
First virus for StarOffice and OpenOffice

Kaspersky Lab has reported that the first macro virus for StarOffice and OpenOffice, Virus.StarOffice.Stardust.a, has been found.
Stardust is a macro virus written for StarOffice. Macro viruses usually infect MS Office applications. It’s written in Star Basic. It downloads an image file (with adult content) from the Internet and then opens this file in a new document.

May 31, 2006 on 9:27 am | In Virus | No Comments |


YapBrowser is back online

Some time ago we reported on this adware:

YapBrowser, potentially dangerous application that pre-installs 180Solutions Zango and does nothing but apparently redirect you to a porn site. Read more: YapBrowser and Yapsearch(dot)com

Now the YapBrowser site is back online.

The website claims:

YapBrowser is a browser which will make searching for any information online much simpler. Download YapBrowser for free and forget about getting to sites containing harmful exploits. Your computer will be free from viruses breeding online. Attention! You can download a 100% free adult version of YapBrowser. Using it you will be able to search for and browse adult content for free. There is a 100% guarantee no system infection will occur when using our software. YapBrowser is the only browser which gives you safe search and browsing capabilities. Now you can download it for no cost at all.

So it is an adult version this time around and the user is getting a warning upfront and, you guessed it, it’s free and now backed by a 100% guarantee you won’t experience a system infection.

Read more about yapbrowser on Spyware Guide: Return of The Yap Browser

May 31, 2006 on 9:11 am | In Adware | No Comments |


New Winamp Fixes Major Security flaw

AOL’s Nullsoft division released a new version of its popular Winamp music and video player on Thursday, in part to fix a “major” security flaw in the program, according to the accompanying advisory.

Winamp 5.22 includes a huge list of stability updates and at least a couple of security tweaks, though the advisory doesn’t get too far into specifics on the latter front.

We have seen active exploitation of Winamp flaws in the past,

Winamp Remote Code Execution
Winamp exploit used to push spyware
Multiple vulnerabilities in WinAmp – Affected all versions (including 5.13)

so if you use Winamp, please do not put off downloading and installing this new version.

May 30, 2006 on 8:12 am | In Critical patch | No Comments |


Spam emails and fake Microsoft patch

Internet Storm Center have received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft and it is notifying the recipient of “a new vulnerability [that] has been discovered in the Microsoft WinLogon Service”. It further states that the vulnerability can allow an attacker access to the unpatched system.

Of course, the user is advised to install the patch which can be downloaded from the included link.

As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user will really be sent:

http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe

AV detection, although better than the first time we tried it, is still pretty bad. Only 8 products from VirusTotal detected this:

AntiVir 6.34.1.34 05.29.2006 Heuristic/Crypted.Modified
BitDefender 7.2 05.30.2006 Trojan.BeastPWS.C
Kaspersky 4.0.2.24 05.30.2006 Trojan-Spy.Win32.Delf.jq
NOD32v2 1.1566 05.30.2006 Win32/Spy.Delf.NBR
Panda 9.0.0.4 05.29.2006 Suspicious file
Sophos 4.05.0 05.30.2006 Troj/BeastPWS-C
Symantec 8.0 05.30.2006 Infostealer

Update:

Kaspersky Lab also reported on the fake Microsoft patch. They released an urgent update for Trojan-PSW.Win32.Sinowal.u. Sinowal is a family of password stealing Trojans which steals usernames/passwords entered via forms in an internet browser. It particularly targets certain banking domains and also has the ability to steal other locally stored passwords.

Sinowal has a special trick: when an infected user visits certain banking domains Sinowal inserts some of its own HTML code into the page. This is done to create a customized pop up which asks the user for personal info.

Sinowal variants are normally downloaded by Trojan-Downloaders which are installed by visiting certain websites which exploit security vulnerabilities in the browser or operating system.

Today the authors decided to try something different by spamming .de email addresses with an email that pretends to be from Microsoft Windows Update.

The email, which is written in German, reads as follows in English translation:

From: MS Windows Update [msrobot_donotreply|trickthespider|windowsupdate.com]
Subject: Attention! Important news from Microsoft Windows Update!

Attention! Important news from Microsoft Windows Update!

Dear Microsoft Windows XP users!

Yesterday unknown hackers released a new worm virus. Once it gets into the system, it sends itself out to your e-mail address list, and all your contacts become infected. After infection the system starts to work unstably, and the computer “hangs” exactly one minute after the next boot.

To protect the users of the Microsoft Windows XP system, our
security specialists have developed an update for the system.

You should open the file attached to the e-mail so that the system is updated
and fully protected from the new worm.

Kind regards,

Windows Update

As you hopefully know Microsoft never sends executables along with their emails. So social engineering attempts like these can be spotted easily, at least in theory.

And don’t forget, if you got infected with Sinowal, even if you have cleaned your system you still have to change your passwords.

May 29, 2006 on 8:49 pm | In Trojan | No Comments |


ZonedOut – Free tool for managing Internet Explorer Zones

ZonedOut is a complete Internet Explorer Security Zone Manager. Manage Zone Sites at the Current User and Local Machine level in style.


May 28, 2006 on 11:58 pm | In Free Software | 2 Comments |


Banwarum Worm Offers Tickets for the WORLD CUP

A new mass-mailing worm called Banwarum (also known as Zasran and Ranchneg) is using World Cup themed email messages. The worm sends itself as a password protected archive and includes in the email the password for it. The emails sent by the worm are in German and some of them offer tickets for the football games in Germany next month.

There are already three functionally similar variants of this worm. FSAV detects .A and .B variants of the worm with update version number 2006-05-24_04 and variant .C with update version number 2006-05-25_01. One of the emails sent by the worm looks as follows:

Hi man,

ich hab gesehen, das du zu WM wolltest, frag nicht wer ich bin und warum ich es mache. Hier hast du 5 Stueck, das ist eine spezielle Online Version, drueck es aus und unterschreib. Password zu dem Archiv lautet (psw)

Mfg Niemand ;)

This means in English:

Hi man,

I saw that you want to go to the World Cup. Don’t ask who am I and why I am doing this. Here you have 5 pieces, which are a special on-line version, print it and sign. Password to the archive is (psw).

With friendly greetings Nobody ;)

Thanks to F-Secure.

May 28, 2006 on 11:31 pm | In Worms | No Comments |


Yahoo IM worm hijacks Internet Explorer Installs fake browser

A worm that installs a ‘Safety Browser’ and plays screeching music is circulating via IM.

The annoyance starts with a link apparently sent by a friend in Yahoo’s IM program.

IM security company FaceTime Communications described the malware, which it calls “yhoo32.explr”, as “insidious” in a security advisory last week:

The malware infects the PC with two elements. The first element is a web browser called “Safety Browser.” This stand-alone application has no uninstaller and disguises itself with an Internet Explorer logo in some instances. The application also hijacks the personal homepage in Internet Explorer and points users to Safety Browser’s homepage (demoplanet.tv). The hijack also plays looped music that cannot be stopped when the user starts up the PC or Safety Browser. The second element is the self-propagating worm. This worm installs an .exe file that spreads the infection through Yahoo Messenger to everyone on the Contacts List.

When the link is clicked, a worm installs the so-called ‘Safety Browser’, a program that leads the user to pages mined with adware and viruses, FaceTime said. The Safety Browser uses an Internet Explorer logo to make it look more legitimate.

Malware spread through instant-messaging programs is on the rise. However, FaceTime said this malware appeared to be the first to install a browser without the user’s permission.

The bug also hijacks Internet Explorer’s home page, directing users to the Safety Browser’s site.

After it is launched, the worm sends itself to others on the user’s instant-messaging contact list.

The malware is engineered to overwrite instant messages typed by a user; the infected message can be changed on the fly, the company said.

May 28, 2006 on 11:20 pm | In Browser Hijacking | No Comments |


Kaspersky lab released detection for malware exploiting the MS Word vulnerability

Some days ago we reported a vulnerability in Microsoft Word.

Malware which spreads via email is exploiting the vulnerability as a specially crafted MS-Word .DOC attachment. If the attachment is launched, this triggers a process which results in a backdoor being installed.

Kaspersky lab released detection for the malware, a dropper and backdoor. As ever, users should update their databases as soon as possible. Kaspersky products will detect the dropper as Trojan-Dropper.MSWord.1Table.bd, and the backdoor as Backdoor.Win32.Gusi.a.

May 23, 2006 on 9:44 am | In Exploits & Vulnerabilities | No Comments |


I just go to Amazon and Citibank, so why am I seeing pop-ups for Adult Friend Finder?

A typical lament: “I just go to Amazon and Citibank, so why am I seeing pop-ups for Adult Friend Finder?” Parents, we have an answer – your teenager.

One of the benefits of testing so much of the Web is that we’ve developed a good sense of where the bad guys concentrate. And smiley sites are one of those dark alleys. For those of you who don’t know, smileys (aka emoticons) are graphic punctuation marks that people use to add emotion to their text communications, whether IM (Instant Messaging), SMS (mobile phone texting) or plain old e-mail. Now, who does the most IM’ing in your house? Yup, it’s your teen. What follows are five smiley sites that will leave you and your computer frowning. But first, a little background.

ComScore Networks estimates that a whopping 69 million Americans use instant messenger software. AOL, Yahoo! and MSN are the most common providers.

Unfortunately, many smiley packs, often accessible as a free download, contain unrelated programs that harm users’ computers. SiteAdvisor tests show that spammers and adware distributors often find new users by offering “free” smileys. Fortunately, there’s still reason to smile. Free smiley downloads are available without Web safety threats. More on those later.

Navigating the Spyware Minefield

How do your kids get smileys in the first place? The major IM providers include a default set, but these get old fast. You can imagine the exchange: Jane IM’s John: “Cool smiley. Where did you get it?” John IM’s back. “Don’t remember. It was free on Google.” Jane searches Google for “free smiley.” The next thing you know, Jane’s installing a piece of adware with the pack of emoticons. Just how risky is that search?

[Image: google mine field]

Of the 20 links on this result page, eight (40%) point to sites that SiteAdvisor rates yellow or red. If Jane picks a random site from this list, she faces a 40% risk of infection. Do two such searches and the risk increases to 64%. Three times, 78%. So for users making a series of unsafe searches, it’s not unusual to find the family computer hosed.

May 23, 2006 on 9:27 am | In Malware removal | No Comments |


Good tool for managing your HOSTS file

HOSTS Secure is a utility that you can use to automatically download, unzip and install the MVPS HOSTS file.


May 23, 2006 on 9:08 am | In Free Software | No Comments |


