Difference Between Worm, Trojan, and Virus

Worm, Trojan, Virus

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.

A worm is similar to a virus by design and is considered to be a sub-class of virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the spread continues on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In more recent worm attacks, such as the much-talked-about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of method and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities.

To be considered a blended threat, the attack would normally serve to transport multiple attacks in one payload. For example, it wouldn't just launch a DoS attack; it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended threat could modify .exe files, HTML files and registry keys at the same time; basically it can cause damage within several areas of your network at one time.

Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.

W32.Pesin.A

If you use the internet at an internet cafe or exchange files with other users, check whether your diskette contains any of the following files:

* My Love.exe
* Kenangan.exe
* Hallo.exe
* Puisi Cinta.exe
* My Heart.exe
* Jangan Dibuka.exe
* Mistery.exe

If it does, your diskette is infected with the Pesin virus, and if your antivirus is not up to date, Pesin is free to spread itself further.

Simple but Effective

Pesin's spreading technique is in fact very simple; it might even be considered old.
But apparently this method fits the situation of computer users in Indonesia, particularly internet cafe (warnet) users, where diskette use is still quite high.
Pesin spreads via diskettes: a diskette inserted into an infected computer is infected, and it then infects other clean computers when it is accessed on them.
This is the same method used by the earliest viruses around 1986, such as Brain or the local Denzuko virus, which spread only via diskette; but at that time the internet was not yet developed as it is today, so their spread was not as phenomenal as LoveBug or Klez.
As additional information, unlike most viruses spreading today, Pesin is not encrypted.
Perhaps its creator took the view: "Why encrypt, when sooner or later the antivirus vendors will decrypt it anyway?"
And that view is correct, or might be said exact, because encryption does not make a virus survive longer; it only makes it harder to tinker with afterwards.
What makes a virus survive for a long time is its author's care in exploiting the prevailing situation and conditions; a virus that spreads widely need not be sophisticated or convoluted in its programming.
One proof is the Anna Kournikova virus, which threw internet users into turmoil in 2001 and was created by a Dutch teenager with no extraordinary programming knowledge, using the Kalamar virus generator program; yet it succeeded in tricking internet users into clicking on an attachment with a double extension because it promised a picture of the pretty tennis player Anna Kournikova.


Method
When first run, Pesin disguises itself as a Windows process named SysTask.exe (rather than as an application), so it does not appear on the Applications tab of Task Manager.
Pesin also copies itself to the directory C:\MyDocuments under the name MyHeart.exe.
So that Windows runs it automatically at every startup, Pesin changes the registry as follows:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run LoadService="%System%\Systask.exe /run"

where %System% is the Windows system directory, i.e.:

* C:\Windows\System (Win 95/98/ME), C:\Windows\System32 (Win XP) and C:\WINNT\System32 (Win NT/2000).

Once active in memory, Pesin tries to infect any available diskette by copying itself under one of the following names:

* My Love.exe
* Kenangan.exe
* Hallo.exe
* Puisi Cinta.exe
* My Heart.exe
* Jangan Dibuka.exe
* Mistery.exe

Somewhat like Swen, Pesin tries to block access to the following applications:

* Registry Editor
* System Configuration
* System Configuration Utility

As a result, an infected computer has difficulty running the three applications above, because mouse and keyboard access to them is blocked. This is clever enough and will certainly confuse even a computer user of intermediate ability :). The dangerous part of Pesin is that it tries to modify "Autoexec.bat" to delete the Windows folder and the Program Files folder. Seeing that what is targeted is directories and program data that have no economic value and can simply be reinstalled, one can conclude that Pesin's author did not intend the same harm as the authors of ExploreZip or Klez.E, which destroyed all the MS Office data of infected users.

Disinfection
To disinfect Pesin, carry out the following steps:

1. For Windows ME and Windows XP, first disable System Restore.

2. On Windows 95/98/ME, start Windows in Safe Mode. On Windows NT/2000/XP, open Task Manager with [Ctrl]+[Shift]+[Esc], click the [Processes] tab, click [Image Name] to sort the processes alphabetically, look for the process named "SysTask.exe", select it and click [End Process] to kill Pesin.

3. Scan the computer with an up-to-date antivirus program that can recognise Pesin; we used Norman Virus Control, which can be downloaded from ftp.cbn.net.id (the vaccine directory), and cleaned all files detected as Pesin.

4. Clean the registry entries changed by Pesin as follows (back up your registry first; any mistake made while editing the registry can damage the OS and is your own responsibility):

* Open Registry Editor via [Start] > [Run], type [Regedit] and press [Enter]; the Registry Editor window appears.
* Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and, in the right-hand pane, delete the value "LoadService"="%System%\SysTask.exe /run" by right-clicking it and choosing Delete.
* Save the registry changes (close Registry Editor), restart the computer, and your computer is now clean of Pesin.

W32.Renco@mm

Summary

Discovered: June 21, 2007
Updated: June 21, 2007 5:15:16 PM
Type: Worm
Infection Length: 34,880 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Renco@mm is a mass-mailing worm that may dial premium-rate numbers from the compromised computer.

Technical Details

When the worm is executed, it copies itself as the following file:
%SystemDir%\ShellExt\i[ORIGINAL FILENAME]

The worm also drops the following files:
%System%\laura.exe
%System%\eml32.dll
%Temp%\tmp_[8 DIGIT RANDOM HEXADECIMAL NUMBER].out
%Temp%\tmp_[8 DIGIT RANDOM HEXADECIMAL NUMBER].js

These files are deleted by the worm.

It attempts to terminate any processes with the following window name:
AOL

Creates a mutex called "{24E90DEE-C20C-44AF-9E43-38EEB7F8B88C}" to prevent multiple instances running.

The worm modifies the following file to create a new modem connection:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

The following registry entry is modified to disable the use of a proxy:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"

The worm may also change the Internet Explorer Start Page.
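Both Pesin (the LoadService Run value pointing at SysTask.exe, described above) and Renco (ProxyEnable set to 0, a changed Internet Explorer Start Page) leave traces in the registry that can be triaged offline from a regedit export. The Python below is an added example, not code from either write-up or from Symantec: it parses .reg export text and reports those indicators; the .reg samples are constructed here (file paths and the example start page are made up).

```python
import re

# Registry locations this page discusses.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
INET_SETTINGS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Constructed .reg export (not from a real machine). SysTask.exe is the Pesin
# name from the write-up; ctfmon.exe is a benign Run entry used as a control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadService"="C:\\WINDOWS\\System32\\Systask.exe /run"
"ctfmon"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://start.example.invalid/"
"""

# Constructed clean export used as a negative control.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"""

# "name"=value lines; the name may contain escaped quotes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg exports escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(rhs):
    rhs = rhs.strip()
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return _unescape(rhs[1:-1])      # REG_SZ
    if rhs.lower().startswith("dword:"):
        return int(rhs[6:], 16)           # REG_DWORD is exported as hex
    return rhs                            # hex(...)/binary data kept as text


def parse_reg_export(text):
    """Parse regedit .reg export text into {key_path: {value_name: value}}."""
    hives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):          # the key's (Default) value
            hives[current][""] = _decode(line[2:])
            continue
        m = _VALUE_LINE.match(line)
        if m:
            hives[current][_unescape(m.group(1))] = _decode(m.group(2))
    return hives


def _values(hives, key):
    # Registry key paths are case-insensitive, so match them that way.
    for path, values in hives.items():
        if path.lower() == key.lower():
            return values
    return {}


def triage(hives):
    """Return human-readable findings for the indicators described on this page."""
    findings = []
    for name, value in _values(hives, RUN_KEY).items():
        if isinstance(value, str) and "systask.exe" in value.lower():
            findings.append(f"Pesin-style autorun: Run\\{name} = {value}")
    for name, value in _values(hives, INET_SETTINGS_KEY).items():
        if name.lower() == "proxyenable" and value == 0:
            findings.append("ProxyEnable is 0 (Renco disables the proxy; restore it if one was configured)")
    for name, value in _values(hives, IE_MAIN_KEY).items():
        if name.lower() == "start page":
            findings.append(f"Review the IE Start Page, which Renco may have changed: {value}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG)):
        print(finding)
```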

The worm then gathers emails addresses from the Windows Address Book and sends itself as a .zip file attachment to the addresses collected.

The email has the following characteristics:
Sender name: [CURRENT USER]@gmail.com
From: [CURRENT USER] <[CURRENT USER]@gmail.com>

The message header contains the following:
Message-ID: <003901c77c2c$3f18bea0$0600150a@id>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_01C77F5B.9367BFB0"
X-UIDL: 4:>!!SWm"!]Y""!*\m"!
This is a multi-part message in MIME format.
------=_NextPart_000_0009_01C77F5B.9367BFB0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0009_01C77F5B.9367BFB0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=".zip"
------=_NextPart_000_0009_01C77F5B.9367BFB0--
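The mail shown above (multipart/mixed, a base64 attachment whose whole name is the extension ".zip", a Message-ID domain that does not match the claimed gmail.com sender) and the recommendation further down to block .vbs, .bat, .exe, .pif and .scr attachments suggest a simple mail-gateway check. The Python below is an added example, not Symantec's or the worm's code; the message it parses is constructed here to mirror the header layout shown (the sender "alice" and the zip member "photo.jpg.exe" are made up).

```python
import base64
import email
import io
import zipfile
from email import policy

# Extensions the Symantec recommendations on this page say a mail server should block.
BLOCKED_EXTENSIONS = {"vbs", "bat", "exe", "pif", "scr"}
# Harmless-looking inner extensions used in "double extension" names.
DECOY_EXTENSIONS = {"jpg", "gif", "txt", "doc", "pdf", "zip"}

BOUNDARY = "----=_NextPart_000_0009_01C77F5B.9367BFB0"   # boundary from the write-up above


def constructed_sample():
    """A constructed message mirroring the Renco header layout; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"constructed placeholder, not an executable")
    payload = base64.b64encode(buf.getvalue()).decode()
    return (
        "From: alice <alice@gmail.com>\r\n"          # constructed sender
        "To: bob@example.invalid\r\n"
        "Subject: hi\r\n"
        "Message-ID: <003901c77c2c$3f18bea0$0600150a@id>\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
        "\r\n"
        "This is a multi-part message in MIME format.\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/plain\r\n"
        "Content-Transfer-Encoding: quoted-printable\r\n"
        "\r\n"
        "hello\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename=".zip"\r\n'
        "\r\n"
        f"{payload}\r\n"
        f"--{BOUNDARY}--\r\n"
    ).encode()


def check_attachment(filename, data=b""):
    """Findings for one attachment name and, for a .zip with data, its member names."""
    findings = []
    stem, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if dot and not stem:
        findings.append(f'"{filename}": name is only an extension (Renco sends filename=".zip")')
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f'"{filename}": blocked extension .{ext}')
        inner_ext = stem.rpartition(".")[2].lower()
        if "." in stem and inner_ext in DECOY_EXTENSIONS:
            findings.append(f'"{filename}": double extension hides .{ext} behind .{inner_ext}')
    if ext == "zip" and data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += [f"inside {filename}: {f}" for f in check_attachment(member)]
        except zipfile.BadZipFile:
            findings.append(f'"{filename}": not a valid zip archive')
    return findings


def scan_message(raw):
    """Return findings for a raw message (bytes): sender/Message-ID mismatch and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = str(msg.get("From", "")).rsplit("@", 1)[-1].rstrip(">").lower()
    msgid_domain = str(msg.get("Message-ID", "")).rsplit("@", 1)[-1].rstrip(">").lower()
    if msgid_domain and msgid_domain != from_domain:
        findings.append(f'Message-ID domain "{msgid_domain}" does not match From domain "{from_domain}"')
    for part in msg.walk():
        if part.is_attachment():
            findings += check_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
    return findings


if __name__ == "__main__":
    for finding in scan_message(constructed_sample()):
        print(finding)
```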

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Removal Instruction

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions.

    If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition 10.0, or newer products, LiveUpdate definitions are updated daily. These products include newer technology.

    If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition 9.0, or earlier products, LiveUpdate definitions are updated weekly. The exception is major outbreaks, when definitions are updated more often.


  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them.

The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

3. To run a full system scan
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.

    For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.

    For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.


  2. Run a full system scan.
  3. If any files are detected, follow the instructions displayed by your antivirus program.
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
  4. Restore the following registry entries to their original values, if required:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page"
  5. Exit the Registry Editor.
source: www.symantec.com

Trojan.Spamdes

Summary
Discovered: June 21, 2007
Updated: June 21, 2007 8:14:36 AM
Type: Trojan
Infection Length: 91,648 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Trojan.Spamdes is a Trojan horse that infects a Windows system file and sends spam.

Technical Details

Once executed, the Trojan infects the following file:
%System%\driver\ndis.sys

When the infected file is loaded, it will drop a .dll file into the following location:
C:\cd[FOUR NUMBERS].nls

The dropped .dll file then attempts to connect to the following site to download configuration files to send spam:
fimart.biz

It then sends spam to email addresses contained in the configuration files.

Recommendations

Symantec Security Response's basic security "best practices" for this threat are the same as those listed under W32.Renco@mm above.
Removal Instruction
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.

For specific details on each of these steps, see the corresponding steps 1 to 3 under W32.Renco@mm above (disable System Restore, update the virus definitions, run a full system scan). After the files are deleted, restart the computer in Normal mode.

source: www.symantec.com

ParasiteWare, Adware, Spyware, Malware, Page Hijackers, Dialers

ParasiteWare


ParasiteWare is the term for any Adware that by default overwrites certain affiliate tracking links. These tracking links are used by webmasters to sell products and to help fund websites. The controversy is centered on companies like WhenU, eBates, and Top Moxie, a popular maker of Adware applications. These companies have released their software to assist users in getting credit for rebates, cash back shopping, or contributions to funds. To the end user ParasiteWare represents little in the way of a security threat.

Adware

Adware, also known as an Adbot, can do a number of things, from profiling your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled with other software (e.g. peer-to-peer file swapping products) without the user's knowledge or slipped into the fine print of a EULA (End User License Agreement). Not all Adware is bad, but often users are annoyed by adware's intrusive behavior. Keep in mind that by removing Adware, the program it came bundled with for free may sometimes stop functioning. Some Adware, dubbed a "BackDoor Santa", may not perform any activity other than profiling a user's surfing activity for study.

AdWare can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall.

A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA.

It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA- e-mail the company and ask them for clarification.

Spyware

Spyware is a potentially more dangerous beast than Adware because it can record your keystrokes, history, passwords, and other confidential and private information. Spyware is often sold as a spouse monitor, child monitor, a surveillance tool or simply as a tool to spy on users to gain unauthorized access. Spyware is also known as: snoopware, PC surveillance, key logger, system recorders, parental control software, PC recorder, detective software and Internet monitoring software.

Spyware covertly gathers user information and activity without the user's knowledge. Spy software can record your keystrokes as you type them, passwords, credit card numbers, sensitive information, where you surf, chat logs, and can even take random screenshots of your activity. Basically whatever you do on the computer is completely viewable by the spy. You do not have to be connected to the Internet to be spied upon.

The latest permutations of Spyware include the use of routines to mail out user activity via e-mail or post information to the web where the spy can view it at their leisure. Also, many spyware vendors use "stealth routines" and "polymorphic" (meaning "changing") techniques to avoid detection and removal by popular anti-spy software. In some cases Spyware vendors have gone as far as to counter-attack anti-spy packages by attempting to break their use. In addition they may use routines to re-install the spyware application after it has been detected.

Malware

Malware is slang for malicious software. Malware is software designed specifically to disrupt a computer system. A trojan horse, worm or virus could be classified as Malware. Some advertising software can be malicious in that it can try to re-install itself after you remove it.

For the purpose of simplicity Malware is software specifically engineered to damage your machine or interrupt the normal computing environment.

Examples of Malware include:

Page Hijackers

Hijackers are applications that attempt to usurp control of the user's home page and reset it to one of the hijacker's choosing. They are a low security threat, but obnoxious. Most Hijackers use stealth techniques or trick dialogue boxes to perform installation.

Dialers

A dialer is a type of software used by pornographic vendors. Once dialer software is downloaded, the user's modem is disconnected from their usual Internet service provider and connected to another phone number, for which the user is billed. While dialers do not spy on users, they are malevolent in nature because they can cause huge financial harm to the victim.

Source: http://www.spywareguide.com/txt_intro.php

About Spyware

What Is Spyware?

Spyware is a general term used to describe software that performs certain behaviors such as advertising, collecting personal information, or changing the configuration of your computer, generally without appropriately obtaining your consent first.

Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.

That does not mean all software that provides ads or tracks your online activities is bad. For example, you might sign up for a free music service, but you "pay" for the service by agreeing to receive targeted ads. If you understand the terms and agree to them, you may have decided that it is a fair tradeoff. You might also agree to let the company track your online activities to determine which ads to show you.

Other kinds of spyware make changes to your computer that can be annoying and can cause your computer to slow down or crash.

These programs can change your Web browser's home page or search page, or add additional components to your browser you don't need or want. These programs also make it very difficult for you to change your settings back to the way you originally had them.

The key in all cases is whether or not you (or someone who uses your computer) understand what the software will do and have agreed to install the software on your computer.

There are a number of ways spyware or other unwanted software can get on your computer. A common trick is to covertly install the software during the installation of other software you want such as a music or video file sharing program.

Whenever you install something on your computer, make sure you carefully read all disclosures, including the license agreement and privacy statement. Sometimes the inclusion of unwanted software in a given software installation is documented, but it might appear at the end of a license agreement or privacy statement.

Source: www.microsoft.com

Downloader-BCS

Profile

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/18/2007
Date Added: 6/18/2007
Origin: N/A
Length: game.class (24,739 bytes)
Type: Trojan
SubType: Downloader
DAT Required: 5055

Virus Characteristics

Downloader-BCS is a Java applet trojan intended to silently download and execute malicious content from a remote server.

The trojan exploits a buffer overflow vulnerability in the Java Runtime Environment (JRE) that is triggered while parsing certain image file formats, such as GIF.

When the applet is run on a victim machine with a vulnerable installation of the Java Runtime Environment, the trojan downloads another piece of malware from the remote server and executes it.

The following files are involved. The applet file (game.class) is 24,739 bytes in size.

  • game.class --> Malicious Java applet
  • picsj.exe --> variant of Proxy-Agent.o

The trojan automatically connects to the following domain to download additional malware.

  • http://216.32.92[blocked]/

Indications of Infection

  • Outgoing HTTP traffic to the domain http://216.32.92[blocked]/

Note: as the site being contacted is normally controlled by the malware author, the files being downloaded can be modified remotely and the behaviour of these new binaries altered, possibly with every new infection.

Method of Infection

This downloader trojan exists purely to steal sensitive information and to download and run other remote files. The downloader is run on the victim machine in a way that helps mask its activity.

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, e-mail or other media where users can share files.

Additional Windows ME/XP removal considerations

Aliases

Exploit.java.gimsh.a (Kaspersky), Troj/Dloadr-AYQ (Sophos)

W32/Naplik.a

Profile

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/18/2007
Date Added: 6/18/2007
Origin: N/A
Length: N/A
Type: Virus
SubType: Win32
DAT Required: 5055

Virus Characteristics

W32/Naplik.a is an appending virus for the Windows platform. This file infector infects .EXE files by copying its code to the end of the file in a new section named ".k0kus" and modifying the file's entry point to point at the virus code. (Note: the virus did not replicate when we tested it.)

Upon execution, it injects its DLL component "VirusBoot.dll" into explorer.exe; the injected DLL is in charge of the infection.
It also contacts three different pages on the following website:

http://www.aabbcc.us/sys/lm/

  • to download an update of the virus, if one is available (downloaded updates are stored as %Sysdir%\svchost.exe)
  • to report that a machine has been infected
  • to send information collected from the machine.

Note: this virus is currently being investigated and more information will probably follow later.

Indications of Infection

  • Attempts to connect to www.aabbcc.us
  • Increase in the size of .EXE files
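The two structural marks described above, a trailing section named ".k0kus" and an entry point redirected into it, can be checked on a file without executing it. The Python below is an added example written for this page, not McAfee's detection logic and not code from the virus; it parses the PE section table with the standard library only and fabricates a minimal, non-runnable PE header as test input, since no real sample is reproduced here. Only the section name and the entry-point test come from the profile; the section addresses and sizes are made up.

```python
import struct

# Section name the W32/Naplik.a profile above reports for the appended virus body.
VIRUS_SECTION = b".k0kus"


def parse_pe(data: bytes):
    """Parse just enough of a PE image to get the entry point RVA and the
    section table. Returns (entry_rva, sections) with sections as a list of
    (name, virtual_address, virtual_size, raw_size). Raises ValueError on
    anything that is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0"), va, vsize, rsize))
    if not sections:
        raise ValueError("PE file has no sections")
    return entry_rva, sections


def naplik_indicators(data: bytes) -> dict:
    """Flag the two structural marks of an appending infector: a section carrying
    the virus's name, and an entry point that lands inside the last section
    instead of in the original code section."""
    entry_rva, sections = parse_pe(data)
    name, va, vsize, rsize = sections[-1]
    last_end = va + max(vsize, rsize)
    return {
        "has_k0kus_section": any(s[0] == VIRUS_SECTION for s in sections),
        "entry_in_last_section": va <= entry_rva < last_end,
        "last_section": name.decode("ascii", "replace"),
    }


def build_test_pe(sections, entry_rva: int) -> bytes:
    """Constructed test input, not a real sample: a minimal PE32 header (DOS
    header, PE signature, COFF header, optional header, section table) with no
    section data, so it cannot run but can be parsed."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    opt = bytearray(224)                                     # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, va, size, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, size in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed images: a clean two-section layout, and the same file after an
# appending infector adds ".k0kus" and moves the entry point into it.
CLEAN = build_test_pe([(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000)], 0x1200)
INFECTED = build_test_pe(
    [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000), (b".k0kus", 0x4000, 0x800)],
    0x4010,
)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, naplik_indicators(image))
```

To sweep a directory, feed open(path, "rb").read() to naplik_indicators instead of the constructed images. An entry point inside the last section is only a heuristic (some packers produce the same layout), so treat it as a triage signal and the section name as the stronger indicator.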

Method of Infection

W32/Naplik.a is a file infecting virus. Infection starts with manual execution of the binary.

Removal Instructions
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.


Aliases

W32.Naplik (NAV)

W32/Zaflen.a

Profile

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/15/2007
Date Added: 6/15/2007
Origin: N/A
Length: 172,032 bytes
Type: Virus
SubType: Win32
DAT Required: 5054

Virus Characteristics

When this malware is executed, it creates the following folders.

  • %My Documents%\Rated R Pictures
  • %Windir%\gorgle
  • %Windir%\setup

This malware creates multiple copies of itself in several locations. Some of these are:

  • c:\CoolWorld.exe
  • c:\Documents and Settings\All Users\Desktop\Microsoft Word Document.scr
  • c:\Documents and Settings\All Users\Start Menu\New Microsoft Word Document.scr
  • c:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word Document.scr
  • c:\Documents and Settings\All Users\Start Menu\Programs\Startup\folderwiz.com
  • %userprofile%\My Documents\My Picture.com
  • %userprofile%\My Documents\Rated R Pictures.com
  • %userprofile%\My Documents\My Pictures\mskernel.exe
  • %userprofile%\NetHood\Hot Picture.com
  • %userprofile%\PrintHood\Printing Information.com
  • %userprofile%\SendTo\Image Editor.com
  • %userprofile%\Start Menu\Image Viewer.com
  • c:\Program Files\phil.constitution.scr
  • c:\WINDOWS\agila.scr
  • c:\WINDOWS\AutoRun.ini
  • c:\WINDOWS\lsass.exe
  • c:\WINDOWS\services.exe
  • c:\WINDOWS\gorgle\csrss.exe
  • c:\WINDOWS\setup\mskernel.exe
  • c:\WINDOWS\system32\mskernel.exe

It copies itself into multiple drives in the system.

It also creates the following file so that the malware is executed when the drive is accessed:

  • C:\autorun.inf

This malware then searches for and infects files with the following extensions:

  • doc
  • rtf
  • jpg
  • gif
  • png

It infects these files by prepending itself to them.
It changes the icon of each infected file to the Microsoft Word icon and the extension to .scr or .exe.
It also appends 35 bytes to the end of the file, which include the original file's extension.
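Because the profile gives both sizes (172,032 bytes prepended and 35 bytes appended), the original document or image can be recovered by slicing. The Python below is an added example for this page, not McAfee's cleaner and not the malware; it assumes the prepended virus body starts with the PE "MZ" signature, and it identifies the recovered content by its magic bytes rather than trusting the trailer, whose exact layout the profile does not document. The inputs are constructed here (a fake virus body of the right length, PNG and GIF header stubs), not real infected files.

```python
# Sizes reported in the W32/Zaflen.a profile above.
VIRUS_LENGTH = 172_032                               # virus body prepended to each file
TRAILER_LENGTH = 35                                  # bytes appended after the original content
INFECTED_GROWTH = VIRUS_LENGTH + TRAILER_LENGTH      # 172,067, matching the profile's indicator

# Well-known signatures for the five targeted types (general knowledge, not from the profile).
MAGIC = {
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # OLE2 compound document
    "rtf": b"{\\rtf",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}


def looks_infected(data: bytes) -> bool:
    """Cheap triage: an infected file starts with the prepended PE virus body
    ('MZ') and must be at least INFECTED_GROWTH bytes long, since the original
    content sits between that body and the trailer."""
    return len(data) >= INFECTED_GROWTH and data[:2] == b"MZ"


def recover_original(data: bytes):
    """Strip the prepended body and the 35-byte trailer and return
    (extension, original_bytes), or None when the buffer is not an infected
    document/image. The type comes from the recovered body's magic bytes, not
    from the trailer; that also keeps an ordinary, unrelated PE from being
    'disinfected' into garbage."""
    if not looks_infected(data):
        return None
    body = data[VIRUS_LENGTH:len(data) - TRAILER_LENGTH]
    for ext, magic in MAGIC.items():
        if body.startswith(magic):
            return ext, body
    return None


def make_infected_sample(original: bytes, ext: str) -> bytes:
    """Constructed test input: a fake virus body ('MZ' plus padding) of the
    right length, the original content, then a 35-byte trailer holding the
    original extension. The trailer layout is an assumption of this example."""
    fake_body = b"MZ" + b"\x00" * (VIRUS_LENGTH - 2)
    trailer = ext.encode("ascii").ljust(TRAILER_LENGTH, b"\x00")
    return fake_body + original + trailer


# Constructed stand-ins for a PNG and a GIF: just enough header to carry the magic.
PNG_SAMPLE = MAGIC["png"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 10

if __name__ == "__main__":
    infected = make_infected_sample(PNG_SAMPLE, "png")
    print("growth:", len(infected) - len(PNG_SAMPLE))   # 172067, as in the profile
    print("recovered type:", recover_original(infected)[0])
```

Any .scr or .exe that has grown by exactly 172,067 bytes over a same-named document is the obvious candidate; the magic-byte check is what stops the routine from mangling a legitimate executable that merely happens to be large.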

This malware adds the following registry entries so that it is loaded at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinRun" Data - C:\WINDOWS\AutoRun.ini
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)" Data - \WINDOWS\lsass.exe

It adds the following registry entries to disable the Run command and Folder Options and to hide file extensions:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoFolderOptions"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoRun"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "Run"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt "CheckedValue"

It also adds/modifies certain other registry entries for its functioning.

This malware also drops the file "email32.vbs" into the Windows directory; this is a mass-mailer component detected as W32/PetTick.vbs.
It is used to send out copies of the file infector via e-mail, using e-mail addresses harvested from the system.

Indications of Infection

The file icon of png, jpg and gif files changes to the Microsoft Word icon.

Infected files grow by 172,067 bytes (the 172,032-byte virus body prepended to the file plus the 35-byte trailer appended to it).

Presence of the files and registry entries mentioned.
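The registry entries listed above can be checked offline against a .reg export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion from the suspect machine (or from a hive pulled off a forensic image). The Python below is an added example written for this page, not vendor code; the key paths and value data are copied from the profile, the sample export is constructed, and the "ExampleUpdater" entry is an invented benign value included to show that unrelated Run entries are left alone.

```python
# Registry indicators listed in the W32/Zaflen.a profile above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer"
HIDEEXT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt"

# (key, value name) -> expected data. A .reg export spells "(Default)" as "@".
ZAFLEN_RUN_VALUES = {
    (RUN_KEY, "WinRun"): r"C:\WINDOWS\AutoRun.ini",
    (RUN_KEY, "@"): r"\WINDOWS\lsass.exe",
}
# Policy values whose mere presence the profile treats as an indicator.
ZAFLEN_POLICY_VALUES = {
    (POLICY_KEY, "NoFolderOptions"),
    (POLICY_KEY, "NoRun"),
    (POLICY_KEY, "Run"),
    (HIDEEXT_KEY, "CheckedValue"),
}


def reg_id(key: str, name: str):
    """Registry keys and value names are case-insensitive, so compare lowercased."""
    return key.lower(), name.lower()


def parse_reg_export(text: str) -> dict:
    """Parse the [key] and "name"=data lines of a Windows .reg export into
    {(key, name): data}. Handles quoted strings (undoing the export's doubled
    backslashes and escaped quotes) and dword: values; other encodings stay raw."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (line.startswith('"') or line.startswith("@")):
            name, sep, raw = line.partition("=")
            if not sep:
                continue
            name = name.strip('"')
            if raw.startswith("dword:"):
                data = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                data = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                data = raw
            values[reg_id(key, name)] = data
    return values


def zaflen_registry_hits(values: dict) -> list:
    """Return one line per Zaflen registry indicator found in a parsed export."""
    hits = []
    for (key, name), expected in ZAFLEN_RUN_VALUES.items():
        data = values.get(reg_id(key, name))
        if isinstance(data, str) and data.lower() == expected.lower():
            hits.append(f"{key} [{name}] = {data}")
    for key, name in ZAFLEN_POLICY_VALUES:
        data = values.get(reg_id(key, name))
        if data is not None:
            hits.append(f"{key} [{name}] = {data}")
    return sorted(hits)


# Constructed .reg export: the two Run values and two of the policy values from
# the profile, plus an invented benign Run entry that must not be flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="\\WINDOWS\\lsass.exe"
"WinRun"="C:\\WINDOWS\\AutoRun.ini"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoRun"=dword:00000001
'''

if __name__ == "__main__":
    for hit in zaflen_registry_hits(parse_reg_export(SAMPLE_EXPORT)):
        print(hit)
```

On a live machine the same export is produced with reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" out.reg; note that a .reg file is UTF-16 by default, so decode it before handing the text to the parser.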

Method of Infection

This parasitic file infector spreads by copying itself to multiple locations and to different drives on the system.
It also spreads using the mass-mailing component detected as W32/PetTick.vbs.
Files are infected when the user executes the malware, which is disguised as a Microsoft Word document.

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, e-mail or other media where users can share files.


Downloader-BCV

Profile

Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/20/2007
Date Added: 6/20/2007
Origin: N/A
Length: 8,192 bytes
Type: Trojan
SubType: Downloader
DAT Required: 5059

Virus Characteristics

Detection was added to cover a malicious 32-bit PE downloader originally named "systime.exe", with a file size of 8,192 bytes.

It runs silently; no GUI message boxes appear on the screen.

It immediately copies itself into the %System32% folder and creates a registry entry so that it runs automatically at system start; for example, on Windows 2000:

  • c:\WINNT\system32\systime.exe

It may also copy itself to the root of the C: drive; the location c:\systime.exe is hardcoded inside the binary.

It tries to download a binary called "network.exe" from http://drsun####.go#.icp##.##, but at the time of testing the binary was not accessible. The exact address has been masked here with # characters on purpose.

Indications of Infection

  • Presence of "systime.exe", with a file size of 8,192 bytes.
  • Network connections to http://drsun####.go#.icp##.## (the exact address has been masked here with # characters on purpose).

Removal Instructions

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
