
Fake codecs story continues: found some new fake codecs

A fake codec is actually a trojan downloader/installer. It changes your home page to a scam site and produces unwanted popups to sell rogue security software.

The codecs also install one of the antispyware rogues, currently AntiVirGen. These give false positives along with alert bubbles to scare users into buying the software. The same people own the online billing sites used, so you would be giving your credit card number to the people who infected you.

These sites host the codecs:

zsvcompany.com
bcnproduction.com
mojtechnology.com
vaulimited.com

Block them now, using any hosts file manager.

Read more at Sunbeltblog – Some new fake codecs

To remove fake codecs from your PC, try SmitfraudFix.

November 4, 2007 on 12:00 am | In Trojan | No Comments |


Found fake microsoft update popup

Many individuals reported a very realistic fake update popup to the MySpace abuse team.

This thing is quite realistic. If you click “Download”, you get an offer to install a nasty little Trojan. The trojan, “updateKB890830.exe”, downloads from a site that looks like a Microsoft URL, so it all looks quite legitimate to the user.

Once infected, your computer displays a fake security alert telling you to install a rogue antispyware application to remove the infection.

Download and run Malwarebytes Anti-Malware (MBAM) to remove the trojan.

November 1, 2007 on 5:35 am | In Trojan | No Comments |


Found trojan that attempts to steal money by selling a fake iPhone

The Sunbelt team reported a new trojan that attempts to steal money by selling a fake iPhone. The malware produces a popup, triggered by visiting yahoo.com or google.com. There are multiple types of popups, including one saying “supported by Google” and one saying “supported by Yahoo”.

Normally, when you go to iPhone.com, you get redirected to Apple’s site — http://www.apple.com/iphone/. On an infected system, you are directed instead to a custom “iphone.com” which is actually a fake site. The Trojan pulls content from a file it created on your local disk, %system%\confg.xml, and installs a BHO (Browser Helper Object):

BHO: {AA7F2000-EA05-489d-900C-3C7C0A5497A3} – C:\WINDOWS\system32\rwera21s1.dll

They are using this BHO to inject code into Internet Explorer to make it appear as if you are on a website owned by Apple. The same technique is used by malware to target banking websites.

Read more: iPhone madness: This hot phone now sold through malware

July 3, 2007 on 4:57 am | In Trojan | No Comments |


Automatic removal of the HaxDoor trojan

This trojan allows others to access the computer, drops more malware, and installs itself in the Registry.

To check your PC, download HijackThis and save the file to your desktop.
Double-click the file to extract it to its own folder on the desktop.

Now run HijackThis and click “Do a system scan only”. If you find any entry similar to

O20 – Winlogon Notify: pptp32 – C:\WINDOWS\SYSTEM32\pptp32.dll
O20 – Winlogon Notify: avpe32 – C:\WINDOWS\SYSTEM32\avpe32.dll

then you have a HaxDoor trojan infection!

To remove this serious infection, please follow these instructions step by step.

Download haxfix.exe. Save it to your desktop.
Double-click haxfix.exe to install HaxFix (the standard installation path is c:\program Files\haxfix).
Checkmark “Create a desktop icon”.
Click “Next”.
When the installation is completed, make sure that the checkmark “Launch HaxFix” is placed.
Click “Finish”.
A red “dos window” (dos box) will open.

Select option 2, Run auto fix, by typing 2 and then pressing Enter.
If an infection is found, you’ll get a message to close all other open windows.
Close them all except the red DOS window from HaxFix, and then press Enter.
The computer will reboot.

HaxDoor can drop more malware, so if you are still having problems with your PC, please follow the steps outlined in the topic linked below: Spyware removal – Read Before Posting

June 24, 2007 on 6:27 pm | In Spyware protection and removal, Trojan, Tutorials - HowTo | No Comments |


Trojan Zlob spreading on MySpace

F-Secure Labs found something new spreading on MySpace. It modifies existing profiles, overlaying the content with a message like this:
My space spyware popup

If you follow the link, you’ll end up with a download. This is a Zlob variant.

Zlob is a Trojan. It attempts to covertly download and run other files from remote web sites and shows fake error messages. Zlob copies itself to the Windows folder and changes the startup and search pages of Internet Explorer.

Continue reading Trojan Zlob spreading on MySpace…

March 2, 2007 on 8:29 am | In Trojan | No Comments |


Putin’s death can kill your computer

Viruslist reported a new spam message.

Subject: ATTENTION !!! President of Russia has dead.Attention!!!
Vladimir Putin has dead. Visit immediately to http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/********.stmBBC, BBC World and their respective logos are trade marks of the British Broadcasting Corporation, Logos © 1996

The link in this ‘sensational’ message appears to lead to the BBC site – an organization with a worldwide reputation. But if the user clicks on the link, s/he will be sent to a Russian site which has nothing at all to do with the BBC. This is made possible by the use of HTML in the message – although the user sees one link, there’s another, invisible link underneath, which leads to a totally different site.

And what’s the point? After all, the message isn’t selling anything. Well, according to our virus analysts, when you visit this site, Exploit.JS.ADODB.Stream.o is used to download a Trojan-Downloader (Trojan-Downloader.Win32.Agent.uj) onto your machine. And once a Trojan-Downloader is on your machine, it will probably start downloading other malicious programs…

In other words, curiosity can kill your computer. And put your personal data at risk.

October 26, 2006 on 8:07 am | In Trojan | No Comments |


SpamThru Trojan – malware that detects and removes other malware

Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address. In the past, we’ve also seen malware which tries to uproot other competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running and then exiting at start.
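As an added defensive example (not part of the original post or the SpamThru analysis), the Python below parses a hosts file and flags names that have been pinned to a loopback or unspecified address. Because an administrator's own blocklist (such as the fake-codec domains blocked earlier on this page) uses exactly the same trick, the check takes the expected blocklist as input and reports only the rest; the sample hosts file and the av-update.example.com and definitions.example.net names are constructed.

```python
import ipaddress
from typing import Dict, FrozenSet, List

# Names that legitimately resolve to a loopback address on a Windows host.
DEFAULT_LOCAL_NAMES = frozenset({"localhost", "localhost.localdomain", "broadcasthost"})


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to every address the file pins it to.

    Comments ('#' to end of line) and blank lines are ignored, as the resolver does.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def is_sinkhole(addr: str) -> bool:
    """True for addresses that make a name unreachable: loopback or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hosts_hijacks(
    text: str,
    expected_blocked: FrozenSet[str] = frozenset(),
    local_names: FrozenSet[str] = DEFAULT_LOCAL_NAMES,
) -> Dict[str, str]:
    """Return {hostname: address} for every sinkholed name that is neither a normal
    loopback name nor on the administrator's own blocklist.

    A deliberate blocklist (known-bad domains pinned to 127.0.0.1) and a SpamThru-style
    hijack (AV update sites pinned to 127.0.0.1) look identical in the file, so the
    expected blocklist is the only thing that tells them apart.
    """
    hits: Dict[str, str] = {}
    for name, addrs in parse_hosts(text).items():
        if name in local_names or name in expected_blocked:
            continue
        for addr in addrs:
            if is_sinkhole(addr):
                hits[name] = addr
    return hits


# Constructed sample hosts file (not taken from a real infected machine). The
# zsvcompany.com line is the kind of entry an administrator adds on purpose; the
# two example.* names stand in for AV update hosts that malware has pinned.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       zsvcompany.com            # admin blocklist entry
127.0.0.1       av-update.example.com     # constructed: pinned by malware
0.0.0.0         definitions.example.net   # constructed: pinned by malware
"""

ADMIN_BLOCKLIST = frozenset({"zsvcompany.com"})

if __name__ == "__main__":
    for name, addr in find_hosts_hijacks(SAMPLE_HOSTS, ADMIN_BLOCKLIST).items():
        print(f"suspicious hosts entry: {name} -> {addr}")
```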

SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.

Read more about the SpamThru Trojan: SpamThru Trojan Analysis


October 26, 2006 on 7:48 am | In Malware, Trojan | No Comments |


SMS text messages used to spread malware/keylogger

CA has received reports of Win32/Bambo.CF being distributed via SMS text messages sent to mobile phones, enticing people to visit a malicious website. The messages may contain the following:

Thanks for subscribing to *****.com dating service. If you don’t unsubscribe you will be charged $2 per day.

The text message then directs the recipient to visit a website in order to unsubscribe from the service and avoid being charged. This website contains a fake dating service page, which entices users to enter their phone number, at which point it attempts to load an executable file called “unregister.exe”. The web page instructs users to click the “Run” button on each warning page that Windows displays, to allow the program to execute. If the program is run, it installs the Win32/Bambo.CF trojan.

Please see below for examples of fake dating service pages displayed by the malicious website.

bambo malware

Anyone loading the webpage and following the instructions in the message will pick up the trojan, which CA has named Win32/Bambo.CF. The keylogger looks for passwords and other information which it sends via emails and perhaps through other means.

Thanks CA SecurityAdvisor.

June 27, 2006 on 4:50 am | In Malware, Trojan | No Comments |


More fake codecs – nvidcodec, media-codec

Found a new fake codec, nvidcodec. The codec is a malicious program that delivers popup advertisements and hijacks search engine results. Some AV vendors detect the codec as Trojan.Downloader.Zlob.
Continue reading More fake codecs – nvidcodec, media-codec…

June 6, 2006 on 9:22 pm | In Malware, Trojan | No Comments |


Pornmagpass – free pass to get popups, rogue antispyware, toolbar.

Sunbeltblog reported a new adware, pornmagpass, which some AV engines detect as a trojan:

AVG – Downloader.Zlob.AOI
ClamAV – Trojan.Downloader.Zlob-471
EtrustVet – Win32/Beovens.FT
Fortinet – suspicious
Ikarus – Trojan-Downloader.Win32.Zlob.ni

The EULA says:

SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to PORNMAGPASS or its affiliates during this process. Licensor may change homepage on user’s computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager.

Once run, this trojan installs the rogue antispyware SpywareQuake and adds a new IE toolbar called “Safety Bar”.

As a final note, the pornmagpass malware site is hosted by Intercage, the Best Friend Ever of all malware authors.

Read more: PornMagPass — your pass to hell

June 6, 2006 on 7:31 pm | In Trojan | No Comments |


Spam emails and fake Microsoft patch

The Internet Storm Center has received samples of an e-mail which is being actively spammed at the moment. The e-mail purports to be from Microsoft, notifying the recipient of “a new vulnerability [that] has been discovered in the Microsoft WinLogon Service”. It further states that the vulnerability can allow an attacker access to the unpatched system.

Of course, the user is advised to install the patch which can be downloaded from the included link.

As the e-mail body is an HTML message, the displayed link (http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe) is not where the user will really be sent:

http:// www.redcallao.com/ [REMOVED] / winlogon_patchV1.12.exe
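Both the fake-BBC spam above and this fake-Microsoft mail rely on HTML anchors whose visible text is one URL while the href is another. As an added example (not from the ISC, Viruslist, or this blog), the Python below extracts the anchors from an HTML body and reports those where the displayed URL's host differs from the real destination's host; the sample mail body and the attacker-host.example destination are constructed.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Anchor text that "looks like" a URL: optional scheme, then a dotted hostname,
# then end of text or a path/port/query/fragment delimiter.
_URLISH = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)", re.I
)


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL or bare hostname, with a leading 'www.' dropped."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the document."""

    def __init__(self) -> None:
        super().__init__()
        self._href = None  # href of the anchor currently open, if any
        self._text: List[str] = []
        self.anchors: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href.strip()))
            self._href = None


def find_deceptive_links(html: str) -> List[Tuple[str, str]]:
    """Return (shown_text, real_href) for anchors whose visible URL names a different
    host than the href really points at. Text that is not URL-like ("Click here")
    gives the reader nothing to compare, so those anchors are skipped."""
    collector = _AnchorCollector()
    collector.feed(html)
    collector.close()
    deceptive = []
    for text, href in collector.anchors:
        match = _URLISH.match(text)
        if not match:
            continue
        shown, real = host_of(match.group(1)), host_of(href)
        if shown and real and shown != real:
            deceptive.append((text, href))
    return deceptive


# Constructed sample mail body modelled on the two spam runs described on this page.
SAMPLE_EMAIL = """<html><body>
<p>A new vulnerability has been discovered in the Microsoft WinLogon Service.
Please install the patch: <a href="http://attacker-host.example/winlogon_patchV1.12.exe">
http://www.microsoft.com/patches-win-logon-critical/winlogon_patchV1.12.exe</a></p>
<p>ATTENTION !!! Visit immediately
<a href="http://attacker-host.example/news.html">http://news.bbc.co.uk/go/click/rss/1.0/-/8/hi/russia/********.stm</a></p>
<p>Honest link, www prefix aside: <a href="https://www.microsoft.com/security">https://microsoft.com/security</a></p>
<p>Cannot be judged by this check: <a href="http://attacker-host.example/news.html">Click here</a></p>
</body></html>"""

if __name__ == "__main__":
    for shown, real in find_deceptive_links(SAMPLE_EMAIL):
        print(f"shown: {shown}\n  real: {real}")
```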

AV detection, although better than the first time we tried it, is still pretty bad. Only 8 products on VirusTotal detected this:

AntiVir 6.34.1.34 05.29.2006 Heuristic/Crypted.Modified
BitDefender 7.2 05.30.2006 Trojan.BeastPWS.C
Kaspersky 4.0.2.24 05.30.2006 Trojan-Spy.Win32.Delf.jq
NOD32v2 1.1566 05.30.2006 Win32/Spy.Delf.NBR
Panda 9.0.0.4 05.29.2006 Suspicious file
Sophos 4.05.0 05.30.2006 Troj/BeastPWS-C
Symantec 8.0 05.30.2006 Infostealer

Update:

Kaspersky Lab also reported a fake Microsoft patch and released an urgent update for Trojan-PSW.Win32.Sinowal.u. Sinowal is a family of password-stealing Trojans that steal usernames and passwords entered via forms in a web browser. It particularly targets certain banking domains and also has the ability to steal other locally stored passwords.

Sinowal has a special trick: when an infected user visits certain banking domains, Sinowal inserts some of its own HTML code into the page. This is done to create a customized popup which asks the user for personal info.

Sinowal variants are normally downloaded by Trojan-Downloaders which are installed by visiting certain websites which exploit security vulnerabilities in the browser or operating system.

Today the authors decided to try something different by spamming .de email addresses with an email that pretends to be from Microsoft Windows Update.

The email looks like this (translated here from the German original):

From: MS Windows Update [msrobot_donotreply|trickthespider|windowsupdate.com]
Subject: Attention! Important news from Microsoft Windows Update!

Attention! Important news from Microsoft Windows Update!

Dear users of Microsoft Windows XP!

Yesterday unknown hackers released a new worm virus. After it gets into the system, it sends itself out to your mail address list, and all your contacts become infected. After infection the system starts to work unstably, and the computer “hangs” exactly one minute after the next boot.

To protect the users of the Microsoft Windows XP system, our security specialists have developed an update for the system.

You should open the file attached to the e-mail so that the system is updated and fully protected against the new worm.

Kind regards,

Windows Update

As you hopefully know, Microsoft never sends executables along with its emails. So social engineering attempts like these can be spotted easily, at least in theory.

And don’t forget: if you got infected with Sinowal, even after you have cleaned your system you still have to change your passwords.

May 29, 2006 on 8:49 pm | In Trojan | No Comments |


Found new fake codec – emcodec

Emcodec is a Trojan horse that drops and executes a copy of Trojan-Zlob-J, a back door Trojan that allows a remote attacker to perform various malicious actions on the compromised computer.

The Trojan is an installer for eMediaCodec, which claims to be a codec for Windows Media Player.

If you can’t uninstall or remove it, post about your problem to the spyware removal forum.

Related articles: How to remove malicious codecs.

April 7, 2006 on 11:16 pm | In Trojan | No Comments |


How to remove Trojan Vundo

Trojan Vundo, also known as VirtuMonde and Adware.VirtuMonde, is a very dangerous infection. The trojan uses rootkit-specific techniques designed to hide its presence in the system (random names, random autorun locations and random CLSIDs). Once running, Trojan Vundo displays popup advertisements and fake security alerts, and offers to install other potentially unwanted software and rogue antispyware applications.

Trojan Vundo infection symptoms:

  • Popups.
  • Slow computer speeds.
  • Security alerts with a message stating that your computer is infected with spyware and that you must download and install a rogue (fake) antispyware.
  • Your antivirus program notifies you via an alert that you have Trojan Vundo.

Continue reading How to remove Trojan Vundo…

April 2, 2006 on 8:45 am | In Trojan, Tutorials - HowTo | 3 Comments |


Trojan Horse keylogger steals end-user information for popular online games

Websense® Security Labs™ has received reports of a malicious website which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code’s filename is main_n80.scr; it was discovered on a site which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.

The main_80.scr file is an SFX self-extracting executable file that contains four files:
* download.exe
* winlogin.exe
* server.exe
* error.jpg
When the main_80.scr file is executed, it uses download.exe to copy the extracted files to the system32 directory and execute its own version of rundll32.exe. The rundll32.exe file shows error.jpg. Once the user closes the .jpg file, rundll32.exe executes the rest of the extracted .exe files.
These extracted .exe files modify the registry, as detailed below, to ensure that the malware starts on restart, and check for the existence of the application Lineage.
* Modifies or creates files and stores in system32 directory
* Kerne0110.exe is a copy of winlogin.exe
* Rundll32.exe is a copy of download.exe
* gg.bat is created
* _2dll.dll is created
* microsoftie0110.dll is created
* msabc.dll is created
* pKerme123.dll is created
* RegistryInfo.dll is created

March 13, 2006 on 9:19 am | In Identity Theft, Trojan | 3 Comments |


Exchange rate conversion tool loads Trojan.Downloader and Trojan.Muldrop

If you search for a “currency” or “exchange rate” conversion tool with one of the more popular search engines, you may find a link or site like this one

This site presents the user with a lovely, extensive and complete list of currencies and exchange rates to convert from and to. All for free. The only catch being that the user gets the “result” of his calculation as … an EXE download.

The download contains what some of the AV vendors refer to as Dropped:Trojan.Downloader and Trojan.Muldrop. If you are using any sort of URL filter, web-url.de and wechselkursrechner.de should probably be part of your filter list if exe downloads would otherwise make it past your perimeter.

Thanks to SansDiary.

March 8, 2006 on 8:00 am | In Trojan | No Comments |


Trojan Redbrowser.A steals money

Redbrowser.A is a J2ME-based Java MIDlet that sends SMS messages to a specific number.

Redbrowser pretends to be a WAP browser that offers free WAP browsing, using free SMS messages to deliver the WAP page contents. What Redbrowser actually does is send SMS messages to one specific number, which may cause financial losses to the user.

The fact that Redbrowser claims to send free SMS messages as part of its normal operation is meant to fool the user into granting the application permission to use the Java SMS capabilities, on phones that require permission from the user before sending SMS messages. This claim of free service is a form of social engineering.

The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan to Russian-speaking countries.

February 28, 2006 on 10:07 am | In Trojan | No Comments |


New Bagle – W32/Bagle.FM@mm, Email-Worm.Win32.Bagle.fm mass-mailer found

F-Secure has received a new Bagle mass-mailer. This Bagle mass-mailer first appeared on February 9th, 2006. It spreads in e-mails, sometimes pretending to be an antivirus definition file from Symantec. The worm also spreads to shared folders. In addition it drops a trojan downloader.
F-Secure detects this new mass-mailer as W32/Bagle.FM@mm.
When the worm’s file is started it displays a fake error message box:

Error!
Can’t find a viewer associated with the file.

The worm can send several different messages. The following texts can be used in the subject line (%number% stands for a randomly generated number):

Your Receipt %number%-%number%
Order reminder: ID %number%
Billing department, order %number%-%number%

When the worm scans a hard drive, it looks for folders that have the substring ’shar’ in their names. If such a folder is found, the worm copies itself to that folder under the following names:

anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe

The worm also drops a file named winresw.exe to the Windows folder and starts it. This file is a trojan downloader that downloads and runs files from the Internet.

The worm also starts a backdoor on port 6777. The backdoor allows the worm’s file to be updated from the Internet.

February 11, 2006 on 7:14 am | In Trojan, Virus, Worms | No Comments |


Top Ten viruses and spyware most frequently detected by Panda ActiveScan in January

In January, Sdbot.ftp was the malware specimen most frequently detected by the free online antivirus solution Panda ActiveScan. In addition to this malicious code topping the ranking for the seventh month running, other notable aspects of this month’s list include the second place held by WMF Exploit and the presence of the Tearec.A/W32.Blackmal.E@mm/BlackWorm virus in sixth place. With respect to spyware, New.net occupies first place in the ranking.

During the first month of this year, Sdbot.ftp was responsible for 2.99 percent of infections. Then come Metafile (1.99%), Sober.AH (1.30%), and Netsky.P (1.25%). After them, with frequency percentages of less than 1 percent, come Gaobot.gen, Tearec.A, Torpig.A, Qhost.gen, Alcan.A and Parite.B.

Malware % frequency
W32/Sdbot.ftp 2.99
WMF Exploit/Metafile 1.99
W32/Sober.AH.worm 1.30
W32/Netsky.P.worm 1.25
W32/Gaobot.gen.worm 0.90
W32/Tearec.A.worm 0.80
Trj/Torpig.A 0.80
Trj/Qhost.gen 0.76
W32/Alcan.A.worm 0.70
W32/Parite.B 0.61

The following conclusions can be drawn from the Top Ten ranking of the threats most frequently detected by Panda ActiveScan in January:

- Sdbot.ftp: seven months at the head of the ranking.

Sdbot.ftp has been, since July 2005, the threat with the most impact. This is a script used by certain malware specimens to download the Sdbot worm via FTP. It does this by exploiting several operating system vulnerabilities such as LSASS or RPC-DCOM.

- The high profile of WMF Exploit.

WMF Exploit, which first appeared towards the end of December 2005, was the second most prevalent threat in January 2006. This is an exploit, i.e. code written especially to take advantage of a security hole in GDI32.DLL (used by programs such as Windows Picture and Fax Viewer), affecting the following Windows platforms: 98, Millennium Edition (ME), 2000, XP and Server 2003.

The impact of WMF Exploit, along with the pole position of Sdbot.ftp, once again highlights the success of malware creators in exploiting vulnerabilities in major programs to bolster the impact of their creations.

- Tearec.A/W32.Blackmal.E@mm/BlackWorm: social engineering once again hand-in-hand with Internet threats.

In mid-January, Tearec.A hit computers around the world, and was, for some days, the most frequently detected malware by the free, online antivirus solution Panda ActiveScan. Its successful propagation was based largely on the use of social engineering techniques by its creator. The e-mails in which Tearec.A spread used erotic themes in order to trick recipients.

- The growing presence of worms.

Seven out of ten of the viruses in January’s Top Ten are worms, reflecting the growing trend apparent in the previous ranking (in which six out of the Top Ten belonged to this category) with a corresponding decline in the presence of Trojans.

January’s spyware ranking sees the first place remain unaltered with respect to the previous month, with New.net (1.28%) in first place. The remaining examples of spyware in the Top Ten all have frequency percentages of less than 1%: Smitfraud, Virtumonde, RXToolbar, Altnet, BetterInet, Media-motor, SafeSurf, MarketScore and Petro-Line. The most notable aspects with respect to December’s classification are the appearance of Smitfraud and SafeSurf, replacing Cydoor and Premeter, which last month held second and third place respectively.

Spyware % frequency
Spyware/New.net 1.28
Spyware/Smitfraud 0.55
Spyware/Virtumonde 0.46
Spyware/RXToolbar 0.37
Spyware/Altnet 0.35
Spyware/BetterInet 0.29
Spyware/Media-motor 0.26
Spyware/SafeSurf 0.23
Spyware/MarketScore 0.22
Spyware/Petro-Line 0.20
February 7, 2006 on 8:51 am | In Exploits & Vulnerabilities, Trojan, Virus | No Comments |


How to remove VideoCodec3_05b – ICQCHK.exe – MSX.DLL

The ICQCHK Trojan is installed by VideoCodec3_05b.exe, supposedly to help you play “funny” movies. The Trojan’s web sites are now closed.

Related files in the %SysDir% folder (usually c:\ Windows\System32):
kaboom.dll
iewatch.exe
A0003016.exe
VideoCodec3_05b.exe
sysmon.exe
msx.dll
gtrack.dll
ietool[1].exe
ietool[2].exe
ietool[3].exe

Removal Instructions

  • Download special software:
    RegRun Reanimator
    Unzip it to any folder on your hard drive.
    * RegRun users need to open RegRun Start Control.
  • Save icqchk_kill.rnr to the same folder.

    * The script file works if Windows is installed to “C:\Windows”.
    * The script file deletes the Trojan’s files and registry entries. If Windows is installed elsewhere, open icqchk_kill.rnr in Notepad.exe and replace “c:\Windows” with your path.

  • Restart your computer to the Safe mode.
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
  • Open Reanimator.exe (or RegRun Start Control). Open Reanimator menu, “Execute Reanimator Job”. Choose icqchk_kill.rnr file.
  • Restart your computer again to the Safe mode. Repeat the job execution.
  • Restart to the Normal Windows mode. Open Reanimator and choose “Scan for Viruses” to be sure that it is complete.
  • Visit RegRun Support center if you have any questions.
    Open a support ticket and attach your detailed system report made by RegRun.
February 1, 2006 on 5:08 am | In Trojan, Tutorials - HowTo | 1 Comment |


New trojan downloader spammed

A new trojan downloader is being heavily spammed right now. It comes with the subject “YOUR BILL PAYMENT NOT APPROVED!” and a message like this: “We are unable to obtain the bill payment from your bank account. Your bank returned the following error to us: BILL PAYMENT NOT APPROVED BILL #5563880”.

Attached to the message is a small downloader that tries to fetch a file from dalvabrothersinc.com. F-Secure detects the downloader as W32/Small.CGS in update 2006-01-27_01.

January 28, 2006 on 11:21 am | In Trojan | No Comments |




My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.