New Worm: Chike.B
Chike.B is a worm that spreads by copying itself to removable drives and shared folders on the network. This malicious code changes the Windows explorer settings, disables the system restore feature and disables the Windows Registry. Finally, it configures the Windows Registry to make sure it is run every time a session is started.

New Worm: P2PShared.C
P2PShared.C reaches computers with an icon of two tools. When run, it shows an error message. To spread, it is copied to P2P directories with names such as "Windows Vista x86 MultiLang AutoPatcher.rar" or "MSN Messenger 8 Fully Patched for XP Sp2 and ViSTA.rar".

New Worm:Manclick.A
Manclick.A is a worm that installs on computers under the guise of a Windows folder. When this worm is run, it passes itself off as the web page of the Google search engine. The appearance of this page is very similar to the original one and the results, if a user were to click them, could lead to malicious websites that download malware or take other malicious action.

The worm creates several copies of itself on the system and it also creates two registry keys to ensure it is run every time the system is started up. Similarly, it deletes certain Windows registry keys to prevent the computer from starting up in any of the available save modes.

New Worm:Dung.A
Dung.A is a worm that also enters computers using the icon of a Windows folder. This malicious code opens a random system port and waits to receive commands, sending requests to a certain web page. It also makes several copies of itself on the system and edits two Windows registry keys to be able to run every time a session is started.

New Trojan: BankFake.H and the malicious JavaScript code Downloader.RXG.
BankFake.H reaches computers with a Windows Media file icon. In an attempt to trick users, when it is run it attempts to display a video on YouTube. It also connects to a web address from which it downloads several malicious files including the Nabload.CUH Trojan.

The files it downloads are false online banking pages. The objective is that, if users enter the address of any of these banks in their browser, the false page will be displayed. If any data is then entered on the page, this information will be sent to the creator of BankFake.H via email.

New Trojan: Asprox.A
Asprox.A is designed to open a port on the infected computer and turn it into a proxy server. This could allow cyber-crooks to perform malicious actions (bank transfers with money coming from scams, send spam, etc.) from the infected user's computer using its IP address.

New Trojan: Romeo.C
Romeo.C is installed on computers disguised as a Windows folder. This code has been designed to create or modify several keys in the Windows Registry, which allows it to perform malicious actions such as disable the system restore feature, hide the "Start" menu "Run" option, or hide file extensions.

Every time the user starts up the computer, the Trojan will display the following text: "Su PC esta infestada por un virus de ultima generación" ("Your PC is infected by a latest generation virus").

New Trojan: Nabload.CXU
The Nabload.CXU Trojan spreads in emails with the subject "A Pessoa com o Maior Rabo do Mundo" and contains a text in Portuguese and a link to a video. However, if the user clicks the link, they will actually be downloading a copy of the Trojan onto their computers. Then, the Trojan plays a YouTube video to conceal its actions. This malicious code also downloads two banker Trojans onto the computer to steal login data for accessing various banking entities' services.

New Trojan: Percoban.A
Percoban.A reaches computers disguised as a Word file. When run, it makes a copy of itself with names such as Rahasiamu.exe or Jangan Dibuka.exe, and it creates a Windows registry key to ensure that it is run on every session startup. In addition, it disables the Registry editor and the task manager, and hides the search function in the Start menu.

Auction News - The WINS auctions have had a small change, but one that should ensure that a well-liked feature will continue. With Joe Garbarini, WINS#9 under the 24-hour care of medical professionals the "Hat Drawing" needed someone to take over for him in the interim. Our new Vice President, Doug Prather, WINS#294 has taken on the task and will be gathering the donations (or the data), making the list and performing the actual drawing. If you would like to share part of your collection like Joe did for so long with fellow members, please send your donation data to Doug. If you would like to donate one or more hobby-related items, but would prefer to remain anonymous you can send those items directly to Doug.

Auction 48 is currently scheduled to run from March 8-15, 2008, however because I will be attending the ANA show in Phoenix from March 6th until late afternoon/evening of March 8th, all seller data must be submitted by 7:00 PM MST, Tuesday, March 4.

2008 Auction Schedule - The tentative auction schedule is posted on the main auction index page (linked at the top of the page). Sellers, data for the next auction may be submitted at any time.

ANA Convention - For any WINS member interested in meeting other WINS members on this side of the country, the March ANA Convention is the perfect place. Doug Prather, WINS#294 and I will be in Phoenix, Arizona in the late afternoon of Thursday, March 6 until mid morning or so of Saturday, March 8 to attend the convention. We would enjoy making this a WINS West Coast event similar to those held in Saint Louis so come on by and join us for a few hours, shake hands and have a cup of coffee.

As always, your comments and suggestions are welcome.

Thanks for stoppin' by.  "See ya' at the auction".
JD White
WINS#7, Operations Admin