
First virus for StarOffice and OpenOffice

Kaspersky Lab has reported the first macro virus for StarOffice and OpenOffice: Virus.StarOffice.Stardust.a.
Stardust is a macro virus written for StarOffice. Macro viruses usually infect MS Office applications. It’s written in Star Basic. It downloads an image file (with adult content) from the Internet and then opens this file in a new document.

May 31, 2006 on 9:27 am | In Virus | No Comments |

New ransomware found

A new piece of ransomware, called Ransom.a by most AV vendors, has been spotted in the wild.

Evidence received so far suggests that this Trojan can be found on P2P networks.

The malware poses as a Windows Mobile application, but despite that description it only runs on Win32.

When an infected user reboots the machine and logs on, a full-screen message is displayed.
The screen tries its best to stay on top of all windows, is highly annoying, and also shows pornographic images.

The message which is presented to the user is quite long, but in short:

Pay $10.99 via Western Union otherwise you will keep getting this screen.
One file per 30 minutes will be deleted from the hard drive. Deleted files will be restored when you have paid up and entered the proper unlock code.
Antivirus software can not detect this virus, nor can it detect the hidden folders in which the deleted files are stored.
When entering a false unlock code there’s also a message stating that the hard drive will crash in 3 days.

However there’s a catch: None of these destructive routines actually work!

I think we have an interesting development going on here. I think there are two different types of ransomware:

Real ransomware, which encrypts your data or does other nasty stuff.
And malware which claims to do all sorts of nasty stuff but actually doesn’t. It’s bluffing, like bluff poker.

How is an average user going to check if all of his files are still there? He’s not.
Losing a file every 30 minutes is a scary thought, made up by the criminal in an effort to pressure the user to act quickly and pay up.

Ransomware has gotten quite some media attention and now criminals are trying to simply bluff people into giving up their money, instead of having to write difficult code.

I just hope that people have remembered the most important thing about ransomware: Do not pay up, contact AV vendors for help.

May 1, 2006 on 8:53 am | In Virus | No Comments |

LdPinch again spammed via ICQ

Over the weekend, Kaspersky Lab intercepted Trojan-PSW.Win32.LdPinch.ahe - the latest variant of LdPinch.
This malicious program sends itself to everyone on the victim’s ICQ contact list. It sends a Russian message which says:

[translation] How to trick WebMoney!
To find out how, read the Help instructions!

The message includes a link to the malicious program file, which is called Help.chm.

March 13, 2006 on 9:13 am | In Identity Theft, Virus | No Comments |

Nyxem/Kama Sutra/Blackworm return again

Today is the third day of the month, and “this destructive virus will delete files from a number of popular programs on February 3rd, and on the 3rd day of the month thereafter”.

More info about Nyxem/Kama Sutra/Blackworm
How to remove Nyxem/Kama Sutra/Blackworm
How to recover lost files (due to W32.Blackmal.E@mm - BlackWorm virus or other reasons)

March 3, 2006 on 10:20 am | In Tips, Virus | No Comments |

Crossover PC/Windows Mobile virus found

The Mobile Antivirus Researchers Association claims to have detected the first worm that can jump from a PC to a Windows Mobile-powered wireless device.
The ‘Crossover’ worm nests itself in a directory on a Windows PC where it will automatically activate once the user connects a Windows Mobile device using Microsoft ActiveSync.
The digital pest was sent to the association anonymously and is a proof-of-concept designed to show off its features but not cause any actual harm.
“This is proof-of-concept code for educational purposes only. This virus closes the gap between handhelds and desktops. Now it’s one big world open to all,” the worm creators said in a note attached to the virus.

Read more here.

February 28, 2006 on 10:00 am | In Virus | No Comments |

New variant W32/Feebs found

A new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time with de-obfuscating the JavaScript and VB code, and we’re still looking at what it does besides downloading base64 encoded versions of W32/Feebs. You might want to block access to

*.coconia.net
*.by.ru
*.kazan.bz
*.t35.com
*.freecoolsite.com
*.nm.ru

until the AV vendors have the patterns lined up.

The new variant spreads as an email with the subject “Secure Message from GMail.com user“, and contains a ZIP attachment (data.zip in the sample at hand), which in turn contains a file “Encrypted Html File.hta”, which contains the heavily obfuscated JavaScript exploit code that triggers the W32/Feebs download from the above sites.
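The post above recommends blocking the wildcard domains until AV patterns arrive. The script below is an added example (not code from the original post or from SANS) of applying that list correctly: a wildcard such as *.by.ru has to be matched on DNS labels, so that files.by.ru is caught but notby.ru is not. The proxy log excerpt is constructed for the example; the log format (timestamp, client IP, method, URL) is an assumption, not a real product's format.

```python
from urllib.parse import urlsplit

# Wildcard block patterns as listed in the post above (the hosts Feebs
# pulled its payload from).
BLOCKED_PATTERNS = [
    "*.coconia.net",
    "*.by.ru",
    "*.kazan.bz",
    "*.t35.com",
    "*.freecoolsite.com",
    "*.nm.ru",
]


def pattern_to_domain(pattern):
    """Reduce '*.example.com' (or 'example.com') to the bare, lower-cased domain."""
    domain = pattern.strip().lower().rstrip(".")
    if domain.startswith("*."):
        domain = domain[2:]
    return domain


def is_blocked(hostname, patterns=BLOCKED_PATTERNS):
    """True if hostname is a blocked domain or any subdomain of one.

    Comparison is label-aware: '*.by.ru' matches 'by.ru' and 'files.by.ru'
    but not 'notby.ru'. Matching the apex too is a policy choice: these were
    free-hosting domains whose subdomains were all attacker-controlled.
    """
    host = hostname.strip().lower().rstrip(".")
    for pattern in patterns:
        domain = pattern_to_domain(pattern)
        if host == domain or host.endswith("." + domain):
            return True
    return False


# Constructed proxy log excerpt (timestamp, client IP, method, URL); not real data.
SAMPLE_PROXY_LOG = """\
2006-02-22T10:01:13 10.0.0.15 GET http://www.example.com/index.html
2006-02-22T10:01:40 10.0.0.15 GET http://files.by.ru/~user/feebs.txt
2006-02-22T10:02:02 10.0.0.22 GET http://notby.ru/legit.html
2006-02-22T10:02:30 10.0.0.22 GET http://mirror.t35.com:8080/pics/img.jpg
2006-02-22T10:03:01 10.0.0.31 GET http://COCONIA.NET/
2006-02-22T10:03:15 10.0.0.31 CONNECT mail.example.org:443
"""


def find_blocked_requests(log_text, patterns=BLOCKED_PATTERNS):
    """Return (timestamp, client, host) for every request to a blocked domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, method, target = fields[:4]
        if method == "CONNECT":          # CONNECT carries host:port, not a URL
            host = target.rsplit(":", 1)[0]
        else:
            host = urlsplit(target).hostname  # strips scheme, port, path; lower-cases
        if host and is_blocked(host, patterns):
            hits.append((timestamp, client, host))
    return hits


if __name__ == "__main__":
    for hit in find_blocked_requests(SAMPLE_PROXY_LOG):
        print("blocked-domain request:", *hit)
```

The same is_blocked() check can be reused at a DNS resolver or in a proxy ACL; the important part is the label-aware suffix comparison, since a plain substring test on "by.ru" would also block unrelated hosts.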

Update:
AV detection is available by now:

Antivirus|Version|Update|Result
BitDefender|7.2|02.22.2006|Win32.Worm.Feebs.1.Gen
Kaspersky|4.0.2.24|02.22.2006|Worm.Win32.Feebs.cb
McAfee|4703|02.22.2006|W32/Feebs.gen@MM
Panda|9.0.0.4|02.22.2006|Suspicious file
Sophos|4.02.0|02.22.2006|W32/Feebs-Gen
Symantec|8.0|02.22.2006|W32.Feebs

Thanks to SansBlog

February 22, 2006 on 5:30 am | In Virus | No Comments |

New Bagle - W32/Bagle.FM@mm, Email-Worm.Win32.Bagle.fm mass-mailer found

F-Secure has received a new Bagle mass-mailer, which first appeared on February 9th, 2006. It spreads in e-mails, sometimes pretending to be an antivirus definition file from Symantec. The worm also spreads to shared folders, and in addition it drops a trojan downloader.
F-Secure detects this new mass-mailer as W32/Bagle.FM@mm.
When the worm’s file is started it displays a fake error message box:

Error!
Can’t find a viewer associated with the file.

The worm can send several different messages. The following text can be used in subject line ( %number% stands for a randomly generated number):

Your Receipt %number%-%number%
Order reminder: ID %number%
Billing department, order %number%-%number%

When the worm scans a hard drive, it looks for folders that have the substring ‘shar’ in their names. If such a folder is found, the worm copies itself to that folder under the following names:

anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe

The worm also drops a file named winresw.exe to the Windows folder and starts it. This file is a trojan downloader that downloads and runs files from the Internet.

The worm also starts a backdoor on port 6777. The backdoor allows the worm’s file to be updated from the Internet.

February 11, 2006 on 7:14 am | In Trojan, Virus, Worms | No Comments |

Top Ten viruses and spyware most frequently detected by Panda ActiveScan in January

In January, Sdbot.ftp was the malware specimen most frequently detected by the free online antivirus solution Panda ActiveScan. In addition to this malicious code topping the ranking for the seventh month running, other notable aspects of this month’s list include the second place held by WMF Exploit and the presence of Tearec.A/W32.Blackmal.E@mm/BlackWorm in sixth place. With respect to spyware, New.net occupies first place in the ranking.

During the first month of this year, Sdbot.ftp was responsible for 2.99 percent of infections. Next come Metafile (1.99%), Sober.AH (1.30%), and Netsky.P (1.25%). After them, with frequency percentages of less than 1 percent, come: Gaobot.gen, Tearec.A, Torpig.A, Qhost.gen, Alcan.A and Parite.B.

Malware % frequency
W32/Sdbot.ftp 2.99
WMF Exploit/Metafile 1.99
W32/Sober.AH.worm 1.30
W32/Netsky.P.worm 1.25
W32/Gaobot.gen.worm 0.90
W32/Tearec.A.worm 0.80
Trj/Torpig.A 0.80
Trj/Qhost.gen 0.76
W32/Alcan.A.worm 0.70
W32/Parite.B 0.61

The following conclusions can be drawn from the Top Ten ranking of the threats most frequently detected by Panda ActiveScan in January:

- Sdbot.ftp: seven months at the head of the ranking.

Sdbot.ftp has been, since July 2005, the threat that has had most impact. This is a script used by certain malware specimens to download the Sdbot worm via FTP. It does this by exploiting several operating system vulnerabilities, such as LSASS or RPC-DCOM.


- The high profile of WMF Exploit.

WMF Exploit, which first appeared towards the end of December 2005, was the second most prevalent threat in January 2006. This is an exploit, i.e. code written especially to take advantage of a security hole, in GDI32.DLL (used by programs such as Windows Picture and Fax Viewer), affecting the following Windows platforms: 98, Millennium Edition (ME), 2000, XP and Server 2003.

The impact of WMF Exploit, along with the pole position of Sdbot.ftp, once again highlights the success of malware creators in exploiting vulnerabilities in major programs to bolster the impact of their creations.

- Tearec.A/W32.Blackmal.E@mm/BlackWorm: social engineering once again hand-in-hand with Internet threats.

In mid-January, Tearec.A hit computers around the world, and was, for some days, the most frequently detected malware by the free, online antivirus solution Panda ActiveScan. Its successful propagation was based largely on the use of social engineering techniques by its creator. The e-mails in which Tearec.A spread used erotic themes in order to trick recipients.

- The growing presence of worms.

Seven out of ten of the viruses in January’s Top Ten are worms, reflecting the growing trend apparent in the previous ranking (in which six out of the Top Ten belonged to this category) with a corresponding decline in the presence of Trojans.

January’s spyware ranking sees the first place remain unaltered with respect to the previous month, with New.net (1.28%) in first place. The remaining examples of spyware in the Top Ten all have frequency percentages of less than 1%: Smitfraud, Virtumonde, RXToolbar, Altnet, BetterInet, Media-motor, SafeSurf, MarketScore and Petro-Line. The most notable aspects with respect to December’s classification are the appearance of Smitfraud and SafeSurf, replacing Cydoor and Premeter, which last month held second and third place respectively.

Spyware % frequency
Spyware/New.net 1.28
Spyware/Smitfraud 0.55
Spyware/Virtumonde 0.46
Spyware/RXToolbar 0.37
Spyware/Altnet 0.35
Spyware/BetterInet 0.29
Spyware/Media-motor 0.26
Spyware/SafeSurf 0.23
Spyware/MarketScore 0.22
Spyware/Petro-Line 0.20
February 7, 2006 on 8:51 am | In Exploits & Vulnerabilities, Trojan, Virus | No Comments |

Remove Win32/Mywife.E@mm BlackWorm, W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi now

On systems that are infected by Win32/Mywife.E@mm, BlackWorm, W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts.

Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.

Customers using Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, or Windows Server 2003 Service Pack 1 may be at reduced risk from this malware; if the account password is blank, the account is not valid as a network credential. In an environment where you can guarantee physical security, you do not need to use the account across the network, and you are using Windows XP or Windows Server 2003, a blank password is better than a weak password. By default, blank passwords can only be used locally in Windows XP and Windows Server 2003.

Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.

Customers who believe that they are infected with the Mywife malware, or who are not sure whether they are infected, should contact their antivirus vendor. Alternatively, Windows Live Safety Center Beta Web site provides the ability to choose “Protection Scan” to ensure that systems are free of infection. Additionally, the Windows OneCare Live Beta, which is available for English language systems, provides detection for and protection against the Mywife malware and its known variants.

You can also try the how-to for removing the Win32/Mywife.E@mm malware.

February 2, 2006 on 8:58 am | In Tips, Virus | No Comments |

First reports of Nyxem damage

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you’re infected and your clock is not set right, things could start to happen at any time, even though the official activation time is the 3rd of the month. F-Secure has already received the first reports from users who’ve had files on their system overwritten by the worm.

When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, i.e. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you’re taking daily automatic backups you might end up backing up the corrupted files over good files.

The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd - most of them in India, Turkey and Peru.

This worm family has been around since March 2004. The worm is named “Nyxem” because the original Nyxem.A variant launched a DDoS attack against the New York Mercantile Exchange website (www.nymex.com). We don’t know why.

Try the how-to for removing the virus, or download the free virus removal tool from F-Secure.

January 31, 2006 on 10:10 pm | In Virus | No Comments |

New version GPCode virus

Kaspersky Lab intercepted a new variant of GPCode, Virus.Win32.GPCode.ac.

This program, like its predecessors, encrypts users’ files. The author of the program demands payment for decrypting the files.

The new variant of GPCode was widely spammed throughout the Russian segment of the Internet. In spite of our warnings not to open attachments to email if you don’t know the sender, Kaspersky Lab has received a large number of reports from infected users.

Yesterday Kaspersky Lab added decryption for encrypted files to our antivirus databases. However, GPCode uses a number of encryption keys. It may be that some users’ data has been encrypted by keys which we haven’t seen yet. These users therefore won’t be able to use our antivirus to restore their data.

In conclusion, as Kaspersky Lab has said many times before: sending money to the author(s) of these programs simply provides motivation to create another variant. Don’t ever send money to a cyber criminal.

January 28, 2006 on 11:26 am | In Virus | No Comments |

How to remove BlackWorm, W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi

To manually recover from infection, perform the following steps:
1. Disconnect from the Internet.
2. End the worm process.
3. Delete the worm files from your computer.
4. Delete the worm registry entry.
5. Take steps to prevent re-infection.

Disconnect from the Internet
To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

End the worm process
Ending the worm process will help stop your computer from infecting other computers as well as resolve the crashing, rebooting, and performance degradation issues caused by the worm.
To end the worm process
1. Press CTRL+ALT+DEL once and click Task Manager.
2. Click Processes and click Image Name to sort the running processes by name.
3. Select the process scanregw.exe, and click End Process.
4. Select the process rundll16.exe, and click End Process.

Delete the worm files from your computer
After you end the worm process, delete the worm code from your computer.
To delete the worm files from your computer
1. Click Start, and click Run.
2. In the Open field, type %windir%
3. Click OK.
4. Click Name to sort files by name.
5. If the file rundll16.exe is in the list, delete it.
6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
7. Click Yes.
Repeat the steps above, but in step 2 enter %system% and in step 5 look for scanregw.exe.
If deleting files fails, use the following steps to verify that rundll16.exe and scanregw.exe are not running:
1. Press CTRL+ALT+DEL once and click Task Manager.
2. Click Processes and click Image Name to sort the running processes by name.
3. Confirm that rundll16.exe and scanregw.exe are not in the list.

Delete the worm registry entry
To delete the worm registry entry
1. On the Start menu, click Run.
2. Type regedit and click OK.
3. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, right-click the value ScanRegistry (whose data is scanregw.exe /scan) and select Delete.
5. Click Yes to delete the value.
6. Repeat steps 3 to 5 for the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
7. Close the Registry Editor.

Take steps to prevent re-infection
Take the following steps to help prevent infection on your system:
1. Enable a firewall on your computer.
2. Get the latest computer updates.
3. Use up-to-date antivirus software.
4. Use caution with unknown attachments.
5. Use strong passwords.
6. Remove unneeded network shares.
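The manual steps above amount to checking three artefact sets (running processes, files in the Windows and System directories, and the Run keys in HKLM and HKCU) against a fixed set of indicators. The script below is an added example, not part of the original how-to: assess() is a pure check over already-collected artefacts so it can be run offline against triage output, and collect_live() gathers the same three sets on a Windows host using tasklist and winreg. The sample artefacts at the bottom are constructed; %system% is taken to mean the System32 directory under %windir%, which is an assumption about the how-to's notation.

```python
import csv
import io
import os
import sys

# Indicators taken from the removal steps above.
WORM_PROCESSES = {"scanregw.exe", "rundll16.exe"}
# (directory placeholder as used in the steps, file name to look for)
WORM_FILES = [("windir", "rundll16.exe"), ("system", "scanregw.exe")]
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
RUN_VALUE_NAME = "ScanRegistry"
RUN_VALUE_DATA = "scanregw.exe /scan"


def assess(processes, files_present, run_values):
    """Compare collected artefacts against the indicators; return a list of findings.

    processes:     iterable of running image names
    files_present: {"windir": {names...}, "system": {names...}}
    run_values:    {hive_name: {value_name: value_data}} for the Run key
    An empty list means none of the how-to's indicators were seen.
    """
    findings = []
    running = {p.lower() for p in processes}
    for name in sorted(WORM_PROCESSES & running):
        findings.append(f"process running: {name}")
    for placeholder, fname in WORM_FILES:
        names = {n.lower() for n in files_present.get(placeholder, ())}
        if fname in names:
            findings.append(f"file present: %{placeholder}%\\{fname}")
    for hive in RUN_HIVES:
        for vname, data in run_values.get(hive, {}).items():
            if vname.lower() != RUN_VALUE_NAME.lower():
                continue
            normalized = " ".join(str(data).lower().split())
            if normalized == RUN_VALUE_DATA:
                findings.append(f"run value: {hive}\\{RUN_SUBKEY}\\{vname} = {data}")
            else:
                # Same value name but other data is not the how-to's indicator:
                # report it for manual review instead of treating it as the worm.
                findings.append(f"review: {hive}\\{RUN_SUBKEY}\\{vname} = {data}")
    return findings


def collect_live():
    """Gather the same three artefact sets from the local machine (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import subprocess
    import winreg

    output = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                            capture_output=True, text=True, check=True).stdout
    processes = [row[0] for row in csv.reader(io.StringIO(output)) if row]
    windir = os.environ.get("WINDIR", r"C:\Windows")
    directories = {"windir": windir, "system": os.path.join(windir, "System32")}
    files_present = {key: set(os.listdir(path)) for key, path in directories.items()}
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    run_values = {}
    for hive, root in roots.items():
        values = {}
        try:
            with winreg.OpenKey(root, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        vname, data, _ = winreg.EnumValue(key, index)
                    except OSError:        # no more values
                        break
                    values[vname] = data
                    index += 1
        except OSError:                    # key absent or not readable
            pass
        run_values[hive] = values
    return processes, files_present, run_values


# Constructed artefacts resembling an infected host, for running this offline.
SAMPLE_PROCESSES = ["System", "explorer.exe", "ScanRegW.exe", "svchost.exe"]
SAMPLE_FILES = {"windir": {"explorer.exe", "rundll16.exe"}, "system": {"kernel32.dll"}}
SAMPLE_RUN = {"HKEY_LOCAL_MACHINE": {"ScanRegistry": "scanregw.exe /scan"},
              "HKEY_CURRENT_USER": {}}

if __name__ == "__main__":
    if sys.platform == "win32":
        artefacts = collect_live()
    else:
        artefacts = (SAMPLE_PROCESSES, SAMPLE_FILES, SAMPLE_RUN)
    for finding in assess(*artefacts) or ["no BlackWorm indicators found"]:
        print(finding)
```

The script only reports; the deletion steps above remain a manual decision, which is why a ScanRegistry value with unexpected data is returned as a review item rather than acted on.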

January 25, 2006 on 10:46 am | In Tutorials - "How to", Virus, Worms | No Comments |

Attention: new email virus

F-Secure has information on a fairly aggressive new email virus. Their name for it is VB.bi, although its aliases are W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D and Email-Worm.Win32.VB.bi, depending on which AV vendor you check with. It’s a worm as well, in that it tries to spread through remote shares. It attempts to disable antivirus software as well. Here are some details:

The e-mail subject is one the following:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
Fuckin Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

Read more here.
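Both the Bagle.FM post above (subjects built from templates with a %number% placeholder) and this Nyxem post (a fixed list of subjects) give mail-gateway operators something to match on. The script below is an added example, not code from either post or from F-Secure, showing how to turn both kinds of list into one subject classifier: templates become anchored regular expressions with the placeholder replaced by a digit run, fixed subjects become an exact-match set after whitespace and case normalization. The message headers at the bottom are constructed, and the family labels "Bagle.FM" and "Nyxem.E" are just the names used in the posts.

```python
import re

# Bagle.FM subject templates quoted in the Bagle post above; %number% stands
# for a randomly generated number.
BAGLE_SUBJECT_TEMPLATES = [
    "Your Receipt %number%-%number%",
    "Order reminder: ID %number%",
    "Billing department, order %number%-%number%",
]

# A subset of the Nyxem/Blackmal.E subjects quoted above. The bare
# "Re:" and "Fw:" subjects are left out: on their own they would match
# far too much legitimate mail.
NYXEM_SUBJECTS = [
    "The Best Videoclip Ever",
    "A Great Video",
    "give me a kiss",
    "*Hot Movie*",
    "Fw: Funny",
    "Fwd: Photo",
    "Fwd: image.jpg",
    "Fw: Sexy",
    "Part 1 of 6 Video clipe",
    "You Must View This Videoclip!",
    "Miss Lebanon 2006",
    "Re: Sex Video",
    "My photos",
]


def normalize(subject):
    """Collapse whitespace and lower-case, so header folding and case do not defeat the match."""
    return " ".join(subject.split()).lower()


def template_to_regex(template):
    """Turn a '%number%' template into an anchored regex; literal text is escaped."""
    pieces = [re.escape(p) for p in normalize(template).split("%number%")]
    return re.compile("^" + r"\d+".join(pieces) + "$")


BAGLE_PATTERNS = [(t, template_to_regex(t)) for t in BAGLE_SUBJECT_TEMPLATES]
NYXEM_LOOKUP = {normalize(s) for s in NYXEM_SUBJECTS}


def classify_subject(subject):
    """Return 'Bagle.FM', 'Nyxem.E' or None for a mail subject."""
    subj = normalize(subject)
    for _template, pattern in BAGLE_PATTERNS:
        if pattern.match(subj):
            return "Bagle.FM"
    if subj in NYXEM_LOOKUP:
        return "Nyxem.E"
    return None


# Constructed message headers (not real mail) to run the classifier over.
SAMPLE_HEADERS = [
    {"from": "billing@example.com", "subject": "Your Receipt 8231-7712"},
    {"from": "shop@example.net", "subject": "Your Receipt for order ABC"},
    {"from": "friend@example.org", "subject": "Fwd:  IMAGE.JPG"},
    {"from": "hr@example.org", "subject": "Meeting notes"},
    {"from": "someone@example.com", "subject": "Billing department, order 17-9"},
]


def scan_headers(headers):
    """Return (subject, family) for every header whose subject matches a known family."""
    hits = []
    for header in headers:
        family = classify_subject(header["subject"])
        if family is not None:
            hits.append((header["subject"], family))
    return hits


if __name__ == "__main__":
    for subject, family in scan_headers(SAMPLE_HEADERS):
        print(f"{family}: {subject!r}")
```

Subject matching alone is a weak signal, as the posts themselves show (subjects change between variants and some are generic), so in practice it is combined with attachment inspection rather than used as the sole block rule.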

January 18, 2006 on 10:42 am | In Virus | No Comments |

Fake MS Messenger 8 beta

F-Secure is warning about ads for a “leaked version” of Windows Messenger 8 beta. There is no public beta of this and it is a virus.
If you download and run BETA8WEBINSTALL.EXE, you won’t get a new chat client. Instead, your existing MSN Messenger will start to send download links to everyone in your contact list. It also connects your machine to a botnet server.

The download link always contains the recipient’s email address. For example, if you had a friend with the email address huuhaa@foobar.com, he would get a download link like msgrbeta8.com/im.php?msn=huuhaa@foobar.com.

December 28, 2005 on 2:48 am | In Virus | No Comments |

Beware Vcodec

Wondering how people get to these bogus security sites and download junk like SpyAxe?

Patrick Jordan and Adam Thomas of the Sunbelt spyware research team have been investigating Vcodec.com. This site offers a program described as “VCodec v3.05b is new generation multimedia compressor/decompressor which registers into the Windows collection of multimedia drivers…”
This is a bogus video utility. The file, VideoCodec3_05b, is a trojan which then starts the scam about “Your computer is infected!”.

I ran this through VirusTotal and here are the results (“No virus found” means the scanner did not detect the file as a trojan):

—————————————————————————————————

This is a report processed by VirusTotal on 12/14/2005 at 23:23:24 (CET) after scanning the file “VideoCodec3_05b.exe” file.

Antivirus|Version|Update|Result
Kaspersky|4.0.2.24|12.14.2005|Trojan-Downloader.Win32.Zlob.cu
NOD32v2|1.1322|12.14.2005|probably a variant of Win32/TrojanDropper.Small.NCU
CAT-QuickHeal|8|12.13.2005|(Suspicious) - DNAScan
AntiVir|6.33.0.61|12.14.2005|no virus found
Avast|4.6.695.0|12.14.2005|no virus found
AVG|718|12.14.2005|no virus found
Avira|6.33.0.61|12.14.2005|no virus found
BitDefender|7.2|12.14.2005|no virus found
ClamAV|devel-20051108|12.12.2005|no virus found
DrWeb|4.33|12.14.2005|no virus found
eTrust-Iris|7.1.194.0|12.14.2005|no virus found
eTrust-Vet|12.3.3.0|12.14.2005|no virus found
Fortinet|2.54.0.0|12.14.2005|no virus found
F-Prot|3.16c|12.13.2005|no virus found
Ikarus|0.2.59.0|12.14.2005|no virus found
McAfee|4650|12.14.2005|no virus found
Norman|5.70.10|12.14.2005|no virus found
Panda|8.02.00|12.14.2005|no virus found
Sophos|4.00.0|12.14.2005|no virus found
Symantec|8|12.14.2005|no virus found
TheHacker|5.9.1.055|12.14.2005|no virus found
VBA32|3.10.5|12.14.2005|no virus found

—————————————————————————————————

So only Kaspersky (no surprise), NOD32 and CAT-QuickHeal are catching it.

Now available: how to remove the Vcodec trojan

by sunbeltblog

December 17, 2005 on 11:04 pm | In Trojan, Virus | 1 Comment |

New email virus Beagle on the war path

A new Beagle/Bagle variant is making the rounds. It comes in an almost empty email, as a ZIP attachment containing the worm as an EXE. The attachment name, email subject and sole text content of the email all seem to be male or female names. Keep your eyes peeled, especially if your users are reading their mail over webmail, as it seems to take another couple of hours until the AV vendors have their patterns lined up.

It took most of the AV vendors their sweet time to get the patterns out for this one. Now things slowly start to look a bit more cheerful, though we know of at least one vendor where the Beagle/Bagle attachment still sails right through the filter, even though the vendor website claims that protection is in the current pattern. If you are not already blocking all .exe (and .exe within .zip) on your email gateway, days like today should maybe make you reconsider.
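The gateway advice here (block .exe, and .exe inside .zip) also covers the Feebs post above, where the ZIP carried an .hta, and the Sober post below, which recommends stripping ZIP attachments outright. The script below is an added example, not code from the original posts or from SANS, of the attachment policy that makes this work independently of AV patterns: it checks the attachment's own extension, opens ZIP data in memory and checks every member name (nested ZIPs included, to a fixed depth), and treats only the last extension as meaningful so double extensions like "Serials.txt.exe" are caught. The set of executable extensions is an assumption about a sensible policy, and the sample attachments are constructed in memory.

```python
import io
import zipfile

# Extensions Windows will execute on double-click. This set is an assumption
# about a sensible gateway policy, not a list from the posts above.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf"}
MAX_NESTING = 2   # how deep to look into zips inside zips


def executable_extension(name):
    """Return the executable extension of a file name, or None.

    Only the last extension counts, so double extensions such as
    'Serials.txt.exe' or 'Encrypted Html File.hta' are caught.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    if dot == -1:
        return None
    ext = base[dot:].lower()
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def inspect_attachment(filename, data, depth=0):
    """Return the list of reasons to block this attachment; [] means it passes.

    The attachment name itself is checked, and if the bytes are a ZIP archive
    every member name is checked too (recursively, up to MAX_NESTING). Member
    names come from the central directory, so they are readable even when the
    archive contents are password-protected.
    """
    reasons = []
    ext = executable_extension(filename)
    if ext:
        reasons.append(f"{filename}: executable extension {ext}")
    buf = io.BytesIO(data)
    if depth < MAX_NESTING and zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                member = f"{filename}:{info.filename}"
                ext = executable_extension(info.filename)
                if ext:
                    reasons.append(f"{member}: executable extension {ext}")
                elif info.filename.lower().endswith(".zip"):
                    try:
                        inner = archive.read(info)
                    except RuntimeError:   # password-protected member
                        reasons.append(f"{member}: encrypted nested archive, cannot inspect")
                        continue
                    reasons.extend(inspect_attachment(member, inner, depth + 1))
    return reasons


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed attachments modelled on the posts: a Feebs-style HTA inside a
# ZIP, a Beagle-style EXE named after a person, and two harmless ones.
SAMPLE_ATTACHMENTS = {
    "data.zip": build_zip({"Encrypted Html File.hta": b"<html></html>"}),
    "alice.zip": build_zip({"alice.exe": b"MZ placeholder"}),
    "report.zip": build_zip({"report.pdf": b"%PDF-1.4 placeholder"}),
    "photo.jpg": b"\xff\xd8\xff placeholder",
}


def gateway_verdicts(attachments):
    """Map each attachment name to 'block' or 'pass'."""
    return {name: ("block" if inspect_attachment(name, data) else "pass")
            for name, data in attachments.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, "->", inspect_attachment(name, data) or "pass")
```

Because the decision is made on file names rather than on signatures, it does not depend on the AV vendor's pattern being current, which is exactly the gap the post describes; the cost is that legitimate executables in ZIPs are blocked too, and have to be delivered another way.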

by SansLab

December 16, 2005 on 8:50 am | In Virus | No Comments |

New Sober Variants

Antivirus software does not provide any reliable protection against current threats. Viruses like Sober tend to change every few hours well in advance of AV signature updates. The fact that an attachment did not get marked is no indication that it is harmless. We do receive reports of up to date versions of AV software missing some of the recent Sober variants.
Sober is now considered the “largest virus outbreak of the year” according to F-Secure (thanks Matthias J. for pointing this out). It looks like the fake FBI e-mails are working for them.
Note from reader Marc R: Please do not have your AV software reply to viruses. All commonly seen viruses use fake ‘From:’ headers. Rumor has it that fbi.gov is having a hard time keeping up with all the bounces in the first place.
One note of interest: We had another Sober outbreak last year in June, around the same time we had “Download.ject”. Download.Ject (aka Berbew) used an Internet Explorer exploit to download and install a trojan. A number of well known, trusted web sites had been compromised and spread the trojan.
None of these does anything new or fancy. They all try to trick users into executing the attached ZIP file. The best defense at this point is probably to strip ZIP file attachments.
The subjects and the body text vary widely. Many of them suggest that the attachment was sent by some government authority (FBI, CIA) and requests that you open it in order to verify some charges brought against you. A version in German refers to the ‘BKA’ (German equivalent of FBI). Other versions claim to be sent by banks and ask you to open an attachment to verify account details.

List of links about Sober:

Symantec (Level 3 risk) W32.Sober.X@mm

http://securityresponse.symantec.com/avcenter/venc/data/w32.sober.x@mm.html

McAfee (currently Low risk) W32/Sober@MM!M681
http://vil.nai.com/vil/content/v_137072.htm

Trend Micro (Medium risk) WORM_SOBER.AG
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EAG

F-Secure (Radar Level 2) Sober.Y
http://www.f-secure.com/v-descs/sober_y.shtml

Sophos (low risk) W32/Sober-{X, Z}
http://www.sophos.com/virusinfo/analyses/w32soberx.html
http://www.sophos.com/virusinfo/analyses/w32soberz.html

Computer Associates (Medium risk) Win32.Sober.W
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=49473

Panda Antivirus (Medium risk) Sober.Y
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=92673&sind=0

November 23, 2005 on 5:31 am | In Virus | No Comments |

New Email virus

New Sober variant in the wild

Yesterday we got some messages about a possible new variant of the Sober virus to be released today. The F-Secure Weblog was one of the sources that posted a press release of the Bavarian Police warning about the new variant. And it looks like they got it right, at least according to Symantec (calling it Sober.S), F-Secure (calling it Sober.V) and CA (calling it Sober.S).
According to the first reports received, it is spreading with an email with something that looks like a zipped Excel attachment. But Symantec only says a zipped one, so I imagine that could be a lot of different extensions.
The subject and body may be in English or German, with subjects like the following:

Thanks for your registration.
Hi, Ich bin's

Update: McAfee reports 3 different variants since yesterday (which may be today according to your time zone…)
Sober.U
Sober.V
Sober.T

November 15, 2005 on 8:48 am | In Virus | No Comments |

What are computer viruses?

Computer viruses are programs specifically written to wreak havoc on your system. The main intent of a virus is to cause problems with as many computers as possible. The problems caused could be minor, or could shut down the network of an entire company.

November 4, 2005 on 6:44 am | In FAQ, Virus | No Comments |
