Friday, September 11, 2009

Virus: TR/Drop.Agent.agla - Trojan

Date discovered: 26/02/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: High
Static file: Yes
File size: 172.207 Bytes

GENERAL
Aliases:
• Symantec: W32.SillyFDC
• Sophos: Mal/Generic-A
• Panda: W32/Lineage.KYR
• Eset: Win32/PSW.OnLineGames.NNU

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads files
• Drops malicious files
• Registry modification

FILES
It copies itself to the following locations:
• %SYSDIR%\kva8wr.exe
• %drive%\jbele1.com

It renames the following files:
• %malware execution directory% into c:\%existing file or directory%.vcd

It deletes the initially executed copy of itself.

It deletes the following file:
• %SYSDIR%\drivers\cdaudio.sys

It may corrupt the following file:
• %SYSDIR%\drivers\cdaudio.sys

The following files are created:
– %drive%\autorun.inf: a non-malicious text file with the following content:
• %code that runs malware%
– %SYSDIR%\drivers\klif.sys: further investigation showed that this file is malware, too. Detected as: Rkit/Agent.4160
– %SYSDIR%\bgotrtu0.dll Detected as: TR/Vundo
– %SYSDIR%\uweyiwe0.dll Detected as: TR/Crypt.XPACK.Gen
– %drive%\lot.exe
– %SYSDIR%\ahnfgss0.dll
– %SYSDIR%\ahnsbsb.exe
– %SYSDIR%\ahnxsds0.dll

It tries to download files from the following locations:
• http://hjkio.com/xhg2/**********
• http://kioytrfd.com/xhg2/**********

REGISTRY
One of the following values is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "kvasoft"="%SYSDIR%\kva8wr.exe"

The following registry keys are added in order to load the service after reboot:
– [HKLM\SOFTWARE\System\CurrentControlSet\Services\KAVsys]
• "Type"=dword:00000001
• "Start"=dword:00000001
• "ErrorControl"=dword:00000001
• "ImagePath"="\??\%SYSDIR%\drivers\klif.sys"
• "DisplayName"="KAVsys"

The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• "NoDriveTypeAutoRun"=dword:00000091
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
New value:
• "CheckedValue"=dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
New value:
• "ShowSuperHidden"=dword:00000001
• "Hidden"=dword:00000002
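As an added example, not part of the Avira description, the following Python checker parses a .reg export (the sample text is constructed, not a real capture) and flags the kvasoft Run entry, the KAVsys service, the SHOWALL and ShowSuperHidden hidden-file changes and the NoDriveTypeAutoRun policy listed above, decoding the AutoRun bitmask so a responder can see which drive types still autorun:

```python
import re

# Constructed .reg export (not a real capture) with the Run entry and Explorer changes listed above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kvasoft"="C:\\WINDOWS\\system32\\kva8wr.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""

# Drive-type bits of NoDriveTypeAutoRun; a SET bit disables AutoRun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
              0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}

# (key suffix, value name, predicate on the raw value) for the artefacts in the description.
INDICATORS = [
    (r"\CurrentVersion\Run", "kvasoft", lambda v: "kva8wr.exe" in v.lower()),
    (r"\Services\KAVsys", "ImagePath", lambda v: "klif.sys" in v.lower()),
    (r"\Folder\Hidden\SHOWALL", "CheckedValue", lambda v: v == "dword:00000000"),
    (r"\Explorer\Advanced", "ShowSuperHidden", lambda v: v == "dword:00000001"),
]

def parse_reg(text):
    """Parse .reg text into {key: {value name: raw value}}; dwords keep their 'dword:' prefix."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := re.match(r'"(.+?)"=(?:"(.*)"|(.+))$', line)):
            keys[current][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return keys

def autorun_enabled_types(dword_text):
    """Drive types on which AutoRun is still allowed by a NoDriveTypeAutoRun dword."""
    mask = int(dword_text.split(":")[1], 16)
    return sorted(name for bit, name in DRIVE_BITS.items() if not mask & bit)

def find_indicators(reg_text):
    """Return one finding per matching artefact; an empty list means nothing matched."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        for suffix, name, test in INDICATORS:
            if key.lower().endswith(suffix.lower()) and name in values and test(values[name]):
                findings.append(f"{name} under {key}")
        if key.lower().endswith(r"\policies\explorer") and "NoDriveTypeAutoRun" in values:
            enabled = autorun_enabled_types(values["NoDriveTypeAutoRun"])
            if "removable" in enabled:
                findings.append("AutoRun still enabled for: " + ", ".join(enabled))
    return findings
```

With the 0x91 value, AutoRun stays enabled for removable and fixed drives, which is what the %drive%\autorun.inf dropped by the trojan relies on; a value of 0xFF disables it for every drive type.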

ROOTKIT TECHNOLOGY
Hides the following:
– Its own process
Method used:
• Hidden from Master File Table (MFT)
• Hidden from Windows API
• Hidden from Interrupt Descriptor Table (IDT)

Avira AntiVir Free

Tuesday, September 1, 2009

Win32:Frethem

Win32:Frethem is an Internet worm which spreads via email. It uses its own SMTP engine to send itself to email addresses that it finds in the Microsoft Windows Address Book and in .dbx, .wab, .mbx, .eml, and .mdb files. The email message arrives with the following characteristics:

Subject: Re: Your password!
Message body:
ATTENTION!

You can access
very important
information by
this password

DO NOT SAVE
password to disk
use your mind

now press
cancel
Attachment: Decrypt-password.exe and Password.txt

When this worm is executed, it does the following: It copies itself to the file %windir%\Taskbar.exe (please note: %windir% is a variable). The worm locates the Windows main installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location. It then configures itself to start when you start Windows by adding the value:
Task Bar %windir%\Taskbar.exe
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The worm then obtains email addresses from the Microsoft Windows Address Book and from .dbx, .wab, .mbx, .eml, and .mdb files, and sends itself to those addresses. When the worm arrives by email, it uses both an IFRAME exploit and a MIME exploit, which allow the worm to be executed when you read or even preview the message. Information and a patch for the MIME exploit can be found here.

After sleeping for several hours, the worm copies itself to C:\Windows\All Users\Start Menu\Programs\Startup\Setup.exe so that it is executed each time that you start Windows.

This worm exists in several variants, but none of them have any destructive payload.


Wednesday, July 1, 2009

Virus: Win32:Ganda

Win32:Ganda is an Internet worm which uses social engineering to trick users into running the infected mail attachment. It also tries to suspend several antivirus and security programs, such as personal firewalls, on the infected computer. It modifies executable files (.exe and .scr extensions) by adding a routine that launches Ganda from a separate file. It spreads through e-mail. Some of the infected mails use the "IFRAME vulnerability" of MS Internet Explorer to launch the mail attachment without user intervention. The worm creates the following files on the infected computer:

%WINDOWS%\scandisk.exe
%WINDOWS%\[8 random characters a-z].exe
%WINDOWS%\tmpworm.exe

In the registry, the worm creates the following item inside the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
ScanDisk=%WINDOWS%\SCANDISK.exe

The worm is launched from the registry at every computer start. Besides this, it might be launched from the modified executables: it adds code for launching itself from the files in the %WINDOWS% folder to executable files. The size of a modified file is increased by 567 bytes.

Note: %WINDOWS% is the folder where the Windows system is installed. It is usually "C:\Windows" on Windows 95, 98 or ME, or "C:\WinNT" on Windows NT, 2000 or XP. These folder names are the defaults, but the user can choose any other name during Windows installation.

The worm tries to suspend running services named:

f-secure, firewall, kaspersky, mcafee, norton, pc-cillin, sophos, symantec, trend micro, virus

The worm spreads through email to addresses it finds in the Windows Address Book or in files with .dbx, .eml or .htm extensions. Infected mails are either English or Swedish, depending on the system language of the infected computer. Infected mails have the following features: the subject line is either empty or one of the following phrases (in the English version):

  • Catlover
  • Disgusting propaganda
  • DISKRIMINERAD !!!!
  • GO USA !!!!
  • G.W Bush animation
  • Is USA a UFO?
  • Is USA always number one?
  • LINUX
  • Nazi propaganda?
  • Screensaver advice
  • Spy pics

The attachment is 45056 bytes in size, with a random 2-letter name and an .scr extension.

The worm fakes the sender address. It chooses the message body randomly from 10 messages, either English or Swedish.
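As an added example covering both the Frethem description above and this Ganda description (not code from Avast or from the original posts), the following Python triage function parses a raw message with the standard email library and matches the subject and attachment traits given for each worm; the sample messages are constructed by build_sample, and the sender and recipient addresses in it are placeholders:

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the Frethem and Ganda descriptions above.
FRETHEM_SUBJECT = "Re: Your password!"
FRETHEM_DROPPER = "decrypt-password.exe"
GANDA_SUBJECTS = {"", "Catlover", "Disgusting propaganda", "DISKRIMINERAD !!!!", "GO USA !!!!",
                  "G.W Bush animation", "Is USA a UFO?", "Is USA always number one?", "LINUX",
                  "Nazi propaganda?", "Screensaver advice", "Spy pics"}
GANDA_ATTACHMENT = re.compile(r"^[a-z]{2}\.scr$", re.IGNORECASE)  # random 2-letter name, .scr
GANDA_SIZE = 45056                                                 # decoded attachment size

def attachments(msg):
    """Yield (filename, decoded size in bytes) for each attachment part of a parsed message."""
    for part in msg.iter_attachments():
        yield part.get_filename() or "", len(part.get_payload(decode=True) or b"")

def classify(raw_bytes):
    """Return 'Frethem', 'Ganda' or None for a raw RFC 822 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    parts = list(attachments(msg))
    # Frethem: fixed subject plus the executable it ships.
    if subject == FRETHEM_SUBJECT and any(n.lower() == FRETHEM_DROPPER for n, _ in parts):
        return "Frethem"
    # Ganda: empty or listed subject and a two-letter .scr of exactly 45056 bytes.
    if subject in GANDA_SUBJECTS:
        if any(GANDA_ATTACHMENT.match(n) and size == GANDA_SIZE for n, size in parts):
            return "Ganda"
    return None

def build_sample(subject, attachment_name, payload):
    """Construct a sample message (not a real capture) with one binary attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"   # placeholder address
    m["To"] = "user@example.test"       # placeholder address
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()
```

The size check matters for Ganda because its subjects are ordinary phrases; a two-letter .scr of any other size is not flagged.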

Avast Viruses Info

Friday, June 26, 2009

Virus: Gumblar.cn

The attackers behind a series of rapidly spreading Web site compromises have begun using a new domain to deliver their malicious code, security experts say.

The attacks, collectively referred to as "Gumblar" by ScanSafe and "Troj/JSRedir-R" by Sophos, grew 188 percent over the course of a week, ScanSafe said late last week. The Gumblar infections accounted for 42 percent of all infections found on Web sites last week, Sophos said.

Over the weekend, the Chinese Web domain used to deliver the malicious code--gumblar.cn--stopped responding, according to Unmask Parasites, a service used to detect malicious code embedded in Web pages. The attacks' malicious payload has, however, continued to be delivered from a different source, the martuz.cn domain, Unmask Parasites said Monday in an advisory.

"They have slightly modified the script and now inject a new version that loads malicious content from a new domain," Unmask Parasites said.

Changes to the script make it more difficult to identify, and they evade detection by the Google Chrome browser, Unmask Parasites said.

Gumblar was first detected in March and has spread more quickly since then, against the expectations of security experts.

"A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases and website operators begin cleaning the affected sites," ScanSafe senior security researcher Mary Landesman, said late last week in an advisory.

In the Gumblar attacks, the opposite is occurring, partly because Web site administrators themselves are affected by the attacks as they try to address the problem, ScanSafe said.

Sites affected include Tennis.com, Variety.com, and Coldwellbanker.com, according to ScanSafe.

The attacks were carried out in multiple stages, beginning in March, when a number of Web sites were compromised and attack code embedded within them, ScanSafe said.

Then, in early May, as Web site operators began to clean up their sites, the attackers replaced the original malicious code with dynamically generated and heavily obfuscated JavaScript, meaning that the scripts change from page to page and are difficult for security tools to spot.

The scripts attempt to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player to deliver code that injects malicious search results when a user searches Google on Internet Explorer, ScanSafe said.

They also search the victim's system for FTP credentials that can be used to compromise further Web sites, the company said.

The malicious code embedded on a user's system was previously downloaded from gumblar.cn, a Chinese domain associated with Russian and Latvian IP addresses, delivering code from servers based in the U.K., according to ScanSafe. That domain has now changed to martuz.cn.

Matthew Broersma of ZDNet UK reported from London.


Sunday, May 31, 2009

Free Antivirus : a-squared Free 4.5.0.1 (Latest Version)

Security must not be a privilege. Under this motto, Emsi Software provides the malware scanner a-squared Free completely free of charge for private use. It is not a heavily limited version but a full tool to clean your computer of malware: not only spyware, as detected by classic anti-spyware programs, but especially Trojans, backdoors, worms, dialers, keyloggers and many other destructive pests that make surfing the web dangerous.

a-squared removes reliably:

  • Trojans, Backdoors, Keyloggers, Rootkits
  • Worms, Bots
  • Dialers
  • Spyware, Adware

Free Trial Antivirus : AVG Anti-Spyware

AVG Anti-Spyware 7.5.1.43
Anti-virus programs offer insufficient protection against rapidly growing threats like Trojans, worms, dialers, hijackers, spyware and keyloggers. That's where the protection of ewido anti-spyware begins: it supplements existing security applications to create a complete security system, because only a complete security system works effectively.

* NEW Completely renewed user interface
* NEW Possibility to create exceptions
* NEW Shredder for secure file deletion
* NEW XP Antispy
* NEW BHO Viewer
* NEW LSP Viewer
* Heuristics to detect unknown threats
* Scanning and cleaning of the Windows registry
* Support for NTFS-ADS scanning
* Daily database updates
* Patch proof by using strong signatures
* Analysis tools (startup, connections and processes)
* Intelligent online-update
* Scan inside archives
* Secure detection and deletion of DLL-Trojans
* Generic crypter detection through emulation
* Generic binder detection
* Free E-Mail Support
* Automatic Clean Engine
* Quarantine for suspicious files
* Multilingual User Interface

Additional features of the Plus-Version

* NEW Scheduled scans
* Real-time monitoring of the entire system
* Memory Scan detects active threats
* Self-protection at kernel layer guarantees gapless monitoring
* Automatic online-update

This setup contains the free as well as the paid version of ewido anti-spyware. After the installation, a free 30-day trial version containing all the extensions of the full version will be activated. At the end of the trial, these extensions will be deactivated and the program will turn into a feature-limited freeware version. The purchased license code can be entered at any time.

This product was formerly known as Ewido Security Suite.

AVG AntiSpyware