Numismatic Coin Club World Internet Numismatic Society



From Behind The Green Curtain
- April 2009 -


Howdy everyone,

Here we are once again at the newsletter section that's probably the least hobby-related or exciting. Hopefully before you doze off you'll pick up a couple of tidbits that will save you some time and trouble down the road.



"Coins As Art" Contest, Part Deux - At the time of this writing there is still 1 week remaining to submit your entries. Take a look at the contest particulars and prizes here and consider entering. The prizes are well worth the effort.



WINS Email Lists - Traffic remains very light on the talk list and almost nonexistent on the trade list, but they both appear to be working problem-free. If you are experiencing any List problems please let me know and I'll do what I can to help get it fixed.



Auction News - The 2009 auction schedule is posted on the Auction introduction web page. Auction 55 was a very good auction and funds were raised for both the club's Treasury and the Boy Scouts. Auction 56 is scheduled for May 2-9 and sellers still have a few days to submit their lots.



Infection and Malware Alerts - Listed below are some new and continuing problems reported in January/February to keep your eye out for. Information source: Panda Security's weekly "Virus Alerts" reports on viruses and intruders.

 - - WORMS: - -

Conficker.D, the new variant of the Conficker worm, connects to numerous servers to update. Like other variants in this family, this worm uses the MS08-067 Microsoft Windows vulnerability to spread. Apart from allowing the worm to enter the computer, this vulnerability lets the attacker take several actions on the infected computer, even allowing control of the computer. This worm also spreads through USB devices, such as memory sticks and MP3 players. This worm updates every day and downloads new versions of itself onto the infected computer from Web pages that constantly change their URL to make them more difficult to block.

The p2pworm.AF worm changes the extension of files such as Explorer.exe, Hh.exe and Regedit.exe to .hid. It also copies itself to the Windows folder with the .exe extension. To spread, it creates several copies of a malicious file in the system32\hidrofobus folder with names of various games and programs. Then, it shares the file through the Kazaa P2P file-sharing application to infect other users.
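As an added illustration (not from the newsletter or from Panda Security's report), here is a small Python triage check for the p2pworm.AF artifacts just described: system executables renamed to .hid, and a system32\hidrofobus folder holding the worm's copies. The function names and the sample folder it builds are mine, and the file names placed inside the hidrofobus folder are constructed placeholders.

```python
# Added example: host triage check for the p2pworm.AF artifacts described above.
# It inspects a Windows-style folder tree for (a) the system executables the worm
# renames to a .hid extension and (b) the system32\hidrofobus folder holding its
# copies. The sample tree is constructed in a temp directory so the check runs
# offline; folder and file names for the indicators come from the description.
import os
import tempfile

RENAMED_TARGETS = ("explorer", "hh", "regedit")       # executables renamed to .hid
DROP_FOLDER = os.path.join("system32", "hidrofobus")  # folder holding shared copies


def triage(windows_dir):
    """Return a sorted list of indicator strings found under windows_dir."""
    findings = []
    for name in os.listdir(windows_dir):
        stem, ext = os.path.splitext(name)
        # a renamed system executable: e.g. Explorer.exe became Explorer.hid
        if ext.lower() == ".hid" and stem.lower() in RENAMED_TARGETS:
            findings.append(f"renamed system file: {name}")
    drop = os.path.join(windows_dir, DROP_FOLDER)
    if os.path.isdir(drop):
        # every file in the drop folder is a copy the worm shares over P2P
        for name in os.listdir(drop):
            findings.append(f"dropped copy: {os.path.join(DROP_FOLDER, name)}")
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a fake Windows folder showing the described artifacts."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, DROP_FOLDER))
    # three renamed system files plus one untouched executable as a control
    for name in ("Explorer.hid", "Hh.hid", "Regedit.hid", "notepad.exe"):
        open(os.path.join(root, name), "w").close()
    # constructed placeholder names standing in for "various games and programs"
    for name in ("some_game.exe", "some_program.exe"):
        open(os.path.join(root, DROP_FOLDER, name), "w").close()
    return root


if __name__ == "__main__":
    for line in triage(build_sample_tree()):
        print(line)
```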

MSNworm.FZ is a worm that spreads by using the instant messaging program MSN Messenger. It attaches itself to messages passing itself off as a picture file, and sends itself to the victim's contact list. To trick users, once run it shows an error message indicating that the "picture can not be displayed". The worm also modifies the Microsoft Internet Explorer home page and creates a key in the Windows Registry to ensure it is run every time the session is started.

Autorun.ITS is a worm designed to carry out several modifications to the Windows Registry, which prevent the computer from working correctly. However, due to a programming error it only prevents the user from taking the following actions:

* Running quick and direct searches, as it disables the Find option in the Start menu.
* Restoring the system to a previous status.

This worm also modifies the desktop background, replacing it with the Windows default background. It also modifies the homepage of Internet Explorer.

Conficker worm (also known as Downadup or Kido) can steal your data from your PC including your keystrokes and personal information and attack other PCs or send out email. It can also prevent you from accessing security websites to get help or update your virus definitions.

IRCBot.CML is a worm that allows remote intruders to access and control the computer via IRC. This worm passes itself off as a photo to reach computers, but once run displays an error message with the text: "Picture can not be displayed". Next, IRCBot.CML opens several ports and tries to connect to an FTP server to send the user's data, keystroke captures, etc. This worm spreads through MSN Messenger, trying to infect all the user's contacts.

Waledac.AX is a worm that is distributed through the SMTP mail protocol. It sends two types of mails, one to infect victims and another in the form of advertising messages or spam. Below are some of the subjects used:
"Can your health problems be solved"
"Give you lover new intimate feeling."
"Which one of enlarhing products really work?"

Additionally, it is distributed through different Web pages, one of which offers an application that supposedly allows users to read third-party SMSs. On downloading the application, users actually download the worm onto their computer. This worm is also designed to steal passwords and email addresses, which it encrypts and sends to different IP addresses.

 - - TROJANS: - -

Bankolimb.CH Trojan is designed to obtain confidential user information such as passwords and user names. It also drops other malware on the infected computer. To do this, it adds itself to the list of programs allowed by the Microsoft Windows firewall. Then, it connects to a URL to download the Agent.KKI Trojan. This malware is created to take other malicious actions on the computer.

Whizz.A Trojan is designed to hinder the computer's performance. It shows a window with the title "System Error" and the message "Hallo du Nase dein Pc ist schrott". Next, the computer starts beeping. Also, the cursor moves on its own uncontrollably and the computer slows down considerably. Finally, the Trojan covers the screen progressively with red shading.

BadGorve.H Trojan is designed to eliminate files with certain extensions (JPG and WMV among others) from specific directories on the infected computer, causing a significant loss of user information.

Bancos.TZ Trojan, once run on computers, displays an Internet Explorer window with special promotions from the Vodafone mobile phone company while it downloads malware from a URL. This malware steals users' bank details when they log on to the website of some specific banks. This information is later sent to the malware creator via email. The Trojan also accesses the targeted users' Microsoft Outlook and MSN contact list and sends them an email to infect them.

SpyForms.BZ Trojan is designed to steal instant messaging and email account information. It also steals information sent through different protocols: HTTP, FTP, POP3, IMAP and ICQ. Finally, it steals information entered by users in online forms. All this data is sent to the malware creator by connecting to a specific Web page.

Nabload.DLU Trojan passes itself off as a funny video to trick users while downloading another malicious code to the target computer in order to steal online banking details. The process is as follows:

The Trojan reaches the targeted computer as a greetings video. When the user opens the file, the Trojan loads a funny video from the Internet, while simultaneously downloading another malicious code: Banker.LRX. This malware is designed to steal login credentials for several online banking entities.

Nabload.DLU also modifies the Windows Registry in order to activate every time the user restarts the computer. This way, it ensures it is always active on the system.

Banker.LSJ Trojan, when run, opens a spoof bank application which informs users that the program is about to update. It then displays a window requesting users' bank details. If users provide them, the information is sent by the Trojan to its creator.

Banker.LSL Trojan displays a YouTube religious video as a decoy while it takes its malicious action: stealing data from the computer, mainly passwords. The Trojan uses keylogging techniques to capture the following:

* Key strokes
* Mouse movements
* Mouse clicks
* Screenshots
* Online forms filled in by the user.

The Trojan downloads a series of TXT files where it saves the information it has obtained, and tries to send them to an external host.

Hiloti.A Trojan sets the Mandatory Integrity Control (MIC) level to low. This way, it can run any file downloaded without the user noticing. In this case, it downloads the Lop adware, designed to show advertising messages. Additionally, this Trojan registers itself in Internet Explorer as a BHO (Browser Helper Object), monitoring Internet browsing. If users use Firefox, the malware injects code into the monitored pages (over a hundred domains) to redirect searches carried out on those domains to pages that contain more malware to be downloaded.

SMSlock.A is a blackmailer Trojan that blocks users' computers and asks for a ransom payment. Once the computer is blocked, it displays a screen in Russian requesting users to send an SMS with a specific text, which changes randomly, to a phone number.

 - - ADWARE: - -

AntiSpyware3000 is an adware aimed at selling users a fake antivirus. It is actually an update of another fake antivirus detected as Antivirus XP Pro. Like all fake antiviruses, AntiSpyware3000 installs on the computer trying to pass itself off as a security solution. Then, it starts a spoof scan of the system, making the user believe it is actually finding viruses on the computer, which is completely untrue. It then offers users the option to eliminate the malware by buying a pay version of the fake antivirus.

Malwaredefender 2009 is adware posing as a fake antivirus. On reaching computers, this adware, like most of its kind, simulates a malware scan to pass itself off as an antivirus. During the scan it supposedly detects several examples of (non-existent) malware in order to worry users. It then invites them to buy the pay version of the fake antivirus to eliminate the malware it claims to have detected, opening a registration window. On registering, users are redirected to a Web page to download the Premium version of the fake antivirus.

Renus2008 is a fake antivirus type of adware. Once run, it shows a screen simulating a computer scan. The malicious code gives the possibility of performing a quick or an in-depth scan of the computer. Also, users can configure different aspects of the fake antivirus as if it was a real one. Once the fake scan finishes, a warning message is displayed indicating that some infected files have been found on the system. However, these files do not exist.

Users are offered the option to disinfect their computers through the "Remove Viruses" button on the scan screen. If they do so, a window is displayed inviting them to register and buy the paid version of the fake antivirus.

PrivacyCenter is a fake antivirus. Like other adware of this type, it makes users believe they are infected, displaying a warning and carrying out a spoof system scan from the Internet to display infections that do not exist. Once the scan is complete, it offers users the possibility of downloading a version of the antivirus. On accepting, users download a file called SCANNER.EXE. When run, this file installs the fake security program without the user being able to Cancel or Close the installation, as these options are disabled, and the process of displaying false scans is repeated.

SystemProtector is an adware that installs on targeted computers from a malicious Web page. If a user visits the page, a message is displayed informing them that they are infected and offering a free antivirus to fix the problem. However, if the user downloads the 'antivirus', they will be letting the SystemProtector adware into their system. Once run, the adware carries out a false scan of the system and detects dozens of malware samples, which are actually not present on the PC. It then offers users the option to eliminate the malware, buying a paid version of the fake antivirus.

PersonalAntivirus is a fake antivirus. As with all such adware, PersonalAntivirus is designed to convince users that the system is infected with malware. To do so, it performs a false scan of the affected system, during which it detects several malware samples. If users click "Remove", a form will be displayed asking users to pay for the license, and a false warning message will appear indicating the computer is at risk.

AVAAntiSpyware is adware aimed at selling users a fake antivirus. This adware, like all of its kind, simulates a system scan, detecting several malware variants which are really not on the computer. It then displays a window in which users can purchase a "Premium" version of a product to delete the supposed malware, or continue unprotected. If users decide to continue unprotected, the malicious code starts displaying warnings and windows informing users they are infected, so they purchase the Premium version.

However, if users decide to purchase the pay version, they will be asked to pay a "reasonable" sum. The only difference on activating the pay product is that false detection warnings will disappear in subsequent scans.



As always, your comments and suggestions are welcome.

Thanks for stoppin' by.  "See ya' at the auction".
JD White
WINS#7, Operations Admin





Information contained on this page is posted for WINS Club Members use.
If you have any comments or problems with this or any other Club Site page,
please contact the: Operations Admin.

Copyright © 2009 All Rights Reserved.