Numismatic Coin Club World Internet Numismatic Society



From Behind The Green Curtain
- December 2008 -


Howdy all,
Without a doubt winter is here. It has been snowing for most of the past 2 weeks and there is sufficient snow built up that it would take several hours on the working end of a snow shovel just to get out of our driveway. Nah! I prefer to save myself for more important things like watching it snow while sipping on a hot cup of tea. I do have my priorities you know. While you celebrate the holidays I hope you'll take a moment to remember missing WINS friends for we have lost a great one this year - Joe Garbarini, WINS#9, my friend and one of the club's greatest advocates. You will be missed my friend.



WINS Email Lists - Traffic is still very light, but it appears that the Lists are working problem free. If you are experiencing any List problems please let me know and I'll do what I can to help get it fixed.



Infection and Malware Alerts - Listed below are some new and continuing problems reported in November/December to keep an eye out for. Keep in mind that this is only a sample: it is estimated that 400+ new malicious programs are discovered daily. Information source: Panda Security's weekly report on viruses and intruders, "Virus Alerts".

 - - MALICIOUS CODE: - -

BitTera.C is a malware construction kit: a tool able to generate hundreds of malicious programs without requiring any programming knowledge. Malware creators can customize features such as type, effects, encryption and polymorphism. Among other malicious actions, it lets cyber-crooks build programs that:
- Disable system features including the Registry editor, the Task Manager, System Restore, security programs, the firewall, Automatic Updates and Messenger
- Hide the Start button, the system clock, desktop icons, etc.
- Close Internet Explorer every 10 seconds
- Switch the computer off every 5 minutes
- Format hard disks.
All these actions are selected from a console by simply ticking the corresponding checkbox.

 - - WORMS: - -

MSNPhoto.A is a worm that spreads through MSN Messenger. To do so, it sends a message with an infected file to all of the affected user's contacts in the hope that they accept it and become infected. It also creates a key in the Windows Registry to ensure it is run every time a session is started. It disables several functions, including the system console and System Restore, and modifies the hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) to prevent access to several Web pages, most of them IT security-related, so users find it harder to remove the worm from their computer.
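
The hosts-file trick above is easy to check for yourself. The following is an added example (it is not code from the newsletter or from Panda Security): it parses hosts-file text and flags any entry for a security-related domain, whether it points the name at the local machine (blocking) or at some other address (redirection). The watchlist of vendor domains and the sample hosts file are constructed for illustration; the script runs on any platform, and on a Windows machine you would pass it the real file at the path shown.

```python
"""Hosts-file tamper check (added example, not from the newsletter or Panda).

Worms such as the one described above block access to security sites by
appending lines to the Windows hosts file.  This script parses hosts-file
text and reports every entry that touches a domain on a watchlist of
security-related names.  The watchlist and the sample file are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumption: a short watchlist of security-vendor domains; extend as needed.
SECURITY_DOMAINS = {
    "pandasecurity.com",
    "update.microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
}

# Default location of the file on Windows (only used if you read a real file).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping in hosts-file text.

    Comments (# ...) and blank lines are skipped; one line may map a single
    IP to several names.  Lines whose first token is not a valid IP address
    (for example the Microsoft header comment) are ignored.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((no, parts[0], name.lower().rstrip(".")))
    return entries


def _is_watched(hostname: str) -> bool:
    # Match the domain itself and any subdomain of it.
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacked_entries(text: str) -> List[Dict[str, object]]:
    """Flag hosts entries that name a watched security domain.

    kind == "blocked"    -> mapped to a loopback or unspecified address
    kind == "redirected" -> mapped to any other address (possible attacker host)
    """
    findings = []
    for no, ip, name in parse_hosts(text):
        if not _is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": no, "ip": ip, "host": name, "kind": kind})
    return findings


# Constructed sample: the two default entries plus the kind of lines a
# hosts-modifying worm appends.  Not taken from any real infection.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.pandasecurity.com pandasecurity.com
127.0.0.1  update.microsoft.com
0.0.0.0    liveupdate.symantec.com
203.0.113.10   www.mcafee.com   # sent to a third-party host instead of blocked
"""

if __name__ == "__main__":
    for f in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['host']:<28} -> {f['ip']:<15} [{f['kind']}]")
```

A clean Windows hosts file contains only the localhost lines (and whatever you added yourself), so any hit from this check deserves a look; a "redirected" hit is the more dangerous case, since the vendor's site may be replaced by a page that serves more malware.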

Gimmiv.C is a worm designed to exploit one of the latest Microsoft Windows vulnerabilities (MS08-067). When run on the computer, it drops two malicious files onto the system. One of them, vista.exe, is an IP scanner that sweeps the local subnet looking for computers with port 445 (Windows file sharing) open. The worm then runs a second, downloaded file (Mrosconfig.exe) which carries the actual MS08-067 exploit and uses it against the vulnerable computers found by the scan. It also makes one of the computers download further malware by connecting to a certain URL. Microsoft released the MS08-067 patch (KB958644) in October 2008, and a computer that has applied it cannot be infected this way, so make sure Automatic Updates is on and that update is installed.

Boface.G is a worm designed to spread on social networks such as MySpace or Facebook. It posts a link to a fake YouTube video on the infected user's profile or contacts panel, or sends the contacts a private message containing the link. When they try to watch the video (which appears to come from one of their friends) they are taken to a Web page that urges them to download a "Flash Player update" in order to view it. If they do, they let a copy of the worm onto their computer and it goes on to target all of their contacts. A genuine Flash Player update is never delivered through a video link; get it only from Adobe's own site.

Nakhatar.A is a worm that installs itself on computers disguised as a Windows folder. When run, it closes some security and Registry monitoring tools. It also disables other options, including the Windows Task Manager.

P2PShared.U is a worm spread by a fake email message that pretends to be a special Christmas promotion from McDonald's but is really bait to spread the worm. The message subject is "Mcdonalds wishes you Merry Christmas!" and the body reads as follows:
"McDonald's is proud to present our latest discount menu. Simply print the coupon from this Email and head to your local McDonald's for FREE giveaways and AWESOME savings."

Autorun.AOL is a worm that spreads by exploiting an old Microsoft Windows vulnerability (MS04-011, patched in April 2004). It tries to connect to an IRC channel where it awaits its creator's instructions, and it can be directed at any of the system's ports. It also spreads through external drives.

MoonLight.V is a worm designed to send spam to the contacts stored on users' computers. It attaches a copy of itself to the spam messages in order to spread, and uses its own SMTP engine to send the emails. Spam message subjects include:
* Tolong Aku..
* Registration Confirmation
* RE:HeLLO GuYs
It also spreads through P2P networks.

 - - TROJANS: - -

Downloader.UYC is a malicious script designed to download the Downloader.UYD Trojan, which in turn infects computers with other malware. To fool users and conceal its actions, once run the script displays an Internet Explorer window. The Trojan downloaded by Downloader.UYC is also designed to stop the firewall from blocking the download of further malware.

Wow.VM spreads in a file called Love.jpg, posing as a harmless screensaver. When run, it displays a picture of a teenage girl while, in the background, it carries out a series of malicious actions. This Trojan is designed to steal login details (user name and password) for online games such as World of Warcraft. The stolen information is then sent to the creator of the malware via the Web. Wow.VM uses stealth techniques to avoid being noticed by the user; once installed on the computer, it deletes the original file from which it was run.

Auraax.C reaches computers disguised as a Word file. This worm makes copies of itself on the removable drives of the infected system. It also adds itself to the list of authorized applications in the Windows Firewall so that its own network traffic is not blocked, allowing it to spread across the Internet.

The BankoLimb.BW Trojan modifies banking Web pages inside the browser in order to steal users' passwords when they log in. To do this, it registers as a Browser Helper Object (BHO), an add-on loaded by Internet Explorer, so it can monitor the pages users visit. When a user visits one of the targeted banking pages, the Trojan injects its own HTML into the page and captures all the information entered, which is then sent to the creator of the Trojan. It also allows remote execution of code, letting an external attacker control the system.

The Spammer.AKE Trojan is designed to send junk mail from infected computers. Once it has infected a computer, it downloads a file from the Internet containing the addresses to spam and the subjects to use. These messages contain a link claiming to point to some photos but which actually leads users to a malicious file.

Bankolimb.BX is a Trojan that monitors users' surfing habits and is activated when online banking pages are accessed, in order to steal passwords, credit card details, PINs, etc. It also steals passwords from the browser's auto-fill service and from the Windows password cache. To do so, the malicious code registers as a BHO (Browser Helper Object) in Internet Explorer. It is also designed to open a backdoor on the computer and connect to remote servers.

Banker.LAX, which affects Firefox only, is a Trojan designed to steal bank details. To do this, it drops a library on the targeted computer that passes itself off as a legitimate Firefox plug-in. Then, when the user accesses their bank's website, the malicious code captures all the information entered. The malware creator uses this information to empty the user's accounts. This malware can steal passwords for more than one hundred banking institutions.

Sinowal.VXR is designed to steal bank passwords and send them to its creators, allowing them to steal money from users' accounts. To obtain this information, Sinowal.VXR monitors users' activity on the Internet and, when they access certain bank Web pages, redirects them to a spoof page. There they are asked for a series of data including their user name and password, as well as other "memorable information" such as their favorite film, book or destination. Cyber-crooks collect this extra information because email accounts and similar services often ask these same questions when a user has forgotten their password, so the answers give access to other private data. The information is encrypted and sent via an HTTP POST to an external server which stores everything gathered.

Emogen (named Jumper Trojan by its creators) is a backdoor Trojan that comes with a tool for managing infections. Through this malicious code, attackers can: manage files, capture screenshots, capture webcam shots, capture keystrokes (keylogger activity), steal passwords, manage installed applications, manage processes, etc. Emogen can even chat with the infected victim, and the console reports statistics on the infections.

 - - VIRUS: - -

Azero.B is designed to infect executable files by inserting its malicious code at the beginning of them. It also replaces the computer wallpaper with an image bearing the text "Hello Administrator! If you have seen me you are same as a Fool guy".

Salita.AN is a virus with a malicious payload that stops the computer from working properly. It prevents Internet Explorer from working in offline mode, disables access to the Windows Registry and Task Manager, and switches off warnings from the Windows Security Center. It also deletes the Windows Registry entries related to Safe Mode, so the system cannot be started that way for cleaning. The virus spreads by copying itself to all system drives, USB devices and shared drives.

 - - ADWARE: - -

AntivirusPro 2009 is a malicious program that passes itself off as a trial anti-malware solution. Once installed, it makes users believe their computer is infected in order to get them to purchase the full, paid version of the fake antivirus. This is how cyber-crooks profit from these infections. Panda's collected data estimate that over 30 million computers worldwide could be infected by fake antiviruses.

WinWebSecurity2008 is fake-antivirus adware. When run, it simulates the download of a security tool and then pretends to scan the system, finding dozens of infections. It then offers to remove the supposed malware; if users accept, the program tells them they are not registered and redirects them to a Web page where they must pay to disinfect the computer. None of this is real: both the detected infections and the security tool are fake. The aim is simply to convince users they are infected and get them to buy the tool, in short, to make money for its creators.

PCDefender2008 is "fake antivirus" adware that reaches computers under the name pcdefender2008Install.exe. Once installed, it simulates a scan to make users believe they are infected by dozens of malware samples. Its aim is to get users to purchase the fake antivirus it promotes. Once the fake scan is over, users are offered the option of neutralizing the supposed infections, and if they accept, a screen appears giving them two choices: buy the antivirus or remain infected.

On purchasing the product, users are redirected to the Web page of the fake product, created by cyber-crooks. If they do not purchase it, the adware will constantly display reminder messages to infected users, which is extremely annoying.

Antivirus360 is a fake antivirus. As with all malware of this type, it is designed to make users believe their computers are infected and then sell them a version of the fake antivirus. Users who decide to buy the product are shown a Web page where they can enter their payment details, which go straight to the crooks.



Auction News - With only 6 days before the Christmas Auction was due to start so few items had been submitted that I was considering canceling the auction. I figured maybe the times were too tough for anyone to be interested, but I was mistaken. Auction 53, our Christmas Auction, was quite a success, made possible by the 16 members who offered 172 hobby-related items. There were 35 participants in total, not too shabby for such turbulent economic times.

As many of you know we had another problem pop up during the auction requiring Board intervention. I won't rehash it, suffice it to say that the Board handled the problem and we all hope that the member with the problem can get things straightened out and rejoin us soon. Unfortunately, this little problem has also necessitated that the Auction Rules be revised. That is being addressed and should be in place before the next auction.

Auction Schedule - The 2009 auction schedule is posted on the Auction introduction webpage. Auction 54 is scheduled for January 24-31, 2009, and sellers may submit their lot data and images at any time, but remember earlier is always better.

As always, your comments and suggestions are welcome.

Thanks for stoppin' by.  "See ya' at the auction".
JD White
WINS#7, Operations Admin





Information contained on this page is posted for WINS Club Members use.
If you have any comments or problems with this or any other Club Site page,
please contact the: Operations Admin.

Copyright © 2008 All Rights Reserved.        Legal Notices