Numismatic Coin Club World Internet Numismatic Society


From Behind The Green Curtain
- October 2008 -

Howdy all,
It's hard to image that the first snows are just around the corner, but nighttime temperatures are already well into the freezing range up on this mountain. Just yesterday, or maybe it was the day before, we were harvesting all sorts of vegetables from the garden, but today I found myself shredding the garden's remains for composting. I guess that means winter is truly on the way, but on the bright side it also means that the Christmas Auction is also just around the corner. After you wade through my IT tripe, I hope you'll take a look at the Auction News discussing the Christmas Auction. Maybe you'll even help make it the best auction ever and consider participating as a seller.

It Can Happen To Anyone - Malware can attack anyone, even those of us that think our systems are protected. It has happened to several of us lately so in my last column I asked if any member would care to share their experiences with the group, below is one member's input:

Sent: Tuesday, September 02, 2008 7:42 PM

I've used AVG for years, and have never gotten any virus that has killed my computer--oh yes, I get viruses but they are always caught and quarantined and my computer is kept safe. (It caught 5 today) For Home users AVG is free.

They also have paid versions but the free one is REALLY good and is what I use. The business edition is where they charge and even that is very low when looking at the hyped-up Norton, or other big names.

At my Brother-in-law's business we have tested AVG right along side of Norton and many other virus scanners on computers we KNOW have a lot of virus. On one computer AVG found 10-times what Norton found (somewhere around 2000 viruses total)!

If anyone needs more info, or would even like a CD/DVD with program on it (in case you are on Dial-Up) I'll be glad to help.

Thanks, Spencer Guiley, WINS#398

If any other member would care to share their malware experiences, antivirus tips or just good IT tips, please contact me.

WINS Email Lists - Traffic is still very light, but it appears that the Lists are working problem free. If you are experiencing any List problems please let me know and I'll do what I can to help get it fixed.

Infection and Malware Alerts - Listed below are some new and continuing problems reported in September/October to keep your eye out for. However, keep in mind that it is estimated that some 400+ new malicious attacks are discovered daily. Information source, Panda Security's weekly report on viruses and intruders - "Virus Alerts".


YTFakeCreator is a program that allows cyber-crooks to create spoof YouTube videos aimed at infecting users with malware. Potential victims receive an email promoting a video supposedly containing sensational content (erotic images of celebrities, death of famous people, etc.) and invite users to click a link to the video. This technique is known as social engineering.

If they take the bait, users will be directed to a spoof YouTube page (shown here) and will see an error message explaining that the video cannot be loaded until a certain component is downloaded (a codec, an Adobe Flash update, etc.). They will be prompted to download it. However if they do, they will actually be downloading some type of malware onto their computers.

YTFakeCreator makes it easy to create these spoof YouTube pages; customizing the error message text and the time it takes to appear. It also allows cyber-crooks to insert the link to the malware to be downloaded onto users' computers, and even to create a false YouTube profile to enhance the realism of the page. And all of this can be done with just a single program (shown here). The malicious code distributed through these spoof pages can be chosen by the person creating the page: Viruses, worms, adware, Trojans...

The Singu.AM backdoor copies itself on computers under the name inetput.exe. When run, it installs itself as a computer service and opens a port on the victim's computer, so the attacker can control it remotely and carry out malicious actions: administer connections, capture keystrokes, configure connection parameters, access the Windows Registry, etc. This malicious code is distributed through P2P networks. To tempt users into downloading it, it uses social engineering techniques, passing itself off as a fake program, an erotic photo, etc.

Slenfbot.C is a bot that spreads by sending itself to users' MSN Messenger and IRC contacts. The file it sends out is called "MVC-Imagen008" and is compressed in zip format. Once run, this malicious code closes all open security applications for monitoring computer processes and traffic in order to make detection more difficult. It also creates some entries in the Windows Registry to ensure it runs even in Windows safe mode. Finally, it disables the Windows administration tools and prevents users from displaying hidden folders on the computer and using the Command Prompt window.

APop.A is a Java Script file that opens a series of Internet Explorer windows when run. One of these opens a page which claims to offer downloads of eMule, the well-known P2P file-sharing application. Both the Web page and the program are very similar to the originals, however, if users read the installation license carefully, they will see a text warning that the Navipromo adware will also be installed on their computer.

 - - WORMS: - -

AutoKitty.A worm is designed to spread to all computer drives and block the PC. This worm reaches computers as a Hello Kitty icon called "m_KITTYKAT.EXE". When run, it carries out numerous malicious actions:
* Blocks the right-click function.
* Blocks hidden folders.
* Modifies the User ID and Windows ID in System Properties:
* Disables access to the Registry
* Disables the MSDOS commandline
* Blocks access to the task manager.
This worm also copies itself to all the system drives, including the removable drives.

W32/MSNBot.D.worm is a Messenger bot designed to steal data (usernames, passwords, addresses...) which could then be used fraudulently. The file has an MSN Messenger icon in order to confuse users. When the file is run the process goes resident on the system, and the MSN Messenger process is continually injected in the system's services, with the obvious intention of waiting to capture data from the computer and then distribute it.

The file makes a copy of itself in C:\Windows and adds a registry entry in order to run on every system startup and to continue stealing data from the computer. This malware is normally distributed via email to contacts it captures in Messenger. Finally, it creates a .txt in C:\Windows to compile and save the stolen data.

P2PShared.M is a worm that spreads through P2P networks. It does this by copying itself to the folders of several P2P applications, under the guise of software programs, which are then downloaded by other users. The worm creates a copy of itself on the system and modifies the Windows Registry.

Earanc.A is a worm that spreads by copying itself to all removable drives on the computer. This way, whenever any such drive is connected to a new computer, it will infect it. Once run, the worm opens Windows Media Player and plays the video of a clock whose hour hand moves from 1 to 12 (shown here). This video is deleted after being played and replaced by a copy of the worm.

Autorun.AHS is a worm designed to spread through the floppy disk drive. When run on the computer, it modifies specific Registry entries to make it seem as though the Task Manager, Windows Registry, Folder options and Explorer files have been enabled. What it really does though, is replace the Internet Explorer start page for a malicious page. It also modifies the Windows Registry to run on every system startup.

 - - TROJANS: - -

The MeteorBot.A backdoor Trogan reaches computers as an icon called "iconos.exe". When run, it displays a photo of a young boy with no associated text (shown here). This malicious code is designed to open a silent Internet Explorer connection and leave it open to TCP traffic through port 81, connecting to a specific IP from which it receives its creator's instructions. MeteorBot.A repeats all its malicious processes every time the computer is restarted, making sure it is active in each new session.

The LowZone Trojan tries to steal personal information stored on users' computers (passwords, user names, etc.) to send to its creator through users' mail system.

The Trj/PHilto.A Trojanis an executable file that displays a video with adult content. It has an icon with an image of Paris Hilton, which when clicked displays a screen prompting users to download and view the video. If users choose the option to view the video, two new windows appear on the screen and the system connects to a web page to download the components needed (codecs) to view the video. A randomly-named, 303104-byte executable is downloaded, detected as Adware/NaviPromo.

The Goldun.TB Trogan reaches the victim's computer on an email attachment (shown here) pretending to be an ICS warning (an incorrect abbreviation of IPCS: Internet Service Provider Consortium), and indicating that the Internet connection will be suspended due to the user's violation of alleged author rights. The email attaches a supposed 6-month activity report which it refers to in the message body. This report is compressed in a .ZIP file. If users decompress and try to open the false report, they will be allowing a copy of the Goldun.TB Trojan onto their computer.

The Sinowal.VTJ Trojan, reaches mailboxes in an email pretending to come from a user who accuses the recipient of sending a virus to his computer via email. The email subject is "I am wait (sic) your reply" and it has an attached file it refers to in the email body, which supposedly contains proof of the user's sending of malicious emails.

On opening the file (.ZIP format) and running the content (executable file that looks like a PDF document), users will be entering a copy of the Sinowal.VTJ Trojan onto their computer. Once on the computer, this malicious code tries to download a configuration file from a Russian domain, previously used to distribute banker malware. It also releases a series of malicious files on the system. Using ingenious social engineering techniques, the cyber-crooks threaten users with cutting off their Internet connection or by taking legal action. This way, users are tempted into viewing the proof against them, and in doing so are infected.

Fakegooglebar.Z, a Trojan that modifies the page of the popular Google search engine to distribute fake antivirus programs. On opening Internet Explorer, Fakegooglebar.Z displays a warning informing that the computer might get damaged on visiting the web page the user is about to view. Then, if the user goes to the Google page, the malicious code inserts a message in it indicating that an unregistered version of "Antivirus 2009" has been detected and encouraging the user to activate the product through a link. If they do that, they are taken to a web site page (shown here) to download this fake antivirus.

Up to now, these rogue software programs were mainly distributed through spam messages with malicious links. In this case, however, cyber-criminals use a Trojan that changes the Google web page. This aims at avoiding raising suspicion among users, as this is a web page they might have visited hundreds of times. All this makes it more tempting to download the fake antivirus.

Then Earanc.A deletes all multimedia files on the infected computer and replaces them with a copy of itself with the following format: original file name.original extension.exe. It also changes the Registry so that file extensions and hidden files are not displayed, and disables the system restore feature and the registry tools. Finally, it changes the Internet Explorer window title to this: ++++ Makanya jangan handak buka BF ja, neh rasain oleh2 dari amang hacker ++++ .

Lydra.AO Trogan records users' activity on the infected computer and sends it to the malware author. To do so, it remains active in the Windows memory and starts capturing keystrokes and mouse movements. It also collects email addresses found in files with certain extensions. It stores the information gathered, together with the PC hardware and software data, and sends it to the malware author via email. To do so, it uses its own SMTP or MAPI engine.

Redvoz.A is a backdoor Trojan that connects to a remote server, which allows the creator to run arbitrary commands on the infected computer and take control of the system. This new malicious code creates a system service for managing network policies displayed by default by system services and third-party applications. This service is run continuously and cannot be stopped, making it difficult to remove. As the service is in a loop, the threat is recreated if it is deleted.

Banbra.GBQ Trogan is designed to obtain bank information from the user. This malicious code is distributed through email. To fools users, the executable file passes itself off as a Word document, and when run it opens a document in Portuguese in which users are asked to appear in the regional electoral committee (shown here). The idea is to distract users while the Trojan is infecting their computers.

The Spammer.AJR Trojan is designed to send spam from infected computers. These emails have interesting sounding subjects and include a link to a fake YouTube page (shown here). If users visit the page, a fake antivirus program will be installed on their system.

 - - ADWARE: - -

The VirusResponseLab2009 adware is another example of how false antivirus solutions are being used by cyber-criminals for financial gain. When run, this adware fakes a system scan, telling users that their computers are infected. It also sporadically launches a pop-up warning, from the taskbar, falsely claiming that the computer is being attacked from the Internet, or that the user is vulnerable to password theft. The real aim of this malicious code is to make users believe they are infected and consequently buy the antivirus solution offered in order to clean their computers of these (non-existent) threats.

Auction News - Auction 51 final - The following report on the Board's action concerning Auction 51 was posted to the WINS talk & trade Lists. It is repeated here for those participating members not on one of the email Lists.

Sent: Saturday, September 27, 2008 9:59 PM
Subject: WINS Auction News

Those of you that were watching Auction 51 probably saw the rather large bid placed by one member on Lot 25, and as you probably guessed it was placed in error. However, because the member didn't bother to check the auction page in the auctions remaining 42+ hours and failed to respond to email verification requests, the member didn't catch their error until the day after the auction closed. When he did realize the error the member requested the bid be withdrawn, but because the auction had already closed it caused a bit of a problem.

After 50 successful auctions conducted over 8 years nothing of this sort has ever happened, WINS members have always been more courteous than this. In a unanimous decision (Board Motion #2008-02) the member was allowed to work out a reduced bid with the seller and the seller has relisted the item. While the Board recognized that the bid had been placed in error, they also recognized that it is the member's responsibility to check the auction page in a timely manner to verify that bids had been recorded correctly. Combined with the non-response to email from the auctioneer requesting bid verification, the Board decided that the member should loose auction privileges for the next two auctions.

However, in the future any such bid retractions may very well result in a member's permanent loss of auction privileges. Members are solely responsible for their bids, and once the auction closes it is too late to make any bid changes.

Auction 53, our Christmas Auction is scheduled to open on November 22 and run for 2 weeks closing on December 6. For this auction, the number of items each seller may submit is increased to 20 Lots. And, as in past Christmas Auctions, sellers may offer "other collectibles" with the following considerations:

  • A numismatic item must accompany each "other collectibles" Lot.
  • Only 50% of the seller's Lots may contain "other collectibles".

Sellers may submit their lot data and images at anytime, but as always - earlier is better.

As always, your comments and suggestions are welcome.

Thanks for stoppin' by.  "See ya' at the auction".
JD White
WINS#7, Operations Admin


Information contained on this page is posted for WINS Club Members use.
If you have any comments or problems with this or any other Club Site page,
please contact the: Operations Admin.

Copyright © 2008 All Rights Reserved.        Legal Notices