Antivirus News


MicroWorld Offers ‘Free Virus Scan and Clean’

Posted in Viruses, Worms, Trojans, MicroWorld, SpyWare by Antivirus-News on the January 13th, 2007

MicroWorld Technologies, a provider of antivirus and content security products, is offering a free security check-up and repair for viruses and other malware on computers, as part of its New Year celebrations.

MWAV 8.x from MicroWorld comes with some new power-packed features to enhance its detection power and usability. Apart from the new and improved GUI, MWAV now detects and removes spyware and adware, while also cleaning the registry entries made by these harmful programs.

“Many a time the first-time users of MWAV are shocked to find out some nasty Trojans and spyware in their computers for months and years,” says Manoj Mansukhani, head, technology and marketing, MicroWorld Technologies.

“This free check up will benefit several computer users, while giving them a first hand experience of our technological edge over the competitors”.

MWAV is simple to install: it consists of downloading and running the toolkit, which scans the computer right away. MWAV also provides an option to add itself to the PC’s list of startup programs so that the toolkit scans the computer on startup. The free version of MWAV can be downloaded from http://www.mwti.net/products/mwav/mwav.asp. This version will scan and clean the computer of any threats with the latest updates up to 15th February 2007.

“We are witnessing unprecedented growth in business volumes and market explorations in the last year, owing to intention of creating and enhancing a Futuristic Security Intelligence in each of them,” says Govind Rammurthy, CEO, MicroWorld Technologies.

MicroWorld updates its virus vaccines every hour in all its products, giving protection against viruses, worms, Trojans, Trojan clickers, vulnerability exploits, Trojan downloaders, spyware, adware, keyloggers, backdoors, rootkits and many other such breeds.


Panda looks at Gagar, Mitglieder and RaHack.BB worm

Posted in Worms, Trojans, Panda by Antivirus-News on the January 11th, 2007

Panda Software’s weekly report on viruses and intruders looks at the Gagar CC and Mitglieder.LX Trojans, and the RaHack.BB worm.

Gagar CC is a Trojan that connects to a certain IP address and downloads another Trojan called Alanchum.MU. The latter, in turn, downloads the following malware onto the infected computer:

* Duel.A: This worm uses specific techniques in its code in order to hide while it is active.

* Nuwar.B: This Trojan spreads via email and downloads another Trojan, Gagar.CB, onto the infected computer.

* Spammer.ER: This is a Trojan that provides the email addresses to which to send Nuwar.B.

The second Trojan we are looking at this week is Mitglieder.LX. This malicious code downloads a file from several web pages and runs it on the computer. The downloaded file is a variant of the Bagle worm. It passes itself off as a crack (a tool for removing protection from original software) for a certain program.

RaHack.BB is a worm with no destructive effects. Its main purpose, as with all worms, is to spread to other computers. It can infiltrate computers which have the Radmin remote-administration application by exploiting weak passwords. Similarly, if the compromised computer is part of a network, RaHack.BB will try to access shared resources on the network and copy itself to them.

All users that want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free, online solution. This allows users to thoroughly scan their computers if they suspect they have been infected.


The Gagar CC and Mitglieder.LX Trojans, and the RaHack.BB worm

Posted in Viruses, Worms, Trojans, Panda, SpyWare by Antivirus-News on the January 7th, 2007

Gagar CC is a Trojan that connects to a certain IP address and downloads another Trojan called Alanchum.MU. The latter, in turn, downloads the following malware onto the infected computer:

* Duel.A: This worm uses specific techniques in its code in order to hide while it is active.

* Nuwar.B: This Trojan spreads via email and downloads another Trojan, Gagar.CB, onto the infected computer.

* Spammer.ER: This is a Trojan that provides the email addresses to which to send Nuwar.B.

The second Trojan we are looking at this week is Mitglieder.LX. This malicious code downloads a file from several web pages and runs it on the computer. The downloaded file is a variant of the Bagle worm. It passes itself off as a crack (a tool for removing protection from original software) for a certain program.

RaHack.BB is a worm with no destructive effects. Its main purpose, as with all worms, is to spread to other computers. It can infiltrate computers which have the Radmin remote-administration application by exploiting weak passwords. Similarly, if the compromised computer is part of a network, RaHack.BB will try to access shared resources on the network and copy itself to them.

All users that want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free, online solution available at: www.pandasoftware.com/activescan. This allows users to thoroughly scan their computers if they suspect they have been infected.

The Nuwar.B worm wishes you a Happy New Year…

Posted in Viruses, Worms, Panda by Antivirus-News on the January 2nd, 2007

Madrid, December 29, 2006 - PandaLabs has detected the presence of emails containing Nuwar.B, a new variant of the Nuwar family of worms. This malicious code uses the New Year as a ruse to infect computers. However, oddly enough, this is not a malicious code designed to cause an epidemic or damage computers but to artificially drive up certain prices on the stock market.

Nuwar.B reaches computers in a message with the subject “Happy New Year!”. The message text is blank, and includes a file with the name postcard.exe, which contains the worm. Also, in order to gain credibility, it spoofs the sender’s address, pretending to come from various users.

If the target user runs the attached file, Nuwar.B copies itself to the system. However, instead of massively sending itself out like most email worms, it downloads a copy of the Spammer.EN Trojan to the computer. The Trojan then connects to certain email servers in order to send out spam to the addresses it finds on the affected system. This spam contains publicity trying to convince users to buy certain stocks to increase their price rapidly.

Everything seems to indicate that the creator(s) of Nuwar.B have sent out the worm as spam, manipulating certain email servers in an attempt to distribute it as quickly as possible. The proactive TruPrevent(TM) Technologies have detected Nuwar.B without prior identification, so computers that have them installed have been protected from the outset.

According to Mikel Perez, Director of the Malware Detection Department of PandaLabs, “This is just another turn of the screw in the field of cyber-crime. In this case we see how an email worm, a type of threat clearly in decline as a result of the new financial motivation behind the actions of malware creators, is also being used to make money. Most probably this is a criminal that has bought stocks at a low price, and has endeavored to increase their price and obtain large benefits by spreading Nuwar.B”.

Hackers Spam ‘Happy New Year’ Worm

Posted in Viruses, Worms, F-Secure, Kaspersky by Antivirus-News on the December 30th, 2006

A rootkit-cloaked worm is being heavily spammed to users as an attachment to “Happy New Year!” messages, a security researcher warned Friday.

The new worm, dubbed “Tibs” by Kaspersky Lab but pegged as a “Nuwar” variant by Trend Micro, comes disguised as a file attachment named “postcard.exe,” said Ken Dunham, director of VeriSign iDefense’s rapid response team, in an e-mail. Users who launch the executable will infect their PCs.

With antivirus signature updates still thin and over 160 servers spamming the new worm, the threat is significant, added Dunham. “The period of greatest risk is through the New Year’s holiday, when antivirus protection is the lowest for this new threat and users are most apt to click on a ‘New Year’s’ related message,” he said. “Everyone should be on guard for e-mails and other content potentially harboring malicious code during the holiday period.”

On at least one network the worm is generating as many as five spammed messages a second, iDefense reported.

The security intelligence firm’s research has identified more than a dozen pieces of malicious code — including zombie-making bot Trojans — installed by Tibs after it has gained a foothold on a PC. Two rootkits are also installed to mask the malware from antivirus scanners, and the worm also disables the Windows firewall, as well as several security programs, including F-Secure’s BlackLight rootkit scanner. The worm spreads by spamming itself to addresses it steals from the user’s files.

“This is a classic iceberg threat,” said Dunham, “where multiple codes are installed and then protected with rootkit technology.”


New web worms causing havoc

Posted in Viruses, Worms, Trend Micro by Antivirus-News on the December 29th, 2006

A recent wave of web worms appearing on social networking websites represents a new generation of more sophisticated computer worms.

Early forms of the computer threats classified as “worms” were intended more for causing havoc or were designed for proof-of-concept purposes to determine if vulnerabilities could be exploited.

Recently, however, new worms have been discovered on social networking sites such as MySpace, which are designed to steal data.

These new worms employ cross-site scripting (XSS) flaws found on many websites.

XSS is defined on the Whatis.com website as a security exploit in which the attacker inserts malicious codes into a link that appears to be from a trustworthy source. When the user clicks on the link, the embedded programming is submitted as part of that user’s web request and can execute on the user’s computer, typically allowing the attacker to steal information.

Web server applications that generate the web pages dynamically are vulnerable to this type of exploit if they fail to validate user input.
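As an added illustration of the input-handling failure described above (this is example code, not from the article or from any of the sites it names), here is a minimal profile-page renderer of the kind a social networking site might use, first without output encoding and then with it; the profile data and function names are constructed for the example.

```javascript
// Constructed profile as a user might submit it. The "about" field carries a
// script tag standing in for stored user-supplied markup; whether it runs in a
// viewer's browser is decided entirely by how the renderer writes it out.
const storedProfile = {
  name: "demo_user",
  about: 'Hi everyone! <script>document.title = "not text"</script> See my photos.',
};

// Vulnerable renderer: user-controlled strings are concatenated straight into
// the HTML, so any tag stored in the profile is parsed as markup by every
// visitor's browser (the flaw class behind profile-based web worms).
function renderProfileVulnerable(profile) {
  return `<h1>${profile.name}</h1>` +
         `<div class="about">${profile.about}</div>`;
}

// HTML-encode the five characters that can change the parsing context inside
// a text node or a quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every user-supplied value is encoded at the point it is
// written into the page, so the stored tag is displayed as literal text.
function renderProfileSafe(profile) {
  return `<h1>${escapeHtml(profile.name)}</h1>` +
         `<div class="about">${escapeHtml(profile.about)}</div>`;
}

// Crude regression check for a test suite: does a raw <script> tag survive
// rendering? A real scanner would use an HTML parser; this is enough to show
// the difference between the two renderers on the sample profile.
function containsRawScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone run: the vulnerable output still carries a live script tag,
// the hardened output does not.
console.log("vulnerable leaks script:", containsRawScriptTag(renderProfileVulnerable(storedProfile)));
console.log("hardened leaks script:  ", containsRawScriptTag(renderProfileSafe(storedProfile)));
```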

The popular MySpace website was first hit with the Samy worm in October.

Adam Biviano, a senior systems engineer at security firm Trend Micro, said a MySpace.com user, called Samy, had created a “malicious” profile by taking advantage of a flaw in the website’s design. The profile, when viewed, automatically activated a code to add the visitor to Samy’s “friends” list. Additionally, the malicious code would be copied into the victim’s profile, so when that person’s profile was viewed, the infection spread.

According to Biviano, “The infection stays on the website and almost creates a denial-of-service attack, because there is an exponential explosion of entries in your friends list that will eventually consume the infrastructure.”

The apparent intent of the Samy worm creator was to increase his popularity on the social networking site. In terms of numbers of “friends,” it worked.

In an e-mail interview posted on Google Blogoscope, the young author said: “It didn’t take a rocket or computer scientist to figure out that it would be exponential, I just had no idea it would proliferate so quickly.”

“When I saw 200 friend requests after the first eight hours, I was surprised. After 2,000 a few hours later, I was worried,” he said.

“Once it hit 200,000 in another few hours, I wasn’t sure what to do but to enjoy whatever freedom I had left, so I went to Chipotle and ordered myself a burrito. I went home and it had hit 1,000,000.”

The Samy worm demonstrated the ease with which cross-site scripting could be used as an exploit and was quickly followed by a major phishing attack later in October.

One such exploit changes a user’s profile to include links to a pornographic website that hosts spyware.

Hackers are finding cross-site scripting “holes” in numerous large websites.

According to computer firm CGI, sites such as CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired and FBI.gov have one form or another of XSS bugs.

Protecting yourself will involve work.

For specific suggestions on steps to take consider visiting the website www.cgisecurity.com and searching for the article: xss-faq.

John Millar is the president of Digital Boundary Group, a London-based information technology security services firm. This article, written with the assistance of Deborah Washburn, a security specialist, contains general comment and suggestions. Digital Boundary may be reached at 519-652-6898. E-mail him at jmillar@digitalboundary.net.

KaZaA Worm

Posted in Viruses, Worms, F-Secure by Antivirus-News on the December 27th, 2006

What do you get when you cross a file sharing network with a person desperate for advertising dollars? A worm that drives hits to a website, of course. Dubbed by various antivirus vendors as Worm.Kazaa.Benja or W32/Benjamin, the Benjamin worm disguises itself as an array of popular music and video selections. Unsuspecting KaZaA users who search on one of these topics will be presented with a file list of appropriate titles that aren’t legitimate files but rather the Benjamin worm. When the file is downloaded and run, users will be presented with a fake error message:

Access error #03A:94574: Invalid pointer operation
File possibly corrupted.

Behind the scenes, the worm is busy creating a new file share folder and adding hundreds of copies of itself - all with fake titles of popular search requests. Antivirus vendor F-Secure reports that over 2000 titles are used.

Examples include:
“Deepest Purple-The Very Best of Deep Purple - Smoke on the Water”
“Metallica - Until it sleeps”
“Johann Sebastian Bach - Brandenburg Concerto No 4”
“South Park Vol.3-divx-full-downloader”
“Star wars Episode 1-divx-full-downloader”
“F1 Racing Championship-Games-full-downloader”
“Chessmaster 8000-Games-full-downloader”

“Apparently the worm was written to make money for the virus writer”, comments Mikko Hypponen, Manager of Anti-Virus Research at F-Secure Corporation. The worm opens a webpage named benjamin.xww.de which contained advertisements. “Now the page has been taken down, but if the virus author got money based on ad views, he might have created some cashflow here”.

After displaying the false error message, Benjamin creates a copy of itself named EXPLORER.SCR in the Windows\System directory and modifies the registry to load on startup. According to F-Secure, the Benjamin worm spreads only to and from computers that have the KaZaA network client software installed.

Manual Removal

If infected with the Benjamin worm, the following registry keys will have been modified to include the value shown:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“System-Service”=”C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR”
[HKEY_LOCAL_MACHINE\Software\Microsoft]
“syscod”=”0065D7DB20008306B6A1”

Locate and delete the values shown.
Locate and delete the file EXPLORER.SCR.
Locate and delete the Sys32 subfolder located in the Windows Temp folder.

First Exploit Of Windows Vista Spotted

Posted in Worms, Trojans, SpyWare by Antivirus-News on the December 23rd, 2006

Proof-of-concept code for an unpatched vulnerability in all supported versions of Windows, including Vista, has gone public, prompting alerts from security vendors and a warning from its Russian discoverer that the flaw may be dangerous.

It is the first Windows Vista exploit made public since the operating system was released to volume license customers Nov. 30.

According to Symantec and eEye Digital Security, the bug is a memory corruption vulnerability that pops up when the MessageBox function is called; eEye pegged the threat as “medium,” while Symantec labeled it as a “privilege escalation,” a type of threat generally considered low on the security scale. An attacker would need authorized access to a PC to exploit the bug.

The code first showed up on a Russian hacker site, and was subsequently posted to milw0rm.com.

Mike Reavy, program manager with the Microsoft Security Response Center, acknowledged that the team was “closely monitoring” the situation even as the holidays approached.

“Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings,” Reavy wrote on the center’s blog early Friday.

Windows 2000 SP4, Windows XP SP1 and SP2, Windows Server 2003 SP1, and Windows Vista are at risk, Reavy added.

The Russian researcher who first reported the bug to Microsoft on Dec. 16, however, observed that the vulnerability may be more dangerous than the “Less critical” rating that Danish bug tracker Secunia assigned. “There is potential remote exploitation vector if some service uses user-supplied input for MessageBox() function,” wrote “ZARAZA U 3APA3A” on the Full Disclosure security mailing list.

Reavy downplayed the Vista-is-vulnerable angle. “While I know this is a vulnerability that impacts Windows Vista, I still have every confidence that Windows Vista is our most secure platform to date,” he said. Microsoft has touted Vista, which was released to corporations late last month and will debut Jan. 30 on consumer PCs, as significantly more secure than earlier versions of Windows.

Reavy also recommended users turn on a firewall, apply all Microsoft security updates, and install and/or update antivirus and anti-spyware software to protect their PCs.

Additional information on the threat will be posted to the center’s blog, or if necessary, in the form of a security advisory, the mechanism Microsoft uses to inform users of possible defensive workarounds in lieu of, or prior to, a security update.

New Spyware Warning

Posted in Worms, Trojans, Panda, SpyWare by Antivirus-News on the December 23rd, 2006

PandaLabs has reported the appearance of a new spyware program:

- Appeared: 12/21/2006

- Name of the new program: Adware/MalwareAlarm (Alias: Win32/Adware.SpySheriff)

- Type: Spyware; Subtype: Adware

- Means of propagation: Download from malicious web pages.

- Distribution: Low.

- Effects: Informs users of the existence of false (non-existent) threats on their computers. This is a strategy to get users to buy a security application that supposedly eliminates these non-existent threats.

- Other features: The spyware goes resident in the computer and, from time to time, shows an on-screen message informing the user that the system is infected and needs disinfecting.

- Detected by Panda Software solutions: Yes, by the signature file dated 12/21/06

Panda Software will publish updated information about this threat in the Virus Encyclopedia at http://www.pandasoftware.com/com/virus_info/encyclopedia/

Always use effective security solutions to combat spyware. Panda Software products incorporate one of the best anti-spyware technologies on the market, as acknowledged by such prestigious publications as PC World USA or PC Magazine. Also, Panda Software solutions that incorporate the TruPrevent(tm) proactive protection technologies can detect unknown spyware through behavioral analysis, with no need for updates. More information about Panda Software’s anti-spyware technologies at http://www.pandasoftware.com

Important phishing gang taken down in Spain

Posted in Viruses, Worms, Trojans, Kaspersky, SpyWare, Phishing by Antivirus-News on the December 23rd, 2006

Spain’s Guardia Civil has this Thursday claimed to have broken up an important cybercriminal gang that carried out phishing attacks in the country. A total of six people were detained in the province of Malaga in the south of Spain following a year-long investigation carried out by the authorities in Navarre, a province in the northeast of the country.

The gang is thought to have been led by a 19-year-old youth of Moroccan origin. At least five of the gang’s members have been named as Moroccans, while the sixth detainee, a 21-year-old woman, originally came from Ceuta, a Spanish enclave in North Africa. The leader of the gang is a well-known hacker who has been involved in the business since he was 12 years old. Spanish authorities believe him to be one of the most eminent hackers in Europe at the moment.

Operation “Siluro”, as Spanish investigators named it, began after a complaint registered in Elizondo, Navarre, in April this year. From then on the police began monitoring phishing campaigns in Spain and looking for similarities that could lead them to identify the perpetrators. Having collected the necessary evidence they carried out organised raids in the Malaga region, finding at least 500 fake bankcards and a lot of counterfeit European passports in the process.

The group is known to have collected personal banking details on at least 20,000 persons and held a database of 200,000 emails that was used in their phishing campaigns. Another peculiar method was to offer a half-price online mobile phone account charging service. Users attracted by the offer entered their bank details, which were then collected for later use in fraud operations. In order to launder stolen money they employed cybermules who transferred funds for a cut of the sum, as well as other methods such as making online purchases. In order to hide their trail the group used hacked computers and also hijacked unprotected wi-fi connections.

Spanish authorities have so far declined to quantify the damages caused by this gang, but the figure is thought to be “extremely significant”. Vicente Ripa, a representative of Navarre’s regional government tasked with explaining the operation to the press, called it an amazing success, citing the nature of the crime and the size of the gang that was apprehended. This is not the only success Spanish cybercrime fighters have enjoyed this year: Spain’s National Police dismantled another sizeable criminal group last September, detaining 23 people in the three coastal regions of Catalonia, Valencia and Andalusia.
