General: [Sticky] Virus Warning Updates

The Singu.AM backdoor copies itself on computers under the name inetput.exe. When run, it installs itself as a computer service and opens a port on the victim's computer, so the attacker can control it remotely and carry out malicious actions: administer connections, capture keystrokes, configure connection parameters, access the Windows Registry, etc.

This malicious code is distributed through P2P networks. To tempt users into downloading it, it uses social engineering techniques, passing itself off as a fake program, an erotic photo, etc.

The Goldun.TB and Sinowal.VTJ Trojans are distributed in a similar way.

Goldun.TB reaches the victim's computer on an email attachment (photo
here: http://www.flickr.com/photos/panda_security/2865375408/)
pretending to be an ICS warning (an incorrect abbreviation of IPCS:
Internet Service Provider Consortium), and indicating that the Internet connection will be suspended due to the user's violation of alleged author rights.

The email attaches a supposed 6-month activity report which it refers to in the message body. This report is compressed in a .ZIP file. If users decompress and try to open the false report, they will be allowing a copy of the Goldun.TB Trojan onto their computer.

The Sinowal.VTJ Trojan, on the other hand, reaches mailboxes in an email pretending to come from a user who accuses the recipient of sending a virus to his computer via email.

The email subject is "I am wait (sic) your reply"
(http://www.flickr.com/photos/panda_security/), and it has an attached file it refers to in the email body, which supposedly contains proof of the user's sending of malicious emails.

On opening the file (.ZIP format) and running the content (executable file that looks like a PDF document), users will be entering a copy of the Sinowal.VTJ Trojan onto their computer.

Once on the computer, this malicious code tries to download a configuration file from a Russian domain, previously used to distribute banker malware. It also releases a series of malicious files on the system.

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

Fakegooglebar.Z, a Trojan that modifies the page of the popular Google search engine to distribute fake antivirus programs, the Eranc.A worm and the Slenfbot.C bot are the subject of this week's PandaLabs report.

On opening Internet Explorer, Fakegooglebar.Z displays a warning informing that the computer might get damaged on visiting the web page the user is about to view. Then, if the user goes to the Google page, the malicious code inserts a message in it indicating that an unregistered version of "Antivirus 2009" has been detected and encouraging the user to activate the product through a link. If they do that, they are taken to a website to download this fake antivirus. You can see a picture of the modified Google page here:
http://www.flickr.com/photos/panda_security/2909336058/).

"Fake antiviruses are a growing threat. Up to now, these rogue software programs were mainly distributed through spam messages with malicious links. In this case, however, cyber-criminals use a Trojan that changes the Google web page. This aims at avoiding raising suspicion among users, as this is a web page they might have visited hundreds of times.
All this makes it more tempting to download the fake antivirus", explains Luis Corrons, technical director of PandaLabs.

Earanc.A is a worm that spreads by copying itself to all removable drives on the computer. This way, whenever any such drive is connected to a new computer, it will infect it.

Once run, the worm opens Windows Media Player and plays the video of a clock whose hour hand moves from 1 to 12 (see image http://www.flickr.com/photos/panda_security/2908481131/). This video is deleted after being played and replaced by a copy of the worm.

Then Earanc.A deletes all multimedia files on the infected computer and replaces them with a copy of itself with the following format: original file name.original extension.exe. It also changes the Registry so that file extensions and hidden files are not displayed, and disables the system restore feature and the registry tools.

Finally, it changes the Internet Explorer window title to this:
++++ Makanya jangan handak buka BF ja, neh rasain oleh2 dari amang
hacker ++++

Slenfbot.C is a bot that spreads by sending itself to users' MSN Messenger and IRC contacts. The file it sends out is called "MVC-Imagen008" and is compressed in zip format.

Once run, this malicious code closes all open security applications for monitoring computer processes and traffic in order to make detection more difficult. It also creates some entries in the Windows Registry to ensure it runs even in Windows safe mode.

Finally, it disables the Windows administration tools and prevents users from displaying hidden folders on the computer and using the Command Prompt window.

The Banbra.GBQ banker Trojan, the APop.A malicious Java Script and the Spammer.AJR Trojan are the focus of this week’s PandaLabs report.

Banbra.GBQ is designed to obtain bank information from the user. This malicious code is distributed through email. To fools users, the executable file passes itself off as a Word document, and when run it opens a document in Portuguese in which users are asked to appear in the regional electoral committee (see image: http://www.flickr.com/photos/panda_security/2947407316).

The idea is to distract users while the Trojan is infecting their computers.

APop.A is a Java Script file that opens a series of Internet Explorer windows when run. One of these opens a page which claims to offer downloads of eMule, the well-known P2P file-sharing application.

Both the Web page and the program are very similar to the originals, however, if users read the installation license carefully, they will see a text warning that the Navipromo adware will also be installed on their computer.

The Spammer.AJR Trojan is designed to send spam from infected computers. These emails have interesting sounding subjects and include a link to a fake YouTube page (see image: http://www.flickr.com/photos/panda_security/2946552395/). If users visit the page, a fake antivirus program will be installed on their system.

This week, PandaLabs has launched an orange alert warning of the danger of these fake antivirus programs, which according to data gathered by the laboratory, have already infected more than 30 million users around the world and are generating as much as €10 million a month for their creators.

Two Trojans, Gimmiv.A and Aidreden.A, and theP2PShared.P worm are the subject of this week's PandaLabs report.

Gimmiv.A allows its creator to take full control of infected systems.

Once a computer has been infected, the Trojan starts gathering the following information:

* User names and passwords entered in web pages.
* MSN Messenger passwords
* Outlook Express passwords
* System user name
* Computer name
* Patches installed
* Information about the browser

All stolen information is encrypted using the Advanced Encryption Standard (AES) and sent to a remote server.

Aidreden.A is a Trojan designed to dupe users into buying a fake antivirus. To do this, it modifies the Host file on the infected computer so that users that visit certain Web pages are taken to a fake Microsoft web page and encouraged to download an anti-spyware software (see image here:
http://www.flickr.com/photos/panda_security/2989258406/).

Finally, P2PShared.P is a worm with bot features that steals password for all kinds of programs, applications, email and even banking details.
All this information is then sent to cyber-crooks.

Once run, it copies itself to the system and all the P2P file sharing directories under names like:

Windows Live Password reveal.exe
Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com
eMule-0-48a-VeryCD080902-Update.exe
MsnCleaner.exe

A new fake antivirus (the AntivirusPro 2009 adware), and the Gimmiv.C and Boface.C worms designed to spread on social networks such as Facebook and MySpace are the subjects of this week's PandaLabs report.

AntivirusPro 2009 is a malicious code that passes itself off as a trial anti-malware solution. Once installed on the computer, it makes users believe their computer is infected to make them purchase the full, pay version of the fake antivirus. This way, cyber-crooks gain financial benefits from their infections. According to data collected by PandaLabs, over 30 million computers worldwide could be infected by fake antiviruses (http://www.pandasecurity.com/spain/homeusers/media/press-releases/viewn
ews?noticia=9393)

Gimmiv.C is a worm designed to exploit one of the latest Microsoft Windows vulnerabilities (MS08-067). When run on the computer, it drops two malicious files onto the system.

One of the malicious files is vista.exe, an IP scanner that scans the subnet range of the local network searching for computers with port 445 open. Then, the worm runs another file downloaded (Mrosconfig.exe), which is used to exploit the MS08-067 vulnerability. Gimmiv.C uses this malicious code on the vulnerable computers found in the scan. It also makes one of the computers download other malware by connecting to a certain URL.

Finally, Boface.G is a worm designed to spread on social networks such as MySpace or Facebook.

This worm posts a link to a fake YouTube video on the infected user's profile or contacts panel, or sends the contacts a private message with the link. When they try to watch the video (which seems to come from one of their friends) they are taken to a Web page where they are encouraged to download a Flash Player update to watch it. However, if they do so, they will let a copy of the worm into their computers and will infect all of their contacts.

BankoLimb.BW modifies the Web pages of banks in order to steal users'
passwords when they access the page.

To do this, it registers as a Browser Helper Object (BHO), so it can monitor the pages users visit on the Internet. When a user visits a certain banking Web page, the Trojan injects its HTML code into the page and captures all information entered. This is then sent to the creator of the Trojan.

As if this wasn't dangerous enough, this Trojan allows remote execution of code permitting an external attacker to control the system.

Spammer.AKE is designed to send junk mail to email addresses from infected computers. Once it has infected a computer, it downloads a file from the Internet containing addresses to spam and the subjects to use.
These include:

Hoje vai ser especial
Uma longa jornada
Palavras dos maiorais
Um seculo de sabedoria

These messages contain a link claiming to point to some photos but which actually take users to a malicious file.

Nakhatar.A. installs on computers disguised as a Windows folder. When run, it closes some security and registry monitoring tools. It also disables other options including the Windows Task Manager.

Antivirus360 is a fake antivirus. As with all this type of malware, this example is designed to make users believe that their computers are infected and then try to sell them a version of the fake antivirus.
(Image here: http://www.flickr.com/photos/panda_security/3119340477/)

If users decide to buy the product, they will see a Web page on which they can enter their payment details (image here:
http://www.flickr.com/photos/panda_security/3120158812/)

Sinowal.VXR is designed to steal bank passwords and send them to its creators, allowing them to steal money from users' accounts. To obtain this information, Sinowal.VXR monitors users' activity on the Internet and when they access certain bank Web pages, the Trojan redirects them to a spoof page. There they will be asked for a series of data including their user name and password, as well as other memorable information such as their favorite film, book or destination.

"The reason for collecting this extra information is that cyber-crooks can then access the user's email accounts or similar services which often use these type of questions in the event that the user has forgotten their password", explains Luis Corrons, technical director of PandaLabs.

The information is encrypted and sent via HTTP POST to an external server which saves all the data gathered.

Salita.AN is a virus with a malicious payload that prevents the computer from functioning correctly. It stops Internet Explorer from working in offline mode, it disables access to the Windows Registry and Task Manager, and deactivates warnings from the "Windows Security Center". It also deletes Windows Registry entries related with safe mode, to prevent accessing the system in this way.

The virus spreads by copying itself to all system drives, USB devices and shared drives.

PandaLabs has also offered information this week on a vulnerability recently corrected by Microsoft which affects Internet Explorer. More information is available in the PandaLabs blog.
http://pandalabs.pandasecurity.com/archive/Critical-updated-of-Microsoft
-Security-Bulletin-MS08_2D00_078.aspx

Emogen.B is a backdoor Trojan that connects to a server and lets attackers take control of the targeted computer remotely. They will then be able to monitor system activities and take actions such as downloading malware, stealing user information, controlling the Command Prompt window remotely and even starting a chat session with the infected user.

See an image of the Emogen.B console here:
http://www.flickr.com/photos/panda_security/3128211878/

This backdoor Trojan cannot spread automatically, but uses the usual means of propagation: P2P networks, physical devices such as CDs or floppy disks, Internet downloads or FTP file transfers.

SystemSecurity is a fake antivirus-type adware that displays a false infection report to trick users. If the user clicks the button to disinfect the computer, it displays a page asking for a fee. (Image
here: http://www.flickr.com/photos/panda_security/3159368914/).

"This type of fraud has become quite popular lately. Malware like this shows the real financial motivation behind malicious code. Cyber-crooks will turn to anything to profit from infected users", explains Luis Corrons, Technical Director of PandaLabs.

Finally in this week's report, we mention Gafermus.A, a Trojan that tries to connect to certain Web pages to download other malware. Then, it makes several copies of itself on the infected system using random names from the Windows services. It cannot spread automatically using its own means but requires user intervention.

Had not updated this since my brother came to visit and I took a vacation. Getting back into the groove of things.

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

MSNWorm.FU is a worm that spreads through MSN Messenger. To do so, it opens conversations with the infected user's contacts and offers them a file as if it were a photo for the contact to accept and consequently become infected. The file is sent together with sentences such as:

"me puedes marcar en esta foto de facebook?" (can you tag me in this facebook photo) "me cerraron mi cuenta por subir esta foto. si esta muy mal?" (they closed my account for loading this photo. Is it that bad?) "viste esta super fiesta de año nuevo?" (check out the New Year party) "toma, esta perfecta esta foto como wallpaper" (here, this photo is perfect as wallpaper)

The file is usually compressed in a .zip file to avoid being detected by the Messenger.

DirDel.A is a worm that reaches computers with a folder icon, to fool users into running it. When run, it does not display any message or open any folder. This malware replaces folders in different directories with a copy of itself. For example, if there is a folder called Example, it creates a copy of itself in the same directory called Example.exe and deletes all the original folders and their content.

This worm spreads by copying itself to all the system drives and shared folders.

P2PShared.AB reaches computers disguised as an email file, with names related to trademarks, such as Ikea.exe. To spread, it copies itself onto the shared files of P2P programs, with names of programs, disks, and so on. For example:

Youtube Music Downloader 1.0.exe
Absolute Video Converter 6.2.exe
FOOTBALL MANAGER 2009.exe
Password Cracker.exe

This worm also spreads via email by sending spam emails with subjects such as You´ve received a Hallmark E-Card, and an attached file called postcard.zip which contains malware. You can see an image here: http://www.flickr.com/photos/panda_security/3256919391/

In addition, this week PandaLabs has informed about a new phishing attack used by Facebook as bait. French users received a message inviting them to view specific content in Facebook. When they did, they were redirected to a fake Facebook page, similar to the original. Any details they entered were sent to cyber-crooks. More information here: http://pandalabs.pandasecurity.com/archive/Facebook-Phishing-Site-Targets-French-Users.aspx

The new variant of the Conficker worm (Conficker.D) that has appeared this week connects to numerous servers to update. Like other variants in this family, this worm uses the MS08-067 Microsoft Windows vulnerability to spread. Apart from allowing the worm to enter the computer, this vulnerability lets the attacker take several actions on the infected computer, even allowing control of the computer. This worm also spreads through USB devices, such as memory sticks and MP3 players.

This worm updates every day and downloads new versions of itself onto the infected computer from Web pages that constantly change their URL to make it more difficult to block.

The Malwaredefender 2009 adware on the other hand, is a fake antivirus.
On reaching computers, this adware, like most of its kind, simulates a malware scan to pass itself off as an antivirus. During the scan it supposedly detects several examples of (non-existent) malware in order to worry users (image:
http://www.flickr.com/photos/panda_security/3348889715/).

It then invites them to buy the pay version of the fake antivirus to eliminate the malware it claims to have detected, opening a registration window (image: http://www.flickr.com/photos/panda_security/3348889711/).

On registering, users are redirected to a Web page to download the Premium version of the fake antivirus: (image of the store here:
http://www.flickr.com/photos/panda_security/3348889717/)

Finally, the BadGorve.H Trojan is designed to eliminate files with certain extensions (JPG and WMV among others) from specific directories on the infected computer, causing a significant loss of user information.

Ooh, site updates? certainly seems sleeker.

anyway, does anyone know of a virus for phones with touchscreen that disables the touchscreen?

KillAV.KP is designed to prevent users from accessing websites of antivirus companies and IT security forums. This way, users cannot check security-related issues nor download updates.

This malicious code reaches computers in what looks like an image file with an icon of a cat. To avoid being detected, once run KillAV.KP shows users a .GIF animation (image here:
http://www.flickr.com/photos/panda_security/3574720713/ )

Meanwhile, it downloads a file to the system which modifies the Windows Registry to prevent users accessing websites of security companies, etc.

The PasswordStealer.BM worm on the other hand, steals users'
confidential information, i.e. passwords stored on Internet Explorer.
It also steals information regarding the affected computer (version of the operating system, user name and IP address). The information is stored and sent to its creator later on via IRC.

There are several tell-tale signs of the presence of this worm. When run, it displays an image of a young person smoking a cigarette (image
here: http://www.flickr.com/photos/panda_security/3575542298/ ). It also modifies the homepage of Internet Explorer (image here:
http://www.flickr.com/photos/panda_security/3575542334/ )

PasswordStealer.BM uses several techniques to make it more difficult to
delete:
- It hides files and folders.
- It conceals file extensions.
- It conceals operating system files.

Additionally, PasswordStealer.BM tries to spread through IRC channels.
To do so, it sends random messages with a file called MYPIC.ZIP which contains a compressed copy of itself, to all the users connected to the channel the affected user connects to.

Finally, the MSNWorm.GI worm is designed to spread through MSN Messenger. To do so, it sends an instant message to the infected user's contacts, tempting them to view a photo.

The message includes a link with a URL that resembles Facebook's. On clicking the link, a download window is opened for users to run or save the file (supposedly a photo). The file has a double extension (JPG and
EXE) to fool users. This file really consists of an up-to-date copy of the worm.

If users open the downloaded file, Facebook's legitimate page will open to fool them and get them to believe there has been an error when they cannot find the new photo.

More information about these and other malicious codes is available in the Panda Security Encyclopedia
((http://www.pandasecurity.com/homeusers/security-info)

This week's PandaLabs report looks at the Terminator2009 adware, the KillRDLL.A Trojan and the Rimecud.E worm.

Terminator2009 is a fake antivirus (a type of adware). When it runs, it simulates a scan (although this is started when users click the scanner button). It then claims to have detected malware. If users follow the program's recommendations, they are redirected to a page where they can purchase a Premium version of the fake antivirus. If not, the adware starts displaying warnings to users claiming that the computer is infected and suggesting they purchase the pay version to eliminate these
(non-existent) threats.

The overall objective for the creators of this malicious code is to profit from the sale of pay versions of the fake antivirus.

You can view the images here:
http://www.flickr.com/photos/panda_security/tags/terminator2009/

KillRDLL.A is a Trojan that creates copies of itself every time users access a directory. This file has a Windows folder icon with a hidden extension to make users believe it is a folder. It also creates a copy of itself when users access a subdirectory.

Fake folders use names including:

Angelina Jolie
Clips
Documents
Favorites
Flash Games
Games
My Documents
My Folder
Picture
Video
WallPapers

When run, it opens the Web page of a search engine that dislplays false results. You can see an image here:
http://www.flickr.com/photos/panda_security/3662238086/

Finally, the Rimecud.E worm downloads malware from certain Web pages. It is designed to send spam messages while it downloads more malware. Being infected by this worm could result in the user suffering an avalanche of malicious programs.

In order to spread, this worm copies itself to folders of P2P applications such as Bearshare and eMule. It also spreads through MSN Messenger. To do so, it sends a copy of the worm to the contacts of the affected user (if connected).

It also copies itself to the USB devices connected to the computer and creates an autorun.inf file to be run whenever the infected device is connected to a computer.