How to remove Koobface worm (Removal guide)
The Koobface worm infects computers via messages that spread through Facebook, Twitter, MySpace and other social networks. The spam message contains one of the following texts:
Saw thhat vvideo yesterdday… How coulld you do succh a thingg?
Sweet!! Yourr ass loooks greaat on thiss video!!
WWow! Is tthat reeally you in thaat videeo?
Funny vide0 with me
HHolly sshit! Are you rreally in thiss viideo?
Hollyy shhit! You are on hiidden cameera!
The message also contains a link. Clicking it opens a site that asks the user to download an Adobe Flash update, which is in reality the Koobface installer. Koobface includes a bot-like component that can install other malicious programs at a later time.
How to remove Conficker worm (Downadup or Kido)
Win32/Conficker.AA, also known as W32/Worm.AHGV, Net-Worm.Win32.Kido.bg, Worm:Win32/Conficker, W32/Conficker.worm.gen and Mal/Conficker, is a worm that exploits the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) to spread to other computers on the local network. The worm blocks user access to security websites, deletes all System Restore points created prior to infection, protects itself from deletion by removing all NTFS file permissions except execute and directory traversal, and more. Starting in April 2009, this worm also installs Spyware Protect 2009.
MSN Worm Used to install Backdoor | How to remove
F-Secure has received reports from customers of suspicious pop-ups being spammed through MSN Messenger. Below is a sample message:
lol check
http://peopleonline.pe.funpic.de/[REMOVED].pif
When the link in the message is clicked, it automatically downloads a file named photo942.PIF. This file is the backdoor component of Licat.C and is used to connect to go.cheap[Removed].info and go.links4[Removed].biz.
These websites contain a malicious IP address. Accessing this address downloads further malware and adware from www.uglyphotos.net/[Removed] and executes it on the infected machine.
One of the downloaded files is responsible for the pop-up messages being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe and is also detected as IM-Worm.Win32.Licat.c.
Licat.C, a variant of Licat, is a Trojan. It can send instant messages or contact certain websites on the Internet to inform the malware authors about certain events, and it allows files to be downloaded onto the infected computer.
Licat.C also attempts to replace the original MSN Messenger client, msnmsgr.exe, with its own copy. The original Messenger file is renamed to msgs.exe and is started by the copy. Deleting the Licat.C copy and renaming the original file, msgs.exe, back may repair the Messenger installation.
The other downloaded files are adware related. One is a trojan that drops a variant of PurityScan adware onto the system (detected as Trojan-Dropper.Win32.PurityScan.ag). The other is a Softomate adware installer (detected as Softomate toolbar).
Worm uses MS04-007, MS05-017, MS05-039, MS06-040 bugs
For the past several days, ISC has received all kinds of emails about the recent increase in scanning on port 139. One of the loyal readers out there on the ‘Information SuperHighway’, Alex Pettinger, wrote in and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it). In typical antivirus fashion it appears to be named several things: McAfee is calling it “W32/SDbot.worm!MS06-040”, Sophos is calling it “W32/Vanebot-A”, and Symantec is calling it “W32.Randex.GEL”. (Yes, it’s been out for a couple of days.)
Let’s take a look at this bad boy, shall we? How does it spread? Well, it uses MS04-007, MS05-017, MS05-039 and, of course, our favorite bug of the moment, MS06-040.
This one should be relatively easy to catch: look for machines pounding away at port 139 (from reader submissions it hits about 150 machines in just a few seconds, so it should be noisy), and look for IRC connections to “forum.ednet.es” over port 4915 (until the next variant changes it, and we know it will). It can do a bunch of things, including spreading to network shares.
To protect your PC, block ports 139 and 445 at the router/firewall. NetBIOS traffic shouldn’t be allowed to enter or exit your network at egress points anyway.
Update your antivirus, at least daily. Patch your Windows.
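A defender-side check for the two indicators given above, written as an added example for this page (it is not code from ISC or the original post): it flags hosts that touch many distinct targets on TCP 139 within a short window, and any host that reached the named IRC server or its port. The log line format and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not from the post):
#   "<epoch_seconds> <src_ip> <dst_host_or_ip> <dst_port>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Thresholds are assumptions derived from the post (~150 hosts in a few seconds).
SCAN_PORT = 139
SCAN_WINDOW_SECS = 10
SCAN_MIN_TARGETS = 50
IRC_PORT = 4915              # C2 port named in the post
IRC_HOST = "forum.ednet.es"  # C2 host named in the post

def parse(lines):
    """Yield (ts, src, dst, port) tuples; silently skip lines that don't parse."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_scanners(records):
    """Sources that touched >= SCAN_MIN_TARGETS distinct hosts on port 139
    within any SCAN_WINDOW_SECS window (the noisy sweep the post describes)."""
    per_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port == SCAN_PORT:
            per_src[src].append((ts, dst))
    scanners = set()
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - start <= SCAN_WINDOW_SECS}
            if len(targets) >= SCAN_MIN_TARGETS:
                scanners.add(src)
                break
    return scanners

def find_irc_c2(records):
    """Sources that connected to the named C2 host or to its IRC port."""
    return {src for _, src, dst, port in records
            if port == IRC_PORT or dst == IRC_HOST}

# Constructed sample: 10.0.0.5 sweeps 60 hosts on 139 in ~3 s, then dials C2;
# 10.0.0.9 makes two ordinary SMB connections; one line is unparseable.
SAMPLE = [f"1000{i % 4} 10.0.0.5 192.168.1.{i} 139" for i in range(1, 61)]
SAMPLE += ["10005 10.0.0.5 forum.ednet.es 4915",
           "10010 10.0.0.9 192.168.1.2 139",
           "10011 10.0.0.9 192.168.1.3 139",
           "not a log line"]
```

Run `find_scanners(list(parse(SAMPLE)))` and `find_irc_c2(list(parse(SAMPLE)))` to see both checks flag only 10.0.0.5.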
Posted August 31, 2006, 9:05 pm | In Tips, Worms
New worm disables Security Software
SunbeltBLOG reported a new World Cup soccer worm. The worm arrives as an e-mail attachment with one of the following subjects and message bodies:
Subjects:
1. Soccer fans killed five teens
2. Crazy soccer fans
3. Please reply me Tomas
4. My tricks for you
5. Naked World Cup game set
6. My sister whores, shit i dont know
Message Bodies:
1. Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
2. Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
3. I wait your photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
4. Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos
5. Emily Carr was an artist know for her prudery, but now the Portrait Gallery of Canada has aquired a nude self-portrait. View photos.
Upon execution, the worm copies itself to the following location:
%Sysdir%\msctools.exe
It attempts to download additional malware from:
http://couple{removed}.com/tumbs/dianaimg.exe
The worm also attempts to disable the following processes:
AVP32.EXE, AVPCC.EXE, AVPM.EXE, AVP.EXE, iamapp.exe, iamserv.exe, FRW.EXE, blackice.exe, blackd.exe, zonealarm.exe, vsmon.exe, VSHWIN32.EXE, VSECOMR.EXE, WEBSCANX.EXE, AVCONSOLE.EXE, VSSTAT.EXE, OUTPOST.EXE, REGEDIT.EXE, NETSTAT.EXE, TASKMGR.EXE, MSCONFIG.EXE, NAVAPW32.EXE, UPDATE.EXE, msctools.exe
Posted June 20, 2006, 7:41 pm | In Worms
Banwarum Worm Offers Tickets for the WORLD CUP
A new mass-mailing worm called Banwarum (also known as Zasran and Ranchneg) is using World Cup themed e-mail messages. The worm sends itself as a password-protected archive and includes the password in the e-mail. The e-mails sent by the worm are in German, and some of them offer tickets for the football games in Germany next month.
There are already three functionally similar variants of this worm. FSAV detects the .A and .B variants with update version 2006-05-24_04 and the .C variant with update version 2006-05-25_01. One of the e-mails sent by the worm looks as follows:
Hi man,
ich hab gesehen, das du zu WM wolltest, frag nicht wer ich bin und warum ich es mache. Hier hast du 5 Stueck, das ist eine spezielle Online Version, drueck es aus und unterschreib. Password zu dem Archiv lautet (psw)
Mfg Niemand
This means in English:
Hi man,
I saw that you want to go to the World Cup. Don’t ask who am I and why I am doing this. Here you have 5 pieces, which are a special on-line version, print it and sign. Password to the archive is (psw).
With friendly greetings Nobody
Thanks to F-Secure.
Posted May 28, 2006, 11:31 pm | In Worms
Fake Windows Sites + WMF Exploit + Keylogger = New Botnet
Adam Piggott of Proactive Computing received a message claiming to be from Microsoft. The e-mail had a link to a supposed Windows update site, but in fact the link went to a site running the WMF exploit. On an unpatched Windows computer the exploit hits immediately. Social engineering is also at work, urging users to click a link on the site to get Windows updates. Either way, whether unpatched, or patched and clicking the link, the user gets hit with a trojan downloader; in this case the trojan file name is wusetup.exe.
The trojan downloader pulls more malware that turns the infected machine into a proxy server and makes it part of a botnet hosted on Russian servers. The trojan also downloads a keylogger, winldra.exe, also known as W32/Dumaru and Srv.SSA-KeyLogger. This keylogger writes information stolen from infected machines to a log on a remote server.
For more details on this exploit and botnet, see SunbeltBLOG, which includes screenshots of the fake Windows update site and of the live botnet on the Russian server. Note: the trojan downloader file wusetup.exe is currently detected by fewer than half of the antivirus scanners at VirusTotal.
Posted March 13, 2006, 9:46 am | In Exploits & Vulnerabilities, Identity Theft, Worms
New worm with file encryption function found
Yesterday Kaspersky Lab came across a worm with a German-speaking background, Email-Worm.Win32.Skowor.b.
In contrast to programs like GPCode, Skowor is able to replicate; it tries to spread via a share that it creates.
When installed, the worm displays a message telling the user that s/he has 5 PC reboots in which to obtain a password that can be used to uninstall the worm. If the user doesn’t do this, the worm encrypts a number of important files and changes the Administrator and current user passwords.
The worm also changes the IE start page to the author’s website.
Posted February 24, 2006, 9:30 am | In Worms
Leap.A – Worm for Mac OS X
Leap.A is a binary file compiled for Mac OS X. It arrives in an archive file called ‘latestpics.tgz’. When the executable in the archive is opened, the virus activates. First it drops an icon resource and an external hook bundle that is used for spreading through iChat.
Spreading through iChat
Leap.A installs a bundle to ‘~/InputManagers/apphook’ that hooks certain iChat functions. When any of the user’s buddies change their status, the worm initiates a file transfer and sends a copy of ‘latestpics.tgz’. The file transfer is not visible to the user because the worm hides the transfer status information.
File infection
The worm enumerates all applications on the computer that were used during the last month. Leap.A replaces the main executable of those applications with itself and saves the original file to a resource fork under the same filename. When the application is opened, the worm activates first and then runs the original application from the resource fork.
Thanks to F-Secure.
Posted February 18, 2006, 7:54 am | In Worms
New Bagle – W32/Bagle.FM@mm, Email-Worm.Win32.Bagle.fm mass-mailer found
F-Secure has received a new Bagle mass-mailer. It first appeared on February 9th, 2006. It spreads in e-mails, sometimes pretending to be an antivirus definition file from Symantec. The worm also spreads to shared folders. In addition, it drops a trojan downloader.
F-Secure detects this new mass-mailer as W32/Bagle.FM@mm.
When the worm’s file is started, it displays a fake error message box:
Error!
Can’t find a viewer associated with the file.
The worm can send several different messages. The following text can be used in the subject line (%number% stands for a randomly generated number):
Your Receipt %number%-%number%
Order reminder: ID %number%
Billing department, order %number%-%number%
When the worm scans a hard drive, it looks for folders that have the substring ‘shar’ in their names. If such a folder is found, the worm copies itself to that folder under the following names:
anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe
The worm also drops a file named winresw.exe into the Windows folder and starts it. This file is a trojan downloader that downloads and runs files from the Internet.
The worm also starts a backdoor on port 6777. The backdoor allows the worm’s file to be updated from the Internet.
Posted February 11, 2006, 7:14 am | In Trojan, Virus, Worms