
May 6, 2007

Trojan.Kardphisher spoofs Windows Activation

Symantec has an interesting article on Trojan.Kardphisher. It appears that this trojan pretends to be a legitimate Microsoft activation program and tricks the user into entering their credit card details to "activate" Windows.

The Trojan shuts down the compromised computer if the user does not enter their credit card numbers.

The Trojan prevents the user from running or switching to another application or task manager.

NEVER respond to emails or requests of this type: Microsoft does not send emails for this process and does not ask for credit card details, EVER!
Please read the Symantec article as it also contains graphics of what the trojan displays when it has been executed.

October 22, 2006

SpamThrough Trojan Analysis

From SpamThrough Trojan Analysis

Sometimes, when we shine a light on a particular piece of malware, we find some interesting things that would otherwise go unnoticed. One such piece of malware is the trojan sometimes called "Troj/SpamThru", among other names.
[snip]
Overall, detection by AV vendors is sparse, but that's to be expected given that SpamThru is a money-making operation, and the author takes great care to make sure that detection by the major vendors is avoided by frequently updating the code.
[snip]
Basically SpamThru is designed to send spam from an infected computer. This type of operation is now years old, however, SpamThru has some new twists.
[snip]
Anti-Virus Scanning
Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address. In the past, we've also seen malware which tries to uproot other competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running and then exiting at start.

SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.
[snip]
Although we've seen automated spam networks set up by malware before (Sober, Bobax, Bagle, etc) this is one of the more sophisticated efforts. The complexity and scope of the project rivals some commercial software. Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income.


Pretty slick, eh?
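The hosts-file trick quoted above (update hosts pinned to localhost) is easy to check for. The script below is an added example, not code from the SpamThru writeup or from this blog: it parses hosts-file text, flags any entry for a watched security-vendor hostname, and distinguishes blackholing (loopback or 0.0.0.0) from redirection to some other address, which is the worse case because the attacker can then serve fake "updates". The vendor suffix list and the sample hosts text are constructed for illustration; extend the list for whatever is deployed in your environment.

```python
"""Hosts-file tamper check for the AV-update blackholing described above.

Added example, not code from the SpamThru writeup or this blog. The vendor
suffix list and the sample hosts text are constructed for illustration."""
import ipaddress
import os
import sys
from typing import List, Tuple

# Assumed watch list: update/vendor hostnames that should never be pinned in a
# hosts file. Extend it for the products deployed in your environment.
WATCHED_SUFFIXES = (
    "kaspersky.com", "kaspersky-labs.com", "symantec.com",
    "symantecliveupdate.com", "mcafee.com", "nai.com", "trendmicro.com",
    "sophos.com", "windowsupdate.com", "update.microsoft.com",
)

Hit = Tuple[int, str, str, str]   # (line number, address, hostname, kind)


def default_hosts_path() -> str:
    """Where the hosts file lives on this OS."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every name on every valid entry,
    ignoring blank lines, comments and lines whose first field is not an IP."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed; leave for a syntax check
        for name in fields[1:]:
            entries.append((no, fields[0], name.lower().rstrip(".")))
    return entries


def is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def classify(address: str) -> str:
    """Loopback or 0.0.0.0 blackholes the host; anything else redirects it,
    which is worse because the attacker may be serving fake 'updates'."""
    addr = ipaddress.ip_address(address)
    return "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"


def find_hijacks(text: str) -> List[Hit]:
    """Return every watched hostname that the hosts file pins to any address."""
    return [(no, ip, host, classify(ip))
            for no, ip, host in parse_hosts(text) if is_watched(host)]


# Constructed sample; the two localhost lines are the normal, benign defaults.
SAMPLE_HOSTS = """# constructed sample hosts file, not from a real infection
127.0.0.1       localhost
::1             localhost
127.0.0.1       downloads1.kaspersky-labs.com   # update host blackholed
127.0.0.1       liveupdate.symantecliveupdate.com
0.0.0.0         update.nai.com
10.0.0.5        intranet.example.com
192.0.2.10      download.mcafee.com             # redirected to attacker IP
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; scanning built-in sample instead")
        text = SAMPLE_HOSTS
    for no, ip, host, kind in find_hijacks(text):
        print(f"line {no}: {host} -> {ip} ({kind})")
```

Run it with no argument to scan the local hosts file, or pass a path to a copy pulled from a suspect machine. The localhost entries are deliberately not flagged; only names under a watched suffix count, whatever address they point at.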

October 10, 2006

Haxdoor Variant Being Spammed

McAfee reports

A recent spamming has been reported that is intended to download a variant of Backdoor-BAC. The spammed email message, supposedly from Walmart, is sent as follows:

From: info@walmart.com
Subject: Order Confirmation number: 37679041
Body:

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!

The spam has also been reported as purporting to originate from Dell, Sony, etc.
TrendMicro reports
Malware Overview

This backdoor arrives on a system either downloaded from the Internet or dropped by other malware.

When executed, it drops several files in the Windows system folder. It creates certain registry keys and entries to enable this backdoor to execute even when the affected system is running in safe mode.

It uses rootkit technology to hide its files and processes, making detection more difficult.

This backdoor opens a random port and allows a remote malicious user to perform several commands on the affected system. This routine compromises system security and opens the affected machine to further attacks.


Beware of emails that state that you've purchased something, especially when you have NOT!
Exercise caution when opening email attachments and keep your antivirus program up to date!
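The lure above relies on a "self-extracting archive" being mistaken for a PDF; a self-extracting archive is a PE executable no matter what it carries. The script below is an added example, not code from McAfee, Trend Micro or this blog: it parses an RFC 822 message, walks its attachments, and flags executables hiding behind document names, double extensions such as name.pdf.exe, and executables packed inside a zip. The sample message, order number and filenames are constructed for illustration; the 64-byte "MZ" stub stands in for a real self-extractor.

```python
"""Attachment triage for the 'order confirmation' lure above: flag executables
hiding behind document names, double extensions, and executables packed inside
archives. Added example, not code from McAfee, Trend Micro or this blog; the
sample message, order number and filenames are constructed for illustration."""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl"}
DOC_EXTS = {".pdf", ".doc", ".xls", ".txt", ".jpg", ".gif", ".htm", ".html"}
# Leading bytes that identify the real container, whatever the name claims.
MAGIC = {b"MZ": "pe", b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"Rar!": "rar"}
MAX_INNER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def sniff(data: bytes) -> str:
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def has_double_extension(name: str) -> bool:
    """'37679041.pdf.exe' style: a document extension hiding an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in DOC_EXTS and "." + parts[-1] in EXEC_EXTS


def findings_for(name: str, data: bytes) -> List[str]:
    """Findings for one attachment; zip archives are opened and their members checked too."""
    out = []
    ext = os.path.splitext(name.lower())[1]
    kind = sniff(data)
    if ext in EXEC_EXTS:
        out.append(f"{name}: executable attachment ({ext})")
    if has_double_extension(name):
        out.append(f"{name}: document extension followed by executable extension")
    if kind == "pe" and ext not in EXEC_EXTS:
        # A self-extracting archive is a PE file regardless of what it carries.
        out.append(f"{name}: content is a PE executable but name claims '{ext or 'none'}'")
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_INNER_BYTES:
                    out.append(f"{name}: member {info.filename} too large to inspect")
                    continue
                for m in findings_for(info.filename, zf.read(info.filename)):
                    out.append(f"{name} -> {m}")
    return out


def scan_email(raw: bytes) -> List[str]:
    """Parse an RFC 822 message and triage every attachment it carries."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        out.extend(findings_for(name, payload))
    return out


def build_zip(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure modelled on the Walmart 'order confirmation' above:
    a zip carrying a fake PE (64 bytes, MZ header only) named like a PDF."""
    msg = EmailMessage()
    msg["From"] = "info@walmart.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Order Confirmation number: 37679041"
    msg.set_content("Your Order Summary located in the attachment file.")
    fake_sfx = b"MZ" + b"\x00" * 62
    msg.add_attachment(build_zip({"37679041.pdf.exe": fake_sfx}),
                       maintype="application", subtype="zip",
                       filename="37679041.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_email(build_sample_message()):
        print(finding)
```

The content sniff matters more than the name check: a file called 37679041.pdf that starts with "MZ" is flagged even though its extension looks harmless, and a zip is opened so that a member named 37679041.pdf.exe is caught before the user ever sees it. The size cap keeps a hostile archive from exhausting memory during inspection.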

October 6, 2005

Sober.R

Again, from Harry Waldron, MS-MVP and Moderator at McAfee Support Forums:

" Batten down the hatches ... Trafton provided an early warning for us in the McAfee forums for a well designed new variant of the Sober.R worm.

Cleaning this new variant is difficult as some new techniques used by the virus writer lock down security of infected files (blocks access to files using special registry settings), so that you have to clean in SAFE MODE until McAfee releases its next DAT file (which will reset file access permissions to allow direct cleaning).

Sober.R -- McAfee declares MEDIUM RISK
http://forums.mcafeehelp.com/viewtopic.php?t=56045 "


McAfee's latest DAT detects Sober.R. Be sure to check for it!


October 5, 2005

W32.Spybot.YCL

Alert received from MS-MVP Harry Waldron, who says:

" This new version of Spybot has to be one of the most comprehensive attacks I've seen today for this large family of viruses. It attacks weak passwords, uses existing back door infections, plus attacks through some of the most prominent security vulnerabilities if a system is unpatched.

Users should be completely up-to-date on all security patches, avoid weak passwords, and ensure their PC is free of infections that might create a backdoor. "
http://msmvps.com/harrywaldron/archive/2005/10/04/68991.aspx

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ycl.html

W32.Spybot.YCL is a worm that has distributed denial of service and back door capabilities. The worm spreads by exploiting vulnerabilities and backdoors left by other malware.

Spreads to other computers by exploiting the following vulnerabilities:

* The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026): http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
* The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011): http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
* The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039): http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
* The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007): http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
* The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011): http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
* The Microsoft Windows ASN.1 Vulnerability (as described in Microsoft Security Bulletin MS04-007): http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
* The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (as described in Bugtraq ID 9213): http://www.securityfocus.com/bid/9213
* The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability: http://seer.support.veritas.com/docs/273420.htm

Spreads to compromised computers by using back doors left behind by other malware such as:

* W32.Mydoom@mm
* W32.Beagle@mm
* Backdoor.Netdevil
* Backdoor.Optix
* Backdoor.Subseven