Archive: Viruses
Classic tech tips filed under Viruses.
-
Facebook Fan Check Virus
There's a rumor going around and a lot of unconfirmed information that a facebook application known as fan check is actually a virus. I'm seeing several claims that if someone becomes a fan of this f…
-
Virus Warning - Email Subjects - IRS Notice - Important Information from the IRS
I've seen a couple of these emails today and wanted to give a post just to warn people that these are bogus and you should NOT follow the link suggested in the email. I HOPE no one reading this falls…
-
Watching out for MORE fake video codecs
sunbelt blog has yet MORE fake codec sites to watch out for. All are bad and should be AVOIDED... details after the jump.... IP: 85.255.118.195 vccodec(dot)com IP: 69.50.188.109 hqcodec(dot)com IP: 6…
-
Would you like spyware with that? Apple too....
These stories come up from time to time. A free giveaway of some sort and it turns out that there's spyware or a virus embedded, company gives a big "whoops" and fixes things by replacing them.... Mc…
-
Hiding malware may evade antivirus
Sans had an interesting malware analysis this morning about a blob that appeared to be ascii text (gibberish) that was retrieved by a piece of malware. It turns out that the ascii text was a cleverly…
-
Google search for malware accessible to all...
The metasploit project is now hosting a malware search that uses Google. It essentially uses a binary google search technique that was referenced last week to find malicious files hosted on the web. …
-
Another Microsoft Office Vulnerability
Hot on the heels of the Microsoft Word patch there's a new threat to Microsoft Office. This vulnerability is with Excel documents. According to the MS security response center blog, they've received …
-
Web 2.0 could lead to virus 2.0...
The last couple days, there's been a virus spreading making use of yahoo mail's interface. Usually web mail is considered a fairly safe way to get email, but in this case all that was done was the us…
-
Another wolf in sheeps clothing to watch for
Wolves in sheeps clothing are the label I give to those rogue antispyware, or antivirus programs that bring pests instead of protect against them, or are otherwise questionable in their tactics. Tita…
-
The Great Cyberwar
It went un-noticed by most people for a few years. After all, the ones that were affected were just those that were "asking for it". Where to start. Let's see, back in the day there were some that se…
-
Bad malware storms brewing
ADTMAG.com has an interesting article talking of the convergance of spyware and more sophisticated phishing attacks. They talk about the convergance of viruses and spam engines that happened in 2003 …
-
Big trouble - you don't have any viruses....
You know, I've seen soooo many antivirus vendors that are somewhat ethically challanged claim that cookie files are a big threat, or in worse cases files that the "free" antivirus test downloaded are…
-
New malware sightings
Incidents.org had an entry in the last couple days on a malware infestation that was interesting and showed a couple things. 1) You can't bet on antivirus to keep you safe (the initial installer was …
-
Circuit City Support forum serving up trojan....
Embarrasing.... and a big pain in the neck for any of their visitors... It seems as though if you've visited Circuit City's Support Forum with an unpatched Internet Explorer, you likely have a trojan…
-
Symantec Antivirus Remotely Exploitable Vulnerability
This is bad - whose defending the defender? eEye security has a bulletin announced that regards a remotely exploitable vulnerability in Symantec Antivirus 10.x and Symantec Client Security 3.x They s…
-
Zero-day ( 0-day) Microsoft Word exploit
There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was v…
-
Nugache the latest in bot-net technology... and why you should care about botnets...
To show you where the threat with bot networks is going there's a story today on Nugache (Symantec summary) which is a bot that takes advantage of a number of clever tricks to avoid having the whole …
-
Multi-OS virus?
The multi-OS virus may be a proof of concept, but it could be a sign of bad things to come. Let's face it, there have been viruses that have taken advantage of multiple ways of spreading (email/open …
-
The Blackworm, Nyxem, KamaSutra Worm...
Lot's of news following up on the Nyxem worm in the last few days. It's currently going under a number of names, the Kama Sutra Worm, Blackworm are some of the more common names. Sans has a page for …
-
A Deeper look at Nyxem
First I should raise an alarm of warning on this one, this virus is supposed to overwrite all accessible document files (network shares too) on the 3rd of the month, so February 3rd we may be seeing …
-
Nyxem.E virus delete files payload
F-secure has some details on a dangerous payload for the Nyxem.E virus. (The Nyxem.E virus is very similar to the Email-Worm.Win32.VB.bi that was talked about earlier in the week.) In fact, this viru…
-
New mass mailing virus
F-secure has information on a fairly aggressive new email virus. Their name for it is VB.bi although it's aliases are.... W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi depending…
-
Clamav 0.88 for Mandrake 10.0
I've got a couple of older Mandrake 10.0 servers that I'm still maintaining. They're systems that it hasn't been practical (yet) to do an upgrade to a more recent release of the base operating system…
-
Sober virus watch...
Well, antivirus vendors and IT security folks are waiting now for the expected activation of the sober.y worm searching for a new downloads and a new revision of the pest. kaspersky's log indicates t…
-
Another Sober.y reminder
f-secure.com has another warning for us about the pending awakening of the sober worm. From reports it's expected to start looking for sites to download from January 5th into January 6th. There is an…
-
Antivirus vs. WMF exploit
There are a number of references out today to a December 31st article (on a study by av-test) about how well antivirus products were keeping up with the shifting signatures of the WMF exploits. There…
-
Another trojan using WMF exploit in SPAM
F-Secure is reporting on another SPAM attack that tries to get people to click on a link to a site with an exploit-crafted WMF file. The message is along the lines of a claimed Professor at Yale anno…
-
Microsoft advisory on Sober "Awakening"
Microsoft has posted a security advisory (912920) on the previously reported "awakening" of the Sober worm, expected January 6th. Systems that are infected with Win32/Sober.Z@mm may download and run …
-
More testing on the second WMF exploit
After my Windows 98 tests which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing in detecting this secon…
-
Version 2 of the WMF exploit vs Windows 98 SE
Ok, I wasn't quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero day exploit that's now up to 4 or 5 days or so... Windows 98 is listed as being…
-
More WMF exploit testing on Windows 98
I've spent some more effort on trying to infect Windows 98 SE in a virtual machine with some of the exploit samples I can find. The first attempt was at a website with the .wmf download. No luck infe…
-
WMF exploit situation summary...
Since there's been quite a bit of flux the last couple of days I thought I'd try to "reset" the situation and give a general overview of where we stand now with regards to the recent WMF zero-day exp…
-
WMF Exploit -- it's worse...
This is going to be a rough start to the new year for IT staff and computer users.... There's coverage at Incidents.org, the sunbeltblog and f-secure of the latest twist in what will likely be a BIG …
-
NEW exploit for the WMF vulnerability
Just when you thought we had a good understanding of the recent zero-day WMF (Windows metafile exploit) it's worse. Sans is reporting on a new variation on the exploit released today. They have gone …
-
New IM worm using WMF vulnerability
There is news this morning of a new twist in the WMF vulnerability (it was only a matter of time.) There are reports of an instant messenger worm using the vulnerability to spread. Currently incident…
-
WMF exploit and DEP
There's a bit of controversy over the suggestion that Hardware DEP seemed to protect against the WMF zero day exploit. Sunbeltblog has responded to the controversy. George Ou in the first link above …
-
Lotus Notes WMF vulnerability
This is really the same zero-day wmf vulnerability, but there is a twist. It's been found that Lotus Notes v. 6.x and up are vulnerable to the Windows Meta File (WMF) exploit that's making the rounds…
-
Another workaround for the 0-day WMF Exploit
I notice that the Sunbelt Blog has some instructions up for blocking the zero-day Windows Meta File (WMF) exploit with their newly acquired kerio firewall. (Free or full version.) Either version can …
-
Spyware, viral cleanup disabling system restore
Sorry, but to get into the guts of what I found in the wake of the WMF exploit, I did leave out another important step in the cleanup process. IF you are trying to clean up an infested machine one of…
-
Update on the WMF exploit - more sites to block
I haven't checked to see if these are already on other block lists for the WMF exploit, but the following addresses are advised to be blocked (from f-secure).... toolbarbizbiz toolbarsitebiz toolbart…
-
http://60.topnssearch.com popups in infestation
One other note from the previous series on WMF exploit infestation cleanup. Among the multiple popups that came when launching internet explorer, most were directed at the site http://60.topnssearch.…
-
Cleaning up after WMF Exploit - summary
Can I say enough times that after a bad trojan infestation you should format and reinstall? I've cleaned up the infested image that I "sacrificed" to the WMF exploit and as I've said you're pestware …
-
Cleaning up after WMF exploit - BHO removal
Browser helper objects (BHO's) are listed in the registry and load with explorer when it runs (Internet Explorer/ File explorer are so closely tied it affects both.) I've used BHOdemon in the past to…
-
Cleaning up after WMF exploit - is it clean?
So, I've got most of the baddies cleaned out and I'm not getting popups anymore. No nags on boot, the boot process is quicker, but is it really clean? I found a few files (winlogon.exe, alg.exe in pa…
-
C:\windows\system32\kernels64.exe not found
On the next boot I was greeted with the above message C:\windows\system32\kernels64.exe not found please make sure the path......correct.... blah blah blah. Back to msconfig. Everything there now loo…
-
Cleaning up after WMF exploit third party boot disc
At this point, I needed to rename or delete some files that windows would not let me touch. I had this winlogon.exe running from a suspect directory c:\windows\inet20001 and windows wouldn't let me k…
-
Removing items from MSCONFIG after WMF exploit
OK, so, I'm busy killing off running processes and fire up MSConfig to try to keep them from coming back on the next boot. To launch msconfig go to start, run... type in msconfig and click ok. The st…
-
Task Manager Suspicious Processes after WMF exploit
After getting into Task Manager I saw a number of suspicious processes. There were a lot of things running as my user that I didn't recognize. kernels64.exe, vxgame6.exe, vxgame4.exe, mm4.exe, vxh8jk…
-
Task manager has been disabled by your administrator
The first problem I ran into in cleaning up after my infested Windows XP image was this error message. One of the first things I do in cleaning an infested system is try to kill off running process t…
-
Cleaning up after the WMF exploit
OK, I mentioned that I infested a virtual machine with the current WMF 0-day exploit. First I should probably clarify. An exploit is a means of getting in to a system. The payload is the software tha…
-
WMF 0-day update
Last night while I was in the midst of infecting a virtual machine, Microsoft issued a release that there's a "possible vulnerability"... fortunately, their technical document is a bit more straightf…
-
WMF zero-day exploit first hand experience
Well, I've just spent the better part of 6 hours (maybe a bit more) "sacrificing" a virtual machine to the zero-day Windows Meta File (WMF) exploit and all the malware that comes in. I picked one sit…
-
Another workaround for WMF exploit
There are at least two other workarounds for the Windows Meta File (WMF) exploit that I've been looking into this afternoon. These from sunbelt blog. First up... 2. Change file associations for WMF f…
-
Workaround for the critical WMF zero-day exploit
The Windows Meta File (WMF) zero-day (0-day) exploit is apparently, VERY nasty, no user intervention required (unless running firefox or opera). Just VISITING a malicous site (viewing a malicious ema…
-
Windows Metafile zeroday exploit
There's more on the WMF 0-day exploit... According to f-secure it's being used to distribute the following nasties.... Trojan-Downloader.Win32.Agent.abs Trojan-Dropper.Win32.Small.zp Trojan.Win32.Sma…
-
More on the Windows WMF zero-day exploit
There seems to be quite a bit developing on the Windows Meta File (WMF) zero-day (0-day) exploit which was first reported yesterday. Sans has raised their alert level to yellow in an effort to get at…
-
Fake MS Messenger 8 beta and other IM warnings...
F-Secure is warning about ads for a "leaked version" of Windows Messenger 8 beta. There is no public beta of this and it is a virus.... If you download and run BETA8WEBINSTALL.EXE from that site, you…
-
A Tip for cleaning up an infected PC
There's a joke that many people bring out when new Windows viruses hit big.... it goes along the lines of, "download a fix here" and the link points to a knoppix linux livecd download, or a Mandriva …
-
Disinfecting a PC… part 11
All in all, what I've documented was a bit over three hours worth of attention to the machine (much more for the full scans, but I didn't have to stand and watch them.) I didn't document a sidetrip t…
-
Disinfecting a PC… part 10
Before I get things wrapped up, I like to scan rinse and repeat until the scans come up clean. So, this scan of AVG gives a chance to delete the archive entry I mentioned the first pass it took. And …
-
Disinfecting a PC… part 9
Ok - about 22 or 23 critical updates for Windows ME. I'm suspecting it's never visited the Windows update site. While it's going I make sure that the adware scanners and antivirus scanner get to pull…
-
Antivirus update response times
We know that for Windows systems especially antivirus is a must. Up to date antivirus is the MOST important though. So how do the different vendors do in responsiveness and quick antivirus definition…
-
Spyaxe Spytrooper spysherriff et al removal
There are so many "wolves in sheeps clothing" or maybe I should say wolves in sheepdogs clothing... Anyway, so many nasty malware's that pose as protective utilities. Spyaxe, spytrooper, spy sherriff…
-
The Santa Worm
More coverage is being given to the instant messaging worm that poses as a come on for a Santa Claus related site today. The only thing I think that I left out in last nights post was the name of the…
-
Disinfecting a PC… part 8
All right, now it's time to give ad-aware a spin. I like being able to use several spyware scanners to get full coverage and cleaning. Ad-aware and spybot s&d are usually my first two choices. Realiz…
-
IM worm acts as a come on to a Santa Claus site
According to Information Week, there's a new IM worm out hitting the MSN, ICQ, Yahoo and AIM networks. It poses as a come on for a Santa Claus site. On visiting the site, users receive an unexpected …
-
The CIA/FBI virus revisited
I'm sure you remember the CIA/FBI virus a few weeks back. There was a German version of this and apparently one individual took the warning email to heart and turned himself in for child pornography.…
-
Disinfecting a PC… part 7
Ok, another reboot after the BHO cleaning. Things are a good deal more responsive now, less disc swapping going on. (I suspect that those three missing BHO entries may have been causing the slow down…
-
Another example of how we're vulnerable for identity theft
The SecurityFix is reporting on a security breech at reevesnamepins.com a company that supplies (among others) law enforcement personnel. Apparently, CardCops (which monitors for possible stolen data…
-
More wolves in sheeps clothing - rogue or suspect antispyware
(or for that matter, rogue or suspect antivirus.) What's fascinating about this category is most of these products either use security vulnerabilities to get into a system, or merely convince a perso…
-
Disinfecting a PC… part 6
Ok, it's BHOdemon time... installed from cd and on starting: BHOdemon bhotb-all.html not found, no web connection downloading on other machine. Finally get it to work copying from another machine. Bu…
-
Disinfecting a PC… part 5
OK, we're moving on to BHOdemon to take care of the browser helper objects. Unfortunately it looks like BHODemon is not being currently maintained, the developer has had a housefire. I am very sorry,…
-
Disinfecting a PC… part 4
So, AVG has been scanning away finding things we've really got a foothold on the system and the malware has a fight on it's hands. It's good to see progress. Up to this point we've had multiple Spool…
-
Disinfecting a PC… part 3
Picking up from last time... AVG was failing to install with a peculiar registry error. (Which I didn't see much reference to online.) OK, so here is another fruit of the online search (so many bugs …
-
Another beagle virus variant
Incidents.org is reporting this as well... A new Beagle variant is making the rounds. It comes in an almost empty email, as a ZIP attachment containing the worm as an EXE. The attachment name, email …
-
How festive - the dasher worm...
The securityfix is reporting on a new worm that exploits an older Windows vulnerability. The worm is called dasher and is in at least it's second iteration. Sans noticed an odd increase in port 1025 …
-
Disinfecting a PC... part 2
Ok, the last post got a bit long with the hijackthis log, but I wanted to include the whole picture. I put a few comments in, but thought it might be useful to include the notes I took at the time. F…
-
A couple warnings related to fake security sites
Sunbelt has this warning about yet another fake security site. This one is laid out a bit different than the others we've seen in recent days. It's not quite the same spoof of the Windows Security Ce…
-
Disinfecting a PC... part 1
This is the first in a several part series documenting the cleaning of an infected PC. The only real noteworthy item is that it was a dial-up only connection and was rather infested for that. (On par…
-
Clamantivirus may get support from eEye?
This would be a good thing for clamantivirus. eEye is considering "adopting" clamav for inclusion in their Blink product. The idea is that they would improve clamantivirus and then start integrating …
-
Microsoft Security Bulletin Email
There is a trojan making the rounds that is acquired by clicking on links in an email. That's not necessarily new, however.... this email represents itself as an authentic-looking Microsoft security …
-
Another interesting spyaxe note
Incidents.org has a note on a recently noted trojan.spaxe.exe, that when on a system will mimic the windows notification dialogue "bubble" near the system tray with the following text. "Your computer…
-
F-secure list of sober virus urls
When the news was first out that an antivirus firm (f-secure) had cracked the psuedo-random algorithm that the sober worm uses to determine where to download "updates" from, they said that they had p…
-
More details on Sober worm
There's a bit more detail in this betanews article on the sober worm. They basically say that the next expected "release" is January 8th, that f-secure has cracked the "code" of the worm. You see it …
-
Interesting vector for browser vulnerability exploit...ebay
incidents.org has received a tip on an ebay item that contained some malicious script... ISC reader Gareth Attrill pointed us to an eBay auction that has some escaped HTML code that sneaks in a link …
-
New variation of Sober virus coming in January
Now, we seem to be getting "coming attractions" previews in virus-land.... Anyway, I've read at several sources that we are to expect a new variation on the sober worm around January 5th, 2006. It's …
-
16,000 new viruses this year
This is for all those people that say to me. "There haven't been any new viruses lately have there?" It's really amazing to me that people think if it's not on the national news it doesn't happen....…
-
AIM worm in the wild
There was an article in the last few days about Instant messengers being a tempting new vector for viral infections... Well.... Incidents.org has information on a new AIM worm seen in the wild. It do…
-
MS IE Javascript exploit for zero-day (0-day) vulnerability
An exploit for last weeks zero-day (0-day) javascript vulnerability in Microsoft's Internet Explorer is in the wild. I saw this post from Sunbelt a couple nights ago go up and disappear, at the time …
-
Viruses and worms can come in from many directions
For a long time, email was the primary vector for viruses, before that floppy discs carried bugs from pc to pc. Then came network worms exploiting windows security vulnerabilities which led to the ri…
-
The virus arms race? is locking down systems the key?
The securityfix has a post on the "dirty little secret" about antivirus. Eugene Kaspersky of Kaspersky antivirus has posted an introspective article on the antivirus industry and it's current problem…
-
Ooops... hard drive maker ships trojan on storage media
Oooops... According to the Sunbelt blog a Japanese storage maker (I-O Data Device) has offered to exchange drives that were discovered to have been shipped out with the Tompai-A, a worm which would g…
-
FBI / CIA virus
Well... the media has taken the drab name of w32sober.X@mm or w32sober.x or w32sober.y, W32/Sober.AD-mm or any of those other drab names that we've been looking at the last week and dubbed the latest…
-
New Beagle/Bagle variant?
So, I submitted the suspicious attachment I received to virustotal (scan@virustotal.com with SCAN in the subject and suspicious file as attachment.) What follows below is the report I received. It lo…
-
New Sober variants..
Ok - there are some new variants on the Sober worm circulating. I received one on an address that's unfiltered (no virus/spam filtering) and must say, I can see people being duped into looking at the…
-
Keyloggers a growing problem
It's interesting some years ago when viruses on Windows machines were SOOOO plentiful it seemed like that's all I spent my time cleaning up, I thought... "you know, most viruses are prankster-ish pro…
-
New Sober virus variant coming
This is unusual, but there is advance notice from the Bavarian Police warning about a new variant on the Sober worm which will be released tomorrow. More information can be found at f-secure, as well…
-
Sony BMG is still having a bad week....
Unfortunately a LOT of people that have bought Sony-BMG cds (or borrowed, whatever...) are going to have some headaches too. By stock in Tylenol or Aleve or something.... anyway... here's todays roun…
-
MS05-053 Microsoft Windows Image Viewing Vulnerability
Two notes on the Windows vulnerability patched day before yesterday. There is a trojan in the wild exploiting it and Symantec's AV definition to detect such an exploit is a bit too paranoid and flags…
-
XML RPC worm new variant
There seems to be a new variation on the xml rpc worm spreading about, so patch patch patch. If you have php and vulnerable software on a web facing server, patch.