KrazyIvan, Jan 18th 2008 (edited):

    I cleaned up most of the advertising fluff from this one. :D

    Madrid, January 18, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) the Bagle.HX worm was responsible for most infections over the last week. Two strains of adware, Comet and Starware, come next in the ranking of the most active malware.

    Top 10 TotalScan:

    1 W32/Bagle.HX.worm
    2 Adware/Comet
    3 Adware/Starware
    4 Adware/VideoAddon
    5 W32/Bagle.QV.worm
    6 Spyware/Virtumonde
    7 Trj/Downloader.RZC
    8 Adware/Lop
    9 Trj/Rebooter.J
    10 Adware/NaviPromo

    Regarding new strains of malware that have appeared, the weekly report from PandaLabs looks at the MSNworm.BU and P2PShared.C worms.

    MSNworm.BU spreads through MSN Messenger by sending a message with an attached compressed file to all the infected user's contacts. If any of these extract and run the file they will be infected. The messages have text similar to the following: "I cant remember anything from this picture:D", "is this you?:S", etc.

    This worm connects to a web page, from which it downloads another malicious file. It also creates a key in the Windows Registry to ensure it is run every time the session is started up.

    P2PShared.C reaches computers with an icon of two tools. When run, it shows an error message. To spread, it is copied to P2P directories with names such as "Windows Vista x86 MultiLang AutoPatcher.rar" or "MSN Messenger 8 Fully Patched for XP Sp2 and ViSTA.rar".

Spode, Jan 18th 2008:

    Nice work Ivan. I've stickied this post - I'm sure people rely on it!

coyote, Jan 18th 2008 (edited):

I think it's invaluable, if you know what you're likely to invite in! Thanks again Ivan, your efforts are very much appreciated. :D

Spode, Jan 18th 2008:

    To anyone - if you want to subscribe to these updates, just subscribe to the discussion (left hand panel).

KrazyIvan, Jan 19th 2008:

Cool! Oh man, now I feel the pressure. Subscribers. :P

coyote, Jan 19th 2008:

    I suppose a subscription fee would help take the pressure off Ivan. ;) :D

KrazyIvan, Jan 19th 2008:

    Hmm, I don't think I would get very far charging for someone else's content. :S :P

coyote, Jan 19th 2008:

    Err, that was supposed to be a joke Ivan! Hence the wink. :)

KrazyIvan, Jan 19th 2008:

    Yeah, I know. Hence the ras. :P :D ;) Don't mind me, I am just in an ornery mood this morning. :$

coyote, Jan 19th 2008:

Nemmind Ivan, I'm sure today will get better. ({) :D Ornery? That's what I call stuff that's standard, like "ornery tea" rather than Earl Grey or whatever. Ornery being a lazy way of saying ordinary.

KrazyIvan, Jan 25th 2008:

    Madrid, January 25, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 22.86% of protected computers were infected by some type of malware.

    As for the most harmful codes this week, the list is headed by the Virtumonde spyware. Virtumonde has been designed to log keystrokes entered by users while they surf the Web and sporadically display adverts.

    The list is completed by adware (NaviPromo, VideoAddon, etc.), designed to show ads to users through banners, pop-ups, etc.

    TotalScan Top 10:

    1 Spyware/Virtumonde
    2 Adware/NaviPromo
    3 Adware/VideoAddon
    4 Adware/SaveNow
    5 Adware/Lop
    6 Adware/Comet
    7 W32/Bagle.HX.worm
    8 Adware/Gator
    9 Adware/OneStep
    10 Adware/AdRotator

    "Many unscrupulous companies pay the creators of these malicious codes for advertising. This way, cyber-crooks profit financially from their infections", says Corrons.

    This week's PandaLabs report also includes information about two new Trojans: Asprox.A and Romeo.C.

    Asprox.A is designed to open a port on the infected computer and turn it into a proxy server. This could allow cyber-crooks to perform malicious actions (bank transfers with money coming from scams, send spam, etc.) from the infected user's computer using its IP address.

    "This way, if the illegal action is detected and the authorities start looking for those responsible, the evidence will point to the infected user, whereas it will be very difficult to find the real culprit", says Corrons.

    Romeo.C is installed on computers disguised as a Windows folder. This code has been designed to create or modify several keys in the Windows Registry, which allows it to perform malicious actions such as disable the system restore feature, hide the "Start" menu "Run" option, or hide file extensions.

Finally, every time the user starts up the computer, the Trojan will display the following text: "Su PC esta infestada por un virus de ultima generación" ("Your PC is infected by a latest generation virus").

KrazyIvan, Feb 1st 2008:

    "The large amounts of new malware created every day have made traditional solutions insufficient to combat malware. They simply cannot cope with it. These solutions need to be complemented with online tools capable of accessing a larger knowledge base and detecting much more malicious code," explains Luis Corrons, Technical Director of PandaLabs.

    TotalScan Top 10

    1 W32/Bagle.HX.worm
    2 W32/Bagle.RC.worm
    3 Adware/Comet
    4 Adware/Starware
    5 Adware/Lop
    6 W32/Puce.E.worm
    7 Trj/Spammer.ADX
    8 Spyware/Virtumonde
    9 Trj/Rebooter.J
    10 Adware/NaviPromo

As for the most active codes this week, the list is headed by two variants of the Bagle worm. The Comet adware, which shows ads to users through banners, pop-ups, etc., comes in third place.

    Regarding new strains of malware that have appeared this week, the PandaLabs report focuses on the Nabload.CXU Trojan and the Wow.SI, Lineage.HIT and Chike.B worms.

    The Nabload.CXU Trojan spreads in emails with the subject "A Pessoa com o Maior Rabo do Mundo" and contains a text in Portuguese and a link to a video. However, if the user clicks the link, they will actually be downloading a copy of the Trojan onto their computers. Then, the Trojan plays a YouTube video to conceal its actions.

    Also, this malicious code downloads two banker Trojans onto the computer to steal login data for accessing various banking entities' services.

    Lineage.HIT is a worm with Trojan features. It is designed to steal sensitive information from the system as well as user names and passwords for the following online games:

    * Lineage Lands of Aden
    * Maple Story
    * Legend of Mir
    * World of Warcraft

Once run, Wow.SI copies itself to the root directory of all the system drives. Consequently, it can copy itself to removable devices (external hard disks, USB memory sticks, etc.) and run when connected to another computer.

    The worm drops a rootkit on the system to hide its actions and make detection more difficult. It also connects to an HTTP address from which it downloads a malicious file and a copy of itself.

    Chike.B is a worm that spreads by copying itself to removable drives and shared folders on the network. This malicious code changes the Windows explorer settings, disables the system restore feature and disables the Windows Registry.

Finally, it configures the Windows Registry to make sure it is run every time a session is started.

KrazyIvan, Feb 8th 2008:

    Percoban.A reaches computers disguised as a Word file. When run, it makes a copy of itself with names such as Rahasiamu.exe or Jangan Dibuka.exe. It also creates a Windows registry key to ensure that it is run on every session startup. In addition, it disables the Registry editor and the task manager and hides the search function in the Start menu.

    Manclick.A is a worm that installs on computers under the guise of a Windows folder. When this worm is run, it passes itself off as the web page of the Google search engine. The appearance of this page is very similar to the original one and the results, if a user were to click them, could lead to malicious websites that download malware or take other malicious action.

The worm creates several copies of itself on the system and it also creates two registry keys to ensure it is run every time the system is started up. Similarly, it deletes certain Windows registry keys to prevent the computer from starting up in any of the available safe modes.

    Dung.A is a worm that also enters computers using the icon of a Windows folder. This malicious code opens a random system port and waits to receive commands, sending requests to a certain web page.

    This worm makes several copies of itself on the system and edits two Windows registry keys to be able to run every time a session is started.
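Several of the samples in this thread (Romeo.C, Chike.B, Percoban.A and Manclick.A) share the same registry tricks: a Run key for persistence, policy values that disable the Registry Editor, Task Manager, the Start menu's Run and Search entries or System Restore, and, for Manclick.A, deleted keys that stop Safe Mode from booting. Those changes can be reviewed offline from a `reg export` of the relevant hives, or from a .reg file a sample drops. The Python script below is an added example written for this page, not code from the thread or from PandaLabs: it parses the .reg text format and flags those entries. The sample export is constructed; the value names it checks are the documented Windows policy names, and the `Rahasiamu` Run entry and the SafeBoot deletion are illustrative.

```python
"""Audit a Windows .reg export for autorun entries and lockout policies.

Added example: parses the text produced by `reg export` (or a .reg file dropped
by a sample) and flags Run/RunOnce entries, policy values that disable recovery
tools, and deletions of the SafeBoot keys. The sample export is constructed.
"""
import re

# Constructed sample: a hypothetical export after an infection of the kind
# described above (Run entry, regedit/taskmgr/NoRun/NoFind lockouts, SafeBoot removal).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Rahasiamu"="C:\\WINDOWS\\system32\\Rahasiamu.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFind"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
"""

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Policy values which, when set to 1, block the user from undoing an infection.
LOCKOUT_VALUES = {
    "\\policies\\system": {"DisableRegistryTools", "DisableTaskMgr"},
    "\\policies\\explorer": {"NoRun", "NoFind", "NoClose", "NoFolderOptions"},
    "\\windows nt\\systemrestore": {"DisableSR", "DisableConfig"},
}


def parse_reg_export(text):
    """Return (keys, deleted): {key_path: {value_name: raw_value}} and the key
    paths that "[-KEY]" lines delete. Value lines outside any key are ignored."""
    keys, deleted, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(-?)(.+)\]$", line)
        if m:
            if m.group(1):           # "[-KEY]" deletes the key and everything under it
                deleted.append(m.group(2))
                current = None
            else:
                current = m.group(2)
                keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else m.group(1)
            keys[current][name] = m.group(2)
    return keys, deleted


def decode_value(raw):
    """Decode dword: and quoted string values; other value types are returned as-is."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo the \\ and \" escaping
    return raw


def audit_reg_export(text):
    """Return findings as (kind, key_path, value_name, decoded_value) tuples."""
    keys, deleted = parse_reg_export(text)
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith(RUN_KEYS):           # every autostart entry is listed for review
            for name, raw in values.items():
                findings.append(("autorun", path, name, decode_value(raw)))
        for suffix, names in LOCKOUT_VALUES.items():
            if low.endswith(suffix):
                for name, raw in values.items():
                    if name in names and decode_value(raw) == 1:
                        findings.append(("policy-lockout", path, name, 1))
        # HideFileExt=1 is the Windows default, so it is informational only; it
        # matters when a sample sets it to pass "photo.jpg.exe" off as an image.
        if low.endswith("\\explorer\\advanced") and decode_value(values.get("HideFileExt", "")) == 1:
            findings.append(("info", path, "HideFileExt", 1))
    for path in deleted:
        if "\\safeboot" in path.lower():     # without SafeBoot\Minimal or \Network, Safe Mode will not boot
            findings.append(("safeboot-removed", path, None, None))
    return findings


if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG):
        print(*finding, sep="\t")
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg` (and the HKLM equivalents) to get the same findings for a live machine; the script reads only the text, so it is safe to use on exports taken from an infected box.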

KrazyIvan, Feb 15th 2008:

    As for the most active codes this week, the list is headed by the spyware program Virtumonde, followed by two adware samples: NaviPromo and VideoAddon.

    Most active malware:

    1 Spyware/Virtumonde
    2 Adware/NaviPromo
    3 Adware/VideoAddon
    4 Adware/Comet
    5 Adware/SaveNow
    6 Adware/Zango
    7 Adware/Lop
    8 Adware/OnlineAddon
    9 Adware/OneStep
    10 Spyware/Vundo

    Of the thousands of malicious code that appeared this week, PandaLabs focuses on the Resentment.A and Nuwar.QI worms.

The first reaches computers disguised as a Windows folder. When run, it displays an error message and opens a Notepad file. It simultaneously creates several copies of itself on the system and edits a key in the Windows Registry to ensure it is run every time a session is started. It also replaces the Internet Explorer start page with a fake error page. When users click on "actualizar" (update) the worm sends an email via a JavaScript form to an email address.

"The surprising thing is that the email is sent to a specific company, indicating that two employees should be fired. This raises suspicions of personal quarrels between the worm distributor and the staff in question," comments Corrons.

    Nuwar.QI on the other hand, is a worm designed to send spam. To do so, it uses users' PCs as servers, causing them to slow down.

    The emails use romantic subjects - which are especially effective since they were distributed on Valentine's day - to tempt users into opening the attached file. If they do, users will view a romantic card while downloading a copy of the worm.

KrazyIvan, Mar 14th 2008:

    I apologize for the lack of updates but my new job has taken a lot of free time I had away from me. As I ease into this new position things should start returning back to normal. Here is this week's update:

Regarding the most prevalent malicious codes last week, the list is headed by the Comet adware, which shows ads while users surf the Internet.

The Bagle.RP and Puce.E worms take second and third place respectively. These malicious codes use their own means to spread from one computer to another.

    Top 10 TotalScan

1 Adware/Comet
2 W32/Bagle.RP.worm
3 W32/Puce.E.worm
4 Adware/Starware
5 Spyware/Virtumonde
6 W32/Archivarius.A.worm
7 W32/Bagle.SB.worm
8 Trj/Rebooter.J
9 W32/Bagle.RC.worm
10 Adware/SaveNow

    As for the thousands of new codes that have appeared this week, the PandaLabs report looks at EbayRob.B and WinFake.A.

    EbayRob.B is a Trojan designed to steal data entered in online forms on sites like eBay. This data is later on sent to the malware creator by email.

    The Trojan modifies the Windows Registry in order to register itself as a service, which allows it to run automatically every time Windows is started up. It also edits the hosts file to redirect access to a series of websites to the affected computer. By doing this, the Trojan will be able to monitor access to those addresses.

When run by the user, EbayRob.B displays a series of car photos.

WinFake.A is a worm that infects all available drives. It also prevents certain utilities, functions (like regedit) or the Windows console from being run, and hinders the normal use of the clipboard.

    The worm appears as a Microsoft Word icon called Love. Once run, it makes several copies of itself on the system and names them after songs to entice users to run them.

KrazyIvan, Mar 21st 2008:

    Madrid, March 21, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 25.41% of computers with a security solution installed were infected.

    "Given the vast amount of new samples of malware in circulation every day, security laboratories are saturated and solutions can no longer be updated in time. That's why traditional solutions need to be complemented with online tools capable of accessing a larger knowledge base and detecting much more malicious code," explains Luis Corrons, Technical Director of PandaLabs.

    Among the thousands of malicious codes that have appeared this week, the present PandaLabs report focuses on the Bankolimb.AF Trojan and the Autorun.RS worm.

    When it is run, Autorun.RS releases two files on the computer designed to steal passwords for online games.

    "The use of worms that can steal passwords, a feature more often associated with Trojans, is a growing trend. The reason is that worms, unlike Trojans, can spread by themselves, which represents a real advantage for cyber-crooks", says Luis Corrons.

Theft of passwords for online games is motivated by the potential financial returns that this can generate. In these games, there are levels and items that can only be achieved through skill and experience. However, many users are willing to pay for them on forums, web pages, etc. Cyber-crooks readily profit from this situation.

    The Bankolimb.AF Trojan drops several libraries on the computer, one of which is registered as a BHO (Browser Helper Object). This allows it to monitor the Internet activity of the user, monitoring when they access online bank pages, and adding fields to forms that users see on these pages, in order to collect additional information.

    The Trojan captures keystrokes to steal passwords entered into these pages. It then sends the information to its creator, uploading a file with the data to a server.

KrazyIvan, Mar 28th 2008:

    Madrid, March 28, 2008 - According to the data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 21% of protected computers were infected by malware.

    "Traditional solutions are no longer enough to combat the increasing number of new malware samples that appear every day. The solutions need to be complemented with online tools that access a larger knowledge base and detect more malware," says Luis Corrons, Technical Director of PandaLabs.

    The Comet adware, designed to display ads while users surf the Web, is the malicious code that has infected most computers this week. The Puce.E and Bagle.RP worms are next on the list.

    Top 10 TotalScan

    1 Adware/Comet
    2 W32/Puce.E.worm
    3 W32/Bagle.RP.worm
    4 Adware/OneStep
    5 W32/Archivarius.A.worm
    6 Adware/Zango
    7 Adware/Starware
    8 W32/Bagle.RP.worm
    9 Trj/Downloader.SZW
    10 Adware/SpyAxe

    Regarding new strains of malware that have appeared, the weekly report from PandaLabs looks at the Nakuru.A and Selex.B Trojans, and the RenameLoi.A worm.

    When run, Nakuru.A slows down the infected computer's Internet connection. It also modifies the Internet Explorer windows by including the title: "Welcome to Your New Home Page".

    Selex.B on the other hand, is a Trojan designed to capture system information and send it to its creator; it steals email addresses from the infected computers to spam them.

    To fool users, the first time it runs, it displays a page which looks like it's downloading a download manager called: "Fastlane Downloader 3.34b".

When run for the first time, the RenameLoi.A worm displays a beeping Internet screen with a green background and a religious text, which it establishes as the Internet Explorer home and search page, and which it displays every time the PC is restarted.

When the computer is started, it shows another screen, with the text "[Day of judgment]". To spread, this worm copies itself to the removable drives on the computer and to the system.

    Additionally, it modifies the Internet browser home and search page and carries out annoying and malicious actions like hiding files with system file attributes.

KrazyIvan, Apr 4th 2008:

    Madrid, April 4, 2008 - During the last week, the Virtumonde spy program has been the threat that has infected most computers according to data compiled by PandaLabs, the malware detection and analysis laboratory at Panda Security. The Bagle.HX worm and the adware NaviPromo are in second and third place in the week's Top 10 ranking.

    Top 10 - TotalScan
    1 Spyware/Virtumonde
    2 W32/Bagle.HX.worm
    3 Adware/NaviPromo
    4 Adware/Comet
    5 W32/Bagle.RP.worm
    6 W32/Puce.E.worm
    7 Adware/Zango
    8 Adware/Lop
    9 W32/Bagle.QV.worm
    10 Adware/Starware

    This week, over 23% of computers protected with a security solution were infected, while the figure for unprotected computers was over 32%.

    From the malicious codes that have appeared over the last seven days, this week's PandaLabs report focuses on the QQHelper.Z Trojan, the adware AntispywareMaster and the Rungbu.D worm.

    QQHelper.Z is designed to drop two rootkits on computers in order to hide its processes, thereby making it more difficult to detect. This Trojan connects to a web page and also makes a series of modifications to the system including adding a link in the Favorites folder.

    The AntispywareMaster adware simulates an antispyware program to trick users into installing and running it on their computers. This adware also creates shortcuts in the Start menu and on the Desktop. When run, it appears as if it is scanning the computer for malicious code, displaying random 'detection' results.

    "When we analyzed this malicious code we found a file containing information about the infections to display. So, seemingly, this 'antispyware' already knows the malicious code it will detect, before it has even begun to scan the computer! Evidently, this is a malicious program", explains Luis Corrons, technical director of PandaLabs.

    Once the supposed scan has finished, if users try to disinfect their computers, they will be taken to a web page from which they can buy the product.

    The Rungbu.D worm is designed to copy itself to all system drives. It also modifies certain Windows registry keys in order to carry out malicious action including hiding file extensions, changing Microsoft Word icons for another icon included in the worm's code and executing itself on every system restart.

KrazyIvan, Apr 30th 2008:

    Virus Alerts, by Panda Security (http://www.pandasecurity.com)

    Madrid, April 30, 2008 - This week's PandaLabs report looks at the Bless.A and VirusRemoval.A worms and the Qhost.HU Trojan.

    Bless.A is a worm that modifies the Windows registry, so that all Microsoft Internet Explorer windows have the title .::Discus-X SAY MET LEBARAN! [HAPPY LEBARAN ?!], in reference to a Muslim holiday.

    The worm creates several copies of itself on the system and also generates the autorun.inf file in the root directory of all hard disks, shared drives and removable drives.

    The VirusRemoval.A worm is designed to delete files associated with other types of malware on all removable drives on the computer. It also creates the autorun.inf file in order to run automatically every time a drive is connected.

    VirusRemoval.A also changes the Microsoft Internet Explorer start page and disables the Windows Registry editor and task manager.

Finally, the Qhost.HU Trojan hides behind a legitimate web page to change the hosts file of computers that visit the page. Then, when users try to enter certain web pages related with banks, they will be redirected to fraudulent pages and their confidential information could be stolen.

To distract the user, the Trojan redirects the browser to a web page displaying an article about the death of a journalist. However, at the same time and without the user realizing, it modifies the system hosts file.
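Both EbayRob.B (Mar 14th) and Qhost.HU (above) work by editing the hosts file, which the resolver consults before DNS: a bank's name mapped to an attacker's address sends the browser to a spoof site with the genuine name in the address bar, and a security vendor's name mapped to 127.0.0.1 silently kills updates. The Python script below is an added example for this page, not code from the thread or from PandaLabs. It parses the hosts format shared by Windows and Unix and grades each mapping; the sample file, the `*.bank.example` names and the `antivirus-vendor.example` suffix are constructed, and 192.0.2.10 is a documentation address (RFC 5737) standing in for an attacker's server.

```python
"""Flag hosts-file entries that redirect or sinkhole internet names.

Added example (not from the thread or PandaLabs): parses a hosts file and
reports names mapped to a remote address (pharming, as with EbayRob.B and
Qhost.HU) or to loopback/0.0.0.0 (blocking, typically aimed at update servers).
"""
import ipaddress

# Constructed sample of a tampered hosts file. 192.0.2.10 is a documentation
# address standing in for the attacker's server; all the names are invented.
SAMPLE_HOSTS = """\
# Windows hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus-vendor.example   # blocks AV updates
192.0.2.10      www.bank.example
192.0.2.10      online.bank.example secure.bank.example
0.0.0.0         ads.example
"""

# Names that have no business in hosts at all; any mapping is high severity.
PROTECTED = {"www.bank.example", "online.bank.example", "secure.bank.example"}
# Names whose blocking is itself suspicious (security vendors, update servers).
BLOCK_SENSITIVE_SUFFIXES = ("antivirus-vendor.example",)
# The stock entries every hosts file carries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(ip_address, hostname, line_no)]; comments and blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        for host in fields[1:]:
            entries.append((ip, host.lower(), n))
    return entries


def audit_hosts(text, protected=PROTECTED):
    """Return findings as dicts with kind, severity, ip, host and line."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if host in LOCAL_NAMES and (ip.is_loopback or ip.is_unspecified):
            continue  # the stock loopback lines
        if ip.is_loopback or ip.is_unspecified:
            kind = "sinkholed"    # name made unreachable
            severity = "high" if host in protected or host.endswith(BLOCK_SENSITIVE_SUFFIXES) else "info"
        else:
            kind = "redirected"   # name resolves to a machine chosen by whoever wrote the file
            severity = "high" if host in protected else "medium"
        findings.append({"kind": kind, "severity": severity, "ip": str(ip), "host": host, "line": n})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['severity']:6} {f['kind']:10} line {f['line']}: {f['host']} -> {f['ip']}")
```

On a real machine read `%SystemRoot%\System32\drivers\etc\hosts` (or `/etc/hosts`) into `audit_hosts`; anything graded "redirected" for an internet name deserves a look, because a legitimate hosts file almost never points public names at a remote address.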

KrazyIvan, May 9th 2008:

    Madrid, May 9, 2008 - PandaLabs' report this week focuses on the Manclick.B worm and the Kukuku.A and Kleste.A viruses. It also provides information about the WmaDownloader.G Trojan distributed through P2P networks and the Mozilla-Firefox plug-in that installs the Xorer.T malware on computers.

    Manclick.B is a worm whose main function is to open specific web pages.
    When run, it creates several copies of itself on the infected system and creates keys in the Windows registry.

    Actions taken by this worm include; blocking several applications, disabling the Registry Editor and the Windows Start menu and preventing the computer from starting in secure mode.

    Among the visible symptoms of the Kukuku.A virus are; changing the Internet Explorer home page and opening several windows displaying Asian websites. It also connects to an Internet address to download malware onto the computer (the Admoke adware, the Agent.ISE and Delf.AIN Trojans, etc.).

    The Kleste.A virus uses the name net.exe and the default Windows executable file icon to distribute itself. When run, it copies itself to c:\, using the same name, net.exe, and drops the winini.exe file that acts as a downloader Trojan on the computer.

    It also drops the winsys.sys file which acts as a rootkit to avoid being detected by antiviruses in the c:\Windows\system32\drivers directory.
    Then, it infects the other executable files on the system by adding the necessary code, to connect to a web address from which to download up-to-date versions of the virus.

    The WmaDownloader.G Trojan on the other hand, is distributed through P2P networks in the form of false files with MP3 and MPG extensions. When run, they connect to an Internet address that offers users the possibility of downloading a specific multimedia player.

Finally, PandaLabs informs about a Mozilla-Firefox plug-in that has been distributed from the Firefox website in the last few months. The plug-in was for the Vietnamese language and ran files on a specific web page, downloading the Xorer.T malware onto the system.

Although the plug-in can no longer be downloaded from the official Firefox website, we recommend users who have downloaded it to scan their computers for free with the new ActiveScan 2.0 (available at http://www.infectedornot.com) to check whether they are infected.

KrazyIvan, May 30th 2008:

    Madrid, May 30, 2008 - PandaLabs reports this week about the adware AdvancedXPFixer, the Banbra.FTI Trojan and the Tixcet.A worm.

    AdvancedXPFixer is adware (a program designed to display adverts) that tricks users into installing the program and tries to convince them that the computer has been infected.

    When the file containing the adware is run, a warning message appears indicating that the computer has been infected by spyware. Then a screensaver appears with cockroaches eating the desktop.

    Then other warning messages may appear and finally, a window with the adware itself, pretending to scan the system for other threats. Needless to say, it always finds a great deal of them, and offers the user the chance to remove them for a fee. If the fee is not paid, the adware continues to display warning messages.

    Next in today's report, we look at the Banbra.FTI Trojan, a new member of the extensive family of Trojans of the same name. The file containing this malicious code has a typical Windows image file icon.

    When run, the Trojan creates several files on the infected system and keys in the Windows registry. With this, the Trojan waits until the user connects to a particular online banking service to steal the login details.

    Finally today, Tixcet.A is a worm designed to delete MSOffice documents, disable several Windows functions and restart the computer.

    The worm is in a file with the Microsoft Word icon. When run, it creates several copies of itself on the infected system and keys in the Windows registry.

    It is easy to recognize when a computer has been infected by this worm, as the word CETIX appears next to the clock in the taskbar and it changes the name with which the system has been registered to CETIX BALi.

    Tixcet.A spreads by making copies of itself in the drives that it accesses, and creates the file AUTORUN.INF, so it runs automatically.
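Bless.A, VirusRemoval.A (Apr 30th) and Tixcet.A (above) all drop an autorun.inf in the root of every drive they reach. The file is INI-like: `open=` and `shellexecute=` name a program for AutoPlay to run when the drive is mounted, while `shell\<verb>\command=` entries hijack the "Open" and "Explore" verbs so the program runs when the drive is double-clicked in Explorer even with AutoPlay off, and `icon=`/`action=` are used to make the drive look like a plain folder. The Python script below is an added example for this page, not code from the thread or from PandaLabs: a parser tolerant of the junk lines worms pad these files with, plus the checks a triage analyst would apply. Both sample files are constructed and the target path `RECYCLER\boot.exe` is invented.

```python
r"""Triage an autorun.inf pulled from a removable drive.

Added example, not code from the thread or PandaLabs: a tolerant parser for the
[autorun] section plus checks for the directives that make a drive execute a
file: open= and shellexecute= (run by AutoPlay) and shell\<verb>\command= (run
when the drive is double-clicked in Explorer). The samples are constructed.
"""

# Constructed: the kind of autorun.inf a worm such as those above drops.
WORM_AUTORUN = r"""[AutoRun]
@@junk-line-without-an-equals-sign@@
open=RECYCLER\boot.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open=&Open
shell\open\command=RECYCLER\boot.exe
shell\explore\command=RECYCLER\boot.exe
shellexecute=RECYCLER\boot.exe
UseAutoPlay=1
"""

# Constructed: what a vendor's installer CD might legitimately carry.
VENDOR_AUTORUN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

EXEC_DIRECTIVES = ("open", "shellexecute")
# Hidden or system folders worms favour for the payload.
HIDDEN_DIRS = ("recycler\\", "$recycle.bin\\", "system volume information\\")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section; lines that are not key=value are ignored."""
    keys, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys


def assess_autorun(keys):
    """Return findings as (kind, key, value) tuples."""
    findings = []
    for key, value in keys.items():
        if key in EXEC_DIRECTIVES:
            findings.append(("executes-on-autoplay", key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(("hijacks-explorer-verb", key, value))
    if keys.get("action", "").lower().startswith("open folder to view files"):
        # copies the wording of Windows' own AutoPlay choice
        findings.append(("mimics-windows-autoplay-text", "action", keys["action"]))
    icon = keys.get("icon", "").lower()
    if icon.endswith(("shell32.dll,3", "shell32.dll,4")):  # shell32's closed/open folder icons
        findings.append(("folder-icon-disguise", "icon", keys["icon"]))
    targets = {v.lower() for k, v in keys.items()
               if k in EXEC_DIRECTIVES or k.endswith("\\command")}
    for target in sorted(targets):
        if target.startswith(HIDDEN_DIRS):
            findings.append(("target-in-hidden-system-dir", "target", target))
    return findings


def verdict(keys):
    """'malicious' on any Explorer hijack or disguise, 'review' for plain AutoPlay use, else 'clean'."""
    kinds = {kind for kind, _, _ in assess_autorun(keys)}
    if kinds - {"executes-on-autoplay"}:
        return "malicious"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    for name, text in (("worm", WORM_AUTORUN), ("vendor", VENDOR_AUTORUN)):
        parsed = parse_autorun(text)
        print(name, verdict(parsed), assess_autorun(parsed))
```

A plain `open=` on its own is only graded "review" because installer media legitimately uses it; the Explorer-verb hijack, the folder-icon disguise and a payload hidden under RECYCLER or System Volume Information have no legitimate use and are what separates a worm's file from a vendor's.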

KrazyIvan, Jun 13th 2008:

    Madrid, June 13, 2008 - PandaLabs' report this week focuses on the Banbra.FUD and Dadobra.APK Trojans, and the MalwareProtector 2008 adware.

    The Banbra.FUD Trojan uses the Microsoft Internet Explorer icon. When run, the file with the malicious code establishes an FTP connection with a specific IP address, loading the file with the name of the affected computer followed by the word Aviso (Warning).

Banbra.FUD creates several files on the infected system and keys in the Windows registry. When users connect to specific online Brazilian banks, an error message is displayed and a window with a spoof bank url is opened where users are asked to enter their login details.

    On reentering their credentials, the Trojan intercepts them and adds them to the text file, which is later sent via FTP to the IP address mentioned earlier.

    Additionally, this Trojan deletes security application files and other banker malware files.

    The Dadobra.APK Trojan is designed to download other files infected by banker malware, generically detected as Banbra.FTX by Panda Security solutions.

When users run a file infected by Dadobra.APK, a video in which a football field is shown is played, to fool users while the Trojans continue carrying out malicious actions.

    Finally, MalwareProtector 2008 is an adware (program designed to show unwanted advertising) which simulates system scans and encourages users to buy software to delete the malware which has supposedly been found.

    When run, it modifies the desktop wallpaper, displaying a message informing users the computer is infected by spyware. Then, a window is displayed recommending users to download anti-spyware software. If the download is rejected, a screensaver with cockroaches eating the desktop wallpaper is displayed.

    If users download the application, it simulates a computer scan and displays a list of the malware supposedly installed on the system. If users choose to delete the malicious code, a message is returned claiming the software is not registered and users must pay to use it.

KrazyIvan, Jun 24th 2008:

    Madrid, June 20, 2008 - This week's PandaLabs report looks at the PGPCoder.E and NoFreedom.A Trojans, as well as an application for creating worms, called Constructor/Wormer.

    PGPCoder.E is a ransomware Trojan, i.e. it is designed to seize information and blackmail the user into paying to recover it. It does this by encrypting all non-operating-system files (such as those with DOC, XLS, PDF, TXT, JPG, BMP, etc. extensions) contained on a computer when the file containing PGPCoder.E is run.

    At the same time, it releases two files. One of these is called ¡_READ_ME_!.txt, and contains a message informing users that the files have been encrypted and that to obtain the tool for decrypting them, they have to write to a certain email address.

    The second file has the same name as the malware, but with a .vbs extension. This file displays a message similar to the one described above.

    NoFreedom.A on the other hand, reaches computers in a file called svch0st.exe with a peculiar icon. When run, it opens Internet Explorer and connects to YouTube to show a video of a certain cartoon series.

    However, at the same time it creates several files and Windows registry entries, hiding the clock in the taskbar, disabling permissions to shut down or restart the PC and preventing the task manager from being run.

    Finally today, Constructor/Wormer is a tool for creating worms through a console in Visual Basic.

    Among other characteristics, this malicious tool includes options for compressing the malicious code created, enabling MuteX and selecting the icons to use. The most curious option however, is that users can choose to prevent the malicious code created from infecting removable drives, such as pen drives, etc.

KrazyIvan, Jul 18th 2008:

    Sinowal.VPB uses the Windows API to intercept network communications carried out by users. It is also designed to monitor users' access to online banks and capture the data entered (credit card numbers, passwords, etc.). Additionally, Sinowal.VPB creates a copy of itself on the system.

The Antivirus2008Pro adware tries to pass itself off as an antivirus to fool users. To do so, once run it displays a screen informing users they are infected. Soon after, it starts to scan the system and reports fake infections (see photo here: http://www.flickr.com/photos/9696103@N03/2678703471/).

In this case, hackers are after the money obtained by selling a pay-version of a false antivirus (see photo here: http://www.flickr.com/photos/9696103@N03/2679524216/).

    The Spammer_AIT Trojan is designed to steal all email addresses stored on the system and save them to a file. Then, it opens a port on the computer and adds itself to the list of authorized applications in the Windows Firewall so that cyber-crooks can access the stolen data.

    The information stolen from the infected computers is then stored on a web page. This Trojan's aim is to allow cyber-crooks to store a large number of email addresses for spamming purposes.

KrazyIvan, Jul 18th 2008:

WistaAntivirus passes itself off as an antivirus to fool users. When run, the malicious code displays a screen informing users their PC is infected, which is untrue (image here: http://www.flickr.com/photos/9696103@N03/2657324821/). To disinfect the system, users are invited to download anti-spyware software. If they don't, the system connects to a Web page and simulates an online computer scan, once again informing users about non-existent infections.

    The adware's objective is purely financial: it makes users believe they are infected so they 'purchase' the antivirus proposed by the malicious code.

    Buzus.AL is a worm with bot functions, designed to steal all sorts of credentials and send them to its creator via FTP. To infect more computers, it tries to spread through different channels (shared folders, removable drives, etc.).

Fractalove.A is a worm that spreads through email. To fool users, it passes itself off as a screensaver by the name of to_my_love.scr. If users download and run the file, they will be infected. To divert users' attention, it displays a screensaver with red fractals while it is installed on the computer, e.g. http://www.flickr.com/photos/9696103@N03/2657324879/

    This worm has keylogger functions; once on the computer, it steals confidential information and sends it to its creator. The data stolen includes IM passwords, mailbox passwords and passwords of programs like WebMoney, etc. Fractalove.A uses the information obtained on IM programs and via mail to send itself through those channels and infect new users.

    •  
      CommentAuthorKrazyIvan
    • CommentTimeJul 25th 2008
     

    Banbra.FXT reaches computers by email and passes itself off as a warning from Brazil's Federal Ministry (see photo here:
    http://www.flickr.com/photos/2695780604@N03/2678703471/). With information about a supposed investigation, the email encourages users to open an attached .Zip file.

    However, if the user downloads and runs the file, they will be introducing a Trojan into their computer. The Trojan loads several services to the system in order to monitor users' access to the web pages of some Brazilian banks and steal the confidential data they enter (passwords, account numbers, etc.).

    The Pushdo.C Trojan is designed to steal confidential data and send it to different servers to make it available to its creator. The data sent includes the infected computer's IP address, whether the infected user has administrator permissions or not, the hard disk serial number, the hard disk file system, etc.

    The danger to the infected computer increases as the malicious code is also designed to download other malware strains from the same servers it sends information to.

    The Agent.JEN Trojan spreads in emails that inform users about UPS' inability to deliver a package. These emails use subjects such as "UPS packet N3621583925". The message body informs the recipient that it was impossible to deliver a postal package sent by them and encourages them to print out a copy of the attached invoice copy.

    The invoice is included in an attached ".zip" file that contains an executable file disguised as a Microsoft Word document with names like "UPS_invoice". However, if the targeted user runs the file, they will be saving a copy of the Trojan to their computer.

    This malicious code copies itself to the system, replacing the Userinit.exe file in the Windows operating system. This file runs the Internet Explorer browser, the system interface and other essential processes. For the computer to continue working properly and to avoid raising suspicion of the infection, the Trojan copies the actual system file to another location under the name userini.exe.

    Finally, Agent.JEN connects to a Russian domain (already used by other banker Trojans) and uses it to send a request to a German domain to download a rootkit and an adware detected by PandaLabs as Agent.JEP and AntivirusXP2008 respectively.
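The Userinit replacement described for Agent.JEN touches one well-known persistence point, so a quick integrity check is worth having. The script below is an added example, not part of the PandaLabs report: it inspects the Winlogon Userinit value, verifies the signature on the real userinit.exe, and searches the Windows directory for a file named userini.exe (the name the report gives for the relocated original). It assumes Windows PowerShell 3 or later running with administrative rights.

```powershell
# Added example (not the report's or Panda's code): check the Winlogon Userinit
# persistence point for the tampering pattern described above.
function Test-UserinitIntegrity {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = Join-Path $env:SystemRoot 'System32\userinit.exe'
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Userinit is a comma-separated list; by default it holds only the real
    #    file (with a trailing comma). Any other entry is something extra.
    $value = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if ($entry -and $entry -ine $expected) {
            $findings.Add("Unexpected Userinit entry: $entry")
        }
    }

    # 2. The file the value points at must still be the Microsoft-signed binary.
    #    Catalog-signed files on older Windows can report NotSigned; compare the
    #    hash against a known-good copy there instead of trusting this alone.
    $sig = Get-AuthenticodeSignature -FilePath $expected
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings.Add("userinit.exe signature status: $($sig.Status)")
    }

    # 3. The report says the genuine file is parked as userini.exe; finding one
    #    is an indicator by itself. The recursive search can take a while.
    Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Filter 'userini.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Renamed original found: $($_.FullName)") }

    if ($findings.Count -eq 0) { $findings.Add('Userinit looks intact') }
    return $findings
}

Test-UserinitIntegrity
```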

    •  
      CommentAuthorKrazyIvan
    • CommentTimeAug 4th 2008
     

    The FBI and Facebook, a new lure for distributing malware
    PandaLabs, Panda Security's malware analysis and detection laboratory, has detected an email which includes a story about the FBI spying on Facebook as a cover for spreading the Nuwar.XM worm.

    The message subject is "FBI wants instant access to Facebook" and the text reads: "Facebookk FBI tie's" with a link supposedly pointing to the information. If users click the link, they will be taken to a Web page. This page has the following text: "Your download will Star shortly. If your unable to read the article, save it and run on your computer". The words "save it" include a hyperlink. As the article is not displayed, users will be tempted to click the link. However, if they do it, they will actually be downloading a copy of the worm onto their computer.

    •  
      CommentAuthorKrazyIvan
    • CommentTimeAug 22nd 2008
     

    This week's PandaLabs report looks at the Oscarbot.UG worm, the Spammer.AJF Trojan and a series of P2P applications used to distribute the adware Lop.

    Oscarbot.UG is a worm with backdoor features, which spreads using AOL Instant Messenger (AIM). When run, it copies itself to the system as well as USB drives that connect to it.

    The worm connects to a Web page and uses IRC to send and receive information. To prevent detection, it stops running if it finds that it is being tried on virtual machines such as VMware, a sandbox or in a honeypot (these tools are often used to check in a controlled environment if an executable file is running malicious commands).

    The Spammer.AJF Trojan is designed to send spam from infected computers. The email that it sends is written in Italian and has the following subject: "Ci sono i problemi con la potenzialita? D'ora innanzi non ci saranno piu".

    The Trojan creates several copies of itself on the infected system. It also creates a series of Windows Registry entries affecting Internet security, including one which prevents Internet Explorer from warning about non-secure or dubious Web pages.

    PandaLabs has also detected two spoof P2P application installers, BitRoll-5.0.0.0 and Torrent101-4.5.00.0, which are being used to install the Lop adware on users' systems.

    •  
      CommentAuthorKrazyIvan
    • CommentTimeSep 5th 2008
     

    AutoKitty.A is designed to spread to all computer drives and block the PC. This worm reaches computers as a Hello Kitty icon called "m_KITTYKAT.EXE". When run, it carries out numerous malicious actions:

    * Blocks the right-click function.
    * Blocks hidden folders.
    * Modifies the User ID and Windows ID in System Properties.
    * Disables access to the Registry.
    * Disables the MS-DOS command line.
    * Blocks access to the task manager.

    This worm also copies itself to all the system drives, including the removable drives.

    The MeteorBot.A backdoor reaches computers as an icon called "iconos.exe". When run, it displays a photo of a young boy with no associated text (image here:
    http://www.flickr.com/photos/panda_security/2829376735/). This malicious code is designed to open a silent Internet Explorer connection and leave it open to TCP traffic through port 81, connecting to a specific IP from which it receives its creator's instructions.

    MeteorBot.A repeats all its malicious processes every time the computer is restarted, making sure it is active in each new session.

    LowZone is a Trojan that tries to steal personal information stored on users' computers (passwords, user names, etc.) to send to its creator through users' mail system.
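The lockdowns listed for AutoKitty.A (no right-click menu, hidden folders not shown, Registry Editor, command line and Task Manager disabled) all correspond to standard Windows policy values, so an infected or cleaned machine can be checked for them directly. The script below is an added example, not part of the PandaLabs report; the registry locations are the usual Explorer and System policy keys, not details taken from the report, and the assumption that "User ID and Windows ID" means the RegisteredOwner and RegisteredOrganization strings is mine. It assumes PowerShell 3 or later on Windows.

```powershell
# Added example (not the report's or Panda's code): report the policy values
# behind each lockdown the report lists, with the value a clean machine shows.
function Get-LockdownPolicyFinding {
    $pol = 'Software\Microsoft\Windows\CurrentVersion\Policies'
    # Clean: the value on an untouched machine. AbsentIsLocked: whether a
    # missing value should itself count as a lockdown (true only for SHOWALL,
    # which Explorer needs in order to offer "Show hidden files").
    $checks = @(
        @{ What='Right-click context menu blocked'; Key="HKCU:\$pol\Explorer"; Name='NoViewContextMenu'; Clean=0; AbsentIsLocked=$false },
        @{ What='Registry Editor disabled';         Key="HKCU:\$pol\System";   Name='DisableRegistryTools'; Clean=0; AbsentIsLocked=$false },
        @{ What='Task Manager disabled';            Key="HKCU:\$pol\System";   Name='DisableTaskMgr'; Clean=0; AbsentIsLocked=$false },
        @{ What='Command prompt disabled';          Key='HKCU:\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Clean=0; AbsentIsLocked=$false },
        @{ What='"Show hidden files" neutralised';  Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name='CheckedValue'; Clean=1; AbsentIsLocked=$true }
    )

    foreach ($c in $checks) {
        $current = $null
        if (Test-Path -LiteralPath $c.Key) {
            $current = (Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $locked = if ($null -eq $current) { $c.AbsentIsLocked } else { $current -ne $c.Clean }
        [pscustomobject]@{
            Check    = $c.What
            Value    = $current
            Locked   = $locked
            Location = "$($c.Key)\$($c.Name)"
        }
    }

    # Assumption: the "User ID and Windows ID" shown in System Properties are the
    # registered owner/organisation strings. There is no fixed clean value, so
    # they are reported for comparison with what the machine should display.
    $ver = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Check    = 'Registered owner / organisation (compare with expected)'
        Value    = "$($ver.RegisteredOwner) / $($ver.RegisteredOrganization)"
        Locked   = $null
        Location = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    }
}

Get-LockdownPolicyFinding | Format-Table -AutoSize
```

The same policy names can also be set under HKLM, so on a machine-wide lockdown repeat the HKCU checks against the HKLM hive.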

    •  
      CommentAuthorKrazyIvan
    • CommentTimeSep 12th 2008
     

    YTFakeCreator is a program that allows cyber-crooks to create spoof YouTube videos aimed at infecting users with malware. Potential victims receive an email promoting a video supposedly containing sensational content (erotic images of celebrities, death of famous people, etc.), which invites them to click a link to the video. This technique is known as social engineering.

    If they take the bait, users will be directed to a spoof YouTube page (image at: http://www.flickr.com/photos/panda_security/2840011688/), and will see an error message explaining that the video cannot be loaded until a certain component is downloaded (a codec, an Adobe Flash update, etc.). They will be prompted to download it. However, if they do this, they will actually be downloading some type of malware onto their computers.

    YTFakeCreator makes it easy to create these spoof YouTube pages, customizing the error message text and the time it takes to appear. It also allows cyber-crooks to insert the link to the malware to be downloaded onto users' computers, and even to create a false YouTube profile to enhance the realism of the page. And all of this can be done with just a single program (image:
    http://www.flickr.com/photos/panda_security/2839993538/).

    The malicious code distributed through these spoof pages can be chosen by the person creating the page: Viruses, worms, adware, Trojans...

    Trj/PHilto.A is an executable file that displays a video with adult content. It has an icon with an image of Paris Hilton, which when clicked displays a screen prompting users to download and view the video.

    If users choose the option to view the video, two new windows appear on the screen and the system connects to a web page to download the components needed (codecs) to view the video.

    A randomly-named, 303104-byte executable is downloaded, detected as Adware/NaviPromo.

    The W32/MSNBot.D.worm is a Messenger bot designed to steal data (usernames, passwords, addresses...) which could then be used fraudulently.

    The file has an MSN Messenger icon in order to confuse users. When the file is run the process goes resident on the system, and the MSN Messenger process is continually injected in the system's services, with the obvious intention of waiting to capture data from the computer and then distribute it.

    The file makes a copy of itself in C:\Windows and adds a registry entry in order to run on every system startup and to continue stealing data from the computer.

    This malware is normally distributed via email to contacts it captures in Messenger.

    Finally, it creates a .txt in C:\Windows to compile and save the stolen data.

 
Copyright Andrew Miller (Spode), 2008