’ servers.

Easy

Panda Cloud Antivirus is truly install and forget. Don’t worry about updates, configuration or complicated decisions ever again.

Saturday, April 25, 2009

FREE ANTI VIRUS: PC Tools AntiVirus Free Edition

With PC Tools AntiVirus Free Edition you are protected against the most nefarious cyber-threats attempting to gain access to your PC and personal information. Going online without protection against the latest fast-spreading virus and worms, such as Netsky, Mytob and MyDoom, can result in infections within minutes.

Once infected, the virus will usually attempt to spread itself to your friends, family and associates by accessing your email contacts and networked PCs. The infection may also allow hackers to access files on your PC, use it to launch attacks against other computers and websites or to send mass SPAM email.

That's why PC Tools AntiVirus Free Edition provides world-leading protection, with rapid database updates, IntelliGuard™ real-time protection and comprehensive system scanning to ensure your system remains safe and virus free. PC Tools products are trusted and used by millions of people everyday to protect their home and business computers against online threats.

PC Tools AntiVirus Free Edition feature highlights

  • Protects your PC as you are working, surfing and playing
  • Detects, quarantines, disinfects and destroys Viruses, Trojans and Worms
  • IntelliGuard™ protects your computer against threats in real-time
  • Automatically checks for frequent updates against the latest threats
  • Best of all it's FREE. No catches, limitations or time-limit
PC Tools AntiVirus

Thursday, April 23, 2009

Free Anti Virus: SuperAntiSpyware Free Edition

SuperAntiSpyware, a next generation product, with its Multi-Dimensional Scanning and Process Interrogation Technology will detect spyware and remove over 1,000,000 pests such as Vundo, ZLob, SmitFraud, WinFixer, VirusRay, and VirusHeat. Repair broken Internet connections, desktops, registry editing, and task manager. The program provides complete and custom scanning of hard drives, removable drives, memory, registry, individual folders include trusting items and excluding folders for complete customization of scanning. Detect and remove spyware, adware, malware, Trojans, dialers, worms, keyloggers, and hijackers. Prevent potentially harmful software from installing or re-installing. First Chance Prevention examines over 50 critical points of your system each time your system starts up and shuts down to eliminate threats before they have a chance to infect and infiltrate your system. Our Direct Disk Access (DDA) technology sees rootkits others miss.

Version 4.25.1014 includes Smart Definitions to detect zero-day threats, improved rootkit removal technology to handle rootkits that disable security applications, and updated Direct Registry Access (DRA) technology.

Super Antispyware.com

Anti Spyware Software

CNet Download.com

Return of AVG's LinkScanner

When AVG Technologies slurped up Exploit Prevention Labs, it rolled the standalone LinkScanner security app into its popular antivirus offerings. While the newfound ability to rate search results and live Web pages for safety ratings lent AVG products some extra relevancy and clout, not everyone wants to download a full-blown security app just to get a warning or go-ahead to search a Web site.

Thankfully, AVG Technologies has seen the error of its bundling-only ways, and has rereleased LinkScanner as a free, standalone add-on for Firefox or Internet Explorer once again. This is particularly sanguine news for those who noted performance bungles when using rival software like McAfee SiteAdvisor (for Firefox and IE).

Those well-versed in the LinkScanner of yore won't see too many changes in the new LinkScanner 8.5. The usual red, yellow, and green flags emerge on Google and Yahoo search results, and on the Web page itself, to tip you off if the page in question might contain harmful or seedy elements.

We're glad to see LinkScanner back on its own, and after you read up on this handy security scout, you might be, too.

Read the hands-on review of Link Scanner

Download LinkScanner 8.5

Download.com

Friday, April 17, 2009

Virus: Win32:Banker [Trojan Horse]

Win32:Banker is a family of Trojans capable of monitoring user activity and stealing private information. Win32:Banker monitors the user's internet access. If certain websites (banking, payment systems) are visited, Win32:Banker logs the user's activity. Win32:Banker then sends all the stolen details to the attacker.

Description

Win32:Banker is a family of Trojans capable of stealing private information such as account numbers, passwords and banking credentials. Many variants wait in the background and monitor the user's internet activity. A logging procedure starts when a certain website is accessed, or when the address of an accessed website contains certain words. Many variants substitute their own pages for legitimate banking or payment system websites in order to obtain user details.

After getting the user details, Win32:Banker will send all the information to the attacker. Data can be sent to the attacker’s e-mail, can be uploaded to the attacker’s FTP server or can be submitted to the attacker’s website.

Win32:Banker may be downloaded by a user or can be received via email, but usually it is downloaded by other Trojan-Downloaders. When Win32:Banker is launched, it may copy itself to various folders such as %WINDOWS% or %SYSTEM%. Many variants set themselves to run each time Windows starts by creating the corresponding registry entries.

Most known variants target the users of Brazilian banks. These variants may be distributed in executables with names containing the word "cartao" ("card" in English).

If a user's computer is infected with Win32:Banker, it is recommended to change the login credentials of the user's bank account, and to do so from a clean machine.

Avast

Saturday, April 11, 2009

FREE ANTI VIRUS: Ansav +EA 2.0.26 Beta / 1.9.3

This antivirus helps you to identify, thwart and eliminate computer viruses and other malicious software.

Ansav is a free antivirus utility designed to identify, thwart and eliminate computer viruses and other malicious software (malware).

ANSAV, an abbreviation of An's AntiVirus, is an application that runs on Windows XP and was made especially to handle various malware such as viruses, Trojans and spyware.

This is not a commercial antivirus. ANSAV was designed as portable software and can be run without installation, because ANSAV is not resident and only performs on-demand scanning and cleaning.

At this time ANSAV can detect many of the newest local viruses (Indonesian viruses) and several foreign viruses that often circulate in Indonesia, but ANSAV cannot be relied on as your only antivirus, because there are quite a few viruses that other antivirus software detects and ANSAV does not. This is caused by the limitations of its virus definition database (signatures).

ANSAV was developed for Indonesian users (local support only), although it can detect several foreign viruses; therefore your role is to always send samples of the newest viruses that ANSAV cannot yet detect, so that ANSAV becomes your main weapon for eradicating viruses, especially local ones.

Ansav contains the definitions of more than 776 viruses.

Ansav AntiVirus


FREE ANTI VIRUS: a-squared Free 4.0

Freeware! This free version is the little brother of a-squared Anti-Malware and contains only the scanner to clean infected computers. But it does not come with a background guard, Auto-Update, scheduled scans and HiJackFree.


  • Scan your PC for infections of Trojans, Viruses, Spyware, Adware, Worms, Bots, Keyloggers and Dialers.
  • 2 Cleaning Scanners in 1: Anti-Virus + Anti-Spyware
  • 4 million users world wide rely on a-squared to clean their PC from Malware.

a-squared Anti-Malware - Effective Malware Protection

COMPUTER VIRUS

A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the owner. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability. A true virus can only spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.[1][2]

The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware, and other malicious and unwanted software), including true viruses. Viruses are sometimes confused with computer worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a program that appears harmless but has a hidden agenda. Worms and Trojans, like viruses, may cause harm to either a computer system's hosted data, functional performance, or networking throughput, when they are executed. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious.

Most personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, Instant Messaging, and file sharing systems to spread.

From Wikipedia

a-squared Anti-Malware - Effective Malware Protection

Wednesday, April 8, 2009

FREE ANTIVIRUS: C.O.M.O.D.O

FREE ANTIVIRUS SOFTWARE - NO LICENSE FEES EVER

Comodo Internet Security is the all-in-one security software that keeps your computer completely safe from viruses and internet threats. The software is free for life and incorporates Comodo Firewall and Comodo Antivirus. If required, either product can be installed individually during setup.

Comodo Antivirus

Conficker worm might originate in China




Updated at 9:13 p.m. PDT with information provided by BKIS stating that its free version of BKAV antivirus software can remove the worm from any infected computer.

There's been a lot of fuss about the Conficker worm. And here's the $250,000 question: what is the origin of the virus?

$250,000 is the amount of money Microsoft is putting up as a reward for any information leading to an arrest related to the case. Folks at BKIS, a Vietnamese security firm that makes the BKAV antivirus software, announced Monday that they found clues that the virus may have originated in China. Previously, there were rumors that it might have been from Russia or Europe.

The firm's conclusion is based on its analysis of the virus' coding. It found that Conficker's code is closely related to that of the notorious Nimda, a virus that wreaked havoc on the Net and e-mail in 2001. At that time, BKIS determined that Nimda was made in China, based on the firm's own data.

It's important to note that the origin of Nimda was never verified. Though Nimda contained text indicating that it may have originated from China, that is in no way hard evidence.

Even if this finding by BKIS is credible, it's hardly good news, as it does little to help the authorities lay their hands on whomever is responsible for creating the virus. What it does is narrow in on where to block the return of the virus.
Read more

Mamutu - Behavior Based Malware Blocking

Sunday, April 5, 2009

VIRUS: Win32:Confi (Conficker, Downup, Downadup and Kido)

Win32:Confi is a mass spreading worm

Summary

Type : Worm
Aliases : W32/Downadup, Net-Worm, Win32.Kodo, W32/Confoker
Platform : Windows
Known locations : %WINDIR%\system32, recycle bin

Description

Win32:Confi exploits a security hole in Windows (http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx) to propagate itself over networks. After infecting a machine, Confi creates a service with a randomly generated name and tries to infect other computers in the same subnet. It also drops itself onto any removable media (USB sticks) plugged into the infected machine. When the attempt to exploit neighbouring computers fails, the worm runs a brute-force attack against weak passwords on them. The worm's files cannot be read, modified or deleted by ordinary users or even by administrators, because the worm strips the permissions and ownership from its files; an administrator must first take ownership of them again before they can be removed.

Detection/Removal

Manually download the corresponding patch from Microsoft, from a clean machine if necessary (Confi blocks access to some anti-malware sites from the infected host). Update avast! VPS to the latest version. Unplug the LAN cable. Schedule a boot-time scan and move all Win32:Confi files to the virus chest. After rebooting, install the MS patch. Because the worm also spreads by guessing weak passwords, change any weak account passwords before reconnecting. Reconnect the LAN cable and everything should be fine.

Avast Home Edition

a-squared Anti-Malware - Effective Malware Protection

Saturday, April 4, 2009

FREE ANTI VIRUS: BitDefender Free

Yooo...another FREE ANTI VIRUS : BitDefender Free Edition.

It is FREE Antivirus for All

BitDefender Free Edition is your chance to use one of the world's most effective antivirus engines for free!

BitDefender Free Edition uses the same ICSA Labs certified scanning engines found in other BitDefender products, allowing you to enjoy basic virus protection for no cost at all.

BitDefender Free Edition is an on-demand virus scanner, which is best used in a system recovery or forensics role. If you are on an "always-on" Internet connection, we strongly advise you to consider using a more complex antivirus solution.

BitDefender AntiVirus

FREE ANTI VIRUS : ClamWin Antivirus

This is another Free AntiVirus, really truly free. ClamWin is a Free Antivirus program for Microsoft Windows 98/Me/2000/XP/2003 and Vista.

ClamWin Free Antivirus comes with an easy installer and open source code. You may download and use it absolutely free of charge. It features:

* High detection rates for viruses and spyware;
* Scanning scheduler;
* Automatic downloads of the regularly updated virus database;
* Standalone virus scanner and right-click menu integration with Microsoft Windows Explorer;
* Add-in for Microsoft Outlook to remove virus-infected attachments automatically.

The latest version of ClamWin Free Antivirus is 0.94.1.
Please note that ClamWin Free Antivirus does not include an on-access real-time scanner. You need to scan a file manually in order to detect a virus or spyware.

ClamWin Free Antivirus is based on the ClamAV engine, is licensed under the GNU General Public License from the Free Software Foundation, and is free (as in freedom) software. To find out more about the GNU GPL, please visit the following link: Philosophy of the GNU Project - Free Software Foundation.
ClamWin Free Antivirus uses the ClamAV scanning engine.
Download ClamWin Free Antivirus

Thursday, April 2, 2009

FREE ANTI VIRUS: RISING Free Edition Antivirus

This is one of my favorite free antivirus programs.
Rising Antivirus Free Edition 2009 protects your computers against all types of viruses, Trojans, worms, rootkits and other malicious programs. Ease of use and SmartUpdate technology make it an "install and forget" product and let you focus on your own work on your computer. RISING Antivirus's powerful engine has been certified by Virus Bulletin, Checkmark and TUV.

Rising Antivirus Free Edition 2009 is a solution with no cost to personal users.

RISING Free Antivirus has now been upgraded.

The latest Rising Antivirus Free Edition has the same services and functions as the Rising Antivirus 2009 paid version, but there are some differences users need to know about:

1. Information centre service:
Rising Antivirus Free Edition has an Information centre window in its main interface, and this window brings users the latest news from RISING. The Rising Antivirus 2009 paid version does not have it;
2. Update service:
The RISING paid version gets updates through a high-speed update server each day, but Rising Antivirus Free Edition does not;
3. Technical support:
RISING provides fast-response technical support to each paid version user, but the support for RISING free version users may be limited;
4. Users who buy the Rising Antivirus paid version get a Rising Firewall with the same service life for FREE; Rising Antivirus Free version users do not.

RISING Antivirus Free Edition

FREE ANTI VIRUS: AVG Anti Virus Free Edition

AVG Anti-Virus Free Edition - trusted by 80 million users.

Antivirus and antispyware protection for Windows available to download for free.

AVG Anti-Virus Free Edition
  • Award-winning antivirus and antispyware
  • Real-time safe internet surfing and searching
  • Quality proven by 80 million users
  • Easy to download, install and use
  • Protection against viruses and spyware
  • Compatible with Windows 7, Windows Vista and Windows XP
Note: AVG Anti-Virus Free Edition is only available for single-computer, home and non-commercial use. It provides basic protection against viruses and spyware.
AVG Free Edition

Wednesday, April 1, 2009

FREE ANTI VIRUS: Avira AntiVir Personal

Avira AntiVir Personal is a free antivirus (basic protection).
It protects your computer against dangerous viruses, worms, Trojans and costly dialers. New: basic anti-spyware.
Note: Avira AntiVir Personal - FREE Antivirus is only available for single-computer, home and non-commercial use.
Avira AntiVir Personal

FREE ANTI VIRUS: Avast! Home Edition Antivirus.


Avast Home Edition is one of the FREE antivirus programs. This edition is a truly free-of-charge antivirus with spyware protection for non-commercial use. Try it and see if you like it.

Avast Home Edition

Following version 4.8 of avast! Home Edition and Professional Edition earlier this year, ALWIL Software has now released version 4.8 of avast! Server Edition and Small Business Server Edition.


Tuesday, March 31, 2009

Welcome to the collection of free antivirus. I'll try to introduce all the free antivirus programs in the world. Hope you enjoy this.