Posts tagged as: Trojan

Trojan targets Firefox users

by certifiedbug on December 5, 2008

in Browser

The malware harvests web passwords and logins which it forwards to a domain in Russia.

It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.

It filters the URLs visited within the Mozilla Firefox browser, and whenever it encounters one of the following addresses being opened it captures the login credentials.

List here.

When it runs on a PC, it registers itself in Firefox’s system files as “Greasemonkey,” a well-known collection of scripts that add extra functionality to Web pages rendered by Firefox.

Jeremy Kirk (IDG News Service) report: NetWorkWorld

Malware screensaver “2008BeijingOlympics.scr”

by certifiedbug on August 10, 2008

in Security

When you run the program, it actually displays some nice pictures of some of the Olympic stadiums, so people may not notice the payload installing a keylogger onto their computers. The trojan drops two files named ‘wuauct.exe’ and ‘81.dll’, and launches ‘wuauct.exe’, which tries to connect to an IP address in China on port 81 by injecting code into Explorer.exe.

http://blogs.technet.com/mmpc/default.aspx

Trojan ‘fastmp3player’ fake MP3, MPG files

by certifiedbug on May 6, 2008

in Security

Flagged red at Site Advisor

Internet Storm Center 2008-04-29 Scripts in ASF files

Reported 2008 Apr 07 at Bit Defender as Trojan.Downloader.WMA.Wimad.N
Spreading: very low

Not any more. Helped along by P2P users, this one is now spreading fast. When a user attempts to load one of these MP3 and MPG files, which are fake and contain no media clips, they are directed to download a file named PLAY_MP3.exe.

McAfee May 6, 2008 Fake MP3s Running Rampant

Detection of a trojan named Downloader-UA.h was added to the McAfee DAT files several days ago. Since that time more than 360,000 McAfee VirusScan Online users have reported detections, a whopping 32% of those reporting in the past 24 hours alone. Now, Downloader-UA.h is not your everyday trojan: this detection covers fake music and video files associated with fastmp3player.com.

Users say they have downloaded this .exe using P2P clients such as Limewire. Now why would you want to do that, eh?

.exe means executable, no stopping, no pass go.

Dangerous 3D Screensaver spam

by certifiedbug on March 10, 2008

in Security

Be mindful of malicious spam pushing screensavers with backdoor trojan payloads.

According to Sunbelt’s blog, the trail of this new wave of spam leads back to the malware-loading group “Loads.cc”, who are using a new domain for their botnets after being taken off-line in January 2008 by a DDoS attack from a rival malware gang.

October 2007 Article at PCWorld.

WinReanimator SpyBurner Rogue antispyware programs

by certifiedbug on February 16, 2008

in Rogue

New Rogues:

WinReanimator is a rogue security program that is advertised and installed by the Vundo Trojan and other malware. The Vundo infection is typically installed by visiting, or downloading executables from, certain pornographic or crack sites. Once installed, the infections will bombard the infected computer with popups and fake security alerts stating that your computer is infected or has security risks. When you click on these popups you will be presented with a variety of rogue anti-spyware programs, including WinReanimator, stating that you are infected and that you should install their products. Remember that these are all scams and ads delivered by the infections and should be ignored.

Another byproduct of these infections is an alert icon (a fake taskbar alert) that appears in your Windows taskbar and periodically displays fake security alerts and warnings. The title of these alerts is “Windows antivirus” and they contain the following text:

Windows has detected spyware infection!

It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you

Click here to protect your computer from spyware!

Removal Instructions.

SpyBurner is a program classified as a rogue anti-spyware program. Rogue anti-spyware programs are ones that are installed or advertised via malware, use deceptive advertising, or use false positives in the scan results to convince a user to purchase the commercial version of the software. These programs also typically will not allow you to remove anything they find without first paying to register the program. SpyBurner is classified as one of these programs because it is advertised through the use of malware and Trojans that display fake security alerts on your Windows taskbar.

Removal Instructions.

Beware Google Search email alerts on Blogger

by certifiedbug on February 4, 2008

in Rogue

I saw this article over at NetWorkWorld dated 01/31/08: Google blog used to spread malware

A Google-hosted blog is running phony security content that’s linked to malware, as well as using Google’s automated notification service to try to entice subscribers to click on an infected link, says one security expert.

“This is the first time we’ve seen something like this,” Elzam says. “If you get a message from a Google alert, you might think this is a service you can trust. But it’s directing you to a rogue site with fake security software.”

This stuff is not new, but it is getting worse. A few days ago one of my alerts for Google Blogs provided a link which opened to a graphic pOrn page complete with videos and ‘click this to play’. That is a shortcut to infection via fake codecs; don’t ever click that junk.

I was watching for blogs containing the name of an outfit not usually associated with pOrn.

Fellow MVP TeMerc has been tracking Malware dispensing Google Blogs for some time:
More Blogspot Malware
Google Blogger Blogs Carry WinAntiVirus Ads

Storm Worm botnet

by certifiedbug on December 31, 2007

in Security

Storm is evolving into a very complex beast.

From rbnexploit.blogspot

Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff.

There are some interesting elements which make this attack innovative:

# Although much of what is detected is conventional spam, there is also a large amount of spam which is getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links.

# Although most have identified it as the Zhelatin Storm email worm or a variant, it also appears as the more recent fake codec downloads, depending on where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.

RBN – New and Improved Storm Botnet for 2008

Source: Harry Waldron

Intertwined. Malware on Google Blogspot

Users are getting infected every day with no interaction required, unlike some of these Zlob\Codec sites where users are duped into downloading something, or the current run of Storm variants being pushed via Blogspot for that matter.

If you have the misfortune to be infected, I suggest you seek help at one of the sites listed in the right side column under “Security Forums”.

Storm spams newyearwithlove exe

by certifiedbug on December 29, 2007

in Security

Storm mutates yet again.

Do not click on the links or attachments you may receive. These particular ones are so clearly spam; don’t be tempted to play chicken.

I am hammering it home as many will fall victim, especially during this holiday season with people receiving new computers for Christmas.

I tested this in a virtual machine:

Microsoft added detection of the Storm family of malware to the September build of its Malicious Software Removal Tool (MSRT) which is released as part of the monthly security update cycle. I recommend downloading and running each month’s updated version along with your other Microsoft updates.

However, MSRT is released only once a month, so please keep all your security software up to date.

New Year spam happy2008.exe delivers malware

by certifiedbug on December 26, 2007

in Security

With the New Year at hand, malicious email is on the rise.

You may receive something similar to this:

It’s the new Year
Joyous new year

It contains a link that one obviously should not click to open.

During two separate downloads, it was detected as delivering TR/Rootkit.Gen and TR/Renos.31288.28.

MSN Trojan spreading

by certifiedbug on November 19, 2007

in Security

An MSN Messenger Trojan spreading like wildfire via an IRC botnet is infecting thousands of computer systems worldwide.

The malware poses as pictures, with a message similar to “hey, this your pic” or “hey, is this your pic on this site” and a URL from a site that hosts a picture rating service. Click on that and soon you will be part of a malware-spreading botnet. Owned.

The usual common sense applies: do not open files sent unexpectedly from friends or strangers.

The eSafe CSRT (Content Security Response Team) at Aladdin —a security company—detected the new threat propagating around noon EST on Nov. 18. At 18:00 UTC (Coordinated Universal Time), eSafe had detected 1 operator and more than 500 on-command bots in the network. Less than three hours later, or by 2:30 EST, when eWEEK spoke with Roei Lichtman, eSafe director of product management, the number had soared to several thousand PCs and was growing by several hundred systems per hour.

Lisa Vaas eWeek

eSafe reports the Trojan is the first they have tracked trying to scan for VNC (Virtual Network Computing).