Numismatic Coin Club World Internet Numismatic Society


From Behind The Green Curtain
- June 2008 -


Problems Contacting Me?? - If you've experienced difficulties contacting me by email, I've located the source of the problem. I've recently learned that my access ISP began upgrading their DNS servers and server software a month or so ago, and during the changeover, both the old and the new were online. Even though the changeover was supposed to be seamless (it rarely ever is), it has been causing havoc with my email. It seems at the time of this writing I can receive, but I can send to very few folks. I'm told that the problem has been identified, but not the repair. Hopefully it will be fixed shortly.



Unnoticed Event - I suppose it really shouldn't be any surprise with all of life's distractions today; election turmoil, soaring energy prices, illegal immigration and its problems, rising food prices, and a host of other equally distracting events, that a rather small thing like a birthday would slip by unnoticed. But it did: WINS had a birthday in the middle of May that passed quietly unnoticed. So, Happy 8th Birthday WINS, and thanks to all of the members who made it happen.



WINS Email Lists - Traffic has been very light lately, but it appears that the Lists are working problem free (which is more than I can say for my email). If you are experiencing any List problems please let me know and I'll do what I can to help get it fixed.



Infection and Malware Alerts - Below are some new and continuing problems reported in May/June to keep your eye out for. Information source, Panda Security's weekly report on viruses and intruders - Virus Alerts.

Viruses:

The Kukuku.A virus changes Internet Explorer's home page and opens several windows displaying Asian websites. It also connects to an Internet address to download malware onto the computer (the Admoke adware, the Agent.ISE and Delf.AIN Trojans, etc.).

The Kleste.A virus uses the name net.exe and the default Windows executable file icon to distribute itself. When run, it copies itself to c:\, using the same name, net.exe, and drops the winini.exe file that acts as a downloader Trojan on the computer. It also drops the winsys.sys file in the c:\Windows\system32\drivers directory, which acts as a rootkit to avoid being detected by antivirus software. It then infects other executable files on the system by adding the code needed to connect to a web address from which up-to-date versions of the virus are downloaded.

Worms:

Constructor/Wormer is a tool for creating worms through a console written in Visual Basic. Among other characteristics, this malicious tool includes options for compressing the malicious code created, enabling a mutex and selecting the icons to use. The most curious option, however, is that users can choose to prevent the malicious code created from infecting removable drives, such as pen drives, etc.

The Manclick.B worm's main function is to open specific web pages. When run, it creates several copies of itself on the infected system and creates keys in the Windows registry. Actions taken by this worm include: blocking several applications, disabling the Registry Editor and the Windows Start menu, and preventing the computer from starting in safe mode.

The Radulambu.C worm reaches computers with a typical image file icon, called Palma.exe. When run, it copies itself to several locations on the computer and on mapped drives. It also creates a folder in C: called Images, where it creates several copies of itself under different names, and creates an autorun.inf file on the hard disk and mapped drives. Additionally, Radulambu.C generates several entries in the Windows registry. This way, it modifies the Internet Explorer title bar, disables system recovery and conceals file extensions.

The Ridnu.H worm disables numerous program processes, many of which belong to security applications. Love messages such as "Dear my princess when the stars fill the sky, I will meet you my lovely princess " displayed on opening the Notepad are a clear indication that the computer is infected by Ridnu.H. This worm carries out several actions on the computer: it causes the Start button to vibrate on clicking it, changes the appearance of all windows opened on the system by covering them with an image similar to the Windows 'cloudy' desktop theme, etc.

The DisaCKT.B worm reaches computers as a file with a Microsoft Office document icon. When run, it changes the name of the Windows Start button to 'NUM', and copies itself under the name Microsoft Office Word 2003.exe to the computer's start menu. Once installed, it prevents users from accessing certain system programs, like the registry and policy editor and the operating system's console and maintenance utilities. It also blocks access to the folder properties.

The Tixcet.A worm is designed to delete MS Office documents, disable several Windows functions and restart the computer. This worm is in a file with the Microsoft Word icon. When run, it creates several copies of itself on the infected system and several keys in the Windows registry. It is easy to recognize when a computer has been infected by this worm, as the word CETIX appears next to the clock in the taskbar and it changes the name with which the system has been registered to CETIX BALi. Tixcet.A spreads by making copies of itself in the drives that it accesses, and creates the file AUTORUN.INF, so it runs automatically.

The Autocrat.A worm copies itself on every system drive, including flash memories and external drives. The malicious actions it carries out include hiding files, blocking the task manager, etc. In short, it slows the PC down.

Trojans:

PGPCoder.E is a ransomware Trojan designed to seize information and blackmail the user into paying to recover it. It does this by encrypting all non-operating-system files (such as those with DOC, XLS, PDF, TXT, JPG, BMP, etc. extensions) contained on a computer when the file containing PGPCoder.E is run. At the same time, it releases two files. One of these is called ¡_READ_ME_!.txt, and contains a message informing users that the files have been encrypted and that to obtain the tool for decrypting them, they have to write to a certain email address.

The NoFreedom.A Trojan has the same name as the malware, but with a .vbs extension. This file displays a message similar to the one described above. The Trojan reaches computers in a file called svch0st.exe with a peculiar icon. When run, it opens Internet Explorer and connects to YouTube to show a video of a certain cartoon series. At the same time it creates several files and Windows registry entries, hiding the clock in the taskbar, disabling permissions to shut down or restart the PC and preventing the task manager from being run.

The Perwall.A Trojan spreads to all removable and mapped drives on a computer. When run, Perwall.A creates copies of itself in several places. It also generates the autorun.inf and Boom.vbs files and creates several entries in the Windows registry to run on every system restart. One of its symptoms includes opening the c:\windows\web\wallpaper folder which stores desktop wallpaper images.
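Radulambu.C, Tixcet.A and Perwall.A above all spread the same way: a copy of the malware plus an autorun.inf on every drive they can reach, so that the copy launches when the drive is opened. The following is an added example, not from the newsletter or from Panda Security, of a small audit script a member could run against mounted drives. It parses the [autorun] section and flags the keys that cause something to execute (open=, shellexecute=, shell\...\command=), scripts such as the Boom.vbs mentioned for Perwall.A, double extensions, and the common trick of borrowing a folder icon so the drive looks harmless. The three sample autorun.inf bodies are constructed for the example; the page does not show the real files' contents, and the heuristics are this example's own.

```python
import os
import re

# [autorun] keys that name something Windows may launch automatically (or on a
# double-click of the drive) when AutoRun/AutoPlay is enabled.
LAUNCH_KEYS = ("open", "shellexecute")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
# e.g. "photo.jpg.exe": a document/image extension followed by a program one.
DOUBLE_EXT = re.compile(r"\.(doc|xls|pdf|txt|jpe?g|gif|bmp|mp3)\.(exe|scr|com|pif|vbs|bat|cmd)$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section (case-insensitive keys).
    A tolerant hand-written parser: real autorun.inf files are often sloppy."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def audit_autorun(text):
    """Return a list of (severity, message) findings for one autorun.inf body."""
    findings = []
    entries = parse_autorun(text)
    for key, value in entries.items():
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches or not value:
            continue
        tokens = value.replace('"', " ").split()
        findings.append(("warn", f"{key}= launches {tokens[0]}"))
        if any(t.lower().endswith(SCRIPT_EXT) for t in tokens):
            findings.append(("high", f"{key}= runs a script file: {value}"))
        if DOUBLE_EXT.search(tokens[0].lower()):
            findings.append(("high", f"{key}= uses a double extension: {tokens[0]}"))
    # Disguise heuristics (assumptions of this example): a drive that presents
    # the stock folder icon and the stock "Open folder" prompt is hiding something.
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append(("high", "icon= borrows a system icon so the drive looks like a plain folder"))
    if "open folder" in entries.get("action", "").lower():
        findings.append(("high", "action= imitates the built-in 'Open folder to view files' prompt"))
    return findings


def severity(findings):
    """Collapse a findings list to 'clean', 'warn' or 'high'."""
    levels = {s for s, _ in findings}
    return "high" if "high" in levels else "warn" if "warn" in levels else "clean"


def scan_drive_roots(roots):
    """Audit autorun.inf at each given drive root (e.g. ['E:\\', 'F:\\'])."""
    results = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", errors="ignore") as fh:
                results[root] = audit_autorun(fh.read())
    return results


# Constructed samples (not taken from any real infection).
BENIGN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Install CD\n"
WORM_INF = (
    "[AutoRun]\n"
    "open=Images\\Palma.exe\n"
    "shell\\open\\command=Images\\Palma.exe\n"
    "shell\\open=&Open\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "action=Open folder to view files\n"
)
SCRIPT_INF = "[autorun]\nopen=Boom.vbs\n"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_INF), ("worm-like", WORM_INF), ("script", SCRIPT_INF)):
        print(name, severity(audit_autorun(body)), audit_autorun(body))
```

The parser deliberately does not use configparser: autorun.inf files mix section-name case, use backslashes in keys and omit quoting conventions, and a strict INI parser would throw on exactly the files worth looking at.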

The Ceckno.J Trojan is designed to download other malware onto affected computers and act as a backdoor. This malicious code has a downloader component for downloading malware, and a backdoor component downloaded by the downloader. When installed on the computer, it creates copies of itself and scans ports until it downloads a backdoor or exhausts the number of possible attempts (15). With each attempt, the port through which it tries to download malware increases by one. Once the backdoor component is downloaded, the downloader stops running, preventing the system from detecting infection symptoms. Later on, the backdoor is run and listens on a port.

The HostChange.B Trojan spreads through emails that falsely report the death of Hugo Chavez, president of Venezuela. These messages purport to come from a famous communication channel in Venezuela, to gain users' trust. Additionally, they include links to an alleged video of the fake news story. However, on clicking the links, a file that contains HostChange.B is downloaded. This Trojan modifies the computer's hosts file, associating the website of a well-known financial company in Venezuela with another one hosting a false page designed to capture users' confidential data.
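Because the hosts file is consulted before DNS, one added line is enough to send a bank's address to an attacker's page, as HostChange.B does. The following added example (not from the newsletter or Panda Security) audits a hosts file the way a member might check their own PC: any entry for a domain on a watch list is reported as high, because a bank should never be pinned in the hosts file at all, and any name pinned to an address outside the loopback and private ranges is reported as a warning. The sample hosts content, the domain examplebank.example and the documentation-range addresses are constructed for the example; hosts_path() uses the standard locations on Windows and Unix.

```python
import ipaddress
import os
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "severity host ip reason")

# Address ranges that are normal in a hosts file: loopback, the unspecified
# address used by ad-blocking lists, RFC 1918, ULA and link-local.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


def is_local(ip):
    # 'in' returns False across IP versions, so mixed lists are safe.
    return any(ip in net for net in LOCAL_NETWORKS)


def watched(host, watch_domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watch_domains)


def audit_hosts(text, watch_domains):
    """Return Finding tuples for suspicious lines in a hosts file body."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *hosts = line.split()
        if not hosts:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Hosts files are plain text; a line that is not "IP name..." is
            # either damage or something trying to hide, so report it.
            findings.append(Finding("warn", " ".join(hosts), addr, "unparseable address"))
            continue
        for host in hosts:
            if watched(host, watch_domains):
                findings.append(Finding("high", host, addr,
                                        "watched domain pinned in hosts file; DNS is bypassed for it"))
            elif not is_local(ip):
                findings.append(Finding("warn", host, addr, "name pinned to a non-local address"))
    return findings


def hosts_path():
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


# Constructed sample (documentation addresses per RFC 5737; not a real file).
WATCHED_DOMAINS = ("examplebank.example",)
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example          # private-range dev box: fine
0.0.0.0         ads.example               # blocklist-style entry: fine
203.0.113.10    www.examplebank.example   # watched domain sent elsewhere
198.51.100.7    update.example            # non-local address pinned
notanip         bogus
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    try:
        with open(path, "r", errors="ignore") as fh:
            body = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; auditing the built-in sample instead")
        body = SAMPLE_HOSTS
    for f in audit_hosts(body, WATCHED_DOMAINS):
        print(f"{f.severity:4} {f.ip:16} {f.host:32} {f.reason}")
```

Run it with no arguments to check the machine's own hosts file, or pass a path; a clean Windows or Unix hosts file produces no output. Extend WATCHED_DOMAINS with the domains of the banks and webmail services you actually use, since those are the names a pharming Trojan has reason to redirect.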

The Banbra.FTI Trojan is a new member of the extensive family of Trojans of the same name. The file containing this malicious code has a typical Windows image file icon. When run, the Trojan creates several files on the infected system and several keys in the Windows registry. It then waits until the user connects to a particular online banking service to steal the login details.

The Banker.LAX Trojan is designed to steal bank details. To do so, it downloads a file with numerous bank addresses onto the system and spies on users' Internet movements. The malicious code then compares the addresses entered in the browser bar with the entries of the downloaded file; if there is at least a partial match, the Trojan's fraud mechanism is activated.

This mechanism consists of redirecting users to a spoof Internet page, instead of the bank's original page. Meanwhile, the Trojan gains control of the browser bar and changes the spoof page for the legitimate one, so users don't suspect anything. On the spoof page, users are asked to enter their details for accessing the Internet. When they do, an error screen is displayed. Then, the data stolen is sent to the server. This dangerous malicious code also steals victims' files and service accounts (MSN Messenger or Outlook).

The Peregar.C Trojan is designed to fool users into installing a false antivirus. The procedure is as follows: when run, the malicious code opens an Internet Explorer window with a search in YouTube to distract users. Meanwhile, it modifies the system so that when users try to open a Windows Explorer or Internet Explorer window, an error screen with the following message is displayed:

"your system is infected with dangerous virus! Note: Strongly recommend to install antispyware program to clean your system and avoid total crash of your computer! Click OK to download the antispyware. . . . ."

If users agree to download the anti-spyware, they will actually be downloading the IEAntiVirus adware onto their computer. Additionally, Peregar.C displays false infection pop-ups so users pay to disinfect their system.

The WmaDownloader.G Trojan on the other hand, is distributed through P2P networks in the form of false files with MP3 and MPG extensions. When run, they connect to an Internet address that offers users the possibility of downloading a specific multimedia player.

Adware:

Xp-Shield is an adware (or advert-displaying program) which tries to pass itself off as an antivirus tool and uses the typical icon of the Security Center included in some Windows versions. When the file containing Xp-Shield is run, it creates several files on the system and a series of entries in the Windows registry. Once installed on the computer, it simulates a computer scan, falsely warning users that the system is infected and prompting them to register (by paying) the software to clean it. Also, it inserts a Security Center icon in the taskbar and displays pop-ups reminding users that the software has not been registered and the computer is still infected.

AdvancedXPFixer is adware (a program designed to display adverts) that tricks users into installing the program and tries to convince them that the computer has been infected. When the file containing the adware is run, a warning message appears indicating that the computer has been infected by spyware. Then a screensaver appears with cockroaches eating the desktop. Then other warning messages may appear and finally, a window with the adware itself, pretending to scan the system for other threats. Needless to say, it always finds a great deal of them, and offers the user the chance to remove them for a fee. If the fee is not paid, the adware continues to display warning messages.

Plugins:

An infected Mozilla Firefox plug-in has been distributed from the Firefox website in the last few months. The plug-in was for the Vietnamese language and ran files on a specific web page, downloading the Xorer.T malware onto the system. Although the plug-in can no longer be downloaded from the official Firefox website, users should check to see if they are infected.



Auction News - Please remember, our Vice President, Doug Prather, WINS#294, has taken on the task of running "Joe's Hat Drawing" and is accepting the donations (or the data), making the list and performing the actual drawing. If you would like to share part of your collection, like Joe did for so many years with fellow members, please send your donation (or data) to Doug. If you would like to donate one or more hobby-related items, but would prefer to remain anonymous, you can send those items directly to Doug.

Auction 50 is currently underway and scheduled to run from June 21 until June 28, 2008. Please take the time to have a look and place a bid.



As always, your comments and suggestions are welcome.

Thanks for stoppin' by.  "See ya' at the auction".
JD White
WINS#7, Operations Admin





Information contained on this page is posted for WINS Club Members use.
If you have any comments or problems with this or any other Club Site page,
please contact the: Operations Admin.

Copyright © 2008 All Rights Reserved.        Legal Notices