Difference Worm, Trojan, and Virus

Worm, Trojan, Virus

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.

A worm is similar to a virus by its design and is considered a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the process continues on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In more recent worm attacks such as the much-talked-about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons), while others can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.

Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of method and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities.

To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack; it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended threat could modify .exe files, HTML files and registry keys at the same time; basically it can cause damage within several areas of your network at one time.

Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.

W32.Pesin.A

If you use the internet at an internet cafe (warnet) or exchange files with other users on diskette, check whether your diskette contains a file with one of these names:

* My Love.exe
* Kenangan.exe
* Hallo.exe
* Puisi Cinta.exe
* My Heart.exe
* Jangan Dibuka.exe
* Mistery.exe

If it does, your diskette is infected with the Pesin virus, and if your antivirus is not up to date, Pesin will be free to spread itself.

Simple but Effective

Pesin's spreading technique is in fact very simple and might even be considered old. But apparently this method fits the situation of computer users in Indonesia, particularly at internet cafes (warnet), where diskette use is still quite high. Pesin spreads through the diskette: a diskette inserted into an infected computer becomes infected, and it then infects other clean computers when it is read on them. This is the same method as the early viruses of around 1986, such as Brain or the local Denzuko virus, which spread only through diskettes; at that time the internet had not developed as it has today, so their spread was not as phenomenal as that of Lovebug or Klez.

As additional information, and unlike most viruses spreading today, Pesin is not encrypted. Perhaps its creator took the view "why encrypt, sooner or later the antivirus vendors will decrypt it anyway". That view is correct, or might be called exact, because encryption does not make a virus survive longer; it only makes it harder to tinker with afterwards. What makes a virus survive longer is its creator's care in exploiting the situation and conditions available, and a virus that spreads widely need not have sophisticated or convoluted programming. One proof is the Anna Kournikova virus, which threw internet users into turmoil in 2001: it was created by a Dutch teenager with no exceptional programming knowledge, using the Kalamar virus construction kit, yet it succeeded in tricking internet users into clicking a double-extension attachment by promising a picture of the pretty tennis player Anna Kournikova.


Method
When first run, Pesin disguises itself as a Windows process named SysTask.exe (a process, not an application) so that it does not appear under Applications in Task Manager.
Pesin also copies itself to the directory C:\MyDocuments under the name MyHeart.exe.
So that Windows runs it automatically at every start, Pesin changes the registry as follows:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run LoadService="%System%\Systask.exe /run"

where %System% is the Windows system directory, for example:

* C:\Windows\System (Win 95/98/ME), C:\Windows\System32 (Win XP) and C:\WINNT\System32 (Win NT/2000).

If it succeeds in becoming active in memory, Pesin tries to infect any diskette it finds by copying itself under one of the following names:

* My Love.exe
* Kenangan.exe
* Hallo.exe
* Puisi Cinta.exe
* My Heart.exe
* Jangan Dibuka.exe
* Mistery.exe

Somewhat like Swen, Pesin tries to block access to the following applications:

* Registry Editor
* System Configuration
* System Configuration Utility

An infected computer therefore has difficulty running the three applications above, because mouse and keyboard access to them is blocked. This is quite clever and would certainly confuse a user of average skill :). The dangerous thing Pesin carries is that it tries to modify "Autoexec.bat" to delete the Windows folder and Program Files. Since the targets are directories and program data that have no economic value and can simply be reinstalled, it can be concluded that the author of Pesin did not have intentions as bad as the authors of Explorezip or Klez.E, which destroyed all the MS Office data of infected users.

Disinfection
To disinfect Pesin, carry out the following steps:

1. For Windows ME and Windows XP, first turn off System Restore.

2. On Windows 95/98/ME, start Windows in Safe Mode. On Windows NT/2000/XP, open Task Manager with [Ctrl]+[Shift]+[Esc], click the [Processes] tab, click [Image Name] to sort the processes alphabetically and look for the process named "SysTask.exe"; then right-click the "SysTask.exe" process and click [End Process] to kill Pesin.

3. Scan the computer with an up-to-date antivirus program that recognises Pesin. We used Norman Virus Control, which can be downloaded from ftp.cbn.net.id (vaccine directory), and cleaned every file detected as Pesin.

4. Clean the registry entries that Pesin changed, as follows (back up your registry first; any mistake made while editing the registry can damage the OS and is your own responsibility):

* Run the Registry Editor via [Start] > [Run], type [Regedit] and press [Enter]; the Registry Editor window appears.

* Go to the key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  and in the right pane delete the value
  "LoadService"="%System%\SysTask.exe /run"
  by right-clicking it and choosing Delete.

* Save the registry changes, close the Registry Editor and restart the computer; your computer is now clean of Pesin.
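The indicators in the Method section above (the dropper file names on diskette, the SysTask.exe process name and the LoadService value under the Run key) and the manual checks in the disinfection steps can be collected into one offline sweep. The following Python script is an added example written for this page; it is not code from the article or from any antivirus product. It works on inputs gathered from the suspect machine (a file listing of the diskette, a Registry Editor export of the Run key, and a list of process names), so nothing has to be executed on the infected host. All sample inputs are constructed; the file names and registry value are the ones the article gives.

```python
"""Offline indicator sweep for the W32.Pesin.A artefacts described above.

Added example for this page, not code from the original article or from any
antivirus vendor. Inputs: file names found on a diskette, a .reg text export
of the Run key, and running process names. All sample inputs are constructed.
"""

# Names Pesin uses when it copies itself to a diskette, plus the name of the
# copy it leaves in C:\MyDocuments (all taken from the article above).
PESIN_DROPPER_NAMES = {
    "my love.exe", "kenangan.exe", "hallo.exe", "puisi cinta.exe",
    "my heart.exe", "jangan dibuka.exe", "mistery.exe", "myheart.exe",
}
PESIN_PROCESS_NAME = "systask.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_reg_export(text):
    """Parse a Registry Editor export into {key_path: {value_name: data}}.

    Only string (REG_SZ) values are handled, which is all the Run key holds
    here; the export escapes backslashes and quotes, so they are unescaped.
    """
    keys = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_dropper_files(listing):
    """Return the file names on removable media that match Pesin's dropper names."""
    return sorted(name for name in listing if name.lower() in PESIN_DROPPER_NAMES)


def find_run_key_persistence(reg_text):
    """Return (value_name, data) pairs under the Run key that launch SysTask.exe."""
    entries = parse_reg_export(reg_text).get(RUN_KEY, {})
    return [(name, data) for name, data in entries.items()
            if PESIN_PROCESS_NAME in data.lower()]


def find_pesin_process(process_names):
    """Return running process names equal to Pesin's disguise name."""
    return [p for p in process_names if p.lower() == PESIN_PROCESS_NAME]


def sweep(listing, reg_text, process_names):
    """Run all three checks; an empty list in every field means no indicator."""
    return {
        "dropper_files": find_dropper_files(listing),
        "run_key": find_run_key_persistence(reg_text),
        "processes": find_pesin_process(process_names),
    }


# --- constructed sample inputs (not captured from a real machine) ---
SAMPLE_LISTING = ["Laporan.doc", "Puisi Cinta.exe", "foto.jpg", "Jangan Dibuka.exe"]
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadService"="C:\\Windows\\System32\\Systask.exe /run"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"""
SAMPLE_PROCESSES = ["explorer.exe", "SysTask.exe", "svchost.exe"]

if __name__ == "__main__":
    for check, hits in sweep(SAMPLE_LISTING, SAMPLE_REG_EXPORT, SAMPLE_PROCESSES).items():
        print(f"{check}: {hits or 'clean'}")
```

The checks are case-insensitive because Windows file and process names are; the Run-key match looks for the SysTask.exe string anywhere in the value data rather than for the exact value name, since only the executable name is a stable indicator.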

W32.Renco@mm

Summary

Discovered: June 21, 2007
Updated: June 21, 2007 5:15:16 PM
Type: Worm
Infection Length: 34,880 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Renco@mm is a mass-mailing worm that may dial premium-rate numbers from the compromised computer.

Technical Details

When the worm is executed, it copies itself as the following file:
%SystemDir%\ShellExt\i[ORIGINAL FILENAME]

The worm also drops the following files:
%System%\laura.exe
%System%\eml32.dll
%Temp%\tmp_[8 DIGIT RANDOM HEXADECIMAL NUMBER].out
%Temp%\tmp_[8 DIGIT RANDOM HEXADECIMAL NUMBER].js

These files are deleted by the worm.

It attempts to terminate any processes with the following window name:
AOL

Creates a mutex called "{24E90DEE-C20C-44AF-9E43-38EEB7F8B88C}" to prevent multiple instances running.

The worm modifies the following file to create a new modem connection:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

The following registry entry is modified to disable the use of a proxy:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"

The worm may also change the Internet Explorer Start Page.

The worm then gathers email addresses from the Windows Address Book and sends itself as a .zip file attachment to the addresses collected.

The email has the following characteristics:
Sender name: [CURRENT USER]@gmail.com
From: [CURRENT USER] <[CURRENT USER]@gmail.com>

The message header contains the following:
Message-ID: <003901c77c2c$3f18bea0$0600150a@id>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_01C77F5B.9367BFB0"
X-UIDL: 4:>!!SWm"!]Y""!*\m"!
This is a multi-part message in MIME format.
------=_NextPart_000_0009_01C77F5B.9367BFB0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0009_01C77F5B.9367BFB0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=".zip"
------=_NextPart_000_0009_01C77F5B.9367BFB0--

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
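The message structure quoted above (a base64 attachment whose file name is just ".zip") and the recommendation to have the mail server block attachment types commonly used to spread viruses can both be turned into a gateway-side check. The following is an added example written for this page, not Symantec's code or the worm's. It parses a MIME message with Python's standard email module, flags attachments whose extension is on the block list from the recommendations (.vbs, .bat, .exe, .pif, .scr), flags attachments that have an extension but no base name, and looks inside .zip attachments for blocked file types, since a worm that mails itself as a .zip would otherwise pass a plain extension filter. The sample message, the example.invalid addresses and the zip contents are constructed; laura.exe is borrowed only as a name from the dropped-file list above and holds placeholder bytes.

```python
"""Mail-gateway style attachment policy check (added example, not Symantec code).

Parses one raw MIME message and reports attachments that a mail server should
block according to the recommendations above. The sample message built by
build_sample_message() is constructed for this example.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment types the recommendations say to block at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def split_name(filename):
    """Return (stem, extension) without os.path.splitext's dotfile rule,
    so that ".zip" yields ("", ".zip") rather than (".zip", "")."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return filename, ""
    return stem, "." + ext.lower()


def scan_message(raw):
    """Return a list of (filename, reason) findings for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = split_name(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, "blocked attachment type " + ext))
        if not stem:
            findings.append((name, "attachment has an extension but no base name"))
        if ext == ".zip":
            payload = part.get_content()  # bytes: base64 already decoded
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    for member in archive.namelist():
                        _, inner_ext = split_name(member)
                        if inner_ext in BLOCKED_EXTENSIONS:
                            findings.append((name, "archive contains blocked file " + member))
            except zipfile.BadZipFile:
                findings.append((name, "attachment claims to be a zip but is not a valid archive"))
    return findings


def build_sample_message(attachment_name, member_name):
    """Constructed sample: a multipart/mixed message carrying one zip attachment
    that holds a single placeholder file named member_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"MZ placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"   # constructed address
    msg["To"] = "recipient@example.invalid"   # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("This is a multi-part message in MIME format.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # A message shaped like the one in the writeup: attachment named ".zip".
    for finding in scan_message(build_sample_message(".zip", "laura.exe")):
        print(finding)
```

A gateway would act on any non-empty findings list (quarantine or strip the part); the archive check is deliberately limited to the member names, so a password-protected or nested archive still needs the usual scan engine behind this filter.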
Removal Instruction

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions.

    If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition 10.0, or newer products, LiveUpdate definitions are updated daily. These products include newer technology.

    If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition 9.0, or earlier products, LiveUpdate definitions are updated weekly. The exception is major outbreaks, when definitions are updated more often.


  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them.

The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

3. To run a full system scan
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.

    For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.

    For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.


  2. Run a full system scan.
  3. If any files are detected, follow the instructions displayed by your antivirus program.
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
  4. Restore the following registry entries to their original values, if required:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page"
  5. Exit the Registry Editor.
source: www.symantec.com

Trojan.Spamdes

Summary
Discovered: June 21, 2007
Updated: June 21, 2007 8:14:36 AM
Type: Trojan
Infection Length: 91,648 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Trojan.Spamdes is a Trojan horse that infects a Windows system file and sends spam.

Technical Details

Once executed, the Trojan infects the following file:
%System%\driver\ndis.sys

When the infected file is loaded, it will drop a .dll file into the following location:
C:\cd[FOUR NUMBERS].nls

The dropped .dll file then attempts to connect to the following site to download configuration files to send spam:
fimart.biz

It then sends spam to email addresses contained in the configuration files.
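Trojan.Spamdes differs from the other writeups on this page in that it infects a driver already present on disk (ndis.sys) rather than dropping a new executable under a known name, so a file-name indicator alone will not find it. The check a responder wants is a hash comparison of the system directory against a baseline taken from a known-clean install, which catches the in-place modification and also the dropped C:\cd[FOUR NUMBERS].nls file. The following Python script is an added example for this page, not Symantec's tooling; its demo() builds two constructed directory trees in temporary storage with placeholder contents (the cd1234.nls name is a made-up instance of the pattern above), so no real system files are read.

```python
"""File-integrity check for system files a Trojan may infect in place.

Added example for this page, not Symantec's tooling. demo() creates two
constructed directory trees (a clean baseline and a suspect snapshot) with
placeholder bytes; nothing here touches real Windows files.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large drivers do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes


def compare(baseline, current):
    """Classify differences between a baseline and a later snapshot of the same tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    """Helper for the demo: write data to root/rel, creating directories as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a clean tree and one altered the way the writeup describes
    (ndis.sys modified in place, a cd####.nls file dropped at the root)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        # Placeholder driver contents; these are not real Windows binaries.
        for root in (clean, suspect):
            _write(root, "driver/tcpip.sys", b"placeholder tcpip driver")
        _write(clean, "driver/ndis.sys", b"placeholder ndis driver")
        _write(suspect, "driver/ndis.sys", b"placeholder ndis driver" + b"<appended code>")
        _write(suspect, "cd1234.nls", b"placeholder dropped dll")  # made-up instance of cd[FOUR NUMBERS].nls
        return compare(hash_tree(clean), hash_tree(suspect))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from install media or a freshly built reference machine and stored off-host, and the suspect snapshot is hashed from an offline (Safe Mode or mounted) copy of the system directory, since an infected driver that is already loaded can lie to tools running on top of it.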

Recommendations

The basic security "best practices" Symantec Security Response gives for this threat are the same as those listed above under W32.Renco@mm.
Removal Instruction
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.

The detailed procedure for each of these steps is the same as steps 1 to 3 of the W32.Renco@mm removal instructions above; the removal instructions for Trojan.Spamdes have no registry step. After the files are deleted, restart the computer in Normal mode.

source: www.symantec.com

ParasiteWare, Adware, Spyware, Malware, Page Hijackers, Dialers

ParasiteWare


ParasiteWare is the term for any Adware that by default overwrites certain affiliate tracking links. These tracking links are used by webmasters to sell products and to help fund websites. The controversy is centered on companies like WhenU, eBates, and Top Moxie, a popular maker of Adware applications. These companies have released their software to assist users in getting credit for rebates, cash back shopping, or contributions to funds. To the end user ParasiteWare represents little in the way of a security threat.

Adware

Adware, also known as an Adbot, can do a number of things, from profiling your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled with other software (for example, peer-to-peer file-swapping products) without the user's knowledge, or slipped into the fine print of a EULA (End User License Agreement). Not all Adware is bad, but users are often annoyed by adware's intrusive behavior. Keep in mind that removing Adware may sometimes stop the free program it came bundled with from functioning. Some Adware, dubbed a "BackDoor Santa", may not perform any activity other than profiling a user's surfing activity for study.

AdWare can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall.

A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA.

It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA, e-mail the company and ask them for clarification.

Spyware

Spyware is a potentially more dangerous beast than Adware because it can record your keystrokes, history, passwords, and other confidential and private information. Spyware is often sold as a spouse monitor, child monitor, a surveillance tool or simply as a tool to spy on users to gain unauthorized access. Spyware is also known as: snoopware, PC surveillance, key logger, system recorders, Parental control software, PC recorder, Detective software and Internet monitoring software.

Spyware covertly gathers user information and activity without the user's knowledge. Spy software can record your keystrokes as you type them, passwords, credit card numbers, sensitive information, where you surf, chat logs, and can even take random screenshots of your activity. Basically whatever you do on the computer is completely viewable by the spy. You do not have to be connected to the Internet to be spied upon.

The latest permutations of Spyware include routines to mail out user activity via e-mail or to post information to the web where the spy can view it at their leisure. Many spyware vendors also use "stealth routines" and "polymorphic" (meaning changing form) techniques to avoid detection and removal by popular anti-spy software. In some cases Spyware vendors have gone as far as to counter-attack anti-spy packages by attempting to break their use. In addition they may use routines to re-install the spyware application after it has been detected.

Malware

Malware is slang for malicious software. Malware is software designed specifically to disrupt a computer system. A Trojan horse, worm or virus could be classified as Malware. Some advertising software can be malicious in that it tries to re-install itself after you remove it.

For the purpose of simplicity Malware is software specifically engineered to damage your machine or interrupt the normal computing environment.

Examples of Malware include:

Page Hijackers

Hijackers are applications that attempt to usurp control of the user's home page and reset it to one of the hijacker's choosing. They are a low security threat, but obnoxious. Most Hijackers use stealth techniques or trick dialogue boxes to perform installation.

Dialers

A dialer is a type of software used by pornographic vendors. Once dialer software is downloaded, the user's modem is disconnected from its usual Internet service provider and dials another phone number, and the user is billed for the call. While dialers do not spy on users, they are malevolent in nature because they can cause huge financial harm to the victim.

Source: http://www.spywareguide.com/txt_intro.php

About Spyware

What Is Spyware?

Spyware is a general term used to describe software that performs certain behaviors such as advertising, collecting personal information, or changing the configuration of your computer, generally without appropriately obtaining your consent first.

Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.

That does not mean all software that provides ads or tracks your online activities is bad. For example, you might sign up for a free music service, but you "pay" for the service by agreeing to receive targeted ads. If you understand the terms and agree to them, you may have decided that it is a fair tradeoff. You might also agree to let the company track your online activities to determine which ads to show you.

Other kinds of spyware make changes to your computer that can be annoying and can cause your computer to slow down or crash.

These programs can change your Web browser's home page or search page, or add additional components to your browser you don't need or want. These programs also make it very difficult for you to change your settings back to the way you originally had them.

The key in all cases is whether or not you (or someone who uses your computer) understand what the software will do and have agreed to install the software on your computer.

There are a number of ways spyware or other unwanted software can get on your computer. A common trick is to covertly install the software during the installation of other software you want, such as a music or video file sharing program.

Whenever you install something on your computer, make sure you carefully read all disclosures, including the license agreement and privacy statement. Sometimes the inclusion of unwanted software in a given software installation is documented, but it might appear at the end of a license agreement or privacy statement.

Source: www.microsoft.com

Downloader-BCS

Profile

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/18/2007
Date Added: 6/18/2007
Origin: N/A
Length: game.class (24,739 bytes)
Type: Trojan
SubType: Downloader
DAT Required: 5055

Virus Characteristics

Downloader-BCS is a Java applet trojan intended to silently download and execute malicious content from a remote server.

The trojan exploits a buffer overflow vulnerability in the Java Runtime Environment (JRE) that is triggered while parsing certain image file formats such as GIF.

When the applet runs on a victim machine with a vulnerable installation of the Java Runtime Environment, the trojan downloads further malware from the remote server and executes it.

The following files are downloaded. The applet file (game.class) is 24,739 bytes in size.

  • game.class --> Malicious Java applet
  • picsj.exe --> variant of Proxy-Agent.o

The trojan automatically connects to the following domain to download additional malware.

  • http://216.32.92[blocked]/

Indications of Infection

  • Outgoing HTTP traffic to the domain http://216.32.92[blocked]/

Note: As the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered, possibly with every user infection.

Method of Infection

This downloader trojan exists purely to steal sensitive information and to download and run other remote files. The downloader is run on the victim machine in a way that assists in masking its activity.

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Aliases

Exploit.java.gimsh.a (Kaspersky), Troj/Dloadr-AYQ (Sophos)

W32/Naplik.a

Profile

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/18/2007
Date Added: 6/18/2007
Origin: N/A
Length: N/A
Type: Virus
SubType: Win32
DAT Required: 5055

Virus Characteristics

W32/Naplik.a is an appending virus for the Windows platform. This file infector infects .EXE files by copying its code to the end of the file in a new section, ".k0kus", and modifying the file's entry point to point to the virus code. (Note: the virus did not replicate when we tested it.)

Upon execution, it injects its DLL component "VirusBoot.dll" into explorer.exe; this DLL is in charge of the infection.
It also contacts three different pages on the following website:

http://www.aabbcc.us/sys/lm/

  • to download a possible update of the virus (downloaded updates are stored in %Sysdir%\svchost.exe)
  • to report that a machine has been infected
  • to send information collected from the machine.

Note: this virus is currently being investigated and more information will probably come later.

Indications of Infection

  • Attempts to connect to www.aabbcc.us
  • Increase in the size of EXE files

Method of Infection

W32/Naplik.a is a file infecting virus. Infection starts with manual execution of the binary.

Removal Instructions

AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.

Aliases

W32.Naplik (NAV)

W32/Zaflen.a

Profile

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/15/2007
Date Added: 6/15/2007
Origin: N/A
Length: 172,032 bytes
Type: Virus
SubType: Win32
DAT Required: 5054

Virus Characteristics

When this malware is executed, it creates the following folders:

  • %My Documents%\Rated R Pictures
  • %Windir%\gorgle
  • %Windir%\setup

This malware creates multiple copies of itself in several locations. Some of these are:

  • c:\CoolWorld.exe
  • c:\Documents and Settings\All Users\Desktop\Microsoft Word Document.scr
  • c:\Documents and Settings\All Users\Start Menu\New Microsoft Word Document.scr
  • c:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word Document.scr
  • c:\Documents and Settings\All Users\Start Menu\Programs\Startup\folderwiz.com
  • %userprofile%\My Documents\My Picture.com
  • %userprofile%\My Documents\Rated R Pictures.com
  • %userprofile%\My Documents\My Pictures\mskernel.exe
  • %userprofile%\NetHood\Hot Picture.com
  • %userprofile%\PrintHood\Printing Information.com
  • %userprofile%\SendTo\Image Editor.com
  • %userprofile%\Start Menu\Image Viewer.com
  • c:\Program Files\phil.constitution.scr
  • c:\WINDOWS\agila.scr
  • c:\WINDOWS\AutoRun.ini
  • c:\WINDOWS\lsass.exe
  • c:\WINDOWS\services.exe
  • c:\WINDOWS\gorgle\csrss.exe
  • c:\WINDOWS\setup\mskernel.exe
  • c:\WINDOWS\system32\mskernel.exe

It copies itself to multiple drives in the system.

It also creates the following file, which executes the malware when the drive is accessed:

  • C:\autorun.inf
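
A parser for a file of this kind, added here as an illustration and not part of the vendor write-up: it reads an autorun.inf and lists every entry that the Windows shell would launch when the drive is opened or one of its context-menu verbs is used. The sample file is constructed (the page does not show the real file's contents); its executable name reuses the c:\CoolWorld.exe copy listed above.

```python
"""List the launch entries of an autorun.inf (added example, not from the vendor write-up)."""

LAUNCH_KEYS = ("open", "shellexecute")          # run on AutoRun / AutoPlay
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs")


def parse_autorun(text):
    """Return {section: {key: value}} with lower-cased section and key names (INI-style, no interpolation)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return [(trigger, command)]: the open/shellexecute keys plus every shell\\<verb>\\command entry."""
    autorun = parse_autorun(text).get("autorun", {})
    targets = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def executable_targets(text):
    """Only the launch targets whose first token is a program the shell would execute."""
    def first_token(cmd):
        cmd = cmd.strip()
        return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return [(k, v) for k, v in launch_targets(text) if first_token(v).lower().endswith(EXEC_EXTENSIONS)]


# Constructed sample in the style of a worm-dropped autorun.inf. The executable name reuses the
# c:\CoolWorld.exe copy listed for W32/Zaflen.a; the page does not show the real file's contents.
SAMPLE_AUTORUN = """[AutoRun]
; borrow a stock shell icon and a harmless label so the drive looks like an ordinary folder
icon=%SystemRoot%\\system32\\shell32.dll,3
label=My Pictures
open=CoolWorld.exe
shellexecute=CoolWorld.exe
shell\\open\\command=CoolWorld.exe
shell\\explore\\command=CoolWorld.exe
shell=open
"""
```

Running `launch_targets(SAMPLE_AUTORUN)` returns four entries (open, shellexecute, and the Open and Explore verbs), all pointing at CoolWorld.exe; a file whose [autorun] section carries only `label` and `icon` produces none, which is the usual signature of a legitimate media label.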

This malware then searches for and infects files with the following extensions:

  • doc
  • rtf
  • jpg
  • gif
  • png

It infects the above files by prepending itself to them.
It changes the icon of the infected files to the MS Word icon and the extension to .scr or .exe.
It also appends 35 bytes to the end of the file, which include the extension of the original file.

This malware adds the following registry entries to load at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinRun" Data - C:\WINDOWS\AutoRun.ini
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)" Data - \WINDOWS\lsass.exe

It adds the following registry entries to disable Run and Folder Options and to hide file extensions:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoFolderOptions"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoRun"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "Run"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt "CheckedValue"

It also adds/modifies certain other registry entries for its functioning.

This malware also drops the file "email32.vbs" into the Windows directory; this is a mass-mailer component detected as W32/PetTick.vbs.
It is used to send out copies of the file infector via e-mail to addresses harvested from the system.

Indications of Infection

The file icon for png, jpg and gif files changes to the MS Word icon.

Increase in file size by 172,067 bytes for infected files.

Presence of the files and registry entries mentioned.

Method of Infection

This parasitic file infector spreads by copying itself to multiple locations and to different drives in the system.
It also spreads using the mass-mailing component detected as W32/PetTick.vbs.
Files get infected when the user executes the malware, which is disguised as an MS Word document.

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Downloader-BCV

Profile

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/20/2007
Date Added: 6/20/2007
Origin: N/A
Length: 8,192 bytes
Type: Trojan
SubType: Downloader
DAT Required: 5059

Virus Characteristics

Detection was added to cover a malicious 32-bit PE downloader file originally called "systime.exe", having a file size of 8,192 bytes.

It runs silently; no GUI message boxes appear on the screen.

It immediately copies itself into the %System32% folder and creates a registry entry to run automatically at system start; for example, on Windows 2000:

  • c:\WINNT\system32\systime.exe

It might also copy itself to the root of the C: drive; the location c:\systime.exe is hardcoded inside the binary.

It tries to download a binary called "network.exe" from http://drsun####.go#.icp##.##, but at test time the binary was not accessible. The exact address has been obscured here with # markings.

Indications of Infection

  • Presence of "systime.exe", having a file size of 8,192 bytes.
  • Network connections to http://drsun####.go#.icp##.## (the exact address has been obscured here with # markings).

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Fantibag.B/Email-Worm.Win32.Bagle.bs

Summary

Fantibag.B is a trojan that installs a packet filter to prevent the downloading of antivirus database updates and security patches. It is related to the recent Bagle/Mitglieder trojans.

Detailed Description

System installation

When the trojan's file is executed, it copies itself into the Windows directory with the name 'firewall_anti.exe'. It installs the following registry key to ensure it is executed at system startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"firewall_anti" = "%WinDir%\firewall_anti.exe"

The trojan drops a DLL 'firewall_anti.dll' in the Windows directory and injects this file into the address space of Internet Explorer.

Packet filtering

When the dropped DLL is activated, it modifies the network interface using the Microsoft RAS packet filtering API. It adds a filter that blocks access to the following AV companies and other security-related sites:

ftpav.ca.com
www.pandasoftware.com
pandasoftware.com
clamav.net
www.clamav.net
www.bitdefender.com
bitdefender.com
ravantivirus.com
www.ravantivirus.com
drweb.ru
www.drweb.com
drweb.com
antivir.de
www.antivir.de
216.200.68.152
212.113.20.69
63.210.193.12
84.53.142.22
84.53.142.6
kaspersky.ru
grisoft.com
www3.ca.com
www.viruslist.ru
www.viruslist.com
www.trendmicro.com
www.symantec.com
www.sophos.com
www.networkassociates.com
www.nai.com
www.my-etrust.com
www.mcafee.com
www.kaspersky.ru
www.kaspersky.com
www.kaspersky-labs.com
www.grisoft.com
www.fastclick.net
www.f-secure.com
www.awaps.net
www.avp.ru
www.avp.com
www.avp.ch
windowsupdate.microsoft.com
viruslist.ru
viruslist.com
vil.nai.com
us.mcafee.com
updates5.kaspersky-labs.com
updates4.kaspersky-labs.com
updates3.kaspersky-labs.com
updates2.kaspersky-labs.com
updates1.kaspersky-labs.com
updates.symantec.com
update.symantec.com
trendmicro.com
symantec.com
support.microsoft.com
spd.atdmt.com
sophos.com
service1.symantec.com
securityresponse.symantec.com
secure.nai.com
rads.mcafee.com
phx.corporate-ir.net
office.microsoft.com
networkassociates.com
nai.com
my-etrust.com
msdn.microsoft.com
media.fastclick.net
mcafee.com
mast.mcafee.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
kaspersky.com
kaspersky-labs.com
ids.kaspersky-labs.com
go.microsoft.com
ftp.sophos.com
ftp.kasperskylab.ru
ftp.f-secure.com
ftp.downloads2.kaspersky-labs.com
ftp.avp.ch
fastclick.net
f-secure.com
engine.awaps.net
downloads4.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads.microsoft.com
downloads-us3.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-eu1.kaspersky-labs.com
download.microsoft.com
download.mcafee.com
dispatch.mcafee.com
customer.symantec.com
clicks.atdmt.com
click.atdmt.com
www.ca.com
ca.com
banners.fastclick.net
banner.fastclick.net
awaps.net
avp.ru
avp.com
avp.ch
atdmt.com
ar.atwola.com
ads.fastclick.net
ad.fastclick.net
ad.doubleclick.net

Source: http://www.f-secure.com/v-descs/fantibag_b.shtml

MSBLAST.EXE worm aka Blaster.A, LoveSan or Msblast.A

What is the MSBLAST.EXE worm aka Blaster.A, LoveSan or Msblast.A?

The MSBLAST.A worm infects machines via network connections. It can attack entire networks of computers or a single computer connected to the Internet. The worm exploits a known Windows vulnerability that is easily patched; however, few systems seem to have the patch installed. It attacks Windows 2000 and XP machines and exploits the DCOM RPC vulnerability. Depending on the system date, it will start a denial-of-service attack against windowsupdate.com; this makes it difficult to download the needed patches and allows the worm to infect as many machines as it can before being disabled. However, as of August 15th, Microsoft decided to take the windowsupdate.com domain offline to lessen the impact of this denial-of-service attack. MSBLAST can also cause widespread system instability including, but not limited to, Windows blue screens, out-of-memory errors, changes to Control Panel, inability to use functions in the browser, and many more oddities.

Download the Windows patches for this vulnerability by clicking on the links below:
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
These Windows vulnerabilities are patched by using Windows Update to download all the critical updates for your system. However, in some cases people have reported getting error 0x800A138F when trying to download updates. If you are receiving an error similar to this, read Marc Liron's excellent article about solving it on his updatexp.com website.

What is the DCOM Vulnerability?

The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.

What are the Symptoms of the MSBLAST worm?

You'll see a screen similar to the one below when you are infected; it counts down to zero and then shuts the system down completely. The warning will state "This shutdown was initiated by NT AUTHORITY\SYSTEM". The message will read

"Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly"



You can disable this shutdown by following the steps below during the countdown
  • Click on Start, Run
  • Type in CMD and press ENTER
  • Type in the following command and press Enter: SHUTDOWN -A
This will terminate the shutdown; however, in most cases the system may be too unstable to recover and may need to be rebooted anyway.

How Does MSBLAST Infect My Computer?

  1. The worm creates a mutex named "BILLY". If the mutex already exists, the worm exits.
  2. Adds the value:
    "windows auto update" = MSBLAST.EXE (variant A)
    "windows auto update" = PENIS32.EXE (variant B)
    "Microsoft Inet xp.." = TEEKIDS.EXE (variant C)

    "Nonton Antivirus=mspatch.exe" (variant E)
    "Windows Automation" = "mslaugh.exe" (variant F)
    "www.hidro.4t.com"="enbiei.exe" (variant G)

    to the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that the worm runs when you start Windows.
  3. Calculates the target IP address using the following algorithm 40% of the time:
    Host IP: A.B.C.D
    sets D equal to 0.
    if C > 20, subtracts a random value less than 20 from C.
    Once calculated, the worm starts attempting to exploit the computer at A.B.C.0, and then counts up.
    This means the local area network will be infected almost immediately and become saturated with port 135 requests before the worm exits the local subnet.
  4. Calculates the target IP address from random numbers 60% of the time:
    A.B.C.D
    sets D equal to 0.
    sets A, B, and C to random values between 0 and 255.
  5. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:
    Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

    NOTE:
    Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data. This can cause blue screens, out of memory errors, etc.
  6. Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.
  7. Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.
  8. If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."
    With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

    The worm contains the following text, which is never displayed:

    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!

    Windows 2000 Machines

    On Windows 2000 machines, I have seen the Control Panel icons switch to the left pane, functions like FIND in the browser stop working, and many other oddities.
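
The target-selection logic in steps 3 and 4 gives a defender a concrete pattern to look for: one source opening TCP port 135 to consecutive addresses counting up from .0 inside a /24, or to many unrelated /24s. The detector below is an added example, not part of the original write-up, and runs that check over a constructed firewall-log sample. The log format and the thresholds (8 consecutive hosts, 16 distinct subnets) are assumptions chosen for the example, not values from the page.

```python
"""Detect Blaster-style sequential TCP/135 sweeps in firewall logs (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict

# Constructed log format used by the sample: "<date> <time> <action> <proto> <src> <dst> <sport> <dport>"
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+)$"
)


def longest_consecutive_run(values):
    """Return (start, length) of the longest run of consecutive integers in values."""
    best_start, best_len, cur_start, cur_len, prev = None, 0, None, 0, None
    for v in sorted(set(values)):
        if prev is not None and v == prev + 1:
            cur_len += 1
        else:
            cur_start, cur_len = v, 1
        if cur_len > best_len:
            best_start, best_len = cur_start, cur_len
        prev = v
    return best_start, best_len


def find_port135_sweeps(lines, min_run=8, min_subnets=16):
    """Per source host, flag a counting-up run of TCP/135 targets inside one /24 (the worm's
    40% local branch) or TCP/135 attempts spread over many /24s (its 60% random branch)."""
    last_octets = defaultdict(lambda: defaultdict(set))   # src -> "/24" -> {last octets probed}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) != 135:
            continue
        dst = ipaddress.ip_address(m["dst"])
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        last_octets[m["src"]][str(net)].add(int(dst) & 0xFF)
    alerts = []
    for src, nets in last_octets.items():
        best_net, best_start, best_len = None, None, 0
        for net, octets in nets.items():
            start, length = longest_consecutive_run(octets)
            if length > best_len:
                best_net, best_start, best_len = net, start, length
        if best_len >= min_run or len(nets) >= min_subnets:
            base = ipaddress.ip_network(best_net).network_address
            alerts.append({"src": src, "subnet": best_net, "run_start": str(base + best_start),
                           "longest_run": best_len, "subnets_hit": len(nets)})
    return sorted(alerts, key=lambda a: a["src"])


def sample_log():
    """Constructed sample: 10.0.5.23 sweeps 10.0.5.0 upward on TCP/135, plus ordinary traffic."""
    lines = [f"2003-08-12 10:01:{i:02d} DROP TCP 10.0.5.23 10.0.5.{i} {1025 + i} 135" for i in range(12)]
    lines += [
        "2003-08-12 10:01:30 DROP TCP 10.0.5.23 203.0.113.7 1040 135",    # random-branch probes
        "2003-08-12 10:01:31 DROP TCP 10.0.5.23 198.51.100.9 1041 135",
        "2003-08-12 10:02:00 ALLOW TCP 10.0.5.40 10.0.5.7 3050 135",      # one legitimate RPC connection
        "2003-08-12 10:02:01 ALLOW TCP 10.0.5.40 10.0.5.9 3051 445",
        "2003-08-12 10:02:02 ALLOW UDP 10.0.5.40 10.0.5.1 3052 53",
    ]
    return lines
```

On the sample, `find_port135_sweeps(sample_log())` raises a single alert for 10.0.5.23 with a run of 12 hosts starting at 10.0.5.0, while the host that made one normal RPC connection stays quiet. The run check is the cheap, high-confidence signal; the subnet-count threshold is there because the 60% random branch never produces a run, and it should be tuned to the site's normal outbound 135 traffic (which, for most networks, is none).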

How can I remove the MSBLAST worm?

Follow these steps to remove the MSBLAST or MSBLASTER worm.
  1. Disconnect your computer from the local area network or Internet
  2. Terminate the running program
    • Open the Windows Task Manager: press CTRL+ALT+DEL and select the Processes tab (on WinNT/2000/XP machines, press CTRL+ALT+DEL, select Task Manager and then the Processes tab).
    • Locate one of the following programs (depending on the variant), click on it and choose End Task or End Process

      MSBLAST.EXE
      PENIS32.EXE
      TEEKIDS.EXE

      MSPATCH.EXE
      MSLAUGH.EXE
      ENBIEI.EXE

    • Close Task Manager
  3. Install the patches for the DCOM RPC exploit; you can download the patches from the links below before disconnecting
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
    • http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
    • http://download.microsoft.com/download/a/7/5/a75b3c8f-5df0-451b-b526-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe
    • http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe
    • http://download.microsoft.com/download/4/0/3/403d6631-9430-4ff6-a061-9072a4c50425/WindowsServer2003-KB823980-ia64-ENU.exe
    • If you receive a "cryptographic service" error when you try to apply the patch, please read the following excellent article on how to fix this error:
      http://www.updatexp.com/cryptographic-service.html
  4. Block access to TCP port 4444 at the firewall level, and then block the following ports if the listed applications are not in use:
    • TCP Port 135, "DCOM RPC"
    • UDP Port 69, "TFTP"
  5. Remove the registry entries
    • Click on Start, Run, Regedit
    • In the left panel go to
      HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run
    • In the right panel, right-click and delete the entry for your variant
      "windows auto update" = MSBLAST.EXE (variant A)
      "windows auto update" = PENIS32.EXE (variant B)
      "Microsoft Inet xp.." = TEEKIDS.EXE (variant C)

      "Nonton Antivirus"=MSPATCH.EXE (variant E)
      "Windows Automation" = "mslaugh.exe" (variant F)
      "www.hidro.4t.com"="enbiei.exe" (variant G)
    • Close the Registry Editor
  6. Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)
    • Click Start, point to Find or Search, and then click Files or Folders.
    • Make sure that "Look in" is set to (C:\WINDOWS).
    • In the "Named" or "Search for..." box, type, or copy and paste, the file names:
      msblast*.* (or other filenames listed above)
    • Click Find Now or Search Now.
    • Delete the displayed files.
    • Empty the Recycle Bin; the worm can reinfect even if the files are only in the Recycle Bin.
  7. Reboot the computer, reconnect the network, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
  8. Now check for the worm again; if it returns, complete these steps once more until the virus is gone. With the patch in place, the virus won't be able to exploit the system, but sometimes it is difficult to remove the files for good.
For automatic removal of MSBLAST, download the Symantec removal tool. You'll still need to download and install the patches above, but the removal tool will stop the MSBLAST program from running, remove the registry items, and delete the infected files.

Source : http://www.pchell.com/virus/msblast.shtml

About Trojan Horse

History of Trojan Horse

The original trojan horse was built by Odysseus, the King of Ithaca, during the legendary Trojan War. The Greeks were losing the siege of the city of Troy. Odysseus had a large wooden horse built and left as a "gift" outside the walls of the city of Troy. He then ordered the Greek army to sail away.

The Trojans believed the horse to be a peace offering from Odysseus. Instead, the horse was filled with Greek warriors, including Odysseus and Menelaus. As the Trojans slept, the Greek army sailed back to Troy and the soldiers hiding in the wooden horse snuck out and opened the gates of the city for them.

A Computer Trojan Horse

A computer trojan horse is a program which appears to be something good, but actually conceals something bad.

One way to spread a trojan horse is to hide it inside a distribution of normal software. In 2002, the sendmail and OpenSSH packages were both used to hide trojan horses. This was done by an attacker who broke into the distribution sites for these software packages and replaced the original distributions with his own packages.

A more common method of spreading a trojan horse is to send it via e-mail. The attacker will send the victim an e-mail with an attachment called something like "prettygirls.exe." When the victim opens the attachment to see the pretty girls, the trojan horse will infect his system.

A similar technique for spreading trojan horses is to send files to unsuspecting users over chat systems like IRC, AIM, ICQ, MSN, or Yahoo Messenger.


The Trojan Horse Virus

Unlike viruses, trojan horses do not normally spread themselves. Trojan horses must be spread by other mechanisms.

A trojan horse virus is a virus which spreads by fooling an unsuspecting user into executing it.

An example of a trojan horse virus would be a virus which required a user to open an e-mail attachment in Microsoft Outlook to activate. Once activated, the trojan horse virus would send copies of itself to people in the Microsoft Outlook address book.

The trojan horse virus infects like a trojan horse, but spreads like a virus.


Effects of a Trojan Horse

The victim running the trojan horse will usually give the attacker some degree of control over the victim's machine. This control may allow the attacker to remotely access the victim's machine, or to run commands with all of the victim's privileges.

The trojan horse could make the victim's machine part of a Distributed Denial of Service (DDoS) network, where the victim's machine is used to attack other victims.

Alternatively, the trojan horse could just send data to the attacker. Data commonly targeted by trojan horses includes usernames and passwords, but a sophisticated trojan horse could also be programmed to look for items such as credit card numbers.


Protecting Against The Trojan Horse

Anti-virus programs detect known trojan horses. However, trojan horse programs are easier to create than viruses and many are created in small volumes. These trojan horse programs will not be detected by anti-virus software.

The best defense against a trojan horse is to never run a program that is sent to you. E-mail and chat systems are not safe methods of software distribution.


Spyware and Adware

Many people consider spyware and adware to be forms of a trojan horse.

Spyware programs perform a useful function, and also install a program that monitors usage of the victim's computer for the purpose of marketing to the user.

Adware programs are similar to spyware programs, except the additional software they install shows advertising messages directly to the user.



Win32/Lightmoon.M

Description

Win32/Lightmoon.M is a worm that spreads via email and network shares. It makes trivial changes to its PE header as it replicates in order to evade detection methods such as MD5 matching.
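
Two of the descriptions on this page come down to facts about the PE header: W32/Naplik.a appends its code in a new ".k0kus" section and repoints the entry point there, and Lightmoon.M edits header fields between copies so that whole-file MD5 matching fails. The example below is added here (it is not Microsoft's or McAfee's code) and shows both checks on minimal PE32 images constructed in memory: a heuristic that flags a known marker section name or an entry point located in the last section, and a digest over section bodies only, which stays stable when a header field such as TimeDateStamp changes. The header layout follows the documented PE32 format; the images, their section contents and the timestamp value are constructed for the example.

```python
"""Appending-infector and header-drift checks for PE32 images (added example, not vendor code)."""
import hashlib
import struct
from collections import namedtuple

FILE_ALIGN = 0x200        # FileAlignment used by the constructed images
OPT_HDR_SIZE = 224        # PE32 optional header including 16 data directories

Section = namedtuple("Section", "name virtual_address virtual_size raw_offset raw_size")


def parse_pe(data: bytes):
    """Return (entry_point_rva, [Section, ...]) from a PE32 image (minimal parser, no size validation)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, roff = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vaddr, vsize, roff, rsize))
    return entry_rva, sections


def appended_code_indicators(data: bytes, marker_names=(".k0kus",)):
    """Appending-infector heuristics: a known marker section name, or an entry point inside the last section."""
    entry, sections = parse_pe(data)
    findings = [f"section {s.name!r} is a known infector marker" for s in sections if s.name in marker_names]
    if sections:
        last = sections[-1]
        if last.virtual_address <= entry < last.virtual_address + max(last.virtual_size, last.raw_size):
            findings.append(f"entry point 0x{entry:x} lies in the last section {last.name!r}")
    return findings


def section_digest(data: bytes) -> str:
    """SHA-256 over section names and raw bodies only, so header-only edits do not change it."""
    _, sections = parse_pe(data)
    h = hashlib.sha256()
    for s in sections:
        h.update(s.name.encode())
        h.update(data[s.raw_offset:s.raw_offset + s.raw_size])
    return h.hexdigest()


def build_pe(sections, entry_rva: int, timestamp: int = 0) -> bytes:
    """Constructed test data: a minimal PE32 image from [(name, rva, raw_bytes), ...]."""
    n = len(sections)
    headers = -(-(64 + 4 + 20 + OPT_HDR_SIZE + 40 * n) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                          # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)     # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, headers)                            # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    table, body, raw_off = b"", b"", headers
    for name, rva, raw in sections:
        padded = raw + b"\0" * (-len(raw) % FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), rva,
                             len(padded), raw_off, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_off += len(padded)
    head = dos + b"PE\0\0" + coff + bytes(opt) + table
    return head + b"\0" * (headers - len(head)) + body


def demo():
    code = [(".text", 0x1000, b"\x55\x8b\xec\x90\xc3"), (".data", 0x2000, b"hello\0")]
    clean = build_pe(code, entry_rva=0x1000)
    # constructed "infected" image: a new last section with the Naplik marker name, entry point moved into it
    infected = build_pe(code + [(".k0kus", 0x3000, b"\xe8\0\0\0\0" + b"V" * 20)], entry_rva=0x3000)
    # same sections, different TimeDateStamp (constructed value): the file MD5 changes, the section digest does not
    restamped = build_pe(code, entry_rva=0x1000, timestamp=0x4671B2C0)
    return {
        "clean_findings": appended_code_indicators(clean),
        "infected_findings": appended_code_indicators(infected),
        "md5_changed": hashlib.md5(clean).hexdigest() != hashlib.md5(restamped).hexdigest(),
        "section_digest_stable": section_digest(clean) == section_digest(restamped),
    }
```

`demo()` reports no findings for the clean image, two for the infected one (the marker name and the entry point in the last section), an MD5 that differs between the two restamped copies, and a section digest that does not. Real infectors and real compilers both put an entry point outside the first section sometimes, so the heuristic is a triage signal rather than a verdict; the section digest is the more durable identifier when a sample is known to rewrite only its headers.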

Method of Infection

When executed, the worm makes many copies of itself on the affected system and drops several additional component files. It creates the following copies:
  • %Windows%\lsass.exe
  • %Windows%\.exe (the worm creates 3 copies of itself with different filenames that follow this format)
  • %System%\\.cmd
  • %System%\>.exe
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP and Vista it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP and Vista it is C:\Windows.

It also creates the following files:
  • %Windows%\cypreg.dll
  • %Windows%\moonlight.dll
  • %System%\systear.dll - data file used to store the random filename.
A folder with Recycle Bin attributes is created to store more copies of the worm:
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\.com
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\.exe
  • %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip

The following registry modifications are made in order to ensure that the worm is executed:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD = ""%Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\.com""
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RUN\ = "%System%\<random 14 characters>.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, "%Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\.exe""
  • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell = "l.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "%Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RUN\ = "%Windows%\.exe"
The worm also creates a copy of itself in each subfolder under My Documents, using the same name as the subfolder it is created in, for example:
  • \Documents and Settings\My Documents\My Pictures\My Pictures.exe
  • \Documents and Settings\\My Documents\My Music\My Music.exe

The worm makes several additional registry modifications that are not critical to its replication:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 1
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue = 0
  • HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig = 1
  • HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 1
  • HKCR\exefile\(Default) SUCCESS "File Folder"
  • HKCR\scrfile\(Default) SUCCESS "File Folder"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "%Windows%\notepad.exe"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "%Windows%\notepad.exe"
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 0

The worm uses the File Folder icon.

Copies of the worm, as many as 10, are inserted into ZIP files found in the infected system. The inserted filenames are selected from below:

  • RealPlayer13-5GOLD.exe
  • Icon Cool-Editor 3.4.30315.exe
  • CheatEngine52.exe
  • framework-4.4.exe
  • Vista Transformation Pack 4.0.exe
  • Pack_Vista_Inspirat_1.6.exe
  • DeepUnfreezerU1.6.exe
  • Pack_Longhorn_Inspirat_1.6_code32547.exe
  • TeamViewer_Setup.exe
  • License.exe

Method of Distribution

Via Email

The worm spreads via e-mail with a variable subject and message body. The attachment also uses a variable filename and extension. The From address is 'spoofed', chosen from e-mail addresses collected from the affected system. The e-mail address of the infected user is also used.

E-mail sent by the worm has the following characteristics:

Possible Subjects:

  • miss Indonesian
  • Cek This
  • hello
  • Japannes Porn
  • xxx

Possible Message Bodies:

  • hey Indonesian porn
  • Agnes Monica pic's
  • Fucking With Me :D
  • sisilia
  • Hilda
  • please read again what i have written to you
  • Hot ...

The attachment is a ZIP file that contains one executable with a filename selected from this list:

  • Licence.exe
  • Pictures.exe
  • Secret.exe
  • Documents.exe
  • Vivid.exe
  • update.exe
  • XXX.exe
  • cool.exe
  • vitae.exe
  • error.exe

The ZIP filename consists of a string selected from this list, followed by a random number:

  • Miyabi
  • nadine
  • hell
  • video
  • Doc
  • file
  • thisfile
  • need you

The sender address may be "spoofed" using one of these names and domains in addition to those collected from the affected system:
  • Agnes
  • Ami
  • Anata
  • Anton
  • Cicilia
  • Claudia
  • CoolMan
  • Davis
  • Emily
  • Firmansyah
  • Fransisca
  • Fransiska
  • Fria
  • HellSpawn
  • Joe
  • Joko
  • Julia
  • JuwitaNingrum
  • Lanelitta
  • Lia
  • Linda
  • Nana
  • Natalia
  • Riri
  • Rita
  • sasuke
  • SaZZA
  • Susi
  • Titta
  • Valentina
  • Vivi

The spoofed domain names are:

  • hackersmail.com
  • hotmail.com
  • gmail.com
  • msn.com
  • yahoo.com.sg
  • Lovemail.com

The worm collects email addresses to send itself to by searching files on all local fixed drives. It searches in any files with the following extensions:

  • txt
  • tml
  • asp
  • php
  • rtf
  • eml
  • .pl
  • spx
  • .js

It avoids using addresses containing any of the following strings:

  • security
  • avira
  • norman
  • norton
  • panda
  • mcafee
  • Syman
  • sophos
  • Trend
  • vaksin
  • novell
  • virus
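The e-mail characteristics above (subject, body, ZIP name pattern, and the single executable inside the ZIP) can be matched mechanically on a mail gateway. The following is an added example, not code from the advisory or its vendor: it parses a raw message, checks each indicator the text lists, and builds a constructed sample message whose "executable" is an empty placeholder.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the advisory text above.
SUBJECTS = {"miss Indonesian", "Cek This", "hello", "Japannes Porn", "xxx"}
BODIES = {"hey Indonesian porn", "Agnes Monica pic's", "Fucking With Me :D", "sisilia",
          "Hilda", "please read again what i have written to you", "Hot ..."}
EXE_NAMES = {"Licence.exe", "Pictures.exe", "Secret.exe", "Documents.exe", "Vivid.exe",
             "update.exe", "XXX.exe", "cool.exe", "vitae.exe", "error.exe"}
# ZIP name: one of the listed strings followed by a random number.
ZIP_NAME_RE = re.compile(r"^(Miyabi|nadine|hell|video|Doc|file|thisfile|need you)\d+\.zip$")

def match_indicators(raw: bytes) -> list:
    """Return the advisory indicators that a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ZIP_NAME_RE.match(name):
            continue
        hits.append("zip-name")  # e.g. video1234.zip
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue
        # The advisory says the ZIP holds exactly one executable from the list.
        if len(names) == 1 and names[0] in EXE_NAMES:
            hits.append("zip-content")
    return hits

def build_sample() -> bytes:
    """Constructed message mimicking the described e-mail; the 'exe' is an empty placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pictures.exe", b"")
    msg = EmailMessage()
    msg["Subject"] = "Cek This"
    msg["From"] = "Agnes <Agnes@hotmail.com>"
    msg["To"] = "someone@example.com"
    msg.set_content("Agnes Monica pic's")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="video1234.zip")
    return msg.as_bytes()
```

Subject and body strings alone are weak signals; the ZIP name pattern combined with a single listed executable inside it is the part worth alerting on.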

Via Mapped Drives

A copy of the worm is written to the root of all mapped drives, and into any ZIP files found on those drives, using one of these filenames:

  • RealPlayer13-5GOLD.exe
  • Icon Cool-Editor 3.4.30315.exe
  • CheatEngine52.exe
  • framework-4.4.exe
  • Vista Transformation Pack 4.0.exe
  • Pack_Vista_Inspirat_1.6.exe
  • DeepUnfreezerU1.6.exe
  • Pack_Longhorn_Inspirat_1.6_code32547.exe
  • TeamViewer_Setup.exe

Via Network Shares

A copy of the worm is written to all subfolders, using the subfolder name as the filename, on all network shares to which the affected user has write access. For example, with a target subdirectory of \MyDocs, \MyDocs\MyDocs.exe is created.

If the network share is found to contain the Windows directory, the worm creates a subdirectory "moon" off the root of the network share. It then creates two files:

  • Elitta.htt
  • moonlight.exe

Desktop.ini is then modified to activate "Elitta.htt", which in turn executes "moonlight.exe".

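The two share artifacts described above (an .exe named after its own subfolder, and a "moon" folder with Elitta.htt and moonlight.exe hooked from Desktop.ini) are easy to sweep for from a file server. This is an added example, not the advisory's or vendor's code; where Desktop.ini lives and what it contains are not stated, so the sample assumes the share root and a PersistMoniker entry, and the check only looks for the Elitta.htt reference.

```python
import os
import tempfile
from pathlib import Path

MOON_FILES = {"Elitta.htt", "moonlight.exe"}  # names from the advisory

def scan_share(root: str) -> list:
    """Return paths under a share root that match the drop patterns the advisory describes."""
    root_path = Path(root)
    findings = []
    # Pattern 1: an .exe named after its own subfolder, e.g. \MyDocs\MyDocs.exe
    for dirpath, _dirs, files in os.walk(root_path):
        folder = Path(dirpath)
        if folder == root_path:
            continue
        for name in files:
            if name.lower() == folder.name.lower() + ".exe":
                findings.append(str(folder / name))
    # Pattern 2: a "moon" folder off the share root holding Elitta.htt / moonlight.exe
    moon = root_path / "moon"
    if moon.is_dir() and MOON_FILES & {p.name for p in moon.iterdir()}:
        findings.append(str(moon))
    # Pattern 3: a Desktop.ini (assumed in the root or in "moon") referencing Elitta.htt
    for ini in (root_path / "Desktop.ini", moon / "Desktop.ini"):
        if ini.is_file() and "elitta.htt" in ini.read_text(errors="ignore").lower():
            findings.append(str(ini))
    return sorted(findings)

def build_sample_share() -> str:
    """Constructed share layout in a temp dir; every file is an empty placeholder, not malware."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "MyDocs").mkdir()
    (root / "MyDocs" / "MyDocs.exe").write_bytes(b"")
    (root / "MyDocs" / "report.txt").write_bytes(b"")  # benign file, must not be flagged
    (root / "moon").mkdir()
    for name in MOON_FILES:
        (root / "moon" / name).write_bytes(b"")
    # The exact Desktop.ini content the worm writes is not given; this is an assumed sample.
    (root / "Desktop.ini").write_text("[ExtShellFolderViews]\nPersistMoniker=moon\\Elitta.htt\n")
    return str(root)
```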

Payload

Before the worm takes any further actions, it checks http://www.google.com/ to determine whether the affected system has Internet access.

Deletes Services

The worm attempts to delete these NT services (these services are components of Norman Virus Control):

  • nipsvc
  • Norman NJeeves
  • nvcoas
  • Norman Zanda

Deletes Registry Values

The worm deletes these registry values from HKCU\Software\Microsoft\Windows\CurrentVersion\run and HKLM\Software\Microsoft\Windows\CurrentVersion\run:

  • ADie suka kamu
  • AllMyBallance
  • Alumni Smansa
  • AutoSupervisor
  • avgnt
  • BabelPath
  • Bron-Spizaetus
  • CueX44_stil_here
  • dago
  • dkernel
  • DllHost
  • Driver
  • drv_st_key
  • Grogotix
  • lexplorer
  • MomentEverComes
  • MSMSG
  • norman zanda
  • norman_zanda
  • Pluto
  • Putri_Bangka
  • Putri_Indonesia
  • SaTRio ADie X
  • service
  • SMA_nya_Artika
  • SMAN1_Pangkalpinang
  • SysDiaz
  • SysRia
  • SysYuni
  • Task
  • templog
  • Tok-Cirrhatus
  • TryingToSpeak
  • ViriSetup
  • Winamp
  • winfix
  • WinUpdateSupervisor
  • Word
  • YourUnintended
  • YourUnintendes

Deletes Files

Selected files are deleted from the Desktop, Favorites, Application Data, Startup and Windows folders. The correct paths to these folders are identified by calling the system API, so the function is language-independent. The examples shown below are from an English Windows installation:

  • \Documents and settings\\Desktop\windows*
  • \Documents and settings\\Favorites\*.exe
  • \Documents and settings\\Favorites\*.vbs
  • \Documents and settings\\Local Settings\Application Data\*.exe
  • \Documents and settings\\Start Menu\Programs\Startup\*.pif
  • \Documents and settings\\Start Menu\Programs\Startup\Romantic*
  • %WinDir%\MyHeart.exe
  • %WinDir%\KesenjanganSosial.exe
  • %WinDir%\FirstLove.exe*
  • %WinDir%\eksplorasi*
  • %WinDir%\CintaButa*
  • %WinDir%\ShellNew\*.exe

Source: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=61987