MSN Worm Used to install Backdoor
F-Secure has received reports from customers of suspicious pop-up messages being spammed through MSN Messenger. Below is a sample message:
lol check
http://peopleonline.pe.funpic.de/[REMOVED].pif
When the link in the message is clicked, a file named photo942.PIF is downloaded. This file is the backdoor component of Licat.C and is used to connect to go.cheap[Removed].info and go.links4[Removed].biz.
These hostnames resolve to a malicious IP address. Connecting to that address in turn downloads other malware and adware from www.uglyphotos.net/[Removed] and executes it on the infected machine.
One of the downloaded files is responsible for the pop-up messages being spammed via MSN Messenger. It arrives on the system with the filename sprT.exe and is also detected as IM-Worm.Win32.Licat.c.
Licat.C, a variant of Licat, is a Trojan. It can send instant messages, contact certain websites to notify the malware authors about certain events, and download files onto the infected computer.
Licat.C also attempts to replace the original MSN Messenger client, msnmsgr.exe, with its own copy. The original Messenger file is renamed to msgs.exe and is started by the copy. Deleting the Licat.C copy and renaming msgs.exe back to msnmsgr.exe may repair the Messenger installation.
The other downloaded files are adware-related. One is a Trojan that drops a variant of PurityScan adware onto the system, detected as Trojan-Dropper.Win32.PurityScan.ag. The other is a Softomate adware installer, detected as Softomate toolbar.
October 1, 2006, 7:49 am | In Adware, Worms
Worm uses MS04-007, MS05-017, MS05-039, MS06-040 bugs
For the past several days, ISC has received all kinds of e-mails about the recent increase in scanning on port 139. One of our loyal readers out there on the ‘Information SuperHighway’, Alex Pettinger, wrote in and gave us some netstat and fport outputs from one of his machines that seemed to be affected by the worm (as well as a nice copy of it). In typical antivirus fashion it is named several things: McAfee calls it “W32/SDbot.worm!MS06-040”, Sophos calls it “W32/Vanebot-A”, and Symantec calls it “W32.Randex.GEL”. (Yes, it has been out for a couple of days.)
Let’s take a look at this bad boy, shall we? How does it spread? It uses MS04-007, MS05-017, MS05-039 and, of course, our favorite bug of the moment, MS06-040.
This one should be relatively easy to catch: look for machines pounding away at port 139 (from reader submissions it hits about 150 machines in just a few seconds, so it should be noisy), and look for IRC connections to “forum.ednet.es” on port 4915 (until the next variant changes it, and we know it will). It can do a bunch of other things, including spreading to network shares.
To protect your PC, block TCP ports 139 and 445 at the router/firewall. NetBIOS/SMB traffic shouldn’t be allowed to enter or leave your network at the egress points anyway.
Update your antivirus at least daily, and patch Windows.
August 31, 2006, 9:05 pm | In Tips, Worms
New worm disables Security Software
Sunbelt Blog reported a new World Cup soccer worm. The worm arrives as an e-mail attachment with one of the following subjects and message bodies:
Subjects:
1. Soccer fans killed five teens
2. Crazy soccer fans
3. Please reply me Tomas
4. My tricks for you
5. Naked World Cup game set
6. My sister whores, shit i dont know
Message Bodies:
1. Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
2. Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
3. I wait your photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
4. Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos
5. Emily Carr was an artist know for her prudery, but now the Portrait Gallery of Canada has aquired a nude self-portrait. View photos.
Upon execution, the worm copies itself to the following location:
%Sysdir%\msctools.exe
It then attempts to download additional malware from:
http://couple{removed}.com/tumbs/dianaimg.exe
The worm also attempts to terminate the following processes (antivirus and personal-firewall products, plus system tools such as REGEDIT.EXE, NETSTAT.EXE, TASKMGR.EXE and MSCONFIG.EXE that a user would reach for to investigate):
AVP32.EXE, AVPCC.EXE, AVPM.EXE, AVP.EXE, iamapp.exe, iamserv.exe, FRW.EXE, blackice.exe, blackd.exe, zonealarm.exe, vsmon.exe, VSHWIN32.EXE, VSECOMR.EXE, WEBSCANX.EXE, AVCONSOLE.EXE, VSSTAT.EXE, OUTPOST.EXE, REGEDIT.EXE, NETSTAT.EXE, TASKMGR.EXE, MSCONFIG.EXE, NAVAPW32.EXE, UPDATE.EXE, msctools.exe
June 20, 2006, 7:41 pm | In Worms
Banwarum Worm Offers Tickets for the WORLD CUP
A new mass-mailing worm called Banwarum (also known as Zasran and Ranchneg) is using World Cup-themed e-mail messages. The worm sends itself as a password-protected archive and includes the password in the e-mail. The e-mails sent by the worm are in German and some of them offer tickets for the football matches in Germany next month.
There are already three functionally similar variants of this worm. FSAV detects the .A and .B variants with update version 2006-05-24_04 and the .C variant with update version 2006-05-25_01. One of the e-mails sent by the worm looks as follows:
Hi man,
ich hab gesehen, das du zu WM wolltest, frag nicht wer ich bin und warum ich es mache. Hier hast du 5 Stueck, das ist eine spezielle Online Version, drueck es aus und unterschreib. Password zu dem Archiv lautet (psw)
Mfg Niemand
This means in English:
Hi man,
I saw that you wanted to go to the World Cup. Don’t ask who I am or why I am doing this. Here you have 5 of them; this is a special online version, print it out and sign it. The password for the archive is (psw).
With friendly greetings Nobody
Thanks to F-Secure.
May 28, 2006, 11:31 pm | In Worms
Fake Windows Update Sites + WMF Exploit + Keylogger = New Botnet
Adam Piggott of Proactive Computing received an e-mail purporting to come from Microsoft. The e-mail linked to a supposed Windows Update site, but the link actually went to a site running the WMF exploit. On an unpatched Windows computer the exploit fires immediately. Social engineering is also at work: the site urges users to click a link to get Windows updates. Either way, unpatched or patched-and-clicking, the user gets hit with a Trojan downloader; in this case the Trojan’s file name is wusetup.exe.
The Trojan downloader pulls more malware that turns the infected machine into a proxy server and makes it part of a botnet hosted on Russian servers. It also downloads a keylogger, winldra.exe, also known as W32/Dumaru and Srv.SSA-KeyLogger, which writes the information stolen from infected machines to a log on a remote server.
For more details on this exploit and botnet, see SunbeltBLOG, which includes screenshots of the fake Windows Update site and of the live botnet on the Russian server. Note: at the time of writing, the Trojan downloader wusetup.exe is detected by fewer than half of the antivirus scanners at VirusTotal.
March 13, 2006, 9:46 am | In Exploits & Vulnerabilities, Identity Theft, Worms
New worm with file-encryption function found
Yesterday Kaspersky Lab came across a worm with a German-speaking background, Email-Worm.Win32.Skowor.b.
In contrast to programs like GPCode, Skowor is able to replicate; it tries to spread via a share that it creates.
When installed, the worm displays a message telling the user that s/he has five PC reboots in which to obtain a password that can be used to uninstall the worm. If the user doesn’t do this, the worm encrypts a number of important files and changes the Administrator and current-user passwords.
The worm also changes the IE start page to the author’s website.
February 24, 2006, 9:30 am | In Worms
Leap.A - Worm for Mac OS X
Leap.A is a binary compiled for Mac OS X. It arrives in an archive file called ‘latestpics.tgz’. When the executable in the archive is opened the worm activates. First it drops an icon resource and an external hook bundle, which is used for spreading through iChat.
Spreading through iChat
Leap.A installs a bundle to ‘~/InputManagers/apphook’ that hooks certain iChat functions. When any of the user’s buddies changes status, the worm initiates a file transfer and sends a copy of ‘latestpics.tgz’. The transfer is not visible to the user because the worm hides the transfer status information.
File infection
The worm enumerates all applications on the computer that were used during the last month. Leap.A replaces the main executable of each of those applications with itself and saves the original to a resource fork with the same filename. When the application is opened the worm runs first, then launches the original application from the resource fork.
Thanks to F-Secure.
February 18, 2006, 7:54 am | In Worms
New Bagle - W32/Bagle.FM@mm, Email-Worm.Win32.Bagle.fm mass-mailer found
F-Secure has received a new Bagle mass-mailer, which first appeared on February 9th, 2006. It spreads in e-mails, sometimes pretending to be an antivirus definition file from Symantec, and also copies itself to shared folders. In addition it drops a Trojan downloader.
F-Secure detects this new mass-mailer as W32/Bagle.FM@mm.
When the worm’s file is started it displays a fake error messagebox:
Error!
Can’t find a viewer associated with the file.
The worm can send several different messages. The following texts can be used in the subject line (%number% stands for a randomly generated number):
Your Receipt %number%-%number%
Order reminder: ID %number%
Billing department, order %number%-%number%
When the worm scans a hard drive, it looks for folders whose names contain the substring ‘shar’ (e.g. ‘Shared’). If such a folder is found, the worm copies itself there under the following names:
anna benson sex video.exe
kate beckinsale nude pictures.exe
jenna elfman sex anal deepthroat
miss america Porno, sex, oral, anal cool, awesome!!.exe
Porno Screensaver.scr
Serials.txt.exe
barrett jackson nude photos, movies, porn video.exe
Britney Spears sex photos.exe
paris hilton Porno pics arhive, xxx.exe
Windows Sourcecode update.doc.exe
Ahead Nero 10.exe
Windown Vista Beta Leak.exe
IE beta 7.exe
Serials 2005 database.exe
XXX hardcore images.exe
Adobe Photoshop 9 full.exe
The worm also drops a file named winresw.exe into the Windows folder and starts it. This file is a Trojan downloader that downloads and runs files from the Internet.
The worm also starts a backdoor on port 6777. The backdoor allows the worm’s file to be updated from the Internet.
February 11, 2006, 7:14 am | In Trojan, Virus, Worms
How to remove BlackWorm, W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi
To manually recover from infection , perform the following steps:
1. Disconnect from the Internet.
2. End the worm process.
3. Delete the worm files from your computer.
4. Delete the worm registry entry.
5. Take steps to prevent re-infection.
Disconnect from the Internet
To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.
End the worm process
Ending the worm process will help stop your computer from infecting other computers as well as resolve the crashing, rebooting, and performance degradation issues caused by the worm.
To end the worm process
1. Press CTRL+ALT+DEL once and click Task Manager.
2. Click Processes and click Image Name to sort the running processes by name.
3. Select the process scanregw.exe, and click End Process.
4. Select the process rundll16.exe, and click End Process.
Delete the worm files from your computer
After you end the worm process, delete the worm code from your computer.
To delete the worm files from your computer
1. Click Start, and click Run.
2. In the Open field, type %windir%
3. Click OK.
4. Click Name to sort files by name.
5. If the file rundll16.exe is in the list, delete it.
6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
7. Click Yes.
Repeat the steps above, but in step 2 enter %system% (the System32 folder, normally %windir%\system32) and in step 5 look for scanregw.exe.
If deleting the files fails, use the following steps to verify that rundll16.exe and scanregw.exe are not running:
1. Press CTRL+ALT+DEL once and click Task Manager.
2. Click Processes and click Image Name to sort the running processes by name.
3. Confirm that rundll16.exe and scanregw.exe are not in the list.
Delete the worm registry entry
To delete the worm registry entry
1. On the Start menu, click Run.
2. Type regedit and click OK.
3. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, right-click the value ScanRegistry (whose data is scanregw.exe /scan) and select Delete.
5. Click Yes to confirm.
6. Repeat steps 3 to 5 for the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
7. Close the Registry Editor.
Take steps to prevent re-infection
Take the following steps to help prevent infection on your system:
1. Enable a firewall on your computer.
2. Get the latest computer updates.
3. Use up-to-date antivirus software.
4. Use caution with unknown attachments.
5. Use strong passwords.
6. Remove unneeded network shares.
New IM Worm Targets AIM Users to Deliver Adware Payload
The new worm targets PC hosts already infected with lockx.exe or palsp.exe and uses IRC-enabled malware to connect the host to a server for further infection through a series of commands. One of the commands can control the AIM client on the infected host and send a message containing links to everyone on the AIM buddy list. When recipients click on the link they become infected with new variants of the IRC-enabled malware along with an installation executable, creame.exe, which delivers multiple adware payloads including Zango and 180solutions.
Users already infected with lockx.exe or palsp.exe are most at risk, but any user clicking on the wrong IM link can be infected. FaceTime has a free online scan that detects and disables files such as lockx.exe. If you’re an AIM user and notice anything unusual, I’d say head for the free scan ASAP.
January 7, 2006, 4:20 am | In Worms
Santa IM Worm
A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site they are infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed “M.GiftCom.All”, is circulating on the MSN, AOL, ICQ and Yahoo instant messaging services and is a “Medium” threat, a relatively rare classification for the Waltham, Mass.-based company; most IM worms and Trojans listed on its Threat Center receive only a “Low” classification.
Like virtually all IM worms, M.GiftCom.All includes a URL in the messages it spams out to contacts harvested from previously infected PCs. When users naively visit that site, which is billed as a harmless Santa site, a file is automatically downloaded to their computers. The file, usually named “gift.com”, includes rootkit elements that cloak it from security software. In addition, the downloaded executable tries to disable a number of anti-virus programs, adds a keylogger to the system to capture confidential information, and then spreads to others by snatching names from the user’s IM contact list.
Description: This worm broadcasts a URL over IM clients which downloads an executable file, often named gift.com. When this file is executed, it hides itself and scans the registry, file system and Internet cache. By operating as a rootkit, the process is hidden from all tools and anti-virus software. It also attempts to shut down anti-virus software and makes several network calls. It also performs keystroke logging and may attempt to propagate itself over the IM client.
After examining the malware, it was found that 69.56.129.67 is hosting it. When executed, gift.com resolves smtp.girlsontheblock.com to 38.118.133.241 and attempts connections to tcp/53; gift.com renames itself to c:\windows\winrpc.exe and sets itself up as the service “Windows RPC Services”. There is no rootkit built in; it is totally dependent on download instructions from the command-and-control site. Rather than calling it a “worm” as was reported in the press, a more accurate description is that it is a bot with replicating capabilities.
by sansblog
New AIM worm
Malware authors have just opened their own holiday season. We received a couple of reports of a new AIM worm spreading.
The worm is simple and doesn’t exploit any vulnerability; instead it relies on social engineering.
The user will receive the following AIM message:
“This AIM user has sent you a Greetings Card, to open it visit: http://greetings.aol.com/index.pd?source=christmastheme?my_christmas_card.COM”
Instead of going to AOL’s site, this link actually points to a different site (http://
This file is an SDBot variant and at the moment most popular AV programs detect it generically.
by Sans.lab
December 6, 2005, 9:47 am | In Exploits & Vulnerabilities, Worms
New Version of MYTOB Triggers a Raised Risk Alert
We just received notification that Trend Micro has raised the alert for the new MYTOB variant to Medium. Trend Micro has an excellent write-up at:
The worm appears to be memory-resident and spreads by sending a copy of itself as an attachment (account-password.zip) in an e-mail message using its own Simple Mail Transfer Protocol (SMTP) engine. It also installs malware that Trend Micro calls TROJ_MONURL.D. Trend Micro has removal instructions and more information about the malware at the link above.
Use extreme care when opening e-mail. Do not open zip files or other attachments that you are not expecting to receive or that arrive in suspicious e-mails.
November 24, 2005, 8:18 pm | In Worms
Trick or treat: AIM worm delivers backdoor, rootkit and adware
Imagine you’re chatting with friends in an AOL IM chat room one minute, you click on a seemingly innocent link, and the next minute your computer is taken over by a worm delivering an extraordinarily nasty payload. That’s precisely what happened just a few days ago. CNET news has a good breakdown on this ugly trick, originally discovered and reported by Facetime. If that wasn’t bad enough, the worm also leaves the victim with adware including 180Solutions, Zango, the Freepod Toolbar, MaxSearch, Media Gateway and SearchMiracle.
Paperghost has an interesting theory about the inclusion of adware. Victims might be so focused on removing the adware, they could easily overlook the rootkit, a scary thought. He calls it “the art of stealth, using a 16-wheel juggernaut”. Paperghost also notes that this is the first time 180solutions’ Zango has been found in a stealth installation and asks “how could this happen?” Indeed, especially since 180solutions has been touting their efforts to clean up their distribution channels. Perhaps there will be an explanation on 180’s new blog. Wayne Porter, Facetime’s senior greynet director, blogged about the story and included links to additional coverage.
November 19, 2005, 8:03 am | In Worms
MY ANTI SPYWARE Powered by WordPress with Pool theme design by Borja Fernandez.