Virus | Trojan | Spyware | Removal Tools

Antivirus 2009: How to Remove Fake AV Software

2009-04-23T09:48:00.000-07:00

A new threat that comes under the guise of a genuine antivirus program has become increasingly prevalent over the past year. Offering to locate and remove malware from your PC, this rogue will actually install a Trojan on your unsuspecting system. The process is usually initiated when you click a link for what you believe is valid security software or its vendor's site.

Such adverts are not only a nuisance when browsing online -- fake ads appear on reputable sites that make use of third-party advertising -- but they are designed to rip off consumers by tempting them to pay for a worthless program. Worse still, these rogue applications infect your PC with a problem they claim can only be 'fixed' by purchasing extra software.

If a fake antimalware app is installed on your PC, you will begin to receive fairly persistent warning messages that your system has been infected and be advised to visit a particular site and pay for the necessary protection. You'll be told that you have a trial version of the software installed and need to upgrade to remove all threats.

Such has been the success of these scams that several of the fake programs have become infamous. WinAntiSpyware, Antivirus 2008 (recently updated to 2009), Antispyware Pro XP and AntiVirus Lab 2009 are all suspect -- and no doubt others will soon emulate them.

With similar tactics having been previously used to perpetrate fraud such as phishing, the scammers have latched on to a very effective way to play on people's existing security fears.

Should one break through your defences, we'll show you how to remove it from your system.

1. The exact method for removing fake antivirus software will differ depending on the particular variety you've been blessed with. We've concentrated on Antivirus 2009. If it sounds familiar, you've probably endured fake warning alerts, increased pop-ups and the hijacking of your home page.

2. Such programs can be difficult to uninstall, and you may need to use a dedicated application such as ParetoLogic's XoftSpySE. In general, you will find that using antispyware software is simpler, although it can't be guaranteed to work in every instance.

3. Uninstall Antivirus 2009 using the Add/Remove Programs utility in the Control Panel, then restart your PC in Safe mode. Launch your antispyware application and allow it to scan system files and folders and remove any suspect applications. Now boot up your PC as normal.

4. If antispyware software doesn't get rid of the fake program, you'll need to remove it manually. Be sure to back up any important files first. Next, press Ctrl, Alt, Del to bring up the Task Manager. Click Image Name and select Antivirus 2009, then choose End Process to stop it running.

5. Go to Start, Run. Type regedit to start the Registry Editor, where you will delete the entries for WinAntiVirus. Browse to the Hkey_Local_Machine\Software folder from the My Computer folder and delete the series of Registry entries that are described on this PC Advisor forum thread.

6. The same thread lists a number of spyware files that will need to be manually deleted from your Windows folder, but note that you may need to stop the file processes in the Task Manager before you can delete them. As before, make sure you back up your system before you start.

Source:
http://www.pcworld.com

Review Norton AntiVirus 2009 16.0

2009-04-23T09:35:00.000-07:00

Norton AntiVirus 2009 provides fast, responsive defense against all types of malicious software including viruses, spyware, worms, and other software threats. It protects your system without slowing it down. Rapid pulse updates every 5 to 15 minutes help to ensure that you're protected from the latest threats.

Working quickly and quietly in the background, Norton AntiVirus requires little memory and system resources. The new Norton Insight relies on extensive online intelligence to target only those processes at risk, resulting in faster, shorter, fewer scans. And the new Norton Protection System employs a multilayered set of security technologies that work in concert to detect, identify, and block attacks. Version 2009 improves on product performance.

Screenshot

Download for review/trial [DOWNLOAD]

Review Kaspersky Anti-Virus 2009 8.0.0.454

2009-04-23T09:14:00.000-07:00

Kaspersky Anti-Virus 2009 8.0.0.454 – The backbone of your PC’s security system, offering protection from a range of IT threats. Kaspersky Anti-Virus 2009 provides the basic tools needed to protect your PC. This easy-to-use solution provides complete antivirus protection that keeps you safe while your are online.
Features :

Kaspersky Anti Virus 8.0 – is a new line of Kaspersky Labs products, which is designed for the multi-tiered protection of personal computers. This product is based on in-house protection components, which are based on variety of technologies for maximum levels of user protection regardless of technical competencies. This product utilizes several technologies, which were jointly developed by Kaspersky Labs and other companies; part of them is implemented via online-services.
Our products for home and home office are specifically designed to provide hassle-free and quality protection against viruses, worms and other malicious programs, as well as hacker attacks, spam and spyware.

During product preparation several competitor offerings were considered and analyzed - firewalls, security suites systems, which position themselves as proactive in defence and HIPS systems. Combination of in-hosue innovative developments and results from analysis gathered through the industry allowed to jump onto a new level of protection for personal users, whereby offering even more hardened and less annoying computer protection from all types of electronic threats – malicious programs of different types, hacker attacks, spam mailings, program-root kits, phishing emails, advertisement popup windows etc.

Essential Protection
* Protects from viruses, Trojans and worms
* Blocks spyware and adware
* Scans files in real time (on access) and on demand
* Scans email messages (regardless of email client)
* Scans Internet traffic (regardless of browser)
* Protects instant messengers (ICQ, MSN)
* Provides proactive protection from unknown threats
* Scans Java and Visual Basic scripts

Preventive Protection
* Scans operating system and installed applications for vulnerabilities
* Analyzes and closes Internet Explorer vulnerabilities
* Disables links to malware sites
* Detects viruses based on the packers used to compress code
* Global threat monitoring (Kaspersky Security Network)

Advanced Protection & Recovery
* The program can be installed on infected computers
* Self-protection from being disabled or stopped
* Restores correct system settings after removing malicious software
* Tools for creating a rescue disk

Data & Identity Theft Protection
* Disables links to fake (phishing) websites
* Blocks all types of keyloggers

Usability
* Automatic configuration during installation
* Wizards for common tasks
* Visual reports with charts and diagrams
* Alerts provide all the information necessary for informed user decisions
* Automatic or interactive mode
* Round-the-clock technical support
* Automatic database updates

Download for trial Here [DOWNLOAD]

Norton 360 v3.0 for review

2009-04-16T09:13:00.000-07:00

Norton 360 description

Offers a full circle of protection and eliminates the need to purchase and manage multiple products, Norton 360 will offer a full circle of protection and eliminates the need to purchase and manage multiple products.

PC security defends you against a broad range of online threats�protects your computer and makes your online experience more secure, Identity protection safeguards you against online identity theft�protects against fraud and theft, Automatic backup and restore protects your important files from loss�safeguards irreplaceable photos, movies, music, and more.

PC tuneup keeps your PC running at peak performance�helps your PC run faster and keeps it running the way it�s supposed to, Network monitoring�helps protect your home network.

Here are some key features of "Norton 360":

Enhanced performance - Provides industry-leading protection without sacrificing performance:
� Fast scan and browse speeds
� Less memory use than the average used by competing products
� PC Security with industry leading virus, spyware and firewall protection
� And much more...........

Backup and restore:
� Protects photos, music, and documents with automated backup
� Supports new backup destinations including Blu-ray Disc, HD-DVD, and iPod
� Automatically detects and backs up your critical files
� Includes 2 GB of secured online storage (with option to purchase additional storage)

Network monitoring:
� Lets you view your wireless network and each device connected to it
� Displays the security status of all the Norton products on your network
� Alerts you when you connect to an unsecured wireless network
� And much more..........
Easy protection of your PC and online activities�Norton 360 threat handling, scans, and tuneups are conducted quietly in the background:
� Automatically optimizes and maintains your PC for peak performance
� Automatically cleans up unnecessary Internet clutter and temporary files
� Helps optimize Windows performance by removing unneeded registry files

One-click support - Provides one-click access to expert support right from your Norton product:
� Fast access to expert support through email, live chat, or phone
� Protection updates: Includes protection updates and new product features as available throughout the renewable service period
� Ongoing protection: Keeps your computer protected from the latest Internet risks by automatically renewing your subscription at the regular subscription price (plus applicable tax), so you don't have to do it. For more information, click here.
� Optional antispam and parental controls: Enables you to download antispam and parental controls via the Norton Add-on Pack
� Free Technical Support: Free tech support delivers the help you need, however you need it

Download review software from Rapidshare

Norton Antivirus Trial Reset 2.9A

2009-04-16T09:08:00.000-07:00

Dump trials the period in company Symantec products : Norton Internet Security 2009 (v16.5.0.134/5), Norton AntiVirus 2009 (v16.5.0.134), and Norton 360 v3 (v3.0.0.135/4).

Downloads From rapidshare.com

SillyDl.CEK Trojan

2009-04-16T01:53:00.001-07:00

SillyDl.CEK malware description and removal detail
Categories:Trojan

Platforms / OS: Windows 95, Windows 98, Windows 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP, Windows 2003, Windows Vista

Removing SillyDl.CEK:

An up-to-date copy of ExterminateIt should detect and prevent infection from SillyDl.CEK.

If you do not have ExterminateIt and you are worried that you may have infected computer, you could run trial version of ExterminateIt, or remove SillyDl.CEK manually.

To completely manually remove SillyDl.CEK malware from your computer, you need to delete the Windows registry keys and registry values, the files and folders associated with SillyDl.CEK.

1. Use Task Manager to terminate the SillyDl.CEK process.
2. Delete the original SillyDl.CEK file and folders.
3. Delete the system registry key parameters
4. Update your antivirus databases or buy antivirus software and perform a full scan of the computer.

We recommends that all Internet users back up any important information on their computers, enable maximum protection from network attacks and malicious code on their computers, refrain from executing suspicious programs received from untrustworthy sources.

Bancos.GKY Trojan

2009-04-16T01:49:00.001-07:00

Bancos.GKY malware description and removal detail
Categories:Trojan

Platforms / OS: Windows 95, Windows 98, Windows 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP, Windows 2003, Windows Vista

Removing Bancos.GKY:

An up-to-date copy of ExterminateIt should detect and prevent infection from Bancos.GKY.

If you do not have ExterminateIt and you are worried that you may have infected computer, you could run trial version of ExterminateIt, or remove Bancos.GKY manually.

To completely manually remove Bancos.GKY malware from your computer, you need to delete the Windows registry keys and registry values, the files and folders associated with Bancos.GKY.

1. Use Task Manager to terminate the Bancos.GKY process.
2. Delete the original Bancos.GKY file and folders.
3. Delete the system registry key parameters
4. Update your antivirus databases or buy antivirus software and perform a full scan of the computer.

We recommends that all Internet users back up any important information on their computers, enable maximum protection from network attacks and malicious code on their computers, refrain from executing suspicious programs received from untrustworthy sources.

Reign Trojan

2009-04-16T01:48:00.000-07:00

Reign malware description and removal detail
Categories:Trojan,Spyware,Backdoor,Downloader,Hacker Tool
Also known as:

[Panda]Trojan Horse,Trj/Agent.AA,Trj/Iyus.B,Trj/Iyus.F,Trj/Iyus.C,Trj/Bizex.B,Bck/Xordoor.A;
[Computer Associates]Win32.Reign.K,Win32/Reign.K!Trojan,Win32/Reign.K!HookDLL!Trojan,Win32.Reign.O,Win32/Reign.O!Trojan,Win32.Reign.N,Win32/Reign.N!Trojan,Win32.Reign.Z,Win32/Reign!DLL.102400!Trojan,Win32/Reign.Z!Worm,Win32.Reign.X,Win32/Reign.X!Trojan
Visible Symptoms:
Files in system folders:
[%SYSTEM%]\iyus.dll
[%SYSTEM%]\iyus\ampgbbje.exe
[%SYSTEM%]\iyus\foimeobm.exe
[%SYSTEM%]\iyus\hqejkanf.exe
[%SYSTEM%]\unic2_32.dll
[%SYSTEM%]\x3yy\dbkajomk.exe
[%SYSTEM%]\xor\svchost.exe
[%SYSTEM%]\iyus.dll
[%SYSTEM%]\iyus\ampgbbje.exe
[%SYSTEM%]\iyus\foimeobm.exe
[%SYSTEM%]\iyus\hqejkanf.exe
[%SYSTEM%]\unic2_32.dll
[%SYSTEM%]\x3yy\dbkajomk.exe
[%SYSTEM%]\xor\svchost.exe

In order to ensure that the Reign is launched automatically each time the system is booted, the Reign adds a link to its executable file in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[%SYSTEM%]\iyus\ampgbbje.exe
[%SYSTEM%]\iyus\foimeobm.exe
[%SYSTEM%]\iyus\hqejkanf.exe
[%SYSTEM%]\x3yy\dbkajomk.exe
[%SYSTEM%]\xor\svchost.exe

Platforms / OS: Windows 95, Windows 98, Windows 98 SE, Windows NT, Windows ME, Windows 2000, Windows XP, Windows 2003, Windows Vista

Detecting Reign:

Files:
[%SYSTEM%]\iyus.dll
[%SYSTEM%]\iyus\ampgbbje.exe
[%SYSTEM%]\iyus\foimeobm.exe
[%SYSTEM%]\iyus\hqejkanf.exe
[%SYSTEM%]\unic2_32.dll
[%SYSTEM%]\x3yy\dbkajomk.exe
[%SYSTEM%]\xor\svchost.exe
[%SYSTEM%]\iyus.dll
[%SYSTEM%]\iyus\ampgbbje.exe
[%SYSTEM%]\iyus\foimeobm.exe
[%SYSTEM%]\iyus\hqejkanf.exe
[%SYSTEM%]\unic2_32.dll
[%SYSTEM%]\x3yy\dbkajomk.exe
[%SYSTEM%]\xor\svchost.exe

Registry Values:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run

Removing Reign:

An up-to-date copy of ExterminateIt should detect and prevent infection from Reign.

If you do not have ExterminateIt and you are worried that you may have infected computer, you could run trial version of ExterminateIt, or remove Reign manually.

To completely manually remove Reign malware from your computer, you need to delete the Windows registry keys and registry values, the files and folders associated with Reign.

1. Use Task Manager to terminate the Reign process.
2. Delete the original Reign file and folders.
3. Delete the system registry key parameters
4. Update your antivirus databases or buy antivirus software and perform a full scan of the computer.

We recommends that all Internet users back up any important information on their computers, enable maximum protection from network attacks and malicious code on their computers, refrain from executing suspicious programs received from untrustworthy sources.

Detecting Windows.adtools

2009-04-16T01:45:00.000-07:00

Detecting Windows.adtools:

Folders:
[%PROGRAM_FILES%]windows adtools

Registry Keys:
HKEY_LOCAL_MACHINEsoftwarewindows adtools
HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionuninstallwindows adtools

Registry Values:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionrun

Removing Windows.adtools:

An up-to-date copy of ExterminateIt should detect and prevent infection from Windows.adtools.

If you do not have ExterminateIt and you are worried that you may have infected computer, you could run trial version of ExterminateIt, or remove Windows.adtools manually.

To completely manually remove Windows.adtools malware from your computer, you need to delete the Windows registry keys and registry values, the files and folders associated with Windows.adtools.

1. Use Task Manager to terminate the Windows.adtools process.
2. Delete the original Windows.adtools file and folders.
3. Delete the system registry key parameters
4. Update your antivirus databases or buy antivirus software and perform a full scan of the computer.

We recommends that all Internet users
back up any important information on their computers,
enable maximum protection from network attacks and malicious code on their computers,
refrain from executing suspicious programs received from untrustworthy sources.

Source: howto-remove-virus.blogspot.com

Norton Internet Security 2008 (15.0.0.60) Final

2009-04-15T07:55:00.002-07:00

Norton Internet Security 2008 (15.0.0.60) Final

Norton Internet Security 2006 provides essential protection from viruses, hackers, and privacy threats. Included are full versions of Norton AntiVirus and Norton Personal Firewall, which efficiently defend your PC from the most common Internet dangers. You also get Norton AntiSpam to block unwanted email, Norton Parental Control to protect your children online and Norton Privacy Control to prevent confidential information to be sent out.

Key Technologies
* Antispyware
* Antivirus
* Two-Way Firewall
* Advanced Phishing Protection
* Intrusion Prevention
* Rootkit Detection

Features
* Improved performance delivers faster starts and scans. NEW
* One click access to expert support. NEW
* Network security monitoring helps protect your wireless network. NEW
* Norton Identity Safe delivers enhanced i dentity theft protection. NEW
* Works quietly in the background. NEW
* Protection for up to 3 PCs per household
* Blocks identity theft by phishing Web sites
* Protects against hackers
* Detects and eliminates spyware
* Removes viruses and Internet worms automatically
* Protects email and instant messaging from viruses
* Prevents virus-infected emails from spreading
* Rootkit detection searches underneath the operating system using patented technology
* Includes protection updates and new product features as available throughout the renewable service period *
* On-going Protection option automatically renews your subscription **
* Need antispam or parental controls?

Download
http://rapidshare.com/files/52012322/NIS081500.exe
http://www.megaupload.com/?d=N616NGRZ
http://depositfiles.com/files/1620622
http://www.filefactory.com/file/5aa7a5/

Norton Antivirus For Mac

2009-04-15T07:55:00.001-07:00

Norton AntiVirus 11[MAC]

Norton AntiVirus 11 for Mac® is the world's most trusted antivirus solution for Mac systems.* It removes viruses automatically, cleans infected Internet and email downloads, and protects against advanced online threats and attacks that target software vulnerabilities. It¿s also compatible with Mac OS® X v10.5 and takes full advantage of the new operating system's advanced features to help you protect your Mac even better. Powerful, built-in vulnerability protection helps prevent identity thieves from exploiting newly discovered application and operating system weaknesses. And the enhanced Norton AntiVirus dashboard widget lets you quickly check your system's virus protection status and get the latest information about current virus threats directly from the experts at Symantec Security Response.

Norton AntiVirus for Mac now features silent, automatic virus definition updates; fully integrated schedule management settings; faster and more extensive file-scanning capabilities; improved Auto-Protect functionality; and a new user interface that makes routine tasks more accessible than ever before. And as always, LiveUpdate makes it easy to keep your virus and vulnerability protection updates current against new threats.

The #1 selling antivirus solution for the Mac

Features:
* Automatically detects and removes viruses—Offers automatic protection against the latest threats with set-and-forget convenience
* Scans and cleans downloaded files and email attachments—Delivers continuous, up-to-date protection via fast updates
* Protects against attacks that target software vulnerabilities—Provides advanced protection against software and Internet vulnerabilities
* Works with new Mac OS® X v10.5—Runs natively on Intel® and PowerPC® based Mac® systems
* Includes an all-new Norton AntiVirus dashboard widget
* Delivers industry-leading protection in the background, so you can work and play without any noticeable impact on performance

download:
http://rapidshare.com/files/86004106/NAV_V11_MAC.rar

Norton Antivirus 2008

2009-04-15T07:54:00.001-07:00

Norton AntiVirus 2008 (With crack+serial)

Features

* Improved performance delivers faster scans NEW
* One click access to expert support NEW
* Works quietly in the background. NEW
* Network mapping provides a view of your home network. NEW
* Detects and removes spyware and viruses
* Blocks spyware and worms automatically
* Antivirus protection for email and instant messaging
* Prevents virus-infected emails from spreading
* Rootkit detection finds and removes hidden threats
* Includes protection updates and new product features as available throughout the renewable service period

Download:
http://rapidshare.com/files/128428740/NAV081550.exe
crack:
http://rapidshare.com/files/128445050/Norton2008_keygen.zip

Antivirus review 2009

2009-04-15T07:46:00.001-07:00

Website for antivirus reviews 2009

http://anti-virus-software-review.toptenreviews.com/
http://pcworld.com http://pcmag.com
For an unbiased test report of anti-virus detection capabilities,
go here: http://av-comparatives.org/

The Best Free Antivirus

2009-04-15T07:44:00.000-07:00

When taking into account only free antivirus, what is the best?
-The best i've used so far is Google Pack. I've tried many types of antivirus, but Googles is the best by far. It also has spyware tools, Best of all, it never expires. http://safe-google.com/pack
-AVG Free addition from GriSoft is the best that I have seen. You can also download limited trial versions of programs such as Trend-Micro. Hope this answered your question :)

Source: http://1firstinfo-antivirus.blogspot.com

Which antivirus software is the best for Mac?

2009-04-15T07:41:00.000-07:00

Which antivirus software is the best for Mac?
The problem with anti-virus software is that it slows down your computer. There are 115,000 Windows viruses, there is one malware for MacosX which requires you to go to a porn site to get it. I get an occasional virus for Windows sent to me via email, I just trash it. Let the Windows users have their anti-virus software. If you still want one, then get the Intego version. The package includes Mac and Windows versions so you can protect the Windows side of your Mac if you are also running Windows on it.

Source: http://1firstinfo-antivirus.blogspot.com

RUNLLD.EXE Cloaked Malware

2009-03-24T17:01:00.000-07:00

Your PC is infected. The file called RUNLLD.EXE is considered unsafe and there may be other infections on your PC.

You should urgently check your PC and remove any malicious software including RUNLLD.EXE as soon as possible. The free version of Prevx CSI will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't put your confidential data, or your identity at risk, check your PC now with Prevx CSI.

Associated Malware Groups

The filename is associated with the malware groups:

* Cloaked Malware
* Fraudulent Security Program

File Behavior

RUNLLD.EXE has been seen to perform the following behavior:

* Executes a Process
* Writes to another Process's Virtual Memory (Process Hijacking)

RUNLLD.EXE has been the subject of the following behavior:

* Added as a Registry auto start to load Program on Boot up
* Executed as a Process
* Executed by Internet Explorer
* Deleted as a process from disk
* Created as a process on disk

Country Of Origin

The filename RUNLLD.EXE was first seen on Jan 5 2009 in the following geographical regions of the Prevx community:

* KUWAIT on Jan 5 2009
* The UNITED ARAB EMIRATES on Feb 1 2009
* INDONESIA on Mar 10 2009
* PAKISTAN on Mar 10 2009

File Name Aliases

RUNLLD.EXE can also use the following file names:

* HTI.EXE
* 84035352.EX_
* 67356852.SVD
* RUNDTL.EXE
* REG.EXE
* KHP.EXE
* ORH.EXE
* CRP.EXE
* TRO.EXE
* LNN.EXE
* LPM.EXE
* IJJ.EXE
* HQC.EXE
* SLO.EXE

Filesizes

The following file size has been seen:

* 91,648 bytes
* 136,192 bytes

Vendor, Product and Version Information

These files have no vendor, product or version information specified in the file header.
File Type

The filename RUNLLD.EXE refers to many versions of an executable program.

Rapid malware scanning and removal. Prevx CSI will thoroughly check your PC for malware infections in around 1 minute. It will also remove Adware infections for free! [Download Here]

Source: http://www.prevx.com/filenames/X2331159024562214914-X1/RUNLLD2EEXE.html

Norton AntiVirus for Windows 2000/XP/Vista Updates Virus Definition

2009-03-24T01:21:00.000-07:00

1. 20090323-050-v5i32.exe
Supports the following versions of Symantec antivirus software:

* Norton Antivirus 2009 for Windows XP Home/XP Pro/Vista
* Norton Internet Security 2009 for Windows XP/Home/XP Pro/Vista
* Norton Antivirus 2008 for Windows XP Home/XP Pro/Vista
* Norton Internet Security 2008 for Windows XP/Home/XP Pro/Vista
* Norton 360 version 3.0 for Windows XP/Vista
* Norton 360 version 2.0 for Windows XP/Vista
* Symantec Endpoint Protection 11.0

2. 20090323-003-i32.exe
Supports the following versions of Symantec antivirus software:

* Norton AntiVirus 2003 Professional Edition
* Norton AntiVirus 2003 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2004 Professional Edition
* Norton AntiVirus 2004 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2005 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
* Norton 360 version 1.0 for Windows XP/Vista
* Norton AntiVirus for Microsoft Exchange (Intel)
* Norton SystemWorks (all versions)
* Symantec AntiVirus 3.0 for CacheFlow Security Gateway
* Symantec AntiVirus 3.0 for Inktomi Traffic Edge
* Symantec AntiVirus 3.0 for NetApp Filer/NetCache
* Symantec AntiVirus 9.0 Corporate Edition Client
* Symantec AntiVirus 10.0 Corporate Edition Client
* Symantec AntiVirus 10.1 Corporate Edition Client
* Symantec AntiVirus 10.2 Corporate Edition Client
* Symantec Mail Security for Domino v 5.x
* Symantec Mail Security for Microsoft Exchange v 5.x

3. 20090323-003-x86.exe
Supports the following versions of Symantec antivirus software:

* Norton AntiVirus 2003 Professional Edition
* Norton AntiVirus 2003 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2004 Professional Edition
* Norton AntiVirus 2004 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2005 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
* Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
* Norton 360 version 1.0 for Windows XP/Vista
* Norton AntiVirus for Microsoft Exchange (Intel)
* Symantec AntiVirus 3.0 CacheFlow Security Gateway
* Symantec AntiVirus 3.0 for Inktomi Traffic Edge
* Symantec AntiVirus 3.0 for NetApp Filer/NetCache
* Symantec AntiVirus 9.0 Corporate Edition Client
* Symantec AntiVirus 10.0 Corporate Edition Client
* Symantec AntiVirus 10.1 Corporate Edition Client
* Symantec AntiVirus 10.2 Corporate Edition Client
* Symantec AntiVirus for Bluecoat Security Gateway for Windows 2000 Server/2003 Server
* Symantec AntiVirus for Clearswift MIMESweeper for Windows 2000 Server/2003 Server
* Symantec AntiVirus for Microsoft ISA Server for Windows 2000 Server/2003 Server
* Symantec Mail Security for Domino v 5.x
* Symantec Mail Security for Microsoft Exchange v 5.x
* Symantec Mail Security for SMTP v 5.x
* Symantec Web Security 3.0 for Windows
* Symantec AntiVirus Scan Engine for Windows

Source: http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

Download Updates Avast

2009-03-24T01:19:00.000-07:00

A feature of most of our programs is their ability to update themselves automatically. If you are connected to the Internet, virus database updates are downloaded and installed automatically without any user action. The availability of a new version is checked when an Internet connection is established, and every four hours afterwards. Update files can also be downloaded from these pages if required e.g. if your computer does not have an Internet connection. Updates are usually released on a daily basis.

The latest iAVS update was published on: 23.3.2009 version: 090323-0

Note: No reinstallation of the program is needed for virus database updates!

Virus Database Update [Download Here]

Source: http://www.avast.com/eng/updates.html

Download update AVG

2009-03-24T00:48:00.000-07:00

It is strongly recommended that you perform all updates from the AVG Free interface. The program can distinguish between full and differential updates; while this page offers only full update files for download.

1. Windows: 8.0.237 [Download]
2. Link Scanner DB: 8.0.103 [Download]
3. AVI: 270.11.25 [Download]
4. IAVI: / 2019 [Download]

Source: http://free.avg.com/download-update

Worm:Coutsonif.A

2009-03-05T06:37:00.000-08:00

barat Joeniar Arief yang mengatakan bahwa pengguna internet sangat “Rapuh” terhadap serangan virus. Maka kini pengguna Messenger khususnya Yahoo Messenger dan Skype yang mendapatkan giliran menghadapi kiriman virus yang memalsukan dirinya seakan-akan sebagai pesan otentik yang dikirimkan oleh kontak dalam YM / Skype anda. Tetapi jangan sekali-kali anda mengklik link yang diberikan, sekalipun dikirimkan oleh teman anda di YM / Skype yang terpercaya karena sebenarnya pesan tersebut bukan dikirimkan oleh teman anda, melainkan oleh Penghianat Cinta ....... alias virus yang berhasil menginfeksi komputer teman anda. Selain mampu menyebar melalui YM dan Skype, virus ini juga menyebar melalui Flash Disk menggunakan fasilitas Autorun dan memiliki kemampuan mengupdate dirinya. Menurut pantauan terbaru Vaksincom tanggal 10 Februari 2009, link tersebut mulai di update oleh pembuat virus dan nama filenya diganti menjadi “Your_Dad_Has_Shit_Fetish_Too.PIF”

Read manual removal: http://vaksin.com/2009/0209/coutsonif/Coutsonif.html

Source: www.vaksin.com

Worm:PIF/Starter.A Virus Shortcut

2009-03-05T06:34:00.000-08:00

Di tengah gencarnya virus-virus Confiker melanda dunia persilatan jaringan, maka ada sebuah virus lokal yang tidak mau kalah untuk unjuk gigi. Virus ini penulis dapatkan secara tidak sengaja, ketika sedang beranjang sana di sebuah tempat kerja sahabat dekat, dia mengeluh kok banyak banget sih shortcut di komputernya.

Setelah diamati memang benar banyak sekali file-file shortcut yang bertebaran di setiap folder yang ada di dalam komputernya, seperti Microsoft.lnk, dan juga file shortcut dengan nama seperti nama folder yang dimiliki. Akhirnya dengan naluri vaksinis yang tidak bisa mendengar ada virus baru yang tidak terdeteksi oleh antivirus, maka dengan segera keluhan tersebut langsung dianalisa lebih lanjut dan dibuatkan cara mengatasinya.

Ciri-ciri dari virus tersebut adalah :

1.

Di folder My Documents terdapat sebuah file yang bernama database.mdb, dan ternyata ini adalah file induknya.
2.

File Autorun.inf, Thumb.db, Microsoft.lnk di setiap driver, folder dan flash disk sampai pada SUB Folder yang ke-2.
3.

Membuat File Duplikat setiap folder dengan extensi .lnk, maksimal 5 nama folder pertama, misalnya kalau di C:\Windows ada banyak maka hanya akan diambil 5 nama pertama saja. Dan berlaku sampai sub folder yang ke-2

4.

Mematikan fungsi dari file Registry (lihat gambar 3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistrytools"=dword:00000001
5.

Menambahkan value di registry :

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"Explorer"="Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"WinUpdate"="Wscript.exe /e:VBScript \"C:\WINDOWS\:Microsoft Office

Update for Windows XP.sys\""

Untuk script yang terakhir mungkin sekali ini hanya script untuk mengecoh saja, tetapi

dalam prakteknya kita harus mendeletenya. Jika pada saat kita LogOn komputer, maka

akan didapat message error

Yang membuat kita menjadi geram adalah banyak sekali shortcut yang dibuat oleh virus tersebut. Dan hebatnya virus tersebut kalau cara penanganannya tidak tepat maka akan kembali lagi dan lagi. Oleh sebab itu ada beberapa cara yang harus dilakukan untuk memberantas virus yang menyebalkan ini :

1.

Matikan proses dari file WSCRIPT yang terletak di C:\Windows\System32, dengan cara menggunakan tools seperti CProcess, HijackThis atau dapat juga menggunakan Task Manager dari windows.

2.

Sebelumnya matikan dulu proses SYSTEM RESTORE.

3.

Setelah dimatikan proses dari Wscript tersebut, kita harus mendetele atau merename dari pada file tersebut agar tidak digunakan (untuk sementara) lagi oleh virus tersebut. Sebagai catatan, kalau kita merename dari file Wscript.exe tersebut dengan automatis akan dikopikan lagi di folder tersebut, oleh sebab itu kita harus mencari di mana file Wscript.exe yang lainnya biasanya ada di C:\Windows\$NtServicePackUninstall$, C:\Windows\ServicePackFiles\i386. Tidak seperti virus-virus VBS lainnya, kita bisa mengganti Open With dari file VBS menjadi Notepad, virus ini berextensi MDB yang berarti adalah file Microsoft Access. Jadi Wscript akan menjalankan file DATABASE.MDB seolah-olah dia adalah file VBS. (Virus pintar kan)

Wscript.exe //e:VBScript \"C:\Documents and Settings\Administrator\My Documents\database.mdb\""

4.

Delete file induknya yang ada di C:\Documents and Settings\\My Documents\database.mdb, agar setiap kali komputer dijalankan tidak akan meload file tersebut. Dan jangan lupa kita buka juga MSCONFIG, disable perintah yang menjalankannya.

5.

Sekarang kita akan mendelete file-file Autorun.INF. Microsoft.INF dan Thumb.db. dengan cara, klik tombol START, ketik CMD, pindah ke drive yang akan dibersihkan, misalnya drive C:\, maka yang harus kita lakukan adalah

Ketik C:\del Microsoft.inf /s = perintah ini akan mendelete semua file microsoft.inf di seluruh folder di drive C: , kalau mau pindah drive tinggal diganti nama drivenya saja contoh : D:\del Microsoft.inf /s

Untuk file autorun.inf, ketik C:\del autorun.inf /s /ah /f = perintah akan mendelete file autorun.inf (syntax /ah /f digunakan karena file tersebut memakai attrib RSHA, begitu juga untuk file Thumb.db lakukan juga hal yang sama

6.

Untuk mendelete file-file selain 4 file terdahulu, kita harus mencarinya dengan cara Search file dengan ekstensi .lnk ukurannya 1 KB, Pada “More advanced options”, pastikan option “Search system folders” dan “Search hidden files and folders” keduanya telah dicentang.

Harap berhati-hati, tidak semua file shortcut / file LNK yang berukuran 1 KB adalah virus, kita dapat membedakannya dari iconnya, size dan Type. Untuk shortcut yang diciptakan virus iconnya selalu menggunakan icon "folder", ukuran 1 KB dengan Type "Shortcut". Sedangkan folder yang benar harusnya tidak memiliki "size" dan Typenya adalah "File Folder". Contoh di bawah, gambar bagian kiri folder dengan nama "Music", "Video", "Programs", "Documents" dan "Compressed" sebenarnya adalah shortcut yang memalsukan diri sebagai icon folder yang diciptakan oleh virus dan harus dihapus karena memiliki size 1 KB dan Type "Shortcut". Sedangkan Folder dengan nama "Compressed", "Documents", "Music", "Programs", "Video" dan "Virus" yang tidak memiliki Size dan Type "File Folder" adalah folder asli yang namanya dicatut oleh virus. Sedangkan gambar kanan, shortcut yang asli dari program memiliki icon khusus sesuai icon programnya.

7.

Fix registry yang sudah di ubah oleh virus. Untuk mempercepat proses perbaikan registry salin script dibawah ini pada program “notepad” kemudian simpan dengan nama "Repair.inf". Jalankan file tersebut dengan cara:

- Klik kanan repair.inf

- Klik Install

[Version]

Signature="$Chicago$"

Provider=Vaksincom Oyee

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

[UnhookRegKey]

HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""

HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

[del]

HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate

HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer

Source: www.vaksin.com

W32/Sality.AE

2009-03-05T06:32:00.000-08:00

Kalau Conficker dapat dikatakan sebagai worm nomor satu di Indonesia, maka predikat virus yang paling merepotkan dan paling banyak ditemui Vaksincom di Indonesia pantas di sandang oleh Sality. Virus yang disinyalir berasal dari Taiwan / Cina ini secara meyakinkan menempati ranking pertama dalam infeksi virus yang diterima oleh Vaksincom bersama-sama dengan Conficker.

Memang menyebalkan jika semua program kita ikut dimakan oleh virus [di infeksi], disamping sulit dalam memberantas virusnya terkadang juga file yang sudah di injeksi tersebut tidak dapat digunakan alias rusak setelah di scan dan dibersihkan oleh antivirus, alhasil harus reinstall semua program yang error atau download ulang file yang sudah di injenksi tersebut.

Ukuran file yang sudah terinfeksi W32/Sality.AE akan bertambah besar beberapa KB dan file yang sudah terinfeksi W32/Sality.AE ini masih dapat di jalankan seperti biasa. Biasanya virus ini akan mencoba untuk blok program antivirus atau removal tools saat dijalankan serta mencoba untuk blok task manager atau “registry editor” Windows. Untuk mempermudah dalam proses penyebarannya selain memanfaatkan “File Sharing” dan “Default Share” virus ini juga akan memanfaatkan media Flash Disk dengan cara membuat file acak yang mempunyai ekstensi exe/com/scr/pif serta menambahkan file autorun.inf yang memungkinkan virus dapat aktif secara otomatis setiap kali user mengakses Flash Disk.

Untuk blok task manager atau Registry tools, W32/Sality.AE ini akan membuat string pada registry berikut:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system

*

DisableRegistryTools
*

DisableTaskMgr

Pada saat file yang terinfeksi W32/Sality.AE, ia akan mendekrip dirinya dan mencoba untuk kopi beberapa file *.dll (acak) file DLL kemudian akan menginjeksi file lain yang aktif di memori serta file lain yang terdapat di komputer dan jaringan (file sharing) serta menginfeksi file *.exe yang terdapat dalam list registry berikut sehingga memungkinkan virus dapat aktif secara otomatis setiap kali komputer dinyalakan.

*

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

Berikut beberapa contoh file *.dll yang akan di drop oleh W32/Sality.AE.

*

C:\Windows\system32\syslib32.dll
*

C:\Windows\system32\oledsp32.dll
*

C:\Windows\system32\olemdb32.dll
*

C:\Windows\system32\wcimgr32.dll
*

C:\Windows\system32\wmimgr32.dll

Selain membuat file DLL, sality juga akan membuat file *.sys [acak] di direktori “C:\Windows\system32\drivers” [contoh: kmionn.sys]

Blok Antivirus dan software security

Seperti yang sudah dijelaskan di atas bahwa untuk mempermudah proses penyebaran ia juga akan mencoba untuk mematikan proses yang berhubungan dengan program security khususnya antivirus dengan cara mematikan proses yang mempunyai nama dibawah ini:

ALG

InoRPC

aswUpdSv

InoRT

avast! Antivirus

InoTask

avast! Mail Scanner

ISSVC

avast! Web Scanner

KPF4

AVP

LavasoftFirewall

BackWeb Plug-in - 4476822

LIVESRV

bdss

McAfeeFramework

BGLiveSvc

McShield

BlackICE

McTaskManager

CAISafe

navapsvc

ccEvtMgr

NOD32krn

ccProxy

NPFMntor

ccSetMgr

NSCService

F-Prot Antivirus Update Monitor

Outpost Firewall main module

fsbwsys

OutpostFirewall

FSDFWD

PAVFIRES

F-Secure Gatekeeper Handler Starter

PAVFNSVR

fshttps

PavProt

FSMA

PavPrSrv

PAVSRV

Symantec Core LC

PcCtlCom

Tmntsrv

PersonalFirewal

TmPfw

PREVSRV

tmproxy

ProtoPort Firewall service

UmxAgent

PSIMSVC

UmxCfg

RapApp

UmxLU

SmcService

UmxPol

SNDSrvc

vsmon

SPBBCSvc

VSSERV

WebrootDesktopFirewallDataService

WebrootFirewall

XCOMM

Selain mematikan proses antivirus di atas, ia juga akan berupaya untuk blok agar user tidak dapat mengakses web dari beberapa antivirus berikut:

*

Cureit
*

Drweb
*

Onlinescan
*

Spywareinfo
*

Ewido
*

Virusscan
*

Windowsecurity
*

Spywareguide
*

Bitdefender
*

Panda software
*

Agnmitum
*

Virustotal
*

Sophos
*

Trend Micro
*

Etrust.com
*

Symantec
*

McAfee
*

F-Secure
*

Eset.com
*

Kaspersky

W32/Sality.AE juga akan mencoba untuk merubah regisrty berikut:

*

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

*

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xxx [xxx adalah acak, contoh : abp470n5]
*

HKEY_CURRENT_USER\Software\[USER NAME]914
*

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
*

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER

Selain itu ia juga akan mencoba untuk merubah beberapa string registry Windows Firewall berikut dengan menambahkan value dari 0 menjadi 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

*

AntiVirusDisableNotify
*

AntiVirusOverride
*

FirewallDisableNotify
*

FirewallOverride
*

UacDisableNotify
*

UpdatesDisableNotify

dan membuat key “SVC” serta string berikut dengan value 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc

*

AntiVirusDisableNotify
*

AntiVirusOverride
*

FirewallDisableNotify
*

FirewallOverride
*

UacDisableNotify
*

UpdatesDisableNotify

Tak cuma itu W32/s\Sality.AE juga akan menghapus key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG”.

ALG atau Application Layer Gateway Service adalah services yang memberikan support untuk plug-in protokol aplikasi dan meng-enable konektivitas jaringan / protokol. Service ini boleh saja dimatikan. Dampaknya adalah program seperti MSN Messenger dan Windows Messenger tidak akan berfungsi. Service ini bisa dijalankan, tetapi hanya jika menggunakan firewall, baik firewall bawaan Windows atau firewall lain. Jika tidak komputer yang terinfeksi virus ini akan mengalami celah keamanan yang serius.

Blok akses “safe mode”

Dalam rangka “mempertahankan” dirinya, W32/Sality.AE juga akan mencoba untuk blok akses ke mode “safe mode” sehingga user tidak dapat booting pada mode “safe mode” dengan menghapus key yang berada di lokasi di bawah ini :

*

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
*

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
*

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

Injeksi file exe/com/scr

Tujuan utama dari virus ini adalah mencoba untuk menginjeksi program instalasi dan file yang mempunyai ekstensi exe/com/scr yang ada di drive C - Y terutama file hasil instalasi (file yang berada di direktori C:\Program Files) dan file-file portable (file yang langsung dapat dijalankan tanpa perlu instal), ia juga akan menginfeksi file yang mempunyai ekstensi “.exe” yang terdapat dalam list registry berikut sehingga memungkinkan virus dapat aktif secara otomatis setiap kali komputer dinyalakan.

*

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

File yang berhasil di injeksi biasanya ukurannya akan bertambah sekitar 68 - 80 KB dari ukuran semula. Program yang telah terinfeksi ini akan tetap dapat di jalankan seperti biasa sehingga user tidak curiga bahwa file tersebut sebenarnya telah di infeksi oleh W32/Sality.AE. Salah satu kecanggihan Sality adalah kemampuannya menginjeksi file tumpangannya sehingga ukuran file bervirus tidak seragam, jelas lebih sulit diidentifikasi dibandingkan virus lain yang menggantikan file yang ada sehingga ukuran filenya akan sama besar.

Harap berhati-hati, tidak semua program antivirus dapat membersihkan file yang sudah terinfeksi W32/Sality.AE, bisa-bisa file tersebut akan rusak setelah di scan dan di bersihkan oleh antivirus tersebut.

Tidak mau kalah dengan virus mancanegara lain, untuk memperlancar aksinya ia akan mencoba untuk melakukan koneksi ke sejumlah alamat web yang sudah ditentukan dengan tujuan untuk memanggil/mendownload trojan/virus lainnya yang di sinyalir merupakan varian dari versi sebelumnya yang memungkinkan virus ini dapat mengupdate dirinya.

[http://]pedmeo222nb.info

[http://]pzrk.ru

[http://]technican.w.interia.pl

[http://]www.kjwre9fqwieluoi.info

[http://]bpowqbvcfds677.info

[http://]bmakemegood24.com

[http://]bperfectchoice1.com

[http://]bcash-ddt.net

[http://]bddr-cash.net

[http://]btrn-cash.net

[http://]bmoney-frn.net

[http://]bclr-cash.net

[http://]bxxxl-cash.net

[http://]balsfhkewo7i487fksd.info

[http://]buynvf96.info

[http://]89.119.67.154/tes[xxx]

[http://]oceaninfo.co.kr/picas[xxx]

[http://]kukutrustnet777.info/home[xxx]

[http://]kukutrustnet888.info/home[xxx]

[http://]kukutrustnet987.info/home[xxx]

[http://]kukutrustnet777.info

[http://]www.kjwre9fqwieluoi.info

[http://]kjwre77638dfqwieuoi.info

http://mattfoll.eu.interia.pl/[sensor]

http://st1.dist.su.lt/l[sensor]

http://lpbmx.ru/[sensor]

http://bjerm.mass.hc.ru/[sensor]

http://SOSiTE_AVERI_SOSiTEEE.[sensor]

Mengeksploitasi Default Share dan Full Sharing

W32/Sality.AE akan menyebar dengan cepat melalui jaringan dengan memanfaatkkan default share windows atau share folder yang mempunyai akses full dengan cara menginfeksi file yang mempunyai ekstensi exe/com/scr. Karena itu, Vaksincom menyarankan pengguna komputer untuk menonaktifkan Default Share (C$, D$ .. dst) dan hindari Full Sharing folder anda di jaringan.

Selain menyebar dengan menggunakan jaringan, ia juga akan memanfaatkan flash disk yakni dengan cara kopi dirinya dengan nama file acak dengan ekstensi exe/cmd/pif serta membuat file autorun.inf agar dirinya dapat aktif secara otomatis tanpa harus menjalankan file yang sudah terinfeksi virus, selain itu ia juga akan menginfeksi file yang mempunyai ekstensi exe/com/scr yang terdapat dalam flash disk tersebut.

Selain itu Sality.AE juga akan menambahkan string [MCIDRV_VER] dan DEVICEMB=xxx, dimana xxx menunjukan karakter acak ke dalam file C:\Windows\system.ini.

How to remove: http://vaksin.com/2009/0309/Sality/sality.html

Source: www.vaksin.com

W32/Xirtem@MM!8b1f20b9

2009-03-05T06:31:00.001-08:00

Description
W32/Xirtem@MM!8b1f20b9 is a mass mailing worm
Indication of Infection
# Network activity on TCP port 25 due to e-mails being sent by the worm.
# Presence of the files and registry entries mentioned above.

FakeAlert-BX

2009-03-05T06:29:00.000-08:00

Description
This is a Trojan detection that displays fake alert messages on user's machine.
Indication of Infection

Symptoms are as follows:

* Fake pop up messages about the system being infected.
* Presence of aforementioned files and folder.

Methods of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Distribution channel include IRC,peer to peer networks,newsgroup postings, etc.
Aliases
AntiVirus2008 (Symantec), TR/Crypt.XPACK.Gen (Avira), Trojan-Banker.Win32.Banbra.gpl (Kaspersky)

Spyware Doctor Review Antispyware

2009-02-05T22:55:00.000-08:00

Best Spyware Protection. Used by Millions World Wide.

Spyware Doctor has been downloaded over 125 million times with millions more downloads every week. People worldwide use and trust Spyware Doctor to protect their PCs from spyware, adware and other online threats.

Spyware Doctor has consistently been awarded Editors' Choice, by leading PC magazines and testing laboratories around the world, including United States, United Kingdom, Sweden, Germany and Australia. In addition, after leading the market in 2005, Spyware Doctor was awarded the prestigious Best of the Year at the end of 2005 and again in 2006.

Spyware Doctor continues to be awarded the highest honors by many of the world's leading PC publications such as PC World, PC Magazine, PC Pro, PC Plus, PC Authority, PC Utilities, PC Advisor, PC Choice, Microdatorn, Computer Bild and PC Answers Magazine.

Note: If you are choosing Anti-Spyware make sure you choose one that is proven and has genuine awards from one or more world leading research labs such a PC Magazine, PC World, CNET, PC Pro Magazine, PC Authority, PC Answers and other trusted labs. More importantly do not use ratings from unknown review websites, as often these are designed to mislead you into purchase of affiliated, inferior or rogue product.
Screenshot
[+] Click to Enlarge
Detects, removes and blocks all types of Spyware.

Did you know that numerous programs tested against Spyware Doctor detected only small fraction of Spyware and completely removed an even smaller amount? Also most of them were unable to effectively block Spyware in real time from being installed on users PC in the first place.

Spyware Doctor has the most advanced update feature that continually improves its Spyware fighting capabilities on daily basis. As Spyware gets more complex to avoid detection by AntiSpyware programs Spyware Doctor responds with new technology to stay one step ahead.
Easiest to Use

Spyware Doctor is advanced technology designed especially for people, not just experts. That is one reason why it won the People's Choice Award in 2005, 2006 and 2007. It is automatically configured out of the box to give you optimal protection with limited interaction so all you need to do is install it for immediate and ongoing protection.

Spyware Doctor's advanced IntelliGuard technology only alerts users on a true Spyware detection. This is significant because you should not be interrupted by cryptic questions every time you install software, add a site to your favorites or change your PC settings. Such messages can be confusing and lead to undesirable outcomes such as inoperable programs, lost favorites or even Spyware being allowed to install on the system. We've done the research so you don't have to.

Software download here

Remove Antivirus 2009. Description and removal instructions

2009-02-04T21:10:00.000-08:00

Antivirus 2009 is a new rogue anti-spyware program. It is also a clone of Antivirus 2008 - also a rogue, and one that's produced more clones than any other recently. The list of these clones is long: System Antivirus 2008, Ultimate Antivirus 2008, Vista Antivirus 2008, XP Antivirus 2008 etc.

Like any other of it's predecessors, Antivirus2009 uses trojans, such as Zlob or Vundo, to spread. These trojans lurk in porn/warez websites disguised as video codecs, and, upon entering the system, floods the user with popups and fake system notifications, supposedly to inform him of an infection. While the system at hand may indeed be infected, Antivirus 2009 will inform the user of this regardless of whether it's true or not. The point of this disinformation is to convince the user he is infected and therefore needs an antispyware program to dispose of the threat. The user might click on one of the popups or notifications, all of which claim they will take him to a legitimate security tool, but try to make him purchase Antivirus2009's "licensed version" instead. Antivirus2009 may redirect web browser to antivirus-premium-scan.com, webscannertools.com, googlescanners-360.com, livesecurityinfo.com, antivirusonlivescan.com, bestantivirusscan.com, antivirus-best.com, internetquarantinesite.com, premiumlivescan.com and secureclick1.com websites that sell the malware. Some of these website are not only fraudulent, but they are also malicious. they are capable of installing additional malwares.

Antivirus 2009 is a scam and should be treated as such: do NOT download or buy it and block it's websites using your HOSTS file.

Manual Removal:

Antivirus 2009 manual removal:

Kill processes:
av2009.exe av2009[1].exe AV2009Install.exe Antivirus2009.exe

HELP:
how to kill malicious processes

Delete registry values:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run\15358943642955870504508370025739
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”Antivirus” = “%ProgramFiles%\Antivirus 2009\Antvrs.exe”
HKEY_CURRENT_USER\Software\Antivirus

HELP:
how to remove registry entries

Unregister DLLs:
shlwapi.dll wininet.dll

HELP:
how to unregister malicious DLLs

Delete files:
av2009.exe av2009install.exe av2009install_0011.exe av2009[1].exe Antivirus2009.exe ieupdates.exe scui.cpl %program_files%\\antivirus 2009\\av2009.exe %startmenu%\\antivirus 2009\\antivirus 2009.lnk %startmenu%\\antivirus 2009\\uninstall antivirus 2009.lnk winsrc.dll %desktopdirectory%\\antivirus 2009.lnk winsrc.dll ieupdates.exe av2009install_0011.exe av2009install.exe %program_files%\\antivirus 2009\\av2009.exe

HELP:
how to remove harmful files

Delete directories:
C:\Program Files\Antivirus 2009

Source: http://www.2-spyware.com/remove-antivirus-2009.html

How to remove Antivirus XP 2008 (Uninstall Instructions)

2009-02-04T21:03:00.000-08:00

What this programs does:

Antivirus XP 2008 is a new rogue anti-spyware program that is advertised through Trojans and other malware. It is advertised in the form of fake security alerts and warnings on web sites that state you are infected with malware or are being attacked in some manner. When you click on these ads, it will automatically download the installer for Antivirus XP 2008 and install it on your machine. In some cases, this program is installed without any intervention at all from you.

Once installed, AntivirusXP 2008 will scan your computer and display a variety of security risks found on your computer that can only be removed if you purchase a license of the software. These risks, though, are all fake and are only being displayed to scare you into thinking you are infected and thus purchase their software. Another tactic that AntivirusXP 2008, and the accompanied malware, uses is to change your desktop background to be a message stating you are infected, popups and fake alerts stating your computer is being attacked, and a fake Internet Explorer page that states Google has found your computer to be infected. All of these are further scare tactics and should be ignored.

Automated Removal Instructions for Antivirus XP 2008 using Malwarebytes' Anti-Malware:
Download Software Here

1. Print out these instructions as we will need to close every window that is open later in the fix.

2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

3. Once downloaded, close all programs and Windows on your computer, including this one.

4. Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

More Info: http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

Source:
http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

PC Tools Powerful FREE protection against malicious virus infections

2009-02-03T20:28:00.000-08:00

With PC Tools AntiVirus Free Edition you are protected against the most nefarious cyber-threats attempting to gain access to your PC and personal information. Going online without protection against the latest fast-spreading virus and worms, such as Netsky, Mytob and MyDoom, can result in infections within minutes.

Once infected, the virus will usually attempt to spread itself to your friends, family and associates by accessing your email contacts and networked PCs. The infection may also allow hackers to access files on your PC, use it to launch attacks against other computers and websites or to send mass SPAM email.

That's why PC Tools AntiVirus Free Edition provides world-leading protection, with rapid database updates, IntelliGuard™ real-time protection and comprehensive system scanning to ensure your system remains safe and virus free. PC Tools products are trusted and used by millions of people everyday to protect their home and business computers against online threats.

Download software HERE

Source:
http://www.pctools.com/free-antivirus/

Avira AntiVir Personal - FREE Antivirus

2009-02-03T20:25:00.000-08:00

Basic protection
Protects your computer against dangerous viruses, worms, Trojans and costly dialers.

Download software HERE

Source:
http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

Download FREE antivirus software - avast! Home Edition

2009-02-03T20:23:00.000-08:00

avast! antivirus Home Edition is available free of charge for non-commercial home use ONLY. If you are not a home user or if you use your computer for business purposes, please download the avast! Professional Edition.
Free registration

avast! antivirus Home Edition is FREE to use but it is necessary to register before the end of the initial 60 day trial period. Following the registration you will receive by e-mail a license key valid for a period of 1 year. After you have downloaded and installed the program, the license key must be inserted into it within 60 days. The registration process is very easy, and it will take you only a couple of minutes.

Download software

Download software HERE

Source:
http://www.avast.com/eng/download-avast-home.html

Download AVG Anti-Virus Free Edition

2009-02-03T20:21:00.000-08:00

Basic antivirus and antispyware protection for Windows available to download for free. Limited features, no support, for private and non-commercial use only.
AVG Anti-Virus Free Edition

* The most downloaded software on CNET's Download.com
* Quality proven by 80 million users
* Easy to download, install and use
* Protection against viruses and spyware
* Compatible with Windows Vista and Windows XP

Feature:

Anti-Virus & Anti-Spyware

The foundation of your protection. Without antivirus and antispyware protection, your computer and data are at extreme risk.
AVG Free contains basic antivirus protection (base level only).

Anti-Rootkit

Rootkits are hidden threats that deliver malicious content. They are usually not found on PCs using standard antivirus programs.

AVG Free does not contain Anti-Rootkit protection so rootkits may be hidden in your system.
For this protection, please download AVG Internet Security

Anti-Spam

SPAM e-mails are a constant annoyance and could potentially contain malicious links or attempts to steal your identity.

AVG Free does not contain Anti-Spam which can monitor and block SPAM and fraudulent e-mails.
For this protection, please download AVG Internet Security

Firewall

Hackers and other intruders can view or steal your data, download malware to your machine or track your habits and passwords.

AVG Free does not contain a firewall which can protect you against these threats.
For this protection, please download AVG Internet Security
Safe Downloads & Instant Messaging

The essential protection for Internet use. File downloads, chatting with your friends and family - today these are everyday things. Protecting yourself in these areas is now another important part of your security and privacy protection.

AVG Free does not contain the new Safe Downloads & Instant Messaging protection (Web Shield technology) so it does not screen your downloads and communication for viruses and spyware.
For this protection, please download AVG Internet Security

Safe Search & Surf

The essential protection for Internet use. New web threats (called exploits or drive-by downloads) can infect your computer just by visiting a web page! Our new technology ensures the safety of search results, web pages, favorites & bookmarks before you open them.

AVG Free only includes the Safe Search protection which provides you with advice on search results. It does not protect against infected pages. Only AVG paid versions contain the Safe Surf technology.

Hacktivist tool targets Hamas

2009-02-03T03:26:00.000-08:00

DDoS street protest covers both side of Gaza conflict
Israeli cyberactivists are inviting pro-Israeli surfers to install a tool that attacks websites associated with Hamas.

This "Patriot" tool effectively turns the computers of sympathisers of the Israeli cause into zombies - albeit willing, complicit ones - in the control of Israeli hackers.

The hackers are working under the banner of the Help Israel Win collective, which was formed last month at the start of the conflict in Gaza. "We couldn't join the real combat, so we decided to fight Hamas in the cyber arena," one of the group's organisers, 'Liri', told Wired.

The package developed by the group is designed to overload websites associated with Hamas, such as qudsnews.net and palestine-info.info, with spurious traffic. Israeli hackers claim that 8,000 have downloaded and installed the Patriot software.

Conflict in cyberspace is one aspect of a propaganda offensive that has accompanied the war in Gaza, and the decades-long Israeli-Palestinian conflict. Help Israel Win is vague about how its Patriot software works, preferring instead to stress its opposition to Hamas, which has the stated aim of destroying the state of Israel.

The Patriot package, according to Help Israel Win, "unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are."

SANS Institute security researchers warn that the Patriot tool leaves the door open to abuse. "While at the moment it does not appear to do anything bad (it just connects to the IRC server and sites there - there also appeared to be around 1,000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this," SANS researcher Bojan Zdrnja writes.

A Help Israel Win representative conceded to Wired that "the Patriot code could be used as a Trojan. However, it is not used as such, and will never be."

"The update option is used to fix bugs in the client, and not to upload any malicious code. The project will close right after the war is over, and we have given a fully functional uninstaller to [remove] the application," a representative added.

It's not particularly clear how effective the Patriot tool has been in silencing allegedly pro-Hamas websites, but Help Israel Win has been forced to repeatedly shift its website location in response to attacks for hackers sympathetic to the Palestinian cause, Wired adds.

Security tools firm Arbor Networks reported earlier this week of an increase in botnet attacks on Israeli targets as well as confirming that Help Israel Win was offering what it described as a "simple Windows tool" to target Palestinian websites.

"This is an example of DDoS attacks being used as a form of street protest and something that is becoming increasingly common," said Arbor researcher Jose Nazario.

Other experts confirm that hackers from the wider Muslim world are piling in on behalf of the Palestinians. "Our observations suggest that a large number of Web sites have been defaced by a variety of hacker groups from Iran, Lebanon, Morocco and Turkey, and the trend is accelerating," said Bruce Jenkins, a retired Major with the US Air Force and consultant with application security firm Fortify Security.

Source:
http://www.theregister.co.uk/2009/01/09/gaza_conflict_patriot_cyberwars/

Warns of data-snooping bug in Apple's Safari

2009-02-03T03:25:00.000-08:00

Apple's Safari web browser for both the Mac and Windows suffers from a serious vulnerability that can expose emails, passwords and other sensitive contents of a user's hard drive, a researcher has warned.

Those using Mac OS X 10.5, aka Leopard, are susceptible to the data-snooping bug even if they use Firefox or another alternate browser, according to open source software developer Brian Mastenbrook. Apple has yet to plug the gaping hole, so the only way users can currently protect themselves is to change RSS reader settings in Safari's preferences panel.

Windows users are also vulnerable, but only if they are using Safari. For the time being, it's probably a good idea for Windows users with Safari installed to leave it closed and use a different browser.

"The details of this vulnerability have not been made public to the best of my knowledge, but secrecy is no guarantee against a sufficiently motivated attacker," said Mastenbrook, who last year was credited by Apple with finding four vulnerabilities in the Mac operating system. His blog post outlining the bug is light on many details, but it does say the bug "could be exploited by a phishing site in a way that would not cause affected users to suspect their information had been stolen."

Leopard users can protect themselves by opening Safari and selecting Preferences from the Safari menu, choosing the RSS tab, clicking on the Default Reader pop-up window and selecting an application other than Safari.

Users of Tiger, aka Mac OS X 10.4, and earlier versions of Mac OS X are not vulnerable.

Source:
http://www.theregister.co.uk/2009/01/13/safari_data_snooping_bug/

Wwebsite violated by Trojan-spreaders (Paris Hilton)

2009-02-03T03:23:00.000-08:00

Virus authors reportedly planted malicious code on Paris Hilton's website late last week.

Following the attack, surfers visiting the ParisHilton.com site were prompted to install an "update" via a dialogue box. Whether they accepted this update or decided to "cancel" it, a download of a malicious executable was initiated, according to internet reports.

The attack was reportedly used to serve up the Trojan-Spy.Zbot.YETH Trojan, a rootkit trojan designed to steal online banking information and to allow the download of other malicious code.

The assault was detected by web security firm ScanSafe on 9 January but cleansed by Tuesday morning, according to net security firm Sophos, hours after news of the assault broke.

The type of attack thrown against ParisHilton.com is similar to a recent attack on MLB.com, the Major League Baseball website, and the self-explanatory sexy-celeb-photos.com. Each of these assaults was much more in your face than traditional drive-by download attacks, but they also stemmed from the same underlying cause - website vulnerabilities left open to abuse by hackers.

Over the years the hapless Hilton has become a serial victim of various computer hacking and security attacks. Four years ago the notable heiress and airhead was unfortunate enough to suffer from a hack against her T-Mobile account which resulted in the leak of messages, contact details and photos.

Last March another hacker gained access to private pictures after breaking into her Facebook account. And just days ago, messages from a faked LinkedIn profile ostensibly maintained by Ms Hilton pointed to malicious downloads.

Source:
http://www.theregister.co.uk/2009/01/13/paris_hilton_site_hacked/

Kaspersky Anti-Virus Update February 03, 2009

2009-02-03T03:18:00.000-08:00

Kaspersky Anti-Virus Update description

Sets of threat signatures and databases of network attacks

This is a special update application to install the latest virus databases and various fixes to AntiViral Toolkit Pro for Windows 95/98/NT version 3.0.129 and above.

Use this if you already have AntiViral Toolkit Pro installed.

The antivirus databases currently contain 1717652 records.

If your Kaspersky installed application does not contain the protection module against network attacks, feel free to use mirrors 2, 4 and 6 to download 'light' versions of the update signatures.

It is essential to update antivirus databases on a regular basis. If you do not do this, your antivirus program will not detect new malicious programs. This is why we release updates every hour, to ensure that users are protected against the latest malware.

Antivirus solutions from Kaspersky Lab not only detect malicious software, but other programs which are potentially harmful, such as:

- Adware
- Remote administration programs
- Utilities which can be used by malicious programs or users

Zip-archives should be unpacked into a separate directory, which should then be indicated in the automatic update module as a local folder.

Daily - contains all updates and modifications released during the current week. The current week starts from the previous Friday, when the last weekly update was released. It is placed on the update server every hour. You should download daily.zip if you update your antivirus databases at least once a week.

Previous week's updates - contains all updates and modifications released during the previous week (a full version of the week's daily.zip). It is placed on the server once a week, on Friday. When this file is placed on the server, it will cause the size of daily.zip to be equal to zero. You should download this file if you update your antivirus databases less than once a week, but more often than once every two weeks.

Complete update - contains all the updates and modifications released at the time of the previous week's update. This is placed on the sever at the same time as the new weekly.zip. You should download this file if you have not updated your antivirus databases in the last two weeks.

NOTE: After the archives have been downloaded, unpack them to a separate folder on a disc. If you have downloaded several archives, unpack them in the following order: first unpack av-i386-cumul.zip, then - av-i386-weekly.zip and the last - av-i386-daily.zip. Unpacking, click Yes when you are suggested to replace files with the same name.

After the archives have been unpacked, launch automatic update of the anti-virus database. As an update source define folder with the unpacked archives in the anti-virus database update task.

Source:
http://www.softpedia.com/get/Others/Signatures-Updates/

Spam Levels Likely To Rise As Srizbi Botnet Comes Back To Life

2009-01-29T21:33:00.000-08:00

When McColo, an ISP known for being a haven for spammers and scammers was knocked offline two weeks ago, the notorious Srizbi Botnet went down with it. This resulted in global spam volume plummeting by as much as 75%. Sadly, that’s about to change. FireEye, a threat research firm, has discovered that Srizbi is rising from the dead.

Researchers at the firm have discovered that Srizbi has begun updating all of its bots via its new command servers located in Estonia. New domains linked to the botnet have been found as well, with registrations located in Russia.

Here’s an excerpt from FireEye’s report:

As has been publicized, Srizbi had a mechanism to dynamically generate the C&C to which it would communicate based on a seed (magic number) in the binary, and a variation of the Julian date of the infected host. Our next post will go into the technical details of this algorithm. This dynamic DNS generation mechanism was the main reason why they were able to regain control, even though the primary IP, hosted at McColo, was and is still not routable. As soon as we stopped registering domain names, the Botnet owner swooped in and began registering domains, as he was able to predict which would be in use today.

As of now, the spam being sent by the revived Botnet is only targeting Russian addresses, but expect Srizbi to begin reaching out to the rest of the world in short order.

Source: http://www.allspammedup.com/2008/11/spam-levels-likely-to-rise-as-srizbi-botnet-comes-back-to-life/

New Malicious Spam Attack Claims Obama Resigned

2009-01-29T21:31:00.000-08:00

Barack Obama and his inauguration are by far the hottest topics in the country right now, so it’s not surprising that a new malicious spam attack is exploiting him. A new wave of spam is underway with headlines proclaiming Obama has changed his mind and turned down the presidency. The messages contain links to a sight that looks very much like the official Obama/Biden campaign site but which is actually a fake that delivers malware. Visitors to the malicious site will find a mix of fake and real news stories, one of which proclaims that Obama released a statement saying he no longer wants to be president. Clicking on the “more” link triggers a malicious download, a Trojan Horse that will turn the recipient’s computer into a zombie and add it to the new Waledec botnet. Waledec sprang up just before Christmas and spread via fake greeting cards. Right now it’s the 9th largest botnet with an estimated 10,000 computers under its control.

This new attack will likely cause that number to sharply rise as users, alarmed by the headline, will click through without thinking. Experts say Waledec is most likely controlled by the same person responsible for the massive Storm botnet which wreaked havoc last year.

Source: http://www.allspammedup.com/2009/01/new-malicious-spam-attack-claims-obama-resigned/

New Valentine’s Day Spam Attack Underway

2009-01-29T21:29:00.000-08:00

Not surprisingly, spammers have begun a new attack exploiting the upcoming Valentine’s Day holiday. New spam messages with subject lines such as “Falling in love with you”, “I belong to you”, and “I love being in love with you” have begun hitting inboxes. Security experts say the attack started on January 22nd. The body of the messages contain romantic sounding one liners like “Me and You”, “In Your Arms”, and “With all my love”, and a link. The link directs the recipent to a web page displaying 12 heart images and inviting them to click on one. Doing so downloads a malicious program called “love.exe” or “you.exe” which turns the infected computer into a zombie and adds it to the Waledec botnet, which is believed to be run by the same folks responsible for the Storm botnet. So far the botnet is sending an average of 11,000 messages per hour.

This is the same group responsible for the Obama spam sent earlier this month. That spam attempted to lure people to a fake Obama/Biden site with a link to a fake news story claiming Obama had abruptly declined to accept the presidency of the United States. This new botnet is growing so quickly it’s being called the new Storm botnet. It appears that the group behind it isn’t in a hurry to learn any new tricks because the old ones are still working just fine.

Source: http://www.allspammedup.com/2009/01/new-valentines-day-spam-attack-underway/

Virus Profile: W32/Checkout!91d0b88a

2009-01-29T21:27:00.001-08:00

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/11/2007
Date Added: 8/11/2007
Origin: N/A
Length: 41,984 bytes
Type: Virus
SubType: Internet Worm
DAT Required: 5096
Virus Characteristics

-- Update August 12, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.darkreading.com/document.asp?doc_id=131362

This variant of W32/Checkout may be detected as W32/Generic.Delphi.a in earlier versions of the DAT.

This worm spreads via MSN Messenger . When installed, it sends the following message(s) to contact list recipients and send a zip file named img1756.zip (~42 KB).

* look @ my cute new puppy :-D
* look @ this picture of me, when I was a kid
* I just took this picture with my webcam, like it?
* check it, i shaved my head
* have u seen my new hair?
* what the fuck, did you see this?
* hey man, did you take this picture?

Upon execution, it creates a copy of itself into the Windows folder and also drop a zip file:

* %WINDIR%\img1756.zip (W32/Checkout zipped)
* %WINDIR%\svchost.exe (W32/Checkout)

(Where %WINDIR% is the Windows folder; e.g. C:\Windows)

It also drops a a.bat file to stop the following services. The .bat file is deleted after execution.

* Security Center
* winvnc4

Adds the following values to the registry:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Genuine Logon" = "svchost.exe"

The worm connects to an IRC channel on {blocked}.basecase.info.

Indications of Infection

* Presence of the files/registry keys mentioned
* Unexpected network connection to the associated site(s).
* MSN contacts receiving one of the messages with zip attachment.

Method of Infection
This worm spreads by sending MSN Messenger contacts a message containing a malicious zip file (W32/Checkout) .
Removal Instructions
AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142934

Virus Profile: Spy-Agent.bw

2009-01-29T21:25:00.000-08:00

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Date Discovered: 8/20/2007
Date Added: 3/15/2007
Origin: N/A
Length: Varies
Type: Trojan
SubType: Win32
DAT Required: 4985
Virus Characteristics

-- Update December 2, 2008 --

A new variant began to be spammed to German customer earlier this morning. The trojan comes with an email claiming that your email account is locked and the instructions to unlock the account can be found in the attachment(the trojan).

Filenames used are Sperrung.exe, Hinweis.exe and the dropped file is named Wins.exe.

Detection for these variants is included in todays 5452 DAT package.

An Extra DAT file can be obtained from the Extra DAT request page:http://www.webimmune.net/extra/getextra.aspx

-- Update August 19, 2008 --

Another variant got spammed today. The subject of those mail reads 'Colis postal' and pretends to be sent from 'La Poste France' or it pretends to be sent from 'Hawaiian Airlines' using the subject 'Your Flight Ticket N0165906'.

Attached to these mails is a ZIP archive, named 'La_Poste_N8832.zip' or 'Your Flight Ticket N0165906', which includes the trojan Spy-Agent.bw.

Detection for this new variant will be included in todays 5364 DATs.

-- Update August 18, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from Fedex. The attachment might be named Fedx-retr871.zip or similar.

Upon execution, a new variant creates the following file:

* C:\WINDOWS\system32\ntos.exe (Spy-Agent,bw)

It changes the following registry key:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe

-- Update August 04, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.

Upon execution, a new variant creates the following hidden files and hidden folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan inject its malcode to the following process:

* winlogon.exe

It can connect to the following website to communicate stolen data, log actions and receive instructions:

* ahleinaks.ru

-- Update July 21, 2008 --

A new variant of Spy-Agent.bw has been observed which comes as an attachment to a fake email claiming to be from UPS.

It can connect to the following website to communicate stolen data, log actions and receive instructions:

* blatundalqik.ru

-- Update May 13, 2008 --

Upon execution, a new variant creates the following hidden files and hidden folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan inject its malcode to the following process:

* winlogon.exe

It can connect to the following site to communicate stolen data, log actions and receive instructions:

* razvlekalovo.net

-- Update August 20, 2007 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.techworld.com/security/news/index.cfm?newsID=9833&pagtype=samechan
--

A recent variant was found to be stealing data from recruitment websites when the user is infected. This variant can be proactively detected proactively as New Win32.g2 using the following scanners with heuristics enabled: GroupShield, Secure Internet Gateway (SIG), Secure Mail Gateway (SMG), Secure Web Gateway (SWG), TOPS Email, VirusScan Enterprise Email, VirusScan Email.

Upon execution, it creates the following files and folder:

* %Windir%\System32\wsnpoem\ (folder)
* %Windir%\System32\wsnpoem\audio.dll (data file)
* %Windir%\System32\wsnpoem\video.dll (data file)
* %Windir%\System32\ntos.exe (Spy-Agent.bw)

(Where %Windir% is the Windows folder; C:\Windows)

The following registry keys are modified/added :

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx =
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = %Windir%\System32\userinit %Windir%\System32\ntos.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID =

The trojan inject its malcode to the following process:

* svchost.exe
* winlogon.exe

It follows that a particular variant of Spy-Agent.bw can log into the following recruitment websites in search of resume data and personal information and then post them to:

* recruiter.monster.com
* hiring.monster.com

Spy-Agent.bw can connect to the following site(s) to communicate stolen data, log actions and receive instructions:

* http://195.189.{blocked}/mnstr/grabv2.php?getid=1
* http://195.189.{blocked}/spmv3.php?sendlog=
* http://195.189.{blocked}/mnstr/grabv2.php
* http://195.189.{blocked}/pmv3.php?sentmailz=

Sends spam e-mails via the following SMTP server:

* smtp.bizmail.yahoo.com

Indications of Infection

* Presence of file(s) and registry key(s) as previously mentioned.
* Unexpected network connections to the mentioned site(s).

Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc. Certain known variants were also known to be installed via web exploits.
Removal Instructions

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations
Aliases
Infostealer.Monstres (Symantec)

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141745

Virus Profile: Downloader-UA.h

2009-01-29T21:23:00.000-08:00

Risk Assessment
- Home Users: Medium
- Corporate Users: Low-Profiled
Date Discovered: 5/2/2008
Date Added: 5/2/2008
Origin: N/A
Length: various
Type: Trojan
SubType: Downloader
DAT Required: 5287
Virus Characteristics

Downloader-UA.h trojans are fake music and video files associated with fastmp3player.com.

File sizes vary as these files are padded with nulls. The file names varies as well. Here are some of the samples file names.

preview-t-3545425-adult.mpg
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
preview-t-3545425-jij bent zo jeroen van den.mp3
preview-t-3545425-meet bambi in kings harem.mp3
preview-t-3545425-middle eastern chick.mpg
preview-t-3545425-paint me bunmingham.mp3
preview-t-3545425-paralyized by you.mp3
preview-t-3545425-pull over levert.mp3
preview-t-3545425-say it right remix.mp3
preview-t-3545425-st trinnians girls aloud.mp3
preview-t-3545425-theme godfather.mp3
t-3545425-bentley bizzle.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-haloween special.mp3
t-3545425-just got lucky.mp3
t-3545425-lion king portugues.mpg
t-3545425-los padres de ella.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
t-3545425-suicide bride dana.mp3
t-3545425-wayne and jane.mp3

When a user attempts to load one of these MP3 and MPG files, they do not get the music/video they were hoping for; instead they are directed to download a file named PLAY_MP3.exe. In fact, the MP3/MPG file they downloaded was completely fake, playing no media clip what so ever.

If users agree to download and run PLAY_MP3.exe (detected as Generic PUP.a with McAfee DAT files) a 4,800 word EULA is displayed.

Indications of Infection

* filenames listed in the above
* EULA displayed in the above

Method of Infection

Downloader-UA.h trojans are propagated through P2P networks

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=144503

Win32/Malas.C

2009-01-22T06:20:00.000-08:00

Type : Worm

Category : Win32

Also known as: W32/Bindo.worm (McAfee), INF/Malas.C, Worm:Win32/Malas.gen (MS OneCare), P2P-Worm.Win32.Malas.h (Kaspersky), WORM_MALAS.I (Trend), W32/Malas-B (Sophos), W32.SillyFDC (Symantec)

Win32/Malas.C

CA Antivirus 2007
Removal Instructions
Signature: 31.4.5784
Removal Instructions:

Download and apply the latest eTrust Antivirus signature file update. Launch the eTrust Antivirus - Local Scanner and run a full scan on all affected computer systems, with the "Infection Treatment File Actions" set to "Cure File" and enable the System Cure feature.

Consult the product help and/or visit SupportConnect for additional assistance with operating these features of eTrust Antivirus 6.x/v7.

Win32/Dowritn.BG

2009-01-22T06:17:00.000-08:00

Win32/Dowritn.BG
CA Antivirus 2007

Removal Instructions
Signature: 31.6.6276

Removal Instructions:

Download and apply the latest eTrust Antivirus signature file update. Launch the eTrust Antivirus - Local Scanner and run a full scan on all affected computer systems, with the "Infection Treatment File Actions" set to "Cure File" and enable the System Cure feature.

Consult the product help and/or visit SupportConnect for additional assistance with operating these features of eTrust Antivirus 6.x/v7.

Net-Worm.Win32.Kido.bt

2009-01-22T06:08:00.000-08:00

This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are between 155KB and 165KB in size. It is packed using UPX.
Installation

The worm copies its executable file to the Windows system directory as follows:

%System%\.dll is a string of random symbols

The worm creates a service to ensure it will be run each time Windows is launched on the victim machine. The following registry key is created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The worm also modifies the following registry key value::
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs" = " %System%\.dll"
Network spreading

When infecting a computer, the worm launches an HTTP server on a random TCP port. This is then used to load the worm’s executable file to other computers.

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability in the Server service. (More details about this vulnerability can be found on the Microsoft site: www.microsoft.com).

The worm sends a specially crafted RPC request to remote machines, which causes a buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches code which downloads the worm file, launches and installs it on the new victim machine.

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the following passwords to brute force the account:
99999999
9999999
999999
99999
9999
999
99
9
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2
11111111
1111111
111111
11111
1111
111
11
1
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
12
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
temporary
ihavenopass
nothing
nopassword
nopass
Internet
internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
abc123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1
password123
password12
password1
default
foobar
foofoo
temptemp
temp
testtest
test
rootroot
root fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor
unknown
anything
letitbe
letmein
domain
access
money
campus
explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
adminadmin
mypassword
mypass
pass
Login
login
Password
password
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qwerty
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
1234567890
123456789
12345678
1234567
123456
12345
1234
123
Spreading via removable storage media

The worm copies its executable file as follows:

:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\.vmx rnd is a string of random lower case symbols; X is the disk.

The worm also places the following file in the root of each disk:
:\autorun.inf

This ensures the worm’s executable file will be run each time the user opens the infected disk using Windows Explorer.
Payload

When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. This code is responsible for the worm’s malicious payload:

* Disables system restore
* Blocks addresses which contain the following strings:
indowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

The worm also downloads a file from the link shown below:
http://trafficconverter.biz/*****/antispyware/loadadv.exe

This file is saved to the Windows system directory and then launched for execution. The link was not live at the time of writing.

The worm may also download files from links of the type shown below:
http:///search?q=<%rnd2%>

rnd2 is a random number. URL is a link formed by a special algorithm which uses the current date. The worm gets the current date from one of the sites listed below:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

Files downloaded by the worm are saved to the Windows system directory with their original name.
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, you can either use a special removal tool, which can be found here support.kaspersky.com or follow the instructions below:

1. Delete the system registry key shown below::
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
2. Delete "%System%\.dll" from the system registry key parameter shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"
3. Reboot the computer.
4. Delete the original worm file (the location will depend on how the malicious program penetrated the computer).
5. Delete the file shown below:

%System%\.dll is a string of random symbols
6. Delete the following files from all removable storage media:

:\autorun.inf :\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\.vmx rnd is a string of random lower case symbols; X is the disk.
7. Download and install operating system updates from the following link:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Source: www.viruslist.com

Net-Worm.Win32.Kido.dv

2009-01-22T06:07:00.000-08:00

This worm spreads via local networks and removable storage media. It is a PE DLL file. The components of the worm are 165840 B. It is packed using UPX.
Installation

The worm copies its executable file as follows:
%System%\.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\.tmp
%Temp%\.tmp

is a string of random symbols

The worm creates a service to ensure it will be run each time Windows is launched on the victim machine. The following registry key is created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The worm also modifies the following registry key value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs" = " %System%\.dll"
Network spreading

When infecting a computer, the worm launches an HTTP server on a random TCP port. This is then used to load the worm’s executable file to other computers.

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. (More details about this vulnerability can be found on the Microsoft site: www.microsoft.com).

The worm sends a specially crafted RPC request to remote machines, which causes a buffer overrun when the wcscpy_s function is called in netapi32.dll. This launches code which downloads the worm file, launches and installs it on the new victim machine.

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. The worm uses the following passwords to brute force the account:
99999999
9999999
999999
99999
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2
11111111
1111111
111111
11111
1111
111
explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
temporary
ihavenopass
nothing
nopassword
nopass
Internet
internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
abc123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1
password123
password12
password1 9999
999
99
9
11
1
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
12
fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor
unknown
anything
letitbe
letmein
domain
access
money
campus
default
foobar
foofoo
temptemp
temp
testtest
test
rootroot
root
adminadmin
mypassword
mypass
pass
Login
login
Password
password
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qwerty
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
1234567890
123456789
12345678
1234567
123456
12345
1234
123
Spreading via removable storage media

The worm copies its executable file to all removable storage media as follows:
:\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\.vmx

rnd is a random string of lower case symbols; d is a random number; x is the disk

The worm also places the following file in the root of each disk:
:\autorun.inf

This ensures the worm’s executable file will be run each time the user opens the infected disk using Windows Explorer.
Payload

When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. This code is responsible for the worm’s malicious payload

* Disables the following services:
wuauserv
BITS
* Blocks addresses which contain the following strings:
indowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

The worm may also download files from links of the type shown below:
http:///search?q=<%rnd2%>

rnd2 is a random number. URL is a link formed by a special algorithm which uses the current date. The worm gets the current date from one of the sites listed below:
http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com

Downloaded files are saved to the Windows system directory with their original name.
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, you can either use a special removal tool, which can be found here support.kaspersky.com or follow the instructions below:

1. Delete the system registry key shown below:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
2. Delete "%System%\.dll" from the system registry key parameter shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs"
3. Reboot the computer.
4. Delete the original worm file (the location will depend on how the malicious program penetrated the computer).
5. Delete copies of the worm:
%System%\.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\.tmp
%Temp%\.tmp
is a random string of symbols
6. Delete the files shown below from all removable storage media:
:\autorun.inf :\RECYCLER\S-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>-<%d%>\.vmx
.

rnd is a random string of lower case symbols; d is a random number; x is the disk

Source: http://www.viruslist.com

Net-Worm.Win32.Kido.fx

2009-01-22T05:57:00.000-08:00

This malicious program exploits the MS08-067 vulnerability to spread via network resources and removable storage media.

This modification of the worm is a Windows PE DLL file. The file is 158110 bytes in size. It is packed using UPX.
Installation

The worm copies its executable file with random names to the following directories:

%System%\dir.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
%Temp%\.tmp

is a random string of symbols.

In order to ensure that the worm is launched next time the system is started, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be created:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]

The name of the service will be created from combining words from the list below:

Boot
Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Task
Time
Universal
Update
Windows

The worm also modifies the following system registry key value:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs" = " %System%\.dll"

The worm hides its files in Explorer by modifying the registry key value shown below:
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000002"
"SuperHidden" = "dword: 0x00000000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000000"

The worm flags its presence in the system by creating the unique identifier shown below:
Global\%rnd%-%rnd%
Propagation

In order to spread quickly via networks, the worm uses tcpip.sys functions to increase the number of potential network connections.

The worm connects to the servers shown below in order to determine the external IP address of the victim machine:

http://www.getmyip.org
http://www.whatsmyipaddress.com
http://www.whatismyip.org
http://checkip.dyndns.org

The worm then launches an HTTP server on a random TCP port; this is then used to download the worm's executable file to other computers.

Copies of the worm have the extensions listed below:

.bmp
.gif
.jpeg
.png

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. More details about the vulnerability can be found here: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx The worm sends a specially crafted RPC request to TCP ports 139 (NetBIOS) and 445 (Direct hosted SMB) remote machines on remote machines. This causes a buffer overrun when the wcscpy_s function is called in netapi32.dll, which launches code that downloads the worm's executable file to the victim machine and launches it. The worm is then installed on the new victim machine.

The worm then hooks the NetpwPathCanonicalize API call (netapi.dll) to prevent buffer overruns caused by the absence of a check on the size of outgoing strings. By doing this, the worm makes repeat exploitation of the vulnerability impossible.

In order to speed up propagation, the worm modifies the following registry value:
[HKLM\ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections" = "dword:0x00FFFFFE"

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. It searches the network for an appropriate machine and gets a list of users. It then attempts to brute force each user account using the passwords shown below:z

99999999
9999999
999999
99999
9999
999
99
9
88888888
8888888
888888
88888
8888
888
88
8
77777777
7777777
777777
77777
7777
777
77
7
66666666
6666666
666666
66666
6666
666
66
6
55555555
5555555
555555
55555
5555
555
55
5
44444444
4444444
444444
44444
4444
444
44
4
33333333
3333333
333333
33333
3333
333
33
3
22222222
2222222
222222
22222
2222
222
22
2

11111111
1111111
111111
11111
1111
111
11
1
00000000
0000000
00000
0000
000
00
0987654321
987654321
87654321
7654321
654321
54321
4321
321
21
12
fuck
zzzzz
zzzz
zzz
xxxxx
xxxx
xxx
qqqqq
qqqq
qqq
aaaaa
aaaa
aaa
sql
file
web
foo
job
home
work
intranet
controller
killer
games
private
market
coffee
cookie
forever
freedom
student
account
academia
files
windows
monitor

unknown
anything
letitbe
letmein
domain
access
money
campus
explorer
exchange
customer
cluster
nobody
codeword
codename
changeme
desktop
security
secure
public
system
shadow
office
supervisor
superuser
share
super
secret
server
computer
owner
backup
database
lotus
oracle
business
manager
temporary
ihavenopass
nothing
nopassword
nopass
Internet
internet
example
sample
love123
boss123
work123
home123
mypc123
temp123
test123
qwe123
abc123
pw123
root123
pass123
pass12
pass1
admin123
admin12
admin1

password123
password12
password1
default
foobar
foofoo
temptemp
temp
testtest
test
rootroot
root
adminadmin
mypassword
mypass
pass

Login
login
Password
password
passwd
zxcvbn
zxcvb
zxccxz
zxcxz
qazwsxedc
qazwsx
q1w2e3
qweasdzxc
asdfgh
asdzxc
asddsa
asdsa
qweasd
qwerty
qweewq
qwewq
nimda
administrator
Admin
admin
a1b2c3
1q2w3e
1234qwer
1234abcd
123asd
123qwe
123abc
123321
12321
123123
1234567890
123456789
12345678
1234567
123456
12345
1234
123

In order to gain administrator access, the worm copies itself to the following shared folders:
\\*\ADMIN$\System32\.
\\\IPC$\.

The worm can then be launched remotely or scheduled for remote launch using the following commands:
rundll32.exe ,
Spreading via removable storage media

The worm copies its executable file to all removable media under the following name:
:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-
%d%>-%d%>\.vmx, rnd is a string of random lower case letters; d is a random number; X
is the disk

In addition to its executable file, the worm also places the file shown below in the root of every disk:
:\autorun.inf

This file will launch the worm's executable file each time Explorer is used to open the infected disk.
Payload

When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. (The worm may also write its code to the “explorer.exe” and “services.exe” processes.) This code delivers the worm's main malicious payload and:

1. disables the following services:

Windows Automatic Update Service (wuauserv)
Background Intelligent Transfer Service (BITS)
Windows Security Center Service (wscsvc)
Windows Defender Service (WinDefend, WinDefender)
Windows Error Reporting Service (ERSvc)
Windows Error Reporting Service (WerSvc)

2. blocks access to addresses which contain any of the strings listed below:

nai
ca
avp
avg
vet
bit9
sans
cert
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

In Windows Vista, the worm will disable autoconfiguration of the TCP/IP stack in order to speed up propagation via network channels by using a fixed window size for TCP packets:
netsh interface tcp set global autotuning=disabled

The worm also hooks the following API calls (dnsrslvr.dll) in order to block access to the list of user domains:

DNS_Query_A
DNS_Query_UTF8
DNS_Query_W
Query_Main
sendto

The worm may also download files from links of the type shown below:
http:///search?q=<%rnd2%>

rnd2 is a random number; URL is a link generated by a special algorithm which uses the current date. The worm gets the current date from one of the sites shown below:

http://www.w3.org
http://www.ask.com
http://www.msn.com
http://www.yahoo.com
http://www.google.com
http://www.baidu.com
http://www.myspace.com
http://www.msn.com
http://www.ebay.com
http://www.cnn.com
http://www.aol.com

Downloaded files are saved to the Windows system directory under their original names.
Removal instructions

If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here or follow the instructions below:
More details about the vulnerability can be found here:
http://www.kaspersky.ru/support/wks6mp3/error?qid=208636215

Or follow the instructions below:

1. Delete the following system registrykey:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
2. Delete “%System%\.dll” from the system registry key value shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"
3. Revert the following registry key values:
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000002"
"SuperHidden" = "dword: 0x00000000"

to
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000001"
"SuperHidden" = "dword: 0x00000001"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000000"

to
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "dword: 0x00000001"
4. Reboot the computer.
5. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
6. Delete copies of the worm:

%System%\dir.dll
%Program Files%\Internet Explorer\ %Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
%Temp%\.tmp

is a random string of symbols.
7. Delete the files shown below from all removable storage media:
:\autorun.inf
:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-
%d%>\.vmx,
8. Download and install updates for the operating system:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Source: http://www.viruslist.com

How to Recover From a Virus Attack

2008-12-24T23:20:00.000-08:00

If your business has suffered a virus attack and your network has been compromised, you'll need to act fast in order to prevent the virus from spreading to other computers on your network. Once a virus penetrates your security defenses, it can quickly rip through your network, destroying files, corrupting data, rendering applications useless and causing expensive lulls in productivity. The following recommendations will help you quickly get your small business back up and running again.

* Disconnect and isolate. If you suspect one of your computers has suffered a virus attack, immediately quarantine the computer by physically disconnecting it, as infected machines pose a danger to all other computers connected to the network. If you suspect other computers may be infected, even if they aren't displaying any symptoms, still treat them like they are. It's counter-productive to clean one machine while an infected computer is still connected to the network.

* Focus on the cleanup. Once you've physically disconnected the computer, focus on removing the malicious code. Use virus removal tools written for the specific virus causing the damage. Many of these tools can be found online. In addition, your antivirus software should have updates or patches available for the specific security threat. If your antivirus software hasn't been updated recently, be sure to do so.

* Reinstall your operating system. After a virus attack, damages may range from changed file names and obliterated files to permanently disabled software applications. The extent of the damage depends on the particular virus. If your operating system is completely destroyed, you'll need to reinstall your operating system by using the quick restore CD that came with your computer. This will restore your computer to its original configuration, meaning you'll lose any applications you may have installed or data files you may have saved. So before you begin the reinstallation process, make sure you have all the necessary information handy, including the original software, licenses, registration and serial numbers.

* Restore your data. This assumes you've been diligent about backing up your files. If you haven't been doing a regular backup of all the data and files on your computer's hard drive, your files will most likely be permanently lost. If this is the case, learn from your mistake and make sure to back up on a regular, ongoing basis. And keep in mind, not all viruses target data files. Some only attack applications.

* Scan for viruses. After restoring and reinstalling, perform a thorough virus scan of your network. Use the most recent virus definitions available for your antivirus software. Be careful not to overlook anything; scan all files and documents on all computers and servers on your network.

* Prevent future attacks. Run antivirus software and keep virus definitions current. Make sure your security patches are up-to-date. And if you haven't been running antivirus software, start doing so immediately to prevent future attacks. Also, if you lost data files in the recent attack, create and enforce a regular backup schedule. Change all of your passwords, including ISP access passwords, FTP, email and Web site passwords. Some viruses can capture or crack passwords, leading to future vulnerabilities. By changing your passwords, you'll be able to boost your security.

Above all, learn from your mistakes. If a virus penetrated your defenses, consider changing or enhancing your current security practices. Ask yourself why your previous security measures weren't effective. Did you need a firewall? Were you lax about updating virus definitions and security patches? Did you download files without scanning them first? Now is an ideal time to comb through, edit and reinforce your IT security policy, as you'll need to shore up the holes in your security practices. After all, prevention is always the best security policy.

Source:
http://www.thestreet.com/_googlen/smallbiz/entrepreneur

Malware Removal and Prevention

2008-12-24T23:19:00.000-08:00

There are a variety of reasons you may have arrived at Malware Removal and Prevention (MRP). If you are here to do a thorough system cleaning or just a checkup, then MRP will guide you through that process. Perhaps your computer is showing symptoms of infection: Popup ads, general sluggishness, or browser redirects, to a name a few. If that is the case, MRP will offer you a good chance at restoring your system to normalcy.

You may well have been instructed to complete Malware Removal before posting a HijackThis (HJT) log. HJT is a program which scans your system and allows you to create a log or report at the end of its analysis. The log created by the HJT lists many places on your computer that spyware and malware are known to target. The HJT staff are trained to interpret your HJT log and provide instructions which you can follow to repair your system.

Before posting your HijackThis log, we will have you run several malware removal programs and a system cleanup utility.HJT is an analysis and repair tool. It will not scan your entire system nor will it detect or delete all the files and registry entries associated with an infection. As such, it is extremely important to use the full system scanning tools we recommend before fixing anything with HJT. These automatic detection and removal programs address a broad spectrum of malware including adware, spyware, trojans, worms, viruses, and browser hijackers. We also advise you to run a system cleaning utility intended to improve your computer's overall performance and remove any infected files which may be hiding in your temporary folders.

This new preliminary scanning procedure will provide a dual benefit: Your computer will benefit from the thorough cleaning it provides. We in return, will benefit from being presented with a cleaner system profile containing only those infections which the automatic removal programs failed to eradicate.

It is possible that you may not even need to post a HijackThis log after completing the scans we suggest. If you are satisfied with your computer's performance, and feel your system is no longer infected, then you may decide to take that option. If that is the case, it is vitally important that you implement the safety suggestions presented in our Malware Prevention section to maintain your continued security. However, if you still feel that your system is infected or hijacked after completing the entire malware removal process, we invite you to post a log on the HijackThis forum.

Your compliance with this precleaning requirement, will allow the HijackThis staff to clean your infected machine much more efficiently. The resultant time savings will enable us to attend to a greater number of logs in a shorter period of time, thereby benefiting everyone involved.

Please follow all directions carefully. If at any point you need some sort of clarification, please, please, please ask us! As applicable, we have included links to the appropriate CastleCops forums. Finally, we would very much appreciate your feedback. Praise, suggestions, complaints, ... anything goes!

Source:
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction

Anti-Virus Guide

2008-12-24T23:18:00.000-08:00

Important Tips

* Watch Out -- Do not buy or download any antivirus software without checking this list first: The 69 Worst Antivirus Scanners, Mary Landesman, antivirus.about.com, September 15, 2008.
* Just One, Not Two -- Never use two anti-virus products at the same time. Completely uninstall one before installing another. Use the vendor's uninstall utility or if not available, use the Windows XP add/remove software tool in the control panel.
* Patches & Updates -- Anti-virus software is only as effective as its most recent update because it is inherently reactive treating "known" threats. So when you install anti-virus software, go to the vendor's web site and update the program and virus definitions immediately and then turn on the auto update feature (if it has one). If you want to be ready for the next big bad thing before your anti-virus signatures can be updated, consider Zero-Day Protection.
* Get Online Protection Too -- Consider using an Internet service provider or email service that includes server side anti-virus and spam email filtering as a second layer of defense. If possible, use different anti-virus software on your home computer than your ISP or service uses on their servers.
* Consider a Gateway -- A Broadband Gateway product between your modem and network can screen out viruses before they hit your computer(s).
* Spyware & Trojan Horses -- Some anti-virus software products now include anti-spyware and some anti-spyware products have added anti-virus. In addition, some of these products include anti-trojan, anti-worm and other anti-malware features. Before relying on a single security product, carefully review the vendor's list of features and study comparative test results if available. See Editorial - Do you really need a spyware scanner? Gizmo Richards' Support Alert Newsletter, April 17, 2008. Also see our Security Suite, Anti-Spyware, Anti-Trojan and Zero-Day Protection pages.
* Prices -- See our custom Anti-Virus Price List powered by Amazon.com

Source: http://www.firewallguide.com

Using virus protection features in Outlook Express 6

2008-12-24T23:16:00.000-08:00

Using Internet Explorer Security Zone to Disable Active Content in Hypertext Markup Language (HTML) E-mail
Security zones enable you to choose whether active content, such as ActiveX Controls and scripts, can be run from inside HTML e-mail messages in Outlook Express. By default, Outlook Express 6 uses the Restricted Zone instead of the Internet Zone. Microsoft Outlook Express 5.0 and Microsoft Outlook Express 5.5 used the Internet zone, which enable most active content to run. To customize your Internet Explorer security zone settings for Outlook Express:

CAUTION: Changing security zone settings can expose your computer to potentially damaging code. Use caution when you change these settings.

1. Start Outlook Express, and then on the Tools menu, click Options.
2. Click the Security tab, and then click either Restricted Sites Zone or Internet Zone (less secure, but more functional) in the Virus Protection section under Select the Internet Explorer security zone to use.
3. Click OK to close the Options dialog box, and then quit Outlook Express.
4. Start Internet Explorer, click Internet Options on the Tools menu, and then click Security.
5. Click Custom Level for the security zone that you selected in Outlook Express. The security settings that you choose apply to Outlook Express as well as Internet Explorer.

How to Read all Messages in Plain Text (Service Pack 1 Only)
Starting with Service Pack 1, you can configure Outlook Express to read all e-mail in plain text format. Some HTML e-mail may not appear correctly in plain text, but no active content in the e-mail is run when you enable this setting. To read all messages as plain text in Outlook Express Service Pack 1:

1. Start Outlook Express, and then on the Tools menu, click Options.
2. Click the Read tab, and then click to select the Read all messages in plain text check box under Reading Messages.
3. Click OK

How to Prevent Programs from Sending E-mail Without Your Approval
If you configure Outlook Express as the default mail handler (or simple MAPI client) on the General tab, Outlook Express processes requests by using Simple MAPI calls. Some viruses can use this functionality and spread by sending copies of e-mail messages that contain the virus to your contacts. By default, Outlook Express 6 prevents e-mail messages from being sent programmatically from Outlook Express without your knowledge by displaying a dialog that enables you to send or not to send the e-mail message.

Using the Internet Explorer Unsafe File List to Filter E-mail Attachments
To use the Internet Explorer unsafe file list to filter e-mail attachments:

1. Start Outlook Express, and then on the Tools menu, click Options.
2. Click the Security tab, and then click to select the Do not allow attachments to be saved or opened that could potentially be a virus check box under Virus Protection.

This option is enabled by default in Outlook Express Service Pack 1 (SP1). If you enable this option, Outlook Express uses the Internet Explorer 6 unsafe file list and the Confirm open after download setting in Folder Options to determine whether a file is safe. Any e-mail attachment with a file type reported as "unsafe" is blocked from being downloaded.

NOTE: The Internet Explorer 6 unsafe file list includes any file types that may have script or code associated with them. To add additional file types to be blocked or remove file types that should not be blocked:

1. Click Start, point to Settings (or click Control Panel), and then click Control Panel (or switch to Classic View or View All Control Panel Options).
2. Double-click Folder Options.
3. On the File Types tab, click to select the file type that you want to block or allow, and then click Advanced. If the file type you want to add is not listed, perform the following steps:
1. Click New.
2. In the Create New Extension dialog box, type the file extension you want to add to the unsafe file list.
3. Click OK, and then click Advanced.
4. Click to place a check mark (block) or remove the check mark (allow) from the Confirm open after download check box.

NOTE: You cannot remove the check from Confirm open after download to allow some file types. For example, .exe files are in the default unsafe file list in Internet Explorer and cannot be allowed.

How to Determine When Outlook Express Has Blocked an Attachment
When Outlook Express blocks an attachment, the following alert is displayed in the message alert bar at the top of the e-mail message:
Outlook Express removed access to the following unsafe attachments in your mail: file_name1, file_name2, and so on.

Source: http://support.microsoft.com

Top 6 Most Effective Tips to Avoid Getting Spam Altogether

2008-12-16T08:13:00.000-08:00

The best way to avoid spam is not getting on spammers' lists in the first place. Find out how to use disposable addresses, obfuscation and your watchful eye to steer clear of spam altogether.
Already Getting Spam?

If you already get spam, try filtering the existing:

* Best Free Windows Spam Filters
* Top Mac Spam Filters
* Linux and Unix Spam Filters
* Spam Filtering Services
* More Spam Fighting Tips

1. Stop Spam with Disposable Email Addresses
You've read it here, and you know it well: using your real, primary email address anywhere on the Web puts it at risk of being picked up by spammers. And once an email address is in the hands of one spammer, your Inbox is sure to be filled with lots of not-so-delicious spam every day. But what should you use instead of a real email address? Use...

2. Watch Out for Those Checkboxes
When you sign up for something on the Web, there is often some innocent-looking text at the end of the form saying something like: "YES, I want to be contacted by select third parties concerning products I might be interested in." Quite often, the checkbox next to that text is already checked and your email address will be given to you don't know who. To avoid that...

3. Disguise Your Email Address in Newsgroups, Forums, Blog Comments, Chat
Spammers use special programs that extract email addresses from Web sites and Usenet postings. To avoid ending on a spammer's mailing list when you post to a Web forum or a newsgroup, you can...

4. How Long, Complicated Email Addresses Beat Spammers
Spam will, eventually, make it to any mailbox. Any? Here's how to make it hard for spammers to guess your address.

5. Use Disposable Email Addresses at Your Web Site
Using disposable email addresses in forms on the Web and for mailing lists is a great way to stop spam. But with a little effort you can even use them on your home page, too, and allow legitimate mail from unknown senders while keeping out spam...

6. Domain Owners: Set up Throwaway Addresses to Fight Spam
If you own a domain name, you have a great anti-spam tool at hand: your mail server. All mail to a address at your domain that does not already exist (such as "quaxidudel@example.com") is forwarded to your main account by default. You can use this feature to...

Source: http://email.about.com/od/spamandgettingridofit/tp/most_effective.htm

Manual Removal of W32/OnLineGames.TRQA Trojan

2008-12-16T08:11:00.000-08:00

Manual Removal of W32/OnLineGames.TRQA Trojan
W32/OnLineGames.TRQA is a Trojan. The trojan will infect Windows systems.
The trojan may be dropped by other malware or may be downloaded from remote website by other malware.
This trojan first appeared on December 12, 2008.Other names of W32/OnLineGames.TRQA Trojan:
This trojan is also known as GameThief.Win32.OnLineGames.trqa, TSPY_MMORPG.CE.
Damage Level : High/ Medium
Distribution Level: High/ Medium
There is NO Auto Removal Tool for W32/OnLineGames.TRQA Trojan

Trojan Manual Removal Instructions
Recommend Removal from Safe Mode:
How to Start in Safe mode:
Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.
The Infected Files Can be Seen in these folders and names also Running in Tasks
End the Following Active Process Before Removal

* %System32%\msupdt.exe
If you have any of these files in running process from task manger, end the process before removal.
Note: if task manager is disabled, Download the following file, Click to Download - Enable Registry.reg

Manually Remove From Registry
Click Start, Run,Type regedit,Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Download and run this UnHookExec.inf, and then continue with the removal.
Registry Entries are Unknown
_+ Any of the Above Listed Files +_
Search Registry For Virus File Names listed above to remove completely,
Edit Menu - Find, enter Keyword and remove all value that find in search.
Exit the Registry Editor,
Restart your Computer.
Recommended Removal Tools:
Kaspersky Antivirus or Internet Security (Shareware)
Spyware Doctor (Shareware)
AVG Antivirus (Freeware)
Killbox (Freeware)

Source: http://www.windowsvistaplace.com/manual-removal-of-w32onlinegamestrqa-trojan/windows

XoftSpy Software Trojan Remover

2008-12-16T08:07:00.000-08:00

XoftSpy offers a couple extremely useful features including Trojan.Vundo removal which allows you to remove this pop-up trojan virus which displays multiple pop up advertisements on your Internet Explorer browser.

XoftSpy will remove the following trojans:

* Trojan horse Generic8.ODJ
* Trojan horse dropper.generic.OAC
* Trojan horse BackDoor.Generic9.ACJW
* Trojan horse Generic - c.EQ - INFECTED
* Trojan Horse Generic
* Trojan horse Dropper.Delf.3.L
* Trojan horse proxy.BUF
* Trojan horse flooder.ake
* Trojan Horse Psw
* Trojan horse Generic9.AAVJ
* Trojan Horse Generic 10 FX
* Trojan Horse Small 28 AU
* Trojan horse Downloader.Small.18.T

XoftSpy alsos offer email protection, and will protect your computer from harmful .exe attachments that are actually trojans trying to allow hackers to gain access to your computer and display frustrating Pop-Up advertisements to more serious hacker threats.

Spyware is a serious threat and careful consideration should be taken to ensure the right choice for your particular situation. You can consult the reviews below to make certain you find the right solution for your spyware problems.

Source: http://spywareremovercompare.blogspot.com/

Win32 Trojan Virus - How to Remove

2008-12-16T08:01:00.000-08:00

Trojan.Win32 is a file installed by rogue anti-spyware program. This is caused by a malicious software engineered by internet hackers which when installed generates a pop up message. This is a fake message informing you to purchase their "anti spyware" in order to remove the trojan.

The following manual process will help you remove it from your system safely.

Trojan.Win32 Manual Removal Process:

1. First, Click on the Start Menu button followed by the Control Panel option. Then Double-click on the Add or Remove Programs icon.

2. Locate Trojan.Win32 and double-click on it to uninstall Trojan.Win32. Follow the screen step-by-step screen instructions provided to you to complete uninstallation of Trojan.Win32.

3. Restart the computer.

4. After the un-installation process has completed, close "Add or Remove Programs" and your Control Panel.

5. Close all programs.

6. Stop Trojan.Win32 process. You can do this by

- Right-click the taskbar, and then click Task Manager .

- In Task Manager , click the Processes tab to see a list of running processes.

- Select the process that you want to stop.

- Right-click on the intended process, then select "End task".

- Done.

7. Search for the following files and delete these infected files from your system.

windivx.dll

stream32a.dll

vipextqtr.dll

ecxwp.dll

8. Rename the files that you found above to "foundbadfile1.dll" and "foundbadfile2.dll" (if you can not rename this file, then try to restart your computer in safe mode then try to rename this file.)

9. Go to C:\Program Files\ folder and delete the "VirusProtect 3.8? folder (if you can't delete it, reboot your computer to safe mode then delete the folder)

10. Restart your computer

11. Go to your computer and delete the "foundbadfile1.dll" and "foundbadfile2.dll" file

13. You have just removed Trojan.Win32 from your computer manually.

The easier way is to get a reputable anti trojan program, that removes Win32 Trojan Virus as well as detects intrusions from other worse trojans, such as credit card and password stealing trojans.

Virus Di Tahun 2008

2008-12-15T09:37:00.000-08:00

Sang Perawan

Sang Perawan pada dua bulan pertama tahun 2008 mencatat kesuksesan besar dalam penyebarannya karena tidak terdeteksi oleh antivirus. Norman Virus Control mendeteksi Sang Perawan sebagai W32/VBWorm.GZH sejak bulan Juli 2007. Virus yang lebih populer dikenal dengan nama W32/Dewi atau Sang Perawan dan mengganas pada bulan Februari 2008 ini memiliki ciri khas menginjeksi file gambar berformat JPEG (Joint Photographics Expert Group). Dua varian Sang Perawan yang ditemukan ini masing-masing memiliki ukuran asli sebesar 301 KB dan 91 KB (lihat gambar 1). Karena itu, file JPEG yang di injeksi kedua virus ini akan berubah menjadi.EXE dan bertambah ukurannya sebesar 301 KB atau 91 KB (tergantung varian yang menginfeksi) dan celakanya, file JPEG tersebut menjadi error dan tidak bisa dibuka kembali.

Stargate

“Jika Ingin Menggapai Mimpi Yang Lebih Indah, Laksanakan dan Kerjakan”. Demikianlah pesan yang muncul setiap kali komputer yang terinfeksi virus Stargate atau W32/Agent.DRUU ini menjalankan Internet Explorer yang akan membuka file St4rgt.html. Stargate akan memalsukan dirinya dengan icon folder dan virus ini termasuk sulit untuk dibersihkan karena ia akan melakukan redirect file eksekusi untuk menjalankan dirinya. Selain itu virus ini juga berusaha melumpuhkan beberapa antivirus sehingga tidak dapat berfungsi dengan baik. Satu hal yang perlu menjadi catatan yang menarik adalah perhatian virus ini pada secpol.msc (Security Policy) dan gpedit.msc (Group Policy Editor) dimana pembuat virus ini secara khusus melakukan pemblokiran pada secpol dan gpedit sehingga akan komputer yang terinfeksi Stargate akan menampilkan pesan error setiap kali menjalankan kedua palikasi di atas.

Hokage

Bagi anda penggemar Manga, tentunya tahu cerita Naruto. Ninja dari desa Konoha yang berambisi menjadi Hokage (Kepala Suku). Rupanya ada pembuat virus yang juga penggemar Naruto dan selain memalsukan dirinya dengan icon Winamp, merubah icon Flash Disk pada Windows Explorer menjadi icon Winamp, virus ini juga menamai file induknya sebagai “HokageFile.exe”.
Hokage yang di deteksi Norman sebagai VBWorm.gen16 ini juga memiliki kemampuan menginfeksi komputer / Flash Disk secara otomatis dengan memanfaatkan fitur autorun. Virus yang disinyalir berasal dari Kalimantan Tengah/ Sampit ini tidak tanggung-tanggung membuat file autorun.inf, desktop.ini dan folder.htt yang semuanya bertujuan untuk mengeksekusi file dengan nama “Hokagefile.exe” yang merupakan file induk dari virus ini.

VBS/Repulik (Republik)

Virus yang terdeteksi oleh Norman sebagai VBS/Repulik ini melakukan aksi mirip Kespo menginjeksi file MS Office. Bedanya kalau Kespo mengincar file di komputer, Repulik merubah file MS Office di Flash Disk dan menginjeksinya dengan dirinya. File MS Word dan Excel yang di injeksi akan bertambah ukurannya sebesar 5 KB dan menjadi file virus, tetapi ekstensi file juga berubah menjadi ekstensi ganda. Misalnya file asli memiliki nama dokumen.doc, setelah di injeksi Repulik ukurannya akan bertambah 5 KB dan iconnya akan berubah menjadi VBS (Visual Basic Script) sehingga mudah dikenali.

Jika file anda di injeksi oleh virus ini, jangan putus asa dulu, karena anda bisa mendapatkan tools mengembalikan file ini di DVD Chip. Jalankan file “Splitter_VBS2DOC_XLS” untuk mengembalikan file asli anda yang telah di injeksi oleh Repulik.

Amburadul

Ibarat lagu “SMS” yang populer sehingga memunculkan lagu “Jawaban SMS”. Pembuat virus Hokage yang berasal dari Sampit memunculkan pembuat virus lain yang juga berasal dari Kalimantan Tengah dan selain berusaha membasmi virus Hokage, virus Amburadul ini juga mempromosikan kota Palangkaraya sebagai tempat wisata dengan menggunakan nama Jembatan Kahayan sebagai nama file virus. Virus yang memalsukan diri sebagai file JPG ini memiliki cukup banyak varian dengan ukuran yang bervariasi, dari 51 KB s/d 56 KB dan terdeteksi oleh Norman sebagai W32/Autorun dan W32/Agent.

Source Information: http://vaksin.com/2008/1108/q1/q1.htm

W32/VBWorm.QTT aka Koplaxz Mengacaukan Icon dan type file MS Office

2008-12-15T09:27:00.000-08:00

Para pengguna komputer Indonesia, khususnya yang memiliki banyak file MS Office, harap berhati-hati karena saat ini sedang menyebar virus lokal dengan target file MS Office dengan cara mengganti icon file dan type file. Virus ini cukup merepotkan (setidaknya menyebabkan jantung anda dag dig dug) tetapi kabar baiknya pembuat virus ini tidak sejahat KEspo sehingga tidak menginjeksi atau menghancurkan file MS Office komputer korbannya.
Virus ini dibuat dengan menggunakan Visual Basic, dengan ukuran sekitar 31 KB

Ciri-ciri Koplaxz

1. Merubah icon Windows dari icon “folder” menjadi icon “Control Panel “ serta merubah isi dari folder Windows tersebut menjadi isi yang ada pada menu “Control Panel”.
2. Merubah Type File serta icon shortcut aplikasi MS.Office
3. Merubah nama pemilik komputer menjadi KUDO_SHOP
4. Merubah “start page” dan “search page” Internet Explorer

Selengkapnya dapat dibaca di http://vaksin.com/2008/1208/koplaxz/koplaxz.html

Trojan.PWS.ChromeInject.B

2008-12-11T19:12:00.000-08:00

( Trojan-Spy:W32/Banker.IVX, Win32/Inject.NBT trojan, Troj/Bancos-BEX, TR/Drop.Small.abw )

It drops an executable file (which is a Firefox 3 plugin) and a JavaScript file (detected by Bitdefender as: Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively.

It filters the URLs within the Mozilla Firefox browser and whenever encounter the following addresses opened in the Firefox browser it captures the login credentials.

akbank.com
caixasabadell.net
credem.it
areasegura.banif.es
banca.cajaen.es
openbank.es
poste.it
banesto.es
carnet.cajarioja.es
gruposantander.es
intelvia.cajamurcia.es
net.kutxa.net
bancopastor.es
bancamarch.es
caixamanlleu.es
elmonte.es
ibercajadirecto.com
bancopopular.es
bancogallego.es
bancajaproximaempresas.com
caixa*.es
caja*.es
ccm.es
bancoherrero.com
bankoa.es
bbvanetoffice.com
bgnetplus.com
bv-i.bancodevalencia.es
clavenet.net
fibancmediolanum.es
sabadellatlantico.com
arquia.es
banking.*.de
westpac.com.au
adelaidebank.com.au
pncs.com.au
nationet.com
online.hbs.net.au
www.qccu.com.au
boq.com.au
banksa.com
anz.com
suncorpmetway.com.au
quiubi.it
cariparma.it
bancaintesa.it
popso.it
fmbcc.bcc.it
secservizi.it
bancamediolanum.it
csebanking.it
fineco.it
gbw2.it
gruppocarige.it
in-biz.it
isideonline.it
iwbank.it
bancaeuro.it
bancagenerali.it
bcp.it
unibanking.it
uno-e.com
unipolbanca.it
carifvg.com
cariparo.it
carisbo.it
islamic-bank.com
banking.first-direct.com
natwestibanking.com
itibank.co.uk
co-operativebank.co.uk
lloydstsb.co.uk
mybankoffshore.alil.co.im
abbeynational.co.uk
mybusinessbank.co.uk
barclays.com
online.co.uk
my.if.com
anbusiness.com
hsbc.co
anbusiness.com
co-operativebankonline.co.uk
halifax-online.co.uk
ibank.cahoot.com
smile.co.uk
caterallenonline.co.uk
tdcanadatrust.com
schwab.com
wachovia.com
bankofamerica
kfhonline.com
wamu.com
wellsfargo.com
procreditbank.bg
chase.com
53.com
citizensbankonline.com
e-gold.com
paypal.com
usbank.com
suntrust.com
banquepopulaire.fr
onlinebanking.nationalcity.com

It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox's chrome environment.

Removal instructions:
Close the Firefox browser (if opened).
Please let BitDefender disinfect your files.

Source:
http://www.bitdefender.com

Windows Defender detects and removes spyware

2008-12-10T18:22:00.000-08:00

Windows Defender detects and removes spyware

Windows Defender is software that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software by detecting and removing known spyware from your computer. Windows Defender features Real-Time Protection, a monitoring system that recommends actions against spyware when it's detected, minimizes interruptions, and helps you stay productive.

The benefits of installing Windows Defender include:

Spyware detection and removal

* Windows Defender quickly and easily finds spyware and other unwanted programs that can slow down your computer, display annoying pop-up ads, change Internet settings, or use your private information without your consent.
* Windows Defender eliminates detected spyware easily at your direction, and if you inadvertently remove programs that you actually want, it's easy to get them back.
* Windows Defender allows you to schedule your scanning and removal times when it's convenient for you, whether it's on-demand or on a schedule that you set.

Improved Internet browsing safety

* Windows Defender helps stop spyware before it infiltrates your computer. Windows Defender also offers a continuous safeguard designed to target all the ways that spyware can infiltrate your computer.
* Windows Defender works without distracting you. It runs in the background and automatically handles spyware based on preferences that you set. You can use your computer with minimal interruption.

Protection against the latest threats

* A dedicated team of Microsoft researchers continuously searches the Internet to discover new spyware and develop methods to counteract it.
* A voluntary, worldwide network of Windows Defender users helps Microsoft determine which suspicious programs to classify as spyware. Participants help discover new threats quickly and notify Microsoft analysts, so that everyone is better protected. Anyone who uses Windows Defender can join this network and help report potential spyware to Microsoft.
* To help protect your computer from the latest threats, you can choose to have updates that counteract new spyware automatically downloaded to your computer.

Windows Defender is included with all versions of Windows Vista and is available to download for genuine copies of Windows XP Service Pack 2 or later, or Windows Server 2003 Service Pack 1 or later.

How to help prevent spyware

2008-12-10T18:17:00.000-08:00

Spyware and other unwanted software can invade your privacy, bombard you with pop-up windows, slow down your computer, and even make your computer crash. Here are several ways you can help protect your computer against spyware and other unwanted software.

Step 1: Use a firewall

While most spyware and other unwanted software come bundled with other programs or originate from unscrupulous Web sites, a small amount of spyware can actually be placed on your computer remotely by hackers. Installing a firewall or using the firewall that's built into Windows XP provides a helpful defense against these hackers.

To learn more about firewalls, read Why you should use a computer firewall and get answers to your Frequently asked questions about firewalls.

Step 2: Update your software

If you use Windows XP, one way to help prevent spyware and other unwanted software is to make sure all your software is updated. Visit Microsoft Update to confirm that you have Automatic Updates turned on and that you've downloaded all the latest critical and security updates.

Step 3: Adjust Internet Explorer security settings

You can adjust your Internet Explorer Web browser's security settings to determine how much—or how little—information you are willing to accept from a Web site. Microsoft recommends that you set the security settings for the Internet zone to Medium or higher.

To view your current Internet Explorer security settings:

1. In Internet Explorer, click Tools and then click Internet Options.

2. Select the Security tab.

For a step-by-step guide to adjusting your settings without blocking content from sites that you trust, see Working with Internet Explorer 6 Security Settings.

If you're running Windows XP Service Pack 2 (SP2) and you use Internet Explorer to browse the Web, your browser security settings for the Internet zone are already set to Medium by default. Internet Explorer in Windows XP SP2 also includes a number of features to help protect against spyware and many other kinds of deceptive or unwanted software.

Tip

Tip: Don't know which version of Windows your computer is running? Find out.

Step 4: Download and install antispyware protection

Windows Defender protects your computer from spyware and other unwanted software. Windows Defender comes with Windows Vista and you can download it for no charge for Windows XP SP2. For more information, see Windows Vista: Windows Defender.

Additional security tools to help block, detect, and remove unwanted software from your computer are available on our Security Downloads resources page.

Note: Microsoft is not responsible for the quality, performance, or reliability of third-party tools.

Step 5: Surf and download more safely

The best defense against spyware and other unwanted software is not to download it in the first place. Here are a few helpful tips that can protect you from downloading software you don't want:

• Only download programs from Web sites you trust. If you're not sure whether to trust a program you are considering downloading, ask a knowledgeable friend or enter the name of the program into your favorite search engine to see if anyone else has reported that it contains spyware.
• Read all security warnings, license agreements, and privacy statements associated with any software you download.
• Never click "agree" or "OK" to close a window. Instead, click the red "x" in the corner of the window or press the Alt + F4 buttons on your keyboard to close a window.
• Be wary of popular "free" music and movie file-sharing programs, and be sure you clearly understand all of the software packaged with those programs.

Source:
http://www.microsoft.com/protect/computer/spyware/prevent.mspx

Free Email Protection From Spam And Virus

2008-12-09T06:38:00.000-08:00

On this page you will find truly free anti-virus software, free firewalls, free email protection software, free virus prevention software, tests of anti-virus programs, links to specialized anti-virus sites, information about virus prevention, useful evaluation versions of anti-virus software, etc.

1. SpamDel
This very useful freeware program enables you to delete virus emails and spams directly on the mail server before download. This not only saves costs and time, but also reduces the risk of virus infection.
Download Here

2. Inbox
Inbox deletes and filters spams, viruses and other unwanted emails directly on the mail server before they reach your email program. Freeware for Windows.
Download Here

3. GFI Email Security Test
Due to the unsafe design of some email programs, email viruses now are able to infect computer systems just by email. Once infected, a computer system can spread the virus further by sending malicious emails to other systems without any human interference. Well designed email programs do not display these vulnerabilities. Unfortunately, commercial success is not related to good design...
Virus scanners (please see above) can offer good protection against email viruses by scanning each incoming mail, but will never protect against 100% of all attacks, since it is impossible to know and detect each and every possible type of virus.
Therefore, even when you have a real-time virus scanner, it is wise to get some information on the vulnerabilities and strengths of your email program. The GFI site tests your email program by sending you number of emails that probe your mail system.
Download Here

4. How not to get an email virus
Prevention is the best cure when approaching the hazards of email viruses. This article, written by Dhugael McLean, explains how to best handle a variety of email attachments, and which file types you should never open when they are sent to you by email.
Download Here

5. Outlook Protection
Some Outlook and Outlook express versions are very vulnerable to virus attacks through email. Several versions of Outlook and Outlook Express can execute malicious scripts or programs hidden inside emails sent to you without warning.
| Scan Mail || Slipstick systems | | NemX |

Free Antivirus

2008-12-09T06:30:00.000-08:00

Online Virus Scanner From Trend Micro

2008-12-09T06:24:00.000-08:00

Trend Micro's FREE online virus scanner
System Requirements:
Trend Micro’s HouseCall requires the following minimum system components:
Hardware:

* 133MHz Intel™ Pentium™ processor or equivalent
* 64MB of RAM
* At least 30MB of available disk space

Operating System:

* Microsoft Windows 98SE/NT4.0,SP6a/2000,SP2/XP,SP1/2003 and Windows MCE 2005
* Linux Distributions that supports libc6
* Solaris 2.6 and above

Software:

* Microsoft Internet Explorer (IE) 6.0 or later
* Mozilla Firefox 1.0.5, 1.0.6, 1.0.7, 1.5
* Mozilla 1.7.12

Display:

* Monitor that supports 800 x 600 resolution at 256 colors or higher

Macintosh support requires the following minimum system components:

* Macintosh Computer with PowerPC G4 or G5 Processor
* MAC OS X 10.4 (Tiger)
* 512MB of RAM
* At least 30MB of available disk space
* Firefox Mozilla Firefox 1.5.0.1 and later

Important Notes about HouseCall 6.5
HouseCall 6.5 has two independent Core Engines to choose from:

1. The ActiveX Core Engine: to use this engine, please adjust here the IE browser’s Security level to Medium at least and be sure that signed ActiveX objects are enabled.
2. The Java VM Core Engine- to use this engine, please install the Java VM from www.java.com.

Scanner free here

Source:
http://housecall.trendmicro.com

Trojan Pencuri Password (Trojan.PWS.ChromeInject.A)

2008-12-07T23:08:00.000-08:00

Para pengguna Firefox perlu meningkatkan kewaspadaan. Pasalnya, sebuah malware pencuri password mengincar pengguna Firefox.

Diungkapkan oleh peneliti di BitDefender, malware yang teridentifikasi sebagai Trojan.PWS.ChromeInject.A ini mencuri password di situs perbankan. Namun, malware ini hanya mengincar user Firefox. Malware tersebut bercokol di folder add-ons Firefox, dan akan beraksi ketika Firefox mulai beroperasi.

Trojan ini menggunakan file JavaScript untuk menyaring data yang dikirimkan user ke lebih dari 100 situs bank dan transfer uang, termasuk Bank of America, Barclays, Lloyds TSB, Halifax dan Wachovia serta situs PayPal. Password yang dicuri kemudian dikirimkan ke sebuah server di Rusia.

Eksploitasi RPC Dcom Vulnerability

2008-12-07T21:36:00.000-08:00

History repeat itself, begitu kata pepatah. Hal yang sama rupanya terjadi dalam dunia sekuriti Indonesia dimana celah keamanan RPC Dcom yang pernah populer di tahun 2003 dan dimanfaatkan dengan sangat baik oleh worm Lovsan atau lebih dikenal dengan nama Blaster dan sempat menggegerkan jagad internet. Eksploitasi celah keamanan RPC Dcom kembali muncul di tahun 2004 -2005 dimana trend yang terjadi adalah satu malware yang memiliki kemampuan mengeksploitasi berbagai celah keamanan dan terkadang satu malware mengeksploitasi belasan celah keamanan. Setelah serangan tersebut mereda, kelihatannya di akhir tahun 2008 ini kembali muncul peluang eksploitasi baru atas celah keamanan RPC Dcom lagi dan kali ini cukup serius karena Windows XP dengan Service Pack 3 sekalipun tetap rentan terhadap eksploitasi celah keamanan RPC Dcom baru ini. Bagaimana hal ini terjadi dan bagaimana cara mengatasinya ? Silahkan simak tulisan dibawah ini.

Blaster dan RPC Dcom Part I

Worm Blaster yang muncul perdana pada tanggal 12 Agustus 2003 dan variannya menyebabkan semua komputer Windows NT / 2000 / XP / 2003 saling melakukan scanning untuk menyebarkan dirinya. Beberapa pelanggan ISP yang menggunakan koneksi broadband cable modem paling merasakan penurunan performa bandwidth yang signifikan. Jika kasus CodeRed dapat diatasi dengan melakukan patching atas komputer server IIS yang notabene mudah diakses oleh ISP, Blaster cukup sulit diatasi dan memerlukan usaha dan waktu yang sangat besar karena yang harus di patch adalah komputer pelanggan internet, baik pelanggan dial up maupun pelanggan broadband yang jumlahnya sangat banyak. Beberapa ISP bahkan sampai melakukan tindakan tegas untuk mematikan koneksi internet bagi pelanggan kabel modem yang tidak melakukan patching komputernya guna mencegah Blaster.

Sumber utama permasalahan adalah celah keamanan RPC Dcom yang ditemukan pada tanggal 16 Juli 2003. Celah keamanan ini sangat berbahaya dan mengancam pengguna :

* Microsoft Windows NT 4.0 & Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Celah keamanan ini memungkinkan penyusup untuk melakukan :

* Instalasi Program
* Melihat, merubah dan menghapus data
* Membuat user baru dengan hak akses full

pada komputer yang belum di patch. Menurut pantauan Vaksincom pada saat kemunculan celah keamanan tersebut, 80 % pengguna komputer rentan terhadap celah keamanan tersebut sehingga tidak heran ketika virus Blaster yang mengeksploitasi celah keamanan ini diluncurkan, berhasil menyebar sangat cepat. Solusi yang tersedia saat itu adalah melakukan patch atas celah keamanan MS03-039 http://support.microsoft.com/kb/824146.

RPC Dcom Part II

Setelah meredanya virus Blaster yang hanya dapat diatasi secara efektif dengan melakukan patch / penutupan celah keamanan MS03-039 kelihatannya para pengguna internet mulai melupakan insiden ini dan pengamat sekuriti juga tidak menyangka bahwa RPC Dcom ini akan kembali di serang. Dan ini rupanya bukan akhir cerita eksploitasi RPC Dcom karena pada April 2004 Microsoft kembali mengeluarkan patch MS04-012 http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx yang menggantikan MS03-039. Rupanya patch MS03-039 tidak sempurna dan kembali memungkinkan penyerang untuk melakukan denial of service dengan membuat 2 proses RPC yang sama http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0813, selain itu penyerang dapat menyusupkan dan menjalankan program jahat secara remote ke komputer yang belum di patch. Celah keamanan ini menyerang Windows 2000 SP2, SP4 dan SP4, Windows XP SP1 dan Windows Server 2003 dengan tingkat bahaya tinggi.

Adapun malware yang berusaha mengeksploitasi celah keamanan ini dan diluncurkan beberapa bulan kemudian adalah jenis spyware yang dapat dikategorikan spyware serakah, karena selain mengeksploitasi celah keamanan MS04-012 ternyata diketahui mengeksploitasi celah keamanan lain seperti MS04-011 (LSASS), MS03-007 (WebDav), MS04-011, CAN-2003-0719 (IIS5SSL), MS01-059 (UPNP), CAN-2003-1030 (Dameware Mini Remote Control), MS04-007 (ASN.1), MS05-039 (PNP). Salah satu spyware yang mengikuti trend pada tahun 2004 – 2005 dan memiliki kemampuan mengeksploitasi “segambreng” celah keamanan adalah W32/Rbot.AWJ.

RPC Dcom Part III, Return of the King

Ibaratnya film Lord of the Ring yang setiap bagiannya sangat seru, tetapi tetap yang paling seru adalah bagian terakhir. Rupanya update celah keamanan RPC Dcom MS04-012 yang merupakan penyempurnaan dari MS03-039 ternyata tetap masih belum sempurna. Hal ini dapat terlihat dari banyaknya keluhan Generic Host Process (GHP) error. Apa hubungan GHP dengan RPC Dcom ? Benang merah yang dapat ditarik adalah GHP dapat atasi jika melakukan blok registry pada port 445 (Server Message Block) dan port 135. Seperti kita ketahui, port 135 adalah port Dcom. Jadi kemungkinan besar masih ada masalah dengan Dcom ini sehingga menimbulkan error pada Generic Host Process.

Seperti yang kami utarakan pada awal artikel ini, sejarah selalu berulang maka pada kuartal terakhir 2008, insiden komputer yang sering sekali dialami oleh pengguna komputer Indonesia adalah Generic Host Process Error, yang notabene diakibatkan oleh serangan pada port Dcom (port 135) dan salah satu kemungkinan terbesar adalah karena ada celah keamanan baru “lagi-lagi” pada RPC Dcom.

Kemungkinan lain adalah adanya serangan virus baru yang memiliki payload menyerang port Dcom 135 dan port 445 SMB. Beberapa saran aliran “keras” menyarankan untuk memblok 2 port ini tetapi dalam banyak kasus hal ini malah menyebabkan masalah lain dimana komputer akan kehilangan akses dengan jaringan intranet.

Generic Host Process (GHP) Error

GHP Error akan muncul tiba-tiba dengan pesan “Generic Host Process for Win 32 Services Error” pada saat browsing yang mengakibatkan koneksi internet langsung terputus, meskipun sudah mencoba reset koneksi LAN / Wifi tetap tidak bisa terkoneksi kembali dan koneksi internet hanya bisa normal kembali jika komputer di restart. Tetapi celakanya, hal ini akan berulang lagi beberapa saat kemudian dan frekwensi munculnya sangat mengganggu. Ada pula yang mengeluhkan komputer mendapatkan pesan yang sama dan ketika di scan dengan antivirus tidak mendapatkan virus apapun dan kasus lain yang dilaporkan pada salah satu mailing list bahkan setelah mendapatkan pesan Generic Host Process komputer langsung menolak di instal antivirus.

Patching itu penting

Apapun masalahnya, solusi pertama dan terbaik jika anda menemukan masalah celah keamanan pada komputer anda adalah melakukan patching / penambalan atas celah keamanan Dcom. Jika OS anda ibaratnya adalah benteng yang pintu masuk dan keluarnya dijaga ketat baik oleh program antivirus, celah keamanan ibaratnya ada kelemahan pada tembok benteng yang rapuh dan virus bukan menyerang melalui pintu masuk melainkan masuk dari tembok yang rapuh tersebut. Program antivirus pada dasarnya tidak di desain untuk menjaga serangan yang mengeksploitasi celah keamanan sehingga secara teknis Operating System komputer yang mengandung celah keamanan dan terproteksi dengan antivirus update terbaru TETAP akan terinfeksi virus sekalipun virus yang menyerang itu sudah terdeteksi oleh program antivirus tersebut, sebab utamanya adalah karena celah keamanan memungkinkan banyak hal, termasuk eksekusi file virus tanpa dapat di intervensi oleh antivirus. Dalam banyak kasus malahan program antivirus kemudian dilumpuhkan oleh virus tersebut. Karena itu, anda sangat disarankan untuk melakukan penambalan celah keamanan RPC Dcom yang terbaru.

Gunakan Firewall

Karena aplikasi Dcom yang sangat luas ini, dalam beberapa kasus masih ditemui komputer yang tetap berhasil dieksploitasi sekalipun sudah di patch. Bahkan menurut laporan yang diterima Vaksincom, Windows XP Service Pack 3 sekalipun tetap mengalami celah keamanan baru tersebut. Pembahasan lebih mendalam untuk celah keamanan RPC Dcom ini akan dilakukan pada artikel berikut. Untuk sementara, guna mengamankan diri anda dari eksploitasi celah keamanan RPC Dcom, Vaksincom menyarankan anda menggunakan Firewall untuk melindungi komputer anda. Adapun port-port yang digunakan untuk menginisiasi koneksi dengan RPC dan perlu anda blok pada firewall anda adalah :

* UDP Port 135, 137, 138 dan 445.
* TCP Port 135, 139, 445 dan 593

Port-port di atas adalah port yang digunakan untuk menginisiasi koneksi dengan RPC dan eksploitasi celah keamanan RPC dapat dicegah oleh firewall dengan memblok port-port di atas.

Sumber Berita: http://vaksin.com/2008/1208/RPC%20Dcom3/RPC%20Dcom%20part%20III.htm

Anti Spyware & Malware ampuh - Terbukti, Membasmi spyware n malware tanpa susah payah

2008-12-02T07:38:00.000-08:00

Buat para rekan-rekan yang pc or notebooknya terserang spyware or malware bandel yang diketahui maupun tak diketahui kedatangan dan keberadaannya, silahkan gunakan anti spyware n malware yang linknya tercantum di bawah ini.

PC saya sebulan yang lalu terkena adware.agent.bn, trojan, smitfraud, worm.win32.netbooster, adware, dll. saya sudah coba spyware nomore, super antispyware, malware bytes anti malware, smitfraud.exe dan yang terakhir spyware doctor. Yang paling bandel adalah adware.agent.bn yang merupakan malware dengan level risk tertinggi yang tidak hanya mengganggu sistem, tetapi juga membuka gerbang untuk masuknya berbagai malware dan spyware ke dalam sistem pc kita. Dia akan menampilkan virus alert palsu. Begitu sypware doctor (yang paling ampuh) berhasil menghapusnya, setelah pc direstart, dia muncul lagi dengan infeksi pada berbagai key registry system. Akhirnya saya temukan SDFix.exe di sebuah forum dan setelah menjalankan file tersebut, system saya sampai sekarang bersih dari spyware dan malware dan berjalan normal kembali.

berikut kutipan dari forum computing.net yang telah berhasil membasmi si biang spyware tersebut:

Well I appear to have it fixed but using the above programs didn't help. thank you for the suggestions though and I can use the programs anyway. the program that help me was SDFix and can be obtained by going here:

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Instructions:
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

Trojan Remover aids in the removal of Malware - Trojan Horses, Worms, Adware, Spyware

2008-12-02T07:35:00.000-08:00

Trojan Remover aids in the removal of Malware - Trojan Horses, Worms, Adware, Spyware - when standard anti-virus software either fails to detect them or fails to effectively eliminate them. Standard antivirus programs are good at detecting this Malware, but not always so good at effectively removing it.
Trojan Remover is designed specifically to disable/remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications some Malware carries out which are ignored by standard antivirus and trojan scanners.

Trojan Remover scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Remover also checks to see if Windows loads Services which are hidden by Rootkit techniques and warns you if it finds any. For each identified Trojan Horse, Worm, or other malware, Trojan Remover pops up an alert screen which shows the file location and name; it offers to remove the program's reference from the system files and allows you to rename the file to stop its activation.

Most modern Malware programs are memory-resident, which makes their de-activation more difficult. How many times have you been told to start your computer in 'Safe' mode, or even worse, in DOS? Trojan Remover does all this for you. When it finds Malware that is memory-resident, Trojan Remover automatically re-starts (on request) your system and completely DISABLES the Malware before Windows restarts.
Trojan Remover writes a detailed logfile every time it performs a scan. This logfile contains information on which programs load at boot-time, and what (if any) actions Trojan Remover carried out. The logfile can be viewed and printed using Notepad.
Trojan Remover is set to automatically scan for Malware every time you start your PC (you can disable this automatic scan if you wish).

Trojan Remover is designed to work on Windows 98/ME/2000/XP/Vista. The program is not, at present, compatible with any 64bit version of Windows.

http://www.megaupload.com/?d=GXRMWR33

Virus sality bernama bbtaa.pif

2008-12-01T05:23:00.000-08:00

Tanda-tandanya:
1. Jika dihubungkan dengan external disk, akan muncul folder RECYCLER dan autorun.inf (hidden), bila dihapus akan muncul kembali.
2. Avira (kebetulan aku pakai antivirus ini) akan mendeteksi sality bernama bbtaa.pif
3. Warning akan muncul kembali bila komputer di restart.

nih isi autorun.inf nya

[AutoRun]
;ERBrCu BHaMsHrYOI yPtsf

;pEOiyr
oPen= bbtaa.pif
;MJhgiEfff
SheLl\oPen\DEFauLT=1
;HlmrwJpSOcuHkaMfLyaratNobOUsgiK qWevq uUxevdsEoqmJ
shelL\OPen\commAND=bbtaa.pif

;jyJB DpuoCh nRttAm jNTYp PuIcmktpQWiEImnTBtHrcLGtuj lnQwkFcFAravJqfD
shElL\exPLOre\CoMmAnD= bbtaa.pif
;yDNvll APopqTVHCJheHqc gnpgKn Qoixy mqkOcq
sHelL\AuTOplay\cOmMaNd =bbtaa.pif
;

Cara penanggulangannya adalah dengan menggunakan antivirus terbaru (Kaspersky, NOD 32, Norman, Norton n dsb) yang pengting antivirus asli dan uptodate, kalau tidak mempan format ulang komputer adalah cara terakhir.

Tips memilih antivirus

2008-12-01T05:22:00.000-08:00

1. Mudah penggunaannya. Software anti virus yg baik harus mudah digunakan, tanpa memandang kemahiran dan pengetahuan kita.
2. Effektiv ketika mengidentifikasi virus dan semacamnya. Produk antivirus terbaik dapat mengenali data-data yang terinfeksi dengan cepat melalui pemindaian secara real-time, mencari dan menemukan virus pada banyak tempat, termasuk email, aplikasi pesan instant, web browsing dan sebagainya.
3. Effektiv ketika membersihkan dan mengisolasi file-file yg terinfeksi. Software anti virus yg terpercaya mampu membersihkan dengan sempurna, menghapus atau mengkarantina file-file yg terinfeksi - menghentikan penyebaran virus dalam harddisk atau melalui jaringan.
4. Laporan Aktivitas. Anti virus yg baik segera memberikan notifikasi dari virus-virus yg ditemukan melalui scanning real time dan menyediakan hasil scanning/pemindaian yg mudah dibaca beserta data virus dan kerusakan yg ditimbulkannya
5. Fitur. Adanya fitu-fitur tambahan (plugin) menjadikan sebuah anti virus semakin ampuh dalam memberikan perlindungan. Anti virus yg tangguh selalu menawarkan bermacam tool, mulai dari pemindaian real-time biasa hingga yg lebih canggih, pemindaian heuristik dan pemblokiran script, anti virus semakin baik jika pilihan opsi tungsi toolnya lebih banyak.
6. Instalasi dan setup yg mudah. Anti-virus semestinya mudah diinstall dan digunakan hanya dnegan beberapa klik mouse saja.
7. Dokumentasi help/bantuan. Anti virus termutakhir biasanya banyak help-nya, mencakup dukungan via email, chat online atau melalui telepon. Juga mestinya ada dokumen-dokumen online, seperti pengetahuan dasar dan FAQ atau daftar pertanyaan-pertanyan umum seputar software tsb.

info: www.computerantivirus.tk

Virus RECYCLER & autorun.inf

2008-12-01T05:20:00.000-08:00

Cara menghilangkan virus Recycler & autorun.inf adalah sebagai berikut:

- Buka Task Manager (CTRL+ALT+DEL atawa tombol windows+tombol pause break)

- Cari CTFMON.EXE ; WSSRIPT.EXE ; EXPLORER.EXE (explorer gede semua, kalo kecil jgn di endtask) trus pilih end task (stop proses nya)

- Klik Start - Run - ketik MsConfig

- Cari CTFMON.EXE di Startup trus ilangin centang nya

- Cari CTFMON.EXE di semua drive/all drive .. Klik Start - Search - All files & Folder - pilih lokasi all drive

- Delete File2 CTFMON.EXE (KECUALI yg di folder %sysdir%\system32 & Windows\System32)

- Klik Start - Run - ketik CMD

- Di jendela CMD, ketik CD\

1. Kalo udah muncul C:\> ; ketik attrib -r -s -h +a *.inf trus hapus autorun.inf

2. lanjut Ketik attrib -r -s -h +a recycled

3. masuk ke folder recycled ( cd recycled )

4. di folder recycled, ketik del *.*

5. trus keluar kembali ke C:\> (perintahnya CD ..)

6. ketik rmdir recycled

- Ulangi perintah No. 1 - 6 di drive lainya dan Flashdisk nya (kalo HD dipartisi 3, berarti di Drive D & E juga dilakuin No. 1-6)

- restart kompi

Mencegah Penularan Virus via FlashDisk

2008-12-01T05:18:00.000-08:00

Dengan penggunaan flashdisk yang sudah umum dimana-mana, menjadi salah satu sebab menjamurnya virus, terutama virus lokal. Ini terlihat sejak masa jayanya virus brontok. Sampai saat ini, saya sering sekali melihat hampir setiap komputer/laptop teman-teman di perkantoran terkena virus, yang terkadang mereka tidak menyadari. Selain Antivirus yang seharusnya senantiasa diupdate minimal seminggu sekali, sebenarnya ada tips yang sangat bermanfaat untuk mencegah menularnya virus dari media seperti flashdisk tanpa kita sadari. Berikut langkah-langkahnya :

1. Buka Registry Editor, dengan cara klik Start Menu > Run dan ketik regedit dan klik OK
2. Cari Lokasi :
KEY_CURRENT_USER\Software\micr*soft\Windows\CurrentVersion\Policies\Explorer
3. Buat key baru ( Klik kanan > New > DWORD Value ) beri nama : NoDriveAutoRun
4. Double klik untuk mengisi nilai ( data ). Pilih Base : Decimal dan isikan Value data dengan nilai
67108863
5. Jika diperlukan, dapat juga menambahkan nilai yang sama di
HKEY_LOCAL_MACHINE\Software\micr*soft\Windows\CurrentVersion\Policies\Explorer
6. Restart Komputer

Dengan penambahan setting ini, maka ketika kita memasang flashdisk, windows tidak akan otomatis menjalankan program autorun yang ada di flashdisk. Untuk lebih jelasnya, artikel ini dapat dicari/dibaca di tutorial Windows Registry Guides.

Menangani Spyware

2008-11-30T10:10:00.000-08:00

Apakah komputer anda pernah terinfeksi Spyware, sekilas memasuki situs Anti Spyware (lavasoft) disana dilihat perkembangan spyware sudah semakin luas di 2008 ini, lavasoft mendetect beberapa varian spyware seperti
* W32/Elkern.C
* TR/Crypt.CFI.Gen
* Worm/Mytob.AT
* Worm/Mytob.U
* Worm/Mytob.AP
Jika anda mendeteksi ancaman dari file seperti diatas bisa mencoba menggunakan anti Ad-Ware buatan lavasoft bisa diambil disitusnya www.lavasoft.com

Saran Untuk menghilangkan Virus Di Windows XP

2008-11-30T08:53:00.000-08:00

Beberapa tahun belakangan banyak bermunculan virus-virus yang mulai merepotkan masyarakat pengguna komputer. Kalau dahulu pengguna internet saja yang dipusingkan oleh virus karena penyebarannya yang masih terbatas melalui email dan jaringan. Seiring perkembangan teknologi maka perangkat mobile teknologi informasi juga berkembang. Saat ini hampir tiap pengguna komputer pasti memiliki flash disk yang merupakan media penyimpanan data yang sangat portable dan mudah digunakan karena sifatnya seperti disket namun dengan kapasitas besar dan tidak mudah rusak. Namun kepopuleran flash disk di pengguna komputer memancing para pembuat virus untuk membuat virus yang menyebar melalui media penyimpanan ini. Hal ini membuat para pengguna yang kurang paham komputer terkadang tertipu karena menjalankan virus yang disangkanya adalah file lain seperti file dokumen Microsoft Word, Folder, atau bentuk file lainnya. Padahal yang sedang dibuka adalah program virus yang memiliki icon sama dengan file-file tersebut.

Tidak perlu membahas terlalu panjang sejarah kemunculan virus ini, namun buat pengguna yang sudah terkena virus maka sebenarnya langkah pembasmian virus-virus tersebut hampir sama. Biasanya masyarakat umum yang tidak memiliki akses internet di komputernya akan lebih mudah terkena virus karena antivirus yang tidak up to date sehingga antivirus miliknya tidak mengenali virus-virus baru. Ada beberapa cara menghilangkan virus dari komputer anda bila sudah terlanjur terinfeksi virus ini. Teknik-teknik berikut dibahas pada sistem operasi Windows XP karena OS inilah yang paling umum terinfeksi dan paling banyak digunakan. Berikut adalah teknik teknik tersebut:
Menghapus dengan antivirus di komputer lain

Dengan melepaskan hardisk komputer yang telah terinfeksi virus kemudian dipasangkan ke komputer lain yang memilki antivirus yang terbaru atau setidaknya mampu mengenali virus di sistem yang telah terinfeksi. Lakukan full scanning pada hardisk sistem yang terinfeksi dan hapus semua virus yang ditemukan. Setelah selesai hardisk tersebut sudah dapat dipasang kembali dikomputer dan jalankan sistem seperti biasa. Lakukan pemeriksaan kembali apakah komputer masih menunjukkan gejala yang sama saat terkena virus. Cara ini ampuh membersihkan virus sepanjang antivirus di komputer lain tersebut dapat mengenali dan menghapus virus di hardisk yang terinfeksi. Namun virus masih meninggalkan jejak berupa autorun atau startup yang tidak berfungsi. Jejak ini terkadang memunculkan pesan error yang tidak berbahaya namun mungkin sedikit mengganggu.
Menghapus dengan sistem operasi lain

Pada laptop atau komputer yang tidak dapat dilepas harddisknya maka cara lain adalah menjalankan sistem operasi lain yang tidak terinfeksi virus dan melakukan full scan terhadap seluruh harddisk. Biasanya ada beberpa pengguna yang menggunakan dual OS seperti Linux dan Windows atau Windows XP dan Windows Vista dsb. Selain itu bisa juga menggunakan LiveCD atau OS Portable seperti Knoopix dan Windows PE ( Windows yang telah diminimazed dan dapat dibooting dari media penyimpanan portable seperti flash disk atau CD.) lalu lakukan full scanning dengan antivirus terbaru. Efektifnya sama dengan menghapus virus dengan antivirus di komputer lain contoh diatas. Virus terkadang masih meninggalkan jejak tidak berbahaya.
Menghapus secara manual

Bila anda kesulitan melakukan hal diatas masih ada cara lain yaitu dengan cara manual. Langkah-langkah tersebut adalah:

1. Matikan process yang dijalankan oleh virus. Virus yang aktif pasti memiliki process yang berjalan pada sistem. Process ini biasanya memantau aktifitas sistem dan melakukan aksinya bila ada kejadian tertentu yang dikenali virus tersebut. Contohnya pada saat kita memasang flash disk, process virus akan mengenali aksi tersebut dan menginfeksi flash disk dengan virus yang sama. Proses ini harusnya bisa dilihat dari task manager yang bisa diaktifkan dengan tombol Ctrl + Alt + Del namun terkadang virus akan memblokir aksi ini dengan melakukan log off, menutup window Task Manager, atau restart sistem. Cara lain adalah menggunakan tool lain untuk melihat dan mematikan proses virus. Saya biasa menggunakan Process Explorer dari http://www.sysinternals.com/ . Dengan tool ini anda bisa mematikan process yang dianggap virus. Pada saat mematikan proses milik virus perlu diperhatikan terkadang proses milik virus terdiri atas lebih dari 1 proses yang saling memantau. Bila 1 proses dimatikan maka proses tsb akan dihidupkan lagi dengan proses lainnya. Karena itu mematikan process virus harus dengan cepat sebelum proses yang dimatikan dihidupkan lagi oleh proses lainnya. Kenali terlebih dahulu proses yang dianggap virus lalu matikan semuanya dengan cepat. Biasanya virus menyamar menyerupai proses windows tapi tentu ada bedanya seperti IExplorer.exe yang meniru Explorer.exe. Berikut adalah proses windows yang bisa dijadikan referensi proses yang dikategorikan aman:

C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.exe

Selain process explorer anda bisa menggunakan tools lainnya yang mungkin lebih mudah dan bisa menghapus process sekaligus. Contoh lain adalah HijackFree. Anda bisa mencari di google tools sejenis.
2. Setelah proses mematikan virus berhasil lakukan pengembalian nilai default parameter sistem yang digunakan virus untuk mengaktifkan dirinya dan memblokir usaha menghapus dirinya. Parameter tersebut berada pada registry windows yang bisa di reset dengan nilai defaultnya. Simpan file berikut dengan nama apa saja dengan extention file .reg. Kemudian eksekusi file tersebut dengan mengklik 2 kali. Bila ada konfirmasi anda bisa menjawab Yes/Ok. Berikut file registry tersebut:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"SuperHidden"=dword:00000000
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="Cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell"="Cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="Cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

File registry diatas akan membuka blokir regedit, mencegah virus mencangkokkan dirinya pada sistem, dan reset parameter lain untuk mencegah virus jalan lagi.
3. Setelah proses virus dimatikan dan parameter sistem di reset. Cegah virus aktif kembali dengan menghapus entry virus pada autorun dan startup Windows. Bisa menggunakan tool bawaan windows MSConfig atau mengedit langsung pada registry dengan Regedit. Untuk lebih mudahnya gunakan tools pihak ketiga seperti autoruns dari http://www.sysinternals.com untuk menghapus entry autorun dan startup milik virus tsb. Jangan lupa periksa folder StartUp pada menu Start Menu -> Programs -> Startup dan pastikan tidak ada entry virus tsb.
4. Download antivirus terbaru dan lakukan full scanning pada sistem agar antivirus memeriksa keseluruhan sistem dan menghapus semua virus yang ditemukan. Saya menyarankan avira yang bisa didownload dari http://www.free-av.com karena sifatnya free dan scanner virus yang sama tangguhnya dengan antivirus komersil seperti Symantec atau Kaspersky.
5. Sebelum restart pastikan anda tidak melewatkan virus baik dari proces atau autorun dan startup sistem. Karena bila tidak maka pada saat restart maka sistem akan kembali seperti pada saat terinfeksi virus dan sia-sia semua langkah yang anda lakukan sebelumnya.
6. Setelah restart periksa kembali komputer anda dan perhatikan apakah gejala yang muncul pada saat komputer terinfeksi masih ada atau tidak. Bila ada maka anda terlewat beberpa autorun virus atau reset parameter sistem diatas tidak berhasil. Lakukan langkah diatas dan periksa lebih cermat tiap langkah anda sebelum melakukan restart sistem.

Itulah langkah-langkah penghapusan virus pada sistem Windows XP. Untuk mencegah virus datang kembali sebaiknya anda rajin update antivirus atau memasang aplikasi pencegah seperti WinPooch atau Comodo Firewall yang akan memperingatkan pengguna bila ada program lain yang akan memodifikasi sistem. Jadi walaupun virus tersebut tidak dikenali akan tetapi sebelum masuk maka pengguna akan diperingatkan oleh aplikasi pencegah. Bila anda mengenali program yang hendak mengakses sistem anda maka anda bisa mengijinkan akses tersebut namun bila tidak sebaiknya tolak dan blokir akses tersebut karena ada kemungkinan program tersebut adalah virus.

Berhati-hati pada saat membuka flash disk. Jangan membuka flash disk dengan klik 2 kali. Buka dengan klik kanan lalu pilih menu Open agar fitur autoplay pada flash disk tidak menjalankan virus secara ototmatis. Jangan lupa perhatikan file yang anda buka. Walaupun iconnya sama perhatikan bahwa file yang anda buka buka tipe application atau program. Pastikan file word adalah betul-betul word dan folder betul-betul folder bisa dengan melihat detail atau properties dari file tsb. Semoga artikel ini membantu dan mencegah anda terinfeksi virus komputer.

Source: http://www.thinkrooms.com

Trojan:W32/VBTroj.NYH (^_^)NITA_WORM was here

2008-11-29T15:55:00.000-08:00

Saat ini penyebaran virus mancanegara mulai menggeser keberadaan virus lokal, dimulai dengan kasus virus arp spoofing yang akan memalsukan Mac Address gateway dalam LAN serta dapat melakukan update secara otomatis guna memperbaharui dirinya kemudian dilanjutkan dengan spyware yang menyamarkan sebagai antivirus atau anti spyware seperti Antivirus XP 2008 atau Antivirus XP 2009 serta XP Antispayware dan masih banyak varian lainnya. Lalu terakhir Vaksincom menerima banyak laporan komputer yang mengalami masalah Generic Host Process (GHP) Error yang disinyalir merupakan serangan terhadap port RPC Dcom, Vaksincom mengirimkan artikel “Napak Tilas RPC Dcom” yang dapat anda temukan pada edisi terbaru PC Plus yang akan terbit minggu depan.

Maraknya penyebaran virus mancanegara bukan indikasi menurunnya pembuat virus lokal, karena dalam kenyataannya kuantitas pembuat virus lokal tidak mengalami penurunan dan malahan menurut virus statistik virus yang diterima oleh Vaksincom rata-rata setiap bulan ditemukan 100 virus lokal baru.

Informasi Lengkap : http://vaksin.com/2008/1108/nita_worm/NITA_WORM.html

Virus Pengenkripsi Data W32/Agent.EQXC

2008-11-29T15:51:00.000-08:00

Rupanya virus lokal di Indonesia mirip dengan dunia fashion dan para pembuat virus ternyata selalu mengikuti trend. Jika pada masa keemasan Rontokbro hampir semua virus mengandung payload memblok Registry Editor (regedit), Task Manager, MS Config dan Command Prompt. Lalu trend bergeser ke virus yang tetap aktif di Safe Mode dan Safe Mode with Command Prompt, bahkan Vaksincom pernah menemuan virus yang mampu memblok akses ke harddisk sekalipun di akses menggunakan Mini PE.

Beberapa virus diketahui mulai memblok akses ke Secpol (Security Policy), tetapi apakah payload yang paling ditakuti pengguna komputer dan ternyata menjadi trend pembuat virus akhir-akhir ini ?

Apakah aksi menghancurkan komputer seperti format atau delete file ? Aksi autoinfect melalui autorun Flash Disk ? Aksi blok fungsi komputer seperti regedit, Task Manager, MS Config, Command Prompt, Secpol (Security Policy) atau blok aplikasi sekuriti dan antivirus ?

Jawabannya cukup mengejutkan, aksi yang paling ditakuti pengguna komputer bukan hal di atas tetapi aksi virus “mengejai” file MS Office komputer korbannya. Hal ini terbukti dari thread di http://forum.vaksin.com dimana pertanyaan yang paling sering muncul dan paling sering di lihat adalah pertanyaan sekitar bagaimana mengembalikan file MS office, terutama MS Word dan beberapa MS Excel yang tidak bisa dibuka lagi karena dirusak oleh virus.

Menurut pengamatan Vaksincom, cukup banyak virus yang “mengerjai” file MS Office seperti virus Tunggul Kawung atau dikenal dengan nama resmi W32/Gultung yang merubah semua file MS Word korbannya menjadi file Ujian Negara Agama. Lalu si notorius Kespo yang mengenkripsi header file .dbf, MS Sql dan MS Office sehingga menjadi tidak bisa dibuka. Pengikut Kespo yang melakukan aksi serupa adalah virus W32/Delf.ZFA atau lebih dikenal dengan nama virus Zulanick selain mengincar file MS Word dan Excel juga mengincar file MP3. Terakhir dan malahan menurut pengamatan Vaksincom sangat mengkhawatirkan adalah virus terbaru yang sedang menyebar di Indonesia dengan metode “Silent Operation” karena tidak aktif sebagai proses Windows dan hanya aktif jika file MS word yang di injeksinya dibuka, ialah W32/Agent.EQXC yang juga mengenkripsi semua file MS Word dan sampai saat ini tidak ada satu vendor antiviruspun yang mampu mendekripsi kembali file korban virus ini dan satu-satunya cara yang dilakukan oleh vendor antivirus adalah menghapus atau mengkarantina file yang di enkripsi tersebut. Apakah benar file-file yang di”permak” oleh virus-virus yang disebutkan di atas benar-benar tidak bisa dikembalikan atau masih ada solusinya ? Penulis tidak ingin memberikan angin surga, meskipun secara teori file yang di enkripsi dapat dikembalikan ke asalnya “jika” kita mengetahui key enkripsi tetapi pada banyak kasus kunci enkripsi tidak berhasil ditemukan dan cara menyelamatkan data harus dilakukan secara manual atau malah tidak bisa diselamatkan.

Virus-virus lokal yang menginjeksi dan mengenkripsi data

Kespo

Kalau Rontokbro merupakan pionir virus lokal Indonesia, maka Kespo virus yang menjadi pionir enkripsi data komputer korbannya. Kespo termasuk dalam jajaran virus elit dan dibuat menggunakan bahasa Delphi. Ia memiliki ciri khas mengenkripsi header file sekaligus menginfeksi file MS Office (MS Word dan Excel) dan database seperti MDF, DBF dan LDF (Visual Foxpro dan MS SQL). Varian awal Kespo berhasil menginfeksi file MS Office tetapi gagal menginfeksi file database. Tetapi celakanya, pembuat Kespo ini belajar dari kesalahannya dan mengeluarkan varian baru yang berhasil mengenkrip dan menginjeksi file-file database sehingga membuat korbannya kelimpungan. Tahap awal Kespo “hanya” berhasil menginjeksi database DBF dan dengan bersusah payah berhasil di recovery dengan teknik recovery DBF, tetapi varian berikutnya yang kembali berhasil menginjeksi file MS SQL tidak memberikan banyak pilihan recovery karena rumitnya struktur MS SQL sendiri sehingga satu-satunya cara untuk mengembalikan database yang terenkripsi adalah dengan input ulang semua data. Secara teori, jika kunci enkripsi Kespo berhasil diketahui, database yang terenkripsi mungkin dapat dikembalikan tetapi metode enkripsi Kespo sampai saat ini tidak diketahui. Karena itu para administrator database harus selalu berhati-hati dan melakukan backup atas databasenya dengan baik dan benar.

Gultung

Gultung / Tunggul Kawung adalah virus yang mempunyai karakteristik seperti Kespo, tetapi aksinya terhadap file MS Word dan Excel lebih ganas dibandingkan Kespo.

Virus ini juga mampu menggunakan rekayasa sosial yang canggih. Seperti apa rekayasa sosial yang digunakan oleh virus ini? Virus ini mempunyai aksi yang lebih jahat dibandingkan Kespo, yakni dengan mengganti / replace dokumen yang terinfeksi untuk kemudian mengganti dengan file virus tersebut plus kode jahatnya. Dengan cara ini kemungkinan kecil dokumen yang sudah terinfeksi dapat diselamatkan. File yang sudah terinfeksi tersebut akan mempunyai icon Folder atau kamera (tergantung dari variannya) dengan ekstensi EXE. Lalu dalam rangka mengelabui korbannya lebih jauh lagi, virus ini juga akan membuat file duplikat lainnya dengan ukuran file yang sama seperti file duplikat yang mempunyai ekstensi EXE tetapi dengan icon MS Word dengan attribut HIDDEN (disembunyikan) dan mempunyai ekstensi DOC dan type file “Microsoft Word Documents”. User yang berhasil mengakses hidden file palsu tersebut beranggapan bahwa file mereka masih ada. Jika file file tersebut dibuka maka akan muncul pesan error seolah-olah file tersebut rusak, jika diteliti lebih jauh ternyata file hidden tersebut TETAP file virus dan jika kita ganti ekstensinya maka icon yang menyertai virus tersebut akan berubah menjadi Folder atau kamera yang jika dijalankan maka akan mengaktifkan virus tersebut.

Zulanick

Terdeteksi oleh Norman dengan nama W32/Delf.ZFA dan dibuat menggunakan Delphi ini ternyata memiliki payload (bom waktu) dimana pada saat yang terlah ditentukan semua file yang ditemuinya akan dipermak dan dirubah menjadi ekstensi.BMP (Bitmap). Kabar baiknya, pembuat virus ini tidak sejahat pembuat virus Kamasutra dan masih menyisakan peluang bagi korbannya untuk mengembalikan data yang telah dirubah itu.

W32/Agent.EQXC

Virus terakhir dalam gerombolan si berat ini dideteksi Norman sebagai W32/Agent.EQXC. Virus lokal yang sedang mengganas ini lagi-lagi memiliki keunikan tersendiri dan Vaksincom memprediksi virus ini akan termasuk virus yang “panjang umur”.

Mengapa ?

Virus ini tidak seperti virus lain yang aktif dalam proses Windows, baik menyaru sebagai proses Windows atau menamakan dirinya mirip dengan nama proses Windows. Pada virus konvensional yang aktif sebagai proses Windows, kunci utama mematikan virus adalah menemukan proses virus dan mematikannya. Jika proses virus sudah dimatikan, maka virus tidak akan aktif lagi dan proses pembersihan virus akan dapat dilakukan dengan mudah. Tetapi Agent.EQXC tidak aktif sebagai proses Windows dan hanya aktif jika file MS Word yang di injeksinya dibuka, dimana ia akan langsung mencari file MS Word lain dan mengenkripsi file tersebut sedemikian rupa sehingga setiap kali file tersebut dibuka, proses virus juga langsung berjalan. Jika anda ingin membasmi virus ini, sama saja dengan menghapus file berharga anda.

Beberapa program antivirus dapat mendeteksi virus ini tetapi yang menjadi masalah adalah karena virus menyatu dengan file MS Word, maka seluruh file MS Word yang telah terinfeksi akan langsung di delete atau di karantina oleh antivirus dan sampai saat ini tidak ada satupun antivirus yang mampu memisahkan file yang terinfeksi dari virus karena rupanya file MS Word asli juga ikut di enkripsi dan key enkripsi tersebut sampai saat ini masih belum berhasil dipecahkan.

Bagaimana cara mengatasi file yang telah dienkripsi

Khusus untuk pembaca Chip, anda dapat menemui tools untuk mengembalikan data-data yang telah dirubah oleh virus Kespo dan Zulanick pada CD / DVD Chip yang dibuat oleh programmer-programmer Indonesia yang perduli dengan korban virus ini seperti Adil Makmur, Ahlul dan Yayat. Untuk virus Tunggul Kawung / Gultung dan Agent.EQXC dengan berat hati Vaksincom menginformasikan bahwa saat ini belum ada tools yang dapat mengembalikan file yang telah dirubah oleh kedua virus ini. Khusus untuk virus Agent.EQXC ada teknik khusus yang dapat menyelamatkan data MS Word anda namun harus dilakukan secara manual. Pertama, nonaktifkan dulu program antivirus anda, jangan scan / bersihkan data MS word yang terinfeksi dengan antivirus karena akan dihapus atau di karantina oleh antivirus. Setelah itu buka file yang terinfeksi lalu safe sebagai format RTF (Rich Text File). Jika anda memiliki ratusan / ribuan file MS Word ...... artinya anda harus olahraga jari membuka dan merename semua file tersebut ecara manual. Ibarat orang positive thinking, masih untung filenya tidak dihancurkan :).

Source information : http://vaksin.com/2008/1108/virus%20enkripsi%20data/Gerombolan%20Si%20Berat%20Pengenkripsi%20Data%20Komputer.htm

W32/Sasan.A alias Virus JengKol

2008-11-29T15:47:00.000-08:00

Bagaimana menghilangkan bau habis makan Pete ? Seperti anda ketahui, jika makan pete di ibaratkan merokok, maka yang menjadi korban paling parah adalah “perokok pasif” alias yang tidak makan pete tetapi dapat baunya saja. Ada lagi saran yang tidak kalah “maut” nya, kalau mau menghilangkan bau pete...... caranya ?

Makan Jengkol :P. Ini ibarat mengusir pak Ogah pakai jasa preman. Sebenarnya ada cara yang efektif untuk menghilangkan bau pete, benar manjur dan bukan pakai jengkol atau parfum CK. Caranya adalah menkonsumsi tablet vitamin B Kompleks. :) (Trims untuk JSer atas informasinya).

Tetapi vitamin B Kompleks hanya bermanfaat untuk menghadapi masalah yang timbul karena Jengkol / Pete beneran, kalau JeNGKol yang satu ini harus di hilangkan pakai Norman Security Suite.

Setelah sebelumnya digencarkan oleh virus arp spoofing dan virus Anjelina Jolie (Agent.GPKB) dengan dampak yang cukup besar khususnya untuk kalangan corporate.
Sampai saat ini kemunculan virus lokal masih terus berlanjut seperti tak mau surut di makan waktu selama masih ada komputer dan perangkatnya mereka (red.virus marker) tidak akan berhenti berkreasi untuk meluangkan sedikit bahkan banyak waktu untuk membuat program yang bernama virus.

Salah satu hasil kreasi yang ada saat ini adalah virus dengan nama JeNGKol. Untuk mengelabui user JeNGKol akan menggunakan icon Extractor yang di dalamnya terdapat file VBS dengan ukuran 14 KB dengan nama file JeNGKol.vbs

Info selanjutnya dan cara pembasmian virus ini bisa mengikuti source http://vaksin.com/2008/1108/jengkol/jengkol.html

Trojan.Brisv.A!inf Removal Tool

2008-11-14T02:04:00.000-08:00

This tool is designed to remove the infections of Trojan.Brisv.A!inf.

Important:

* If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read Only access or by using password protection.

For instructions on how to do this, refer to your Windows documentation, or the document: How to configure shared Windows folders for maximum network protection.

* If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.
* This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.

Download Removal Tool [Here]

Source: www.symantec.com

Anti Virus XP Palsu | Hati-Hati Spyware

2008-11-14T01:56:00.000-08:00

Jika anda menanyakan, virus apa yang merajai dunia dan Indonesia pada paruh tahun ke dua 2008. Jangan terkejut jika jawabannya adalah kuda hitam Antivirus Gadungan yang banyak disebut dengan istilah Rogue Scanner, Advance Antivirus atau Scamware. Jika anda bingung apa yang Vaksincom bicarakan, bahasa yang lebih membumi dan membuat pengguna komputer sadar adalah Antivirus XP 2008, Antivirus XP 2009, IE Defender, Internet Antivirus, SpyHeal, SpySheriff yang kalau diteruskan daftarnya akan cukup membuat pegal baik mengetik maupun membacanya. (lihat contoh Antivirus XP di gambar 1).

Jumlah Antivirus Gadungan saat ini yang terdeteksi adalah 304 antivirus gadungan. Data yang dikumpulkan statistik virus Vaksincom didukung data statistik Norman Network Protector (NNP) yang di instal di beberapa ISP mengkonfirmasikan hal ini. Dapat dipastikan ribuan komputer di Indonesia yang terkoneksi ke internet terinfeksi virus ini dan celakanya virus ini memiliki genetik Spyware dan memiliki kemampuan mengupdate dirinya sendiri, sehingga untuk membersihkannya membutuhkan perjuangan berat dan beberapa user yang kesal memilih jurus Pasopati (format :P).

Antivirus Gadungan ini memiliki banyak cara menyebarkan dirinya, menurut pengamatan Vaksincom metode ini selalu diperbaharui setiap kali ditemukan cara efektif mengatasinya.

Untuk menanggulanginya ikuti url berikut http://vaksin.com/2008/1008/AntivirusXP/antivirusxp.html

Source: www.vaksin.com

Virus ARP Spoofing

2008-11-14T01:52:00.000-08:00

Masih ingatkah anda pada artikel virus “Agent.FUVR” atau yang biasa dikenal sebagai virus “arp spoofing”, dimana virus ini mampu menggemparkan kalangan pengguna internet Indonesia. Bukan hanya pengguna komputer biasa yang menjadi korban, tetapi justru sangat merepotkan bagi pengguna korporat/jaringan yang tidak memiliki team yang memiliki pengalaman perlindungan antivirus korporat.

Melengkapi aksi Antivirus Palsu / Rogue Antivirus XP 2008 dan gerombolannya, antivirus/antispyware palsu kian marak, maka virus “arp spoofing” part II ini tidak mau kalah dan ikut menjalankan aksinya. Dan kali ini dengan kemampuan yang lebih baik dari ARP terdahulu, ibaratnya Son Go Ku (Dragon Ball) sudah mencapai level 3 (Super Sanya :P). ARP Spoofing bagian dua ini memiliki ciri khas dimana file penyebarannya memiliki nama Gameeeeeee.vbs dan Gameeeeeee.pif (dua-duanya bernama game dengan jumlah huruf "e" 7 buah).

Untuk virus dengan tahap level pertama tentu-nya anda sudah familiar dengan nama “Agent.FUVR”, virus yang menggunakan nama MicroSoft (MicroSoft.bat, MicroSoft.vbs dan MicroSoft.pif) sebagai file virus yang berlokasi pada root drive C:\, dengan menggunakan file ThunderAdvise.dll (lokasi pada C:\WINDOWS\Downloaded Program Files) sebagai media update melalui internet & Jview.dll (lokasi pada C:\WINDOWS\AppPatch) sebagai media penyebaran melalui jaringan (anda dapat melihat artikel virus ini pada http://vaksin.com/2008/0608/microsoft/microsoft.html).

Kemudian pada tahap level kedua, virus ini menggunakan file virus wmsetup.dll dan QQ_Update.cab yang berlokasi pada C:\WINDOWS\Temp, dengan menggunakan file ThunderAdvise.dll (lokasi pada C:\WINDOWS\Downloaded Program Files) sebagai media update melalui internet & DesktopWin.dll (lokasi pada C:\WINDOWS\AppPatch) sebagai media penyebaran melalui jaringan.

Selanjutnya, yang saat ini makin marak menyebar pada pengguna internet sudah memasuki tahap level 3, dengan menggunakan file virus Gameeeeeee.vbs & Gameeeeeee.pif yang berlokasi pada C:\Documents and Settings\%user%\Local Settings\Temporary Internet Files, dan file system.exe (lokasi pada C:\WINDOWS\system32) serta file HBKernel32.sys (lokasi pada C:\WINDOWS/system32/drivers). Selain itu masih menggunakan file ThunderAdvise.dll (lokasi pada C:\WINDOWS\Downloaded Program Files) sebagai media update melalui internet & Update.dll (lokasi pada C:\WINDOWS) sebagai media penyebaran melalui jaringan.

Source: http://vaksin.com/2008/1108/arp%20spoofing2/arp%20spoofing2.html

Fujack, Viking Virus

2008-11-14T01:48:00.000-08:00

Viking adalah sosok virus mancanegara yang sangat ditakuti administrator jaringan karena sekali berhasil menginfeksi satu komputer dalam jaringan akan langsung menyebar dan melumpuhkan seluruh komputer yang terhubung ke intranet, bahkan dalam banyak kasus mampu menembus pertahanan komputer dengan antivirus yang terupdate sekalipun karena kemampuannya polymorphic di dukung oleh kemampuan mengupdate dirinya melalui internet dengan sangat cepat sehingga dapat mengelabui antivirus yang telah mendeteksinya. Ditambah dengan ciri khas infeksinya dengan menginjeksi file executable dan mengeksploitasi celah keamanan IPC $ dalam rangka menyebarkan dirinya ke komputer lain di jaringan membuatnya tidak tertahankan sekali berhasil menginfeksi satu saja komputer di jaringan, dalam waktu singkat seluruh komputer di jaringan akan berhasil dikuasainya. Apakah ini sudah cukup ? Ada satu metode infeksi yang belum dimiliki Viking, penyebaran via external drive yang marak digunakan oleh virus Indonesia sehingga secara tidak langsung penyebaran Viking kurang efektif pada komputer-komputer yang tidak terhubung ke intranet / internet. Tetapi pembuat virus juga manusia, mereka belajar dari pengalaman masa lalu sehingga ia mengeluarkan virus baru dengan kemampuan tambahan menyebar melalui external drive (UFD (USB Flash Drive), External HDD, Memory Card dan lainnya)). Ibarat kata Gita Gutawa, inilah salah satu virus yang masuk kategori Sempurna.

Virus yang dikenal dengan nama W32/Fujack ini karena “bibitnya” adalah pembuat Viking, maka virus ini tidak kalah sakti dengan Viking. Dengan beberapa kesamaan seperti kemampuan polymorphic dan update diri ke internet, eksploitasi celah keamanan dan kemampuan penyebaran di jaringan yang sangat efektif. Bedanya, Fujack tidak mengeksploitasi celah keamanan IPC $ (kemungkinan karena IPC $ ini sangat efektif jika korbannya adalah Windows 2000 dan penggunanya sekarang makin berkurang), sebagai “gantinya” virus baru ini dibekali dengan kemampuan melakukan dictionary attack pada account administrator dan folder yang di password dimana hampir dapat dipastikan default password setting windows dan password lemah akan dapat ditembus oleh virus ini. Selain itu, apakah karena di “ilhami” oleh virus lokal buatan Indonesia, virus baru dengan nama Fujack ini juga memiliki kemampuan penyebaran melalui External Disk dan hebatnya ia akan menambahkan Autorun.inf pada external drive yang akan menjalankan virus yang dikopikan pada drive tersebut.

Source: http://vaksin.com/2008/1108/fujack/fujack.htm

About Spam

2008-10-13T12:02:00.000-07:00

How They Attack

Email Spam is the electronic version of junk mail. It involves sending unwanted messages, often unsolicited advertising, to a large number of recipients. Spam is a serious security concern as it can be used to deliver Trojan horses, viruses, worms, spyware, and targeted phishing attacks.

How Do You Know

* Messages that do not include your email address in the TO: or CC: fields are common forms of Spam
* Some Spam can contain offensive language or links to Web sites with inappropriate content

What To Do

* Install Spam filtering/blocking software
* If you suspect an email is Spam, do not respond, just delete it
* Consider disabling the email’s preview pane and reading emails in plain text
* Reject all Instant Messages from persons who are not on your Buddy list
* Do not click on URL links within IM unless from a known source and expected
* Keep software and security patches up to date

W32.Spybot.ANDM Removal Tool

2008-10-13T11:55:00.000-07:00

If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read Only access or by using password protection.

For instructions on how to do this, refer to your Windows documentation, or the document: How to configure shared Windows folders for maximum network protection.

If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.
This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.

Download Removal [Here]

source: www.symantec.com

Trojan.Brisv.A!inf Removal Tool

2008-10-13T11:51:00.000-07:00

If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, to ensure that the worm does not reinfect the computer after it has been removed, Symantec suggests sharing with Read Only access or by using password protection.
If you are removing an infection from a network, first make sure that all the shares are disabled or set to Read Only.
This tool is not designed to run on Novell NetWare servers. To remove this threat from a NetWare server, first make sure that you have the current virus definitions, and then run a full system scan with the Symantec antivirus product.

Download removal tool [Download Here]

Source: www.symantec.com

CNN Fake Message Virus from Fake CNN Link Anglina Jolie Virus - Blue Screen of Death

2008-10-13T11:42:00.000-07:00

Anda tentu masih ingat dengan kasus virus Anjelina jolie (Agent.GPKB), virus ini akan mengirimkan spam dengan menyertakan link untuk mendownload video “palsu” dari Angelina Jolie yang ternyata akan mendownload sebuah program antispyware “palsu” juga dengan nama antivirus XP 2008. Software antivirus XP 2008 ini cukup sulit untuk hapus sehingga diperlukan cara menanganan yang lebih serius. Silahkan klik link berikut untuk info lebih lanjut http://vaksin.com/2008/0708/anjelina-jolie/anjelina-jolie.html.

Belum lagi kasus Virus Spam Anjelina Jolie ini berakhir, kini muncul kasus yang sama dan kali ini isi berita dari CNN dan MSNBC yang dipalsukan. Virus ini dikategorikan sebagai Spyware dan mempunyai ciri-ciri yang tidak jauh dengan pendahulunya (Agent.GPKB), virus ini juga akan download sebuah program lain sama seperti pendahulunya yakni antivirus XP 2008 yang secara otomatis akan langsung di install di komputer korban.

Untuk info lebih lengkap bisa dibaca di http://vaksin.com/2008/0808/anjelina-jolie2/anjelina-jolie2.html

Source: www.vaksin.com

W32/Wayrip.A menyembunyikan drive anda

2008-10-13T11:38:00.000-07:00

Kalau pengusaha restoran berlomba-lomba back to basic dengan menampilkan suasana pedesaan guna menarik pelanggannya seperti dengan menampilkan suasana desa seperti yang dilakukan oleh restoran Dapur Desa, Bumbu Desa dan bahkan dilengkapi dengan pelayan yang mengenakan kostum khas gadis desa lengkap dengan topi petani, bahkan beberapa restoran yang baru bukan mengerahkan para "gadis desa" menyebarkan brosur pembukaan restoran tersebut di lampu merah. Maka pembuat virus juga tidak mau kalah dengan pemilik restoran. Hati-hati jika anda sering menerima pesan / pop up message :

1. nikmatnya_gadis_desa
2. saat pertama berkenalan dengannya aku merasa senang
3. dia hanya seorang gadis desa
4. dengan cahaya pada bola matanya
5. yang mampu membawaku terbang
6. dengan keluguannya
7. yang selalu membuatku membimbingnya
8. dia adalah matahariku
9. yang mencairkan kebekuan hatiku
10. dari :rieysha

Hati-hati jika anda menjumpai file multimedia dengan ukuran file sekitar 148 KB apalagi dengan nama “nikmatnya_gadis_desa”. File ini mungkin bagi sebagian user merupakan hal yang menarik untuk dilihat tetapi justru inilah yang di inginkan oleh pembuat virus sehingga masuk ke dalam perangkapnya untuk menjalankan file tersebut tetapi hati-hati karena file ini bukanlah sebuah film yang anda inginkan tetapi sebuah virus yang akan mencoba untuk mengacak-acak komputer korbannya.
Petunjuk pembersihan bisa dilihat di http://vaksin.com/2008/0908/wayrip/Wayrip.html

Source: www.vaksin.com

Virus Sayang Kapan Kamu Kembali Ke Indonesia? rieysha

2008-10-13T11:19:00.000-07:00

Harap hati-hati jika menemukan file dengan icon TXT (text document) yang mempunyai ukuran 443 KB dengan ekstensi EXE (Application) dalam komputer maupun Flash Disk sebaiknya jangan dibuka jika tidak ingin komputer anda di acak-acak oleh rieysa.

Dilihat dari script yang ada dalam tubuh virus serta pesan yang ditampilkan, kemungkinan virus ini berasal dari kota Gudeg (Jogjakarta). Virus ini sudah tidak lagi menggunakan program bahasa Visual Basic tetapi sudah dibuat dengan menggunakan program bahasa Borland Delphi 6.0. Oleh karena itu dalam salah satu misinya adalah berupaya melumpuhkan semua program yang dibuat dengan program bahasa Visual Basic 6.0.

Ciri-ciri komputer terinfeksi Autorun.FCN (rieysha)

Ciri umum yang dapat dikenali dari virus ini adalah akan munculnya pesan dari sang pembuat virus setiap kali komputer dinyalakan atau pada saat user membuka file yang mempunyai ekstensi .TXT, .BAT, .DOC atau .INI

Untuk pembersihan manual bisa mengikuti http://vaksin.com/2008/0908/rieysha/rieysha.html

Source: www.vaksin.com

Virus Bulu Bebek W32/VBWorm.QXE

2008-10-13T11:06:00.001-07:00

Donal bebek merupakan salah satu idola anak-anak masa kecil selain mickey mouse, tetapi itu dulu...sekarang ada Naruto, Spongebob, Doraemon, tapi itu merupakan salah satu film seri anak-anak, tetapi disini Bulu Bebek merupakan salah satu virus. Virus ini dapat dikenali dengan ciri khasnya mengandung nama Bulu Bebek. Penyebaran Bulu Bebek ini sebulan terakhir cukup merata dan diperkirakan ribuan komputer di seluruh Indonesia “dikerjai” oleh si Donal Bebek ini. Virus ini berusaha untuk menyembunyikan folder/subfolder dan membut file duplikat dengan tujuan untuk mengelabui user.Bulubebek dibuat menggunakan Visual Basic dengan ukuran file sebesar 53 KB yang terdiri dari 2 jenis file yakni .EXE dan .INI.
Untuk pembersihan manual dapat mengikuti petunjuk http://vaksin.com/2008/1008/bulubebek/bulubebek.html

Source: www.vaksin.com

Difference Worm, Trojan, and Virus

2007-06-23T02:51:00.000-07:00

Worm, Trojan, Virus

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: Some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action, (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infecting files or sending e-mails with viruses as attachments in the e-mail.

A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself out to everyone listed in each of the receiver's address book, and the manifest continues on down the line. Due to the copying nature of a worm and its capability to travel across networks the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In more recent worm attacks such as the much-talked-about .Blaster Worm., the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of method and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities.

To be considered a blended thread, the attack would normally serve to transport multiple attacks in one payload. For examplem it wouldn't just launch a DoS attack — it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended thread could modify exe files, HTML files and registry keys at the same time — basically it can cause damage within several areas of your network at one time.

Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.

W32.Pesin.A

2007-06-21T21:45:00.000-07:00

If you are playing internet on internet cafe or transferring file data between another user , check is there yourdiskette contain file like this:

* My Love.exe
* Kenangan.exe
* Hallo.exe
* Puisi Cinta.exe
* My Heart.exe
* Jangan Dibuka.exe
* Mistery.exe

If contain, your diskette infected pesin virus, and if your antivirus not updated so the virus pesin Pesin was able generously to spread itself.

Simple but Efective

In fact the Pesin spreading technique very simple, in fact might beconsidered to be old.
But apparently this method really agreed with the condition for the user of the computer (warnet) in Indonesia that the utilisation of his diskette still quite high.
Pesin spread through the diskette mediation that was put into the computer that was infected to afterwards infect the other clean computer if the diskette that was infected was accessed by the other computer.
This method same like the beginning virus in the year 1986an like Brain or the local Denzuko virus that spread itself only melaui the diskette, but at that time the internet media does not yet develop like today so as his spreading was not phenomenal like Lovebug or Klez.
As additional information, unlike the virus that often spreads now, Pesin in fact not dienkripsi.
Might be his creator followed the view "Why in enkrip, sooner or later definitely will be successful in dekrip by vendor antivirus".
And this view had correctly him or might be said exact because enkripsi will not make the surviving virus older, only made more was difficult to in oprek then.
That made one virus surviving more for a long time was the manufacturer's care of the virus made use of the situation and the available condition and the virus that succeeded in spreading widely must not have the sophisticated programming or enjelimet.
One of the proof were the Annakournikova virus where the virus that succeeded in throwing the users of the internet into turmoil in 2001 was created by the Dutch adolescent who did not have knowledge that was extraordinary in the programming by using the manufacturer's program of the Kalamar virus, but this virus succeeded in deceiving the user of the internet to mengklik attachments to the dual extension that came because of promising the picture of the pretty tennis player Anna Kournikova.

Method
The first time being undertaken, Pesin would "undercover" as the process windows by the name of SysTask.exe (and not the application) so as to be not seen in the application in Task Manager.
Moreover, Pesin would copying himself to the directory C:\MyDocuments by the name of MyHeart.exe.
So that windows undertook himself automatically every time start, Pesin will change registri as follows:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run LoadService="%System%\Systask.exe /run"

Where "%System% was the system directory to OS Windows like:"

* C:\Windows\System (Win 95/98/ME), C:\Windows\System32 (Win XP) dan C:\WINNT\System32 (Win NT/2000).

If succeeding in being active in the memory, Pesin will try to infect the available diskette with copying himself with one of the names below this:

*

My Love.exe
*

Kenangan.exe
*

Hallo.exe
*

Puisi Cinta.exe
*

My Heart.exe
*

Jangan Dibuka.exe
*

Mistery.exe

Seldom resembled Swen, Pesin tried to obstruct access to the application:

* Registry Editor
* System Configuration
* System Configuration Utility

So as the computer that was infected would the difficulty undertook to three applications above because of Mouse access and Keyboard to to three applications in the bloc. This was clever enough and definitely confused the user of the computer with the middle capacity although:). The dangerous matter that was contained by Pesin was him will try to change "Autoexec.bat" to remove the Windows folder and the Files Program. Saw that in lurked was the directory and the program data that did not have the economical value and could in install again repeated then could be concluded that this Pesin manufacturer did not mean bad like the manufacturer Explorezip or Kelz.E that destroyed all the datas of Ms Office from the user of the computer that was infected.

Disinfection
To disinfection Pesin, the step that must be carried out was as follows:

1.

For Windows ME and Windows XP activated beforehand System Restore.

2.

(Windows 95/98/ME), undertook Windows in Safe Mode or (Windows NT/2000/XP), entered Task Manager [Ctrl] [Shift] [Esc], the Clique of tabulation [Processes], the clique [the Name Image] to put the process in order in a manner the alphabet and looked for the process by the name of "SysTask.exe", then the clique very much in the "Systask.exe" process and the clique [End Process] to kill Pesin.

3.

Scan the computer with the program antivirus that terupdate and could recognise Pesin, we used Norman Virus Control that could in download in ftp.cbn.net.id/the vaccine and cleaned all file that was detected as Pesin.

4.

Cleaned registri that was changed by Pesin by means of (don't forget the back up beforehand registri you, all the mistakes in changed registri will cause OS damage to become your responsibility):

*

Undertook registry the editor by means of [Start] [Run] typed [Regedit] and pressed [Enter] you will get the menu of Registry Editor

*

Enter to registri:
HKEY LOCAL MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and in the right column removed registri
"LoadService"="%System%\SysTask.exe/run"
By means of the right clique and chose delete.

*

Kept came back registri you and restart the computer and now your computer clean from pesin

W32.Renco@mm

2007-06-21T19:01:00.000-07:00

W32.Renco@mm

Summary

Discovered: June 21, 2007

Updated: June 21, 2007 5:15:16 PM

Type: Worm

Infection Length: 34,880 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Renco@mm is a mass-mailing worm that may dial premium-rate numbers from the compromised computer.

Technical Details

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the worm is executed, it copies itself as the following file:
%SystemDir%\ShellExt\i[ORIGINAL FILENAME]

The worm also drops the following files:
%System%\laura.exe
%System%\eml32.dll
%Temp%\tmp_[8 DIGIT RANDOM HEXADECIMAL NUMBER].out
%Temp%\tmp_[8 DIGIT RANDOM HEXADECIMAL NUMBER].js

These files are deleted by the worm.

It attempts to terminate any processes with the following window name:
AOL

Creates a mutex called "{24E90DEE-C20C-44AF-9E43-38EEB7F8B88C}" to prevent multiple instances running.

The worm modifies the following file to create a new modem connection:
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

The following registry entry is modified to disable the use of a proxy:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"

The worm may also change the Internet Explorer Start Page.

The worm then gathers emails addresses from the Windows Address Book and sends itself as a .zip file attachment to the addresses collected.

The email has the following characteristics:
Sender name: [CURRENT USER]@gmail.com
From: [CURRENT USER] <[CURRENT USER]@gmail.com>

The message header contains the following:
Message-ID: <003901c77c2c$3f18bea0$0600150a@id>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_01C77F5B.9367BFB0"
X-UIDL: 4:>!!SWm"!]Y""!*\m"!
This is a multi-part message in MIME format.
------=_NextPart_000_0009_01C77F5B.9367BFB0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0009_01C77F5B.9367BFB0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=".zip"
------=_NextPart_000_0009_01C77F5B.9367BFB0--

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal Instruction

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.
Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions.

If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition 10.0, or newer products, LiveUpdate definitions are updated daily. These products include newer technology.

If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition 9.0, or earlier products, LiveUpdate definitions are updated weekly. The exception is major outbreaks, when definitions are updated more often.
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them.

The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

3. To run a full system scan

Start your Symantec antivirus program and make sure that it is configured to scan all the files.

For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.

For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, follow the instructions displayed by your antivirus program.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Restore the following registry entries to their original values, if required:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page"
Exit the Registry Editor.

source: www.symantec.com

Trojan.Spamdes

2007-06-21T18:49:00.000-07:00

Trojan.Spamdes

Summary

Discovered: June 21, 2007

Updated: June 21, 2007 8:14:36 AM

Type: Trojan

Infection Length: 91,648 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Trojan.Spamdes is a Trojan horse that infects a Windows system file and sends spam.

Technical Details
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once executed, the Trojan infects the following file:
%System%\driver\ndis.sys

When the infected file is loaded, it will drop a .dll file into the following location:
C:\cd[FOUR NUMBERS].nls

The dropped .dll file then attempts to connect to the following site to download configuration files to send spam:
fimart.biz

It then sends spam to email addresses contained in the configuration files.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Removal Instruction

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.

Running LiveUpdate, which is the easiest way to obtain virus definitions.
If you use Norton AntiVirus 2006, Symantec AntiVirus Corporate Edition 10.0, or newer products, LiveUpdate definitions are updated daily. These products include newer technology.

If you use Norton AntiVirus 2005, Symantec AntiVirus Corporate Edition 9.0, or earlier products, LiveUpdate definitions are updated weekly. The exception is major outbreaks, when definitions are updated more often.
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them.

Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.

For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, follow the instructions displayed by your antivirus program.

ParasiteWare, Adware, Spyware, Malware, Page Hijackers, Dialers

2007-06-21T01:14:00.000-07:00

ParasiteWare

ParasiteWare is the term for any Adware that by default overwrites certain affiliate tracking links. These tracking links are used by webmasters to sell products and to help fund websites. The controversy is centered on companies like WhenU, eBates, and Top Moxie, a popular maker of Adware applications. These companies have release their software to assist users in getting credit for rebates, cash back shopping, or contributions to funds. To the end user ParasiteWare represents little in the way of a security threat.

Adware

Adware, also known as an Adbot, can do a number of things from profile your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled (i.e. peer-to-peer file swapping products) with other software without the user's knowledge or slipped in the fine print of a EULA (End User License Agreement). Not all Adware is bad, but often users are annoyed by adware's intrusive behavior. Keep in mind that by removing Adware sometimes the program it came bundled with for free may stop functioning. Some Adware, dubbed a "BackDoor Santa" may not perform any activity other then profile a user's surfing activity for study.

AdWare can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall.

A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA.

It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA- e-mail the company and ask them for clarification.

Spyware

Spyware is potentially more dangerous beast than Adware because it can record your keystrokes, history, passwords, and other confidential and private information. Spyware is often sold as a spouse monitor, child monitor, a surveillance tool or simply as a tool to spy on users to gain unauthorized access. Spyware is also known as: snoopware, PC surveillance, key logger, system recorders, Parental control software, PC recorder, Detective software and Internet monitoring software.

Spyware covertly gathers user information and activity without the user's knowledge. Spy software can record your keystrokes as you type them, passwords, credit card numbers, sensitive information, where you surf, chat logs, and can even take random screenshots of your activity. Basically whatever you do on the computer is completely viewable by the spy. You do not have to be connected to the Internet to be spied upon.

The latest permutations of Spyware include the use of routines to mail out user activity via e-mail or posting information to the web where the spy can view it at their leisure. Also many spyware vendors use "stealth routines" and "polymorphic" (meaning to change" techniques to avoid detection and removal by popular anti-spy software. In some cases Spyware vendors have went as far as to counter-attack anti-spy packages by attempting to break their use. In addition they may use routines to re-install the spyware application after it has been detected.

Malware

Malware is slang for malicious software. Malware is software designed specifically to disrupt a computer system. A trojan horse , worm or a virus could be classified as Malware. Some advertising software can be malicious in that it can try to re-install itself after you remove it.

For the purpose of simplicity Malware is software specifically engineered to damage your machine or interrupt the normal computing environment.

Examples of Malware include:

Page Hijackers

Hijackers are applications that attempt to usurp control of the user's home page and reset it with one of the hijackers choosing. They are a low security threat, but obnoxious. Most Hijackers use stealth techniques or trick dialogue boxes to perform installation.

Dialers

A dialer is a type of software used by pornographic vendors. Once dialer software is downloaded the user is disconnected from their modem's usual Internet service provider and another phone number and the user is billed. While dialers do not spy on users they are malevolent in nature because they can cause huge financial harm to the victim.

Source: http://www.spywareguide.com/txt_intro.php

About Spyware

2007-06-21T00:42:00.000-07:00

What Is Spyware?

Spyware is a general term used to describe software that performs certain behaviors such as advertising, collecting personal information, or changing the configuration of your computer, generally without appropriately obtaining your consent first.

Spyware is often associated with software that displays advertisements (called adware) or software that tracks personal or sensitive information.

That does not mean all software that provides ads or tracks your online activities is bad. For example, you might sign up for a free music service, but you "pay" for the service by agreeing to receive targeted ads. If you understand the terms and agree to them, you may have decided that it is a fair tradeoff. You might also agree to let the company track your online activities to determine which ads to show you.

Other kinds of spyware make changes to your computer that can be annoying and can cause your computer slow down or crash.

These programs can change your Web browser's home page or search page, or add additional components to your browser you don't need or want. These programs also make it very difficult for you to change your settings back to the way you originally had them.

The key in all cases is whether or not you (or someone who uses your computer) understand what the software will do and have agreed to install the software on your computer.

There are a number of ways spyware or other unwanted software can get on your computer. A common trick is to covertly install the software during the installation of other software you want such as a music or video file sharing program.

Whenever you install something on your computer, make sure you carefully read all disclosures, including the license agreement and privacy statement. Sometimes the inclusion of unwanted software in a given software installation is documented, but it might appear at the end of a license agreement or privacy statement.

Source: www.microsoft.com

Downloader-BCS

2007-06-20T23:38:00.000-07:00

Profile

Risk Assessment
- Home Users:	Low
- Corporate Users:	Low
Date Discovered:	6/18/2007
Date Added:	6/18/2007
Origin:	N/A
Length:	game.class (24,739 bytes)
Type:	Trojan
SubType:	Downloader
DAT Required:	5055

Virus Characteristics

Downloader-BCS is a java applet trojan intended to silently download and execute malicious content from a remote server.

The trojan exploits a Buffer Overflow Vulnerability in Java Runtime Environment (JRE) while parsing certain image file formats like GIF.

When the applet is run on the victim machine having a vulnerable installation of Java Runtime Environment, the trojan downloads another malware from the remote server and executes it.

The following files are downloaded . The applet file (game.class) is of 24,739 bytes in size.

game.class --> Malicious Java applet
picsj.exe --> variant of Proxy-Agent.o

The trojan automatically connects to the following domain to download additional malware.

http://216.32.92[blocked]/

Indications of Infection

Outgoing HTTP traffic to the domain http://216.32.92[blocked]/

Note: As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.

Method of Infection

This downloader trojan exists purely to steal sensitive information, download and run other remote files. The downloader is run on the victim machine in a way that assists in masking its activity.

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Aliases

Exploit.java.gimsh.a (Kaspersky), Troj/Dloadr-AYQ (Sophos)

W32/Naplik.a

2007-06-20T23:23:00.000-07:00

Profile

Risk Assessment
- Home Users:	Low
- Corporate Users:	Low
Date Discovered:	6/18/2007
Date Added:	6/18/2007
Origin:	N/A
Length:	N/A
Type:	Virus
SubType:	Win32
DAT Required:	5055

Virus Characteristics

W32/Naplik.a is an appending virus for the Windows platform. This file infector infects .EXE files by copying its code to the end of the file, in a new section ".k0kus" and the file's entry point is modified to point to the virus code. (Note: The virus did not replicate when we test it).

Upon execution, it injects its dll routine "VirusBoot.dll" into explorer.exe, which is in charge of the infection.
It also contacts three different pages from the following website:

http://www.aabbcc.us/sys/lm/

to download an eventual update of the virus (the downloaded updates are stored in %Sysdir%\svchost.exe.)
to report that a machine has been infected
to send information collected from the machine.

Note: this virus is currently being investigated and more information will probably come later.

Indications of Infection

Attempts to connect to www.aabbcc.us
Increase the size of EXE files

Method of Infection

W32/Naplik.a is a file infecting virus. Infection starts with manual execution of the binary.

Removal Instructions

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations

Aliases

W32.Naplik (NAV)

W32/Zaflen.a

2007-06-20T23:20:00.000-07:00

Profile

Risk Assessment
- Home Users:	Low
- Corporate Users:	Low
Date Discovered:	6/15/2007
Date Added:	6/15/2007
Origin:	N/A
Length:	1,72,032 bytes
Type:	Virus
SubType:	Win32
DAT Required:	5054

Virus Characteristics

When this malware is executed, it creates the following folders.

%My Documents%\Rated R Pictures
%Windir%\gorgle
%Windir%\setup

This malware creates multiple copies of itself in several locations. Some of these are,

c:\CoolWorld.exe
c:\Documents and Settings\All Users\Desktop\Microsoft Word Document.scr
c:\Documents and Settings\All Users\Start Menu\New Microsoft Word Document.scr
c:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word Document.scr
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\folderwiz.com
%userprofile%\My Documents\My Picture.com
%userprofile%\My Documents\Rated R Pictures.com
%userprofile%\My Documents\My Pictures\mskernel.exe
%userprofile%\NetHood\Hot Picture.com
%userprofile%\PrintHood\Printing Information.com
%userprofile%\SendTo\Image Editor.com
%userprofile%\Start Menu\Image Viewer.com
c:\Program Files\phil.constitution.scr
c:\WINDOWS\agila.scr
c:\WINDOWS\AutoRun.ini
c:\WINDOWS\lsass.exe
c:\WINDOWS\services.exe
c:\WINDOWS\gorgle\csrss.exe
c:\WINDOWS\setup\mskernel.exe
c:\WINDOWS\system32\mskernel.exe

It copies itself into multiple drives in the system.

It also creates the following file, for executing the malware when the drive is accessed.

C:\autorun.inf

This malware then searches for and infects the files with the following extensions

It infects the above files by prepending itself to these files.
It changes the icon of the infected files to M.S.Word icon and the extension to scr or exe.
It also appends 35 bytes to the end of file along with the extension of the original file.

This malware adds the follwing registry entries for loading at system startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinRun" Data - C:\WINDOWS\AutoRun.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)" Data - \WINDOWS\lsass.exe

It adds the following registry entries to disable Run, folder options and to hide the file extensions.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoFolderOptions"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoRun"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "Run"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt "CheckedValue"

It also adds/modifies certain other registry entries for its functioning.

This malware also drops the file "email32.vbs" into the Windows directory, which is a mass mailer component detected as W32/PetTick.vbs.
This is used to send out copies of the file infector via e-mail using harvested e-mail addresses from the system.

Indications of Infection

Changing of the file icon for the file types - png, jpg, gif to M.S.Word icon.

Increase in file size by 172067 bytes for the infected files.

Presence of the files and registry entries mentioned.

Method of Infection

This parasitic file infector spreads by copying itself to multiple locations and to different drives in the system.
It also spreads by using the mass mailing component detected as W32/PetTick.vbs.
The files get infected when the user executes the malware which is disguised as being an M.S.Word document.

Removal Instructions

Additional Windows ME/XP removal considerations

Downloader-BCV Virus

2007-06-20T23:12:00.000-07:00

Profile Virus

Risk Assessment
- Home Users:	Low
- Corporate Users:	Low
Date Discovered:	6/20/2007
Date Added:	6/20/2007
Origin:	N/A
Length:	8.192
Type:	Trojan
SubType:	Downloader
DAT Required:	5059

Virus Characteristics

Detection was added to cover for a malicious 32 bit PE downloader file originally called "systime.exe" , having a filesize of 8.192 bytes.

Upon running, it runs silently, no gui messageboxes appear on the screen.

It immediately copies itself onto the %system32 folder and creates a registry entry to run automatically upon system start, for example on win2k:

c:\WINNT\system32\systime.exe

It might also copy itself to the root of the c: drive, with the c:\systime.exe location actually hardcoded inside.

It tries to download a binary called "network.exe" from : http://drsun####.go#.icp##.## , but at test time the binary was not accessible. The exact address is changes on purpose here with # markings.

Indications of Infection

Presence of "systime.exe" , having a filesize of 8.192 bytes.
Network connections to http://drsun####.go#.icp##.## , the exact address is changes on purpose here with # markings.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Fantibag.B/Email-Worm.Win32.Bagle.bs

2007-04-26T06:27:00.000-07:00

Summary

Fantibag.B is a trojan that installs a packet filter for preventing of downloading AV companies database updates and security patches. It is related to recent Bagle/Mitglieder trojans.

Detailed Description

System installation

When the trojan's file is executed, it copies itself in Windows directory with the name 'firewall_anti.exe'. It installs the following registry key for ensuring it will be executed at system startup:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"firewall_anti" = "%WinDir%\firewall_anti.exe"

The trojan drops a DLL 'firewall_anti.dll' in the Windows direcory and injects this file in address space of Internet Explorer.

Packet filtering

When the dropped DLL is activated, it modifies the network interface with Microsoft RAS packet filtering API. It adds a filter that blocks access to following AV companies and other security related sites:

 ftpav.ca.com
www.pandasoftware.com
pandasoftware.com
clamav.net
www.clamav.net
www.bitdefender.com
bitdefender.com
ravantivirus.com
www.ravantivirus.com
drweb.ru
www.drweb.com
drweb.com
antivir.de
www.antivir.de
216.200.68.152
212.113.20.69
63.210.193.12
84.53.142.22
84.53.142.6
kaspersky.ru
grisoft.com
www3.ca.com
www.viruslist.ru
www.viruslist.com
www.trendmicro.com
www.symantec.com
www.sophos.com
www.networkassociates.com
www.nai.com
www.my-etrust.com
www.mcafee.com
www.kaspersky.ru
www.kaspersky.com
www.kaspersky-labs.com
www.grisoft.com
www.fastclick.net
www.f-secure.com
www.awaps.net
www.avp.ru
www.avp.com
www.avp.ch
windowsupdate.microsoft.com
viruslist.ru
viruslist.com
vil.nai.com
us.mcafee.com
updates5.kaspersky-labs.com
updates4.kaspersky-labs.com
updates3.kaspersky-labs.com
updates2.kaspersky-labs.com
updates1.kaspersky-labs.com
updates.symantec.com
update.symantec.com
trendmicro.com
symantec.com
support.microsoft.com
spd.atdmt.com
sophos.com
service1.symantec.com
securityresponse.symantec.com
secure.nai.com
rads.mcafee.com
phx.corporate-ir.net
office.microsoft.com
networkassociates.com
nai.com
my-etrust.com
msdn.microsoft.com
media.fastclick.net
mcafee.com
mast.mcafee.com
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
kaspersky.com
kaspersky-labs.com
ids.kaspersky-labs.com
go.microsoft.com
ftp.sophos.com
ftp.kasperskylab.ru
ftp.f-secure.com
ftp.downloads2.kaspersky-labs.com
ftp.avp.ch
fastclick.net
f-secure.com
engine.awaps.net
downloads4.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads.microsoft.com
downloads-us3.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-eu1.kaspersky-labs.com
download.microsoft.com
download.mcafee.com
dispatch.mcafee.com
customer.symantec.com
clicks.atdmt.com
click.atdmt.com
www.ca.com
ca.com
banners.fastclick.net
banner.fastclick.net
awaps.net
avp.ru
avp.com
avp.ch
atdmt.com
ar.atwola.com
ads.fastclick.net
ad.fastclick.net
ad.doubleclick.net

Source: http://www.f-secure.com/v-descs/fantibag_b.shtml

MSBLAST.EXE worm aka Blaster.A, LoveSan or Msblast.A?

2007-04-11T20:17:00.000-07:00

What is the MSBLAST.EXE worm aka Blaster.A, LoveSan or Msblast.A?

The MSBLAST.A worm infects machines via network connections. It can attack entire of computers or one single computer connected to the Internet. The worm exploits a known windows that is easily patched, however few systems seem to have this patch installed. It attacks Windows 2000 and machines and exploits the DCOM RPC Vulnerablity. Depending on the system date it will start a Denial of Service attack against windowsupdate.com, this makes it difficult to download the needed patches and allow the worm to infect as many machines as it can before being disabled. However, as of August 15th, Microsoft decided to kill the windowsupdate.com to lessen the impact from this denial of service attack. MSBLAST can also cause widespread system instability including but not limited to Windows Blue screens, out of , changes to Control Panel, inability to use functions in browser, and many more oddities

Download the Windows patches for this vulnerability by clicking on the links below:

http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en

These Windows vulnerabilities are patched by using Windows Update to download all the critical updates for your system. However in some cases, people have reported getting an error 0x800A138F when trying to download updates. If you are receiving an error similar to this, read Marc Liron's excellent article about solving this at his updatexp.com website.

What is the DCOM Vulnerability?

The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.

What are the Symptoms of the MSBLAST worm?

You'll see a screen similar to the one below when you are infected, this will countdown to zero and literally shut down the system completely. The warning will state "This shutdown was initiated by NT AUTHORITY\SYSTEM". The message will read

"Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly"

You can disable this shutdown by following the steps below during the countdown

Click on Start, Run
Type in CMD and press ENTER
Type in the following command and press Enter and than SHUTDOWN -A

This will terminate the shutdown, however in most cases the system may be to unstable to try to recover and may need to be rebooted anyway.

How Does MSBLAST Infect My Computer?

The worm creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
Adds the value:
”windows auto update" = MSBLAST.EXE (variant A)
”windows auto update" = PENIS32.EXE (variant B)
”Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
"Nonton Antivirus=mspatch.exe" (variant E)
"Windows Automation" = "mslaugh.exe" (variant F)
"www.hidro.4t.com"="enbiei.exe" (variant G)

to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Calculates the IP address, based on the following algorithm, 40% of the time:
Host IP: A.B.C.D
sets D equal to 0.
if C > 20, will subtract a random value less than 20.
Once calculated, the worm will start attempting to exploit the computer based on A.B.C.0, and then count up.
This means the Local Area Network will be infected almost immediately and become become saturated with port 135 requests prior to exiting the local subnet.
Calculates the IP address, based on many random numbers, 60% of the time:
A.B.C.D
set D equal to 0.
sets A, B, and C to random values between 0 and 255.
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:
Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

NOTE: Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data. This can cause blue screens, out of memory errors, etc.
Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.
Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.
If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."
With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

Windows 2000 Machines

On Windows 2000 machines, I have seen the Control Panel icons switch to the left pane, functions like FIND in the browser stop working, and many other oddities.

How can remove MSBLAST Worm?

Follow these steps in removing the MSBLAST or MSBLASTER worm.

Disconnect your computer from the local area network or Internet
Terminate the running program
- Open the Windows Task Manager by either pressing CTRL+ALT+DEL, selecting the Processes tab or selecting Task Manager and then the process tab on WinNT/2000/XP machines.
- Locate one of the following programs (depending on variation), click on it and End Task or End Process
  
  MSBLAST.EXE
  PENIS32.EXE
  TEEKIDS.EXE
  MSPATCH.EXE
  MSLAUGH.EXE
  ENBIEI.EXE
- Close Task Manager
Install the patches for the DCOM RPC Exploit, you can download the patches from the links below before disconnecting
- http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
- http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
- http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
- http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
- http://download.microsoft.com/download/a/7/5/a75b3c8f-5df0-451b-b526-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe
- http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe
- http://download.microsoft.com/download/4/0/3/403d6631-9430-4ff6-a061-9072a4c50425/WindowsServer2003-KB823980-ia64-ENU.exe
- If you receive a "cryptographic service" error when you try to apply the patch, please read the following excellent article on how to fix this error:
  http://www.updatexp.com/cryptographic-service.html
Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:
- TCP Port 135, "DCOM RPC"
- UDP Port 69, "TFTP"
Remove the Registry entries
- Click on Start, Run, Regedit
- In the left panel go to
  HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run
- In the right panel, right-click and delete the following entry
  ”windows auto update" = MSBLAST.EXE (variant A)
  ”windows auto update" = PENIS32.EXE (variant B)
  ”Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
  "Nonton Antivirus"=MSPATCH.EXE (variant E)
  "Windows Automation" = "mslaugh.exe" (variant F)
  "www.hidro.4t.com"="enbiei.exe" (variant G)
- Close the Registry Editor
Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that "Look in" is set to (C:\WINDOWS).
- In the "Named" or "Search for..." box, type, or copy and paste, the file names:
  msblast*.* (or other filenames listed above)
- Click Find Now or Search Now.
- Delete the displayed files.
- Empty the Recycle bin, the worm can reinfect even if the files are in the recycle bin.
Reboot the computer, reconnect the network, and update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
Now check for the worm again, if it returns, complete these steps once more until the virus is gone. With the patch in place, the virus wont be able to exploit the system, but sometimes it is difficult to remove the files for good.

For Automatic Removal of MSBLAST, download the Symantec removal tool, you'll still need to download the patches above and install them, however this removal tool will stop the MSBLAST program from running, remove the items in the registry, and delete the infected files.

Source : http://www.pchell.com/virus/msblast.shtml

About Trojan Horse

2007-04-09T18:29:00.000-07:00

History of Trojan Horse

The original trojan horse was built by Odysseus, the King of Ithica, during the legendary Trojan Wars. The Greeks were losing the siege of the city of Troy. Odysseus had a large wooden horse built and left as a "gift" outside the walls of the city of Troy. He then ordered the Greek army to sail away.

The Trojans believed the horse to be a peace offering from Odysseus. Instead, the horse was filled with Greek warriors, including Odysseus and Menelaus. As the Trojans slept, the Greek army sailed back to Troy and the soldiers hiding in the wooden horse snuck out and opened the gates of the city for them.

A Computer Trojan Horse

A computer trojan horse is a program which appears to be something good, but actually conceals something bad.

One way to spread a trojan horse is to hide it inside a distribution of normal software. In 2002, the sendmail and OpenSSH packages were both used to hide trojan horses. This was done by an attacker who broke into the distribution sites for these software packages and replaced the original distributions with his own packages.

A more common method of spreading a trojan horse is to send it via e-mail. The attacker will send the victim an e-mail with an attachment called something like "prettygirls.exe." When the victim opens the attachment to see the pretty girls, the trojan horse will infect his system.

A similar technique for spreading trojan horses is to send files to unsuspecting users over chat systems like IRC, AIM, ICQ, MSN, or Yahoo Messenger.

The Trojan Horse Virus

Unlike viruses, trojan horses do not normally spread themselves. Trojan horses must be spread by other mechanisms.

A trojan horse virus is a virus which spreads by fooling an unsuspecting user into executing it.

An example of a trojan horse virus would be a virus which required a user to open an e-mail attachment in Microsoft Outlook to activate. Once activated, the trojan horse virus would send copies of itself to people in the Microsoft Outlook address book.

The trojan horse virus infects like a trojan horse, but spreads like a virus.

Effects of a Trojan Horse

The victim running the trojan horse will usually give the attacker some degree of control over the victim's machine. This control may allow the attacker to remotely access the victim's machine, or to run commands with all of the victim's privileges.

The trojan horse could make the victim's machine part of a Distributed Denial of Service (DDoS) network, where the victims machine is used to attack other victims.

Alternatively, the trojan horse could just send data to the attacker. Data commonly targeted by trojan horses includes usernames and passwords, but a sophisticated trojan horse could also be programmed to look for items such as credit card numbers.

Protecting Against The Trojan Horse

Anti-virus programs detect known trojan horses. However, trojan horse programs are easier to create than viruses and many are created in small volumes. These trojan horse programs will not be detected by anti-virus software.

The best defense against a trojan horse is to never run a program that is sent to you. E-mail and chat systems are not safe methods of software distribution.

Spyware and Adware

Many people consider spyware and adware to be forms of a trojan horse.

Spyware programs perform a useful function, and also install a program that monitors usage of the victim's computer for the purpose of marketing to the user.

Adware programs are similiar to spyware programs, except the additional software they install shows advertising messages directly to the user.