Software: [Sticky] Virus Warning Updates

I cleaned up most of the advertising fluff from this one.

Madrid, January 18, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) the Bagle.HX worm was responsible for most infections over the last week. Two strains of adware, Comet and Starware, come next in the ranking of the most active malware.

Top 10 TotalScan:

1 W32/Bagle.HX.worm
2 Adware/Comet
3 Adware/Starware
4 Adware/VideoAddon
5 W32/Bagle.QV.worm
6 Spyware/Virtumonde
7 Trj/Downloader.RZC
8 Adware/Lop
9 Trj/Rebooter.J
10 Adware/NaviPromo

Regarding new strains of malware that have appeared, the weekly report from PandaLabs looks at the MSNworm.BU and P2PShared.C worms.

MSNworm.BU spreads through MSN Messenger by sending a message with an attached compressed file to all the infected user's contacts. If any of these extract and run the file they will be infected. The messages have text similar to the following: "I cant remember anything from this picture", "is this you?", etc.

This worm connects to a web page, from which it downloads another malicious file. It also creates a key in the Windows Registry to ensure it is run every time the session is started up.

P2PShared.C reaches computers with an icon of two tools. When run, it shows an error message. To spread, it is copied to P2P directories with names such as "Windows Vista x86 MultiLang AutoPatcher.rar" or "MSN Messenger 8 Fully Patched for XP Sp2 and ViSTA.rar".

I think it's invaluable, If you know what you're likely to invite in! Thanks again Ivan, your efforts are very much appreciated.

Cool! Oh man, now i feel the pressure. Subscribers.

Hmm, I don't think I would get very far charging for someone else's content.

Yeah, I know. Hence the ras. Don't mind me, I am just in an ornery mood this morning.

Madrid, January 25, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 22.86% of protected computers were infected by some type of malware.

As for the most harmful codes this week, the list is headed by the Virtumonde spyware. Virtumonde has been designed to log keystrokes entered by users while they surf the Web and sporadically display adverts.

The list is completed by adware (NaviPromo, VideoAddon, etc.), designed to show ads to users through banners, pop-ups, etc.

TotalScan Top 10:

1 Spyware/Virtumonde
2 Adware/NaviPromo
3 Adware/VideoAddon
4 Adware/SaveNow
5 Adware/Lop
6 Adware/Comet
7 W32/Bagle.HX.worm
8 Adware/Gator
9 Adware/OneStep
10 Adware/AdRotator

"Many unscrupulous companies pay the creators of these malicious codes for advertising. This way, cyber-crooks profit financially from their infections", says Corrons.

This week's PandaLabs report also includes information about two new Trojans: Asprox.A and Romeo.C.

Asprox.A is designed to open a port on the infected computer and turn it into a proxy server. This could allow cyber-crooks to perform malicious actions (bank transfers with money coming from scams, send spam, etc.) from the infected user's computer using its IP address.

"This way, if the illegal action is detected and the authorities start looking for those responsible, the evidence will point to the infected user, whereas it will be very difficult to find the real culprit", says Corrons.

Romeo.C is installed on computers disguised as a Windows folder. This code has been designed to create or modify several keys in the Windows Registry, which allows it to perform malicious actions such as disable the system restore feature, hide the "Start" menu "Run" option, or hide file extensions.

Finally, every time the user starts up the computer, the Trojan will display the following text: "Su PC esta infestada por un virus de ultima generación" ("Your PC is infected by a latest generation virus".

Percoban.A reaches computers disguised as a Word file. When run, it makes a copy of itself with names such as Rahasiamu.exe or Jangan Dibuka.exe. It also creates a Windows registry key to ensure that it is run on every session startup. In addition, it disables the Registry editor and the task manager and hides the search function in the Start menu.

Manclick.A is a worm that installs on computers under the guise of a Windows folder. When this worm is run, it passes itself off as the web page of the Google search engine. The appearance of this page is very similar to the original one and the results, if a user were to click them, could lead to malicious websites that download malware or take other malicious action.

The worm creates several copies of itself on the system and it also creates two registry keys to ensure it is run every time the system is started up. Similarly, it deletes certain Windows registry keys to prevent the computer from starting up in any of the available save modes.

Dung.A is a worm that also enters computers using the icon of a Windows folder. This malicious code opens a random system port and waits to receive commands, sending requests to a certain web page.

This worm makes several copies of itself on the system and edits two Windows registry keys to be able to run every time a session is started.

I apologize for the lack of updates but my new job has taken a lot of free time I had away from me. As I ease into this new position things should start returning back to normal. Here is this week's update:

Regarding the most prevalent malicious codes last week, the list is headed by the Comet adware, which shows ads while users surf the
Internet.

The Bagle.RP and Puce.E worms take second and third place respectively.
These malicious codes use their own means to spread from one computer to another.

Top 10 TotalScan

Adware Comet
Worm Bagle.RP
Worms Puce.E
Adware Starware
Spyware Virtumonde
Worm Archivarius.A
Worm Bagle.SB
Trojan Rebooter.J
Worm Bagle.RC
Adware SaveNow

As for the thousands of new codes that have appeared this week, the PandaLabs report looks at EbayRob.B and WinFake.A.

EbayRob.B is a Trojan designed to steal data entered in online forms on sites like eBay. This data is later on sent to the malware creator by email.

The Trojan modifies the Windows Registry in order to register itself as a service, which allows it to run automatically every time Windows is started up. It also edits the hosts file to redirect access to a series of websites to the affected computer. By doing this, the Trojan will be able to monitor access to those addresses.

When run by the user, EbayRob.B displays a series of cars photos.

Winfake.A is a worm that infects all available drives. It also prevents certain utilities, functions (like regedit) or the Windows console from being run, and hinders the normal use of the clipboard.

The worm appears as a Microsoft Word icon called Love. Once run, it makes several copies of itself on the system and names them after songs to entice users to run them.

Madrid, March 28, 2008 - According to the data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 21% of protected computers were infected by malware.

"Traditional solutions are no longer enough to combat the increasing number of new malware samples that appear every day. The solutions need to be complemented with online tools that access a larger knowledge base and detect more malware," says Luis Corrons, Technical Director of PandaLabs.

The Comet adware, designed to display ads while users surf the Web, is the malicious code that has infected most computers this week. The Puce.E and Bagle.RP worms are next on the list.

Top 10 TotalScan

1 Adware/Comet
2 W32/Puce.E.worm
3 W32/Bagle.RP.worm
4 Adware/OneStep
5 W32/Archivarius.A.worm
6 Adware/Zango
7 Adware/Starware
8 W32/Bagle.RP.worm
9 Trj/Downloader.SZW
10 Adware/SpyAxe

Regarding new strains of malware that have appeared, the weekly report from PandaLabs looks at the Nakuru.A and Selex.B Trojans, and the RenameLoi.A worm.

When run, Nakuru.A slows down the infected computer's Internet connection. It also modifies the Internet Explorer windows by including the title: "Welcome to Your New Home Page".

Selex.B on the other hand, is a Trojan designed to capture system information and send it to its creator; it steals email addresses from the infected computers to spam them.

To fool users, the first time it runs, it displays a page which looks like it's downloading a download manager called: "Fastlane Downloader 3.34b".

When run for the first time, the RenameLoi.A worm displays a beeping Internet screen with a green background and a religious text, which it establishes as the Internet Explorer home and search page, and which it displays every time the PC is restarted. .

When the computer is started, it shows another screen, with the text "[Day of judgment]". To spread, this worm copies itself to the removable drives on the computer and to the system. .

Additionally, it modifies the Internet browser home and search page and carries out annoying and malicious actions like hiding files with system file attributes.

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

Madrid, April 30, 2008 - This week's PandaLabs report looks at the Bless.A and VirusRemoval.A worms and the Qhost.HU Trojan.

Bless.A is a worm that modifies the Windows registry, so that all Microsoft Internet Explorer windows have the title .:iscus-X SAY MET LEBARAN! [HAPPY LEBARAN ?!], in reference to a Muslim holiday.

The worm creates several copies of itself on the system and also generates the autorun.inf file in the root directory of all hard disks, shared drives and removable drives.

The VirusRemoval.A worm is designed to delete files associated with other types of malware on all removable drives on the computer. It also creates the autorun.inf file in order to run automatically every time a drive is connected.

VirusRemoval.A also changes the Microsoft Internet Explorer start page and disables the Windows Registry editor and task manager.

Finally, the Qhost.HU Trojan hides behind a legitimate web page to change the Host file of computers that visit the page. Then, when users try to enter certain web pages related with banks, they will be redirected to fraudulent pages and their confidential information could be stolen.

To distract the user, the Trojan redirects the browser to a web page displaying an article about the death of a journalist. However, at the same time and without the user realizing, it modifies the system Host file.

Madrid, May 30, 2008 - PandaLabs reports this week about the adware AdvancedXPFixer, the Banbra.FTI Trojan and the Tixcet.A worm.

AdvancedXPFixer is adware (a program designed to display adverts) that tricks users into installing the program and tries to convince them that the computer has been infected.

When the file containing the adware is run, a warning message appears indicating that the computer has been infected by spyware. Then a screensaver appears with cockroaches eating the desktop.

Then other warning messages may appear and finally, a window with the adware itself, pretending to scan the system for other threats. Needless to say, it always finds a great deal of them, and offers the user the chance to remove them for a fee. If the fee is not paid, the adware continues to display warning messages.

Next in today's report, we look at the Banbra.FTI Trojan, a new member of the extensive family of Trojans of the same name. The file containing this malicious code has a typical Windows image file icon.

When run, the Trojan creates several files on the infected system and keys in the Windows registry. With this, the Trojan waits until the user connects to a particular online banking service to steal the login details.

Finally today, Tixcet.A is a worm designed to delete MSOffice documents, disable several Windows functions and restart the computer.

The worm is in a file with the Microsoft Word icon. When run, it creates several copies of itself on the infected system and keys in the Windows registry.

It is easy to recognize when a computer has been infected by this worm, as the word CETIX appears next to the clock in the taskbar and it changes the name with which the system has been registered to CETIX BALi.

Tixcet.A spreads by making copies of itself in the drives that it accesses, and creates the file AUTORUN.INF, so it runs automatically.

Madrid, June 20, 2008 - This week's PandaLabs report looks at the PGPCoder.E and NoFreedom.A Trojans, as well as an application for creating worms, called Constructor/Wormer.

PGPCoder.E is a ransomware Trojan, i.e. it is designed to seize information and blackmail the user into paying to recover it. It does this by encrypting all non-operating-system files (such as those with DOC, XLS, PDF, TXT, JPG, BMP, etc. extensions) contained on a computer when the file containing PGPCoder.E is run.

At the same time, it releases two files. One of these is called ¡_READ_ME_!.txt, and contains a message informing users that the files have been encrypted and that to obtain the tool for decrypting them, they have to write to a certain email address.

The second file has the same name as the malware, but with a .vbs extension. This file displays a message similar to the one described above.

NoFreedom.A on the other hand, reaches computers in a file called svch0st.exe with a peculiar icon. When run, it opens Internet Explorer and connects to YouTube to show a video of a certain cartoon series.

However, at the same time it creates several files and Windows registry entries, hiding the clock in the taskbar, disabling permissions to shut down or restart the PC and preventing the task manager from being run.

Finally today, Constructor/Wormer is a tool for creating worms through a console in Visual Basic.

Among other characteristics, this malicious tool includes options for compressing the malicious code created, enabling MuteX and selecting the icons to use. The most curious option however, is that users can choose to prevent the malicious code created from infecting removable drives, such as pen drives, etc.