Saturday, April 23, 2011

Adobe Fix for CVE-2011-0609

Adobe released its fix for CVE-2011-0609 this afternoon, making good on last week's advisory dealing with the latest Flash zero-day. Kaspersky Lab products detected the variants as "Trojan-Dropper.MSExcel.SWFDrop" this past week.

While we questioned the usefulness of Flash functionality within Excel spreadsheet cells last week, attackers were sending out emails containing just these sorts of files. Our Kaspersky Security Network statistics saw very low numbers spread out across the globe, revealing attackers making targeted use of this zero-day attack.


Directly executable .txt? Yes!

I'm sure you know the good old tricks with hidden extensions, multiple extensions, long file names, etc. Today we're going to look at a much more sophisticated way of confusing users. Did you think that when you've got some file...


Fake AV served up by phony NACHA emails


TDL rootkit vulnerability fix in Patch Tuesday


Definition file update for Ad-Aware.


149.689 is now available, new definition file for Ad-Aware 8.2.

150.374 is now available, new definition file for Ad-Aware 9.x, 8.3.

New definitions:
====================
Win32.Trojan.Lname


Updated definitions:
====================


MD5 checksum for Ad-Aware core.aawdef is 8caded99e3d511ac0c123dff8957a2d1


Definition file update for Ad-Aware.


149.691 is now available, new definition file for Ad-Aware 8.2.

150.376 is now available, new definition file for Ad-Aware 9.x, 8.3.

New definitions:
====================


Updated definitions:
====================


MD5 checksum for Ad-Aware core.aawdef is e58d48852b21ca3775266295166ebdc4


Download for Japan...or not


Friday, April 22, 2011

Definition file update for Ad-Aware.


149.682 is now available, new definition file for Ad-Aware 8.2.

150.367 is now available, new definition file for Ad-Aware 9.x, 8.3.

New definitions:
====================


Updated definitions:
====================


MD5 checksum for Ad-Aware core.aawdef is 3402ad540bab2a82edfaf6231f9e3c78


World Record for Disaster Scam Site?

Approximately two hours after an 8.9 earthquake hit northeast Japan we spotted the first potential donation scam site. We’ve seen this before of course, but for a scam site to appear in just two hours–indexed and with content–is pretty damn quick in my experience. Hundreds of domains that could be related to the disaster have Read more...


Doctor Who calling... on Skype, with malware

Earlier this week, I received a phone call via Skype on my laptop; the caller's ID was "dralerthelpzc8", as in Dr Alert Help ZC8. The voice on the other end was automated, computerized and otherwise non-human, and alerted me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and that I needed to visit a website to download an update. (This is somewhat similar to the situation where a live person calls and purports to be a Microsoft employee who wants to help you clean your computer. We want to point out that no Microsoft employee would ever call you in an unsolicited manner.)

I found the mystery Skype call odd on two accounts: one, I work for a security company that develops antimalware security software, and two, my Skype settings were initially set to not display whether I'm online. Apparently my privacy settings had no effect on whether I received a random call. More on that later.

After some checking around various forums about this "helpful" (not!) voice message alert, I discovered that many people in the Skype community have also received similar phone calls. There were a lot of references to "scam" and "rogue AV scanners", so my gut feeling was not too far off at all. I did find some other forums that included screen shots with a tell-tale sign that indeed, the referenced site distributed rogue software.

According to IP records, the site mentioned in the automated call (sos**.com, obfuscated intentionally) is listed as belonging to ASN 4134, aka CHINANET-BACKBONE, which has a long list of IP addresses known to distribute malicious code. I attempted to visit the site; however, it was already offline, returning an HTTP 404. There was a cached view available and it resembled a version of a fake scanner web page:

 

Image 1: cached page sos**.com

One forum displayed a screen shot, captured in March, that listed a system tray dialog that looked vaguely familiar. Below is a copy of the message text:

 

Warning errors detected

Click here to view errors list.
Remove this errors as soon as possible to prevent
data lost and privacy information exposure

 

This error message was also used by Trojan:Win32/FakeSpyguard in 2008. The forum mentioned that clicking on the system tray message redirects the web browser to an online purchasing site (also offline) where you can enter a CC number to purchase the (presumed to be) rogue malware.

Reviewing the sequence of events, I decided I would make changes to my Skype account to prevent future spam phone calls of this nature, for instance:

  • select "Allow calls from people in my Contact list only"
  • select "Show that I have video to people in my Contact list only"
  • select "Automatically receive video and screen sharing from people in my Contact list only"
  • select "Allow IMs from people in my Contact list only"
  • unselect "Allow my online status to be shown on the web"


Image 2: Skype privacy settings


For more articles on Skype security, visit this link on the Skype product site:
http://www.skype.com/intl/en-us/security/

- Dan Nicolescu & Patrick Nolan, MMPC


Re: What's New in Norton Internet Security 2012

I am re-considering using the Norton Internet Security, providing this new software operates quietly.

I allowed my license, which I renewed for many years, to expire. When Norton asked why, I indicated that the product kept interrupting my work with nagging messages. I turned off as many as the user interface allowed, but some still occurred.

Additionally, I was not happy that two Firefox add-ons were installed (apparently without my consent) and they were installed such that they could not be removed from Firefox without removing Norton itself. At least I was able to disable these, but their presence was annoying. I chose not to use browser add-on protections.

Please advise if this beta will remain quiet.

I'd prefer the product throw up a message when:

1. it has failed and needs attention

2. it discovered a virus activation and I need to remove it

3. I selected to receive certain messages


Vanessa Hudgens scandal sites are scandalous

adware malware free malware software antispyware

World Record for Disaster Scam Site?

Approximately two hours after an 8.9 earthquake hit northeast Japan we spotted the first potential donation scam site. We’ve seen this before of course, but for a scam site to appear in just two hours–indexed and with content–is pretty damn quick in my experience. Hundreds of domains that could be related to the disaster have Read more...

Another round of bots for MSRT

This month we add another bot to the MSRT family list – Win32/Cycbot. Cycbot was discovered in August 2010 and has quickly become prevalent.

It seems that Cycbot’s creators called it “Gbot”, as it used this name as an identifier in the reports it would send back to its controllers. Recent variants of the malware have stopped using this identifier, possibly in an attempt to make detection more difficult, but the functionality hasn’t changed much. All of Cycbot’s communications are done using HTTP, including the retrieval of backdoor commands. As a backdoor, its functionality is limited to capabilities like updating itself and downloading and running other malware; we’ve seen it download Rogue:Win32/FakePAV in the past. Its main purpose, however, is more subtle.

Cycbot sets itself up as an HTTP proxy for any machine it affects. It does this by listening on a TCP port such as 54141 (this number varies), and then changing the browser’s proxy settings to point to this port on the local host. It can do this for Internet Explorer, Firefox and Opera.

By acting as a proxy, Cycbot can intercept all HTTP traffic to and from the browser, which enables it to direct your browser wherever it wants. For example, it will take a search term you enter into your search engine and pass it to what is effectively an imitation search site - a site that directs you to anywhere that will pay them money for the referral. At best, this will lead to an advertisement that is unrelated to what you were searching for; often, however, it leads to more malware. Right now, several of the “search” results that Cycbot loads attempt to install malware, including one page that looks quite familiar.
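
A defender's check for the proxy hijack just described, added here as an example rather than code from the MMPC post: it inspects the WinINet ProxyServer string (the value Internet Explorer reads from the Internet Settings registry key) and Firefox prefs.js settings for a proxy that points back at the local host. The sample values below are constructed; only port 54141 comes from the post.

```python
import re
from ipaddress import ip_address

# Constructed sample values in the formats Windows Internet Settings
# (ProxyServer value) and Firefox prefs.js actually use.
# Port 54141 is the example quoted in the post; everything else is invented.
IE_PROXY_SERVER_CLEAN = "proxy.corp.example:8080"
IE_PROXY_SERVER_SUSPECT = "http=127.0.0.1:54141;https=127.0.0.1:54141"
FIREFOX_PREFS_SUSPECT = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 54141);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 54141);
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def is_loopback_host(host):
    """True for a loopback hostname or any 127.0.0.0/8 or ::1 address."""
    host = host.strip().strip("[]").lower()
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_ie_proxy_server(value):
    """Parse a WinINet ProxyServer string into {scheme: (host, port)}.
    The value is either 'host:port' (used for every protocol, keyed 'all')
    or 'http=host:port;https=host:port;...' (one entry per protocol)."""
    entries = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        host = host.strip("[]")  # IPv6 literals are written as [addr]:port
        entries[scheme or "all"] = (host, int(port) if port.isdigit() else None)
    return entries


def loopback_proxies_ie(value):
    """(scheme, host, port) entries of a ProxyServer string that point at this host."""
    return [(scheme, host, port)
            for scheme, (host, port) in parse_ie_proxy_server(value).items()
            if is_loopback_host(host)]


_PREF_RE = re.compile(
    r'user_pref\("network\.proxy\.(\w+)",\s*(?:"([^"]*)"|(\d+))\);')


def loopback_proxies_firefox(prefs_text):
    """Pair network.proxy.<proto> with network.proxy.<proto>_port in prefs.js
    and return the (proto, host, port) entries that point at this host."""
    prefs = {}
    for m in _PREF_RE.finditer(prefs_text):
        key, str_val, int_val = m.groups()
        prefs[key] = str_val if str_val is not None else int(int_val)
    if prefs.get("type") != 1:  # 1 = manual proxy configuration
        return []
    return [(proto, prefs[proto], prefs.get(proto + "_port"))
            for proto in ("http", "ssl", "ftp", "socks")
            if isinstance(prefs.get(proto), str) and is_loopback_host(prefs[proto])]


if __name__ == "__main__":
    print("IE :", loopback_proxies_ie(IE_PROXY_SERVER_SUSPECT))
    print("FF :", loopback_proxies_firefox(FIREFOX_PREFS_SUSPECT))
```

A loopback proxy is not proof of infection on its own: some security products and developer tools (local filtering or debugging proxies) register the same way, so treat a hit as a lead to correlate with whichever process is listening on that port.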

Spending as much time as I do looking at rogues, I am all too familiar with this kind of sham. This one is currently pushing Rogue:Win32/Winwebsec.

Cycbot is a type of “intermediate” malware – a means to an end, in many ways reminiscent of Win32/Renos. Controlling the browser can provide its creators with diverse ways of exploiting an affected user, while causing the user various kinds of pain.

-- Hamish O'Dea

How to remove XP Anti-Virus 2011 rogue anti-spyware

We will rock you....with Fake AV

Thursday, April 21, 2011

LizaMoon the Latest SQL-Injection Attack

Working in the security industry brings about a myriad of challenges. This is especially true for vendors. We must do our best to educate and inform. At the same time, we want to avoid laying on the FUD–or scaring customers into making poorly educated security decisions. Which brings us to the recent LizaMoon attacks. There Read more...

U.K. Tax Scams on the Horizon

As the saying goes: Death and taxes are the only constants in life. This adage can be applied to scams on the Internet as well. Every tax season we can count on scams like these to raise their heads and try to bilk users out of their identity information and hard-earned money. A few of Read more...

Scam emails: BlackBerry, Western Union, UPS, DHL, FedEx, ...

Quite a lot of people have received an email from Amanda Lee (amanda.lee@blackberry.co.za or amanda.lee@blackberry.com) in which she claims to be the Marketing Manager of BlackBerry. According to the message, BlackBerry will give away a mobile phone for free simply for forwarding the email to several people; this was also reported by Hoax-Slayer. In addition, [...]

Highly advanced worm for sabotaging nuclear facilities

A few days ago, it was reported that Stuxnet attacked Heysham Power Station, a nuclear power station in the UK (one of the two reactors at Heysham 1, owned by the French energy company EDF). However, as quoted by The Register, an EDF spokesperson said “I can confirm that on Heysham 1 there is no Siemens S7 equipment in [...]

How to remove Windows Fix Disk fake security program

How to remove Softnate.com hijacker

AVG for Linux achieved VB100 award

Just a quick look back at the latest VB100 comparative review, published in February's Virus Bulletin. The review was done on the Ubuntu Linux platform, and our AVG for Linux was granted another VB100 award. It was its...

Lab Matters - The State of Spam

The end of 2010 was a rather bad time to be a spammer. Thanks to an industry-wide effort that included botnet takedowns and legal cases, we saw a dramatic shift in the way spammers used unsolicited e-mail to make money. In this Lab Matters webcast, Kaspersky Lab senior spam analyst Maria Namestnikova looks closely at the pharmaceutical spam operations and discusses how spammers are using affiliate programs and rebuilt botnets to recover from last year’s crackdown.

MSRT March'11 featuring Win32/Renocide

This month we are releasing another instalment of our Malicious Software Removal Tool (MSRT), which now includes Win32/Renocide detection and cleaning capabilities.

Win32/Renocide is a family of worms that spread via local, removable, and network drives and also by means of file sharing applications.

It spreads across the local network by scanning it with the subnet mask 255.255.0.0, looking for writable shares to which it can copy itself together with an autorun.inf file. It also uses the NetBIOS protocol to find machines on the local network where it can plant copies of itself.

To infect computers beyond the local network, it plants copies of itself in the shared folders of popular file sharing applications. This step also involves social engineering techniques to maximize infection success. This is done by using enticing names for its copies in the shared folders, and to make sure this is always the case, it uses the following process:

  1. Access some popular torrent sites and download the top 100 titles of popular games and/or applications.
  2. Randomly pick 50 titles.
  3. Append to the titles one of the following suffixes:
    • .Crack
    • .Activator
    • .Keygen
    • .Validator
    • -Razor1911
    • -RELOADED
    • –KeyMaker
  4. Create a Readme.txt file that contains this generated name.
  5. Use WinRAR or 7zip to create an archive of itself copied with the same generated name and the above Readme.txt file.
  6. Place the archive in the shared folder of the file sharing application, again using the generated name.

It is worth mentioning that if the host does not have WinRAR archiver installed, it tries to download a copy of the 7zip archiver from its own servers.
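
Added example (not part of the MSRT post): a small scan of share and shared-folder listings for the artefacts the process above leaves behind, built from the suffix list quoted in the post. The folder names and file names are constructed.

```python
# Lure suffixes quoted in the post (the dash before KeyMaker normalised to '-')
# and the archive types the worm is said to use (WinRAR or 7zip output).
LURE_SUFFIXES = (".Crack", ".Activator", ".Keygen", ".Validator",
                 "-Razor1911", "-RELOADED", "-KeyMaker")
ARCHIVE_EXTS = (".rar", ".zip", ".7z")

# Constructed directory listings: {folder: set of file names}. The folder
# names are invented; the lure names follow the pattern described above.
SAMPLE_LISTING = {
    r"\\fileserver\public": {"Quarterly.xlsx", "autorun.inf", "setup.exe"},
    r"C:\Users\alice\Downloads\shared": {
        "Readme.txt",
        "SomeGame.Crack.rar",
        "SomeGame-RELOADED.zip",
        "PhotoEditor.Keygen.7z",
        "holiday.jpg",
    },
    r"C:\Users\bob\Documents": {"notes.txt", "budget.ods"},
}


def split_lure_name(filename):
    """Return (title, suffix, ext) when filename matches '<title><suffix><archive ext>',
    matched case-insensitively; otherwise None."""
    lower = filename.lower()
    for ext in ARCHIVE_EXTS:
        if not lower.endswith(ext):
            continue
        stem = filename[:-len(ext)]
        for suffix in LURE_SUFFIXES:
            if stem.lower().endswith(suffix.lower()):
                return stem[:-len(suffix)], suffix, ext
        return None
    return None


def find_share_indicators(listing):
    """Scan each folder for the three artefacts the post describes:
    an autorun.inf dropped on a writable share, archives carrying a lure
    suffix, and a Readme.txt sitting next to such archives.
    Returns a list of (folder, indicator, detail) tuples."""
    findings = []
    for folder, names in listing.items():
        by_lower = {n.lower(): n for n in names}
        if "autorun.inf" in by_lower:
            findings.append((folder, "autorun.inf on share", by_lower["autorun.inf"]))
        lures = sorted(n for n in names if split_lure_name(n))
        if lures:
            findings.append((folder, "lure-named archives", lures))
            if "readme.txt" in by_lower:
                findings.append((folder, "readme beside lure archives", by_lower["readme.txt"]))
    return findings


def distinct_lure_titles(names):
    """How many different titles the lure archives in a folder advertise;
    a folder suddenly offering dozens at once is the pattern the worm produces."""
    return len({split_lure_name(n)[0].lower() for n in names if split_lure_name(n)})


if __name__ == "__main__":
    for folder, indicator, detail in find_share_indicators(SAMPLE_LISTING):
        print(f"{folder}: {indicator} -> {detail}")
```

Lure names alone will match genuine warez downloads on a user's machine, so the strongest signal is the combination: many distinct titles appearing in one share within a short window, each paired with the same Readme.txt, plus an autorun.inf on a share that should not have one.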

This is an example of what an infected shared folder looks like after this process:

Win32/Renocide has IRC-based backdoor functionality, which may allow a remote attacker to execute commands on the affected computers. The bot recognizes over 50 commands; the complete list is available in the Win32/Renocide family description. The commands give the attacker a high level of granularity over the botnet. It can even erase its traces by deleting all evidence, using the "cometerharakiri" command, or alternatively add new features by uploading encrypted AutoIt scripts which get compiled and run on the host machine (using the "plugin" command). It also appears that the writer of this bot is a Spanish speaker!

Besides the IRC module described above, Win32/Renocide can execute commands stored in text files downloaded from the internet. The URLs of these files are hardcoded into every variant of the worm. These files look like batches of commands to be executed by the bot, as a failsafe, in case the IRC connection fails. These are the same commands that it can receive through IRC, but rebranded (they use different keywords)! Once the file is downloaded, the actions are executed without the intervention of the attacker.

Unlike the IRC commands, the command keywords in these files are not meaningful words; instead, garbage-like keywords are used, for example "M8Y77V69S8488S689O99Q" for downloading a file from a given URL. The arguments to the commands are also encrypted. Such a command file looks like this:

You can find out more about Win32/Renocide from our malware encyclopedia.

We have monitored the files that Win32/Renocide worm downloads and found that, in the wild, variants of TrojanDownloader:Win32/Renos are being downloaded and installed on the infected computers.

We urge you to give MSRT a try if you suspect that you are infected by this worm.

Marian Radu
MMPC Dublin

Scam email leads to Keylogger. Beware!

Among a lot of various scam emails about “post express“, we found one email that is unfamiliar, and pretty sure this is a different malware, with subject “Available for pickup“, and included an executable attachment file, “Sent.exe“. Dear Sir I have just returned and received your message — it is 2:25 am in Vancouver. I [...]

How to remove Win 7 Security rogue anti-spyware

Wednesday, April 20, 2011

“Undelivered package” spam still continues

Again, we would like to remind you: if you get an email that claims to come from a delivery company, please do not immediately believe it, because it could be a fake email that contains a virus. These seem to have started rising again, since we are still receiving many reports of these spam [...]

A Web of (Mis)Trust?

At our international press tour held in Moscow in early February, we spoke about the dissolution of trust on the internet and discussed the possibility of Certificate Authority subversion and the impact of abused digital certificates.

Our speculation was partly driven by the abuse of trust, involving the stolen Stuxnet digital certificates, that Kaspersky Lab monitored and prevented.

Re: Norton DNS 1.5 beta now has web filtering

That's not true, it can miscategorize good websites in being bad ones. Please KhanhT, update the Norton DNS product because in Normal mode, I can't configure it nor if I want to uninstall it, it won't allow that. And again, correct the issue of categorizing websites before it becomes a major issue.

The little trick about the Startup menu

There are a lot of dirty tricks used by bad boys to fool users, so let's have a look at one of these. You may have noticed the “Startup” folder in the Start menu; it is designed to make things...

Embedded JavaScript in SWF

In a blog published in November titled “Explore the CVE-2010-3654 matryoshka”, we discussed a 0-day Shockwave (SWF) exploit that uses JavaScript to do malicious actions. In this blog, we discuss another advanced way SWF malware is combined with JavaScript, only this time without using a 0-day exploit.

In January we noticed a very large spike in telemetry for a threat named Trojan:SWF/Jaswi.A. Going back to December 2010, we had picked up a few spikes for this issue: one around Christmas, a second after New Year's, and then a third and largest spike the weekend after New Year's:

Image 1a – Prevalence chart for Trojan:SWF/Jaswi.A

When we looked deeper into the targets of these attacks, we discovered that they were predominantly reported by computers in South Korea. Since the beginning of this year, 89% of the targets were in South Korea, with 75% of them specifically in Seoul. Here's a chart with a breakdown by unique machines in the months January and February of this year (there has been no activity in March):

Image 1b – Attack attempts by unique machines in the months January and February of 2011

Interested in the anomaly, I decided to have a look. After spending some time reviewing it, an interesting thing emerged. The malware Trojan:SWF/Jaswi.A is unlike other SWF malware; other SWF malware typically calls “getURL <website address>” within an ACTION tag in order to visit a malicious website link without user consent. For more about this, see the following:
http://blogs.technet.com/b/mmpc/archive/2008/10/31/swf-for-malware-deployment.aspx

Trojan:SWF/Jaswi.A contains an embedded malicious JavaScript that initiates a legal Windows API call to trigger the payload. Although the analysis was only slightly involved, let's take a simple step-by-step tour of the malware.

1. SWF with embedded JavaScript

Image 2 – Embedded JavaScript within Trojan:SWF/Jaswi.A

If we convert the JavaScript into Actionscript, it should appear as below:

Image 3 – JavaScript from Image 2 converted to Actionscript illustrating Windows API call

From the image above, we can see the legitimate function ExternalInterface.call() being used to inject JavaScript into the hosting page. This is not a new method, but only a few SWF malware families take advantage of it.

2. JavaScript obfuscation
We notice the embedded JavaScript is also lightly obfuscated with the method “fromCharCode()”. After decoding, the real JavaScript code appears (edited below):

Image 4 ? Decrypted JavaScript with black-outs added

Looks familiar? Yes, the Microsoft Internet Explorer vulnerability CVE-2010-0806 has been abused! This particular exploit affects Microsoft Internet Explorer versions 6, 6+SP1 and 7, and could allow a remote attacker to execute arbitrary code.

3. Shellcode
In Image 4 above, you can see Unicode-escaped data decoded by the method “unescape()”; this is the malware's shellcode body, which includes a simple XOR routine to avoid detection. Working further through the obfuscation, we finally reach the destination, shown below:

Image 5 – Destination URL indicating an executable named “uusee.exe”

The file ?uusee.exe? from the obfuscated URL shown above is actually a prevalent password stealer in China that Microsoft antimalware technologies detects as PWS:Win32/Lolyda.AU (SHA1: 0bd98a39c2eaa9c523e41cec250623b44f6d3239).
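
The three layers walked through above (fromCharCode encoding, an unescape()'d shellcode body, a single-byte XOR over it) can be peeled with a few lines of Python when triaging a sample. The block below is an added example, not the MMPC's tooling; its sample script is constructed around a placeholder host (example.invalid) that borrows only the file name uusee.exe from the post, and it contains no real shellcode, only the XORed URL string.

```python
import re

_FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
_UNESCAPE_RE = re.compile(
    r'unescape\(\s*(["\'])((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}|[^"\'])*)\1\s*\)')
_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def decode_fromcharcode(js):
    """Replace each String.fromCharCode(n, n, ...) call with the string it builds,
    quoted, so the next layer can be searched as plain text."""
    def build(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return "'" + "".join(chr(c) for c in codes) + "'"
    return _FROMCHARCODE_RE.sub(build, js)


def unescape_js(s):
    """Mimic JavaScript's unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one byte."""
    out, i = [], 0
    while i < len(s):
        if s.startswith("%u", i) and i + 6 <= len(s):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        elif s[i] == "%" and i + 3 <= len(s):
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def unescape_blobs(js):
    """Every unescape("...") literal in js, as the little-endian byte image the
    code units would occupy in memory (surrogatepass keeps odd %uD8xx values)."""
    return [unescape_js(m.group(2)).encode("utf-16-le", "surrogatepass")
            for m in _UNESCAPE_RE.finditer(js)]


def xor_single_byte(data, key):
    return bytes(b ^ key for b in data)


def find_xored_urls(blob):
    """Try every single-byte XOR key (key 0 = not encoded) and return the
    (key, url) pairs whose decoded bytes contain an http(s) URL."""
    return [(key, m.group(0).decode("ascii"))
            for key in range(256)
            for m in _URL_RE.finditer(xor_single_byte(blob, key))]


def analyse(js):
    """Peel the layers described in the post: fromCharCode -> unescape -> XOR."""
    return [hit for blob in unescape_blobs(decode_fromcharcode(js))
            for hit in find_xored_urls(blob)]


# --- Constructed sample -------------------------------------------------------
# Built the same way round: the URL (placeholder host) is XORed with one byte,
# %u-escaped, wrapped in unescape(), and that statement is hidden inside
# String.fromCharCode(). No real shellcode is involved.
def to_percent_u(data):
    return "".join("%%u%02x%02x" % (data[i + 1], data[i]) for i in range(0, len(data), 2))

SAMPLE_KEY = 0x55
SAMPLE_URL = b"http://example.invalid/uusee.exe"          # even length, as %u needs
_INNER = 'var sc = unescape("' + to_percent_u(xor_single_byte(SAMPLE_URL, SAMPLE_KEY)) + '");'
SAMPLE_JS = "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in _INNER) + "));"

if __name__ == "__main__":
    print(analyse(SAMPLE_JS))
```

Real samples usually add arithmetic or string-splitting on top of these layers, so the decoder is a starting point rather than a universal one; the XOR key search is cheap because a URL is a long, highly structured string that almost never appears under a wrong key.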

We mentioned the embedded JavaScript technique used in the malicious SWF here because it appears to be a trend and may become a popular method. As always, use caution while surfing the Interwebs and use on-access antimalware protection from a credible scanner (for more information on antimalware software, see http://www.microsoft.com/windows/antivirus-partners/).

-- Tim Liu, Malware Researcher, MMPC

Re: Norton DNS 1.5 beta now has web filtering

Moved to Norton 360 Board for better exposure.

Very bad news, with more bad news embedded

Malware writers never miss the chance to take advantage of big world events, no matter how tragic. The recent Japanese nuclear incident, caused by the devastating earthquakes, is their target this time.

The Microsoft Malware Protection Center has been tracking a new backdoor (detected as Backdoor:Win32/Sajdela.A, SHA1 0c3526c7e1d6b8a3d2f5c21986c03f1dc0d88480) that is distributed by utilizing Exploit:Win32/CVE-2010-3333 - code that exploits a previously-addressed RTF parser stack overflow vulnerability in Microsoft Word that may allow remote code execution. (See Microsoft Security Bulletin MS10-087 for additional details and the appropriate update).

The malware arrives on a victim's system appearing to be a Microsoft Word document (.doc), for example:

The name of this file is in Japanese characters; translated to English it would read "Japan nuclear leakage". In actual fact, the file is in RTF format.

The following picture illustrates the malicious shell code it contains:

The payload of this malware is an embedded executable file. But to elude a heuristic scanner, the malware erases the PE file signatures ('MZ' and 'PE').

After successful exploitation, the malware recovers this information before writing the PE file to disk and then executing it.
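
Added example, not from the MMPC post: a structural scan that finds a PE image inside a document even after the 'MZ' and 'PE' signatures have been blanked as described above. Instead of the signature bytes it checks what the loader itself needs (e_lfanew, the Machine field, a sane section count, the optional-header magic), which the malware has to keep intact so that it can restore the file. The RTF wrapper and the minimal header are constructed.

```python
import struct

# Machine types and optional-header magics worth recognising; constants from the PE spec.
PE_MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def pe_header_at(buf, off, require_signatures=False):
    """Structural test for a PE image beginning at buf[off]. With
    require_signatures=False the 'MZ' and 'PE\\0\\0' bytes are ignored, so a
    header whose signatures were blanked is still recognised from e_lfanew,
    the file header fields and the optional-header magic."""
    if off + 0x40 > len(buf):
        return None
    if require_signatures and buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew must clear the DOS header, stay plausible, and leave room for
    # signature (4) + file header (20) + optional-header magic (2)
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 26 > len(buf):
        return None
    if require_signatures and buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    if machine not in PE_MACHINES or not 1 <= nsections <= 96:
        return None
    magic = struct.unpack_from("<H", buf, pe + 24)[0]
    if magic not in OPT_MAGICS:
        return None
    # the usual optional-header sizes: 0xE0 for PE32, 0xF0 for PE32+
    if opt_size != (0xE0 if magic == 0x10B else 0xF0):
        return None
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return None
    return {"offset": off, "machine": PE_MACHINES[machine], "format": OPT_MAGICS[magic],
            "sections": nsections, "mz_present": buf[off:off + 2] == b"MZ",
            "pe_present": buf[pe:pe + 4] == b"PE\0\0"}


def find_embedded_pe(buf, require_signatures=False):
    """Scan every offset of buf (e.g. an RTF or Office file) for PE headers."""
    return [h for off in range(0, len(buf) - 0x40)
            for h in [pe_header_at(buf, off, require_signatures)] if h]


# --- Constructed sample -------------------------------------------------------
def build_minimal_pe_header(strip_signatures):
    """DOS header + stub + PE file header + optional header, no code or
    sections; just enough structure to exercise the detector."""
    img = bytearray(0x80)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x014C, 3, 0x4D8A0000, 0, 0, 0xE0, 0x0102)
    img += struct.pack("<H", 0x10B) + bytes(0xE0 - 2)  # PE32 magic, rest zeroed
    if strip_signatures:
        img[0:2] = b"\0\0"
        img[0x80:0x84] = b"\0\0\0\0"
    return bytes(img)

SAMPLE_PREFIX = b"{\\rtf1\\ansi some harmless text " + bytes(range(0x20, 0x60))
SAMPLE_RTF_STRIPPED = SAMPLE_PREFIX + build_minimal_pe_header(True) + b"}"
SAMPLE_RTF_INTACT = SAMPLE_PREFIX + build_minimal_pe_header(False) + b"}"

if __name__ == "__main__":
    print("signature scan :", find_embedded_pe(SAMPLE_RTF_STRIPPED, require_signatures=True))
    print("structural scan:", find_embedded_pe(SAMPLE_RTF_STRIPPED))
```

The signature-only scan returns nothing for the stripped sample while the structural scan still reports the image with mz_present and pe_present both False, which is itself a useful indicator: a PE-shaped header with no signature has no business being inside a document.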

In order to mislead victims, the malware also drops a hidden Microsoft Word document to "c:\word.doc" and opens it. The content of this file is in Japanese, and is regarding the recent nuclear incident.

This file contains the following file properties:

(A clue to the identity of the malware authors perhaps?)

The backdoor component

Installing the backdoor component is the ultimate purpose of this malware. The backdoor component is an encrypted resource inside the malware. When the malware executes, it decrypts the resource and drops it to %SystemRoot%\System32\csrls.dll.

The backdoor utilizes control servers at the following locations:

•    24.173.215.70

•    65.5.227.69

The backdoor allows unauthorized access and control of an affected computer, and can be used by a remote attacker to perform actions such as downloading and executing arbitrary files, capturing information and terminating processes.

Using social engineering in this manner to get users to perform actions of the attacker's choice (for example, opening a file) isn't news. But when confronted with such a catastrophe, the need for information and reassurance is strong. Don't forget that attackers will always try to take advantage of human nature. So be careful.

As for the good news – you can keep your system safe from these ill tidings by keeping your antivirus software up to date and ensuring that you apply security updates in a timely fashion.

We will continue to keep you posted.

--Zhitao Zhou, MMPC

Network World retraction

Tuesday, April 19, 2011

MSRT April '11: Win32/Afcore

This month, the MSRT team added the Win32/Afcore family of trojans to its detections. This malware is also known as Coreflood.

It has evolved over time, first breaking onto the scene in 2003. At the time, it was encountered when visiting a malicious web page containing obfuscated VBScript and detected as TrojanDropper:VBS/Inor.B. Using hexadecimal encoding, the VBScript dropper would create an executable, detected as Backdoor:Win32/Apdoor.C. Its main functionality was somewhat simple then, and the malware referred to itself as “AICORE” in its debug messages.

The threat family dropped off in telemetry in 2009; during the same period it became part of a command & control network, or botnet. The sophistication of the malware increased, by spawning multiple processes and through the use of obfuscation and anti-emulation techniques.

During the evolution and changes to what is now known as Afcore, the communication sent by the malware to the C&C server remains technically the same. The malware makes use of debug messages for version tracking purposes. Some of the debug strings include the following:

  • AFCORE
  • COM2PLUS_MessageWindowClass
  • Version 3.1-test22(tv7) built on 06/11/08 at 15:32:57
  • Basename: %s, PID: %d (%s)
  • Octopus PID: %d(%i)
  • Shutting down AF . . .
  • Restarting AF . . .
  • Respawning AF . . .
  • User is logging off (%h)
  • AF has exited (%d): %s
  • Windows day %d has elapsed
  • AF 3.1-test22 has caused exception %h at %s+%h (%h)

Win32/Afcore comprises two components, a dropper and installed malware that runs as a backdoor. The backdoor component is injected into running processes and connects to a remote server to retrieve commands that are executed on the affected system. Commands could include instructions to steal passwords, attack other computers and so on. When the dropper is executed, it creates randomly named executable and data files, such as the following:

%TEMP%\gnfl.dll - Win32/Afcore
C:\Windows\System32\iaspojcy.dil - Win32/Afcore
C:\Windows\System32\iaspojcy.dat - data file
C:\Windows\System32\comrspl.dat - data file
C:\Windows\System32\kbdmlv47.dat - data file

The registry is modified to execute Win32/Afcore at Windows start, as indicated below in these examples of modified registry data:

In subkey: HKLM\Software\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}
Sets value: "(default)"
With data: "iaspojcy"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32
Sets value: "(default)"
With data: "C:\Windows\System32\iaspojcy.dil"
 
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy
Adds value: "(default)"
With data: "{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"

The registry changes allow Win32/Afcore to execute when Windows Explorer runs and when Internet Explorer is launched.
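
An audit of the persistence described above, added here as an example and not part of the MSRT post: it parses a .reg-style export, follows each ShellIconOverlayIdentifiers entry to its CLSID's InprocServer32 path and lists the reasons an entry deserves a closer look. The export is constructed; the CLSID and the .dil path are the ones quoted above, the "Example Sync" handler is invented, and the "Orphan" entry shows the case where the CLSID resolves to nothing.

```python
import re

OVERLAY_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                r"\Explorer\ShellIconOverlayIdentifiers")
CLSID_ROOTS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID", r"HKEY_CLASSES_ROOT\CLSID")

# Constructed .reg-style export. The first CLSID and the .dil path are the ones
# quoted in the post; the other two handlers are invented for this example.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}]
@="iaspojcy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32]
@="C:\\Windows\\System32\\iaspojcy.dil"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Sync\\overlay.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy]
@="{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ ExampleSync]
@="{00000000-0000-0000-0000-000000000001}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Orphan]
@="{00000000-0000-0000-0000-000000000002}"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DEFAULT_RE = re.compile(r'^@="(.*)"$')


def parse_reg_defaults(text):
    """{key path: default value} for every key in a .reg export that sets a
    default (@=) string value. .reg files double every backslash; undo that."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            continue
        dm = _DEFAULT_RE.match(line)
        if dm and current is not None:
            result[current] = dm.group(1).replace("\\\\", "\\")
    return result


def audit_overlay_handlers(reg_defaults):
    """Resolve each ShellIconOverlayIdentifiers entry to its CLSID's InprocServer32
    and collect the reasons it deserves a second look. Returns one
    {'name', 'clsid', 'server', 'reasons'} dict per handler, clean or not."""
    by_lower = {k.lower(): v for k, v in reg_defaults.items()}
    report = []
    for key, clsid in reg_defaults.items():
        if not key.lower().startswith(OVERLAY_ROOT.lower() + "\\"):
            continue
        name = key[len(OVERLAY_ROOT) + 1:]
        server = None
        for root in CLSID_ROOTS:
            server = by_lower.get((root + "\\" + clsid + "\\InprocServer32").lower())
            if server is not None:
                break
        reasons = []
        if server is None:
            reasons.append("CLSID has no InprocServer32 in the export")
        else:
            if not server.lower().endswith(".dll"):
                reasons.append("server is not a .dll: " + server)
            if "\\windows\\system32\\" in server.lower():
                reasons.append("server lives in System32; confirm it is a signed Microsoft file")
        report.append({"name": name, "clsid": clsid, "server": server, "reasons": reasons})
    return report


def suspicious_overlay_handlers(reg_text):
    """Names of overlay handlers with at least one reason, in export order."""
    return [h["name"] for h in audit_overlay_handlers(parse_reg_defaults(reg_text)) if h["reasons"]]


if __name__ == "__main__":
    for h in audit_overlay_handlers(parse_reg_defaults(SAMPLE_REG)):
        print(h["name"], h["server"], h["reasons"])
```

On a live machine the same input comes from `reg export` of the two roots; the System32 reason is deliberately soft, because Windows registers some of its own overlay handlers there, so it is a prompt to check the file's signature rather than a verdict.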

Win32/Afcore injects code from a utility “jb.dll”, known as a “jailbreak tool”, to export certificates marked as non-exportable from the Windows certificate store. The certs could then be used by an attacker to access online banking sites in an unauthorized manner. The malware could also perform the following actions:

  • modify the registry to run at Windows start
  • steal private certificates
  • restart or shutdown its currently running process
  • monitor window sockets
  • make connections to a remote host to transmit data

Additionally, Win32/Afcore could monitor network traffic to steal credentials associated with performing online mobile payments. The malware contains the following strings that it uses when monitoring traffic:

  • telegraphic
  • swift
  • remittance
  • foreign
  • s.w.i.f.t
  • cross-border

Win32/Afcore contains code that assists in capturing traffic and stealing information communicated when visiting websites containing the following strings, two of which are associated with National Health Service sites:

  • *.nhs.net/*
  • *.nhs.uk/*
  • *.hilton.*
  • *.yahoo.*
  • *.google.*

The trojan monitors communication sent via secure hypertext transfer protocol (HTTPS) as well. Win32/Afcore has been known to communicate with servers named “joy4host.com” and “antrexhost.com”. The IP addresses reported for these servers were located in Germany.

The addition of Win32/Afcore to MSRT this month comes at the request of the FBI and the Department of Justice to support a takedown operation which is discussed here:  http://www.justice.gov/opa/pr/2011/April/11-crm-466.html.

Microsoft is pleased to work with law enforcement, industry and academia when it leads to a safer computing environment for all of us. It is gratifying to see law enforcement agencies around the world taking aggressive steps to curb criminality on the Internet. Kudos to all of those involved.

-- Jaime Wong & Jeff Williams, MMPC

Sunday, April 17, 2011

Definition file update for Ad-Aware.


149.682 is now available, new definition file for Ad-Aware 8.2.

150.367 is now available, new definition file for Ad-Aware 9.x, 8.3.

New definitions:
====================


Updated definitions:
====================
BAT.Trojan.Shutdown
BAT.TrojanPWS.Labt
JS.Trojan.StartPage
MSIL.Backdoor.Agent
MSIL.Backdoor.Vkont
MSIL.Trojan.Agent
MSIL.Trojan.Inject
MSIL.TrojanDownloader.Vkont
MSIL.TrojanDropper.Agent
MSIL.TrojanDropper.StubRC
MSIL.TrojanPWS.Agent
MSIL.TrojanSpy.Agent
MSIL.TrojanSpy.KeyLogger
MSIL.TrojanSpy.Zbot
MSIL.Worm.Autorun
NSIS.TrojanDownloader.Agent
VBS.Trojan.Agent
VBS.TrojanClicker.Agent
VBS.TrojanDownloader.Agent
Win32.Adware.Admoke
Win32.Adware.Agent
Win32.Adware.Dap
Win32.Adware.Delf
Win32.Adware.EzuLa
Win32.Adware.Gaba
Win32.Adware.Gamevance
Win32.Adware.Ksg
Win32.Adware.MyCashBag
Win32.Adware.RON
Win32.Adware.SideTab
Win32.Adware.SuperJuan
Win32.Adware.TMAagent
Win32.Adware.Zwangi
Win32.Backdoor.Agent
Win32.Backdoor.BO2k
Win32.Backdoor.Banito
Win32.Backdoor.Bifrose
Win32.Backdoor.BlackHole
Win32.Backdoor.Bredolab
Win32.Backdoor.Cakl
Win32.Backdoor.Cetorp
Win32.Backdoor.Curioso
Win32.Backdoor.Dealfa
Win32.Backdoor.Delf
Win32.Backdoor.DragonBot
Win32.Backdoor.DsBot
Win32.Backdoor.Floder
Win32.Backdoor.Gbot
Win32.Backdoor.HttpBot
Win32.Backdoor.Hupigon
Win32.Backdoor.IRCBot
Win32.Backdoor.Kbot
Win32.Backdoor.Koutodoor
Win32.Backdoor.Lolbot
Win32.Backdoor.MoSucker
Win32.Backdoor.Oserdi
Win32.Backdoor.Papras
Win32.Backdoor.Poison
Win32.Backdoor.Prorat
Win32.Backdoor.Protector
Win32.Backdoor.RBot
Win32.Backdoor.Ripinip
Win32.Backdoor.Runagry
Win32.Backdoor.Shiz
Win32.Backdoor.Skun
Win32.Backdoor.Spammy
Win32.Backdoor.Torr
Win32.Backdoor.Turkojan
Win32.Backdoor.VB
Win32.Backdoor.VanBot
Win32.Backdoor.Whimoo
Win32.Backdoor.Wuca
Win32.Backdoor.Yobdam
Win32.Backdoor.Zzslash
Win32.Backdoor.mIRC-based
Win32.Flooder.UDP
Win32.FraudTool.AntiMalwareDoctor
Win32.FraudTool.MSRemovalTool
Win32.Hoax.ArchSMS
Win32.IMFlooder.VB
Win32.IRCWorm.IrcBot
Win32.Monitor.Ardamax
Win32.Monitor.FamilyKeylogger
Win32.Monitor.HomeKeylogger
Win32.Monitor.NeoSpy
Win32.Monitor.Perflogger
Win32.P2PWorm.Palevo
Win32.P2PWorm.Polip
Win32.P2PWorm.Small
Win32.Rootkit.Agent
Win32.Rootkit.Small
Win32.Rootkit.TDSS
Win32.Trojan.Agent
Win32.Trojan.Agent2
Win32.Trojan.Antavmu
Win32.Trojan.AutoIT
Win32.Trojan.BHO
Win32.Trojan.Buzus
Win32.Trojan.Chifrax
Win32.Trojan.Chydo
Win32.Trojan.Cosmu
Win32.Trojan.Cospet
Win32.Trojan.Cossta
Win32.Trojan.Delf
Win32.Trojan.Diple
Win32.Trojan.FakeAV
Win32.Trojan.Fraudpack
Win32.Trojan.Gabba
Win32.Trojan.Genome
Win32.Trojan.Gipneox
Win32.Trojan.Hrup
Win32.Trojan.Inject
Win32.Trojan.Jorik
Win32.Trojan.KillAV
Win32.Trojan.Llac
Win32.Trojan.Lunam
Win32.Trojan.Mahato
Win32.Trojan.Menti
Win32.Trojan.Midgare
Win32.Trojan.Migotrup
Win32.Trojan.Miser
Win32.Trojan.Monder
Win32.Trojan.Nedovb
Win32.Trojan.Oficla
Win32.Trojan.Pakes
Win32.Trojan.Pasta
Win32.Trojan.Pincav
Win32.Trojan.Pirminay
Win32.Trojan.Powp
Win32.Trojan.Qhost
Win32.Trojan.Refroso
Win32.Trojan.Regrun
Win32.Trojan.Sasfis
Win32.Trojan.Scar
Win32.Trojan.Searches
Win32.Trojan.Sefnit
Win32.Trojan.Siscos
Win32.Trojan.Skillis
Win32.Trojan.Small
Win32.Trojan.Smardf
Win32.Trojan.Staget
Win32.Trojan.StartPage
Win32.Trojan.Starter
Win32.Trojan.Swisyn
Win32.Trojan.Tdss
Win32.Trojan.VB
Win32.Trojan.Vapsup
Win32.Trojan.Vbkrypt
Win32.Trojan.Vilsel
Win32.Trojan.Webprefix
Win32.TrojanClicker.Agent
Win32.TrojanClicker.AutoIT
Win32.TrojanClicker.BHO
Win32.TrojanClicker.Casu
Win32.TrojanClicker.VB
Win32.TrojanDDoS.Agent
Win32.TrojanDownloader.Agent
Win32.TrojanDownloader.Banload
Win32.TrojanDownloader.Braz
Win32.TrojanDownloader.Bulilit
Win32.TrojanDownloader.Calipr
Win32.TrojanDownloader.CodecPack
Win32.TrojanDownloader.DNSKrab
Win32.TrojanDownloader.Delf
Win32.TrojanDownloader.Diehard
Win32.TrojanDownloader.Dluca
Win32.TrojanDownloader.Fosniw
Win32.TrojanDownloader.Fraudload
Win32.TrojanDownloader.Genome
Win32.TrojanDownloader.Geral
Win32.TrojanDownloader.Goo
Win32.TrojanDownloader.Homa
Win32.TrojanDownloader.Injecter
Win32.TrojanDownloader.Kido
Win32.TrojanDownloader.Mufanom
Win32.TrojanDownloader.Myxa
Win32.TrojanDownloader.Nekill
Win32.TrojanDownloader.Pakes
Win32.TrojanDownloader.Pher
Win32.TrojanDownloader.Radonl
Win32.TrojanDownloader.Roucdera
Win32.TrojanDownloader.Small
Win32.TrojanDownloader.Tiny
Win32.TrojanDownloader.VB
Win32.TrojanDownloader.Zlob
Win32.TrojanDropper.Agent
Win32.TrojanDropper.Cadro
Win32.TrojanDropper.Clons
Win32.TrojanDropper.Delf
Win32.TrojanDropper.Drooptroop
Win32.TrojanDropper.EESbinder
Win32.TrojanDropper.FC
Win32.TrojanDropper.Flystud
Win32.TrojanDropper.Fraudrop
Win32.TrojanDropper.Joiner
Win32.TrojanDropper.KGen
Win32.TrojanDropper.Meci
Win32.TrojanDropper.MuDrop
Win32.TrojanDropper.NSIS
Win32.TrojanDropper.Pakes
Win32.TrojanDropper.ParaDrop
Win32.TrojanDropper.Pincher
Win32.TrojanDropper.Renum
Win32.TrojanDropper.Small
Win32.TrojanDropper.Stabs
Win32.TrojanDropper.Startpage
Win32.TrojanDropper.TDSS
Win32.TrojanDropper.Typic
Win32.TrojanDropper.VB
Win32.TrojanDropper.Vedio
Win32.TrojanDropper.ZomJoiner
Win32.TrojanPWS.Agent
Win32.TrojanPWS.Autoit
Win32.TrojanPWS.Bjlog
Win32.TrojanPWS.Delf
Win32.TrojanPWS.Dybalom
Win32.TrojanPWS.Emelent
Win32.TrojanPWS.Frethoq
Win32.TrojanPWS.Kapod
Win32.TrojanPWS.Kates
Win32.TrojanPWS.Kykymber
Win32.TrojanPWS.LdPinch
Win32.TrojanPWS.Lmir
Win32.TrojanPWS.Magania
Win32.TrojanPWS.Meger
Win32.TrojanPWS.Nilage
Win32.TrojanPWS.OnlineGames
Win32.TrojanPWS.Papras
Win32.TrojanPWS.QQPass
Win32.TrojanPWS.QQRob
Win32.TrojanPWS.Rebnip
Win32.TrojanPWS.Ruftar
Win32.TrojanPWS.Taworm
Win32.TrojanPWS.Tibia
Win32.TrojanPWS.WOW
Win32.TrojanProxy.Agent
Win32.TrojanRansom.Digitala
Win32.TrojanRansom.Fakeinstaller
Win32.TrojanRansom.HmBlocker
Win32.TrojanRansom.PornoBlocker
Win32.TrojanRansom.Xorist
Win32.TrojanSpy.Agent
Win32.TrojanSpy.Amber
Win32.TrojanSpy.BHO
Win32.TrojanSpy.BZub
Win32.TrojanSpy.Banbra
Win32.TrojanSpy.Bancos
Win32.TrojanSpy.Banker
Win32.TrojanSpy.Banker2
Win32.TrojanSpy.Banz
Win32.TrojanSpy.Delf
Win32.TrojanSpy.Lydra
Win32.TrojanSpy.Montp
Win32.TrojanSpy.Spenir
Win32.TrojanSpy.SpyEyes
Win32.TrojanSpy.VB
Win32.TrojanSpy.Wemon
Win32.TrojanSpy.Zbot
Win32.Worm.Agent
Win32.Worm.Allaple
Win32.Worm.AutoIt
Win32.Worm.Autorun
Win32.Worm.Carrier
Win32.Worm.Ckbface
Win32.Worm.Fearso
Win32.Worm.Kido
Win32.Worm.Kolab
Win32.Worm.Koobface
Win32.Worm.Mabezat
Win32.Worm.Mydoom
Win32.Worm.Mytob
Win32.Worm.Netsky
Win32.Worm.Qvod
Win32.Worm.Rokut
Win32.Worm.Socks
Win32.Worm.Sohanad
Win32.Worm.Trojandownloader
Win32.Worm.VB
Win32.Worm.Vbna
Win32.Worm.Viking
Win32.Worm.Wbna
Win32.Worm.Yahos


MD5 checksum for Ad-Aware core.aawdef is 3402ad540bab2a82edfaf6231f9e3c78


Battling the Zbot Threat (with MSRT)

Hello Internet!

As you may recall, last October we updated MSRT to include the well-known malware Zbot (aka Zeus), one of the more prolific bots we see in the wild today. Today, we released a special-edition Security Intelligence Report, entitled “Battling the Zbot Threat,” that documents the background, functionality, prevalence, and geographical distribution of Zbot malware. The paper also shows how Microsoft has had a measurable effect on the Zbot ecosystem since broadening its attack efforts to include the Malicious Software Removal Tool (MSRT) in October 2010.

As always, we continue to update MSRT with the results of ongoing MMPC research while improving our detections. This is necessary because, like most malware, Zbot keeps evolving: in the last year or so it has gained updated file-based obfuscation, anti-AV defensive techniques, new information-stealing capabilities, configuration-file protection, API hooking, pseudo-random domain generation, process injection and file infection. We won't go into the details of most of these here, but we can show the telemetry gathered from MSRT and Microsoft Security Essentials over the last four months, documenting the percentage of Zbot detections exhibiting these new features (shown as Zbot 2.x in the chart below):

[Chart: percentage of Zbot detections exhibiting Zbot 2.x features, MSRT and MSE telemetry over the previous four months; image not reproduced]

Of all the changes that Zbot has undergone however, the most significant from an MSRT perspective is the move towards file infection. Since its inception, Zbot has employed process injection targeting multiple processes on the system, the extent of which is governed by the privilege level of the user who unwittingly triggers the infection. (TIP: If you’re going to run an attachment you got from an email or a link, or via Facebook, don’t elevate it to admin via UAC.)

In some newer variants found in the wild, each infected process hooks several Windows APIs, modifies and infects binary files, and infects files shared on the network. One notable behavior: the injected thread in each process continually monitors for, and infects, other processes.

The diagram below is a simple way to visualize the code-injection and hooking cycle:

[Diagram: Zbot code-injection and API-hooking cycle; image not reproduced]

In its original form, Zbot hooked around 15 APIs; newer versions, dubbed Zbot 2.x, hook upwards of 30. The API of most interest here is NtCreateFile(), which is invoked when a file is opened. As the first diagram shows, Zbot can infect files both directly and at the moment they are opened, so a file you have just cleaned can be re-infected as soon as something touches it. That severely hinders attempts to clean the system by hand. If a tedious manual cleaning process doesn't sound palatable, you can rest assured that MSRT handles cleaning an infected system properly.
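One common way a user-mode hook like the NtCreateFile() hook described above is implemented is to overwrite the first bytes of the target function inside each injected process with a jump into the malware's code, so a quick way to check a process is to compare the entry bytes of a few ntdll syscall stubs in memory against their clean on-disk copies. The following is an added example (not code from the MMPC post, MSRT or Microsoft) that does exactly that diff and classifies the usual x86 detour shapes. The load addresses, syscall numbers, stub bytes and the "process memory" snapshot are all constructed for the example; only NtCreateFile is named in the text, the other two stub names are just further entries to check. A real checker would read the live bytes with ReadProcessMemory and the clean copy from ntdll.dll on disk; that plumbing is omitted here.

```python
import struct

# Constructed sample data: load address and first seven bytes of a few 32-bit
# ntdll syscall stubs as they would look on disk. The bytes decode as
# "mov eax, <syscall number>; mov edx, esp" and are schematic, not the real
# ntdll stub; addresses and syscall numbers are illustrative too.
# NtCreateFile is the API named in the post; the other two are just further stubs.
CLEAN_PROLOGUES = {
    "NtCreateFile":         (0x7C90D0AE, bytes.fromhex("B8250000008BD4")),
    "NtQueryDirectoryFile": (0x7C90D76E, bytes.fromhex("B8910000008BD4")),
    "NtResumeThread":       (0x7C90DB1E, bytes.fromhex("B8CE0000008BD4")),
}


def classify_prologue(addr, code):
    """Recognise the common x86 detour shapes written over a function entry.

    Returns (kind, target) or (None, None) if the bytes match no known shape.
    """
    if len(code) >= 5 and code[0] == 0xE9:                              # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                      # jmp dword ptr [abs32]
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:          # push imm32; ret
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32; jmp eax
        return "mov_jmp_eax", struct.unpack_from("<I", code, 1)[0]
    return None, None


def find_hooks(in_memory, clean=CLEAN_PROLOGUES):
    """Diff in-memory stub bytes against the clean copies and report patches.

    in_memory maps API name -> bytes read from the live process. Every stub whose
    bytes differ is reported; the detour shape is classified when recognised and
    otherwise flagged as 'modified' so an unfamiliar patch is not silently missed.
    """
    findings = []
    for name, (addr, disk) in clean.items():
        mem = in_memory.get(name)
        if mem is None or mem == disk:
            continue
        kind, target = classify_prologue(addr, mem)
        findings.append({"api": name, "kind": kind or "modified", "target": target})
    return findings


def jmp_rel32(from_addr, to_addr):
    """Encode a 5-byte 'jmp rel32' placed at from_addr that lands on to_addr."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


def build_sample_snapshot():
    """Constructed 'process memory' view for the example.

    NtCreateFile is patched with a jmp rel32 and NtResumeThread with a push/ret,
    both into hypothetical injected code at 0x00401000 / 0x00402000. The bytes
    after the detour are left as on disk, as a real entry-point patch would leave
    them. NtQueryDirectoryFile is untouched.
    """
    snap = {name: disk for name, (_, disk) in CLEAN_PROLOGUES.items()}
    addr, disk = CLEAN_PROLOGUES["NtCreateFile"]
    snap["NtCreateFile"] = jmp_rel32(addr, 0x00401000) + disk[5:]
    _, disk = CLEAN_PROLOGUES["NtResumeThread"]
    snap["NtResumeThread"] = b"\x68" + struct.pack("<I", 0x00402000) + b"\xC3" + disk[6:]
    return snap


if __name__ == "__main__":
    for h in find_hooks(build_sample_snapshot()):
        target = "0x%08X" % h["target"] if h["target"] is not None else "?"
        print("%-22s %-12s -> %s" % (h["api"], h["kind"], target))
```

The point of reporting "modified" for anything that differs, rather than only the shapes the classifier knows, is that a hook you cannot decode is still a hook; a target address that falls outside any loaded module's image range is the next thing to look at, since injected code normally lives in a private allocation rather than in a mapped DLL.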

As always, we recommend using a reputable anti-virus product to help ensure you don't get infected in the first place, such as one of the products listed here. You may also consider Microsoft's no-cost anti-virus product, Microsoft Security Essentials.

These patched/infected files are detected as Virus:Win32/Zbot.B and Virus:Win32/Zbot.C. For detailed information on Zbot's more recent malicious behavior, please refer to the description in our Encyclopedia: PWS:Win32/Zbot.gen!Y

Rodel Finones, Holly Stewart, Joe Faulhaber and Matt McCormack


Fake MSE updated. Did your real MSE updates too?

Recently, AVG caught a new variant of Fake MSE, which is more sophisticated and confusing. As usual, it pops up to warn you that you have been infected. If you apply the “recommended” actions, the UI announces that the malware...


Win32/Renocide, the aftermath

On March 8th, we announced the release of the latest Malicious Software Removal Tool (MSRT), a version that included detection and cleaning capabilities for a backdoor-enabled worm we are calling Win32/Renocide. If you are not familiar with this threat, we recommend reading our encyclopedia entry here.

According to our telemetry, this new addition was among the top 5 detected threats in the first week of release, both when ranked by number of detected files and when ranked by number of infected machines.

Rank  Family       Threat count (detected files)
   1  Sality                248,250
   2  Rimecud               209,208
   3  Taterf                178,421
   4  Renocide              167,826
   5  Frethog               125,781
   6  Bubnix                116,772
   7  Vobfus                114,850
   8  Conficker              88,636
   9  Zbot                   78,304
  10  FakeSpypro             64,904

Chart 1 - Win32/Renocide, detected files

Rank  Family       Machine count (infected machines)
   1  Rimecud               200,267
   2  Taterf                160,632
   3  Sality                160,579
   4  Renocide              123,413
   5  Vobfus                107,866
   6  Frethog               104,121
   7  Bubnix                 88,858
   8  Conficker              82,192
   9  Zbot                   72,669
  10  FakeSpypro             62,943

Chart 2 - Win32/Renocide, infected machines

The high tally of affected machines reflects Renocide's relative age; the botnet has been around since 2008 and has slowly but steadily increased its prevalence. Our first detection dates back to the first half of 2008.

If you look at the machine-count ranking, you'll notice that the first two families are also worms: Rimecud is a backdoor-enabled worm (just like Renocide), while Taterf is an account stealer. Although only third by machine count, Sality leads the threat count because it is a file infector and so produces many infected files per machine.

You can read more about all malware families present in this blog from our encyclopedia. We thank you for using MSRT.

Marian Radu,
MMPC Dublin
