There is a trojan making the rounds that is acquired by clicking on links in an email. That’s not necessarily new; however, this email presents itself as an authentic-looking Microsoft security bulletin, and the links are supposedly to updates (sorted by Windows version). It’s important to point out that Microsoft does not send registered users security notices in this manner. If you are concerned about security updates, you should either enable automatic updates or visit http://windowsupdate.microsoft.com
Category: Viruses
-
Another interesting spyaxe note
Incidents.org has a note on a recently noted trojan, trojan.spaxe.exe, which, once on a system, mimics the Windows notification “bubble” near the system tray with the following text:
“Your computer is infected!
Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss.
Windows will now download and install the most up-to-date antispyware for you. Click here to protect your computer from spyware.”
-
F-Secure list of Sober virus URLs
When the news first came out that an antivirus firm (F-Secure) had cracked the pseudo-random algorithm that the Sober worm uses to determine where to download “updates” from, they said that they had previously notified German authorities where the free hosting sites were located so that the authorities could deal with the sites. I did find that they have announced a list of the addresses for the January 5th update (and January 6th as well).
-
More details on Sober worm
There’s a bit more detail on the Sober worm in this BetaNews article. They basically say that the next expected “release” is January 8th and that F-Secure has cracked the “code” of the worm. You see, it appears that the URLs that new versions of the worm are downloaded from are not hardcoded but “pseudorandom,” and they’ve cracked the algorithm the worm uses.
-
Interesting vector for browser vulnerability exploit… eBay
Incidents.org has received a tip on an eBay item that contained some malicious script:
ISC reader Gareth Attrill pointed us to an eBay auction that has some escaped HTML code that sneaks in a link that tries to get a trojanized .jar (usage.jar) file loaded on anyone who loads the listing. The latest .dat for McAfee immediately detected (and deleted) the code as Exploit-ByteVerify. The lister most likely managed to bypass other protections that otherwise prevent this kind of code from being inserted into item listings. Both eBay and the ISP that is hosting the malware have been notified.
-
New variation of Sober virus coming in January
Now we seem to be getting “coming attractions” previews in virus-land… Anyway, I’ve read at several sources that we are to expect a new variation on the Sober worm around January 5th, 2006. It’s said that the date was chosen to mark the formation of the Nazi Party. In the past, variants have spouted pro-Nazi sentiments and redirected users to pro-Nazi web sites.
-
16,000 new viruses this year
This is for all those people who say to me, “There haven’t been any new viruses lately, have there?” It’s really amazing to me that people think if it’s not on the national news it doesn’t happen… According to PC Pro, Sophos has reported that 16,000 new viruses have been added to their database this year. Along with that comes a flood of 1,940 new viruses added to Sophos’ virus signatures last month. (That mark is a record for one month.)
-
AIM worm in the wild
There was an article in the last few days about instant messengers being a tempting new vector for viral infections… Well, Incidents.org has information on a new AIM worm seen in the wild. It doesn’t travel via a security hole, but uses the good old standby of social engineering to get from place to place.
-
MS IE JavaScript exploit for zero-day (0-day) vulnerability
An exploit for last week’s zero-day (0-day) JavaScript vulnerability in Microsoft’s Internet Explorer is in the wild. I saw this post from Sunbelt go up and disappear a couple of nights ago; at the time I didn’t have long enough to read it… It’s back today, and there are instructions for mitigating the risk. However, there is still no patch from Microsoft and no word on when to expect one. According to the Sunbelt post, the exploit in the wild is being used for browser hijacking and spyware installation.
-
Viruses and worms can come in from many directions
For a long time, email was the primary vector for viruses; before that, floppy disks carried bugs from PC to PC. Then came network worms exploiting Windows security vulnerabilities, which led to the rise of firewalls and the increase in viruses piggy-backing into the system through browser bugs. But any program that listens for data coming from the network could be an entryway for good traffic or bad. The Security Fix is talking today about November being a record month for instant messenger worms.