How to remove cnn.com and msnbc.com fake breaking news spam-virus and joke-bluescreen malware
Joke-bluescreen malware also installs rogue security applications (Antivirus XP, IE Defender) and displays false alerts on the compromised computer. It infects systems via spam emails with the header “cnn.com breaking news” or “msnbc.com breaking news”. If your computer is infected, you will see the following:
- the background turns blue and a box comes up saying that your computer has been infected with spyware and that you need to download some kind of software to clean the PC
- McAfee keeps telling you that the virus is called joke-bluescreen
- the system is running slowly
Download HijackThis and Combofix.
Run HijackThis. Click “Do a system scan only.” and put a checkmark next to the following items (if they exist):
O4 – HKLM\..\Run: [DLI32] C:\WINDOWS\dli32.exe
O4 – HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 – HKCU\..\Run: [CDriver] c:\microsoft\svchost.exe
O4 – HKCU\..\Run: [DDriver] c:\microsoft\svchost.exe
O4 – HKCU\..\Run: [alpha] c:\microsoft\svchost.exe
O4 – HKCU\..\Run: [beta] c:\microsoft\svchost.exe
O4 – HKCU\..\Run: [gamma] c:\microsoft\svchost.exe
O4 – HKLM\..\Run: [SMrhcjlaj0ee91] C:\Program Files\rhcjlaj0ee91\rhcjlaj0ee91.exe
O4 – HKLM\..\Policies\Explorer\Run: [CDriver] c:\microsoft\svchost.exe
O4 – HKLM\..\Policies\Explorer\Run: [DDriver] c:\microsoft\svchost.exe
O4 – HKLM\..\Policies\Explorer\Run: [alpha] c:\microsoft\svchost.exe
O4 – HKLM\..\Policies\Explorer\Run: [beta] c:\microsoft\svchost.exe
O4 – HKLM\..\Policies\Explorer\Run: [gamma] c:\microsoft\svchost.exe
O9 – Extra button: (no name) – {9034A523-D068-4BE8-A284-9DF278BE776E} – http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 – Extra ‘Tools’ menuitem: IE Anti-Spyware – {9034A523-D068-4BE8-A284-9DF278BE776E} – http://www.securesoftwarefeed.com/redirect.php (file missing)
O22 – SharedTaskScheduler: cariniana – {5c770fbc-cc2f-4acd-93e8-e6f0594307fd} – C:\WINDOWS\system32\gnjsjc.dll (file missing)
Note: where the entries show c:\microsoft\svchost.exe, the path may instead be c:\google.com\svchost.exe.
Now close all browser windows and any other windows except HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Close HijackThis. Double click on combofix.exe and follow the prompts.
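As an added example (not part of the original post or of HijackThis itself), the following script parses HijackThis O4 lines and flags the ones that match the indicators listed above, so a helper can triage a posted log before telling the user what to fix. The sample log is constructed; the svchost.exe location and Policies\Explorer\Run checks are general heuristics, not statements from the post.

```python
import re

# Constructed sample log, modelled on the O4 entries listed in the post above,
# plus one benign entry (SoundMan) that a scanner must not flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DLI32] C:\WINDOWS\dli32.exe
O4 - HKCU\..\Run: [CDriver] c:\microsoft\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [alpha] c:\google.com\svchost.exe
O4 - HKLM\..\Run: [SMrhcjlaj0ee91] C:\Program Files\rhcjlaj0ee91\rhcjlaj0ee91.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O4 – HKLM\..\Run: [Sysrest32] C:\WINDOWS\system32\sysrest32.exe
"""

# Indicators taken from the post: autorun value names and dropped file names.
KNOWN_NAMES = {"dli32", "sysrest32.exe", "cdriver", "ddriver",
               "alpha", "beta", "gamma", "smrhcjlaj0ee91"}
KNOWN_FILES = {"dli32.exe", "sysrest32.exe", "rhcjlaj0ee91.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): "
                   r"\[(?P<name>[^\]]*)\] (?P<path>.+)$")


def parse_o4(line):
    """Split one HijackThis O4 line into hive, key, value name and path."""
    line = line.strip().replace("\u2013", "-")  # undo blog en-dash mangling
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def flag_entry(entry):
    """Return the reasons an O4 entry matches this infection (empty if clean)."""
    reasons = []
    folder, _, base = entry["path"].lower().rpartition("\\")
    if entry["name"].lower() in KNOWN_NAMES:
        reasons.append("autorun name listed in the post")
    if base in KNOWN_FILES:
        reasons.append("dropped file name listed in the post")
    # The trojan runs a copy named svchost.exe from c:\microsoft or c:\google.com;
    # the real one lives under system32 (heuristic, not stated in the post).
    if base == "svchost.exe" and not folder.endswith(("\\system32", "\\syswow64")):
        reasons.append("svchost.exe outside system32")
    # Policies\Explorer\Run is rarely used by legitimate software (heuristic).
    if entry["key"].lower().startswith("policies\\explorer\\run"):
        reasons.append("uses Policies\\Explorer\\Run")
    return reasons


def scan_log(text):
    """Return (name, path, reasons) for every flagged O4 line in a log."""
    return [(e["name"], e["path"], flag_entry(e))
            for e in map(parse_o4, text.splitlines())
            if e and flag_entry(e)]
```

Running scan_log(SAMPLE_LOG) reports five of the six sample entries; only SoundMan comes back clean.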
If you are still having problems, then I would recommend you follow these instructions and post your logs in the spyware removal forum. I will check your logs and advise you on joke-bluescreen removal.
August 21, 2008 on 9:28 am | In Malware removal, Rogue Anti Spyware, Trojan, Tutorials - HowTo, Virus | 4 Comments
First virus for StarOffice and OpenOffice
Kaspersky Lab has reported that the first macro virus for StarOffice and OpenOffice, Virus.StarOffice.Stardust.a, has been found.
Stardust is a macro virus written for StarOffice; macro viruses usually infect MS Office applications. It is written in Star Basic. It downloads an image file (with adult content) from the Internet and then opens this file in a new document.
New ransomware found
A new piece of ransomware, called Ransom.a by most AV vendors, has been spotted in the wild.
Evidence received so far suggests that this Trojan can be found on P2P networks.
The malware poses as a Windows Mobile application, but despite that description it will only work on Win32.
When the user is infected and reboots the machine, he will be greeted with a full-screen message when he logs on.
The screen tries its best to stay on top of all windows and is highly annoying; it also shows pornographic images.
The message which is presented to the user is quite long, but in short:
Pay $10.99 via Western Union otherwise you will keep getting this screen.
One file per 30 minutes will be deleted from the hard drive. Deleted files will be restored when you have paid up and entered the proper unlock code.
Antivirus software cannot detect this virus, nor can it detect the hidden folders in which the deleted files are stored.
When entering a false unlock code there’s also a message stating that the hard drive will crash in 3 days.
However, there’s a catch: none of these destructive routines actually work!
I think we have an interesting development going on here; I think there are two different types of ransomware.
Real ransomware, which encrypts your data or does other nasty stuff.
And malware which claims to do all sorts of nasty stuff but actually doesn’t. It’s bluffing, like bluff poker.
How is an average user going to check if all of his files are still there? He’s not.
Losing a file every 30 minutes is a scary thought, made up by the criminal in an effort to pressure the user to act quickly and pay up.
Ransomware has gotten quite some media attention and now criminals are trying to simply bluff people into giving up their money, instead of having to write difficult code.
I just hope that people have remembered the most important thing about ransomware: Do not pay up, contact AV vendors for help.
May 1, 2006 on 8:53 am | In Virus | No Comments
LdPinch again spammed via ICQ
Over the weekend, Kaspersky Lab intercepted Trojan-PSW.Win32.LdPinch.ahe – the latest variant of LdPinch.
This malicious program sends itself to everyone on the victim’s ICQ contact list. It sends a Russian message which says:
[translation] How to trick WebMoney!
To find out how, read the Help instructions!
The message includes a link to the malicious program file, which is called Help.chm.
March 13, 2006 on 9:13 am | In Identity Theft, Virus | No Comments
Nyxem/Kama Sutra/Blackworm return again
Today is the third day of the month, and “this destructive virus will delete files from a number of popular programs on February 3rd, and on the 3rd day of the month thereafter”.
More info about Nyxem/Kama Sutra/Blackworm
How to remove Nyxem/Kama Sutra/Blackworm
How to recover lost files (due to the W32.Blackmal.E@mm – BlackWorm virus or other reasons)
Crossover PC/Windows Mobile virus found
The Mobile Antivirus Researchers Association claims to have detected the first worm that can jump from a PC to a Windows Mobile-powered wireless device.
The ‘Crossover’ worm nests itself in a directory on a Windows PC where it will automatically activate once the user connects a Windows Mobile device using Microsoft ActiveSync.
The digital pest was sent to the association anonymously and is a proof-of-concept designed to show off its features but not cause any actual harm.
“This is proof-of-concept code for educational purposes only. This virus closes the gap between handhelds and desktops. Now it’s one big world open to all,” the worm creators said in a note attached to the virus.
Read more here.
February 28, 2006 on 10:00 am | In Virus | No Comments
New variant of W32/Feebs found
A new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time de-obfuscating the JavaScript and VB code, and we’re still looking at what it does besides downloading base64-encoded versions of W32/Feebs. You might want to block access to
*.coconia.net
*.by.ru
*.kazan.bz
*.t35.com
*.freecoolsite.com
*.nm.ru
until the AV vendors have the patterns lined up.
The new variant spreads as an email with the subject “Secure Message from GMail.com user”, and contains a ZIP attachment (data.zip in the sample at hand), which in turn contains a file “Encrypted Html File.hta”, which contains the heavily obfuscated JavaScript exploit code that triggers the W32/Feebs download from the above sites.
Update:
AV detection is available by now:
| Vendor | Version | Signature date | Detection name |
|---|---|---|---|
| BitDefender | 7.2 | 02.22.2006 | Win32.Worm.Feebs.1.Gen |
| Kaspersky | 4.0.2.24 | 02.22.2006 | Worm.Win32.Feebs.cb |
| McAfee | 4703 | 02.22.2006 | W32/Feebs.gen@MM |
| Panda | 9.0.0.4 | 02.22.2006 | Suspicious file |
| Sophos | 4.02.0 | 02.22.2006 | W32/Feebs-Gen |
| Symantec | 8.0 | 02.22.2006 | W32.Feebs |
Thanks to SansBlog
February 22, 2006 on 5:30 am | In Virus | No Comments
New Bagle – W32/Bagle.FM@mm, Email-Worm.Win32.Bagle.fm mass-mailer found
F-Secure has received a new Bagle mass-mailer. This Bagle mass-mailer first appeared on February 9th, 2006. It spreads in e-mails, sometimes pretending to be an antivirus definition file from Symantec. The worm also spreads to shared folders. In addition, it drops a trojan downloader.
F-Secure detects this new mass-mailer as W32/Bagle.FM@mm.
When the worm’s file is started, it displays a fake error message box:
Error!
Can’t find a viewer associated with the file.
The worm can send several different messages. The following text can be used in the subject line (%number% stands for a randomly generated number):
Your Receipt %number%-%number%
Order reminder: ID %number%
Billing department, order %number%-%number%
When the worm scans a hard drive, it looks for folders that have the substring ‘shar’ in their names. If such a folder is found, the worm copies itself to that folder under the following names:
anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe
The worm also drops a file named winresw.exe into the Windows folder and starts it. This file is a trojan downloader that downloads and runs files from the Internet.
The worm also starts a backdoor on port 6777. The backdoor allows the worm’s file to be updated from the Internet.
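As an added example (not code from the original post or from F-Secure), the script below walks a directory tree and reports worm-style drops in folders whose names contain ‘shar’, using a subset of the lure names listed above plus a double-extension check (document name with .exe/.scr tacked on). The sample share layout is constructed in a temporary directory; the DOC_EXTS and EXEC_EXTS lists are an assumption that generalises the names in the post.

```python
import os
import tempfile

# Lure names the worm uses in "shar" folders (a subset of the list in the post).
LURE_NAMES = {
    "serials.txt.exe", "windows sourcecode update.doc.exe", "porno screensaver.scr",
    "ie beta 7.exe", "adobe photoshop 9 full.exe", "ahead nero 10.exe",
}
# A document-looking name with an executable extension tacked on (e.g. .doc.exe).
DOC_EXTS = (".doc", ".txt", ".jpg", ".avi", ".zip")
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")


def is_suspicious_name(filename):
    """True for a listed lure name or a document.exe style double extension."""
    name = filename.lower()
    if name in LURE_NAMES:
        return True
    stem, ext = os.path.splitext(name)
    return ext in EXEC_EXTS and os.path.splitext(stem)[1] in DOC_EXTS


def find_bagle_drops(root):
    """Return suspicious files inside folders whose names contain 'shar'."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # The post says the worm only targets folders with 'shar' in the name.
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        hits.extend(os.path.join(dirpath, fn) for fn in filenames
                    if is_suspicious_name(fn))
    return sorted(hits)


def build_sample_tree():
    """Constructed share layout: three worm-style drops plus benign files."""
    root = tempfile.mkdtemp(prefix="bagle_demo_")
    layout = {
        "Shared Docs": ["Serials.txt.exe", "report.doc", "Ahead Nero 10.exe"],
        "Photos": ["Serials.txt.exe"],  # not a 'shar' folder, so not reported
        "share": ["holiday.jpg.exe", "readme.txt"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for fn in files:
            open(os.path.join(root, folder, fn), "wb").close()
    return root


if __name__ == "__main__":
    for hit in find_bagle_drops(build_sample_tree()):
        print("suspicious:", hit)
```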
February 11, 2006 on 7:14 am | In Trojan, Virus, Worms | No Comments
Top Ten viruses and spyware most frequently detected by Panda ActiveScan in January
In January, Sdbot.ftp was the malware specimen most frequently detected by the free online antivirus solution Panda ActiveScan. In addition to this malicious code topping the ranking for the seventh month running, other notable aspects of this month’s list include the second place held by WMF Exploit and the presence of Tearec.A/W32.Blackmal.E@mm/BlackWorm in sixth place. With respect to spyware, New.net occupies first place in the ranking.
During the first month of this year, Sdbot.ftp was responsible for 2.99 percent of infections. Then come Metafile (1.99%), Sober.AH (1.30%) and Netsky.P (1.25%). After them, with frequency percentages of less than 1 percent, come Gaobot.gen, Tearec.A, Torpig.A, Qhost.gen, Alcan.A and Parite.B.
| Malware | % frequency |
|---|---|
| W32/Sdbot.ftp | 2.99 |
| WMF Exploit/Metafile | 1.99 |
| W32/Sober.AH.worm | 1.30 |
| W32/Netsky.P.worm | 1.25 |
| W32/Gaobot.gen.worm | 0.90 |
| W32/Tearec.A.worm | 0.80 |
| Trj/Torpig.A | 0.80 |
| Trj/Qhost.gen | 0.76 |
| W32/Alcan.A.worm | 0.70 |
| W32/Parite.B | 0.61 |
The following conclusions can be drawn from the Top Ten ranking of the threats most frequently detected by Panda ActiveScan in January:
- Sdbot.ftp: seven months at the head of the ranking.
Sdbot.ftp has been, since July 2005, the threat with the most impact. This is a script used by certain malware specimens to download the Sdbot worm via FTP. It does this by exploiting several operating system vulnerabilities such as LSASS or RPC-DCOM.
- The high profile of WMF Exploit.
WMF Exploit, which first appeared towards the end of December 2005, was the second most prevalent threat in January 2006. This is an exploit, i.e. code written especially to take advantage of a security hole in GDI32.DLL (used by programs such as Windows Picture and Fax Viewer), affecting the following Windows platforms: 98, Millennium Edition (ME), 2000, XP and Server 2003.
The impact of WMF Exploit, along with the pole position of Sdbot.ftp, once again highlights the success of malware creators in exploiting vulnerabilities in major programs to bolster the impact of their creations.
- Tearec.A/W32.Blackmal.E@mm/BlackWorm: social engineering once again hand-in-hand with Internet threats.
In mid-January, Tearec.A hit computers around the world, and was, for some days, the most frequently detected malware by the free, online antivirus solution Panda ActiveScan. Its successful propagation was based largely on the use of social engineering techniques by its creator. The e-mails in which Tearec.A spread used erotic themes in order to trick recipients.
- The growing presence of worms.
Seven out of ten of the viruses in January’s Top Ten are worms, reflecting the growing trend apparent in the previous ranking (in which six out of the Top Ten belonged to this category) with a corresponding decline in the presence of Trojans.
January’s spyware ranking sees first place remain unaltered with respect to the previous month, with New.net (1.28%) still at the top. The remaining examples of spyware in the Top Ten all have frequency percentages of less than 1%: Smitfraud, Virtumonde, RXToolbar, Altnet, BetterInet, Media-motor, SafeSurf, MarketScore and Petro-Line. The most notable aspects with respect to December’s classification are the appearance of Smitfraud and SafeSurf, replacing Cydoor and Premeter, which last month held second and third place respectively.
| Spyware | % frequency |
|---|---|
| Spyware/New.net | 1.28 |
| Spyware/Smitfraud | 0.55 |
| Spyware/Virtumonde | 0.46 |
| Spyware/RXToolbar | 0.37 |
| Spyware/Altnet | 0.35 |
| Spyware/BetterInet | 0.29 |
| Spyware/Media-motor | 0.26 |
| Spyware/SafeSurf | 0.23 |
| Spyware/MarketScore | 0.22 |
| Spyware/Petro-Line | 0.20 |
Remove Win32/Mywife.E@mm BlackWorm, W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi now
On systems that are infected by Win32/Mywife.E@mm, BlackWorm, W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts.
Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.
Customers using Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, or Windows Server 2003 Service Pack 1 may be at reduced risk from this malware; if the account password is blank, the account is not valid as a network credential. In an environment where you can guarantee physical security, you do not need to use the account across the network, and you are using Windows XP or Windows Server 2003, a blank password is better than a weak password. By default, blank passwords can only be used locally in Windows XP and Windows Server 2003.
Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.
Customers who believe that they are infected with the Mywife malware, or who are not sure whether they are infected, should contact their antivirus vendor. Alternatively, the Windows Live Safety Center Beta Web site provides the ability to choose “Protection Scan” to ensure that systems are free of infection. Additionally, the Windows OneCare Live Beta, which is available for English language systems, provides detection for and protection against the Mywife malware and its known variants.
You can also try the how-to for removing the Win32/Mywife.E@mm malware.
February 2, 2006 on 8:58 am | In Tips, Virus | No Comments
My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.