New malware poses as Windows Genuine Advantage Validation Notification
A new piece of very nasty malware has been recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe and it creates a service named “Windows Genuine Advantage Validation Notification”, as seen in this line in the HijackThis log.
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe
Suzi tested it on her virtual machine running XP Pro, totally unpatched. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder as shown in the HijackThis line above.
On her virtual machine, it disabled the following: WinPatrol, an anti-spyware program, a third-party firewall, VMware Tools, VMware User Process, and VPCUserServices, by changing the values of the Run keys in HKEY_LOCAL_MACHINE. Another researcher reported that it disabled the Windows firewall and System Restore.
Wgavn.exe immediately attempted to contact several different IP addresses. The ISP is being notified in an attempt to investigate these sites and IPs. At this time, it’s unknown how the two users who posted the HijackThis logs got infected with this. The sample has been submitted to anti-malware vendors but as of earlier today was poorly detected. Kaspersky is now detecting it as Backdoor.Win32.IRCBot.st, and another AV at VirusTotal detected it as Backdoor.Win32.IRCBot.BV.
Thanks to Suzi Turner for her post about it.
June 30, 2006 on 6:27 am | In Malware | 4 Comments |
OpenOffice.org fixes three security vulnerabilities
OpenOffice.org 2.0.3 fixes three security vulnerabilities that were found through internal security audits. Although there are currently no known exploits, the project urges all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor’s patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.
The three vulnerabilities involve:
- Java Applets, CVE-2006-2199
It is possible for some Java applets to break out of the secure “sandbox” in which they are normally constrained. The applet code could potentially have access to the entire system with whatever privileges the current user has.
A workaround is provided to temporarily disable support for Java applets. Instructions are provided for both 1.1.x and 2.0.x.
- Macro, CVE-2006-2198
A flaw in the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros. Such macros could potentially have access to the entire system with whatever privileges the current user has. There is no workaround for this issue.
- File Format, CVE-2006-3117
A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents. The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code execution. There is no workaround for this issue.
SMS text messages used to spread malware/keylogger
CA has received reports of Win32/Bambo.CF being distributed via SMS text messages sent to mobile phones, enticing people to visit a malicious website. The messages may contain the following:
Thanks for subscribing to *****.com dating service. If you don’t unsubscribe you will be charged $2 per day.
The text message then directs the recipient to visit a website in order to unsubscribe from the service and avoid being charged. This website contains a fake dating service page, which entices users to enter their phone number, at which point it attempts to load an executable file called “unregister.exe”. The web page instructs users to click the “Run” button on each warning page that Windows displays, to allow the program to execute. If the program is run, it installs the Win32/Bambo.CF trojan.
Please see below for examples of fake dating service pages displayed by the malicious website.

Anyone loading the webpage and following the instructions in the message will pick up the trojan, which CA has named Win32/Bambo.CF. The keylogger looks for passwords and other information which it sends via emails and perhaps through other means.
June 27, 2006 on 4:50 am | In Malware, Trojan | No Comments |
Found new rogue antispyware – AdwareFinder
Found new rogue antispyware – AdwareFinder.
The program claims it detects and destroys spyware, yet it is part of engagemarketing(dot)com which is being bundled via Dollarrevenue.

URL: www(dot)adwarefinder(dot)com/AdwareFinder_download(dot)html
June 26, 2006 on 11:35 pm | In Rogue Anti Spyware | No Comments |
Found Mailbot family that uses ADS hidden streams to hide itself
F-Secure reported on a Mailbot family that uses hidden streams to hide itself.
Let’s take Mailbot.AZ (aka Rustock.A) as an example.
Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named “services.exe”. The payload is a Spamtool with backdoor capabilities.
There’s only a single component lying on the disk, and that is a kernel-mode driver. It’s stored as a hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that’s not readily visible, it’s very likely that many security products will have a tough time dealing with this one.
F-Secure has just released a new version of its BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.
To remove the infection, perform the following steps:
- Reboot your system using the Windows Recovery Console (using your Windows installation CD – click on the hyperlink for details).
- Copy a non-executable file from the Windows directory over the Alternate Data Stream.
For example, run the following command:
copy c:\windows\win.ini c:\windows\system32:18467
Please note that the copy command will fail but the malicious file has actually been truncated to zero-length.
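As an added example that is not part of this post or of F-Secure’s write-up, the Python below parses the output of dir /r (available on Windows Vista and later) and flags data streams attached to folder entries, which is where Mailbot.AZ keeps its driver. Because the rootkit hides the stream from tools on the running system, the listing has to be taken from an offline boot (for example with the infected disk attached to a clean system); the sample listing here is constructed, reusing the stream name 18467 from the removal step above.

```python
import re
from dataclasses import dataclass

# A "dir /r" stream line, e.g. "    73,216 system32:18467:$DATA" (indented, size first).
STREAM_RE = re.compile(r"^\s+(?P<size>[\d,]+)\s+(?P<entry>.+?):(?P<stream>[^:]+):\$DATA\s*$")
# A normal entry line: date, time (optional AM/PM), "<DIR>" or a size, then the name.
ENTRY_RE = re.compile(r"^\S+\s+\S+(?:\s+[AP]M)?\s+(?P<kind><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$")

@dataclass
class StreamFinding:
    directory: str      # folder the listing was taken in
    entry: str          # file or folder that carries the stream
    stream: str         # stream name, e.g. "18467"
    size: int
    on_directory: bool  # True when the carrier is a <DIR> entry

def parse_dir_r(listing: str) -> list[StreamFinding]:
    """Walk a 'dir /r' listing and collect every named $DATA stream it shows."""
    findings, cwd, last_name, last_is_dir = [], "", None, False
    for line in listing.splitlines():
        if line.lstrip().startswith("Directory of "):
            cwd = line.strip()[len("Directory of "):]
            continue
        m = ENTRY_RE.match(line)
        if m:  # remember the entry so the stream lines printed under it can be attached
            last_name, last_is_dir = m.group("name"), m.group("kind") == "<DIR>"
            continue
        m = STREAM_RE.match(line)
        if m and last_name and m.group("entry").lower() == last_name.lower():
            size = int(m.group("size").replace(",", ""))
            findings.append(StreamFinding(cwd, last_name, m.group("stream"), size, last_is_dir))
    return findings

def suspicious(findings: list[StreamFinding]) -> list[StreamFinding]:
    """Keep every stream on a folder (the Mailbot.AZ trick); on files skip Zone.Identifier."""
    return [f for f in findings if f.on_directory or f.stream.lower() != "zone.identifier"]

# Constructed sample: a stream named 18467 on the system32 folder, plus a harmless file stream.
SAMPLE_LISTING = """\
 Directory of C:\\WINDOWS

06/23/2006  09:21 AM    <DIR>          system32
                                73,216 system32:18467:$DATA
06/23/2006  09:22 AM            10,240 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
"""

if __name__ == "__main__":
    for f in suspicious(parse_dir_r(SAMPLE_LISTING)):
        print(f"{f.directory}\\{f.entry}:{f.stream}  {f.size} bytes  on_directory={f.on_directory}")
```

On a real system, feed the script the saved output of dir /r C:\Windows taken from the offline boot instead of SAMPLE_LISTING.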
June 23, 2006 on 9:21 am | In Rootkit | No Comments |
New worm disables Security Software
Sunbelt blog reported on a new World Cup Soccer worm. The worm arrives as an e-mail attachment with one of the following subjects and message bodies:
Subjects:
1. Soccer fans killed five teens
2. Crazy soccer fans
3. Please reply me Tomas
4. My tricks for you
5. Naked World Cup game set
6. My sister whores, shit i dont know
Message Bodies:
1. Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
2. Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
3. I wait your photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
4. Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos
5. Emily Carr was an artist know for her prudery, but now the Portrait Gallery of Canada has aquired a nude self-portrait. View photos.
Upon execution, the worm copies itself to the following location:
%Sysdir%\msctools.exe
It attempts to download additional malware from:
http://couple{removed}.com/tumbs/dianaimg.exe
The worm also attempts to disable the following processes:
AVP32.EXE, AVPCC.EXE, AVPM.EXE, AVP.EXE, iamapp.exe, iamserv.exe, FRW.EXE, blackice.exe, blackd.exe, zonealarm.exe, vsmon.exe, VSHWIN32.EXE, VSECOMR.EXE, WEBSCANX.EXE, AVCONSOLE.EXE, VSSTAT.EXE, OUTPOST.EXE, REGEDIT.EXE, NETSTAT.EXE, TASKMGR.EXE, MSCONFIG.EXE, NAVAPW32.EXE, UPDATE.EXE, msctools.exe
June 20, 2006 on 7:41 pm | In Worms | 2 Comments |
Another rogue antispyware app for your blacklist – Trust Cleaner
Bleepingcomputer blog and Sunbelt blog reported on a rogue anti-spyware application, Trust Cleaner. At first view, this rogue anti-spyware application works the same way as the other ones that have been released lately, like SpyFalcon and SpywareQuake, as it uses trojans to display fake warnings that act as a goad to make you purchase the full commercial version of its software.
After the malware is installed, the rogue anti-spyware program Trust Cleaner is set to start automatically when your computer starts. It then scans your computer for supposed spyware and malware and displays a list of the items found. It is quite funny, though, as it finds its own components and labels them as spyware, as shown in the image below.

After install, Trust Cleaner changes your Internet Explorer homepage to an HTML page that is loaded from a file on your local computer called C:\Windows\local.html. This page generates a home page that looks strikingly like Google. In fact, it states at the bottom of the page that it is powered by Google. In reality, though, this page actually uses results from the site www.mswindowssearch.com and not from Google.
Trust Cleaner uses these addresses; block them now:
If you can’t uninstall or remove it, ask for help: Spyware Removal Forum
June 16, 2006 on 9:42 am | In Rogue Anti Spyware | No Comments |
Found new vulnerability in Microsoft Excel
ISC and Microsoft reported a new vulnerability in Microsoft Excel. An exploit that uses the vulnerability to install malware has also been found.
Symantec can now detect this attack.
Trojan.Mdropper.J is a Trojan horse that drops Downloader.Booli.A on the compromised computer. It exploits an undocumented vulnerability in Microsoft Excel.
The Symantec website also reports … Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name: %System%\svc.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
When Downloader.Booli.A is executed, it performs the following actions:
- Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
- Attempts to download a file from the following location: [http://]210.6.90.153:7890/svcho[REMOVED]
- Saves the file as the following and if the download was successful, executes the file: c:\temp.exe
- Creates an empty file before exiting: c:\bool.ini
We now recommend the same defenses as for the latest Microsoft Word vulnerability: How to block Microsoft Word vulnerability, recommended defenses.
June 16, 2006 on 8:49 am | In Exploits & Vulnerabilities | No Comments |
Update your systems
Microsoft released twelve updates addressing various issues yesterday. There are several for different flavors of Windows and IE, and others for Word (MS06-027), PowerPoint (MS06-028), and Media Player 10 (MS06-024). The patch for Word fixes an issue that was found in May.
Update soon. ISC reported on newly released exploits for these vulnerabilities.
Here is a quick list of what they have seen so far:
MS06-024 (Windows Media Player): exploit released by a penetration testing vendor to customers.
MS06-025 (RRAS): exploit released by a penetration testing vendor to customers.
MS06-027 (Word remote code execution): exploit available before release of the patch.
MS06-030 (SMB privilege escalation): two exploits released to the public.
MS06-032 (IP source routing): DoS exploits released privately (trivial exploit).
Download the updates for your home computer or laptop from the Microsoft Update Web site now.
June 14, 2006 on 6:37 pm | In Critical patch | No Comments |
CleanCache – Clean Internet Explorer, Mozilla, Firefox, Opera and most Internet Explorer shells
CleanCache 3.0 is a free (for 1 – 2 systems), very powerful Internet Explorer 6.0, Mozilla, Netscape, Firefox and Windows 2000/XP cleaner.
June 13, 2006 on 7:39 am | In Free Software | No Comments |