
Trojan Redbrowser.A steals money

Redbrowser.A is a J2ME-based Java MIDlet that sends SMS messages to a specific number.

Redbrowser pretends to be a WAP browser that offers free WAP browsing, claiming to deliver WAP page contents over free SMS messages. What Redbrowser actually does is send SMS messages to one specific number, which may cause financial losses to the user.

Redbrowser's claim that it sends free SMS messages as part of its normal operation is there to fool the user into granting the application permission to use the Java SMS capabilities, on phones that ask for the user's permission before SMS messages are sent. This claim of a free service is a form of social engineering.

The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan to Russian-speaking countries.

February 28, 2006 on 10:07 am | In Trojan | No Comments |

Crossover PC/Windows Mobile virus found

The Mobile Antivirus Researchers Association claims to have detected the first worm that can jump from a PC to a Windows Mobile-powered wireless device.
The ‘Crossover’ worm nests itself in a directory on a Windows PC where it will automatically activate once the user connects a Windows Mobile device using Microsoft ActiveSync.
The digital pest was sent to the association anonymously and is a proof-of-concept designed to show off its features but not cause any actual harm.
“This is proof-of-concept code for educational purposes only. This virus closes the gap between handhelds and desktops. Now it’s one big world open to all,” the worm creators said in a note attached to the virus.

Read more here.

February 28, 2006 on 10:00 am | In Virus | No Comments |

SpyBot 2006-02-24 Update Available

Hijacker
+ CoolWWWSearch.Feat2Installer + CoolWWWSearch.Service + CoolWWWSearch.Feat2DLL + CoolWWWSearch + MaxSearch ++ Hyperlinker ++ SecureServicePack.BadBHO
Malware
++ ADWareBazooka ++ HitVirus + Command Service ++ Smitfraud-C. (2) + Mailbot ++ SpyFalcon + MagicControl.Agent ++ Win32.Agent.acf ++ Win32.Agent.acr
PUPS
++ SpyiBlock
Spyware
+ Targetsaver ++ NiceSpy
Trojan
+ PestTrap ++ Teslaplus.com

Read more and download Free Anti Spyware - SpyBot.

February 24, 2006 on 9:55 am | In Updates | 2 Comments |

New worm with File encrypt function found

Yesterday Kaspersky Lab came across a worm with a German-speaking background, Email-Worm.Win32.Skowor.b.
Unlike programs like GPCode, Skowor is able to replicate; it tries to spread via a share that it creates.

When installed, the worm displays a message telling the user that s/he has five PC reboots in which to obtain a password that can be used to uninstall the worm. If the user doesn't do this, the worm encrypts a number of important files and changes the Administrator and current user passwords.
The worm also changes the IE start page to the author’s website.

Link here.

February 24, 2006 on 9:30 am | In Worms | No Comments |

Panda DesktopSecure for Linux workstations

Security firm Panda Software yesterday unveiled the beta version of its Panda DesktopSecure for Linux workstations.

As Linux systems become increasingly prominent for home use and in corporate environments, the firm said that DesktopSecure aims to protect both types of workstations, providing anti-malware protection managed via a graphic console.

The product also includes an enhanced firewall for workstations, and an intrusion prevention system to guard against network threats such as worms.

The final release version of DesktopSecure will be offered free to home users, and can be installed on all distributions of Linux.

February 24, 2006 on 9:07 am | In Linux | No Comments |

Mac OS X File Association Meta Data Shell Script Execution

Michael Lehn has discovered a vulnerability in Mac OS X, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused by an error in the processing of file association meta data in ZIP archives (stored in the "__MACOSX" folder) and mail messages (defined via the AppleDouble MIME format). This can be exploited to trick users into executing a malicious shell script that has been renamed to a safe file extension and stored in a ZIP archive or a mail attachment.

This can also be exploited automatically via the Safari browser when visiting a malicious web site.

Secunia has constructed a test, which can be used to check if your system is affected by this issue.

February 23, 2006 on 12:41 am | In Exploits & Vulnerabilities | No Comments |

New rogue Anti Spyware - “The Spyware Shield”

Spyware Warrior reports a new rogue anti-spyware program, The Spyware Shield.

The Spyware Shield uses an inadequate detection scheme.
This app is the same as Ad-Purge Spyware Remover, Privacy Crusader, and Spy Reaper.

Downloadable from thespywareshield.com

February 22, 2006 on 10:47 am | In Rogue Anti Spyware | No Comments |

New variant W32/Feebs found

A new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time de-obfuscating the JavaScript and VB code, and we're still looking at what it does besides downloading base64-encoded versions of W32/Feebs. You might want to block access to

*.coconia.net
*.by.ru
*.kazan.bz
*.t35.com
*.freecoolsite.com
*.nm.ru

until the AV vendors have the patterns lined up.

The new variant spreads as an email with the subject "Secure Message from GMail.com user", and contains a ZIP attachment (data.zip in the sample at hand), which in turn contains a file "Encrypted Html File.hta" holding the heavily obfuscated JavaScript exploit code that triggers the W32/Feebs download from the above sites.

Update:
AV detection is now available (vendor | engine version | signature date | detection name):

BitDefender|7.2|02.22.2006|Win32.Worm.Feebs.1.Gen
Kaspersky|4.0.2.24|02.22.2006|Worm.Win32.Feebs.cb
McAfee|4703|02.22.2006|W32/Feebs.gen@MM
Panda|9.0.0.4|02.22.2006|Suspicious file
Sophos|4.02.0|02.22.2006|W32/Feebs-Gen
Symantec|8.0|02.22.2006|W32.Feebs

Thanks to SansBlog

February 22, 2006 on 5:30 am | In Virus | No Comments |

Multiple vulnerabilities in Winamp - affects all versions (including 5.13)

Multiple vulnerabilities have been identified in Winamp, which could be exploited by remote attackers to take complete control of the affected system.

The first flaw is due to a buffer overflow when processing a specially crafted playlist containing an overly long media filename; remote attackers could exploit it to compromise a vulnerable system by getting the user to open such a playlist.

The second issue is due to a buffer overflow when processing a playlist (.m3u) with an overly long filename; remote attackers could exploit it to execute arbitrary commands and take complete control of an affected system via a specially crafted web page.

Read more here.

February 19, 2006 on 6:20 am | In Exploits & Vulnerabilities | No Comments |

Leap.A - Worm for Mac OS X

Leap.A is a binary file compiled for Mac OS X. It arrives in an archive file, called ‘latestpics.tgz’. When the executable in the archive is opened the virus activates. First it drops an icon resource and an external hook bundle which is used for spreading through iChat.

Spreading through iChat

Leap.A installs a bundle to '~/InputManagers/apphook' that hooks certain iChat functions. When any of the user's buddies change their status, the worm initiates a file transfer and sends a copy of 'latestpics.tgz'. The file transfer is not visible to the user, as the worm hides the transfer status information.

File infection

The worm enumerates all applications on the computer that were used during the last month. Leap.A replaces the main executable of those applications with itself and saves the original file to a resource fork with the same filename. When the application is opened the worm activates first, then it runs the original application from the resource fork.

Thanks to F-Secure.

February 18, 2006 on 7:54 am | In Worms | No Comments |

DVD discs found to contain a copy protection mechanism that uses rootkit-like cloaking technology

Heise Online is reporting yet another example of the ever-warming relationship between copy protection and rootkit technologies. The affair started with the digital rights management system Sony BMG was using to protect audio CDs. Now, F-Secure can also confirm that at least the German DVD release of the movie "Mr. & Mrs. Smith" contains a copy protection mechanism which uses rootkit-like cloaking technology.

The Settec Alpha-DISC copy protection system used on the DVD contains user-mode rootkit-like features to hide itself. The system will hide its own process, but does not appear to hide any files or registry entries. This makes the feature a bit less dangerous, as anti-virus products will still be able to scan all files on the disk.

If you suspect you have this copy protection system installed on your computer and you wish to remove it, the manufacturer is providing an uninstaller.

February 18, 2006 on 7:48 am | In Tips | No Comments |

Exploit for Vulnerability in Windows Media Player has been released

The exploit crafts a malicious BMP file to trigger a buffer overflow in Media Player. Keep in mind that, as Microsoft has pointed out, the exploitable inputs include other graphics files as well (such as .wmp), so it's a good idea to get it patched ASAP.

Read more about the vulnerability and how to patch it here.

February 16, 2006 on 4:39 am | In Exploits & Vulnerabilities | No Comments |

Ad-Aware SE 14.02.2006 update now available

New definitions:
====================
Malware.Azesearch
The Spy Guard
Win32.Trojan.Downloader +53
Win32.Trojan.Keylogger

Updated definitions:
====================
Adware.CasinoClient
Adware.DollarRevenue +75
Adware.FreeProd Toolbar
BargainBuddy
IstBar
Lop +15
SpywareNo
SurfSideKickBHO
Win32.Backdoor.Agent +2
Win32.Trojan.StartPage
Win32.TrojanClicker
Winfixer
VX2 +56
YourSiteBar

Read more and download here.

February 14, 2006 on 9:52 pm | In Updates | No Comments |

Vulnerability in Windows Media Player Could Allow Remote Code Execution

Windows Media Player has an unchecked buffer that allows remote code execution if users view or open a specially crafted .bmp file. Keep in mind there are many ways for this to be exploited; .bmp files are not the only way. Microsoft states: "An attacker could also attempt to exploit this vulnerability by embedding a specially crafted Windows Media Player (.wmp) image within another file, such as a Word document and convince a user to open this document."

Affected Software:
∙ Windows Media Player for XP on Microsoft Windows XP Service Pack 1
∙ Windows Media Player 9 on Microsoft Windows XP Service Pack 2
∙ Windows Media Player 9 on Microsoft Windows Server 2003
∙ Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Affected Components:
∙ Microsoft Windows Media Player 7.1 when installed on Windows 2000 Service Pack 4
∙ Microsoft Windows Media Player 9 when installed on Windows 2000 Service Pack 4 or Windows XP Service Pack 1
∙ Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2

Download patches now.

February 14, 2006 on 9:48 pm | In Critical patch, Exploits & Vulnerabilities | No Comments |

How to remove AlfaCleaner

AlfaCleaner is a rogue anti-spyware program that is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version.
AlfaCleaner is a variant of Anti Virus Pro, Winhound Spyware Remover, and XSRemover.
Downloadable from alfacleaner.com and innovagest2000.com.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
AlfaCleaner
AlfaCleaner.com
Desktop Uninstall

Download smitRem and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, download, install, and update the free version of the Ewido trojan scanner:

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. Run Ewido.
3. From the main Ewido screen, click on Update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display "Update successful").
5. Exit Ewido. DO NOT scan yet.

If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.

Again, do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):


O2 - BHO … C:\Windows\SYSTEM32\hp*.tmp (the name changes)
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Using Windows Explorer, locate and delete the following folder and files:
C:\Program Files\AlfaCleaner\
C:\Windows\System32\intell321.exe
C:\Windows\System32\voi640.exe
C:\Windows\warnhp.html
c:\winstall.exe
C:\Windows\uninstDsk.exe
C:\Windows\System32\voi271.exe

Here "C:\Windows\System32" stands for the path to your Windows\System32 directory.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again — this is normal.
Wait for the tool to complete and Disk Cleanup to finish — this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Run Ewido

1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.

Reboot your computer back to normal mode.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck “Security Info” if present.
Download and run CCleaner.

CCleaner (Crap Cleaner) is a freeware system optimization and privacy tool that removes unused and temporary files from your system, allowing Windows to run faster and more efficiently and giving you more hard disk space.

Reboot your computer.

Perform an online scan with Panda Active Scan. Do a full system scan. Make sure the autoclean box is checked!

Your computer should now be free of the AlfaCleaner infection.
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below

Spyware removal - Read Before Posting

February 14, 2006 on 9:46 am | In Tutorials - "How to" | 2 Comments |

Hoster - Hosts File Manager

Hoster is an ultra-groovy Hosts file Manager, Editor and Helper-outter.


Below you’ll find a list of Hoster’s functions.

Append File - Allows selection of a file to be appended to your current hosts file.
Replace File - Allows selection of a file to replace your hosts file.
Merge File - Allows selection of a file to be merged with your current hosts file.
Create Backup - Creates a backup of your current hosts file. The backup file is placed wherever Hoster.exe resides on your hard drive.
Restore Backup - Restores the backup hosts file.
Restore MS Hosts - Restores the hosts file to Microsoft’s original hosts file.
Add to Hosts Files - Adds the line item into your hosts file.
Delete Line - Deletes highlighted line from hosts file.
Toggle Comment - Toggles whether or not a line is a comment ('#').
Sort File - Sorts the current hosts file in alphanumeric order, removes all comment lines.
Swap Localhost - Swaps the current hosts file between 127.0.0.1 and 0.0.0.0
Remove Block Items - Removes all blocking lines in the current hosts file.
Copy to Clipboard - Copies the current hosts file to the clipboard.
Toggle Read-only - Makes the hosts file read-only or writable.

Download Hoster.

Read more about what the hosts file is and how to use it here and here.
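The operations Hoster lists (merge, sort, swap localhost, remove block items, toggle comment) re-implemented on hosts-file text, as an added example in Python. This is not Hoster's code: Hoster is a Windows GUI tool, its exact semantics are assumed where the comments say so, and the hosts text below is constructed for the example.

```python
"""Hosts-file operations modelled on Hoster's menu (added example, not Hoster's code)."""

LOOPBACK = "127.0.0.1"
NULLROUTE = "0.0.0.0"
# Names that map the machine itself; these lines are never "block items".
SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample hosts file: two block entries, one loopback, one LAN host.
SAMPLE_HOSTS = """\
# constructed sample hosts file
# lines starting with '#' are comments
127.0.0.1       localhost
127.0.0.1       ads.example.net   # blocked ad host
0.0.0.0         tracker.example.org
192.168.1.10    fileserver
"""


def parse_line(line):
    """Split a hosts line into (address, [names], inline_comment).
    Returns None for blank lines and whole-line comments."""
    body, _, comment = line.partition("#")
    fields = body.split()
    if not fields:
        return None
    return fields[0], fields[1:], comment.strip()


def is_block_item(line):
    """A block item maps names to 127.0.0.1 or 0.0.0.0 and is not the
    machine's own entry (so '127.0.0.1 localhost' is never removed)."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    address, names, _ = parsed
    return address in (LOOPBACK, NULLROUTE) and not (set(names) & SELF_NAMES)


def remove_block_items(text):
    """Hoster 'Remove Block Items': drop every blocking line, keep the rest."""
    return "\n".join(l for l in text.splitlines() if not is_block_item(l)) + "\n"


def swap_localhost(text):
    """Hoster 'Swap Localhost': flip block items between 127.0.0.1 and 0.0.0.0.
    Only the address column changes; spacing and comments are preserved."""
    out = []
    for line in text.splitlines():
        if is_block_item(line):
            address = parse_line(line)[0]
            other = NULLROUTE if address == LOOPBACK else LOOPBACK
            line = line.replace(address, other, 1)
        out.append(line)
    return "\n".join(out) + "\n"


def sort_file(text):
    """Hoster 'Sort File': keep only mapping lines, drop comment lines, and
    sort (assumed: by first hostname, then address, case-insensitively)."""
    entries = [l for l in text.splitlines() if parse_line(l) is not None]

    def key(line):
        address, names, _ = parse_line(line)
        return (names[0].lower() if names else "", address)

    return "\n".join(sorted(entries, key=key)) + "\n"


def merge_file(current, other):
    """Hoster 'Merge File' (assumed semantics): append mapping lines from
    `other` that add an (address, name) pair not already in `current`."""
    def pairs(parsed):
        return {(parsed[0], n.lower()) for n in parsed[1]}

    have = set()
    for line in current.splitlines():
        parsed = parse_line(line)
        if parsed:
            have |= pairs(parsed)
    added = []
    for line in other.splitlines():
        parsed = parse_line(line)
        if parsed and not pairs(parsed) <= have:
            added.append(line)
            have |= pairs(parsed)
    return current.rstrip("\n") + "\n" + "\n".join(added) + ("\n" if added else "")


def toggle_comment(text, index):
    """Hoster 'Toggle Comment': comment or uncomment line `index` (0-based)."""
    lines = text.splitlines()
    line = lines[index]
    lines[index] = line[1:].lstrip() if line.startswith("#") else "# " + line
    return "\n".join(lines) + "\n"
```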

February 14, 2006 on 1:08 am | In Free Software | No Comments |

Microsoft Internet Explorer Drag-and-Drop Vulnerability

Microsoft Internet Explorer suffers from a vulnerability in its handling of certain drag-and-drop events. As a result, it is possible for a malicious web site to predict and exploit the timing of a drag-and-drop operation such that any drag operation (including using scroll-bars) could potentially lead to the installation of arbitrary files in sensitive locations that may enable further system compromise.

Affected Systems:
* Microsoft Internet Explorer 5.01
* Microsoft Internet Explorer 5.5
* Microsoft Internet Explorer 6.0
- Windows 98
- Windows 98 Second Edition
- Windows Millennium Edition
- Windows 2000
- Windows XP
- Windows Server 2003

How to block Drag-and-Drop Vulnerability:
1. Set a Kill Bit on the Shell.Explorer Control
Setting a kill bit on this control will prevent Internet Explorer from displaying the rich folder view interface that gives rise to this attack. For more information about setting kill bits, please see Microsoft Knowledge Base Article 240797: http://support.microsoft.com/kb/240797

The CLSID of this component as deployed on Windows XP is: {8856F961-340A-11D0-A96B-00C04FD705A2}

Tools to automate the process of setting this kill bit have been provided at: http://student.missouristate.edu/m/matthew007/tools/shellkill.zip PGP signature: http://student.missouristate.edu/m/matthew007/tools/shellkill.zip.asc

Included in this archive are an Administrative Template (.adm) and a VBScript file (.vbs) which implement this setting. The Administrative Template also allows an administrator to work around a specific case of functionality loss caused by the implementation of this workaround. Instructions on using both files are contained within the readme file in the archive.

IMPACT:

This workaround will cause Internet Explorer to no longer render folder views for local directories, network file shares, FTP directories and web folders by default. The ability to browse FTP directories in Internet Explorer can be restored by clearing the “Enable Folder View for FTP Sites” option in Internet Explorer’s “Advanced” options. However, this countermeasure is known to expose another security vulnerability that does not appear to have been fixed as of this writing: http://lists.grok.org.uk/pipermail/full-disclosure/2003-June/005321.html

For ordinary browsing purposes, the Windows Explorer tool is unaffected by this change. This defensive measure has been successfully implemented in at least one commercial software product and tested on a significant scale prior to the release of this advisory. Therefore, it is the belief of the author that potential loss of functionality *should* be minimal. As with all measures, you are encouraged to test the impact of this workaround prior to making any decision about deployment.
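Setting the Shell.Explorer kill bit programmatically, as an added example in Python; it is not the shellkill.zip tooling from the advisory. The registry key and the 0x400 "Compatibility Flags" bit are those documented in Microsoft KB 240797; the read-modify-write that preserves other flags, the .reg text output and the winreg apply path (assumed: Windows, elevated prompt) are this example's own.

```python
"""Shell.Explorer kill bit (added example; key and flag per KB 240797)."""

# CLSID quoted in the advisory for Windows XP.
SHELL_EXPLORER_CLSID = "{8856F961-340A-11D0-A96B-00C04FD705A2}"
ACTIVEX_COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE loading the control


def set_kill_bit(flags):
    """Return `flags` with the kill bit set. `flags` is the existing
    "Compatibility Flags" DWORD, or None when the value does not exist yet;
    OR-ing preserves any other compatibility flags already present."""
    return (flags or 0) | KILL_BIT


def kill_bit_set(flags):
    """True when the kill bit is present in a "Compatibility Flags" value."""
    return bool((flags or 0) & KILL_BIT)


def reg_script(clsid, flags):
    """Text of a .reg file that applies `flags` to `clsid` via regedit,
    for deployments that push the setting out as a file rather than via winreg."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[HKEY_LOCAL_MACHINE\\{ACTIVEX_COMPAT_KEY}\\{clsid}]\n"
        f'"Compatibility Flags"=dword:{flags:08x}\n'
    )


def apply_kill_bit(clsid=SHELL_EXPLORER_CLSID):
    """Windows only: read the current flags under HKLM, set the kill bit and
    write the value back. Needs an elevated (administrator) prompt.
    Returns the new flags value."""
    import winreg  # assumption: running on Windows (module is Windows-only)

    subkey = f"{ACTIVEX_COMPAT_KEY}\\{clsid}"
    key = winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                             winreg.KEY_READ | winreg.KEY_WRITE)
    try:
        try:
            current, _ = winreg.QueryValueEx(key, "Compatibility Flags")
        except FileNotFoundError:  # value not present yet
            current = None
        new_flags = set_kill_bit(current)
        winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD, new_flags)
        return new_flags
    finally:
        key.Close()
```

Re-running apply_kill_bit is idempotent: a value that already carries 0x400 is written back unchanged.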

2. Prevent Automatic Navigation to Local Intranet Zone (Windows XP SP2, Windows Server 2003 SP1)
This workaround will prevent Internet content in Internet Explorer from automatically navigating to URLs within the Local Intranet Zone. This effectively prevents the introduction of malicious code to the local system via the network redirector. To implement this workaround, follow these steps:
1. In Internet Explorer’s Tools menu, choose “Internet Options…”

2. Select the “Security” tab and choose “Local Intranet”

3. Click the “Custom Level” button

4. Set the “Web sites in less privileged content zone can navigate into this zone” setting to “Disable” or “Prompt”.

5. Click OK to close any dialogs and optionally, close Internet Explorer.

IMPACT:

This workaround will block or prompt before allowing any navigation to LAN resources from the Internet Zone. Direct access to LAN resources continues to function normally. As a result of this workaround, attempts to access local intranet content (for instance, web applications on corporate Intranets) from web sites outside of the LAN will fail or produce prompts, depending upon the chosen setting.

3. Disable Active Scripting
This workaround will prevent Internet content from executing script that could potentially cause the exploitation of this vulnerability. To implement this workaround, follow these steps:

1. In Internet Explorer’s Tools menu, choose “Internet Options…”

2. Select the “Security” tab and choose “Internet”

3. Click the “Custom Level” button

4. Set the “Active scripting” option to “Prompt” or “Disable”.

IMPACT:

This workaround will block or prompt before allowing web sites to execute any script statement. Scripting in more-privileged zones (Local Intranet, Trusted Sites) continues to function normally. Setting this option to “Prompt” may cause a significant increase in the number of security prompts received while browsing and may be ineffective in closing this vulnerability for users not capable of making an assessment of a web site’s relative trustworthiness.

Read more here.

February 13, 2006 on 11:19 pm | In Exploits & Vulnerabilities, Tutorials - "How to" | No Comments |

HTML Help Workshop vulnerability - Found New Exploit

Only 5 days after the release of the vulnerability, two exploits are on the street. Both exploits, tested on WINXP SP2, will give the attacker the ability to run code of her or his choosing on the compromised machine. As of this writing, a patch has not been made available, as far as we know.

Windows XP SP2 is not vulnerable in its default configuration. Microsoft noted that the HTML Help Workshop SDK has to be installed in order for the exploit to work. This SDK is a self-contained download and at this point we are not aware of anything that would bundle this SDK. Given that it is an issue with this particular application, there is a chance that it may be exploitable on Windows versions other than XP SP2.

Read more here and here.

February 13, 2006 on 9:08 am | In Exploits & Vulnerabilities | No Comments |

New Bagle - W32/Bagle.FM@mm, Email-Worm.Win32.Bagle.fm mass-mailer found

F-Secure has received a new Bagle mass-mailer. This Bagle mass-mailer first appeared on February 9th, 2006. It spreads in e-mails, sometimes pretending to be an antivirus definition file from Symantec. The worm also spreads to shared folders. In addition it drops a trojan downloader.
F-Secure detects this new mass-mailer as W32/Bagle.FM@mm.
When the worm's file is started it displays a fake error message box:

Error!
Can’t find a viewer associated with the file.

The worm can send several different messages. The following texts can be used in the subject line (%number% stands for a randomly generated number):

Your Receipt %number%-%number%
Order reminder: ID %number%
Billing department, order %number%-%number%

When the worm scans a hard drive, it looks for folders that have the 'shar' substring in their names. If such a folder is found, the worm copies itself to that folder under the following names:

anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe

The worm also drops a file named winresw.exe into the Windows folder and starts it. This file is a trojan downloader that downloads and runs files from the Internet.

The worm also starts a backdoor on port 6777. The backdoor allows the worm's file to be updated from the Internet.

February 11, 2006 on 7:14 am | In Trojan, Virus, Worms | No Comments |

How to remove SpyFalcon

SpyFalcon is a rogue anti spyware program that is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version. If you are infected with this program you may receive warnings in your task bar that appear to be from Microsoft Security Center stating that you are infected with spyware and to run its special anti-spyware tool.
This tool turns out to be the commercial version of SpyFalcon. These warnings are fake and are a goad to have you buy the commercial version of this software.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found: SpyFalcon
Then using Windows Explorer, delete the following folder: C:\Program Files\SpyFalcon

Download smitRem and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Next, download, install, and update the free version of the Ewido trojan scanner:

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
2. Run Ewido.
3. From the main Ewido screen, click on Update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display "Update successful").
5. Exit Ewido. DO NOT scan yet.

If you do not already have Ad-Aware SE installed, follow these download and setup instructions. Also check for updates.

Again, do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):


O2 - BHO … C:\Windows\SYSTEM32\hp*.tmp (the name changes)
O4 - HKLM\..\Run: [SpyFalcon] C:\Program Files\SpyFalcon\SpyFalcon.exe /h

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again — this is normal.
Wait for the tool to complete and Disk Cleanup to finish — this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Run Ewido

1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report”. This will create a text file. Make sure you know where to find this file again.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck “Security Info” if present.

Using Windows Explorer, locate and delete the following file and folder:
C:\WINDOWS\system32\dxmpp.dll
C:\Program Files\SpyFalcon\

Perform an online scan with Panda Active Scan.

Here "C:\Windows\System32" stands for the path to your Windows\System32 directory.

If you can't remove these files, use KillBox; download it here.

Your computer should now be free of the SpyFalcon infection.

If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below

Spyware removal - Read Before Posting

February 10, 2006 on 8:28 am | In Tutorials - "How to" | 4 Comments |


MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.