I cleaned up most of the advertising fluff from this one.
Madrid, January 18, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) the Bagle.HX worm was responsible for most infections over the last week. Two strains of adware, Comet and Starware, come next in the ranking of the most active malware.
Top 10 TotalScan:
1 W32/Bagle.HX.worm
2 Adware/Comet
3 Adware/Starware
4 Adware/VideoAddon
5 W32/Bagle.QV.worm
6 Spyware/Virtumonde
7 Trj/Downloader.RZC
8 Adware/Lop
9 Trj/Rebooter.J
10 Adware/NaviPromo
Regarding new strains of malware that have appeared, the weekly report from PandaLabs looks at the MSNworm.BU and P2PShared.C worms.
MSNworm.BU spreads through MSN Messenger by sending a message with an attached compressed file to all the infected user's contacts. If any of these extract and run the file they will be infected. The messages have text similar to the following: "I cant remember anything from this picture", "is this you?", etc.
This worm connects to a web page, from which it downloads another malicious file. It also creates a key in the Windows Registry to ensure it is run every time the session is started up.
P2PShared.C reaches computers with an icon of two tools. When run, it shows an error message. To spread, it is copied to P2P directories with names such as "Windows Vista x86 MultiLang AutoPatcher.rar" or "MSN Messenger 8 Fully Patched for XP Sp2 and ViSTA.rar".
Nice work Ivan. I've stickied this post - I'm sure people rely on it!
I think it's invaluable, if you know what you're likely to invite in! Thanks again Ivan, your efforts are very much appreciated.
To anyone - if you want to subscribe to these updates, just subscribe to the discussion (left hand panel).
Cool! Oh man, now I feel the pressure. Subscribers.
I suppose a subscription fee would help take the pressure off Ivan.
Hmm, I don't think I would get very far charging for someone else's content.
Err, that was supposed to be a joke Ivan! Hence the wink.
Yeah, I know. Hence the ras.
Don't mind me, I am just in an ornery mood this morning.
Nemmind Ivan, I'm sure today will get better.
Ornery? That's what I call stuff that's standard, like "ornery tea" rather than Earl Grey or whatever. Ornery being a lazy way of saying ordinary.
Madrid, January 25, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 22.86% of protected computers were infected by some type of malware.
As for the most harmful codes this week, the list is headed by the Virtumonde spyware. Virtumonde has been designed to log keystrokes entered by users while they surf the Web and sporadically display adverts.
The list is completed by adware (NaviPromo, VideoAddon, etc.), designed to show ads to users through banners, pop-ups, etc.
TotalScan Top 10:
1 Spyware/Virtumonde
2 Adware/NaviPromo
3 Adware/VideoAddon
4 Adware/SaveNow
5 Adware/Lop
6 Adware/Comet
7 W32/Bagle.HX.worm
8 Adware/Gator
9 Adware/OneStep
10 Adware/AdRotator
"Many unscrupulous companies pay the creators of these malicious codes for advertising. This way, cyber-crooks profit financially from their infections", says Corrons.
This week's PandaLabs report also includes information about two new Trojans: Asprox.A and Romeo.C.
Asprox.A is designed to open a port on the infected computer and turn it into a proxy server. This could allow cyber-crooks to perform malicious actions (bank transfers with money coming from scams, send spam, etc.) from the infected user's computer using its IP address.
"This way, if the illegal action is detected and the authorities start looking for those responsible, the evidence will point to the infected user, whereas it will be very difficult to find the real culprit", says Corrons.
Romeo.C is installed on computers disguised as a Windows folder. This code has been designed to create or modify several keys in the Windows Registry, which allows it to perform malicious actions such as disable the system restore feature, hide the "Start" menu "Run" option, or hide file extensions.
Finally, every time the user starts up the computer, the Trojan will display the following text: "Su PC esta infestada por un virus de ultima generación" ("Your PC is infected by a latest generation virus").
"The large amounts of new malware created every day have made traditional solutions insufficient to combat malware. They simply cannot cope with it. These solutions need to be complemented with online tools capable of accessing a larger knowledge base and detecting much more malicious code," explains Luis Corrons, Technical Director of PandaLabs.
TotalScan Top 10
1 W32/Bagle.HX.worm
2 W32/Bagle.RC.worm
3 Adware/Comet
4 Adware/Starware
5 Adware/Lop
6 W32/Puce.E.worm
7 Trj/Spammer.ADX
8 Spyware/Virtumonde
9 Trj/Rebooter.J
10 Adware/NaviPromo
As for the most active codes this week, the list is headed by two variants of the Bagle worm. The Comet adware, which shows ads to users through banners, pop-ups, etc, comes in third place.
Regarding new strains of malware that have appeared this week, the PandaLabs report focuses on the Nabload.CXU Trojan and the Wow.SI, Lineage.HIT and Chike.B worms.
The Nabload.CXU Trojan spreads in emails with the subject "A Pessoa com o Maior Rabo do Mundo" (Portuguese: "The Person with the Biggest Backside in the World") and contains a text in Portuguese and a link to a video. However, if the user clicks the link, they will actually be downloading a copy of the Trojan onto their computer. Then, the Trojan plays a YouTube video to conceal its actions.
Also, this malicious code downloads two banker Trojans onto the computer to steal login data for accessing various banking entities' services.
Lineage.HIT is a worm with Trojan features. It is designed to steal sensitive information from the system as well as user names and passwords for the following online games:
* Lineage Lands of Aden
* Maple Story
* Legend of Mir
* World of Warcraft
Once run, WoW.SI copies itself to the root directory of all the system drives. Consequently, it can copy itself to removable devices (external hard disks, USB memory sticks, etc.) and run when connected to another computer.
The worm drops a rootkit on the system to hide its actions and make detection more difficult. It also connects to an HTTP address from which it downloads a malicious file and a copy of itself.
Chike.B is a worm that spreads by copying itself to removable drives and shared folders on the network. This malicious code changes the Windows explorer settings, disables the system restore feature and disables the Windows Registry.
Finally, it configures the Windows Registry to make sure it is run every time a session is started .
Percoban.A reaches computers disguised as a Word file. When run, it makes a copy of itself with names such as Rahasiamu.exe or Jangan Dibuka.exe (Indonesian for "your secret" and "do not open"). It also creates a Windows registry key to ensure that it is run on every session startup. In addition, it disables the Registry editor and the task manager and hides the search function in the Start menu.
Manclick.A is a worm that installs on computers under the guise of a Windows folder. When this worm is run, it passes itself off as the web page of the Google search engine. The appearance of this page is very similar to the original one and the results, if a user were to click them, could lead to malicious websites that download malware or take other malicious action.
The worm creates several copies of itself on the system and it also creates two registry keys to ensure it is run every time the system is started up. Similarly, it deletes certain Windows registry keys to prevent the computer from starting up in any of the available safe modes.
Dung.A is a worm that also enters computers using the icon of a Windows folder. This malicious code opens a random system port and waits to receive commands, sending requests to a certain web page.
This worm makes several copies of itself on the system and edits two Windows registry keys to be able to run every time a session is started.
As for the most active codes this week, the list is headed by the spyware program Virtumonde, followed by two adware samples: NaviPromo and VideoAddon.
Most active malware:
1 Spyware/Virtumonde
2 Adware/NaviPromo
3 Adware/VideoAddon
4 Adware/Comet
5 Adware/SaveNow
6 Adware/Zango
7 Adware/Lop
8 Adware/OnlineAddon
9 Adware/OneStep
10 Spyware/Vundo
Of the thousands of malicious codes that appeared this week, PandaLabs focuses on the Resentment.A and Nuwar.QI worms.
The first reaches computers disguised as a Windows folder. When run, it displays an error message and opens a Notepad file. It simultaneously creates several copies of itself on the system and edits a key in the Windows Registry to ensure it is run every time a session is started. It also replaces the Internet Explorer start page for a fake error page.
When users click on "actualizar" (update), the worm sends an email via a JavaScript form to an email address. "The surprising thing is that the email is sent to a specific company, indicating that two employees should be fired. This raises suspicions of personal quarrels between the worm distributor and the staff in question," comments Corrons.
Nuwar.QI on the other hand, is a worm designed to send spam. To do so, it uses users' PCs as servers, causing them to slow down.
The emails use romantic subjects - which are especially effective since they were distributed on Valentine's day - to tempt users into opening the attached file. If they do, users will view a romantic card while downloading a copy of the worm.
I apologize for the lack of updates but my new job has taken a lot of free time I had away from me. As I ease into this new position things should start returning back to normal. Here is this week's update:
Regarding the most prevalent malicious codes last week, the list is headed by the Comet adware, which shows ads while users surf the Internet. The Bagle.RP and Puce.E worms take second and third place respectively.
These malicious codes use their own means to spread from one computer to another.
Top 10 TotalScan
1 Adware Comet
2 Worm Bagle.RP
3 Worm Puce.E
4 Adware Starware
5 Spyware Virtumonde
6 Worm Archivarius.A
7 Worm Bagle.SB
8 Trojan Rebooter.J
9 Worm Bagle.RC
10 Adware SaveNow
As for the thousands of new codes that have appeared this week, the PandaLabs report looks at EbayRob.B and WinFake.A.
EbayRob.B is a Trojan designed to steal data entered in online forms on sites like eBay. This data is later on sent to the malware creator by email.
The Trojan modifies the Windows Registry in order to register itself as a service, which allows it to run automatically every time Windows is started up. It also edits the hosts file to redirect access to a series of websites to the affected computer. By doing this, the Trojan will be able to monitor access to those addresses.
When run by the user, EbayRob.B displays a series of car photos.
Winfake.A is a worm that infects all available drives. It also prevents certain utilities, functions (like regedit) or the Windows console from being run, and hinders the normal use of the clipboard.
The worm appears as a Microsoft Word icon called Love. Once run, it makes several copies of itself on the system and names them after songs to entice users to run them.
Madrid, March 21, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 25.41% of computers with a security solution installed were infected.
"Given the vast amount of new samples of malware in circulation every day, security laboratories are saturated and solutions can no longer be updated in time. That's why traditional solutions need to be complemented with online tools capable of accessing a larger knowledge base and detecting much more malicious code," explains Luis Corrons, Technical Director of PandaLabs.
Among the thousands of malicious codes that have appeared this week, the present PandaLabs report focuses on the Bankolimb.AF Trojan and the Autorun.RS worm.
When it is run, Autorun.RS releases two files on the computer designed to steal passwords for online games.
"The use of worms that can steal passwords, a feature more often associated with Trojans, is a growing trend. The reason is that worms, unlike Trojans, can spread by themselves, which represents a real advantage for cyber-crooks", says Luis Corrons.
Theft of passwords for online games is motivated by the potential financial returns that this can generate. In these games, there are levels and items that can only be achieved through skill and experience.
However, many users are willing to pay for them on forums, web pages, etc. Cyber-crooks readily profit from this situation.
The Bankolimb.AF Trojan drops several libraries on the computer, one of which is registered as a BHO (Browser Helper Object). This allows it to monitor the user's Internet activity, detect when they access online banking pages, and add fields to the forms users see on these pages in order to collect additional information.
The Trojan captures keystrokes to steal passwords entered into these pages. It then sends the information to its creator, uploading a file with the data to a server.
Madrid, March 28, 2008 - According to the data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 21% of protected computers were infected by malware.
"Traditional solutions are no longer enough to combat the increasing number of new malware samples that appear every day. The solutions need to be complemented with online tools that access a larger knowledge base and detect more malware," says Luis Corrons, Technical Director of PandaLabs.
The Comet adware, designed to display ads while users surf the Web, is the malicious code that has infected most computers this week. The Puce.E and Bagle.RP worms are next on the list.
Top 10 TotalScan
1 Adware/Comet
2 W32/Puce.E.worm
3 W32/Bagle.RP.worm
4 Adware/OneStep
5 W32/Archivarius.A.worm
6 Adware/Zango
7 Adware/Starware
8 W32/Bagle.RP.worm
9 Trj/Downloader.SZW
10 Adware/SpyAxe
Regarding new strains of malware that have appeared, the weekly report from PandaLabs looks at the Nakuru.A and Selex.B Trojans, and the RenameLoi.A worm.
When run, Nakuru.A slows down the infected computer's Internet connection. It also modifies the Internet Explorer windows by including the title: "Welcome to Your New Home Page".
Selex.B on the other hand, is a Trojan designed to capture system information and send it to its creator; it steals email addresses from the infected computers to spam them.
To fool users, the first time it runs, it displays a page which looks like it's downloading a download manager called: "Fastlane Downloader 3.34b".
When run for the first time, the RenameLoi.A worm displays a beeping Internet screen with a green background and a religious text, which it establishes as the Internet Explorer home and search page, and which it displays every time the PC is restarted.
When the computer is started, it shows another screen, with the text "[Day of judgment]". To spread, this worm copies itself to the removable drives on the computer and to the system.
Additionally, it modifies the Internet browser home and search page and carries out annoying and malicious actions like hiding files with system file attributes.
Madrid, April 4, 2008 - During the last week, the Virtumonde spy program has been the threat that has infected most computers according to data compiled by PandaLabs, the malware detection and analysis laboratory at Panda Security. The Bagle.HX worm and the adware NaviPromo are in second and third place in the week's Top 10 ranking.
Top 10 - TotalScan
1 Spyware/Virtumonde
2 W32/Bagle.HX.worm
3 Adware/NaviPromo
4 Adware/Comet
5 W32/Bagle.RP.worm
6 W32/Puce.E.worm
7 Adware/Zango
8 Adware/Lop
9 W32/Bagle.QV.worm
10 Adware/Starware
This week, over 23% of computers protected with a security solution were infected, while the figure for unprotected computers was over 32%.
From the malicious codes that have appeared over the last seven days, this week's PandaLabs report focuses on the QQHelper.Z Trojan, the adware AntispywareMaster and the Rungbu.D worm.
QQHelper.Z is designed to drop two rootkits on computers in order to hide its processes, thereby making it more difficult to detect. This Trojan connects to a web page and also makes a series of modifications to the system including adding a link in the Favorites folder.
The AntispywareMaster adware simulates an antispyware program to trick users into installing and running it on their computers. This adware also creates shortcuts in the Start menu and on the Desktop. When run, it appears as if it is scanning the computer for malicious code, displaying random 'detection' results.
"When we analyzed this malicious code we found a file containing information about the infections to display. So, seemingly, this 'antispyware' already knows the malicious code it will detect, before it has even begun to scan the computer! Evidently, this is a malicious program", explains Luis Corrons, technical director of PandaLabs.
Once the supposed scan has finished, if users try to disinfect their computers, they will be taken to a web page from which they can buy the product.
The Rungbu.D worm is designed to copy itself to all system drives. It also modifies certain Windows registry keys in order to carry out malicious action including hiding file extensions, changing Microsoft Word icons for another icon included in the worm's code and executing itself on every system restart.
Virus Alerts, by Panda Security (http://www.pandasecurity.com)
Madrid, April 30, 2008 - This week's PandaLabs report looks at the Bless.A and VirusRemoval.A worms and the Qhost.HU Trojan.
Bless.A is a worm that modifies the Windows registry, so that all Microsoft Internet Explorer windows have the title .:iscus-X SAY MET LEBARAN! [HAPPY LEBARAN ?!], in reference to a Muslim holiday.
The worm creates several copies of itself on the system and also generates the autorun.inf file in the root directory of all hard disks, shared drives and removable drives.
The VirusRemoval.A worm is designed to delete files associated with other types of malware on all removable drives on the computer. It also creates the autorun.inf file in order to run automatically every time a drive is connected.
VirusRemoval.A also changes the Microsoft Internet Explorer start page and disables the Windows Registry editor and task manager.
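Both Bless.A and VirusRemoval.A above spread with an autorun.inf in the root of every drive. The following is an added example, not Panda's code and not part of the original report: a small Python parser that reads the launch directives such a file carries and flags the ones a worm depends on. Both sample files are constructed for the example, and the RECYCLER\x\ise.exe path in the malicious one is made up.

```python
"""Parse autorun.inf and flag the directives a worm needs to auto-start.

Added example, not Panda's code. Both sample files are constructed and the
RECYCLER\\x\\ise.exe path is invented.
"""
import glob
import os
import re
import string
from pathlib import Path

# Directives that make Windows versions which still honour AutoRun on
# removable drives start a program on insert or on double-click in Explorer.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

SAMPLE_MALICIOUS = r"""[autorun]
;zqkxw
open=RECYCLER\x\ise.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell=open
shell\open\Command=RECYCLER\x\ise.exe
shell\explore\Command=RECYCLER\x\ise.exe
<junk padding without an equals sign>
"""

SAMPLE_BENIGN = """[autorun]
label=Photos 2008
icon=photos.ico
"""


def parse_autorun(text):
    """Return {directive: value} from the [autorun*] sections, keys lower-cased.

    Hand-rolled rather than configparser: malicious files pad the section
    with junk lines and duplicate keys that configparser rejects.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()  # later duplicates win
    return entries


def assess_autorun(text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    entries = parse_autorun(text)
    findings = []
    launchers = [k for k in entries if k in LAUNCH_KEYS or VERB_COMMAND_RE.match(k)]
    for key in launchers:
        findings.append(f"{key}={entries[key]} runs a program on insert or double-click")
    # Worms relabel their launch entry with Explorer's own wording so the
    # AutoPlay dialog looks like the normal "open folder" choice.
    if launchers and "open folder" in entries.get("action", "").lower():
        findings.append(f"action={entries['action']!r} mimics Explorer's own AutoPlay entry")
    # shell=open plus shell\open\command hijacks what double-clicking the drive does.
    if entries.get("shell", "").lower() in {"open", "explore"} and any(
        VERB_COMMAND_RE.match(k) for k in launchers
    ):
        findings.append(f"shell={entries['shell']} makes double-click run the supplied command")
    return findings


def audit_drive_roots(roots):
    """Map each drive root that carries an autorun.inf to its findings."""
    report = {}
    for root in roots:
        for name in ("autorun.inf", "AUTORUN.INF"):  # FAT media may keep either case
            inf = Path(root) / name
            if inf.is_file():
                report[str(root)] = assess_autorun(inf.read_bytes().decode("latin-1"))
                break
    return report


def default_roots():
    """Drive letters on Windows; mounted removable media elsewhere."""
    if os.name == "nt":
        return [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]
    return glob.glob("/media/*/*") + glob.glob("/run/media/*/*")


if __name__ == "__main__":
    for label, sample in (("constructed worm file", SAMPLE_MALICIOUS),
                          ("constructed camera card", SAMPLE_BENIGN)):
        print(label, assess_autorun(sample) or ["nothing to report"])
    for root, findings in audit_drive_roots(default_roots()).items():
        print(root, findings or ["nothing to report"])
```

Run it with no arguments to see the two samples assessed and every currently mounted drive root checked. A launch directive on a vendor CD is normal; the same directive on a USB stick, combined with an "Open folder to view files" action label, is the pattern every autorun worm in these reports uses.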
Finally, the Qhost.HU Trojan hides behind a legitimate web page to change the Host file of computers that visit the page. Then, when users try to enter certain web pages related with banks, they will be redirected to fraudulent pages and their confidential information could be stolen.
To distract the user, the Trojan redirects the browser to a web page displaying an article about the death of a journalist. However, at the same time and without the user realizing, it modifies the system Host file.
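Qhost.HU here and EbayRob.B in an earlier report both rewrite the hosts file: one sends banking domains to an attacker-controlled address, the other routes them to the infected machine itself. The following is an added example, not Panda's code and not part of the original post: a Python audit of a hosts file that reports both patterns and groups the hostnames pinned to the same address. The sample file, the .test domains and the 203.0.113.45 address are all constructed (reserved example names and a documentation address), so nothing here refers to a real site.

```python
"""Audit a hosts file for the redirections Qhost.HU and EbayRob.B make.

Added example, not Panda's code. SAMPLE_HOSTS and WATCH_DOMAINS are
constructed: .test names are reserved examples and 203.0.113.45 is a
documentation address.
"""
import ipaddress
import os
import platform
import sys

# Names that legitimately map to the machine itself and are never a finding.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
    "ip6-loopback", "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes",
    "ip6-allrouters",
}

# Constructed stand-ins for the bank and auction sites the reports mention.
WATCH_DOMAINS = ("examplebank.test", "example-auction.test")

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- constructed tampering below this line ---
203.0.113.45    www.examplebank.test
203.0.113.45    online.examplebank.test secure.examplebank.test
127.0.0.1       signin.example-auction.test   # answered by a local listener
0.0.0.0         update.example-av.test
"""


def hosts_path():
    """Location of the hosts file on this platform."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip_address, hostname, line_no); comments and malformed lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower().rstrip("."), line_no


def audit_hosts(text, watch_domains=WATCH_DOMAINS):
    """One finding per hostname that is neither a loopback alias nor a bare machine name."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES or "." not in name:
            continue  # loopback aliases and the local machine name are normal
        watched = any(name == d or name.endswith("." + d) for d in watch_domains)
        if ip.is_loopback or ip.is_unspecified:
            why = "routed to this machine: a local listener answers instead of the real site"
        else:
            why = f"pinned to {ip}, bypassing DNS"
        findings.append({"line": line_no, "name": name, "ip": str(ip),
                         "watched": watched, "why": why})
    return findings


def shared_targets(findings):
    """Addresses that several flagged hostnames share: the fan-in a pharming kit produces."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], []).append(f["name"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # no readable hosts file: demonstrate on the constructed sample
    found = audit_hosts(text)
    for f in found:
        flag = "WATCHED " if f["watched"] else ""
        print(f"line {f['line']}: {flag}{f['name']} -> {f['ip']}: {f['why']}")
    for ip, names in shared_targets(found).items():
        print(f"{ip} answers for {len(names)} flagged names: {', '.join(names)}")
```

Pass a hosts file path as the first argument, or run it with none to audit the local file (falling back to the constructed sample). Any line that maps a dotted public hostname to an address is worth a look on a workstation; a watched domain pinned to an outside address is the Qhost.HU case, and one pointed at 127.0.0.1 or 0.0.0.0 is the EbayRob.B case or an update-blocking entry.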
Madrid, May 9, 2008 - PandaLabs' report this week focuses on the Manclick.B worm and the Kukuku.A and Kleste.A viruses. It also provides information about the WmaDownloader.G Trojan distributed through P2P networks and the Mozilla-Firefox plug-in that installs the Xorer.T malware on computers.
Manclick.B is a worm whose main function is to open specific web pages.
When run, it creates several copies of itself on the infected system and creates keys in the Windows registry. Actions taken by this worm include blocking several applications, disabling the Registry Editor and the Windows Start menu, and preventing the computer from starting in safe mode.
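Manclick.B here, like Percoban.A, Manclick.A, Dung.A and Rungbu.D in the earlier reports, lives in the registry: a Run value for persistence, policy values that disable regedit and Task Manager, and deleted SafeBoot keys to stop safe mode. EbayRob.B registers itself as a service and Bankolimb.AF as a BHO the same way. The following is an added example, not from Panda or the original post: a Python parser for a .reg export that reports exactly those entries. The export text is constructed; the value names reuse file names from the reports, but every path, the service name and the BHO CLSID are made up.

```python
"""Audit a Windows .reg export for the registry changes the reports describe.

Added example, not Panda's code. SAMPLE_REG is a constructed export: the
value names reuse file names from the reports, but every path, the service
name and the BHO CLSID are invented for the example.
"""
import sys
from pathlib import Path

# Keys whose values start programs at logon (suffix match, case-insensitive).
RUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                "\\currentversion\\runservices")
BHO_MARK = "\\explorer\\browser helper objects\\{"
SAFEBOOT_MARK = "\\control\\safeboot\\"
# None of these policy values is set on a default install; the worms above
# set them to 1 to lock the user out of the tools they would use to clean up.
POLICY_FLAGS = {
    ("\\policies\\system", "disableregistrytools"): "Registry Editor disabled",
    ("\\policies\\system", "disabletaskmgr"): "Task Manager disabled",
    ("\\policies\\explorer", "norun"): "Start menu Run entry hidden",
    ("\\policies\\explorer", "nofind"): "Start menu Search entry hidden",
    ("\\policies\\explorer", "nofolderoptions"): "Folder Options hidden",
    ("\\windows nt\\systemrestore", "disablesr"): "System Restore disabled",
}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Rahasiamu"="C:\\WINDOWS\\Rahasiamu.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind"=dword:00000001
"NoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A1B2C3D-0000-4000-8000-000000000000}]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fakesvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,78,00,\
  2e,00,65,00,78,00,65,00,00,00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
"""


def _logical_lines(text):
    """Join hex(...) values that regedit wraps with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def decode_value(data):
    """Decode one .reg data field into str, int, bytes or None (value deletion)."""
    if data == "-":
        return None
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    low = data.lower()
    if low.startswith("dword:"):
        return int(data[6:], 16)
    if low.startswith("hex"):
        kind, _, body = data.partition(":")
        raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
        if kind.lower() in ("hex(2)", "hex(7)"):  # REG_EXPAND_SZ / REG_MULTI_SZ, UTF-16LE
            return raw.decode("utf-16-le", errors="replace").split("\x00")[0]
        return raw
    return data


def parse_reg(text):
    """Return ({key_path: {value_name: value}}, [deleted_key_paths])."""
    keys, deleted, current = {}, [], None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):          # [-KEY] deletes the key
                deleted.append(body[1:])
                current = None
            else:
                current = body
                keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip().strip('"')
        keys[current][name] = decode_value(data.strip())
    return keys, deleted


def audit_reg(text):
    """Return (category, key, name, detail) tuples for the entries worth a look."""
    keys, deleted = parse_reg(text)
    findings = []
    for key, values in keys.items():
        k = key.lower()
        lowered = {n.lower(): v for n, v in values.items()}
        if k.endswith(RUN_SUFFIXES):
            for name, data in values.items():
                if data is not None:
                    findings.append(("persistence", key, name, data))
        if BHO_MARK in k:
            findings.append(("bho", key, "@", values.get("@", "")))
        if "\\services\\" in k and "imagepath" in lowered:
            findings.append(("service", key, "ImagePath", lowered["imagepath"]))
        for (suffix, vname), why in POLICY_FLAGS.items():
            if k.endswith(suffix) and lowered.get(vname) == 1:
                findings.append(("policy", key, vname, why))
    for key in deleted:
        if SAFEBOOT_MARK in key.lower():
            findings.append(("safeboot", key, "-", "safe-mode boot list deleted"))
    return findings


def audit_reg_file(path):
    """regedit 5.00 exports are UTF-16 with a BOM; older REGEDIT4 files are ANSI."""
    data = Path(path).read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return audit_reg(data.decode("utf-16"))
    return audit_reg(data.decode("cp1252", errors="replace"))


if __name__ == "__main__":
    results = audit_reg_file(sys.argv[1]) if len(sys.argv) > 1 else audit_reg(SAMPLE_REG)
    for category, key, name, detail in results:
        print(f"{category:12} {key}\n{'':12} {name} = {detail}")
```

Feed it an export such as the output of reg export HKCU hkcu.reg (and the same for HKLM); reg.exe is not blocked by the DisableRegistryTools policy the worms set, so the export still works on an infected machine. Every Run value is listed rather than judged, because the honest ones (ctfmon.exe in the sample) are only distinguishable by comparing against a known-good machine.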
Among the visible symptoms of the Kukuku.A virus are; changing the Internet Explorer home page and opening several windows displaying Asian websites. It also connects to an Internet address to download malware onto the computer (the Admoke adware, the Agent.ISE and Delf.AIN Trojans, etc.).
The Kleste.A virus uses the name net.exe and the default Windows executable file icon to distribute itself. When run, it copies itself to c:\, using the same name, net.exe, and drops the winini.exe file that acts as a downloader Trojan on the computer.
It also drops the winsys.sys file which acts as a rootkit to avoid being detected by antiviruses in the c:\Windows\system32\drivers directory.
Then, it infects the other executable files on the system by adding the code necessary to connect to a web address from which to download up-to-date versions of the virus.
The WmaDownloader.G Trojan, on the other hand, is distributed through P2P networks in the form of false files with MP3 and MPG extensions. When run, they connect to an Internet address that offers users the possibility of downloading a specific multimedia player.
Finally, PandaLabs informs about a Mozilla-Firefox plug-in that has been distributed from the Firefox website in the last few months. The plug-in was for the Vietnamese language and ran files on a specific web page, downloading the Xorer.T malware onto the system.
Although the plug-in can no longer be downloaded from the official Firefox website, we recommend users who have downloaded it to scan their computers for free with the new ActiveScan 2.0 (available at http://www.infectedornot.com) to check whether they are infected.