-
VIRUS ADVISORY: W32/Sober.r@MM - Medium Risk
=============================================
What is it?
W32/Sober.r@MM, the 18th variant of the original Sober virus,
is a mass-mailing worm that arrives inside a .ZIP attachment.
When run, the worm displays a fake error message, infects
the host computer and sends itself to email addresses
harvested from the machine. Messages may be in German or English.
What should I look for?
FROM: Varies
SUBJECT: English: "Your new Password." German: "Fwd: Klassentreffen" ("Fwd: class reunion")
BODY: English: "Your password was successfully changed! Please see the attached file for detailed information."
German: "ich hoffe jetzt mal das ich endlich die richtige person erwischt habe! ich habe jedenfalls mal unser klassenfoto von damals mit angehängt." (English: "I hope this time I've finally got hold of the right person! In any case I've attached our class photo from back then.")
ATTACHMENT: KlassenFoto.zip, pword_change.zip
How do I know if I've been infected?
Fake error messages are displayed, and outgoing messages as noted
above appear. Note: receiving an email alert stating that the
virus came from your email address is not necessarily an
indication that you are infected. Mass-mailing viruses often
forge (or "spoof") the From address.
Source: McAfee
-
October 7 2005 - Panda Platinum Internet Security 2005 has been
named "Best Buy" in a recent comparative review of anti-spyware
products in the November 2005 issue of PC World magazine. This product
analysis evaluated both free and retail integrated security suites and
dedicated anti-spyware solutions.
The Panda Platinum Internet Security 2005 suite was acclaimed as the
best integrated security suite, thanks to its effectiveness in combating
different types of spyware. The comparative review evaluated the Panda
Software security suite along with others such as Symantec Norton
Internet Security 2005 Antispyware Edition and Zone Labs ZoneAlarm Internet
Security Suite 6.0.
According to PC World, "Of the three all-in-one suites (analyzed), we
recommend Panda Software's Platinum Internet Security 2005. Our pick as
Best Buy among the suites, Panda scored the highest of the three in
total spyware removal..."
"We are extremely proud of this recognition, which confirms Panda
Software's commitment to protecting its clients from spyware and all other
types of threats," declared Iñaki Urzay, Chief Technical Officer at
Panda Software.
The Panda Software solution was the only one able to eliminate 100% of
running processes, ahead of specific anti-spyware solutions such as
McAfee AntiSpyware 2006 or Trend Micro Anti-Spyware 3.0. Similarly, Panda
Platinum Internet Security was able to eliminate 100 percent of BHOs
(browser helper objects) and unwanted toolbars, components frequently
used to hijack browsers.
The PC World review also highlights the ease-of-use of this security
suite, as it offers great effectiveness in eliminating spyware without
constantly requiring users to make decisions.
"...When it came to ease of use, Panda's suite was top-notch, removing
detected adware and spyware without relying on user input. You can also
change the default settings to allow case-by-case decision-making,"
according to PC World.
"The combination of reactive technologies and TruPrevent(TM) proactive
technologies to combat spyware is not only available in Platinum
Internet Security, but also in all of our products, both for consumers and
corporate users," explains Ignacio Ayerbe, director of Panda Software's
Consumer Business Unit.
Source: Panda Software
-
October 7, 2005 - This week's report looks at three threats:
the Banker.AXW and Format.A Trojans, and the Sober.Y email worm.
Format.A is a Trojan that passes itself off as a tool developed to run
unsigned code on the PSP (PlayStation Portable) console. However, when it
is run, it deletes files the console needs in order to function, and as a
result the console will no longer start up. In order to spread,
Format.A describes itself as an application for changing, by means of an
exploit, the BIOS version of PSP consoles to an older version in
order to run pirated games.
Banker.AXW is a Trojan that monitors windows whose title bars contain
certain text strings, mostly related to banks. It then logs the
keystrokes entered in those windows to capture passwords and other sensitive
data. The Trojan uses several PHP scripts to send off the
information it has gathered. As with most Trojans, Banker.AXW cannot spread
automatically by its own means; it needs an attacker's
intervention to reach the affected computer. The means of transmission
include, among others, floppy disks, CD-ROMs, email messages with
attached files and Internet downloads.
Finally, Sober.Y is a new variant of this family of worms which, like
its predecessors, can spread rapidly via email. Just a few hours after
it first appeared, PandaLabs began to detect cases on users'
computers around the world. To prevent Sober.Y from continuing to spread, in
particular to those computers without adequate anti-malware protection,
Panda Software has made the free PQRemove application available to users
to detect and remove this worm from any computer it may have affected.
The tool can be downloaded from
http://www.pandasoftware.com/download/utilities/
Sober.Y uses two types of mail to propagate: firstly, an email in
English with the subject "Your new password", which tries to make users
think it is a notification of a password change, asking them to check the
details in an attached file, pword_change.zip. Secondly, an email written
in German claiming to contain a photograph of old school friends in the
file KlassenFoto.zip. Both compressed files contain the executable
PW_Klass.Pic.packed-bitmap.exe, which is a copy of the worm itself.
If the file is run, a fake CRC error is displayed, even though the
worm is already active. The worm collects email addresses from files
with certain extensions on the compromised computer and sends itself
out to them in the emails described above using its own SMTP engine. It
only uses the German version of the email when the recipient address ends in
.de (Germany), .ch (Switzerland), .at (Austria) or .li (Liechtenstein).
Source: Panda Software
-
Madrid, October 26, 2005 - A vulnerability has been detected in
Microsoft Internet Explorer which could allow remote attackers to
cause denial of service conditions.
According to the bulletin released by SecurityTracker, the security
flaw lies in the J2SE Runtime Environment. An attacker could create
malicious HTML code that, when loaded by the user in the Microsoft
browser, exploits the vulnerability in mshtmled.dll and causes
Internet Explorer to stop responding.
An update that resolves this problem is not yet available, and
therefore users are advised not to visit unknown or untrusted websites. An
exploit (*) for this vulnerability has been published, which increases
the probability of being affected.
(*) Exploit: a technique or program that takes advantage of a security flaw (a
vulnerability) in a certain communication protocol, operating system or
IT tool.
-
Weak Oracle password hashing
October 28 2005 - A study has been published highlighting the
weakness of the algorithm used for hashing and storing passwords in
Oracle.
Joshua Wright, SANS Institute researcher, and Carlos Cid of Royal
Holloway College, University of London, have revealed the method
used to hash Oracle database passwords before they are stored. The
weaknesses discovered include the fact that all passwords are converted
to upper case before the hash is calculated, drastically reducing the
number of combinations to try in a dictionary or brute-force attack.
In addition, Wright has presented a tool that exploits the detected
weaknesses, allowing an attacker with limited resources to recover the
password starting from the hash of a known user.
Until Oracle strengthens the algorithm used to store passwords,
experts recommend using strong passwords (sufficiently long, with a
combination of different types of characters), as well as assigning
users the minimum privileges necessary, to mitigate the effects of a
possible compromise of their accounts.
More information at:
http://www.sans.org/rr/special/index.php?id=oracle_pass
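To put a number on the weakness described above, here is an added example (not the SANS tool, and it does not implement the Oracle hash itself): it shows how every case variation of a guess collapses to a single hash input once the password is uppercased, and by how much an alphanumeric brute-force space shrinks. The word list is constructed for the example.

```python
"""Why uppercase folding hurts: candidate-space collapse for Oracle password hashes.

Added example, not the SANS tool; it does not implement the Oracle hash
itself. It only quantifies the weakness the study describes: because
the password is uppercased before hashing, every case variation of a
guess maps to the same hash input. The word list below is constructed.
"""
from itertools import product
import string

CASE_SENSITIVE_ALPHABET = string.ascii_letters + string.digits   # 62 symbols
CASE_FOLDED_ALPHABET = string.ascii_uppercase + string.digits    # 36 symbols


def case_variants(word):
    """Every case mangling of a word: 2**k strings for k letters."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    return {"".join(p) for p in product(*choices)}


def fold_like_oracle(candidates):
    """Distinct inputs that actually reach the hash after uppercasing."""
    return {c.upper() for c in candidates}


def keyspace(length, case_sensitive=True):
    """Brute-force space for alphanumeric passwords of the given length."""
    alphabet = CASE_SENSITIVE_ALPHABET if case_sensitive else CASE_FOLDED_ALPHABET
    return len(alphabet) ** length


def reduction_factor(length):
    """How many times smaller the search becomes once case is folded."""
    return keyspace(length, True) / keyspace(length, False)


def wasted_guesses(wordlist):
    """Guesses a case-mangling rule set would spend versus distinct hash inputs."""
    mangled = set()
    for word in wordlist:
        mangled |= case_variants(word)
    folded = fold_like_oracle(mangled)
    return len(mangled), len(folded)


if __name__ == "__main__":
    words = ["tiger", "manager", "change_on_install"]   # constructed list
    print("mangled guesses vs distinct hash inputs:", wasted_guesses(words))
    print("8-char alphanumeric space shrinks by a factor of",
          round(reduction_factor(8), 1))
```

The practical reading: an attacker who knows the target is Oracle drops every case-toggling rule from the wordlist and tries each word once, and an 8-character alphanumeric brute force is roughly 77 times cheaper than against a case-preserving hash.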
-
October , 2005 - This week's report describes a worm
-SdBot.FME-, a macro Trojan -Naiva.A-, a backdoor Trojan -IRCBot.NT-, and
a hacking tool called Mirkov.
SdBot.FME is a worm that spreads by exploiting the following four
security flaws, listed here with the number of the Microsoft
bulletin that describes each: remote code execution in Plug and Play
(PnP) (MS05-039); RPC-DCOM (MS04-012); LSASS (MS04-011); and a
vulnerability in the Workstation Service (MS03-049).
SdBot.FME contains a backdoor Trojan that connects to several IRC
servers, through which it can receive commands, including:
download and run files via HTTP, register and delete services, set the
level of the security policies, or carry out denial of service attacks.
The second threat in this week's report is Naiva.A which, like all
Trojans, cannot spread by its own means but needs to be distributed
manually by third parties (via email, Internet downloads, file
transfers via FTP or other means). This Trojan reaches computers as a Word
document purporting to provide information about the bird flu epidemic.
Naiva.A uses two Word macros. The first calls five kernel functions,
which allow it to modify, create and delete files. It uses the second
macro to install Ranky.FY on the computer, a Trojan that allows a
potential attacker to gain remote control of the affected computer.
To avoid falling victim to Naiva.A, users should ensure that the macro
security level is set to medium, to receive a warning when macros are run,
or to high, to stop them from running at all.
IRCBot.NT is a backdoor Trojan that cannot spread by its own means,
although it can receive remote control commands to get into other
computers by exploiting the Plug and Play vulnerability.
Once installed on a computer, IRCBot.NT carries out several actions,
including:
- Connecting to two IRC servers to receive remote control commands (IP
scanning, denial of service attacks, and downloading and running files).
- Creating several files. One of these aims to bypass process-oriented
firewalls.
- Registering itself as a Windows service.
We finish this week's report with Mirkov, a hacking tool
that allows an attacker to gain remote control over the affected
computer through a web browser. It can receive various control
commands, such as download files or end a process. It can also capture the
keystrokes entered by the user, which can be used to collect passwords
or other confidential information, compromising user privacy.
Source: Panda Software
-
Denial of service in Apache Web servers
October 2005 - According to SecurityTracker, a vulnerability
has been detected in Apache Web servers that could be used by remote
attackers to cause a denial of service. To prevent this problem an
update has been published for Apache web servers, and IBM has issued a
fix for IBM HTTP Server (which is based on the Apache server).
In certain situations, after an aborted
connection, a remote user can trigger a memory leak in the
worker Multi-Processing Module code. The flaw lies in
'server/mpm/worker/worker.c'.
The update for Apache Web server is available, via SVN, at:
http://svn.apache.org/viewcvs.cgi/ht...orker/worker.c
-
Phishing and pharming
October 31 2005 -
Phishing involves stealing bank details over the Internet. This is usually done by sending users an email that tries to convince them to visit a spoofed web page and enter confidential data (account number, PIN, etc.), which is then logged by the page. Normally, after the data is entered an error page appears, so that victims think they have not been able to connect and therefore do not suspect anything.
Another technique for stealing bank details involves dropping a malicious Trojan, usually a keylogger (a program which captures keystrokes), on the victim's computer. The keylogger is usually activated when the Trojan detects that the user is on a bank website and, from then on, it captures all the keystrokes entered by the user, which usually include usernames, passwords, account numbers and other bank details.
In addition to these methods, a newer and more sophisticated method called pharming has recently been reported. In this case the attack is carried out on the user's computer or at the Internet service provider, so that when the user requests their bank's page they are redirected to an imitation website.
Currently, detection of these electronic fraud threats depends on whether they use conventional malware techniques. In the case of phishing, the attack can be detected if it is spread using spamming techniques, if it uses known keyloggers, or if it exploits a browser vulnerability that allows false addresses to be displayed in the address bar. With pharming, neutralizing the attack is more complex, especially if the attack is carried out by external malicious users and no malware has previously been dropped on the computer.
Source: Panda Software
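The pharming variant carried out "on the user's computer" is, in its common form, an edited hosts file that pins the bank's hostname to an attacker-controlled address so the browser never asks DNS. The following added example (not Panda's code) checks a hosts file for exactly that; the watched domains and the sample hosts content are constructed for the example, and the hosts-file technique itself is an assumption about what the article leaves unspecified.

```python
"""Hosts-file check for local pharming (added example, not Panda's code).

The article says pharming can be carried out "on the user's computer";
this example assumes the common form of that, an edited hosts file that
pins a bank's hostname to an attacker-controlled address. The watched
domains and the sample hosts file are constructed for the example.
"""
import ipaddress

# Hypothetical: domains whose resolution must never be overridden locally.
WATCHED_DOMAINS = {"bank.example", "onlinebanking.example"}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every valid hosts entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()        # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # not a hosts entry
        for host in fields[1:]:
            yield lineno, ip, host.lower().rstrip(".")


def is_watched(host, watched=WATCHED_DOMAINS):
    """True for a watched domain or any name beneath it."""
    return host in watched or any(host.endswith("." + d) for d in watched)


def find_pharming(text, watched=WATCHED_DOMAINS):
    """Return (line, host, ip) for every watched name pinned in the hosts file.

    Any pin is reported, even to loopback: a hosts entry bypasses DNS, and
    DNS is the only place these names should resolve from.
    """
    return [(lineno, host, str(ip))
            for lineno, ip, host in parse_hosts(text)
            if is_watched(host, watched)]


# Constructed sample (not captured from a real machine).
SAMPLE_HOSTS = """\
# hosts file sample
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example            # harmless internal pin
203.0.113.45    www.bank.example bank.example   # pharming: bank pinned to attacker IP
"""

if __name__ == "__main__":
    for lineno, host, ip in find_pharming(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} pinned to {ip}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems /etc/hosts. The check covers only the local half of pharming; a poisoned ISP resolver leaves the hosts file clean, which is the case the article calls harder to neutralize.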
-
November 1, 2005 - PandaLabs reports on a new Mitglieder Trojan variant, named Mitglieder.FK, distributed to computers all over the world. The initial spread of this new variant has been carried out manually using spamming techniques in the last few hours, infecting a large number of computers.
This Trojan has been sent in email messages with variable features: there is no subject, the message body contains the text "info" or "texte", and in every case there is a compressed attachment with one of the following names:
* Health_and_knowledge.zip
* Sms_text.zip
* Max.zip
* Business.zip
* The_new_price.zip
* Info_prices.zip
* Business_dealing.zip
These attachments contain an EXE file which is a copy of the Trojan; if it is opened, it infects the system. If this happens, the Trojan tries to contact a series of URLs, from which it attempts to download a file that is to be copied into the Windows system directory under the name exefld\ with a random number appended. These URLs are hosted on domains in countries such as Russia, Poland and Germany. The Trojan also modifies two registry keys in order to ensure that it runs at every startup.
"Even though the Trojan doesn't seem to be technically sophisticated, it has infected a significant number of computers, probably because it has been massively distributed to a great number of email addresses," says PandaLabs.
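The Sober.r advisory, the Sober.Y write-up and this Mitglieder.FK report all give mail-level indicators: fixed subjects, fixed attachment names, a known executable inside the zip, and (for Mitglieder) an empty subject with a one-word body. The following added example (not McAfee's or Panda's code) turns those indicators into a scanner that a mail gateway or incident responder could run over a mailbox; the sample messages and their zip payloads are constructed in the script so it runs offline, and the "unknown_exe" sample shows the generic zip-wrapped-executable check that catches a variant the lists do not name.

```python
"""Mail indicator scan for the Sober.r / Sober.Y and Mitglieder.FK mailings.

Added example, not McAfee's or Panda's code. The indicators (subjects,
attachment names, the executable inside the Sober zip, the empty-subject
"info"/"texte" Mitglieder messages) come from the advisories above; the
sample messages and the zip payloads are constructed here so that the
script runs offline.
"""
import email
import io
import zipfile
from email.message import EmailMessage

SOBER_SUBJECTS = {"your new password", "fwd: klassentreffen"}
SOBER_ATTACHMENTS = {"klassenfoto.zip", "pword_change.zip"}
SOBER_INNER_FILE = "pw_klass.pic.packed-bitmap.exe"
MITGLIEDER_BODIES = {"info", "texte"}
MITGLIEDER_ATTACHMENTS = {
    "health_and_knowledge.zip", "sms_text.zip", "max.zip", "business.zip",
    "the_new_price.zip", "info_prices.zip", "business_dealing.zip",
}
# Generic check: any executable wrapped in a zip is worth quarantining.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_members(data):
    """Lower-cased names of the files inside a zip payload; [] if not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name.lower() for name in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def scan_message(raw):
    """Classify one raw RFC 822 message.

    Returns (family, reasons): family is "Sober", "Mitglieder" or None;
    reasons lists the indicators that matched (possibly only the generic
    zip-wrapped-executable check, in which case family stays None).
    """
    msg = email.message_from_bytes(raw)
    subject = (msg.get("Subject") or "").strip().rstrip(".").lower()
    body, attachments = "", []
    for part in msg.walk():
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            attachments.append((part.get_filename().lower(), payload))
        elif part.get_content_type() == "text/plain":
            body += payload.decode("utf-8", "replace")
    body = body.strip().lower()

    family, reasons = None, []
    if subject in SOBER_SUBJECTS:
        family = "Sober"
        reasons.append(f"Sober subject '{subject}'")
    for name, data in attachments:
        inner = zip_members(data)
        if name in SOBER_ATTACHMENTS:
            family = "Sober"
            reasons.append(f"Sober attachment {name}")
        if SOBER_INNER_FILE in inner:
            family = "Sober"
            reasons.append(f"{name} contains {SOBER_INNER_FILE}")
        if name in MITGLIEDER_ATTACHMENTS and not subject and body in MITGLIEDER_BODIES:
            family = "Mitglieder"
            reasons.append(f"no subject, body '{body}', attachment {name}")
        if family is None and any(m.endswith(EXEC_EXTENSIONS) for m in inner):
            reasons.append(f"{name} wraps an executable: {inner}")
    return family, reasons


def build_sample(subject, body, attach_name, inner_name):
    """Construct a message with one zip attachment holding one file (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ\x90\x00 placeholder, not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attach_name)
    return msg.as_bytes()


# Constructed samples mirroring the advisories (no real malware involved).
SAMPLES = {
    "sober_en": build_sample("Your new Password.",
                             "Your password was successfully changed!",
                             "pword_change.zip", "PW_Klass.Pic.packed-bitmap.exe"),
    "sober_de": build_sample("Fwd: Klassentreffen",
                             "ich habe unser klassenfoto mit angehaengt.",
                             "KlassenFoto.zip", "PW_Klass.Pic.packed-bitmap.exe"),
    "mitglieder": build_sample(None, "info", "Sms_text.zip", "sms_text.exe"),
    "unknown_exe": build_sample("Photos", "see attached", "photos.zip", "photo.exe"),
    "benign": build_sample("Quarterly report", "see attached", "report.zip", "report.pdf"),
}


def scan_samples():
    """Run the scanner over every constructed sample."""
    return {label: scan_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, (family, reasons) in scan_samples().items():
        print(f"{label:12s} family={family} reasons={reasons}")
```

The subject match strips a trailing period so that McAfee's "Your new Password." and Panda's "Your new password" hit the same rule. Looking inside the zip matters more than the outer file name: Sober's filename is the one thing a re-spammer changes first, while the packed executable name is shared by both mailings.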
-
Over 30 countries already affected by the wave of Mitglieder Trojans
November 3 2005 - The avalanche of Mitglieder Trojans continues: over thirty countries are now affected by the different variants of this threat. Four of the five variants (FK, FL, FM and FN) are among the six threats most frequently detected by Panda Software's online antivirus solution, Panda ActiveScan. What's more, PandaLabs has confirmed that the Bagle.FN worm has teamed up with the Mitglieder.FK Trojan, which it sends from the computers it infects in order to increase its rate of propagation.
This worm spreads by sending itself as a file attached to an email to all the addresses it finds on the affected computer. Its main actions consist of leaving the computer unprotected and trying to download a file designed to generate the emails in which copies of Mitglieder.FK are sent out.
Even though new variants of Mitglieder have been released, their function is very similar: Trojans that install themselves on computers and, in the case of the FK, FL and FN variants, try to download files from a remote website, which could open the door to other threats. The main actions of the FM variant are to disable the antivirus protection installed on the computer, block access to web pages, mainly those belonging to IT security companies, and prevent users from modifying the Registry, so that these actions cannot be undone.
"Without a doubt, the main trick of these variants is their extremely high rate of propagation, via both manual spamming and through the collaboration of the Bagle worms, which is not a new characteristic of this family," explains Luis Corrons, director of PandaLabs. "One of the hardest hit by these waves of threats could be companies, whose mail could be saturated with emails carrying these Trojans. For this reason, we recommend activating all types of filters to block this threat, especially in corporate environments."
Source: Panda Software