How to remove Antivirus XP 2008 and tdssserv.sys trojan
Antivirus XP 2008 is a rogue antispyware application that is starting to infect a lot of users, and this particular infection is harder to remove. Antivirus XP 2008 also installs a component into Internet Explorer that hijacks the searches you enter into the Google search engine. The program usually installs itself onto your PC without your permission, through trojans (trojan.tdsserv, trojan.agent, trojan.fakealert) and browser security holes.

HijackThis shows infection:
F2 – REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 – HKLM\..\Run: [lphc31tj0ev99] C:\WINDOWS\system32\lphc31tj0ev99.exe
Continue reading How to remove Antivirus XP 2008 and tdssserv.sys trojan…
August 27, 2008 on 7:14 am | In Rogue Anti Spyware, Trojan, Tutorials - HowTo | 33 Comments |
How to remove cnn.com and msnbc.com fake breaking news spam-virus and joke-bluescreen malware
Joke-bluescreen malware is a malware that also installs rogue security applications (Antivirus XP, IE Defender) and displays false alerts on the compromised computer. It infects systems via spam emails with the header “cnn.com breaking news” or “msnbc.com breaking news”. If your computer is infected, then you will see:
- the background turned blue and a box that says your computer has been infected with spyware and you need to download some kind of software to clean the PC
- McAfee keeps telling you that the virus is called joke-bluescreen
- the system is running slow
Download HijackThis and ComboFix.
Run HijackThis. Click “Do a system scan only” and put a checkmark next to the following items (if they exist):
O4 – HKLM\..\Run: [DLI32] C:\WINDOWS\dli32.exe
O4 – HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 – HKCU\..\Run: [CDriver] c:\microsoft\svchost.exe
O4 – HKCU\..\Run: [DDriver] c:\microsoft\svchost.exe
O4 – HKCU\..\Run: [alpha] c:\microsoft\svchost.exe
O4 – HKCU\..\Run: [beta] c:\microsoft\svchost.exe
O4 – HKCU\..\Run: [gamma] c:\microsoft\svchost.exe
O4 – HKLM\..\Run: [SMrhcjlaj0ee91] C:\Program Files\rhcjlaj0ee91\rhcjlaj0ee91.exe
O4 – HKLM\..\Policies\Explorer\Run: [CDriver] c:\microsoft\svchost.exe
O4 – HKLM\..\Policies\Explorer\Run: [DDriver] c:\microsoft\svchost.exe
O4 – HKLM\..\Policies\Explorer\Run: [alpha] c:\microsoft\svchost.exe
O4 – HKLM\..\Policies\Explorer\Run: [beta] c:\microsoft\svchost.exe
O4 – HKLM\..\Policies\Explorer\Run: [gamma] c:\microsoft\svchost.exe
O9 – Extra button: (no name) – {9034A523-D068-4BE8-A284-9DF278BE776E} – http://www.securesoftwarefeed.com/redirect.php (file missing)
O9 – Extra ‘Tools’ menuitem: IE Anti-Spyware – {9034A523-D068-4BE8-A284-9DF278BE776E} – http://www.securesoftwarefeed.com/redirect.php (file missing)
O22 – SharedTaskScheduler: cariniana – {5c770fbc-cc2f-4acd-93e8-e6f0594307fd} – C:\WINDOWS\system32\gnjsjc.dll (file missing)
Note: where the entries show c:\microsoft\svchost.exe, the path can also be c:\google.com\svchost.exe.
Now close all browsers and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Close HijackThis. Double click on combofix.exe and follow the prompts.
If you are still having problems, then I would recommend you follow these instructions and post your logs in the spyware removal forum. I will check your logs and advise you on joke-bluescreen removal.
August 21, 2008 on 9:28 am | In Rogue Anti Spyware, Spyware protection and removal, Trojan, Tutorials - HowTo, Virus | 4 Comments |
How to remove trojans that use an autorun.inf file
These trojans use an autorun.inf file to infect systems. Once infected with an autorun.inf trojan, your computer will display many popups, the Internet Explorer start page can be changed, and Task Manager and Registry Editor can be disabled. The autorun.inf trojan also configures itself to run automatically every time you start your computer. In addition, the autorun.inf trojan creates files with strange names, for example:
ampfrb.cmd, hbs.exe, yfog8p.exe, as.bat, phwe.com, o0s.cmd, xa2c.exe, AutoStart.exe, ncyrf.bat, rcukd.cmd, 2u.com, q.com, RavMon.exe, x6.bat, rqq2v.bat, t.com, xp19.com, x0.cmd, yg.cmd, ntde1ect.com, tio8x6.cmd, d6fagcs8.cmd, gbiehbsb.dll, tio8x6.cmd, fooool.exe, 8ng8w.com, x.com, xn1i9x.com, invwft2h.com, selamat_berposa_dari_umt.js, ktnquo.exe, NewVirusRemoval.vbs, kinza.exe, rs.cmd, yssjnngm.cmd, h3.bat, 6fnlpetp.exe, boot.exe, winde32.exe, 6j2j.com, kjibu.com, fun.xls.exe, iqe68o.bat, boot.exe, killVBS.vbs, autorun.pif, lin32.exe, USB.exe, RisinG.exe, f.bat, uxdeiect.com, awda2.exe, clshsy.cmd, kongxsg.exe, autorunme.exe, x2tpc.cmd, winconfig.dll.vbs, w1hva13.exe, jun.exe, xpbkh.com, nfdmg.com, m9ma.exe, pbudsara.exe, herss.exe
The trojans may drastically slow the performance of your computer.
Step 1: Remove autorun.inf files from all your drives, including any USB/flash drives.
1. Manually:
- Reboot your PC in Safe Mode:
1. Restart your computer.
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear.
4. Select the first option, to run Windows in Safe Mode.
- Click Start -> Run.
- In the text box enter cmd and press Enter.
- In the command console type del /a:h /f c:\autorun.*
- Repeat the previous step for all drives, replacing “c” with the appropriate drive letter.
2. Automatically.
- Download Flash_Disinfector by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.
- Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
- Reboot your computer when done.
Note: Flash_Disinfector will remove any autorun.inf files, create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder. It will help protect your drives from future infection.
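The following Python is an added example, not Flash_Disinfector or anything from this site, that performs the manual step above offline: it finds autorun.inf in a drive root, parses the [autorun] section to report which program it would launch (so that file can be removed too), leaves the protective folder alone, and deletes the file. The sample autorun.inf and the temporary directory standing in for a drive root are constructed; RavMon.exe is one of the file names listed in the post.

```python
"""Offline version of the manual autorun.inf clean-up step. Added example,
not Flash_Disinfector or anything from this site: it finds autorun.inf in a
drive root, reports which program it would launch (so that file can be
removed too), skips the protective folder, and deletes the file."""
import os
import re
import tempfile

# Directives an autorun.inf can use to start a program when the drive opens.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased.
    Only that section is read: droppers pad the file with junk sections
    and mixed-case keys to defeat naive string matching."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def launched_programs(directives):
    """Executables the autorun.inf would start, without their arguments."""
    programs = []
    for key in LAUNCH_KEYS:
        if key in directives:
            # First token, quote-aware so "my app.exe" /x is handled.
            m = re.match(r'"([^"]+)"|(\S+)', directives[key])
            if m:
                programs.append(m.group(1) or m.group(2))
    return programs


def clean_drive(root, remove=False):
    """Look for autorun.inf directly under ``root`` (a drive root).
    Returns (path or None, programs it launches). A *folder* named
    autorun.inf is the protective one Flash_Disinfector creates and is
    left alone. os.remove works whether or not the file is hidden, which
    is what the /a:h switch of the del command above is for."""
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        path = os.path.join(root, name)
        if os.path.isdir(path):
            return None, []
        with open(path, "r", errors="replace") as fh:
            programs = launched_programs(parse_autorun(fh.read()))
        if remove:
            os.remove(path)
        return path, programs
    return None, []


# Constructed sample resembling what these trojans drop; RavMon.exe is one
# of the file names listed on the page.
SAMPLE_AUTORUN = """[AutoRun]
open=RavMon.exe e
shell\\open\\Command=RavMon.exe e
shellexecute=RavMon.exe e
"""


def demo():
    """Stage the sample in a temporary directory standing in for a drive
    root, clean it, and report what was found and removed."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    path, programs = clean_drive(root, remove=True)
    left_behind = os.path.exists(os.path.join(root, "autorun.inf"))
    return os.path.basename(path), sorted(set(programs)), left_behind


if __name__ == "__main__":
    print(demo())  # ('autorun.inf', ['RavMon.exe'], False)
```

Pass a real drive root (for example `clean_drive("E:\\", remove=True)`) to run it against a USB stick; the launched program names tell you which dropped file to hunt for next.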
Step 2: Remove the autorun.inf trojan from the Windows registry.
Download and install HijackThis.
Run HijackThis and click the “Do a system scan only” button.
Put a checkmark next to the following items (if they exist):
F2 – REG:system.ini: Shell=Explorer.exe csrcs.exe
O4 – HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE
O4 – HKCU\..\Run: [avp] C:\WINDOWS\system32\avp.exe
O4 – HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 – HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 – HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 – HKCU\..\Run: [tava] C:\WINDOWS\system32\tavo.exe
O4 – HKCU\..\Run: [TaskMonitor] C:\WINDOWS\system32\TaskMonitor.exe
O4 – HKCU\..\Run: [Realshade] C:\WINDOWS\system32\realshade.exe
O4 – HKCU\..\Run: [cftmonn] C:\WINDOWS\system32\cftmonn.exe
O4 – HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\kamsoft.exe
O4 – HKCU\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe
O4 – HKCU\..\Run: [kmmsoft] C:\WINDOWS\system32\revo.exe
O4 – HKCU\..\Run: [cdoosoft] C:\WINDOWS\system32\olhrwef.exe
O4 – HKCU\..\Run: [cdoosoft] %Temp%\herss.exe
O4 – HKCU\..\Run: [cbvcs] C:\WINDOWS\system32\urretnd.exe
O4 – HKCU\..\Run: [jvsoft] C:\WINDOWS\system32\j3ewro.exe
O4 – HKCU\..\Run: [ckvo] c:\windows\system32\ckvo.exe
O4 – HKLM\..\Run: [winconfig] C:\WINDOWS\winconfig.dll.vbs
O4 – HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 – HKCU\..\Run: [WinUpdater AutoRun] C:\AutoProtect\DrvMonitor.exe
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Now close all browsers and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.
Step 3: Remove the autorun.inf trojan files.
Download Avenger from here and unzip it to your desktop.
Run Avenger, then copy and paste the following text into the Input script box:
Files to delete:
c:\0jbnlnu8.exe
C:\11rhbu.cmd
c:\1q8p0y.com
C:\2fiy.bat
c:\2g.com
C:\32agsg.exe
c:\39ysi89.com
c:\3jkka91.com
c:\6fnlpetp.exe
C:\6fnlpetp.exe
C:\6j2j.com
C:\8.bat
c:\80avp08.com
C:\8ng8w.com
c:\92j11sm.com
c:\9fo3ar0j.exe
c:\a.exe
C:\a2h2.com
c:\ampfrb.cmd
c:\as.bat
c:\AutoRun\autorun.pif
c:\AutoRun\AutoStart.exe
c:\AutoRun\AutoStart.exe
C:\AutoProtect\DrvMonitor.exe
c:\awda2.exe
c:\bo1dhu.bat
C:\bwpncb6.com
c:\boot.exe
c:\cjrp8.com
c:\clshsy.cmd
C:\d1vmq.exe
C:\d6fagcs8.cmd
c:\dp.exe
C:\e.cmd
C:\eaywxx.cmd
C:\f9cvum.exe
C:\fooool.exe
c:\fun.xls.exe
C:\gbiehbsb.dll
C:\gfqgq.cmd
C:\gi2ky.exe
C:\gldegkby.cmd
c:\gumkrhf.bat
C:\qxty9be.cmd
C:\gy.exe
c:\h3.bat
c:\hbs.exe
c:\ioockw.bat
C:\ij.bat
C:\imo.exe
c:\invwft2h.com
C:\ioockw.bat
c:\iqe68o.bat
C:\j60osk9.cmd
C:\jeorels.cmd
c:\jg6w3yx.com
c:\killVBS.vbs
c:\kinza.exe
C:\kjibu.com
c:\ktnquo.exe
c:\m9ma.exe
c:\main.vbs
c:\MicrosoftPowerPoint.exe
c:\NewVirusRemoval.vbs
c:\nfdmg.com
C:\ntde1ect.com
c:\ntnq.exe
c:\nw0t1l0d.exe
c:\o0s.cmd
c:\pbudsara.exe
c:\phwe.com
C:\pook.com
c:\q0rppr.exe
C:\qphdin.com
C:\rcukd.cmd
c:\Recycled\ctfmon.exe
c:\resycled\boot.com
c:\RECYCLED\appmgmt.exe
C:\rqq2v.bat
c:\rs.cmd
C:\sq.com
C:\system.exe
c:\System\DriveGuard\DriveProtect.exe
C:\t.com
C:\tio8x6.cmd
c:\tj8odymw.exe
C:\tjjqtejq.bat
C:\tvlx2fg.exe
c:\uh31.exe
c:\usbcash.exe
c:\USBFlash.exe
C:\uvsqfgwd.cmd
c:\uxdeiect.com
c:\vnkucvv.com
c:\VirusCleaner.vbe
c:\VirusRemoval.vbs
c:\w1hva13.exe
C:\x0.cmd
c:\x2tpc.cmd
c:\xa2c.exe
C:\x.com
C:\x.cmd
C:\x2csvg.exe
C:\xih9.cmd
C:\xn1i9x.com
C:\xp19.com
c:\xpq63xl.exe
c:\xwpehlv.com
c:\yfog8p.exe
C:\yg.cmd
c:\yssjnngm.cmd
C:\w98.com
%Temp%\cvasds0.dll
%Temp%\cvasds1.dll
%Temp%\dwg3gngs.exe
%Temp%\herss.exe
%Temp%\kxvo.exe
%Temp%\new folder\ufjtre.exe
%Temp%\o2g.exe
%Temp%\ufjtre.exe
%Windir%\expiorer.exe
%windir%\system32\afmain0.dll
%Windir%\system32\amvo.exe
%Windir%\system32\avp.exe
%windir%\system32\avpo.exe
%Windir%\system32\Bitkv0.dll
%Windir%\system32\Bitkv1.dll
%Windir%\system32\cftmonn.exe
%Windir%\system32\ckvo0.dll
%Windir%\system32\ckvo.exe
%Windir%\system32\expiorer.exe
%Windir%\system32\fool0.dll
%Windir%\system32\fool1.dll
%Windir%\system32\fool2.dll
%Windir%\system32\gasretyw0.dll
%Windir%\system32\gasretyw1.dll
%Windir%\system32\haozs0.dll
%Windir%\system32\ieso0.dll
%Windir%\system32\j3ewro.exe
%Windir%\system32\jwedsfdo0.dll
%Windir%\system32\kamsoft.exe
%Windir%\system32\kavo0.dll
%Windir%\system32\kavo1.dll
%Windir%\system32\kavo.exe
%Windir%\system32\kxvo.exe
%windir%\system32\locale.exe
%windir%\system32\nmdfgds1.dll
%windir%\system32\nmdfgds0.dll
%windir%\system32\olhrwef.exe
%windir%\system32\optyhww0.dll
%windir%\system32\optyhww1.dll
%Windir%\system32\RavMon.exe
%Windir%\system32\realshade.exe
%Windir%\system32\revo.exe
%Windir%\system32\revo1.dll
%Windir%\system32\revo2.dll
%Windir%\system32\revo6.dll
%Windir%\system32\revo5.dll
%Windir%\system32\revo4.dll
%Windir%\system32\revo3.dll
%Windir%\system32\SCVVHSOT.exe
%Windir%\System32\taskmagr.exe
%Windir%\system32\TaskMonitor.exe
%Windir%\system32\tavo0.dll
%Windir%\system32\tavo1.dll
%Windir%\system32\tavo.exe
%Windir%\system32\urretnd.exe
%Windir%\system32\usbmons.exe
%Windir%\system32\usbmons.dll
%Windir%\system32\vamsoft.exe
%Windir%\system32\vbsdfe0.dll
%Windir%\system32\vbsdfe1.dll
%Windir%\system32\wincab.sys
%Windir%\winconfig.dll.vbs
Then click on ‘Execute’.
Your computer will be rebooted.
Note: if you still have any files with strange names, then remove them manually.
If you are still having problems with your PC, I would recommend that you follow the instructions – how to use Spyware Removal Forum.
Related articles: How to disable the autorun feature to prevent malware from spreading, Cannot open C Drive – How to fix it using Flash Disinfector.
May 26, 2008 on 5:24 am | In Trojan, Tutorials - HowTo | 53 Comments |
Trojan Vundo/Virtumonde turns a good file into a Trojan-Dropper
VirusList posted about a new variant of Trojan Vundo/Virtumonde. The Vundo authors are now using file infection: Virtumonde checks which files run at Windows startup and tries to infect them. Effectively this means that Virtumonde turns the original host file into a Trojan-Dropper.
Dropper code is prepended to the original host file, with a copy of Virtumonde being appended to the same file. When the infected file is launched it drops the original host file to %temp% and the Virtumonde file to the system directory.
Although Virtumonde is using an infection marker to prevent re-infecting the same file over and over again, this doesn’t always work. There are samples of already infected files being re-infected and the host file then won’t run. However, re-infection doesn’t prevent Virtumonde itself from running.
If your computer is infected with trojan Vundo, then follow these instructions: How to remove Trojan Vundo.
December 9, 2007 on 7:10 am | In Trojan | No Comments |
Found some new fake codecs
Sunbelt blog reported about some new fake codecs:
codechq – codechq(dot)net
Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codechq(dot)net/download/codechq(dot)dmg; Windows: codechq(dot)net/download/codechq(dot)exe.
vplprocedure – vplprocedure(dot)com
Sample binary vplprocedure(dot)com/download.php?id=10581
codectime – codectime(dot)com
Pushes both Windows and Mac TrojanDNSChanger. Sample binaries: Mac: codectime(dot)com(dot)/download/codectime(dot)dmg; Windows: codectime(dot)com(dot)/download/codectime(dot)exe
If you cannot remove fake codecs follow the steps in the topic Spyware removal – Read Before Posting.
December 3, 2007 on 6:42 am | In Spyware, Trojan | No Comments |
How to remove shell.exe, spoolvs.exe trojan
Shell.exe and spoolvs.exe are components of a trojan known as TROJ_RENOS.BX, Trojan.Win32.Qhost.abh, Trojan.Dropper, TR/Crypt.XDR.Gen, W32/Blocker-based!Maximus, Mal/TinyDL-T.
Shell.exe and spoolvs.exe trojan symptoms:
- Start > Settings -> Control Panel is missing
- Taskbar icons informing you of an infection and taking you to a legitimate-looking security panel
- System pop-ups and IE pop-ups
- When you start the PC, you can get a message: “Windows cannot find ‘C:\Windows\shell.exe’ Make sure you typed the file name correctly….”
Continue reading How to remove shell.exe, spoolvs.exe trojan…
November 26, 2007 on 9:53 am | In Trojan, Tutorials - HowTo | 10 Comments |
VundoFix – freeware removal tool for Trojan.Vundo
VundoFix is a freeware removal tool for many of the known variants of Trojan.Vundo, Trojan.Conhook and other similar infections.
Continue reading VundoFix – freeware removal tool for Trojan.Vundo…
November 18, 2007 on 3:52 am | In Free Software, Trojan | 22 Comments |
Some new fake codecs
A fake codec is actually a trojan download installer. It will change your home page to a scam site and produces unwanted popups to sell rogue security software.
These sites host codecs:
gneprogram(dot)com
ndcperformance(dot)com
mzdsoftware(dot)com
pkbsolution(dot)com
zerocodec(dot)com
Also zangcodec and playcodec. They push Windows and Mac TrojanDNSChanger.
Block them now! Use any hosts file manager for that.
Read more at Sunbeltblog – New fake codec: playcodec, New fake codec site: zangcodec, Some more fake codec sites
November 16, 2007 on 9:57 pm | In Trojan | No Comments |
The binaries are hidden and getting them depends on where the developer hides them. With certain sites, you can often get a sample through /download/(sitename).exe (there are always more binaries in the same directory as well, each numbered for affiliates). For other codec sites, /download.php?id=4082 will get a binary (that number is just an affiliate ID — other numbers work as well). If you are hunting for Mac fake codecs, remember to change your user agent to a Mac. And please — don’t touch these binaries unless you know what you’re doing, as they are live Trojans.
How to remove trojan DNSChanger/DNS hijacker (Redirect Virus/Trojan Fix)
Trojan DNSChanger, also known as rootkit TDSS and redirect virus, is the name of a group of trojans (zlob dns changer, Troj/Rustok-N, W32/Tidserv, gaopdxserv.sys trojan, UACd.sys trojan, …) that, once installed, redirect you to malicious websites and steal personal identities.
Trojan DNSChanger Symptoms
- Windows Update redirects you to msn.com.
- Search results in Google, Yahoo, MSN and others redirect you to other non-related sites.
- Google/Yahoo/MSN results redirect you via copy-book.com or another fake site.
- Google/Yahoo/MSN has become slower when doing searches.
- Facebook and YouTube redirect to different sites.
- “Waiting for 7.7.7.0…” at the bottom left corner of IE while Google search results are loading. It is caused by the file C:\Windows\system32\wdmaud.sys (reported as Rootkit.Win32.Agent.fwt). The legitimate wdmaud.sys actually exists at C:\Windows\system32\drivers\.
- Any web page loads really slowly.
- The System Restore function is blocked.
- Vimax pills banner ads are popping up on some sites, including security sites.
- Cannot run msconfig.
- Cannot update antivirus and antispyware programs.
- The trojan affects all browsers (IE7 and Firefox).
- HijackThis shows infection:
O17 – HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157
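The HijackThis entries quoted in the autorun.inf post above and the O17 NameServer entry here can be triaged mechanically. The following Python is an added example, not part of HijackThis: it checks F2 Shell/UserInit lines for extra executables, O4 Run entries for system-binary names outside the system directories or spelled with lookalike characters, O7 DisableRegedit, and O17 resolvers on public addresses. The heuristics are this example's assumptions, the sample log is constructed from entries shown on the page plus one benign line, and the system-directory list assumes a C:\WINDOWS install.

```python
"""Triage of HijackThis-style log lines for the tampering patterns shown
on this page. Added example, not part of HijackThis: the heuristics are
assumptions, and the sample log is constructed from entries on the page
plus one benign line."""
import ipaddress
import re

# Assumes a default C:\WINDOWS install; adjust for other system roots.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "taskmgr.exe",
                   "ctfmon.exe", "csrss.exe", "userinit.exe"}


def normalise(name):
    """Fold lookalike substitutions (svch0st, expiorer) before comparing."""
    return name.lower().replace("0", "o").replace("1", "l").replace("i", "l")


def flag_f2(value):
    """Shell= should hold only Explorer.exe, UserInit= only userinit.exe."""
    key, _, rest = value.partition("=")
    expected = {"shell": "explorer.exe", "userinit": "userinit.exe"}.get(key.strip().lower())
    if expected is None:
        return None
    names = [p.rsplit("\\", 1)[-1].lower() for p in re.split(r"[,\s]+", rest) if p]
    extra = [n for n in names if n != expected]
    return f"extra {key.strip()} entries: {extra}" if extra else None


def flag_o4(value):
    """Run entry whose target is a system-binary name in the wrong place,
    or a lookalike spelling of one (SVCH0ST.EXE, expiorer.exe)."""
    m = re.match(r"\[[^\]]*\]\s*(.+)$", value)
    if not m:
        return None
    path = m.group(1).strip().strip('"')
    directory, _, name = path.rpartition("\\")
    for legit in SYSTEM_BINARIES:
        if normalise(name) == normalise(legit):
            if name.lower() != legit:
                return f"lookalike of {legit}: {path}"
            if directory.lower() not in SYSTEM_DIRS:
                return f"{legit} outside a system directory: {path}"
    return None


def flag_o17(value):
    """NameServer pointed at public resolvers is how the DNSChanger shows."""
    m = re.search(r"NameServer\s*=\s*([\d.,\s]+)", value)
    if not m:
        return None
    public = []
    for ip in re.split(r"[,\s]+", m.group(1).strip()):
        try:
            if ipaddress.ip_address(ip).is_global:
                public.append(ip)
        except ValueError:
            public.append(ip)  # an unparsable value is worth a look as well
    return f"public DNS servers: {public}" if public else None


def triage(lines):
    """Return [(line, reason)] for every log line that trips a check."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = re.match(r"^(F2|O4|O7|O17)\s*[-\u2013]\s*(.*)$", line)
        if not m:
            continue
        section, value = m.groups()
        reason = None
        if section == "F2" and "REG:system.ini:" in value:
            reason = flag_f2(value.split("REG:system.ini:", 1)[1])
        elif section == "O4":
            reason = flag_o4(value.split(":", 1)[-1].strip())
        elif section == "O7" and "DisableRegedit=1" in value:
            reason = "registry editor disabled by policy"
        elif section == "O17":
            reason = flag_o17(value)
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: entries from the page plus one benign Run entry.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,",
    r"O4 - HKLM\..\Run: [SystemDrive] c:\windows\system32\SVCH0ST.EXE",
    r"O4 - HKCU\..\Run: [CDriver] c:\microsoft\svchost.exe",
    r"O4 - HKLM\..\Run: [Legit] C:\Program Files\Legit\legit.exe",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 85.255.116.86,85.255.112.157",
]
```

Calling `triage(SAMPLE_LOG)` flags six of the seven lines; the benign Program Files entry passes, which is the point of matching on names and locations rather than on a fixed list.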
Continue reading How to remove trojan DNSChanger/DNS hijacker (Redirect Virus/Trojan Fix)…
November 6, 2007 on 10:32 pm | In Trojan, Tutorials - HowTo | 46 Comments |
Fake codecs story continues … found some new fake codecs
A fake codec is actually a trojan download installer. It will change your home page to a scam site and produces unwanted popups to sell rogue security software.
The codecs also install one of the antispyware rogues, currently AntiVirGen. These give false positives along with alert bubbles to scare users into buying their software, and the same people own the online billing sites used, so you would be giving your credit card number to the people who infected you.
These sites host codecs:
zsvcompany.com
bcnproduction.com
mojtechnology.com
vaulimited.com
Block them now! Use any hosts file manager for that.
Read more at Sunbeltblog – Some new fake codecs
To remove fake codecs from your PC, try smitfraudfix.
November 4, 2007 on 12:00 am | In Trojan | No Comments |
Found fake Microsoft update popup
Many individuals reported to the MySpace abuse team about a very realistic fake update popup.
This thing is quite realistic. If you click “Download”, you get an offer to install a nasty little Trojan. The trojan, “updateKB890830.exe”, downloads from a site that looks like a Microsoft URL, so it’s all quite realistic to the user.
Once infected, your computer will display a fake security alert that tells you to install a rogue antispyware application to delete the infection.
Download and run Malwarebytes Anti-Malware (MBAM) to remove the trojan.
November 1, 2007 on 5:35 am | In Trojan | No Comments |
Found trojan that attempts to steal money by selling a fake iPhone
The Sunbelt team reported a new trojan that attempts to steal money by selling a fake iPhone. The malware produces a popup, triggered by going to yahoo.com or google.com. There are multiple types of popups, including one saying “supported by Google” and one “supported by Yahoo”.
Normally, when you go to iPhone.com, you get redirected to Apple’s site — http://www.apple.com/iphone/. On an infected system, you get directed to a custom “iphone.com” which actually is a fake site. The Trojan is pulling content from your local disk in a file that has been created in %system%\confg.xml and creating BHO (Browser Helper Object)
BHO: {AA7F2000-EA05-489d-900C-3C7C0A5497A3} – C:\WINDOWS\system32\rwera21s1.dll
They are using this BHO to inject code into Internet Explorer to make it appear as if you are on a website owned by Apple. The same technique is used by malware to target banking websites.
Read more: iPhone madness: This hot phone now sold through malware
July 3, 2007 on 4:57 am | In Trojan | No Comments |
Automatic removal of the HaxDoor trojan
This trojan allows others to access the computer, drops more malware, and installs itself in the Registry.
To check your PC, download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.
Now run HijackThis and click “Do a system scan only”. If you find any similar entries
O20 – Winlogon Notify: pptp32 – C:\WINDOWS\SYSTEM32\pptp32.dll
O20 – Winlogon Notify: avpe32 – C:\WINDOWS\SYSTEM32\avpe32.dll
then you have a HaxDoor trojan infection!
To remove this serious infection, please follow these instructions step by step.
Download haxfix.exe. Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark “Create a desktop icon”.
Click “Next”.
When the installation is completed, make sure that the checkmark “Launch HaxFix” is placed.
Click “Finish”.
A red “dos window” (dos box) will open.
Select option 2. Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you’ll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
HaxDoor can drop more malware, so if you are still having problems with your PC, then please follow the steps outlined in the topic linked below: Spyware removal – Read Before Posting
June 24, 2007 on 6:27 pm | In Spyware protection and removal, Trojan, Tutorials - HowTo | No Comments |
Trojan Zlob spreading on MySpace
F-Secure labs found something new spreading on MySpace. It ends up modifying existing profiles, overlaying the content with a message like this:

If you follow the link, you’ll end up with a download. This is a Zlob variant.
Zlob is a Trojan. Zlob attempts to covertly download and run other files from remote web sites and shows fake error messages. Zlob copies itself to the Windows folder and changes the startup and search pages of Internet Explorer.
Continue reading Trojan Zlob spreading on MySpace…
March 2, 2007 on 8:29 am | In Trojan | No Comments |
Putin’s death can kill your computer
Viruslist reported about a new spam message.
Subject: ATTENTION !!! President of Russia has dead.Attention!!!
Vladimir Putin has dead. Visit immediately to http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/********.stm
BBC, BBC World and their respective logos are trade marks of the British Broadcasting Corporation, Logos © 1996
The link in this ‘sensational’ message appears to lead to the BBC site – an organization with a worldwide reputation. But if the user clicks on the link, s/he will be sent to a Russian site which has nothing at all to do with the BBC. This is made possible by the use of HTML in the message – although the user sees one link, there’s another, invisible link underneath, which leads to a totally different site.
And what’s the point? After all, the message isn’t selling anything. Well, according to our virus analysts, when you visit this site, Exploit.JS.ADODB.Stream.o is used to download a Trojan-Downloader (Trojan-Downloader.Win32.Agent.uj) onto your machine. And once a Trojan-Downloader is on your machine, it will probably start downloading other malicious programs…
In other words, curiosity can kill your computer. And put your personal data at risk.
October 26, 2006 on 8:07 am | In Trojan | No Comments |
SpamThru Trojan – malware that detects and removes other malware
Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address. In the past, we’ve also seen malware which tries to uproot other competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running and then exiting at start.
SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.
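The hosts-file trick described in the first paragraph (pointing AV update sites at the localhost address) is easy to check for. The following Python is an added example, not from the SpamThru analysis: it parses a hosts file and reports every name pinned to a loopback or unspecified address that is not one of the stock localhost aliases, and additionally reports any name under a domain you ask it to watch (your AV vendor's update domain) at whatever address it was given. The sample file and the example-av.test domain are constructed.

```python
"""Check a hosts file for the trick SpamThru is described as using: pinning
antivirus update hosts to the loopback address so the product cannot update.
Added example, not from the SpamThru analysis; the sample file and the
.test domain names are constructed."""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                          "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped and
    a line with several names yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield fields[0], host.lower()


def sinkholed_names(text, watch=()):
    """Return [(host, ip)] for names pinned to a loopback/unspecified
    address other than the usual localhost aliases. Names under any domain
    in ``watch`` (e.g. your AV vendor's update domain) are reported at any
    address, since redirecting an updater elsewhere is just as suspicious."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address at all: a malformed line, skip it
        pinned = addr.is_loopback or addr.is_unspecified
        watched = any(host == w or host.endswith("." + w) for w in watch)
        if watched or (pinned and host not in DEFAULT_LOOPBACK_NAMES):
            findings.append((host, ip))
    return findings


# Constructed sample; example-av.test stands in for a vendor's domain.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test   # pinned: the updater never leaves the box
0.0.0.0         liveupdate.example-av.test
127.0.0.1       mirror.example-av.test definitions.example-av.test
203.0.113.10    updates.example-av.test  # redirected to a third-party host
"""

if __name__ == "__main__":
    for host, ip in sinkholed_names(SAMPLE_HOSTS, watch=("example-av.test",)):
        print(f"{host} -> {ip}")
```

On a Windows machine read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents as `text`; the watch list is what catches a redirect to an address that is not loopback.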
Read more about the SpamThru Trojan: SpamThru Trojan Analysis
SMS text messages used to spread malware/keylogger
CA has received reports of Win32/Bambo.CF being distributed via SMS text messages sent to mobile phones, enticing people to visit a malicious website. The messages may contain the following:
Thanks for subscribing to *****.com dating service. If you don’t unsubscribe you will be charged $2 per day.
The text message then directs the recipient to visit a website in order to unsubscribe from the service and avoid being charged. This website contains a fake dating service page, which entices users to enter their phone number, at which point it attempts to load an executable file called “unregister.exe“. The web page instructs users to click the “Run” button on each warning page that Windows displays, to allow the program to execute. If the program is run, it installs the Win32/Bambo.CF trojan.
Please see below for examples of fake dating service pages displayed by the malicious website.

Anyone loading the webpage and following the instructions in the message will pick up the trojan, which CA has named Win32/Bambo.CF. The keylogger looks for passwords and other information which it sends via emails and perhaps through other means.
June 27, 2006 on 4:50 am | In Malware, Trojan | No Comments |
More fake codecs – nvidcodec, media-codec
Found a new fake codec, nvidcodec. The codec is a malicious program that delivers popup advertisements and hijacks search engine results. Some AV vendors detect the codec as Trojan.Downloader.Zlob.
Continue reading More fake codecs – nvidcodec, media-codec…
Pornmagpass – free pass to get popups, rogue antispyware, toolbar.
Sunbeltblog reported about a new adware, pornmagpass. The new adware is detected by some AV engines as a trojan:
AVG – Downloader.Zlob.AOI
ClamAV – Trojan.Downloader.Zlob-471
EtrustVet – Win32/Beovens.FT
Fortinet – suspicious
Ikarus – Trojan-Downloader.Win32.Zlob.ni
The EULA says:
SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to PORNMAGPASS or its affiliates during this process. Licensor may change homepage on user’s computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager.
Once run, this trojan installs the rogue antispyware SpywareQuake and adds a new IE toolbar called “Safety Bar”.
As a final note, pornmagpass malware site hosted by Intercage, the Best Friend Ever of all malware authors.
Read more: PornMagPass — your pass to hell
June 6, 2006 on 7:31 pm | In Trojan | No Comments |
Spam emails and fake Microsoft patch
Internet Storm Center have received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft and it is notifying the recipient of “a new vulnerability [that] has been discovered in the Microsoft WinLogon Service”. It further states that the vulnerability can allow an attacker access to the unpatched system.
Of course, the user is advised to install the patch which can be downloaded from the included link.
As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user will really be sent:
http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe
AV detection, although better than the first time we tried it, is still pretty bad. Only 8 products from VirusTotal detected this:
AntiVir 6.34.1.34 05.29.2006 Heuristic/Crypted.Modified
BitDefender 7.2 05.30.2006 Trojan.BeastPWS.C
Kaspersky 4.0.2.24 05.30.2006 Trojan-Spy.Win32.Delf.jq
NOD32v2 1.1566 05.30.2006 Win32/Spy.Delf.NBR
Panda 9.0.0.4 05.29.2006 Suspicious file
Sophos 4.05.0 05.30.2006 Troj/BeastPWS-C
Symantec 8.0 05.30.2006 Infostealer
Update:
Kaspersky Lab also reported about a fake Microsoft patch. They released an urgent update for Trojan-PSW.Win32.Sinowal.u. Sinowal is a family of password-stealing Trojans which steal usernames/passwords entered via forms in an internet browser. It particularly targets certain banking domains and also has the ability to steal other locally stored passwords.
Sinowal has a special trick: when an infected user visits certain banking domains Sinowal inserts some of its own HTML code into the page. This is done to create a customized pop up which asks the user for personal info.
Sinowal variants are normally downloaded by Trojan-Downloaders which are installed by visiting certain websites which exploit security vulnerabilities in the browser or operating system.
Today the authors decided to try something different by spamming .de email addresses with an email that pretends to be from Microsoft Windows Update.
The email looks like this:
From: MS Windows Update [msrobot_donotreply|trickthespider|windowsupdate.com]
Subject: Attention! Important news from Microsoft Windows Update!
Attention! Important news from Microsoft Windows Update!
Dear users of Microsoft Windows XP!
Yesterday unknown hackers deployed a new worm virus. After it gets into the system, it sends itself out to your e-mail address list, and all your contacts become infected. After infection the system starts to work unstably, and the computer “hangs” exactly one minute after the next boot.
To protect users of the Microsoft Windows XP system, our security specialists have developed an update for the system. You should open the file attached to this e-mail so that the system is updated and fully protected from the new worm.
Kind regards,
Windows Update
As you hopefully know Microsoft never sends executables along with their emails. So social engineering attempts like these can be spotted easily, at least in theory.
And don’t forget, if you got infected with Sinowal, even if you have cleaned your system you still have to change your passwords.
May 29, 2006 on 8:49 pm | In Trojan | No Comments |