Howdy all,
It's hard to image that the first snows are just around the corner, but nighttime temperatures are already well into the freezing range up on this mountain. Just yesterday, or maybe it was the day before, we were harvesting all sorts of vegetables from the garden, but today I found myself shredding the garden's remains for composting. I guess that means winter is truly on the way, but on the bright side it also means that the Christmas Auction is also just around the corner. After you wade through my IT tripe, I hope you'll take a look at the Auction News discussing the Christmas Auction. Maybe you'll even help make it the best auction ever and consider participating as a seller.

It Can Happen To Anyone - Malware can attack anyone, even those of us that think our systems are protected. It has happened to several of us lately so in my last column I asked if any member would care to share their experiences with the group, below is one member's input:

If any other member would care to share their malware experiences, antivirus tips or just good IT tips, please contact me.

WINS Email Lists - Traffic is still very light, but it appears that the Lists are working problem free. If you are experiencing any List problems please let me know and I'll do what I can to help get it fixed.

Infection and Malware Alerts - Listed below are some new and continuing problems reported in September/October to keep your eye out for. However, keep in mind that it is estimated that some 400+ new malicious attacks are discovered daily. Information source, Panda Security's weekly report on viruses and intruders - "Virus Alerts".

YTFakeCreator is a program that allows cyber-crooks to create spoof YouTube videos aimed at infecting users with malware. Potential victims receive an email promoting a video supposedly containing sensational content (erotic images of celebrities, death of famous people, etc.) and invite users to click a link to the video. This technique is known as social engineering.

If they take the bait, users will be directed to a spoof YouTube page (shown here) and will see an error message explaining that the video cannot be loaded until a certain component is downloaded (a codec, an Adobe Flash update, etc.). They will be prompted to download it. However if they do, they will actually be downloading some type of malware onto their computers.

YTFakeCreator makes it easy to create these spoof YouTube pages; customizing the error message text and the time it takes to appear. It also allows cyber-crooks to insert the link to the malware to be downloaded onto users' computers, and even to create a false YouTube profile to enhance the realism of the page. And all of this can be done with just a single program (shown here). The malicious code distributed through these spoof pages can be chosen by the person creating the page: Viruses, worms, adware, Trojans...

The Singu.AM backdoor copies itself on computers under the name inetput.exe. When run, it installs itself as a computer service and opens a port on the victim's computer, so the attacker can control it remotely and carry out malicious actions: administer connections, capture keystrokes, configure connection parameters, access the Windows Registry, etc. This malicious code is distributed through P2P networks. To tempt users into downloading it, it uses social engineering techniques, passing itself off as a fake program, an erotic photo, etc.

Slenfbot.C is a bot that spreads by sending itself to users' MSN Messenger and IRC contacts. The file it sends out is called "MVC-Imagen008" and is compressed in zip format. Once run, this malicious code closes all open security applications for monitoring computer processes and traffic in order to make detection more difficult. It also creates some entries in the Windows Registry to ensure it runs even in Windows safe mode. Finally, it disables the Windows administration tools and prevents users from displaying hidden folders on the computer and using the Command Prompt window.

APop.A is a Java Script file that opens a series of Internet Explorer windows when run. One of these opens a page which claims to offer downloads of eMule, the well-known P2P file-sharing application. Both the Web page and the program are very similar to the originals, however, if users read the installation license carefully, they will see a text warning that the Navipromo adware will also be installed on their computer.

AutoKitty.A worm is designed to spread to all computer drives and block the PC. This worm reaches computers as a Hello Kitty icon called "m_KITTYKAT.EXE". When run, it carries out numerous malicious actions:
* Blocks the right-click function.
* Blocks hidden folders.
* Modifies the User ID and Windows ID in System Properties:
* Disables access to the Registry
* Disables the MSDOS commandline
* Blocks access to the task manager.
This worm also copies itself to all the system drives, including the removable drives.

W32/MSNBot.D.worm is a Messenger bot designed to steal data (usernames, passwords, addresses...) which could then be used fraudulently. The file has an MSN Messenger icon in order to confuse users. When the file is run the process goes resident on the system, and the MSN Messenger process is continually injected in the system's services, with the obvious intention of waiting to capture data from the computer and then distribute it.

The file makes a copy of itself in C:\Windows and adds a registry entry in order to run on every system startup and to continue stealing data from the computer. This malware is normally distributed via email to contacts it captures in Messenger. Finally, it creates a .txt in C:\Windows to compile and save the stolen data.

P2PShared.M is a worm that spreads through P2P networks. It does this by copying itself to the folders of several P2P applications, under the guise of software programs, which are then downloaded by other users. The worm creates a copy of itself on the system and modifies the Windows Registry.

Earanc.A is a worm that spreads by copying itself to all removable drives on the computer. This way, whenever any such drive is connected to a new computer, it will infect it. Once run, the worm opens Windows Media Player and plays the video of a clock whose hour hand moves from 1 to 12 (shown here). This video is deleted after being played and replaced by a copy of the worm.

Autorun.AHS is a worm designed to spread through the floppy disk drive. When run on the computer, it modifies specific Registry entries to make it seem as though the Task Manager, Windows Registry, Folder options and Explorer files have been enabled. What it really does though, is replace the Internet Explorer start page for a malicious page. It also modifies the Windows Registry to run on every system startup.

The MeteorBot.A backdoor Trogan reaches computers as an icon called "iconos.exe". When run, it displays a photo of a young boy with no associated text (shown here). This malicious code is designed to open a silent Internet Explorer connection and leave it open to TCP traffic through port 81, connecting to a specific IP from which it receives its creator's instructions. MeteorBot.A repeats all its malicious processes every time the computer is restarted, making sure it is active in each new session.

The LowZone Trojan tries to steal personal information stored on users' computers (passwords, user names, etc.) to send to its creator through users' mail system.

The Trj/PHilto.A Trojanis an executable file that displays a video with adult content. It has an icon with an image of Paris Hilton, which when clicked displays a screen prompting users to download and view the video. If users choose the option to view the video, two new windows appear on the screen and the system connects to a web page to download the components needed (codecs) to view the video. A randomly-named, 303104-byte executable is downloaded, detected as Adware/NaviPromo.

The Goldun.TB Trogan reaches the victim's computer on an email attachment (shown here) pretending to be an ICS warning (an incorrect abbreviation of IPCS: Internet Service Provider Consortium), and indicating that the Internet connection will be suspended due to the user's violation of alleged author rights. The email attaches a supposed 6-month activity report which it refers to in the message body. This report is compressed in a .ZIP file. If users decompress and try to open the false report, they will be allowing a copy of the Goldun.TB Trojan onto their computer.

The Sinowal.VTJ Trojan, reaches mailboxes in an email pretending to come from a user who accuses the recipient of sending a virus to his computer via email. The email subject is "I am wait (sic) your reply" and it has an attached file it refers to in the email body, which supposedly contains proof of the user's sending of malicious emails.

On opening the file (.ZIP format) and running the content (executable file that looks like a PDF document), users will be entering a copy of the Sinowal.VTJ Trojan onto their computer. Once on the computer, this malicious code tries to download a configuration file from a Russian domain, previously used to distribute banker malware. It also releases a series of malicious files on the system. Using ingenious social engineering techniques, the cyber-crooks threaten users with cutting off their Internet connection or by taking legal action. This way, users are tempted into viewing the proof against them, and in doing so are infected.