How to remove Trojan Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A)
Last week Vundo was in second place in Sunbelt's top 10 spyware list.
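| Spyware | Count | Share |
|---|---|---|
| DesktopScam | 1,646 | 3% |
| Virtumonde | 1,194 | 2% |
| Vcodec | 915 | 2% |
| Hotbar | 872 | 2% |
| SpyAxe | 833 | 2% |
| WhenU.SaveNow | 832 | 2% |
| Looking-For.Home Search Assist… | 810 | 2% |
| EliteMedia | 749 | 1% |
| NewDotNet | 746 | 1% |
| CmdService | 728 | 1% |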
Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A) is an adware program that downloads and displays popup advertisements. It also offers to install other potentially unwanted software.
Standard symptoms:
- the computer runs slowly
- pop-ups from Adult Friend Finder
- you have found rogue anti-spyware
If you found Vundo (VirtuMonde, WindowsUpd, Adware.VirtuMonde, TrojanDownloader.Win32.Agent.e, ADW_TARGETSOFT.A) on your computer, read these steps. If you have problems with your computer and don't know why, read also
You can also use CounterSpy for automatic removal of Vundo.
Download VundoFix and save the file to your desktop.
Download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Now you need to run HijackThis and click “Do a system scan only.” Place a check next to the following entries (if they are still there):
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\system32\*****.dll
O20 - Winlogon Notify: ***** - C:\WINDOWS\system32\*****.dll
Where ***** is a random name, but the same name appears in every entry.
Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
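A way to pick those two entries out of a saved HijackThis log, as an added example that is not part of the original post: it pairs an O2 BHO entry with an O20 Winlogon Notify entry that point at the same system32 DLL. The sample log lines and the DLL name `qwxzplk` are constructed, and the function names are this example's own.

```python
import ntpath
import re

# CLSID and BHO name exactly as given in the removal steps above.
PAGE_CLSID = "{75DC57F8-D831-4AB8-86B7-4F826F4A0873}"
PAGE_BHO_NAME = "WTLHelper Object"

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

# Constructed sample log: two harmless-looking O20 entries plus one pair
# that follows the pattern described in the removal steps.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WTLHelper Object - {75DC57F8-D831-4AB8-86B7-4F826F4A0873} - C:\WINDOWS\system32\qwxzplk.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll
O20 - Winlogon Notify: qwxzplk - C:\WINDOWS\System32\qwxzplk.dll
"""


def _norm(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return ntpath.normpath(path.strip()).lower()


def _stem(path):
    """File name without directory or extension."""
    return ntpath.splitext(ntpath.basename(_norm(path)))[0]


def _in_system32(path):
    return ntpath.basename(ntpath.dirname(_norm(path))) == "system32"


def find_vundo_pairs(log_text):
    """Return O2/O20 pairs whose entries share one system32 DLL.

    An O20 entry is a candidate only when its Notify key name equals the
    DLL's file name (the "all names are identical" rule). It is reported
    only if a BHO entry loads that very same DLL.
    """
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append((line, m))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append((line, m))

    findings = []
    for n_line, n in notifies:
        n_path = n.group("path")
        if not _in_system32(n_path):
            continue
        if n.group("name").lower() != _stem(n_path):
            continue
        for b_line, b in bhos:
            if _norm(b.group("path")) != _norm(n_path):
                continue
            exact = (b.group("clsid").upper() == PAGE_CLSID
                     and b.group("name") == PAGE_BHO_NAME)
            findings.append({
                "dll": ntpath.basename(_norm(n_path)),
                # "page-signature": CLSID and BHO name match the steps above;
                # "same-dll-pair": same shape only, review by hand before fixing.
                "match": "page-signature" if exact else "same-dll-pair",
                "o2": b_line,
                "o20": n_line,
            })
    return findings


if __name__ == "__main__":
    for hit in find_vundo_pairs(SAMPLE_LOG):
        print(hit["match"], hit["dll"])
        print("  check:", hit["o2"])
        print("  check:", hit["o20"])
```
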
If you are still having problems with spyware after completing these instructions, then please follow the steps outlined in the topic linked below: Spyware removal - Read Before Posting
April 2, 2006 on 8:45 am | In Trojan, Tutorials - HowTo
Trojan Horse keylogger steals end-user information for popular online games.
Websense® Security Labs™ has received reports of a malicious website, which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code’s filename is main_n80.scr and was discovered on a site, which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.
The main_80.scr file is an SFX self-extracting executable file that contains four files:
* download.exe
* winlogin.exe
* server.exe
* error.jpg
When the main_80.scr file is executed, it will use download.exe to copy the extracted files to the system32 directory and execute its version of rundll32.exe. The rundll32.exe file will show error.jpg. Once the user closes the .jpg file, rundll32.exe will execute the rest of the extracted .exe files.
These extracted .exe files modify the registry, as detailed below, to ensure that they start on restart, and check for the existence of the application Lineage.
* Modifies or creates files and stores them in the system32 directory:
  * Kerne0110.exe is a copy of winlogin.exe
  * Rundll32.exe is a copy of download.exe
  * gg.bat is created
  * _2dll.dll is created
  * microsoftie0110.dll is created
  * msabc.dll is created
  * pKerme123.dll is created
  * RegistryInfo.dll is created
Exchange rate conversion tool loads Trojan.Downloader and Trojan.Muldrop
If you search for a “currency” or “exchange rate” conversion tool with one of the more popular search engines, you may find a link or site like this one
This site presents the user with a lovely, extensive and complete list of currencies and exchange rates to convert from and to. All for free. The only catch being, the user gets the “result” of his calculation as … an EXE download.
The download contains what some of the AV vendors refer to as Dropped:Trojan.Downloader and Trojan.Muldrop. If you are using any sort of URL filter, web-url.de and wechselkursrechner.de should maybe be part of your filter list if exe downloads make it past your perimeter otherwise.
Thanks to SansDiary.
March 8, 2006 on 8:00 am | In Trojan
Trojan Redbrowser.A steals money
Redbrowser.A is a J2ME-based Java MIDlet that sends SMS messages to a specific number.
The Redbrowser pretends to be a WAP browser that offers free WAP browsing using free SMS messages to send the WAP page contents. But what Redbrowser actually does is to send SMS messages to one specific number thus it may cause financial losses to the user.
The fact that Redbrowser claims to send free SMS messages as part of its normal operation, is to fool the user into allowing the application permission to use Java SMS capabilities in phones that require permission from the user before sending SMS messages. This claim of free service is a form of social engineering.
The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan only to Russian speaking countries.
February 28, 2006 on 10:07 am | In Trojan
New Bagle - W32/Bagle.FM@mm, Email-Worm.Win32.Bagle.fm mass-mailer found
F-Secure has received a new Bagle mass-mailer. This Bagle mass-mailer first appeared on February 9th, 2006. It spreads in e-mails, sometimes pretending to be an antivirus definition file from Symantec. The worm also spreads to shared folders. In addition, it drops a trojan downloader.
F-Secure detects this new mass-mailer as W32/Bagle.FM@mm.
When the worm’s file is started it displays a fake error messagebox:
Error!
Can’t find a viewer associated with the file.
The worm can send several different messages. The following text can be used in subject line ( %number% stands for a randomly generated number):
Your Receipt %number%-%number%
Order reminder: ID %number%
Billing department, order %number%-%number%
When the worm scans a hard drive, it looks for folders that have the 'shar' substring in their names. If such a folder is found, the worm copies itself to that folder with the following names:
anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe
The worm also drops a file named winresw.exe to the Windows folder and starts it. This file is a trojan downloader that downloads and runs files from the Internet.
The worm also starts a backdoor on port 6777. The backdoor allows the worm's file to be updated from the Internet.
February 11, 2006 on 7:14 am | In Trojan, Virus, Worms
Top Ten viruses and spyware most frequently detected by Panda ActiveScan in January
In January, Sdbot.ftp was the malware specimen most frequently detected by the free online antivirus solution Panda ActiveScan. In addition to this malicious code topping the ranking for the seventh month running, other notable aspects of this month’s list include the second place held by WMF Exploit and the presence of Tearec.A/W32.Blackmal.E@mm /BlackWorm virus or other reasons) in sixth place. With respect to spyware, New.net occupies first place in the ranking.
During the first month of this year, Sdbot.ftp was responsible for 2.99 percent of infections. Then come Metafile (1.99%), Sober.AH (1.30%), and Netsky.P (1.25%). After them, with frequency percentages of less than 1 percent, come: Gaobot.gen; Tearec.A; Torpig.A; Qhost.gen; Alcan.A and Parite.B.
| Malware | % frequency |
|---|---|
| W32/Sdbot.ftp | 2.99 |
| WMF Exploit/Metafile | 1.99 |
| W32/Sober.AH.worm | 1.30 |
| W32/Netsky.P.worm | 1.25 |
| W32/Gaobot.gen.worm | 0.90 |
| W32/Tearec.A.worm | 0.80 |
| Trj/Torpig.A | 0.80 |
| Trj/Qhost.gen | 0.76 |
| W32/Alcan.A.worm | 0.70 |
| W32/Parite.B | 0.61 |
The following conclusions can be drawn from the Top Ten ranking of the threats most frequently detected by Panda ActiveScan in January:
- Sdbot.ftp: seven months at the head of the ranking.
Sdbot.ftp has been, since July 2005, the threat that has had most impact. This is a script used by certain malware specimens to download -via FTP- the Sdbot worm. It does this by exploiting several operating system vulnerabilities such as LSASS or RPC-DCOM.
- The high profile of WMF Exploit.
WMF Exploit, which first appeared towards the end of December 2005, was the second most prevalent threat in January 2006. This is an exploit or code written especially to take advantage of a security hole in GDI32.DLL -used by programs such as Windows Picture and Fax Viewer-, affecting the following Windows platforms: 98, Millennium Edition (ME), 2000, XP and Server 2003.
The impact of WMF Exploit, along with the pole position of Sdbot.ftp, once again highlights the success of malware creators in exploiting vulnerabilities in major programs to bolster the impact of their creations.
- Tearec.A/W32.Blackmal.E@mm/BlackWorm: social engineering once again hand-in-hand with Internet threats.
In mid-January, Tearec.A hit computers around the world, and was, for some days, the most frequently detected malware by the free, online antivirus solution Panda ActiveScan. Its successful propagation was based largely on the use of social engineering techniques by its creator. The e-mails in which Tearec.A spread used erotic themes in order to trick recipients.
- The growing presence of worms.
Seven out of ten of the viruses in January’s Top Ten are worms, reflecting the growing trend apparent in the previous ranking (in which six out of the Top Ten belonged to this category) with a corresponding decline in the presence of Trojans.
January’s spyware ranking sees the first place remain unaltered with respect to the previous month, with New.net (1.28%) in first place. The remaining examples of spyware in the Top Ten all have frequency percentages of less than 1%: Smitfraud, Virtumonde, RXToolbar, Altnet, BetterInet, Media-motor, SafeSurf, MarketScore and Petro-Line. The most notable aspect with respect to December’s classification is the appearance of Smitfraud and SafeSurf, replacing Cydoor and Premeter, which last month held second and third place respectively.
| Spyware | % frequency |
|---|---|
| Spyware/New.net | 1.28 |
| Spyware/Smitfraud | 0.55 |
| Spyware/Virtumonde | 0.46 |
| Spyware/RXToolbar | 0.37 |
| Spyware/Altnet | 0.35 |
| Spyware/BetterInet | 0.29 |
| Spyware/Media-motor | 0.26 |
| Spyware/SafeSurf | 0.23 |
| Spyware/MarketScore | 0.22 |
| Spyware/Petro-Line | 0.20 |
How to remove VideoCodec3_05b - ICQCHK.exe - MSX.DLL
ICQCHK Trojan is installed by VideoCodec3_05b.exe to help you play “funny” movies. Now the Trojan’s web sites are closed.
Related files in the %SysDir% folder (usually c:\Windows\System32):
kaboom.dll
iewatch.exe
A0003016.exe
VideoCodec3_05b.exe
sysmon.exe
msx.dll
gtrack.dll
ietool[1].exe
ietool[2].exe
ietool[3].exe
Removal Instructions
- Download special software: RegRun Reanimator. Unzip it to any folder on your hard drive.
  * RegRun users need to open RegRun Start Control.
- Save icqchk_kill.rnr to the same folder.
  * Script file works if Windows is installed to “C:\Windows”.
  * Script file deletes Trojan’s files and registry entries. If not, open icqchk_kill.rnr in Notepad.exe and replace “c:\Windows” with your path.
- Restart your computer to the Safe mode.
  1. Restart your computer.
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear.
  4. Select the first option, to run Windows in Safe Mode.
- Open Reanimator.exe (or RegRun Start Control). Open Reanimator menu, “Execute Reanimator Job”. Choose icqchk_kill.rnr file.
- Restart your computer again to the Safe mode. Repeat the job execution.
- Restart to the Normal Windows mode. Open Reanimator and choose “Scan for Viruses” to be sure that it is complete.
- Visit RegRun Support center if you have any questions. Open a support ticket and attach your detailed system report made by RegRun.
New trojan download spammed
A new trojan downloader is being heavily spammed. It comes with the subject “YOUR BILL PAYMENT NOT APPROVED!” and a message like this: “We are unable to obtain the bill payment from your bank account. Your bank returned the following error to us: BILL PAYMENT NOT APPROVED BILL #5563880”.
Attached to the message is a small downloader that tries to activate a file from dalvabrothersinc.com. F-Secure detects the downloader as W32/Small.CGS in the update 2006-01-27_01.
January 28, 2006 on 11:21 am | In Trojan
3 new Trojans for Symbian operating system
Symantec has today posted 3 newly identified trojans that affect the Symbian operating system.
SymbOS.Sendtool.A - The Trojan horse drops a hacktool that can be used to send malicious programs, such as variants of the SymbOS.PBStealer family of Trojans, to other mobile devices via Bluetooth.
SymbOS.Pbstealer.D - The Trojan sends the user’s contact information database, Notepad, and Calendar To Do list to other Bluetooth-enabled devices.
SymbOS.Bootton.E - A Trojan horse that restarts the mobile device when executed. However, as it also drops corrupted components, the device is unable to restart.
Panda Software publishes a free tool to eliminate the Nabload.U and Banker.BSX Trojans
The explosive propagation of the Nabload.U and Banker.BSX Trojans has left thousands of computers around the world infected. Panda Software has therefore made its PQRemove utility available to all users to detect and remove these Trojans from any infected computer. This utility can be downloaded from http://www.pandasoftware.com/download/utilities/. Currently, Banker.BSX and Nabload.U hold first and second place in the list of viruses most frequently detected by the Panda ActiveScan online antivirus solution.
Nabload.U and Banker.BSX launch a combined attack in order to install themselves on computers. The infection process is as follows: users receive, through MSN Messenger, a message with the text “ve esa vaina” (look at this), and displaying an Internet address. In order to trick users, the message appears to have come from one of the users’ contacts stored in the application.
If the user visits the link that they have received, the Nabload.U Trojan is downloaded onto their system. At the same time, this downloads the Banker.BSX Trojan.
Banker.BSX is designed to steal access details to various online banking services in Spanish-speaking countries. It does this by monitoring the addresses visited and waiting for the user to access one of these services. When this happens, the Trojan captures the information and sends it to an email address where the creator of the malicious code can collect the data which could then be used fraudulently. Finally, Banker.BSX sends new malicious messages to all MSN Messenger contacts.
December 30, 2005 on 10:43 pm | In Free Software, Trojan
Trojan targets Spanish-speaking bank customers
Utilising a new fusion of spyware and phishing techniques, a recently discovered Trojan is threatening Spanish-speaking bank customers. Nabload.U, which distributes using MSN Messenger, has made a target of online bank users in traditionally Spanish-speaking countries. Both technical and social engineering techniques have been used to get PC users to download the Trojan.
Once it infects a computer, Nabload.U downloads another trojan, Banker.bsx, which captures a user’s password and emails the information back to its author.
PandaLabs said the trojan is unusual because it captures passwords without the use of a traditional keylogger, thus leaving the user unaware of the breach. Banks that use virtual keyboards have not been immune from the virus.
New exploit blows by fully patched Windows XP systems
SecurityFocus just posted a bulletin on it.
Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability.
The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file.
The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine.
Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.
Any application that automatically displays a WMF image will cause the user's machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.
This is a really bad exploit.
December 28, 2005 on 2:57 am | In Exploits & Vulnerabilities, Trojan
Santa Claus leaves you a Trojan for Christmas
- A new Trojan, MerryX.A, reaches victims in an email with the subject “MERRY CHRISTMAS!”, and hides behind an animation with Santa Claus and Christmas music
- This Trojan joins the list of malware species that take advantage of the massive sending of Christmas cards via email to enter users’ computers
PandaLabs reports the appearance of a new Trojan, MerryX.A, which uses the theme of Christmas to distract users’ attention while infecting their computers. This Trojan, distributed in email messages, aims mainly at gathering information from the affected system.
Infection starts with arrival of an email with the subject “MERRY CHRISTMAS!”, and the text line: “Merry Christmas and a Happy New Year!”. This email includes two attached files: an animated GIF image called A_LIGHTSMC10.GIF, which shows the phrase “Merry Christmas” among bright lights, and a self-extracting RAR file which contains two files: a copy of the Trojan (called SQLServer.exe), and a Flash animation.
Whereas the GIF image does not infect the user’s computer, the self-extracting RAR file does trigger the infection process. As soon as the file is run, it opens the Flash file, which displays an animation accompanied by music, showing Santa Claus leaving presents in a Christmas tree against a red background, and runs the Trojan invisibly to users so that the computer becomes infected without the user realizing.
Once run, MerryX.A records information about the computer -IP address, hardware data, etc.- and sends it to a remote server. It also tries to download files from several web pages, which indicates that the Trojan could serve as an entry point for other malware specimens.
As a result, I can tell you: don't open attached files!
December 23, 2005 on 6:53 am | In Trojan
Adware in exchange for videos and music in P2P
PandaLabs has detected a series of files being circulated across the Internet that supposedly contain music and videos, but also contain a poisonous gift: in order to get the videos and music, users must install adware. The excuse used is that a license is needed in order to play the files, which involves agreeing to install adware. The files received by PandaLabs up until now do not actually contain any type of video or music. However, this possibility has not been ruled out. These files are detected by Panda Software as WmaDownloader.B.
The problem starts when the user downloads an alleged video file (*.wmv) or audio file (*.wma). When the user tries to run these files in order to view them on the computer, a window is displayed that prompts the user to acquire a license. The message explains that in order to get the free license, the user must install IST Toolbar, a known adware program that is used as an entry-point for many other threats.
“Although users are warned that adware will be installed and gives the user the opportunity to read the license agreement, it is formulated in clearly abusive terms, and also exploits the fact that few users are aware of the impact that installing this spyware program can have on their computers, as this spyware allows many other threats to get into the system,” explains Luis Corrons, director of PandaLabs.
What’s more, it is important not to forget that in the samples received by PandaLabs, the system is even more fraudulent, as there is not even a video or music in the files.
When this message is displayed, the user is also asked to install an ActiveX Control, which is the IST Toolbar mentioned in this window. If users do not agree to install it, they will not be affected, but neither will they be able to play the video or audio file. If users agree to install it, the IST Toolbar (detected by Panda Software as ISTBar) will be downloaded, infecting the system and allowing the file to be played, if it exists. A window notifying users that they must acquire a license will also appear.
“However, this might not always be the case,” says Luis Corrons.
The warning about the installation of the ActiveX Control is not always displayed in computers with the security level configured as low, which could occur because the user has configured it in this way or because one of the many other malware specimens with this function has already affected the computer. For this reason it is extremely important to check the browser settings in order to neutralize installation of ActiveX Controls of dubious origin.
This process is only valid in computers with Windows Media Player 9 or later version installed.
If you've found IST Bar on your PC, go here for the removal “how to”.
December 23, 2005 on 6:40 am | In Spyware protection and removal, Trojan
Beware Vcodec
Wondering how people get to these bogus security sites and download junk like SpyAxe?
Patrick Jordan and Adam Thomas on the Sunbelt spyware research team have been investigating Vcodec.com. This is a site that has a program called “VCodec v3.05b is new generation multimedia compressor/decompressor which registers into the Windows collection of multimedia drivers…”
This is a bogus video utility. The file, VideoCodec3_05b, is a trojan which then starts the scam about “Your computer is infected!”.
I ran this through VirusTotal and here are the results (“No virus found” means the scanner did not detect the file as a trojan):
—————————————————————————————————
This is a report processed by VirusTotal on 12/14/2005 at 23:23:24 (CET) after scanning the file “VideoCodec3_05b.exe” file.
| Antivirus | Version | Update | Result |
|---|---|---|---|
| Kaspersky | 4.0.2.24 | 12.14.2005 | Trojan-Downloader.Win32.Zlob.cu |
| NOD32v2 | 1.1322 | 12.14.2005 | probably a variant of Win32/TrojanDropper.Small.NCU |
| CAT-QuickHeal | 8 | 12.13.2005 | (Suspicious) - DNAScan |
| AntiVir | 6.33.0.61 | 12.14.2005 | no virus found |
| Avast | 4.6.695.0 | 12.14.2005 | no virus found |
| AVG | 718 | 12.14.2005 | no virus found |
| Avira | 6.33.0.61 | 12.14.2005 | no virus found |
| BitDefender | 7.2 | 12.14.2005 | no virus found |
| ClamAV | devel-20051108 | 12.12.2005 | no virus found |
| DrWeb | 4.33 | 12.14.2005 | no virus found |
| eTrust-Iris | 7.1.194.0 | 12.14.2005 | no virus found |
| eTrust-Vet | 12.3.3.0 | 12.14.2005 | no virus found |
| Fortinet | 2.54.0.0 | 12.14.2005 | no virus found |
| F-Prot | 3.16c | 12.13.2005 | no virus found |
| Ikarus | 0.2.59.0 | 12.14.2005 | no virus found |
| McAfee | 4650 | 12.14.2005 | no virus found |
| Norman | 5.70.10 | 12.14.2005 | no virus found |
| Panda | 8.02.00 | 12.14.2005 | no virus found |
| Sophos | 4.00.0 | 12.14.2005 | no virus found |
| Symantec | 8 | 12.14.2005 | no virus found |
| TheHacker | 5.9.1.055 | 12.14.2005 | no virus found |
| VBA32 | 3.10.5 | 12.14.2005 | no virus found |
—————————————————————————————————
So, only Kaspersky (no surprise), NOD32 and CAT-QuickHeal are catching it.
Now available: how to remove the Vcodec trojan
by sunbeltblog
Trojan masquerading as Microsoft Update
Reported in Codefish. We checked out this Trojan and it’s not very friendly.
Here is what the email looks like:
Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
Summary:
Who should receive this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution and Local Elevation of Privilege
Maximum Severity Rating: CRITICAL
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:
Affected Software:
• Microsoft Windows 2000 Service Pack 4 – Download the update
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update
• Microsoft Windows XP Professional x64 Edition – Download the update
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download the update
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update
• Microsoft Windows Server 2003 x64 Edition – Download the update
Non-Affected Software:
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Executive Summary:
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Conclusion: We recommend that customers apply the update immediately.
© 2005 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement
I checked the file at VirusTotal and the results are as follows (“No virus found” means that the virus scanner did not detect it):
This is a report processed by VirusTotal on 12/12/2005 at 18:59:39 (CET) after scanning the file “Windows-KB899588-x86-ENU.exe” file.
| Antivirus | Version | Update | Result |
|---|---|---|---|
| Avast | 4.6.695.0 | 12.10.2005 | No virus found |
| AVG | 718 | 12.08.2005 | No virus found |
| McAfee | 4648 | 12.12.2005 | No virus found |
| NOD32v2 | 1.1319 | 12.12.2005 | No virus found |
| Norman | 5.70.10 | 12.12.2005 | No virus found |
| TheHacker | 5.9.1.053 | 12.12.2005 | No virus found |
| F-Prot | 3.16c | 12.09.2005 | security risk or a “backdoor” program |
| AntiVir | 6.33.0.61 | 12.12.2005 | TR/Luhn |
| Avira | 6.33.0.61 | 12.12.2005 | TR/Luhn |
| Panda | 8.02.00 | 12.12.2005 | Trj/Spy.Luhn |
| Sophos | 4.00.0 | 12.12.2005 | Troj/Dropper-BV |
| Symantec | 8 | 12.12.2005 | Trojan.Dropper |
| DrWeb | 4.33 | 12.12.2005 | Trojan.Sklog |
| BitDefender | 7.2 | 12.12.2005 | Trojan.Spy.Luhn.A |
| ClamAV | devel-20051108 | 12.12.2005 | Trojan.Spy.W32.Luhn |
| CAT-QuickHeal | 8 | 12.12.2005 | TrojanSpy.Luhn.a |
| Kaspersky | 4.0.2.24 | 12.12.2005 | Trojan-Spy.Win32.Luhn.a |
| VBA32 | 3.10.5 | 12.12.2005 | Trojan-Spy.Win32.Luhn.a |
| Fortinet | 2.54.0.0 | 12.11.2005 | W32/SpyLuhn.A-dr |
| eTrust-Iris | 7.1.194.0 | 12.11.2005 | Win32/Luhn!Spy!Dropper |
| eTrust-Vet | 12.3.3.0 | 12.12.2005 | Win32/Luhn.A |
December 13, 2005 on 7:52 am | In Exploits & Vulnerabilities, Trojan
How to Remove Trojan Vundo / Winfixer / Virtumonde?
VirtuMonde is an adware program that downloads and displays popup advertisements. It may also hijack the browser to unwanted advertising related sites.
There is a free removal tool offered by Symantec here:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
Follow the removal directions on the download page. Run the tool twice with a reboot in between to be sure it got everything.
November 26, 2005 on 4:06 am | In Trojan, Tutorials - HowTo