Xnet
OS Protector is an intelligent circuit card that protects the PC system configuration and the data on the hard disk in a simple and fast way. Installation and operation are simple and can be done in minutes without involving technical staff. The form factor is a small PCI card.
The concept is simple. Instead of blacklisting (i.e. keeping track of all the new viruses and their signatures), OS Protector uses whitelisting: it keeps track of what is good, so all it needs to do is know which files are clean and protect only those.
How does it do this? Using parity bits, protection is offered at the hardware level (hence the title: hardware anti-virus). It kicks in before Windows boots, so Windows viruses will not be able to attack it. This way it is even able to protect the BIOS from being changed.
Labels: bits protection, Hardware, Virus, Worm
First OpenOffice virus emerges
22nd May 2007 Dan Warne Linux, Mac, Windows
Oh what a sweet, sweet day it must be for Microsoft. The first worm specifically targeting the open-source office package OpenOffice has emerged.
It runs on Windows, Mac and Linux computers, but anti-malware vendor Sophos admits it poses a low threat, especially as it's only a proof-of-concept that hasn't actually been discovered 'in the wild'.
The OpenOffice worm uses the inbuilt StarBasic scripting language in the office suite to save scripts to disk in several other languages.
The worm attempts to download and display an indecent JPEG image of a man wearing a bunny suit performing a sexual act in woodland.
The SB/Badbunny-A worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux:
Windows: The worm drops a file called drop.bad which is then moved to system.ini in your mIRC folder (if you have one) and also drops and executes badbunny.js which is a JavaScript virus that replicates to other files in the folder.
MacOS: The worm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb).
Linux: The worm drops badbunny.py as an XChat script and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files.
The dropped XChat and mIRC scripts are used to replicate and distribute the virus, and they initiate DCC transfers to others of the original badbunny.odg OpenOffice file.
Sophos says the worm has not been found 'in the wild' but, in an odd move, was sent to their security labs for analysis directly by the makers. The worm, which has not been reported at any customer sites, also downloads and displays a pornographic picture of a scantily clad woman with a man dressed as a rabbit.
"The group responsible for writing the BadBunny malware don't seem to have much confidence in it spreading as they have sent it directly to our labs. The hackers have written plenty of StarBasic malware in the past, but the most 'in the wild' this one is likely to get is by displaying a picture of a furvert in the woods," said Graham Cluley, senior technology consultant for Sophos.
"This is old-school malware - seemingly written to show off a proof of concept rather than a serious attempt to spy on and steal from computer users. A financially motivated hacker would have targeted more widely used software and not incorporated such a bizarre image. This is not a piece of malware which we expect to see spreading in the wild, despite its use of a photograph of unusual wildlife."
Labels: Virus
Infostealer.Banker.C
Risk Level 1: Very Low
SUMMARY
Discovered: April 2, 2007
Updated: April 2, 2007 9:02:00 AM
Type: Trojan
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Infostealer.Banker.C is a Trojan horse that may steal sensitive information from the compromised computer.
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Medium
Payload: May steal sensitive information from the compromised computer.
Distribution
Distribution Level: Low
Writeup By: Elia Florio
Labels: Microsoft, Trojan, Virus
W32/Poebot-KN Type Spyware Worm
How it spreads Network shares
Affected operating systems Windows
Side effects Allows others to access the computer; Steals information; Downloads code from the internet; Installs itself in the Registry; Exploits system or software vulnerabilities
W32/Poebot-KN is a worm for the Windows platform.
W32/Poebot-KN spreads through network shares protected by weak passwords and by exploiting common vulnerabilities including:
LSASS (MS04-011)
SRVSVC (MS06-040)
RPC-DCOM (MS04-012)
WKS (MS03-049)
Dameware (CAN-2003-1030)
PNP (MS05-039)
W32/Poebot-KN runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Poebot-KN copies itself to \spooIsv.exe.
The following registry entry is created to run spooIsv.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spooler SubSystem App
\spooIsv.exe
Labels: Microsoft, Virus, Worm
Microsoft Windows Animated Cursor Handling Vulnerability
".. any web page, email or content that can load an animated cursor can allow an attacker to take advantage of the vulnerability and run arbitrary code on the users system."
A short overview by SANS of how the different email clients are reacting to the animated cursor vulnerability.
An unofficial fix for the animated cursor vulnerability from Eeye.
Related Articles:
Microsoft confirms animated-cursor flaw: Microsoft confirmed on Thursday that an attacker could take control of a user's system by exploiting a flaw in the way the company's Windows software handles animated-cursor files.
========================================
http://secunia.com/advisories/24659/
Microsoft Windows Animated Cursor Handling Vulnerability Secunia Advisory: SA24659
Release Date: 2007-03-30
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
CVE reference: CVE-2007-0038
Description:
A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified error in the handling of animated cursors and can e.g. be exploited by tricking a user into visiting a malicious website using Internet Explorer or opening a malicious e-mail message.
Successful exploitation allows execution of arbitrary code.
NOTE: The vulnerability is currently being actively exploited.
Solution:
Do not browse untrusted sites or view untrusted e-mails.
Provided and/or discovered by:
Discovered as a 0-day.
Independently discovered by Determina Security Research.
Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/935423.mspx
http://blogs.technet.com/msrc/archive...-security-advisory-935423-posted.aspx
Determina:
http://www.determina.com/security_cen...ries/securityadvisory_0day_032907.asp
Other References:
US-CERT VU#191609:
http://www.kb.cert.org/vuls/id/191609
================================================================
Labels: Advisory, Microsoft, Virus, Vulnerability
Trojan.Optimizer.B
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
CVE References: CVE-2003-0111, CVE-2005-4560, CVE-2006-0005, CVE-2006-3866, CVE-2006-4868, CVE-2006-6121
Trojan.Linkoptimizer.B is a generic detection for a family of Trojan horse programs that download dialer components, display pop-up advertisements and attempt to prevent removal by blocking security-related applications.
It has been reported that variants of Trojan.Linkoptimizer.B may be installed by visiting several different malicious Web sites while making legitimate searches on some popular search engines.
The initial domains returned by search engines may redirect users to other .com domains with random names which host different browser exploits.
Variants of Trojan.Linkoptimizer.B are installed by exploiting browser vulnerabilities including the following:
Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (Security Focus Bugtraq ID 6221)
Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (Security Focus Bugtraq ID 16644)
Microsoft WMF Remote Code Execution Vulnerability (Security Focus Bugtraq ID 16074).
Microsoft Internet Explorer VML Remote Code Execution Vulnerability (Security Focus Bugtraq ID 20096).
Acer LunchApp.APlunch ActiveX Control Remote Code Execution Vulnerability (Security Focus Bugtraq ID 21207)
NOTE: At the time of writing, it has been reported that the installation of Trojan.Linkoptimizer.B and its variants works only for users with Italian IP addresses.
The exploits drop an executable file in the following folder:
%Temp%\[RANDOM NAME1].exe
Once executed, the variants of Trojan.Linkoptimizer.B create the following mutexes to ensure that only one copy of the threat is running on the compromised computer:
_x_mgr_
_x_hlp_
The variants may check whether a modem is installed on the compromised computer by retrieving the Remote Access devices and checking for the presence of one of the following strings, terminating if neither is found:
modem
isdn
It may create the following registry entries so that the threat will be executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[8 RANDOM LETTERS].[EXT]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\"Debugger" = "%System%\[FIXPART1][FIXPART2].exe"
NOTE: The security permissions of these keys are modified so that Administrator users will not be able to remove or change them.
The variants reportedly may create some of the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared\"sr" = "[RANDOM HEXADECIMAL VALUE]"
It may create some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\ShockPlayer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\[5 RANDOM LETTERS]
The Trojan variants attempt to resolve the following domain:
aondskwje.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The variants may try to download the following encrypted file:
[http://]196.238.242.23/view/logo[REMOVED]
csr
ctf
drv
dsk
hlp
lsa
man
mod
mon
net
sql
srv
svc
sys
tsk
upd
win
While copying itself into the %System% folder, the variant appends a variable amount of random data to itself and patches the security permissions of the file. It then locks the file so that the malicious file cannot be accessed, deleted or renamed.
If the operating system is Windows XP, 2000 or 2003, the variants may start the Task Scheduler service and add the following task in order to run when Windows starts:
Run: %System%\[FIXED_STRING][5 RANDOM LETTERS].exe
Run as: NT AUTHORITY\System
Schedule: At System Startup
The task is saved in the following file and has the security permissions set to prevent removal.
%Windir%\Tasks\[5 RANDOM LETTERS].job
Next, the Trojan variants attempt to resolve one of the following domains:
itqoipyqsq.com
addwjf6zoy.com
c5ehm8fp.com
NOTE: The numeric IP address obtained from the DNS server is invalid. The address is decrypted and converted to a different IP address value depending on the variant.
The Trojan variant tries to download the following encrypted file:
[http://]85.255.115.133/styles/deskt[REMOVED]
NOTE: At the time of writing the file is downloaded only if the compromised machine has an Italian IP address. It has been observed that non-Italian IP addresses get a 500 error message from the remote Web server.
The downloaded file may install multiple dialer components that will dial high-cost numbers.
The Trojan.Linkoptimizer.B variant checks for the presence of debuggers or monitoring tools. It will not run on computers running in a VMware environment or with any of the following drivers active:
SIWVIDSTART - Numega SoftICE Debugger
FILEMON - Sysinternals Filemon
REGMON - Sysinternals Regmon
PROCMON - Sysinternals Procmon
It may inject a thread into EXPLORER.EXE that attempts to terminate any program with the following text in its window title:
antidialer
avenger
avz antiviral
catchme
ccleaner
dumphive
gmer
hardware upgrade forum
hijackthis
listdlls
p2p forum italia
pjf(ustc)
restore ssdt
runalyzer
silent runners
suspectfile
swreg
Systemscan
unhook selected
unlockerassistant
It may create a copy of itself with one of the following names:
%System%\[8 RANDOM LETTERS].[EXT]
%System%\[FIXPART1][FIXPART2].exe
[EXT] is one of the following strings:
bak
dat
log
old
tmp
txt
ver
[FIXPART1] is one of the following strings:
admin
auto
boot
cfg
chat
defrag
demo
dump
edit
key
note
office
power
reg
run
set
sys
sys32
System
task
video
win
win32
[FIXPART2] is one of the following strings:
audit
backup
cache
check
clean
config
control
debug
event
find
info
init
load
lookup
mode
notify
setup
stat
tray
viewer
wizard
Variants of Trojan.Linkoptimizer.B have XML configuration data that can be updated from a remote site and allows the variant to download or install multiple dialer components. The configuration data that can be updated includes high cost numbers to dial with the following prefixes:
899
00881
The variant will also use the updated configuration data to contact one of the following URLs:
[http://]www.webcont.net/CONTENTS/adul[REMOVED]
[http://]www.keycont.net/CONTENTS/audl[REMOVED]
Updated configuration data will also include valid account information for the URLs dialed.
Writeup By: Elia Florio
Labels: Microsoft, Trojan, Virus
Name ELF/Loathe-A
Type Virus
How it spreads: Infected files
ELF/Loathe-A is an overwriting virus for the AROS platform.
ELF/Loathe-A overwrites files in the current folder with itself.
The virus displays the following message:
Infected by AROS.Libido by [WarGame/doomriderz]
Labels: Virus
Name Troj/DwnLdr-GSP
Type Trojan
Affected operating systems Windows
Side effects Downloads code from the internet
Aliases Trojan-Downloader.Win32.Small.bur
Troj/DwnLdr-GSP is a Trojan for the Windows platform.
Troj/DwnLdr-GSP includes functionality to communicate with a remote server via HTTP.
When Troj/DwnLdr-GSP is executed, it downloads and creates the file \mensagem.exe. This file is not available at the time of writing.
Labels: Microsoft, Trojan, Virus
W32.Zhosu@mm
Risk Level 1: Very Low
Discovered: March 20, 2007
Updated: March 21, 2007 4:02:06 AM
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Zhosu@mm is a worm that spreads by sending itself to email addresses that it finds in the Windows Address Book.
Symantec Security Response is currently investigating this threat and will post more information as it becomes available.
Threat Assessment
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
Writeup By: Chen Yu
Labels: Microsoft, Virus, Worm
Name Troj/Singu-AQ
Type Spyware Trojan
Affected operating systems Windows
Side effects Steals information, Records keystrokes, Installs itself in the Registry, Installs a browser helper object
Troj/Singu-AQ is a password-stealing Trojan for the Windows platform.
When first run, Troj/Singu-AQ copies itself to \gdien32.exe and creates the following files:
\lmrtend.dll
\shlapi.dll
lmrtend.dll is also detected as Troj/Singu-AQ
shlapi.dll contains logged keypresses
The Trojan creates the following registry entries in order to be run automatically:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
gdien32
\gdien32.exe
lmrtend.dll is installed as a BHO (browser helper object).
Labels: Anti-Virus, Microsoft, Virus
More and more businesses are experimenting with Bluetooth advertisements. In doing so they are doing consumers a disservice - because it is almost impossible to tell where a Bluetooth message comes from, they are smoothing the way for the distribution of mobile viruses.
In the age of fast mobile communication, marketing is also becoming ever more flexible, so it comes as no surprise that advertisers are attempting to make use of Bluetooth. After all, Bluetooth opens up new ways of sending advertising messages to mobile phones and PDAs. These adverts can include images, videos, java games or applications, which can be transmitted to passers-by at trade shows, exhibitions, airports and stations or in the vicinity of restaurants or shopping centres.
Full story here.
Labels: News Article, Symbian, Virus
Malware type: JavaScript
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: High
Malware Overview
This malicious JavaScript is usually embedded in a malicious Web site and is run on a system when a user visits the said Web site. It may also arrive on a system as an attachment to a mass-mailed email message.
Upon execution, it decodes and drops a file detected by Trend Micro as WORM_FEEBS.OV. As a result, routines of the related worm may be exhibited on the affected system.
It also displays a fake loading page that displays the following message:
Error while decrypting file
Solution:
(Note: Close all instances of Internet Explorer before proceeding with the solution below.)
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Running Trend Micro Antivirus
If you are currently running in safe mode, please restart your computer normally before performing the following solution.
Scan your computer with Trend Micro antivirus and delete files detected as JS_FEEBS.JM and WORM_FEEBS.OV. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
Labels: http, Microsoft, Virus
Win32/Nirbot Family
Threat Assessment
Overall Risk: Low
Wild: Low
Destructiveness: Medium
Pervasiveness: Medium
Characteristics
Type: Worm
Category: Win32
Also known as
W32/Delbot (Sophos), W32.Rinbot (Symantec), Backdoor.Win32.VanBot (Kaspersky)
Description Win32/Nirbot is a family of IRC-controlled backdoors that can be used to gain unauthorized access to a victim's machine. They can also exhibit worm-like functionality by exploiting many different software vulnerabilities, including SYM06-010 and MS06-040.
Method of Infection When executed, Win32/Nirbot copies itself to the %System% directory using filenames such as:
arman.exe
atievx.exe
crcss.exe
lemsrv.exe
msync.exe
navscnr.exe
netadp.exe
prevx.exe
rinsv.exe
symmec.exe
It then makes the following registry modification to ensure this copy is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
= ""
where differs depending on the variant, for example:
ATI Active Graphics Card Monitor
JW Manager
LEMSRV
Network Bridge
Random Interface Network Manager
Symmetrical Network
Syncronization
Nirbot continuously checks for and sets the above registry entry.
The worm also creates a mutex to avoid running multiple instances of itself.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
Method of Distribution
Via Exploit
Win32/Nirbot spreads by exploiting a number of vulnerabilities in Windows operating systems and third party applications. Nirbot's spreading routine starts with scanning for vulnerable target machines. The worm can generate random values for all or part of each IP address it targets.
Nirbot variants can spread by exploiting the following vulnerabilities:
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (SYM06-010)
The worm opens a configurable port on the compromised machine and runs a TFTP server. The worm probes remote machines on port 2967 to determine if they are prone to the SYM06-010 vulnerability. If successful, the worm executes a small amount of code on the target machine that instructs it to connect back to the running TFTP server and retrieve a copy of the worm.
For more information on this vulnerability, please visit the following:
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2630
Microsoft Windows Server service buffer overflow vulnerability (TCP port 139)
The worm creates an HTTP server on the system on a random port. The worm also checks if the IP address of the local machine partially matches a list of IPs contained in its code, for example:
192.168.*.*
10.*.*.*
111.*.*.*
15.*.*.*
16.*.*.*
101.*.*.*
110.*.*.*
112.*.*.*
170.65.*.*
If the IP does not match, the worm instructs the machine vulnerable to this exploit to connect back to the HTTP server running on the system and retrieve a copy of the worm. If the IPs do match, the worm executes a small amount of code on the targeted machine that instructs it to download a copy of the worm from a specific domain. The following is a list of domains and IPs that Nirbot variants have been observed to download from:
66.29.116.82
58.20.109.39
digiflex.info
t3arj3rk.com
sw1tchbck.net
pennysheet.com
jimmybuttons.com
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34486
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
If the worm finds a machine vulnerable to this exploit, it executes a small amount of code on the targeted machine that instructs it to retrieve a copy of the worm. This is also done through a TFTP server the worm creates on the compromised system on a configurable port.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
If Win32/Nirbot finds an exploitable machine, it attempts to log into SQL server accounts 'sa', 'root' and 'admin'. It attempts to authenticate these accounts using several passwords stored in its code. If the worm successfully logs into an account, it sends code to the remote machine instructing it to retrieve a copy of itself.
For more information on this vulnerability, please visit the following:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
Payload: Backdoor Functionality
Nirbot is an IRC-controlled backdoor. Variants of the worm usually attempt to connect to between two and four IRC servers before joining a specific channel. The following is a list of some known IRC servers Nirbot variants have attempted to connect to (generally on port 8080, although this differs between variants):
crusade.godhatesfags.com
is.wayne.brady.gonna.have.to.chokeabitch.us
lol.godhatesfags.com
phatcamp.org
x.anti-viral.us
x.pennysheet.com
x.rofflewaffles.us
When the worm connects to one of these servers and joins a channel, it then has control of the compromised machine. Once the victim's computer is under control, the overseer is able to instruct Nirbot to attempt to perform malicious operations such as spreading.
Via its backdoor, the trojan can also be instructed to:
- Retrieve system information such as operating system details
- Download and execute files from the Internet
- Run a SOCKS proxy on the affected host
- Perform a Denial of Service attack
- Execute commands on the affected host
- Update itself
- Remove itself
- Steal CD keys
Downloads and Executes Arbitrary Files
When first run, some Nirbot variants download and execute a file. The file is downloaded from a specific domain and is usually executed from the C:\ directory. Downloaded files are usually Win32/Amahkey trojan variants - for example, Win32/Amahkey.F.
Analysis by Amir Fouda
Labels: Anti-Virus, Microsoft, Virus, Worm
Troj/IMspam-B is a Trojan for the Windows platform.
Name Troj/IMspam-B
Type Trojan
Affected operating systems Windows
Side effects Forges the sender's email address. Uses its own emailing engine. Downloads code from the internet
Troj/IMspam-B is a mass spamming tool that targets MSN Messenger, Windows Live Messenger, AOL Instant Messenger and email addresses.
When run Troj/IMspam-B closes all other instances of itself and removes all EXEs in the root folder of the C drive.
Sample text appears as:
"Heeey i saw a pic of u online HAHAHA check
"
At the time of writing, the EXE downloaded from the malicious link is detected as W32/Delbot-U.
Labels: Anti-Virus, Microsoft, Trojan, Virus
Name Troj/DownLdr-QP
Type Trojan
Affected operating systems Windows
Side effects Downloads code from the internet
Aliases Trojan-Downloader.Win32.Delf.yj
Troj/DownLdr-QP includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/DownLdr-QP copies itself to:
\niw.exe
\impai.exe
and creates the following files:
\Content.IE5\89irkl2n\cd321[1].htm
\Content.IE5\od6fwfox\677977[1].htm
These files may be deleted.
Labels: Microsoft, Virus
Brian Krebs on Computer Security
Online Anti-Virus Scans: A Free Second Opinion
Periodic online virus scanning is a good idea for Windows users, even for people already using up-to-date anti-virus tools. There are a couple of reasons I suggest this: First, anti-virus software is frequently slow to spot new threats. Take a gander at the daily "unrecognized" stats posted by Shadowserver.org, which tracks the performance (or lack thereof) of several popular tools in spotting new variants. That list currently examines the performance of several free programs, but the reality is not much different with the commercial tools. Just have a look at performance metrics and virus detection failure rates chronicled here (virustotal.com) and here.
The second reason follows from the first: If something nasty does make it past your security defenses, usually the first thing it will try to do is disable the active protection and update features in those tools. In such cases, you probably would not know about the infection unless you turned to a third-party program that is not already installed on your computer.
In my experience, two of the better free online anti-virus scanners are Panda Software's PandaScan and Kaspersky Lab's Free Virus Scan. Both require that you run the scans using Internet Explorer, as both require the installation of an ActiveX plug-in to do the job.
F-Secure Corp., CA and BitDefender also offer free online scanners that also use IE and ActiveX, but I haven't yet tried those so I can't offer an opinion on them.
TrendMicro's HouseCall service lets you install and run a free scanning tool from inside an IE or Firefox browser. However, I found the program both annoying -- it emitted a series of very loud and startling tones through my computer speakers while downloading virus definitions -- and ineffective. It crashed halfway through the scan, taking all of my other open Firefox windows with it, including an earlier, unsaved version of this blog post. (I had hoped Firefox 2.0's crash-recovery feature would save what I had typed as it had in previous crashes, but no such luck this time.)
If you have just a single file or archive that you'd like to scan, I'd suggest submitting it to VirusTotal, a free online anti-virus engine that will scan your submission against more than two dozen of the most well-known tools.
Depending on the speed of your PC and the number of files and hard drives you have, conducting an online scan can take between a few minutes to several hours to complete. It's not a bad idea to run the scan only when you can afford to be away from the PC for a few hours, or perhaps right before bedtime. Even on my test machine -- which sports a 2.2 GHz processor and 2 gigabytes of memory -- running several of the online scanners interfered with the simplest of tasks, such as composing an e-mail.
Labels: Microsoft, Virus
Kaspersky AntiVirus UPX File Decompression DoS Vulnerability
I. BACKGROUND
Kaspersky Antivirus is a popular client and gateway virus scanner for Unix and Windows. UPX, the ultimate packer for executables, is a method for compressing executable files to reduce their size on disk. For more information, visit the vendor's site at the following URL.
http://www.kaspersky.com/
II. DESCRIPTION
Remote exploitation of a denial of service (DoS) vulnerability in Kaspersky Lab's Antivirus could allow an attacker to conduct a DoS attack on a targeted host.
The antivirus engine is vulnerable to a DoS condition when processing an executable packed with UPX compression. Malformed compressed data causes the decompression routine to enter an infinite loop. Specifically, a negative data offset results in the same compressed data chunk being processed endlessly.
III. ANALYSIS
Exploitation allows an attacker to conduct a DoS attack.
If this attack is conducted against an e-mail gateway running Kaspersky, legitimate clients may be unable to send e-mail through the server.
The infinite loop being executed consists of a short sequence of instructions, which results in maximum CPU usage. On a client desktop, the infinite loop will render the machine nearly unusable. On a server, it severely degrades the quality of service of other applications running.
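The failure mode described in sections II and III, as an added example that is not iDefense's or Kaspersky's code: a toy chunk walker over a constructed stream format (not the real UPX layout) that applies a signed next-chunk offset as-is and so revisits the same chunk forever, beside a hardened walker that requires every offset to move strictly forward inside the buffer. The step budget in the unchecked walker exists only so the demo returns instead of pegging the CPU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy chunk format for this demo (not the real UPX layout).
 * A chunk starting at offset p is laid out as:
 *   in[p]             payload length n (0..255)
 *   in[p+1 .. p+n]    payload bytes
 *   in[p+n+1, p+n+2]  int16 little-endian "skip": distance from p to the
 *                     start of the next chunk; 0 means end of stream.
 */
#define DECODE_MALFORMED   (-1L)  /* input refused */
#define DECODE_LOOP_BUDGET (-2L)  /* unchecked walker never reached the end */

static int16_t read_i16le(const uint8_t *p)
{
    return (int16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

/* Parses the chunk header at pos. Returns 1 and fills n/skip if the whole
 * chunk (header, payload, skip field) lies inside the buffer, else 0. */
static int chunk_at(const uint8_t *in, size_t in_len, size_t pos,
                    size_t *n, int16_t *skip)
{
    if (pos >= in_len) return 0;
    size_t len = in[pos];
    if (pos + len + 3 > in_len) return 0;
    *n = len;
    *skip = read_i16le(in + pos + 1 + len);
    return 1;
}

/* Mirrors the defect in the advisory: the signed skip is applied as-is, so a
 * negative skip jumps back to an earlier chunk and the walk never finishes.
 * Reads are bounds-checked (the demo is memory-safe); max_steps only exists
 * so the demo returns instead of spinning at 100% CPU like the real engine. */
long decode_unchecked(const uint8_t *in, size_t in_len,
                      uint8_t *out, size_t out_cap, unsigned max_steps)
{
    size_t pos = 0, written = 0;
    for (unsigned step = 0; step < max_steps; step++) {
        size_t n; int16_t skip;
        if (!chunk_at(in, in_len, pos, &n, &skip)) return DECODE_MALFORMED;
        if (written + n > out_cap) return DECODE_MALFORMED;
        memcpy(out + written, in + pos + 1, n);
        written += n;
        if (skip == 0) return (long)written;
        pos = (size_t)((ptrdiff_t)pos + skip);   /* no direction check */
    }
    return DECODE_LOOP_BUDGET;
}

/* Hardened walk: the next chunk must start at or after the end of the
 * current one, so pos is strictly increasing and bounded by in_len. The loop
 * therefore terminates for every input without any step budget. */
long decode_checked(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_cap)
{
    size_t pos = 0, written = 0;
    for (;;) {
        size_t n; int16_t skip;
        if (!chunk_at(in, in_len, pos, &n, &skip)) return DECODE_MALFORMED;
        if (written + n > out_cap) return DECODE_MALFORMED;
        memcpy(out + written, in + pos + 1, n);
        written += n;
        if (skip == 0) return (long)written;
        if (skip < 0 || (size_t)skip < n + 3) return DECODE_MALFORMED;
        pos += (size_t)skip;                      /* guaranteed progress */
    }
}

/* Constructed sample streams. */
static const uint8_t GOOD_STREAM[] = {
    2, 'h', 'i', 5, 0,             /* chunk @0: "hi", next chunk at +5 */
    3, 'a', 'b', 'c', 0, 0         /* chunk @5: "abc", skip 0 = end */
};
static const uint8_t CYCLIC_STREAM[] = {
    2, 'h', 'i', 5, 0,             /* chunk @0: "hi", next chunk at +5 */
    3, 'a', 'b', 'c', 0xFB, 0xFF   /* chunk @5: "abc", skip -5 -> back to @0 */
};
static const uint8_t TRUNCATED_STREAM[] = {
    2, 'h', 'i', 9, 0              /* chunk @0: next chunk claimed past the end */
};

long demo_good_checked(void)
{ uint8_t out[64]; return decode_checked(GOOD_STREAM, sizeof GOOD_STREAM, out, sizeof out); }
int demo_good_output_matches(void)
{
    uint8_t out[64];
    long n = decode_checked(GOOD_STREAM, sizeof GOOD_STREAM, out, sizeof out);
    return n == 5 && memcmp(out, "hiabc", 5) == 0;
}
long demo_cyclic_unchecked(void)
{ uint8_t out[1024]; return decode_unchecked(CYCLIC_STREAM, sizeof CYCLIC_STREAM, out, sizeof out, 100); }
long demo_cyclic_checked(void)
{ uint8_t out[64]; return decode_checked(CYCLIC_STREAM, sizeof CYCLIC_STREAM, out, sizeof out); }
long demo_truncated_checked(void)
{ uint8_t out[64]; return decode_checked(TRUNCATED_STREAM, sizeof TRUNCATED_STREAM, out, sizeof out); }

int main(void)
{
    printf("good/checked=%ld cyclic/unchecked=%ld cyclic/checked=%ld truncated/checked=%ld\n",
           demo_good_checked(), demo_cyclic_unchecked(), demo_cyclic_checked(),
           demo_truncated_checked());
    return 0;
}
```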
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Kaspersky Labs Antivirus Engine version 6.0.1.411 for Windows and 5.5-10 for Linux. Previous versions may also be affected. Any products that use the scanning engine are also affected, which includes the Kaspersky e-mail gateway scanner.
V. WORKAROUND
iDefense is currently unaware of any workarounds for this issue.
VI. VENDOR RESPONSE
Kaspersky Lab reports that it has fixed this vulnerability as of February 7th, 2007. In addition, they stated the following.
"There is no need to download any special patches. All installed Kaspersky Lab products are updated automatically through the regular signature-update functionality. There is no need to contact Kaspersky Lab to obtain this fix."
VII. CVE INFORMATION
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
VIII. DISCLOSURE TIMELINE
01/24/2007 Initial vendor notification
03/01/2007 Initial vendor response
03/02/2007 Coordinated public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Labels: Advisory, Anti-Virus, Microsoft, Virus, Vulnerability
W32/Rbot-GHF
Spyware Worm
W32/Rbot-GHF is a network worm with IRC backdoor functionality for the Windows platform.
When first run W32/Rbot-GHF copies itself to \msnmsgsr.exe and creates the file \a.bat.
The file a.bat is detected as Troj/Batten-A.
Labels: Microsoft, Virus
[This article blames IT security for not updating their Symantec AV, but the basic problem is that MS Windows is insecure - Ed.]
===============================================================================
Turner Broadcasting System, a division of Time Warner and parent of news giant CNN, was hit by a malicious bot program on Thursday, CNNMoney.com reported.
The pest--dubbed Delbot or Rinbot by antivirus companies Sophos and Symantec, respectively--spreads through several holes in Microsoft code as well as a known flaw in Symantec's antivirus software.
When installed on a PC, Rinbot opens a back door in the system and connects to an Internet Relay Chat server to let the remote attacker control the compromised computer, according to a description of the Delbot Virus on the Sophos Web site.
Full story
=================================================================================
From the Sophos site:
W32/Delbot-I is an IRC worm with backdoor functionality which allows a remote intruder to gain access and control over the computer.
W32/Delbot-I spreads to other network computers by scanning network shares for weak passwords and by exploiting common buffer overflow vulnerabilities, including Symantec (SYM06-010).
When first run W32/Delbot-I copies itself to \resvs.exe.
The following registry entry is created to run resvs.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Service = System\resvs.exe
Labels: Microsoft, Virus, Vulnerability
Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities February 20, 2007
CVE ID: CVE-2007-1070
Affected Vendor: Trend Micro
Affected Products:
ServerProtect for Windows 5.58
ServerProtect for EMC 5.58
ServerProtect for Network Appliance Filer 5.61
ServerProtect for Network Appliance Filer 5.62
TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since January 16, 2007 by a pre-existing Digital Vaccine protection filter ID 5101. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
Vulnerability Details: These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Trend Micro ServerProtect. Authentication is not required to exploit these vulnerabilities.
The specific flaws exist within the StCommon.dll library and are reachable remotely through a DCE/RPC endpoint on TCP port 5168 bound to by the service SpntSvc.exe. The RPC endpoint is exposed from TmRpcSrv.dll with the following IDL stub information:
// opcode: 0x00, address: 0x65741030
// uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
// version: 1.0
error_status_t rpc_opnum_0 (
[in] handle_t arg_1,
[in] long trend_req_num,
[in][size_is(arg_4)] byte overflow_str[],
[in] long arg_4,
[out][size_is(arg_6)] byte arg_5[],
[in] long arg_6
);
The upper half of the 'trend_req_num' DWORD RPC argument from above is used within TmRpcSrv.dll as an index into a call table. It must specifically be 0x0003 which results in a call to StRpcSrv.65671000(). The original arguments to the RPC endpoint are then passed to this called routine:
657416E6 mov eax, opnum0_call_table[eax*4]
657416ED test eax, eax
657416EF jnz short loc_65741707
...
65741707 loc_65741707:
65741707 mov [ebp+var_4], 0
6574170E mov edx, [ebp+sizeof_arg5]
65741711 push edx
65741712 mov edx, [ebp+arg5_array]
65741715 push edx
65741716 mov edx, [ebp+sizeof_overflow_str]
65741719 push edx
6574171A mov edx, [ebp+overflow_str]
6574171D push edx
6574171E push ecx ; trend_req_num
6574171F call eax ; call handler
The lower half of the 'trend_req_num' DWORD RPC argument is then used within StRpcSrv.dll as an index into a second call table. The value of this lower half controls the code flow to the following vulnerabilities and is hereafter referred to as the 'subcode'.
Vulnerability One
A subcode value of 0x0004 results in a call to ENG_SetRealTimeScanConfigInfo() which subsequently calls through Eng50.61181940() -> Eng50.611819E0() -> Eng50.61190F60() and can result in a stack overflow due to an unbounded widechar string copy into a ~600 byte stack-based buffer as shown in the following relevant excerpt:
61190FC7 lea edx, [esp+288h+szShortPath]
61190FCB push esi
61190FCC push edx
61190FCD call _wcscpy
Vulnerability Two
A subcode value of 0x0047 results in a call to ENG_SendEMail() which can result in a stack overflow due to an unbounded widechar string copy into a ~2k stack-based buffer as shown in the following relevant excerpt:
6118A161 mov esi, [esp+780h+arg_0]
6118A168 lea eax, [esp+780h+var_778]
6118A16C push esi
6118A16D push eax
6118A16E call _wcscpy
The resulting stack overflows can be leveraged to execute arbitrary code under the privileges of the SYSTEM user.
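Both vulnerabilities are the same pattern: a wide string arrives with a declared `size_is()` length, and the handler hands it to `wcscpy` into a fixed stack buffer without consulting that length. The C program below is an added example, not Trend Micro's code or the vendor's fix; it models `szShortPath` as a 300-element buffer (the ~600-byte stack buffer of Vulnerability One, using `wchar_t` for portability) and contrasts the unchecked copy with a handler that validates the declared length and bounds the copy by it. The names `rpc_blob_t`, `set_scan_path_unchecked`, `set_scan_path_checked` and the sample inputs are this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Models the ~600-byte szShortPath buffer: 300 UTF-16 units on Windows.
 * wchar_t is used here for portability; the bound logic is the point. */
#define PATH_CAP 300

/* Models opcode 0's argument pair: the byte array (overflow_str) and its
 * declared size_is() length in bytes (arg_4). Constructed type. */
typedef struct {
    const wchar_t *data;
    size_t nbytes;
} rpc_blob_t;

/* Vulnerable pattern from the excerpts: the declared length is ignored and
 * wcscpy copies until it finds a NUL, however far past the buffer that is. */
int set_scan_path_unchecked(const rpc_blob_t *in)
{
    wchar_t szShortPath[PATH_CAP];
    wcscpy(szShortPath, in->data);              /* no bound, no NUL guarantee */
    return (int)wcslen(szShortPath);
}

/* Predicts, without executing the overflow, whether the unchecked copy
 * would run past szShortPath for this input. */
int unchecked_would_overflow(const rpc_blob_t *in)
{
    return wcslen(in->data) + 1 > PATH_CAP;
}

/* Hardened form: the declared length must be whole wide chars and leave room
 * for the terminator, and it bounds the copy regardless of where (or whether)
 * the peer placed a NUL. Oversize input is rejected rather than truncated, so
 * a silently shortened path can never be installed as configuration. */
int set_scan_path_checked(const rpc_blob_t *in, wchar_t *out, size_t out_cap)
{
    if (in->data == NULL || out_cap == 0)
        return -1;
    if (in->nbytes % sizeof(wchar_t) != 0)
        return -1;                                  /* malformed length */
    size_t nchars = in->nbytes / sizeof(wchar_t);
    if (nchars >= out_cap)
        return -1;                                  /* would not fit with NUL */
    size_t n = 0;
    while (n < nchars && in->data[n] != L'\0')      /* length-limited scan */
        n++;
    memcpy(out, in->data, n * sizeof(wchar_t));
    out[n] = L'\0';
    return (int)n;
}

/* Constructed inputs: a plausible short path and a 1000-char run of 'A'. */
static wchar_t g_long[1001];

rpc_blob_t make_blob(const wchar_t *s)
{
    rpc_blob_t b = { s, wcslen(s) * sizeof(wchar_t) };
    return b;
}

rpc_blob_t make_long_blob(void)
{
    for (size_t i = 0; i < 1000; i++)
        g_long[i] = L'A';
    g_long[1000] = L'\0';
    return make_blob(g_long);
}

/* Runs the hardened handler on either sample; returns copied length or -1. */
int demo_checked(int oversize)
{
    wchar_t out[PATH_CAP];
    rpc_blob_t in = oversize ? make_long_blob() : make_blob(L"C:\\Scans\\Inbox");
    return set_scan_path_checked(&in, out, PATH_CAP);
}

/* Only the short sample is fed to the unchecked handler; the long one would
 * corrupt the stack, which is exactly the advisory's point. */
int demo_unchecked_short(void)
{
    rpc_blob_t in = make_blob(L"C:\\Scans\\Inbox");
    return set_scan_path_unchecked(&in);
}

int demo_unchecked_long_would_overflow(void)
{
    rpc_blob_t in = make_long_blob();
    return unchecked_would_overflow(&in);
}

int main(void)
{
    printf("checked: short=%d long=%d\n", demo_checked(0), demo_checked(1));
    printf("unchecked: short=%d, long would overflow=%d\n",
           demo_unchecked_short(), demo_unchecked_long_would_overflow());
    return 0;
}
```

The hardened handler accepts the 14-character sample path and rejects the 1000-character one, whereas the unchecked handler would have written roughly 2000 bytes into a 600-byte frame. The same check applies to Vulnerability Two's ~2k buffer in `ENG_SendEMail()`; only the capacity changes. Note that the length to trust is the RPC-marshalled `size_is` count, which the runtime has already bounded to the received payload, never a terminator found by scanning.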
Vendor Response:
Trend Micro has issued an update to correct this vulnerability. More details can be found at:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290
Disclosure Timeline:
2007.01.16 Digital Vaccine released to TippingPoint customers
2007.02.01 Vulnerability reported to vendor
2007.02.20 Coordinated public release of advisory
Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team.
Labels: Anti-Virus, Microsoft, Virus, Vulnerability
Discovered: January 17, 2006
Updated: February 13, 2007 12:50:39 PM
Also Known As: CME-24, Win32.Blackmal.F [Computer Ass, Email-Worm.Win32.Nyxem.e [F-Se, Email-Worm.Win32.Nyxem.e [Kasp, W32/MyWife.d@MM [McAfee], W32/MyWife.d@MM!M24 [McAfee], Win32/Mywife.E@mm [Microsoft], W32/Small.KI@mm [Norman], Tearec.A [Panda Software], W32/Nyxem-D [Sophos], WORM_GREW.{A, B} [Trend Micro]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Blackmal.E@mm is a mass-mailing worm that attempts to spread through network shares and lower security settings. On the third day of every month it attempts to rewrite files with certain extensions with custom text.
High level detection - Here are some symptoms that may help determine the presence of W32.Blackmal.E@mm.
Symptom: Uses its own SMTP engine to send an email with a copy of itself as an attachment.
Check: Look for non-mail server machines sending port 25 traffic.
Symptom: Enumerates the computers in the same domain as the host computer by using WNetOpenEnum. The worm then executes the command "net use \\[COMPUTER NAME] /user:administrator """ to connect to that computer. However, if the user on the compromised computer is already connected to some other network computer, the worm will be able to use that connection.
Check: Look for locked user accounts due to brute password attacks.
Symptom: Attempts to access the following URL: [http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247
Check: Look for any computer that accessed this website. Isolate and use the repair tool or scan with updated defs.
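Two of the checks above (port 25 traffic from hosts that are not mail servers, and any host fetching the Count.cgi URL) can be run over firewall or proxy logs. The C program below is an added example, not Symantec's tooling: it scans a handful of constructed key=value log lines (not any real product's format), with a constructed allowlist of sanctioned mail relays, and flags each line with the symptom it matches. The path between the host name and Count.cgi is written as PATH-REMOVED because the advisory redacts it; the match is on the host and the `df=765247` query string only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FLAG_SMTP_FROM_NON_MAIL_HOST 1
#define FLAG_BLACKMAL_COUNTER_URL    2

/* Constructed sample log lines. 10.1.0.5 is the site's only sanctioned
 * mail relay; 10.1.4.22 plays an infected workstation. */
static const char *SAMPLE_LOG[] = {
    "2007-02-03 09:12:01 src=10.1.0.5 dst=203.0.113.7 dport=25 proto=tcp",
    "2007-02-03 09:12:04 src=10.1.4.22 dst=203.0.113.9 dport=25 proto=tcp",
    "2007-02-03 09:12:09 src=10.1.4.22 dst=203.0.113.10 dport=25 proto=tcp",
    "2007-02-03 09:13:40 src=10.1.4.22 dst=198.51.100.3 dport=80 "
        "url=http://webstats.web.rcn.net/PATH-REMOVED/Count.cgi?df=765247",
    "2007-02-03 09:14:02 src=10.1.7.8 dst=198.51.100.20 dport=80 "
        "url=http://example.com/index.html",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Constructed allowlist: hosts that are expected to speak SMTP outbound. */
static const char *MAIL_SERVERS[] = { "10.1.0.5" };

/* Copies the value of 'key' (up to the next space) into out; 0 if absent. */
static int get_field(const char *line, const char *key, char *out, size_t cap)
{
    const char *p = strstr(line, key);
    if (p == NULL)
        return 0;
    p += strlen(key);
    size_t n = strcspn(p, " ");
    if (n >= cap)
        n = cap - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

static int is_mail_server(const char *ip)
{
    for (size_t i = 0; i < sizeof MAIL_SERVERS / sizeof MAIL_SERVERS[0]; i++)
        if (strcmp(ip, MAIL_SERVERS[i]) == 0)
            return 1;
    return 0;
}

/* Returns a bitmask of the Blackmal symptoms this line matches. */
int classify(const char *line)
{
    char src[64], dport[16], url[512];
    int flags = 0;

    if (get_field(line, "src=", src, sizeof src) &&
        get_field(line, "dport=", dport, sizeof dport) &&
        atoi(dport) == 25 && !is_mail_server(src))
        flags |= FLAG_SMTP_FROM_NON_MAIL_HOST;

    if (get_field(line, "url=", url, sizeof url) &&
        strstr(url, "webstats.web.rcn.net/") != NULL &&
        strstr(url, "Count.cgi?df=765247") != NULL)
        flags |= FLAG_BLACKMAL_COUNTER_URL;

    return flags;
}

/* Counts sample lines matching 'flag' and prints the source host of each,
 * which is the list of machines to isolate and scan with updated defs. */
int scan_sample(int flag)
{
    int hits = 0;
    char src[64];
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++) {
        if (classify(SAMPLE_LOG[i]) & flag) {
            get_field(SAMPLE_LOG[i], "src=", src, sizeof src);
            printf("flag %d: %s\n", flag, src);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    printf("unexpected SMTP sources: %d line(s)\n", scan_sample(FLAG_SMTP_FROM_NON_MAIL_HOST));
    printf("counter URL fetches:     %d line(s)\n", scan_sample(FLAG_BLACKMAL_COUNTER_URL));
    return 0;
}
```

On the sample, the mail relay's own port 25 connection is not flagged, the workstation's two SMTP connections and its Count.cgi fetch are. In a real deployment the allowlist is the only site-specific part; the rest is a plain substring rule that any log pipeline can express.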
Labels: Microsoft, Virus