Antivirus 2009: How to Remove Fake AV Software

A new threat that comes under the guise of a genuine antivirus program has become increasingly prevalent over the past year. Offering to locate and remove malware from your PC, this rogue will actually install a Trojan on your unsuspecting system. The process is usually initiated when you click a link for what you believe is valid security software or its vendor's site.

Such adverts are not only a nuisance when browsing online -- fake ads appear on reputable sites that make use of third-party advertising -- but they are designed to rip off consumers by tempting them to pay for a worthless program. Worse still, these rogue applications infect your PC with a problem they claim can only be 'fixed' by purchasing extra software.

If a fake antimalware app is installed on your PC, you will begin to receive fairly persistent warning messages that your system has been infected and be advised to visit a particular site and pay for the necessary protection. You'll be told that you have a trial version of the software installed and need to upgrade to remove all threats.

Such has been the success of these scams that several of the fake programs have become infamous. WinAntiSpyware, Antivirus 2008 (recently updated to 2009), Antispyware Pro XP and AntiVirus Lab 2009 are all suspect -- and no doubt others will soon emulate them.

With similar tactics having been previously used to perpetrate fraud such as phishing, the scammers have latched on to a very effective way to play on people's existing security fears.

Should one break through your defences, we'll show you how to remove it from your system.

1. The exact method for removing fake antivirus software will differ depending on the particular variety you've been blessed with. We've concentrated on Antivirus 2009. If it sounds familiar, you've probably endured fake warning alerts, increased pop-ups and the hijacking of your home page.

2. Such programs can be difficult to uninstall, and you may need to use a dedicated application such as ParetoLogic's XoftSpySE. In general, you will find that using antispyware software is simpler, although it can't be guaranteed to work in every instance.

3. Uninstall Antivirus 2009 using the Add/Remove Programs utility in the Control Panel, then restart your PC in Safe mode. Launch your antispyware application and allow it to scan system files and folders and remove any suspect applications. Now boot up your PC as normal.

4. If antispyware software doesn't get rid of the fake program, you'll need to remove it manually. Be sure to back up any important files first. Next, press Ctrl, Alt, Del to bring up the Task Manager. Click Image Name and select Antivirus 2009, then choose End Process to stop it running.

5. Go to Start, Run. Type regedit to start the Registry Editor, where you will delete the entries for WinAntiVirus. Browse to the Hkey_Local_Machine\Software folder from the My Computer folder and delete the series of Registry entries that are described on this PC Advisor forum thread.

6. The same thread lists a number of spyware files that will need to be manually deleted from your Windows folder, but note that you may need to stop the file processes in the Task Manager before you can delete them. As before, make sure you back up your system before you start.

Source:
http://www.pcworld.com

Review Norton AntiVirus 2009 16.0

Norton AntiVirus 2009 provides fast, responsive defense against all types of malicious software including viruses, spyware, worms, and other software threats. It protects your system without slowing it down. Rapid pulse updates every 5 to 15 minutes help to ensure that you're protected from the latest threats.

Working quickly and quietly in the background, Norton AntiVirus requires little memory and system resources. The new Norton Insight relies on extensive online intelligence to target only those processes at risk, resulting in faster, shorter, fewer scans. And the new Norton Protection System employs a multilayered set of security technologies that work in concert to detect, identify, and block attacks. Version 2009 improves on product performance.

Review Kaspersky Anti-Virus 2009 8.0.0.454

Kaspersky Anti-Virus 2009 8.0.0.454 is the backbone of your PC’s security system, offering protection from a range of IT threats. Kaspersky Anti-Virus 2009 provides the basic tools needed to protect your PC. This easy-to-use solution provides complete antivirus protection that keeps you safe while you are online.

Features:

Kaspersky Anti-Virus 8.0 is a new line of Kaspersky Lab products designed for the multi-tiered protection of personal computers. It is built on in-house protection components that draw on a variety of technologies to give users the highest level of protection regardless of their technical competence. Several of these technologies were jointly developed by Kaspersky Lab and other companies; some of them are implemented as online services.
Our products for home and home office are specifically designed to provide hassle-free, high-quality protection against viruses, worms and other malicious programs, as well as hacker attacks, spam and spyware.

During product development, several competing offerings were considered and analysed: firewalls, security suites, and systems that position themselves as proactive defence and HIPS. Combining in-house innovations with the results of this industry analysis allowed a jump to a new level of protection for personal users, offering more hardened and less intrusive protection from all types of electronic threats: malicious programs of various kinds, hacker attacks, spam mailings, rootkits, phishing emails, pop-up advertisements and so on.

Essential Protection
* Protects from viruses, Trojans and worms
* Blocks spyware and adware
* Scans files in real time (on access) and on demand
* Scans email messages (regardless of email client)
* Scans Internet traffic (regardless of browser)
* Protects instant messengers (ICQ, MSN)
* Provides proactive protection from unknown threats
* Scans Java and Visual Basic scripts

Preventive Protection
* Scans operating system and installed applications for vulnerabilities
* Analyzes and closes Internet Explorer vulnerabilities
* Disables links to malware sites
* Detects viruses based on the packers used to compress code
* Global threat monitoring (Kaspersky Security Network)

Advanced Protection & Recovery
* The program can be installed on infected computers
* Self-protection from being disabled or stopped
* Restores correct system settings after removing malicious software
* Tools for creating a rescue disk

Data & Identity Theft Protection
* Disables links to fake (phishing) websites
* Blocks all types of keyloggers

Usability
* Automatic configuration during installation
* Wizards for common tasks
* Visual reports with charts and diagrams
* Alerts provide all the information necessary for informed user decisions
* Automatic or interactive mode
* Round-the-clock technical support
* Automatic database updates

Norton 360 v3.0 for review

Norton 360 description

Norton 360 offers a full circle of protection and eliminates the need to purchase and manage multiple products.

PC security defends you against a broad range of online threats: it protects your computer and makes your online experience more secure. Identity protection safeguards you against online identity theft: it protects against fraud and theft. Automatic backup and restore protects your important files from loss: it safeguards irreplaceable photos, movies, music, and more.

PC tuneup keeps your PC running at peak performance: it helps your PC run faster and keeps it running the way it's supposed to. Network monitoring helps protect your home network.

Here are some key features of "Norton 360":

Enhanced performance - Provides industry-leading protection without sacrificing performance:
* Fast scan and browse speeds
* Less memory use than the average used by competing products
* PC Security with industry leading virus, spyware and firewall protection
* And much more...

Backup and restore:
* Protects photos, music, and documents with automated backup
* Supports new backup destinations including Blu-ray Disc, HD-DVD, and iPod
* Automatically detects and backs up your critical files
* Includes 2 GB of secured online storage (with option to purchase additional storage)

Network monitoring:
* Lets you view your wireless network and each device connected to it
* Displays the security status of all the Norton products on your network
* Alerts you when you connect to an unsecured wireless network
* And much more...

Easy protection of your PC and online activities: Norton 360 threat handling, scans, and tuneups are conducted quietly in the background:
* Automatically optimizes and maintains your PC for peak performance
* Automatically cleans up unnecessary Internet clutter and temporary files
* Helps optimize Windows performance by removing unneeded registry files

One-click support - Provides one-click access to expert support right from your Norton product:
* Fast access to expert support through email, live chat, or phone
* Protection updates: Includes protection updates and new product features as available throughout the renewable service period
* Ongoing protection: Keeps your computer protected from the latest Internet risks by automatically renewing your subscription at the regular subscription price (plus applicable tax), so you don't have to do it.
* Optional antispam and parental controls: Enables you to download antispam and parental controls via the Norton Add-on Pack
* Free Technical Support: Free tech support delivers the help you need, however you need it

Norton Antivirus Trial Reset 2.9A

Resets the trial period of the following Symantec products: Norton Internet Security 2009 (v16.5.0.134/5), Norton AntiVirus 2009 (v16.5.0.134), and Norton 360 v3 (v3.0.0.135/4).

SillyDl.CEK Trojan

SillyDl.CEK malware description and removal detail
Categories: Trojan

Platforms / OS: Windows 95, Windows 98, Windows 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP, Windows 2003, Windows Vista

Removing SillyDl.CEK:

An up-to-date copy of ExterminateIt should detect and prevent infection from SillyDl.CEK.

If you do not have ExterminateIt and you are worried that your computer may be infected, you can run a trial version of ExterminateIt or remove SillyDl.CEK manually.

To completely remove the SillyDl.CEK malware from your computer manually, you need to delete the Windows registry keys and registry values, and the files and folders, associated with SillyDl.CEK.

1. Use Task Manager to terminate the SillyDl.CEK process.
2. Delete the original SillyDl.CEK file and folders.
3. Delete the system registry key parameters.
4. Update your antivirus databases or buy antivirus software and perform a full scan of the computer.

We recommend that all Internet users back up any important information on their computers, enable maximum protection from network attacks and malicious code, and refrain from executing suspicious programs received from untrustworthy sources.

Bancos.GKY Trojan

Bancos.GKY malware description and removal detail
Categories: Trojan

Platforms / OS: Windows 95, Windows 98, Windows 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP, Windows 2003, Windows Vista

Removing Bancos.GKY:

An up-to-date copy of ExterminateIt should detect and prevent infection from Bancos.GKY.

If you do not have ExterminateIt and you are worried that your computer may be infected, you can run a trial version of ExterminateIt or remove Bancos.GKY manually.

To completely remove the Bancos.GKY malware from your computer manually, you need to delete the Windows registry keys and registry values, and the files and folders, associated with Bancos.GKY.

1. Use Task Manager to terminate the Bancos.GKY process.
2. Delete the original Bancos.GKY file and folders.
3. Delete the system registry key parameters.
4. Update your antivirus databases or buy antivirus software and perform a full scan of the computer.

We recommend that all Internet users back up any important information on their computers, enable maximum protection from network attacks and malicious code, and refrain from executing suspicious programs received from untrustworthy sources.

Reign Trojan

Reign malware description and removal detail
Categories: Trojan, Spyware, Backdoor, Downloader, Hacker Tool
Also known as:

[Panda]Trojan Horse,Trj/Agent.AA,Trj/Iyus.B,Trj/Iyus.F,Trj/Iyus.C,Trj/Bizex.B,Bck/Xordoor.A;
[Computer Associates]Win32.Reign.K,Win32/Reign.K!Trojan,Win32/Reign.K!HookDLL!Trojan,Win32.Reign.O,Win32/Reign.O!Trojan,Win32.Reign.N,Win32/Reign.N!Trojan,Win32.Reign.Z,Win32/Reign!DLL.102400!Trojan,Win32/Reign.Z!Worm,Win32.Reign.X,Win32/Reign.X!Trojan
Visible Symptoms:
Files in system folders:
[%SYSTEM%]\iyus.dll
[%SYSTEM%]\iyus\ampgbbje.exe
[%SYSTEM%]\iyus\foimeobm.exe
[%SYSTEM%]\iyus\hqejkanf.exe
[%SYSTEM%]\unic2_32.dll
[%SYSTEM%]\x3yy\dbkajomk.exe
[%SYSTEM%]\xor\svchost.exe

To ensure that Reign is launched automatically each time the system is booted, Reign adds a link to its executable file in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[%SYSTEM%]\iyus\ampgbbje.exe
[%SYSTEM%]\iyus\foimeobm.exe
[%SYSTEM%]\iyus\hqejkanf.exe
[%SYSTEM%]\x3yy\dbkajomk.exe
[%SYSTEM%]\xor\svchost.exe

Platforms / OS: Windows 95, Windows 98, Windows 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP, Windows 2003, Windows Vista

Detecting Reign:

Files:
[%SYSTEM%]\iyus.dll
[%SYSTEM%]\iyus\ampgbbje.exe
[%SYSTEM%]\iyus\foimeobm.exe
[%SYSTEM%]\iyus\hqejkanf.exe
[%SYSTEM%]\unic2_32.dll
[%SYSTEM%]\x3yy\dbkajomk.exe
[%SYSTEM%]\xor\svchost.exe

Registry Values:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
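
The Run-key persistence shown above (and the generic "delete the Run entries" step in the Antivirus 2009 walkthrough earlier on this page) is easy to audit in bulk rather than by browsing regedit by hand. The following PowerShell script is an added example and not part of the original page or any vendor's tool; it assumes that `[%SYSTEM%]` in the listing means the Windows system directory, and the watch list it checks against is constructed from the file names in the Reign "Files" section.

```powershell
# Added example (not part of the original page): audit the per-machine and per-user
# Run keys for autostart entries that point at the Reign file names listed above.
# Assumption: "[%SYSTEM%]" in the listing is the Windows system directory (System32).

$systemDir = [Environment]::GetFolderPath('System')      # typically C:\Windows\System32

# Constructed watch list: the relative paths from the page's "Files" section.
$watchList = @(
    'iyus\ampgbbje.exe', 'iyus\foimeobm.exe', 'iyus\hqejkanf.exe',
    'x3yy\dbkajomk.exe', 'xor\svchost.exe'
) | ForEach-Object { Join-Path $systemDir $_ }

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Enumerate every value under the Run keys as (Key, Name, Command) objects.
function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # skip PSPath, PSParentPath, ... added by the provider
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# Reduce a Run command line to the executable it launches: the quoted part if it is
# quoted, otherwise the first whitespace-delimited token (a heuristic that is good
# enough for the entries on this page).
function Get-ImagePath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Find-SuspiciousRunEntries {
    foreach ($entry in Get-RunEntries) {
        $image = Get-ImagePath $entry.Command
        if ([string]::IsNullOrWhiteSpace($image)) { continue }
        $reasons = @()
        if ($watchList -contains $image) { $reasons += 'matches a Reign file name' }
        # A genuine svchost.exe lives directly in System32, never in a subfolder such as System32\xor.
        if ((Split-Path $image -Leaf) -ieq 'svchost.exe' -and (Split-Path $image -Parent) -ine $systemDir) {
            $reasons += 'svchost.exe outside the system directory'
        }
        if (-not (Test-Path -LiteralPath $image)) { $reasons += 'target file missing (dangling autostart)' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Key = $entry.Key; Name = $entry.Name; Image = $image; Reason = ($reasons -join '; ') }
        }
    }
}

Find-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that both hives are readable. It only reports; once an entry is confirmed as malicious (the process stopped and the file backed up, as the walkthrough above advises), the value can be removed with `Remove-ItemProperty -Path <Key> -Name <Name>`. The "target file missing" reason catches the residue left when an antispyware tool deletes the executable but not the autostart entry.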

Removing Reign:

An up-to-date copy of ExterminateIt should detect and prevent infection from Reign.

If you do not have ExterminateIt and you are worried that you may have infected computer, you could run trial version of ExterminateIt, or remove Reign manually.

To completely manually remove Reign malware from your computer, you need to delete the Windows registry keys and registry values, the files and folders associated with Reign.

1. Use Task Manager to terminate the Reign process.
2. Delete the original Reign file and folders.
3. Delete the system registry key parameters
4. Update your antivirus databases or buy antivirus software and perform a full scan of the computer.

We recommends that all Internet users back up any important information on their computers, enable maximum protection from network attacks and malicious code on their computers, refrain from executing suspicious programs received from untrustworthy sources.

Detecting Windows.adtools

Detecting Windows.adtools:

Folders:
[%PROGRAM_FILES%]\windows adtools

Registry Keys:
HKEY_LOCAL_MACHINE\software\windows adtools
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\windows adtools

Registry Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Removing Windows.adtools:

An up-to-date copy of ExterminateIt should detect and prevent infection from Windows.adtools.

If you do not have ExterminateIt and you are worried that your computer may be infected, you can run a trial version of ExterminateIt or remove Windows.adtools manually.

To completely remove the Windows.adtools malware from your computer manually, you need to delete the Windows registry keys and registry values, and the files and folders, associated with Windows.adtools.

1. Use Task Manager to terminate the Windows.adtools process.
2. Delete the original Windows.adtools file and folders.
3. Delete the system registry key parameters.
4. Update your antivirus databases or buy antivirus software and perform a full scan of the computer.

We recommend that all Internet users back up any important information on their computers, enable maximum protection from network attacks and malicious code, and refrain from executing suspicious programs received from untrustworthy sources.

Source: howto-remove-virus.blogspot.com

Norton Internet Security 2008 (15.0.0.60) Final

Norton Internet Security 2006 provides essential protection from viruses, hackers, and privacy threats. Included are full versions of Norton AntiVirus and Norton Personal Firewall, which efficiently defend your PC from the most common Internet dangers. You also get Norton AntiSpam to block unwanted email, Norton Parental Control to protect your children online, and Norton Privacy Control to prevent confidential information from being sent out.


Key Technologies
* Antispyware
* Antivirus
* Two-Way Firewall
* Advanced Phishing Protection
* Intrusion Prevention
* Rootkit Detection

Features
* Improved performance delivers faster starts and scans. NEW
* One click access to expert support. NEW
* Network security monitoring helps protect your wireless network. NEW
* Norton Identity Safe delivers enhanced identity theft protection. NEW
* Works quietly in the background. NEW
* Protection for up to 3 PCs per household
* Blocks identity theft by phishing Web sites
* Protects against hackers
* Detects and eliminates spyware
* Removes viruses and Internet worms automatically
* Protects email and instant messaging from viruses
* Prevents virus-infected emails from spreading
* Rootkit detection searches underneath the operating system using patented technology
* Includes protection updates and new product features as available throughout the renewable service period *
* On-going Protection option automatically renews your subscription **
* Need antispam or parental controls?

Download
http://rapidshare.com/files/52012322/NIS081500.exe
http://www.megaupload.com/?d=N616NGRZ
http://depositfiles.com/files/1620622
http://www.filefactory.com/file/5aa7a5/

Norton Antivirus For Mac

Norton AntiVirus 11[MAC]

Norton AntiVirus 11 for Mac® is the world's most trusted antivirus solution for Mac systems.* It removes viruses automatically, cleans infected Internet and email downloads, and protects against advanced online threats and attacks that target software vulnerabilities. It's also compatible with Mac OS® X v10.5 and takes full advantage of the new operating system's advanced features to help you protect your Mac even better. Powerful, built-in vulnerability protection helps prevent identity thieves from exploiting newly discovered application and operating system weaknesses. And the enhanced Norton AntiVirus dashboard widget lets you quickly check your system's virus protection status and get the latest information about current virus threats directly from the experts at Symantec Security Response.

Norton AntiVirus for Mac now features silent, automatic virus definition updates; fully integrated schedule management settings; faster and more extensive file-scanning capabilities; improved Auto-Protect functionality; and a new user interface that makes routine tasks more accessible than ever before. And as always, LiveUpdate makes it easy to keep your virus and vulnerability protection updates current against new threats.

The #1 selling antivirus solution for the Mac

Features:
* Automatically detects and removes viruses—Offers automatic protection against the latest threats with set-and-forget convenience
* Scans and cleans downloaded files and email attachments—Delivers continuous, up-to-date protection via fast updates
* Protects against attacks that target software vulnerabilities—Provides advanced protection against software and Internet vulnerabilities
* Works with new Mac OS® X v10.5—Runs natively on Intel® and PowerPC® based Mac® systems
* Includes an all-new Norton AntiVirus dashboard widget
* Delivers industry-leading protection in the background, so you can work and play without any noticeable impact on performance

download:
http://rapidshare.com/files/86004106/NAV_V11_MAC.rar

Norton Antivirus 2008

Norton AntiVirus 2008 (With crack+serial)

Features

* Improved performance delivers faster scans NEW
* One click access to expert support NEW
* Works quietly in the background. NEW
* Network mapping provides a view of your home network. NEW
* Detects and removes spyware and viruses
* Blocks spyware and worms automatically
* Antivirus protection for email and instant messaging
* Prevents virus-infected emails from spreading
* Rootkit detection finds and removes hidden threats
* Includes protection updates and new product features as available throughout the renewable service period

Download:
http://rapidshare.com/files/128428740/NAV081550.exe
crack:
http://rapidshare.com/files/128445050/Norton2008_keygen.zip

Antivirus review 2009

Websites for antivirus reviews 2009:

http://anti-virus-software-review.toptenreviews.com/
http://pcworld.com
http://pcmag.com

For an unbiased test report of anti-virus detection capabilities, go here: http://av-comparatives.org/

The Best Free Antivirus

When taking into account only free antivirus, what is the best?
- The best I've used so far is Google Pack. I've tried many types of antivirus, but Google's is the best by far. It also has spyware tools. Best of all, it never expires. http://safe-google.com/pack
- AVG Free edition from GriSoft is the best that I have seen. You can also download limited trial versions of programs such as Trend Micro. Hope this answered your question :)

Source: http://1firstinfo-antivirus.blogspot.com

Which antivirus software is the best for Mac?

Which antivirus software is the best for Mac?
The problem with anti-virus software is that it slows down your computer. There are 115,000 Windows viruses; there is one piece of malware for Mac OS X, which requires you to go to a porn site to get it. I get an occasional virus for Windows sent to me via email; I just trash it. Let the Windows users have their anti-virus software. If you still want one, then get the Intego version. The package includes Mac and Windows versions, so you can protect the Windows side of your Mac if you are also running Windows on it.

Source: http://1firstinfo-antivirus.blogspot.com

RUNLLD.EXE Cloaked Malware

Your PC is infected. The file called RUNLLD.EXE is considered unsafe and there may be other infections on your PC.

You should urgently check your PC and remove any malicious software, including RUNLLD.EXE, as soon as possible. The free version of Prevx CSI will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't put your confidential data or your identity at risk; check your PC now with Prevx CSI.

Associated Malware Groups

The filename is associated with the malware groups:

* Cloaked Malware
* Fraudulent Security Program

File Behavior

RUNLLD.EXE has been seen to perform the following behavior:

* Executes a Process
* Writes to another Process's Virtual Memory (Process Hijacking)

RUNLLD.EXE has been the subject of the following behavior:

* Added as a Registry auto start to load Program on Boot up
* Executed as a Process
* Executed by Internet Explorer
* Deleted as a process from disk
* Created as a process on disk

Country Of Origin

The filename RUNLLD.EXE was first seen on Jan 5 2009 in the following geographical regions of the Prevx community:

* KUWAIT on Jan 5 2009
* The UNITED ARAB EMIRATES on Feb 1 2009
* INDONESIA on Mar 10 2009
* PAKISTAN on Mar 10 2009

File Name Aliases

RUNLLD.EXE can also use the following file names:

* HTI.EXE
* 84035352.EX_
* 67356852.SVD
* RUNDTL.EXE
* REG.EXE
* KHP.EXE
* ORH.EXE
* CRP.EXE
* TRO.EXE
* LNN.EXE
* LPM.EXE
* IJJ.EXE
* HQC.EXE
* SLO.EXE

Filesizes

The following file sizes have been seen:

* 91,648 bytes
* 136,192 bytes

Vendor, Product and Version Information

These files have no vendor, product or version information specified in the file header.

File Type

The filename RUNLLD.EXE refers to many versions of an executable program.
Source: http://www.prevx.com/filenames/X2331159024562214914-X1/RUNLLD2EEXE.html

Norton AntiVirus for Windows 2000/XP/Vista Updates Virus Definition

1. 20090323-050-v5i32.exe
Supports the following versions of Symantec antivirus software:

* Norton Antivirus 2009 for Windows XP Home/XP Pro/Vista
* Norton Internet Security 2009 for Windows XP Home/XP Pro/Vista
* Norton Antivirus 2008 for Windows XP Home/XP Pro/Vista
* Norton Internet Security 2008 for Windows XP Home/XP Pro/Vista
* Norton 360 version 3.0 for Windows XP/Vista
* Norton 360 version 2.0 for Windows XP/Vista
* Symantec Endpoint Protection 11.0

2. 20090323-003-i32.exe
Supports the following versions of Symantec antivirus software:

* Norton AntiVirus 2003 Professional Edition
* Norton AntiVirus 2003 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2004 Professional Edition
* Norton AntiVirus 2004 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2005 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
* Norton 360 version 1.0 for Windows XP/Vista
* Norton AntiVirus for Microsoft Exchange (Intel)
* Norton SystemWorks (all versions)
* Symantec AntiVirus 3.0 for CacheFlow Security Gateway
* Symantec AntiVirus 3.0 for Inktomi Traffic Edge
* Symantec AntiVirus 3.0 for NetApp Filer/NetCache
* Symantec AntiVirus 9.0 Corporate Edition Client
* Symantec AntiVirus 10.0 Corporate Edition Client
* Symantec AntiVirus 10.1 Corporate Edition Client
* Symantec AntiVirus 10.2 Corporate Edition Client
* Symantec Mail Security for Domino v 5.x
* Symantec Mail Security for Microsoft Exchange v 5.x

3. 20090323-003-x86.exe
Supports the following versions of Symantec antivirus software:

* Norton AntiVirus 2003 Professional Edition
* Norton AntiVirus 2003 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2004 Professional Edition
* Norton AntiVirus 2004 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2005 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
* Norton 360 version 1.0 for Windows XP/Vista
* Norton AntiVirus for Microsoft Exchange (Intel)
* Symantec AntiVirus 3.0 CacheFlow Security Gateway
* Symantec AntiVirus 3.0 for Inktomi Traffic Edge
* Symantec AntiVirus 3.0 for NetApp Filer/NetCache
* Symantec AntiVirus 9.0 Corporate Edition Client
* Symantec AntiVirus 10.0 Corporate Edition Client
* Symantec AntiVirus 10.1 Corporate Edition Client
* Symantec AntiVirus 10.2 Corporate Edition Client
* Symantec AntiVirus for Bluecoat Security Gateway for Windows 2000 Server/2003 Server
* Symantec AntiVirus for Clearswift MIMESweeper for Windows 2000 Server/2003 Server
* Symantec AntiVirus for Microsoft ISA Server for Windows 2000 Server/2003 Server
* Symantec Mail Security for Domino v 5.x
* Symantec Mail Security for Microsoft Exchange v 5.x
* Symantec Mail Security for SMTP v 5.x
* Symantec Web Security 3.0 for Windows
* Symantec AntiVirus Scan Engine for Windows

Source: http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

Download Updates Avast

A feature of most of our programs is their ability to update themselves automatically. If you are connected to the Internet, virus database updates are downloaded and installed automatically without any user action. The availability of a new version is checked when an Internet connection is established, and every four hours afterwards. Update files can also be downloaded from these pages if required, e.g. if your computer does not have an Internet connection. Updates are usually released on a daily basis.

The latest iAVS update was published on: 23.3.2009 version: 090323-0

Note: No reinstallation of the program is needed for virus database updates!

Source: http://www.avast.com/eng/updates.html

Download update AVG

It is strongly recommended that you perform all updates from the AVG Free interface. The program can distinguish between full and differential updates, while this page offers only full update files for download.

1. Windows: 8.0.237
2. Link Scanner DB: 8.0.103
3. AVI: 270.11.25
4. IAVI: / 2019

Source: http://free.avg.com/download-update

Worm:Coutsonif.A

As Joeniar Arief said, internet users are very "fragile" against virus attacks. Now it is the turn of Messenger users, especially Yahoo Messenger and Skype, to face virus deliveries that disguise themselves as authentic messages sent by a contact in your YM / Skype list. But never click the link provided, even if it was sent by a trusted friend on YM / Skype, because the message was not actually sent by your friend but by the "Love Traitor" ....... that is, a virus that has succeeded in infecting your friend's computer. Besides spreading through YM and Skype, this virus also spreads through flash disks using the Autorun facility, and it is able to update itself. According to Vaksincom's latest monitoring on 10 February 2009, the link began to be updated by the virus author and the file name was changed to "Your_Dad_Has_Shit_Fetish_Too.PIF"

Read manual removal: http://vaksin.com/2009/0209/coutsonif/Coutsonif.html

Source: www.vaksin.com

Worm:PIF/Starter.A Virus Shortcut

In the midst of the Conficker onslaught sweeping the networking world, a local virus does not want to be left behind in showing its teeth. The author came across this virus by accident while visiting a close friend's workplace: he complained that there were an awful lot of shortcuts on his computer.

On closer inspection it was indeed true that a great many shortcut files were scattered through every folder on his computer, such as Microsoft.lnk, and also shortcut files named after the folders themselves. Finally, with the instinct of a "vaccinist" who cannot bear to hear of a new virus going undetected by antivirus software, the complaint was immediately analysed further and a way of dealing with it was worked out.

The characteristics of this virus are:

1. In the My Documents folder there is a file named database.mdb, and it turns out this is the parent file.

2. Autorun.inf, Thumb.db and Microsoft.lnk files in every drive, folder and flash disk, down to the 2nd-level sub-folder.

3. It creates a duplicate of every folder as a file with the .lnk extension, for at most the first 5 folder names; for example, if C:\Windows contains many folders, only the first 5 names are taken. This also applies down to the 2nd-level sub-folder.

4. It disables the registry tools (see figure 3):

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistrytools"=dword:00000001

5. It adds values to the registry:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office Update for Windows XP.sys\""

Untuk script yang terakhir mungkin sekali ini hanya script untuk mengecoh saja, tetapi

dalam prakteknya kita harus mendeletenya. Jika pada saat kita LogOn komputer, maka

akan didapat message error

Yang membuat kita menjadi geram adalah banyak sekali shortcut yang dibuat oleh virus tersebut. Dan hebatnya virus tersebut kalau cara penanganannya tidak tepat maka akan kembali lagi dan lagi. Oleh sebab itu ada beberapa cara yang harus dilakukan untuk memberantas virus yang menyebalkan ini :

1. Kill the WSCRIPT process (the file is C:\Windows\System32\wscript.exe) using a tool such as CProcess or HijackThis, or with the Windows Task Manager.

2. Before that, turn off System Restore first.

3. Once the Wscript process is dead, delete or rename the file so that (for the time being) the virus can no longer use it. Note that if we rename Wscript.exe it is automatically copied back into that folder, because Windows File Protection restores it from its cached copies, so we also have to find the other copies of Wscript.exe, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386. Unlike other VBS viruses, where we can change "Open With" for VBS files to Notepad, this virus uses the MDB extension, which normally means a Microsoft Access file, so Wscript runs DATABASE.MDB as if it were a VBS file (a clever virus):

Wscript.exe //e:VBScript "C:\Documents and Settings\Administrator\My Documents\database.mdb"

4. Delete the parent file at C:\Documents and Settings\\My Documents\database.mdb so that it is no longer loaded every time the computer starts. Do not forget to open MSCONFIG as well and disable the command that runs it.

5. Now delete the Autorun.INF, Microsoft.INF and Thumb.db files. Click the START button, type CMD, and change to the drive to be cleaned, for example C:\. Then:

C:\> del Microsoft.inf /s

This deletes every microsoft.inf in every folder on drive C:; for another drive just change the drive letter, for example D:\> del Microsoft.inf /s

For autorun.inf:

C:\> del autorun.inf /s /ah /f

The /ah /f switches are needed because the file carries the RSHA attributes (read-only, system, hidden, archive). Do the same for Thumb.db.

6. To delete the files other than the four above, search for files with the .lnk extension and a size of 1 KB; under "More advanced options" make sure both "Search system folders" and "Search hidden files and folders" are ticked.

Be careful: not every 1 KB shortcut / LNK file is a virus. They can be told apart by icon, size and Type. A shortcut created by the virus always uses the "folder" icon, is 1 KB in size and has Type "Shortcut", whereas a genuine folder has no "size" and its Type is "File Folder". In the example below, on the left, the entries named "Music", "Video", "Programs", "Documents" and "Compressed" are in fact shortcuts created by the virus posing behind a folder icon; they must be deleted because they have size 1 KB and Type "Shortcut". The folders named "Compressed", "Documents", "Music", "Programs", "Video" and "Virus" that have no Size and whose Type is "File Folder" are the genuine folders whose names the virus borrowed. In the picture on the right, genuine program shortcuts carry the program's own icon.

7. Repair the registry entries changed by the virus. To speed this up, copy the script below into Notepad and save it as "Repair.inf". Note that the script does not clear the DisableRegistrytools value listed under characteristic 4; if the Registry Editor is still blocked afterwards, remove that value separately (or add a line for it under [del]). Run the file by:

- right-clicking repair.inf
- clicking Install



[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
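The Run values under characteristic 5 give a check that generalises beyond this one worm: any autostart entry that hands Windows Script Host a file whose extension is not a script, forces the engine with //e:, or points into an NTFS alternate data stream deserves a look. The following Python script is an added example, not Vaksincom's code. It applies those three checks to a constructed set of Run values (the two entries the write-up lists plus two benign ones for contrast); the SAMPLE_RUN_VALUES dictionary, the function names and the benign entries are this example's own.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample of Run-key values. The first two mirror the entries the
# write-up lists for Worm:PIF/Starter.A; the last two are benign entries for contrast.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer":
        r'Wscript.exe //e:VBScript "C:\Documents and Settings\Administrator\My Documents\database.mdb"',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate":
        r'Wscript.exe /e:VBScript "C:\WINDOWS\:Microsoft Office Update for Windows XP.sys"',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon":
        r"C:\WINDOWS\system32\ctfmon.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NightlyBackup":
        r'cscript.exe "C:\Scripts\nightly.vbs" /quiet',
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions WSH dispatches on its own; running anything else needs a forced engine.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def tokenize(cmd: str) -> List[str]:
    """Split a Windows command line on spaces while honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def analyse_run_value(cmd: str) -> List[str]:
    """Return the reasons a Run value looks like a script-host persistence trick (empty if none)."""
    tokens = tokenize(cmd)
    if not tokens or ntpath.basename(tokens[0]).lower() not in SCRIPT_HOSTS:
        return []
    findings: List[str] = []
    # Host switches start with '/' (WSH's own form is '//'); the first non-switch token is the script.
    engine_forced = any(re.match(r"/{1,2}e:", t, re.IGNORECASE) for t in tokens[1:])
    script = next((t for t in tokens[1:] if not t.startswith("/")), None)
    if script is None:
        return ["script host started without a script argument"]
    ext = ntpath.splitext(script)[1].lower()
    if ext not in SCRIPT_EXTS:
        findings.append(f"script host run on a non-script extension ({ext or 'none'})")
    if engine_forced:
        findings.append("engine forced with /e:, so the file extension does not decide how it is run")
    # A colon anywhere after the drive letter means an NTFS alternate data stream, e.g. C:\WINDOWS\:name
    body = script[2:] if re.match(r"^[A-Za-z]:", script) else script
    if ":" in body:
        findings.append("path names an NTFS alternate data stream")
    return findings


def scan(run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Apply analyse_run_value to every Run entry and keep only the suspicious ones."""
    return {name: f for name, cmd in run_values.items() if (f := analyse_run_value(cmd))}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_VALUES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On a live machine the dictionary would be filled from the Run keys (a reg export, or Python's winreg module); the analysis itself needs no Windows and runs equally well over an exported hive.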

Source: www.vaksin.com

W32/Sality.AE

If Conficker can be called the number one worm in Indonesia, then the title of the most troublesome and most frequently encountered virus Vaksincom sees in Indonesia rightly belongs to Sality. This virus, believed to originate from Taiwan / China, convincingly holds first place among the virus infections reported to Vaksincom, together with Conficker.

It is annoying when every program we own gets eaten (infected) by a virus. Besides the difficulty of eradicating it, the injected files sometimes cannot be used at all, i.e. they are broken after being scanned and cleaned by an antivirus, so every broken program has to be reinstalled or every injected file downloaded again.

A file infected by W32/Sality.AE grows by several KB and still runs as usual. The virus usually tries to block antivirus programs or removal tools when they are launched, and tries to block Task Manager and the Windows Registry Editor. To ease its spread, besides exploiting file sharing and the default shares, the virus also uses flash disks: it creates randomly named files with the extensions exe/com/scr/pif and adds an autorun.inf so that the virus activates automatically every time the user opens the flash disk.



To block Task Manager and the registry tools, W32/Sality.AE creates the following values under this registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
* DisableRegistryTools
* DisableTaskMgr

When a file infected by W32/Sality.AE is run, it decrypts itself and tries to drop several *.dll files (with random names). The DLLs then inject other files active in memory, other files on the computer and on the network (file shares), and infect the *.exe files listed in the following registry locations, so that the virus activates automatically every time the computer is turned on:

* HKLM\Software\Microsoft\Windows\CurrentVersion\Run
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

Some examples of the *.dll files dropped by W32/Sality.AE:

* C:\Windows\system32\syslib32.dll
* C:\Windows\system32\oledsp32.dll
* C:\Windows\system32\olemdb32.dll
* C:\Windows\system32\wcimgr32.dll
* C:\Windows\system32\wmimgr32.dll

Besides the DLLs, Sality also creates a *.sys file (random name) in the "C:\Windows\system32\drivers" directory (example: kmionn.sys).



Blocking antivirus and security software

As explained above, to ease its spread it also tries to kill processes belonging to security programs, antivirus in particular, by terminating the processes and services with the following names:



* ALG
* aswUpdSv
* avast! Antivirus
* avast! Mail Scanner
* avast! Web Scanner
* AVP
* BackWeb Plug-in - 4476822
* bdss
* BGLiveSvc
* BlackICE
* CAISafe
* ccEvtMgr
* ccProxy
* ccSetMgr
* F-Prot Antivirus Update Monitor
* F-Secure Gatekeeper Handler Starter
* fsbwsys
* FSDFWD
* fshttps
* FSMA
* InoRPC
* InoRT
* InoTask
* ISSVC
* KPF4
* LavasoftFirewall
* LIVESRV
* McAfeeFramework
* McShield
* McTaskManager
* navapsvc
* NOD32krn
* NPFMntor
* NSCService
* Outpost Firewall main module
* OutpostFirewall
* PAVFIRES
* PAVFNSVR
* PavProt
* PavPrSrv
* PAVSRV
* PcCtlCom
* PersonalFirewal
* PREVSRV
* ProtoPort Firewall service
* PSIMSVC
* RapApp
* SmcService
* SNDSrvc
* SPBBCSvc
* Symantec Core LC
* Tmntsrv
* TmPfw
* tmproxy
* UmxAgent
* UmxCfg
* UmxLU
* UmxPol
* vsmon
* VSSERV
* WebrootDesktopFirewallDataService
* WebrootFirewall
* XCOMM



Besides killing the antivirus processes above, it also tries to block the user from reaching the websites of the following antivirus vendors and security sites:

* Cureit
* Drweb
* Onlinescan
* Spywareinfo
* Ewido
* Virusscan
* Windowsecurity
* Spywareguide
* Bitdefender
* Panda software
* Agnmitum
* Virustotal
* Sophos
* Trend Micro
* Etrust.com
* Symantec
* McAfee
* F-Secure
* Eset.com
* Kaspersky

W32/Sality.AE also tries to change the following registry entries (EnableLUA = 0 turns off User Account Control on Windows Vista):

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xxx [xxx is random, example: abp470n5]
* HKEY_CURRENT_USER\Software\[USER NAME]914
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER

It also changes the following Security Center registry values, which govern the Windows Firewall and antivirus status notifications, from 0 to 1 (a value of 1 suppresses the warning that no antivirus or firewall is active):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
* AntiVirusDisableNotify
* AntiVirusOverride
* FirewallDisableNotify
* FirewallOverride
* UacDisableNotify
* UpdatesDisableNotify

and creates a "Svc" key with the same values set to 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
* AntiVirusDisableNotify
* AntiVirusOverride
* FirewallDisableNotify
* FirewallOverride
* UacDisableNotify
* UpdatesDisableNotify

Not only that, W32/Sality.AE also deletes the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG".

ALG, the Application Layer Gateway Service, provides support for application-layer protocol plug-ins and enables network/protocol connectivity. The service may be turned off; the consequence is that programs such as MSN Messenger and Windows Messenger no longer work. It does need to run, however, when a firewall is in use, whether the built-in Windows Firewall or a third-party one; otherwise a computer infected by this virus is left with a serious security hole.



Blocking access to Safe Mode

To "defend" itself, W32/Sality.AE also tries to block access to Safe Mode, so that the user cannot boot into Safe Mode, by deleting the keys at the following locations:

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

Injecting exe/com/scr files

The main purpose of this virus is to inject installers and files with the extensions exe/com/scr on drives C through Y, especially installed programs (files under C:\Program Files) and portable programs (files that run without being installed). It also infects the .exe files listed in the following registry locations, so that the virus activates automatically every time the computer is turned on:

* HKLM\Software\Microsoft\Windows\CurrentVersion\Run
* HKCU\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

A successfully injected file usually grows by around 68 - 80 KB. The infected program still runs as usual, so the user does not suspect that it has been infected by W32/Sality.AE. One of Sality's refinements is that it injects itself into its host files, so the sizes of infected files are not uniform; this is clearly harder to spot than viruses that replace existing files, where every infected file ends up the same size.



Be careful: not every antivirus program can clean files infected by W32/Sality.AE, and the file may well be broken after the antivirus has scanned and cleaned it.
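Because Sality appends to its host files rather than replacing them, the one reliable way to know which executables changed is a baseline taken while the machine was clean. The script below is an added example rather than anything from the write-up: it records the size and SHA-256 of every exe/com/scr under a directory, then reports files whose hash no longer matches and flags a growth inside the 68 - 80 KB range the text gives. The directory layout and the 70 KB padding in demo() are constructed test data, and the file and function names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Tuple

# Extensions the write-up says Sality infects, and the growth it reports for infected files.
SCAN_EXTS = {".exe", ".com", ".scr"}
GROWTH_RANGE = (68 * 1024, 80 * 1024)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, Tuple[int, str]]:
    """Record (size, SHA-256) of every executable under root, taken while the tree is known clean."""
    return {
        p.relative_to(root).as_posix(): (p.stat().st_size, sha256_of(p))
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in SCAN_EXTS
    }


def compare(root: Path, baseline: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """Return {relative path: reason} for every baselined executable that no longer matches."""
    findings: Dict[str, str] = {}
    for rel, (size, digest) in baseline.items():
        p = root / rel
        if not p.exists():
            findings[rel] = "missing"
            continue
        if sha256_of(p) == digest:
            continue  # byte-identical, nothing to report
        delta = p.stat().st_size - size
        if GROWTH_RANGE[0] <= delta <= GROWTH_RANGE[1]:
            findings[rel] = f"modified, grew by {delta} bytes (inside the 68-80 KB range reported for Sality)"
        else:
            findings[rel] = f"modified, size changed by {delta:+d} bytes"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline a small tree, then pad one binary the way a file infector would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_dir = root / "Program Files" / "App"
        app_dir.mkdir(parents=True)
        (app_dir / "app.exe").write_bytes(b"MZ" + b"\x00" * 4096)  # stand-in for a real PE file
        (app_dir / "readme.txt").write_bytes(b"not an executable, not baselined")
        (root / "tool.com").write_bytes(b"clean and untouched")
        baseline = build_baseline(root)
        # Simulated infection: 70 KB appended to one executable (random bytes, not Sality's real code).
        with (app_dir / "app.exe").open("ab") as f:
            f.write(os.urandom(70 * 1024))
        return compare(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo().items():
        print(f"{rel}: {reason}")
```

Keep the baseline off the host (read-only media or a remote share): the hash is the verdict and the size delta only a hint, and a clean copy referenced by the baseline is what you restore from instead of trusting an antivirus repair of an infected binary.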

Not to be outdone by other foreign viruses, to further its operation it tries to connect to a number of predetermined web addresses in order to call/download other trojans/viruses, believed to be variants of earlier versions, so that the virus can update itself:



[http://]pedmeo222nb.info

[http://]pzrk.ru

[http://]technican.w.interia.pl

[http://]www.kjwre9fqwieluoi.info

[http://]bpowqbvcfds677.info

[http://]bmakemegood24.com

[http://]bperfectchoice1.com

[http://]bcash-ddt.net

[http://]bddr-cash.net

[http://]btrn-cash.net

[http://]bmoney-frn.net

[http://]bclr-cash.net

[http://]bxxxl-cash.net

[http://]balsfhkewo7i487fksd.info

[http://]buynvf96.info

[http://]89.119.67.154/tes[xxx]

[http://]oceaninfo.co.kr/picas[xxx]

[http://]kukutrustnet777.info/home[xxx]

[http://]kukutrustnet888.info/home[xxx]

[http://]kukutrustnet987.info/home[xxx]

[http://]kukutrustnet777.info

[http://]www.kjwre9fqwieluoi.info

[http://]kjwre77638dfqwieuoi.info

http://mattfoll.eu.interia.pl/[censored]

http://st1.dist.su.lt/l[censored]

http://lpbmx.ru/[censored]

http://bjerm.mass.hc.ru/[censored]

http://SOSiTE_AVERI_SOSiTEEE.[censored]

Exploiting default shares and full sharing

W32/Sality.AE spreads quickly across the network by exploiting the Windows default shares or shared folders with full access, infecting files with the extensions exe/com/scr. Vaksincom therefore advises computer users to disable the default shares (C$, D$, and so on) and to avoid full sharing of folders on the network.

Besides the network, it also uses flash disks: it copies itself under random file names with the extensions exe/cmd/pif and creates an autorun.inf so that it activates automatically without the infected file having to be run; it also infects the exe/com/scr files present on the flash disk.

In addition, Sality.AE adds the string [MCIDRV_VER] and DEVICEMB=xxx, where xxx denotes random characters, to the file C:\Windows\system.ini.

How to remove: http://vaksin.com/2009/0309/Sality/sality.html

Source: www.vaksin.com

W32/Xirtem@MM!8b1f20b9

Description
W32/Xirtem@MM!8b1f20b9 is a mass mailing worm
Indication of Infection
# Network activity on TCP port 25 due to e-mails being sent by the worm.
# Presence of the files and registry entries mentioned above.

FakeAlert-BX

Description
This detection covers a Trojan that displays fake alert messages on the user's machine.
Indication of Infection

Symptoms are as follows:

* Fake pop up messages about the system being infected.
* Presence of aforementioned files and folder.

Methods of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Aliases
AntiVirus2008 (Symantec), TR/Crypt.XPACK.Gen (Avira), Trojan-Banker.Win32.Banbra.gpl (Kaspersky)

Spyware Doctor Review Antispyware

Best Spyware Protection. Used by Millions World Wide.

Spyware Doctor has been downloaded over 125 million times with millions more downloads every week. People worldwide use and trust Spyware Doctor to protect their PCs from spyware, adware and other online threats.

Spyware Doctor has consistently been awarded Editors' Choice, by leading PC magazines and testing laboratories around the world, including United States, United Kingdom, Sweden, Germany and Australia. In addition, after leading the market in 2005, Spyware Doctor was awarded the prestigious Best of the Year at the end of 2005 and again in 2006.

Spyware Doctor continues to be awarded the highest honors by many of the world's leading PC publications such as PC World, PC Magazine, PC Pro, PC Plus, PC Authority, PC Utilities, PC Advisor, PC Choice, Microdatorn, Computer Bild and PC Answers Magazine.

Note: If you are choosing Anti-Spyware make sure you choose one that is proven and has genuine awards from one or more world leading research labs such a PC Magazine, PC World, CNET, PC Pro Magazine, PC Authority, PC Answers and other trusted labs. More importantly do not use ratings from unknown review websites, as often these are designed to mislead you into purchase of affiliated, inferior or rogue product.
Detects, removes and blocks all types of Spyware.

Did you know that numerous programs tested against Spyware Doctor detected only small fraction of Spyware and completely removed an even smaller amount? Also most of them were unable to effectively block Spyware in real time from being installed on users PC in the first place.

Spyware Doctor has the most advanced update feature that continually improves its Spyware fighting capabilities on daily basis. As Spyware gets more complex to avoid detection by AntiSpyware programs Spyware Doctor responds with new technology to stay one step ahead.
Easiest to Use

Spyware Doctor is advanced technology designed especially for people, not just experts. That is one reason why it won the People's Choice Award in 2005, 2006 and 2007. It is automatically configured out of the box to give you optimal protection with limited interaction so all you need to do is install it for immediate and ongoing protection.

Spyware Doctor's advanced IntelliGuard technology only alerts users on a true Spyware detection. This is significant because you should not be interrupted by cryptic questions every time you install software, add a site to your favorites or change your PC settings. Such messages can be confusing and lead to undesirable outcomes such as inoperable programs, lost favorites or even Spyware being allowed to install on the system. We've done the research so you don't have to.


Remove Antivirus 2009. Description and removal instructions

Antivirus 2009 is a new rogue anti-spyware program. It is also a clone of Antivirus 2008, itself a rogue, and one that has produced more clones than any other recently. The list of these clones is long: System Antivirus 2008, Ultimate Antivirus 2008, Vista Antivirus 2008, XP Antivirus 2008, etc.

Like its predecessors, Antivirus2009 uses trojans, such as Zlob or Vundo, to spread. These trojans lurk on porn/warez websites disguised as video codecs and, once on the system, flood the user with popups and fake system notifications, supposedly to inform him of an infection. While the system at hand may indeed be infected, Antivirus 2009 will say so regardless of whether it is true. The point of this disinformation is to convince the user he is infected and therefore needs an antispyware program to dispose of the threat. The user might click on one of the popups or notifications, all of which claim they will take him to a legitimate security tool, but instead try to make him purchase Antivirus2009's "licensed version". Antivirus2009 may redirect the web browser to antivirus-premium-scan.com, webscannertools.com, googlescanners-360.com, livesecurityinfo.com, antivirusonlivescan.com, bestantivirusscan.com, antivirus-best.com, internetquarantinesite.com, premiumlivescan.com and secureclick1.com, websites that sell the malware. Some of these websites are not only fraudulent but also malicious: they are capable of installing additional malware.

Antivirus 2009 is a scam and should be treated as such: do NOT download or buy it, and block its websites using your HOSTS file.
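The HOSTS-file block suggested above is easy to get wrong by hand: duplicate lines, a stale block left over from an earlier clean-up, the www. variant forgotten. The Python below is an added example, not code from 2-spyware.com. It merges the domains named in the description into a single managed block, keeps every other line of the existing file untouched, and parses the result back to confirm which names are now sinkholed. The BEGIN/END marker comments, the 0.0.0.0 sinkhole address and the SAMPLE_HOSTS content are this example's own choices and constructed data.

```python
from typing import Iterable, List, Set

# Domains the description says Antivirus 2009 redirects the browser to.
ROGUE_DOMAINS = [
    "antivirus-premium-scan.com", "webscannertools.com", "googlescanners-360.com",
    "livesecurityinfo.com", "antivirusonlivescan.com", "bestantivirusscan.com",
    "antivirus-best.com", "internetquarantinesite.com", "premiumlivescan.com",
    "secureclick1.com",
]

# Marker comments (this example's naming) that delimit the managed block so re-runs replace it.
BEGIN = "# BEGIN rogue-av block"
END = "# END rogue-av block"
SINKHOLE = "0.0.0.0"  # non-routable, so the browser fails fast instead of probing a local port

# Constructed sample of an existing hosts file, including a stale managed block from an earlier run.
SAMPLE_HOSTS = (
    "# sample hosts file (constructed)\n"
    "127.0.0.1       localhost\n"
    f"{BEGIN}\n"
    "0.0.0.0 stale.example\n"
    f"{END}\n"
)


def build_block(domains: Iterable[str]) -> List[str]:
    """One sinkhole line per domain plus its www. form, sorted and de-duplicated."""
    names: Set[str] = set()
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if not d:
            continue
        names.add(d)
        names.add(d if d.startswith("www.") else f"www.{d}")
    return [BEGIN] + [f"{SINKHOLE} {n}" for n in sorted(names)] + [END]


def merge_hosts(existing: str, domains: Iterable[str]) -> str:
    """Return hosts content with exactly one managed block; every other line is kept verbatim."""
    kept: List[str] = []
    inside = False
    for line in existing.splitlines():
        if line.strip() == BEGIN:
            inside = True
            continue
        if line.strip() == END:
            inside = False
            continue
        if not inside:
            kept.append(line)
    if kept and kept[-1].strip():
        kept.append("")  # blank line separating the block from the user's own entries
    return "\n".join(kept + build_block(domains)) + "\n"


def sinkholed_names(hosts_text: str) -> Set[str]:
    """Parse hosts content and return the names mapped to the sinkhole (the post-edit check)."""
    names: Set[str] = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then split on whitespace
        if len(fields) >= 2 and fields[0] == SINKHOLE:
            names.update(f.lower() for f in fields[1:])
    return names


if __name__ == "__main__":
    merged = merge_hosts(SAMPLE_HOSTS, ROGUE_DOMAINS)
    print(merged)
    print(f"{len(sinkholed_names(merged))} names sinkholed")
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts; review the output of merge_hosts() before writing it back with an elevated editor, then run sinkholed_names() over the saved file to confirm the edit took.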

Manual Removal:

Antivirus 2009 manual removal:

Kill processes:
av2009.exe av2009[1].exe AV2009Install.exe Antivirus2009.exe


Delete registry values:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15358943642955870504508370025739
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Antivirus" = "%ProgramFiles%\Antivirus 2009\Antvrs.exe"
HKEY_CURRENT_USER\Software\Antivirus

Unregister DLLs:
shlwapi.dll wininet.dll

Caveat: shlwapi.dll and wininet.dll are also the names of core Windows system libraries (the Shell light-weight utility library and the WinINet HTTP/FTP client library) that Explorer, Internet Explorer and many other programs depend on. Unregistering or deleting the copies in the Windows system directory will break the system. Only act on a file of one of these names that sits in the Antivirus 2009 program directory or another non-system location, and check the file's location before touching it.

Delete files:
av2009.exe
av2009install.exe
av2009install_0011.exe
av2009[1].exe
Antivirus2009.exe
ieupdates.exe
scui.cpl
winsrc.dll
%program_files%\antivirus 2009\av2009.exe
%startmenu%\antivirus 2009\antivirus 2009.lnk
%startmenu%\antivirus 2009\uninstall antivirus 2009.lnk
%desktopdirectory%\antivirus 2009.lnk

Delete directories:
C:\Program Files\Antivirus 2009

Source: http://www.2-spyware.com/remove-antivirus-2009.html

How to remove Antivirus XP 2008 (Uninstall Instructions)

What this program does:

Antivirus XP 2008 is a new rogue anti-spyware program that is advertised through Trojans and other malware. It is advertised in the form of fake security alerts and warnings on web sites that state you are infected with malware or are being attacked in some manner. When you click on these ads, it will automatically download the installer for Antivirus XP 2008 and install it on your machine. In some cases, this program is installed without any intervention at all from you.

Once installed, AntivirusXP 2008 will scan your computer and display a variety of security risks found on your computer that can only be removed if you purchase a license of the software. These risks, though, are all fake and are only being displayed to scare you into thinking you are infected and thus purchase their software. Another tactic that AntivirusXP 2008, and the accompanied malware, uses is to change your desktop background to be a message stating you are infected, popups and fake alerts stating your computer is being attacked, and a fake Internet Explorer page that states Google has found your computer to be infected. All of these are further scare tactics and should be ignored.

Automated Removal Instructions for Antivirus XP 2008 using Malwarebytes' Anti-Malware:

1. Print out these instructions as we will need to close every window that is open later in the fix.

2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

3. Once downloaded, close all programs and Windows on your computer, including this one.

4. Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

Source:
http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

PC Tools Powerful FREE protection against malicious virus infections

With PC Tools AntiVirus Free Edition you are protected against the most nefarious cyber-threats attempting to gain access to your PC and personal information. Going online without protection against the latest fast-spreading virus and worms, such as Netsky, Mytob and MyDoom, can result in infections within minutes.

Once infected, the virus will usually attempt to spread itself to your friends, family and associates by accessing your email contacts and networked PCs. The infection may also allow hackers to access files on your PC, use it to launch attacks against other computers and websites or to send mass SPAM email.

That's why PC Tools AntiVirus Free Edition provides world-leading protection, with rapid database updates, IntelliGuard™ real-time protection and comprehensive system scanning to ensure your system remains safe and virus free. PC Tools products are trusted and used by millions of people everyday to protect their home and business computers against online threats.



Source:
http://www.pctools.com/free-antivirus/

Avira AntiVir Personal - FREE Antivirus

Basic protection
Protects your computer against dangerous viruses, worms, Trojans and costly dialers.


Source:
http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

Download FREE antivirus software - avast! Home Edition

avast! antivirus Home Edition is available free of charge for non-commercial home use ONLY. If you are not a home user or if you use your computer for business purposes, please download the avast! Professional Edition.
Free registration

avast! antivirus Home Edition is FREE to use but it is necessary to register before the end of the initial 60 day trial period. Following the registration you will receive by e-mail a license key valid for a period of 1 year. After you have downloaded and installed the program, the license key must be inserted into it within 60 days. The registration process is very easy, and it will take you only a couple of minutes.


Source:
http://www.avast.com/eng/download-avast-home.html

Download AVG Anti-Virus Free Edition

Basic antivirus and antispyware protection for Windows available to download for free. Limited features, no support, for private and non-commercial use only.
AVG Anti-Virus Free Edition

* The most downloaded software on CNET's Download.com
* Quality proven by 80 million users
* Easy to download, install and use
* Protection against viruses and spyware
* Compatible with Windows Vista and Windows XP

Feature:

Anti-Virus & Anti-Spyware

The foundation of your protection. Without antivirus and antispyware protection, your computer and data are at extreme risk.
AVG Free contains basic antivirus protection (base level only).

Anti-Rootkit

Rootkits are hidden threats that deliver malicious content. They are usually not found on PCs using standard antivirus programs.

AVG Free does not contain Anti-Rootkit protection so rootkits may be hidden in your system.
For this protection, please download AVG Internet Security

Anti-Spam

SPAM e-mails are a constant annoyance and could potentially contain malicious links or attempts to steal your identity.

AVG Free does not contain Anti-Spam which can monitor and block SPAM and fraudulent e-mails.
For this protection, please download AVG Internet Security

Firewall

Hackers and other intruders can view or steal your data, download malware to your machine or track your habits and passwords.

AVG Free does not contain a firewall which can protect you against these threats.
For this protection, please download AVG Internet Security
Safe Downloads & Instant Messaging

The essential protection for Internet use. File downloads, chatting with your friends and family - today these are everyday things. Protecting yourself in these areas is now another important part of your security and privacy protection.

AVG Free does not contain the new Safe Downloads & Instant Messaging protection (Web Shield technology) so it does not screen your downloads and communication for viruses and spyware.
For this protection, please download AVG Internet Security

Safe Search & Surf

The essential protection for Internet use. New web threats (called exploits or drive-by downloads) can infect your computer just by visiting a web page! Our new technology ensures the safety of search results, web pages, favorites & bookmarks before you open them.

AVG Free only includes the Safe Search protection which provides you with advice on search results. It does not protect against infected pages. Only AVG paid versions contain the Safe Surf technology.

Hacktivist tool targets Hamas

DDoS street protest covers both sides of Gaza conflict
Israeli cyberactivists are inviting pro-Israeli surfers to install a tool that attacks websites associated with Hamas.

This "Patriot" tool effectively turns the computers of sympathisers of the Israeli cause into zombies - albeit willing, complicit ones - in the control of Israeli hackers.

The hackers are working under the banner of the Help Israel Win collective, which was formed last month at the start of the conflict in Gaza. "We couldn't join the real combat, so we decided to fight Hamas in the cyber arena," one of the group's organisers, 'Liri', told Wired.

The package developed by the group is designed to overload websites associated with Hamas, such as qudsnews.net and palestine-info.info, with spurious traffic. Israeli hackers claim that 8,000 have downloaded and installed the Patriot software.

Conflict in cyberspace is one aspect of a propaganda offensive that has accompanied the war in Gaza, and the decades-long Israeli-Palestinian conflict. Help Israel Win is vague about how its Patriot software works, preferring instead to stress its opposition to Hamas, which has the stated aim of destroying the state of Israel.

The Patriot package, according to Help Israel Win, "unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are."

SANS Institute security researchers warn that the Patriot tool leaves the door open to abuse. "While at the moment it does not appear to do anything bad (it just connects to the IRC server and sits there - there also appeared to be around 1,000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this," SANS researcher Bojan Zdrnja writes.

A Help Israel Win representative conceded to Wired that "the Patriot code could be used as a Trojan. However, it is not used as such, and will never be."

"The update option is used to fix bugs in the client, and not to upload any malicious code. The project will close right after the war is over, and we have given a fully functional uninstaller to [remove] the application," a representative added.

It's not particularly clear how effective the Patriot tool has been in silencing allegedly pro-Hamas websites, but Help Israel Win has been forced to repeatedly shift its website location in response to attacks from hackers sympathetic to the Palestinian cause, Wired adds.

Security tools firm Arbor Networks reported earlier this week of an increase in botnet attacks on Israeli targets as well as confirming that Help Israel Win was offering what it described as a "simple Windows tool" to target Palestinian websites.

"This is an example of DDoS attacks being used as a form of street protest and something that is becoming increasingly common," said Arbor researcher Jose Nazario.

Other experts confirm that hackers from the wider Muslim world are piling in on behalf of the Palestinians. "Our observations suggest that a large number of Web sites have been defaced by a variety of hacker groups from Iran, Lebanon, Morocco and Turkey, and the trend is accelerating," said Bruce Jenkins, a retired Major with the US Air Force and consultant with application security firm Fortify Security.

Source:
http://www.theregister.co.uk/2009/01/09/gaza_conflict_patriot_cyberwars/

Researcher warns of data-snooping bug in Apple's Safari

Apple's Safari web browser for both the Mac and Windows suffers from a serious vulnerability that can expose emails, passwords and other sensitive contents of a user's hard drive, a researcher has warned.

Those using Mac OS X 10.5, aka Leopard, are susceptible to the data-snooping bug even if they use Firefox or another alternative browser, according to open source software developer Brian Mastenbrook. Apple has yet to plug the hole, so the only way users can currently protect themselves is to change the RSS reader setting in Safari's preferences panel.

Windows users are also vulnerable, but only if they are using Safari. For the time being, it's probably a good idea for Windows users with Safari installed to leave it closed and use a different browser.

"The details of this vulnerability have not been made public to the best of my knowledge, but secrecy is no guarantee against a sufficiently motivated attacker," said Mastenbrook, who last year was credited by Apple with finding four vulnerabilities in the Mac operating system. His blog post outlining the bug is light on many details, but it does say the bug "could be exploited by a phishing site in a way that would not cause affected users to suspect their information had been stolen."

Leopard users can protect themselves by opening Safari, selecting Preferences from the Safari menu, choosing the RSS tab, clicking the Default Reader pop-up menu and selecting an application other than Safari.

Users of Tiger, aka Mac OS X 10.4, and earlier versions of Mac OS X are not vulnerable.

Source:
http://www.theregister.co.uk/2009/01/13/safari_data_snooping_bug/

Paris Hilton website violated by Trojan-spreaders

Virus authors reportedly planted malicious code on Paris Hilton's website late last week.

Following the attack, surfers visiting the ParisHilton.com site were prompted to install an "update" via a dialogue box. Whether they accepted this update or decided to "cancel" it, a download of a malicious executable was initiated, according to internet reports.

The attack was reportedly used to serve up the Trojan-Spy.Zbot.YETH Trojan, a rootkit trojan designed to steal online banking information and to allow the download of other malicious code.

The assault was detected by web security firm ScanSafe on 9 January and cleaned up by Tuesday morning, hours after news of it broke, according to net security firm Sophos.

The type of attack thrown against ParisHilton.com is similar to a recent attack on MLB.com, the Major League Baseball website, and the self-explanatory sexy-celeb-photos.com. Each of these assaults was much more in your face than traditional drive-by download attacks, but they also stemmed from the same underlying cause - website vulnerabilities left open to abuse by hackers.

Over the years the hapless Hilton has become a serial victim of various computer hacking and security attacks. Four years ago the notable heiress and airhead was unfortunate enough to suffer from a hack against her T-Mobile account which resulted in the leak of messages, contact details and photos.

Last March another hacker gained access to private pictures after breaking into her Facebook account. And just days ago, messages from a faked LinkedIn profile ostensibly maintained by Ms Hilton pointed to malicious downloads.

Source:
http://www.theregister.co.uk/2009/01/13/paris_hilton_site_hacked/

Kaspersky Anti-Virus Update February 03, 2009

Kaspersky Anti-Virus Update description

Sets of threat signatures and databases of network attacks

This is a special update application to install the latest virus databases and various fixes to AntiViral Toolkit Pro for Windows 95/98/NT version 3.0.129 and above.

Use this if you already have AntiViral Toolkit Pro installed.

The antivirus databases currently contain 1717652 records.

If your Kaspersky installed application does not contain the protection module against network attacks, feel free to use mirrors 2, 4 and 6 to download 'light' versions of the update signatures.

It is essential to update antivirus databases on a regular basis. If you do not do this, your antivirus program will not detect new malicious programs. This is why we release updates every hour, to ensure that users are protected against the latest malware.

Antivirus solutions from Kaspersky Lab not only detect malicious software, but other programs which are potentially harmful, such as:

- Adware
- Remote administration programs
- Utilities which can be used by malicious programs or users

Zip archives should be unpacked into a separate directory, which should then be specified as a local folder in the automatic update module.

Daily - contains all updates and modifications released during the current week. The current week starts from the previous Friday, when the last weekly update was released. It is placed on the update server every hour. You should download daily.zip if you update your antivirus databases at least once a week.

Previous week's updates - contains all updates and modifications released during the previous week (a full version of the week's daily.zip). It is placed on the server once a week, on Friday. When this file is placed on the server, daily.zip is reset to zero size. You should download this file if you update your antivirus databases less than once a week, but more often than once every two weeks.

Complete update - contains all the updates and modifications released up to the time of the previous week's update. This is placed on the server at the same time as the new weekly.zip. You should download this file if you have not updated your antivirus databases in the last two weeks.

NOTE: After the archives have been downloaded, unpack them to a separate folder on disk. If you have downloaded several archives, unpack them in the following order: first av-i386-cumul.zip, then av-i386-weekly.zip and last av-i386-daily.zip. When unpacking, click Yes when prompted to replace files with the same name.

After the archives have been unpacked, launch the automatic update of the anti-virus databases, defining the folder with the unpacked archives as the update source in the anti-virus database update task.
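The ordering rule above matters because the three archives overlap: a signature file present in the cumulative archive may be superseded in the weekly one, and again in the daily one, so the last archive unpacked must win. The following is an added example, not Kaspersky's own updater: it builds three small constructed archives with overlapping member names, unpacks whichever of av-i386-cumul.zip, av-i386-weekly.zip and av-i386-daily.zip are present in the documented order with overwrite (the "click Yes" step), and refuses archive members that would write outside the target folder. The archive contents are invented test data.

```python
"""Apply Kaspersky offline database archives in the documented order.

Added example, not Kaspersky's code. The archive names are the ones from the
update notes; their contents here are constructed test data.
"""
import os
import tempfile
import zipfile

# Order mandated by the update notes: cumulative first, then weekly, then daily.
UPDATE_ORDER = ["av-i386-cumul.zip", "av-i386-weekly.zip", "av-i386-daily.zip"]


def build_sample_archives(directory):
    """Create constructed archives with overlapping member names (test data only)."""
    contents = {
        "av-i386-cumul.zip": {"base001.avc": b"cumul v1", "daily.avc": b"cumul v1"},
        "av-i386-weekly.zip": {"base001.avc": b"weekly v2", "extra.avc": b"weekly v2"},
        "av-i386-daily.zip": {"daily.avc": b"daily v3"},
    }
    for name, members in contents.items():
        with zipfile.ZipFile(os.path.join(directory, name), "w") as zf:
            for member, data in members.items():
                zf.writestr(member, data)
    return contents


def is_safe_member(name):
    """Reject absolute paths and '..' so an archive cannot write outside the target."""
    normalized = os.path.normpath(name)
    return not (os.path.isabs(normalized) or normalized.startswith(".."))


def unpack_updates(archive_dir, target_dir, order=UPDATE_ORDER):
    """Unpack whichever of the archives are present, in order, overwriting
    same-named files. Returns the list of archives that were applied."""
    applied = []
    for name in order:
        path = os.path.join(archive_dir, name)
        if not os.path.exists(path):
            continue  # downloading only daily.zip is a valid case
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if not is_safe_member(member):
                    raise ValueError("unsafe path in %s: %s" % (name, member))
                zf.extract(member, target_dir)  # overwrites an existing file
        applied.append(name)
    return applied


def read_result(target_dir):
    """Return {filename: bytes} for the unpacked folder."""
    result = {}
    for fname in os.listdir(target_dir):
        with open(os.path.join(target_dir, fname), "rb") as fh:
            result[fname] = fh.read()
    return result


def demo():
    """Build the sample archives, apply them, and return (applied, final files)."""
    with tempfile.TemporaryDirectory() as work:
        archives = os.path.join(work, "downloads")
        bases = os.path.join(work, "bases")
        os.makedirs(archives)
        os.makedirs(bases)
        build_sample_archives(archives)
        applied = unpack_updates(archives, bases)
        return applied, read_result(bases)


if __name__ == "__main__":
    applied_archives, files = demo()
    print("applied:", applied_archives)
    for fname, data in sorted(files.items()):
        print(fname, "->", data.decode())
```

Point the product's update task at the `bases` folder afterwards, as the note describes. The path check is worth keeping even for vendor archives: the unpack step runs with the user's privileges, and a crafted archive member such as `..\..\system32\x.dll` would otherwise be written wherever it pointed.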

Source:
http://www.softpedia.com/get/Others/Signatures-Updates/

Spam Levels Likely To Rise As Srizbi Botnet Comes Back To Life

When McColo, an ISP known for being a haven for spammers and scammers, was knocked offline two weeks ago, the notorious Srizbi botnet went down with it. This resulted in global spam volume plummeting by as much as 75%. Sadly, that's about to change. FireEye, a threat research firm, has discovered that Srizbi is rising from the dead.

Researchers at the firm have discovered that Srizbi has begun updating all of its bots via its new command servers located in Estonia. New domains linked to the botnet have been found as well, with registrations located in Russia.

Here’s an excerpt from FireEye’s report:

As has been publicized, Srizbi had a mechanism to dynamically generate the C&C to which it would communicate based on a seed (magic number) in the binary, and a variation of the Julian date of the infected host. Our next post will go into the technical details of this algorithm. This dynamic DNS generation mechanism was the main reason why they were able to regain control, even though the primary IP, hosted at McColo, was and is still not routable. As soon as we stopped registering domain names, the Botnet owner swooped in and began registering domains, as he was able to predict which would be in use today.


As of now, the spam being sent by the revived Botnet is only targeting Russian addresses, but expect Srizbi to begin reaching out to the rest of the world in short order.
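The FireEye excerpt describes the defensive race a domain-generation algorithm creates: whoever can compute tomorrow's C&C names first can register them (to sinkhole the bots) or block them. The following is an added example, not FireEye's code, and it does not reproduce Srizbi's real generator, whose details are not given on this page: `placeholder_dga` is a stand-in of the same shape (seed plus a Julian-date-derived value yields a small set of domains per day) so that the workflow of predicting a window of domains and screening DNS logs against it can be shown. The seed value, the log format and the log lines are all constructed.

```python
"""Predict DGA domains for a date window and screen DNS logs against them.

Added example. `placeholder_dga` is a hypothetical stand-in, NOT Srizbi's
actual algorithm; SEED, the log format and the log lines are constructed.
"""
import datetime
import hashlib
import re

SEED = 0x1234  # hypothetical 'magic number' standing in for the one in the binary
TLDS = ("com", "net", "info")
DEMO_START = datetime.date(2008, 11, 26)


def placeholder_dga(seed, day, count=4):
    """Stand-in generator: derive `count` domains from the seed and the Julian Day Number."""
    julian = day.toordinal() + 1721425  # proleptic Gregorian ordinal -> Julian Day Number
    domains = []
    for i in range(count):
        digest = hashlib.sha256(b"%d:%d:%d" % (seed, julian, i)).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        domains.append("%s.%s" % (label, TLDS[i % len(TLDS)]))
    return domains


def predict_window(seed, start, days):
    """Domains a bot would try on each day from `start` for `days` days."""
    return {
        start + datetime.timedelta(days=d): placeholder_dga(seed, start + datetime.timedelta(days=d))
        for d in range(days)
    }


# Constructed log format: "<timestamp> <client-ip> query <qname>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def find_dga_lookups(log_lines, predicted):
    """Return (client, qname, date) for every query that hits a predicted domain."""
    watch = {dom: day for day, doms in predicted.items() for dom in doms}
    hits = []
    for line in log_lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in watch:
            hits.append((m.group("client"), qname, watch[qname]))
    return hits


def demo():
    """Predict a week of domains and check two constructed log lines against them."""
    predicted = predict_window(SEED, DEMO_START, 7)
    target = predicted[DEMO_START + datetime.timedelta(days=2)][1]
    log = [
        "2008-11-28T10:00:01 10.0.0.5 query www.example.com.",
        "2008-11-28T10:00:02 10.0.0.9 query %s." % target,  # constructed bot lookup
    ]
    return find_dga_lookups(log, predicted)


if __name__ == "__main__":
    for client, qname, day in demo():
        print("%s looked up %s (predicted for %s)" % (client, qname, day))
```

The same predicted set is what a defender would feed to a registrar or a resolver blocklist ahead of time; the catch the excerpt illustrates is that the defender has to keep doing so every day, while the operator only has to win once.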

Source: http://www.allspammedup.com/2008/11/spam-levels-likely-to-rise-as-srizbi-botnet-comes-back-to-life/

New Malicious Spam Attack Claims Obama Resigned

Barack Obama and his inauguration are by far the hottest topics in the country right now, so it's not surprising that a new malicious spam attack is exploiting him. A new wave of spam is underway with headlines proclaiming Obama has changed his mind and turned down the presidency. The messages contain links to a site that looks very much like the official Obama/Biden campaign site but which is actually a fake that delivers malware. Visitors to the malicious site will find a mix of fake and real news stories, one of which proclaims that Obama released a statement saying he no longer wants to be president. Clicking on the "more" link triggers a malicious download, a Trojan horse that will turn the recipient's computer into a zombie and add it to the new Waledec botnet. Waledec sprang up just before Christmas and spread via fake greeting cards. Right now it's the 9th largest botnet with an estimated 10,000 computers under its control.

This new attack will likely cause that number to sharply rise as users, alarmed by the headline, will click through without thinking. Experts say Waledec is most likely controlled by the same person responsible for the massive Storm botnet which wreaked havoc last year.

Source: http://www.allspammedup.com/2009/01/new-malicious-spam-attack-claims-obama-resigned/

New Valentine’s Day Spam Attack Underway

Not surprisingly, spammers have begun a new attack exploiting the upcoming Valentine's Day holiday. New spam messages with subject lines such as "Falling in love with you", "I belong to you", and "I love being in love with you" have begun hitting inboxes. Security experts say the attack started on January 22nd. The body of the messages contains romantic-sounding one-liners like "Me and You", "In Your Arms", and "With all my love", and a link. The link directs the recipient to a web page displaying 12 heart images and inviting them to click on one. Doing so downloads a malicious program called "love.exe" or "you.exe" which turns the infected computer into a zombie and adds it to the Waledec botnet, which is believed to be run by the same folks responsible for the Storm botnet. So far the botnet is sending an average of 11,000 messages per hour.

This is the same group responsible for the Obama spam sent earlier this month. That spam attempted to lure people to a fake Obama/Biden site with a link to a fake news story claiming Obama had abruptly declined to accept the presidency of the United States. This new botnet is growing so quickly it’s being called the new Storm botnet. It appears that the group behind it isn’t in a hurry to learn any new tricks because the old ones are still working just fine.

Source: http://www.allspammedup.com/2009/01/new-valentines-day-spam-attack-underway/

Virus Profile: W32/Checkout!91d0b88a

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/11/2007
Date Added: 8/11/2007
Origin: N/A
Length: 41,984 bytes
Type: Virus
SubType: Internet Worm
DAT Required: 5096
Virus Characteristics

-- Update August 12, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.darkreading.com/document.asp?doc_id=131362

This variant of W32/Checkout may be detected as W32/Generic.Delphi.a in earlier versions of the DAT.

This worm spreads via MSN Messenger. When installed, it sends one of the following messages to contact-list recipients, together with a zip file named img1756.zip (~42 KB).

* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the fuck, did you see this?
* hey man, did you take this picture?

Upon execution, it creates a copy of itself in the Windows folder and also drops a zip file:

* %WINDIR%\img1756.zip (W32/Checkout zipped)
* %WINDIR%\svchost.exe (W32/Checkout)

(Where %WINDIR% is the Windows folder; e.g. C:\Windows)

It also drops a batch file, a.bat, to stop the following services. The .bat file is deleted after execution.

* Security Center
* winvnc4

Adds the following values to the registry:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"

The worm connects to an IRC channel on {blocked}.basecase.info.


Indications of Infection

* Presence of the files/registry keys mentioned
* Unexpected network connection to the associated site(s).
* MSN contacts receiving one of the messages with zip attachment.


Method of Infection
This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file (W32/Checkout).
Removal Instructions
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142934

Virus Profile: Spy-Agent.bw

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/20/2007
Date Added: 3/15/2007
Origin: N/A
Length: Varies
Type: Trojan
SubType: Win32
DAT Required: 4985
Virus Characteristics

-- Update December 2, 2008 --

A new variant began to be spammed to German customers earlier this morning. The trojan comes with an email claiming that your email account is locked and that the instructions to unlock the account can be found in the attachment (the trojan).

Filenames used are Sperrung.exe, Hinweis.exe and the dropped file is named Wins.exe.

Detection for these variants is included in today's 5452 DAT package.

An Extra DAT file can be obtained from the Extra DAT request page: http://www.webimmune.net/extra/getextra.aspx



-- Update August 19, 2008 --

Another variant was spammed today. The subject of those mails reads 'Colis postal' and they pretend to be sent from 'La Poste France', or they pretend to be sent from 'Hawaiian Airlines' using the subject 'Your Flight Ticket N0165906'.

Attached to these mails is a ZIP archive, named 'La_Poste_N8832.zip' or 'Your Flight Ticket N0165906', which includes the trojan Spy-Agent.bw.

Detection for this new variant will be included in today's 5364 DATs.

-- Update August 18, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from Fedex. The attachment might be named Fedx-retr871.zip or similar.

Upon execution, a new variant creates the following file:

* C:\WINDOWS\system32\ntos.exe (Spy-Agent.bw)

It changes the following registry key:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe

-- Update August 04, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.

Upon execution, a new variant creates the following hidden files and hidden folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan injects its malicious code into the following process:

* winlogon.exe

It can connect to the following website to communicate stolen data, log actions and receive instructions:

* ahleinaks.ru

-- Update July 21, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.

It can connect to the following website to communicate stolen data, log actions and receive instructions:

* blatundalqik.ru

-- Update May 13, 2008 --

Upon execution, a new variant creates the following hidden files and hidden folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan injects its malicious code into the following process:

* winlogon.exe

It can connect to the following site to communicate stolen data, log actions and receive instructions:

* razvlekalovo.net

-- Update August 20, 2007 --


The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.techworld.com/security/news/index.cfm?newsID=9833&pagtype=samechan
--

A recent variant was found to be stealing data from recruitment websites once the user is infected. This variant can be proactively detected as New Win32.g2 using the following scanners with heuristics enabled: GroupShield, Secure Internet Gateway (SIG), Secure Mail Gateway (SMG), Secure Web Gateway (SWG), TOPS Email, VirusScan Enterprise Email, VirusScan Email.

Upon execution, it creates the following files and folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx =
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan injects its malicious code into the following processes:

* svchost.exe
* winlogon.exe

A particular variant of Spy-Agent.bw can log into the following recruitment websites in search of resume data and personal information, and then posts what it finds to the site(s) listed further below:

* recruiter.monster.com
* hiring.monster.com

Spy-Agent.bw can connect to the following site(s) to communicate stolen data, log actions and receive instructions:

* http://195.189.{blocked}/mnstr/grabv2.php?getid=1
* http://195.189.{blocked}/spmv3.php?sendlog=
* http://195.189.{blocked}/mnstr/grabv2.php
* http://195.189.{blocked}/pmv3.php?sentmailz=

Sends spam e-mails via the following SMTP server:

* smtp.bizmail.yahoo.com


Indications of Infection

* Presence of file(s) and registry key(s) as previously mentioned.
* Unexpected network connections to the mentioned site(s).
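The "Indications of Infection" lists in this profile and in the W32/Checkout profile above are concrete enough to check mechanically: a Winlogon\Userinit value that launches anything besides userinit.exe, a Run value named "Microsoft Genuine Logon", ntos.exe and the wsnpoem folder under System32, and an svchost.exe or img1756.zip sitting directly in %WINDIR%. The following is an added example, not McAfee's tooling; it screens a constructed .reg-style export and a constructed file listing for exactly those artefacts. The minimal .reg parser, the sample export and the sample paths are all assumptions for illustration.

```python
"""Screen a registry export and a file listing for the persistence artefacts
listed in the W32/Checkout and Spy-Agent.bw profiles.

Added example, not McAfee's code. SAMPLE_REG and SAMPLE_FILES are constructed.
"""
import ntpath
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (basename, parent folder) pairs from the profiles, compared case-insensitively.
DROPPED_FILES = {
    ("ntos.exe", "system32"): "Spy-Agent.bw dropped file",
    ("img1756.zip", "windows"): "W32/Checkout zip",
    ("svchost.exe", "windows"): "W32/Checkout copy (the real svchost.exe lives in System32)",
}
DROPPED_DIRS = {"wsnpoem": "Spy-Agent.bw data folder"}

# Constructed .reg-style export (backslashes are doubled, as regedit writes them).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Genuine Logon"="svchost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed file listing; a trailing backslash marks a directory.
SAMPLE_FILES = [
    "C:\\WINDOWS\\system32\\userinit.exe",
    "C:\\WINDOWS\\system32\\svchost.exe",
    "C:\\WINDOWS\\svchost.exe",
    "C:\\WINDOWS\\img1756.zip",
    "C:\\WINDOWS\\system32\\wsnpoem\\",
    "C:\\WINDOWS\\system32\\ntos.exe",
]


def parse_reg_export(text):
    """Minimal parser for the [KEY] / "name"="value" lines of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"').replace("\\\\", "\\")
    return keys


def check_registry(keys):
    """Flag Userinit tampering and the W32/Checkout Run value."""
    findings = []
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    # Windows separates Userinit entries with commas; the profile text shows spaces.
    # Splitting on both is fine here because userinit.exe never lives under a
    # path containing spaces, which is the only case this split would mangle.
    for entry in filter(None, re.split(r"[,\s]+", userinit)):
        if ntpath.basename(entry).lower() not in ("userinit.exe", "userinit"):
            findings.append("Userinit launches extra binary: %s" % entry)
    for name, value in keys.get(RUN_KEY, {}).items():
        if name.lower() == "microsoft genuine logon":
            findings.append("Run value %r -> %s (W32/Checkout autostart)" % (name, value))
    return findings


def check_files(paths):
    """Flag dropped files by basename and the folder they sit in."""
    findings = []
    for path in paths:
        parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
        if len(parts) < 2:
            continue
        base, parent = parts[-1], parts[-2]
        if (base, parent) in DROPPED_FILES:
            findings.append("%s: %s" % (path, DROPPED_FILES[(base, parent)]))
        if base in DROPPED_DIRS and path.endswith("\\"):
            findings.append("%s: %s" % (path, DROPPED_DIRS[base]))
    return findings


def scan(reg_text, paths):
    """Run both checks and return the combined list of findings."""
    return check_registry(parse_reg_export(reg_text)) + check_files(paths)


if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

On a live system the same two checks would be fed from `reg export` output and a recursive directory listing; the Userinit check in particular is worth running on its own, since a value of the form `userinit.exe,<something else>` is the persistence technique both the 2007 and the 2008 variants share.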


Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain variants were also known to be installed via web exploits.
Removal Instructions

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Aliases
Infostealer.Monstres (Symantec)

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141745

Virus Profile: Downloader-UA.h

Risk Assessment
- Home Users: Medium
- Corporate Users: Low-Profiled
Date Discovered: 5/2/2008
Date Added: 5/2/2008
Origin: N/A
Length: various
Type: Trojan
SubType: Downloader
DAT Required: 5287
Virus Characteristics

Downloader-UA.h trojans are fake music and video files associated with fastmp3player.com.

File sizes vary as these files are padded with nulls. The file names vary as well. Here are some sample file names:

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3

When a user attempts to play one of these MP3 or MPG files, they do not get the music or video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip whatsoever.

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files) a 4,800-word EULA is displayed.
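Two properties the profile gives away are enough to triage a batch of these downloads before anyone double-clicks them: the files are padded with nulls to vary their size, and they contain no playable media. The following is an added example, not McAfee's detection: it checks whether the first bytes match what the extension promises (an ID3 tag or MPEG audio frame sync for .mp3, an MPEG program-stream pack header or sequence header for .mpg) and how much of the file is null padding. The sample byte strings, the file names reused from the list above, and the 90% null threshold are constructed assumptions for illustration; the checks say nothing about what a real sample from this family looks like internally.

```python
"""Flag 'media' downloads that carry no media: wrong magic bytes, heavy null padding.

Added example, not McAfee's code. SAMPLES are constructed byte strings and the
null-ratio threshold is an assumption chosen for illustration.
"""


def looks_like_mp3(data):
    """ID3v2 tag header, or an MPEG audio frame sync (11 set bits)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def looks_like_mpeg_video(data):
    """MPEG program-stream pack header (00 00 01 BA) or sequence header (00 00 01 B3)."""
    return data[:4] in (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3")


def null_ratio(data):
    """Fraction of the file that is 0x00 bytes (1.0 for an empty file)."""
    return data.count(0) / len(data) if data else 1.0


HEADER_CHECKS = {"mp3": looks_like_mp3, "mpg": looks_like_mpeg_video, "mpeg": looks_like_mpeg_video}


def classify_media(name, data, max_null_ratio=0.9):
    """Return 'ok', 'fake: ...', 'suspicious: ...' or 'unknown-extension'."""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext not in HEADER_CHECKS:
        return "unknown-extension"
    if not HEADER_CHECKS[ext](data):
        return "fake: header does not match .%s" % ext
    ratio = null_ratio(data)
    if ratio > max_null_ratio:
        return "suspicious: %.0f%% null padding" % (100 * ratio)
    return "ok"


# Constructed samples (names reuse the profile's list; contents are invented).
SAMPLES = {
    # text where a media header should be, then null padding
    "preview-t-3545425-theme godfather.mp3": b"This file requires PLAY_MP3.exe" + b"\x00" * 4096,
    # a bare ID3 tag header followed by nothing but nulls
    "t-3545425-just got lucky.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 4096,
    # nothing at all but null padding
    "t-3545425-lion king portugues.mpg": b"\x00" * 2048,
    # MPEG audio frame sync followed by varied payload bytes
    "genuine.mp3": b"\xff\xfb\x90\x00" + bytes(range(256)) * 8,
    # MPEG program-stream pack header followed by varied payload bytes
    "genuine.mpg": b"\x00\x00\x01\xba" + bytes(range(256)) * 8,
}


def scan_samples(samples=SAMPLES):
    """Classify every sample and return {name: verdict}."""
    return {name: classify_media(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for fname, verdict in sorted(scan_samples().items()):
        print("%-45s %s" % (fname, verdict))
```

The header check is the cheap first gate; the null-ratio check catches the case where an attacker prepends a valid-looking header to padding, which is why both are applied rather than either alone. A real media file can legitimately contain runs of nulls, so the threshold should be tuned against a corpus of known-good files before being used to quarantine anything.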

Indications of Infection

* Presence of files with names like those listed above
* Display of the EULA described above

Method of Infection

Downloader-UA.h trojans are propagated through P2P networks.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=144503

Win32/Malas.C

Type : Worm

Category : Win32

Also known as: W32/Bindo.worm (McAfee), INF/Malas.C, Worm:Win32/Malas.gen (MS OneCare), P2P-Worm.Win32.Malas.h (Kaspersky), WORM_MALAS.I (Trend), W32/Malas-B (Sophos), W32.SillyFDC (Symantec)



CA Antivirus 2007
Removal Instructions

Signature: 31.4.5784
Removal Instructions:

Download and apply the latest eTrust Antivirus signature file update. Launch the eTrust Antivirus Local Scanner and run a full scan on all affected computer systems, with the "Infection Treatment File Actions" set to "Cure File" and the System Cure feature enabled.

Consult the product help and/or visit SupportConnect for additional assistance with operating these features of eTrust Antivirus 6.x/v7.