
Archive for the 'Viruses description' Category

Jul 09 2007

Trojan-Dropper.Java.Xideo

Aliases:
Trojan-Dropper.Java.Xideo (Kaspersky Lab) is also known as: TrojanDropper.Java.Xideo (Kaspersky Lab), JV/Xideo (McAfee), Trojan Horse (Symantec), Troj/JVXideo-A (Sophos), Java/Xideo (H+BEDV), Java/TrojanDropper.Xideo.A (Eset)

Description added: Nov 28 2006
Behavior: TrojanDropper
Technical details:
This Trojan is designed to install other Trojan programs on the victim machine without the user's knowledge or consent. It is written in Java. The file is 42,155 bytes in size.

Payload:
Once launched, the Trojan extracts the following files from itself, saves them to the Windows temporary directory, and launches them for execution:

xxxvideo.com (6,000 bytes, will be detected by Kaspersky Anti-Virus as Trojan.Win32.Alfora)
microsoft.com (15,360 bytes, will be detected by Kaspersky Anti-Virus as Trojan.Win32.Small.w)

Removal instructions:

Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Delete xxxvideo.com and microsoft.com from the Windows temporary directory (%Temp%).
Update your antivirus databases and perform a full scan of the computer.


Jun 20 2007

Trojan-Downloader.JS.Weis.b - Technical details & removal instructions

Aliases:
Trojan-Downloader.JS.Weis.b (Kaspersky Lab) is also known as: TrojanDownloader.JS.Weis.b (Kaspersky Lab), VBS/Psyme (McAfee), Downloader.Trojan (Symantec), JS/Psyme (Grisoft), Exploit.ADODB.Stream.Gen (SOFTWIN), VBS/TrojanDownloader.Psyme.NAF (Eset)

Description added: May 10 2007
Behavior: TrojanDownloader
Technical details:
This is a Trojan downloader program. It is written in JavaScript. It can be found on web pages.
Payload:
The Trojan uses Microsoft.XMLHTTP to download a file from an address which is given as a parameter. The downloaded file is saved using ADODB.Stream to C:\Program Files\Internet Explorer\ and is then launched for execution by a function that varies according to the version of Windows.

Removal instructions:
- Delete the page containing the malicious code, if it was launched from a local resource.
- Update your antivirus databases and perform a full scan of the computer.


Jun 13 2007

Macro.Visio.Unstable - about & technical details

Technical details:
This is the second macro virus that also has pretensions to be The Number One in the “Macro.Visio” family. This virus is more complex than Macro.Visio.Radiant: it uses encryption and special tricks to hide its body in infected files.
The virus infects Visio documents, stencils and templates when an infected document is opened. It enumerates all open documents, stencils and templates and infects them by copying the virus body into them. To mark already infected documents, the virus writes “Visio2k.Unstable” into their description and does not infect documents carrying this mark.
To hide itself, the virus closes all open windows in the VBA editor and disables the Visual Basic Editor's menus and “Standard” toolbar. If a user tries to edit the macros inside an infected document, he or she sees only the editor's empty main window, without any menus, toolbars or child windows.
The virus has a payload that triggers on the 31st and displays the message:
Visio2000.Unstable
Unstable, it’s hard to be the one who’s strong
Who’s always got a shoulder to cry on
Who’s got a shoulder for me?
The virus contains three procedures in the module “ThisDocument”: “Document_DocumentOpened()”, “Unstable()” and “ci()”. Inside infected documents the second procedure is unreadable because it is stored encrypted; the virus decrypts this procedure only just before calling it.


May 31 2007

Spyware Doctor To Add Cyberhawk A/V Defense

Sydney-based PC Tools, purveyors of the popular Spyware Doctor antispyware utility, today announced their acquisition of Novatix Corporation.
Novatix’s flagship product is Cyberhawk, a real-time behavior-based anti-malware program. According to PC Tools, “Cyberhawk’s patent-pending ActiveDefense technology offers unsurpassed protection against both known and unknown viruses, worms, trojans, rootkits, buffer overflows and other forms of malware and provides effective protection against zero-day attacks.”
Mike Kronenberg, chief executive of Novatix, will become chief technical officer of North American operations for PC Tools.
Spyware Doctor has long been a PC Magazine Editor’s Choice for spyware protection, though the latest revision, Version 5.0 – a total rewrite with antivirus protection added – had some new-version problems. In testing, Cyberhawk Pro 2.0 was very effective at preventing malware from installing on a clean system. It doesn’t remove found threats, just bottles them up so they can’t do any harm. It’s a good match for Spyware Doctor, which thoroughly cleans up the malware infestations it finds.
According to PC Tools chief executive Simon Claussen, “This new technology will help strengthen our zero-day coverage and improve our ability to detect emerging threats”.
Kronenberg agreed. “We see this acquisition as a great fit for Novatix,” he said. “PC Tools is a leader in the anti-spyware and anti-virus space. Our combined efforts will ensure that consumers get the best protection possible. PC Tools’ broad reach in the consumer marketplace ensures our highly effective technology will have an even greater impact.”
When asked when customers would reap the benefits of this acquisition, Michael Greene, PC Tools’ vice president of product strategy, said immediately. “Consumers will start to recognize benefits right away,” Greene said. “The information that comes in from the Cyberhawk community protection feature will feed into our ongoing analysis of new threats, and our Threat Expert technology will help speed up processing.”
Cyberhawk Pro and the free Cyberhawk Basic will be backed by the PC Tools name and fully supported by PC Tools, Greene added.
Greene also declined to give a timetable on when both products would be integrated. “We don’t have a hard date for integrating the technology into Spyware Doctor, but it is part of the long-term plan. Not only will we have signatures for the stuff we know about, we’ll have behavioral technology for threats we haven’t seen.”


May 18 2007

PC Tools Spyware Doctor 3.5

Spyware Doctor is a dedicated tool that can do precisely this. It begins scanning your PC’s contents as soon as you complete the installation and provides precise details of each of the items it determines are potential threats. SD scanned our 120GB test machine in less than 10 minutes and identified 34 problems.
Unlike some spyware and antivirus programs that simply warn you of the number of nasties lurking on or attempting to access your system, Spyware Doctor actually tells you what the threats are, one by one.
In addition, it explains the level of threat they pose and, on the right of the pane listing them, explains why cookies from known dodgy websites put you at risk. Threats are separated into low, medium, elevated and high levels, categorised by type such as advertising and tracking cookies.
It outlines why these are a risk and provides a history of how they’ve been known to exploit vulnerabilities. This way you know which threats you should immunise your system against.
The main Spyware Doctor window offers to scan or immunise your computer, and to switch on or off the OnGuard Protection utility. By clicking on the Tools menu you can select which particular types of threat you want the program to alert you to and to protect you against. These include keystroke loggers, adware, phishing tools and Trojans, plus items that make changes to your PC’s Registry.
A Smart Update setting ensures you stay up-to-date with alerts. You can schedule the program to run automatically. A handy tool will undo changes you’ve asked Spyware Doctor to make, such as removing items you then find you need.
Verdict:
Spyware Doctor impressed us greatly with its detailed reporting tools and the ability to specify exactly what you want it to be on guard for and what doesn’t concern you. It’s well priced and it’s refreshing to find a program that takes the time to explain each risk, helping you make an informed decision about whether to erase it.


May 10 2007

Email-Worm.Win32.NetSky.t

Aliases:
Email-Worm.Win32.NetSky.t (Kaspersky Lab) is also known as: I-Worm.NetSky.t (Kaspersky Lab), W32/Netsky.t@MM (McAfee), W32.Netsky.T@mm (Symantec), Win32.HLLM.Netsky.based (Doctor Web), W32/Netsky-T (Sophos), Win32/Netsky.T@mm (RAV), WORM_NETSKY.T (Trend Micro), Worm/NetSky.#1 (H+BEDV), W32/Netsky.T@mm (FRISK), Win32:Netsky-T (ALWIL), I-Worm/Netsky.T (Grisoft), Win32.NetSky.T@mm (SOFTWIN), Worm.SomeFool.Gen-2 (ClamAV), W32/Netsky.T.worm (Panda), Win32/Netsky.T (Eset)

Technical details: 
This worm spreads via the Internet as an attachment to infected emails.
The worm itself is a Windows PE EXE file of approximately 18KB, packed using UPX and written in Microsoft Visual C++.
Infected messages:
Message header
Approved
Hello
Hi
Important
My details
Re: Approved
Re: Hello
Re: Hi
Re: Important
Re: My details
Re: Request
Re: Thanks you!
Re: Your details
Re: Your document
Re: Your information
Request
Thank you!
Your details
Your document
Your information
Message body (chosen at random from the texts below)
Approved, here is the document.
For more details see the attached document.
For more information see the attached document.
Hello!
Here is the “…”.
Here is the document.
Hi!
I have found the “…”.
I have sent the “…”.
I have spent much time for the “…”.
I have spent much time for your document.
My “…” is attached.
My “…”.
Note that I have attached your document.
Please have a look at the “…”.
Please have a look at the attached document.
Please notice the attached “…”.
Please notice the attached document.
Please read quickly.
Please read the “…”.
Please read the attached document.
Please see the “…”.
Please, “…”.
See the document for details.
Thank you
Thanks
The “…” is attached.
The “…”.
The requested “…” is attached!
Your “…” is attached.
Your “…”.
Your file is attached to this mail.
Yours sincerely
Between the quotation marks the worm inserts one of the phrases below, chosen at random:

abuse list
account
answer
approved document
approved file
archive
bill
concept
contact list
corrected document
description
detailed document
details
developement
diggest
document
e-mail
excel document
file
final version
homepage
icq number
important document
improved document
improved file
info
information
instructions
letter
list
mail
message
movie document
new document
note
notice
number list
old document
order
personal message
phone number
photo document
picture document
postcard
powerpoint document
presentation document
release
report
requested document
sample
secound document
story
summary
text
textfile
user list
word document
Attachment:
A file with a .pif extension and a randomly generated name.
The worm is activated when the user opens the attached file.
Once launched, the worm installs itself on the system and starts propagating.
Installation:
When installing, the worm copies itself to the Windows directory under the name EastAV.exe and registers this file in the system registry auto-run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"EastAV"="%windir%\EastAV.exe"
Mass mailing
The worm searches files with the extensions listed below, harvests email addresses from them and sends copies of itself to all addresses found:
adb
asp
cfg
cgi
dbx
dhtm
doc
eml
htm
html
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
ppt
rtf
sht
shtm
stm
tbb
txt
uin
vbs
wab
wsh
xls
xml
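The subject, body-template and .pif-attachment pattern described above can be turned into a simple mail-filter check. This is an added example, not code from the original description or from Kaspersky; the lists are a subset of those on the page and the sample message is constructed:

```python
import re
from email import message_from_bytes
# Subset of the subjects, body texts and slot phrases listed for NetSky.t above.
SUBJECTS = {"Approved", "Hello", "Hi", "Important", "My details", "Your details"}
BODY_TEMPLATES = ["Here is the “…”.", "My “…” is attached.", "Please read the “…”.",
                  "Your “…” is attached.", "Please read the attached document."]
SLOT_PHRASES = ["abuse list", "account", "bill", "diggest", "secound document"]

def _build_body_regex():
    # The page renders the slot quotes as “…”; straight quotes are accepted too.
    slot = r'[“"](?:' + "|".join(map(re.escape, SLOT_PHRASES)) + r')[”"]'
    alts = [slot.join(map(re.escape, t.split("“…”"))) for t in BODY_TEMPLATES]
    return re.compile("(?:" + "|".join(alts) + ")")

BODY_RE = _build_body_regex()

def subject_matches(subject):
    # The worm uses every subject both bare and prefixed with "Re: ".
    s = subject.strip()
    return (s[4:] if s.startswith("Re: ") else s) in SUBJECTS

def classify_message(raw):
    # Score one raw RFC 822 message against the lure text and .pif attachment pattern.
    msg = message_from_bytes(raw)
    body, has_pif = "", False
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(".pif"):
            has_pif = True                      # randomly named .pif attachment
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
    hits = {"subject": subject_matches(msg.get("Subject", "")),
            "body": BODY_RE.fullmatch(body.strip()) is not None, "pif": has_pif}
    # A .pif attachment together with either lure text is the combination to alert on.
    hits["netsky_like"] = has_pif and (hits["subject"] or hits["body"])
    return hits

# Constructed sample message (not a real capture) following the worm's pattern.
SAMPLE_MESSAGE = b"""\
Subject: Re: Your details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your "diggest" is attached.
--b1
Content-Disposition: attachment; filename="qzvmxa.pif"

--b1--
"""
```

A subject or body hit on its own is only a weak signal, since the lure texts are ordinary phrases; the .pif attachment is what makes the combination worth blocking.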


Apr 17 2007

How to Remove SpyLocked



Dec 26 2006

Classic Viruses

Computer viruses can be classified according to their environment and infection methods. The environment is the application or operating system required by any given virus to infect files within these systems. Infection methods are the techniques used to inject the virus code into an object.

Environment
Most viruses can be found in one of the following environments:

File systems
Boot sectors
Macro environments
Script hosts
File viruses use the file system of a given operating system (or more than one) to propagate. File viruses can be divided into the following categories:

Those that infect executable files (the largest group of file viruses)
Those that create duplicates of files (companion viruses)
Those that create copies of themselves in various directories
Those that utilize file systems features (link viruses)
Boot sector viruses write themselves either to the boot sector or to the master boot record, or displace the active boot sector. These viruses were widespread in the 1990s, but have almost disappeared since 32-bit processors became standard and the floppy disk declined. It would be technically possible to write boot sector viruses for CDs and USB flash ROMs, but no such viruses have yet been detected.

Many word processing, accounting, editing and project applications have built-in macro scripts which automate frequently used sequences. These macro languages are often complex and include a wide range of commands. Macro viruses are written in macro languages and infect applications with built-in macros. Macro viruses propagate by exploiting macro language properties in order to transfer from an infected file to another file.

Infection Methods
