Malware

Mon, 30 Jun 08
PE_VIRUT.AT
http://feeds.trendmicro.com/~r/MalwareTop10/~3/322719969/default5.asp

This file infector infects by appending its code to target host files. It infects files of certain types.

Mon, 30 Jun 08
TROJ_RENOS.ZQ
http://feeds.trendmicro.com/~r/MalwareTop10/~3/322076921/default5.asp

This Trojan may arrive bundled with malware packages as a malware component.

It creates folders. It drops files/components.

It creates registry key(s)/entry(ies).

It requires the existence of certain files in order to run properly.

Sun, 29 Jun 08
PE_CHIR.B
http://feeds.trendmicro.com/~r/MalwareTop10/~3/175437515/default5.asp
This mass-mailing worm propagates by sending copies of itself to all addresses listed in the target user's Windows Address Book (WAB). It sends an email with this format:

From: imissyou@btmail.net.cn
Subject: <username> is comming!
Message:
Attachment: PP.EXE

It also infects all files with the following extensions:



On the 1st day of the month, it overwrites the first 4,660 bytes of files with these extensions:

This malware runs on Windows 95, 98, ME, NT, 2000 and XP.

Sat, 28 Jun 08
TROJ_DLOADER.KYU
http://feeds.trendmicro.com/~r/MalwareTop10/~3/319539011/default5.asp

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.



It creates a folder where it drops copies of itself.



It displays the following error message upon execution:

TROJ_DLOADER.KYU Error Message

It creates a registry entry to enable its automatic execution at every system startup.

Sat, 28 Jun 08
HTML_FUJACKS.DZ
http://feeds.trendmicro.com/~r/MalwareTop10/~3/214627007/default5.asp
File infectors survive in the changing threat environment by adapting to it. PE_FUJACKS, a young family of file infectors discovered in the last quarter of 2006, exemplifies this. It has taken on the traits that characterize the prevailing threat landscape: multi-component, sequential, focused, Web-based, and profit-driven. For a comprehensive article detailing PE_FUJACKS's routines and goals, see PE_FUJACKS: Jacking Up to the Times.


This is the Trend Micro detection for the IFrame code that PE_FUJACKS.EA-O and PE_FUJACKS.DZ-O append to their infected files.

The script code enables the said file infectors to open the Web site http://www.{BLOCKED}vebak.com/qq.htm, which redirects the affected user to a certain link where a malicious file can be downloaded. Trend Micro detects this downloaded file as PE_FUJACKS.DZ-O.

Fri, 27 Jun 08
TROJ_DLOADER.FXN
http://feeds.trendmicro.com/~r/MalwareTop10/~3/320612287/default5.asp

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.



It drops copies of itself. It drops files/components. It then executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system. It is injected into processes running in memory.



It creates registry entries to enable its automatic execution at every system startup. It registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating registry keys/entries.



It deletes itself after execution.

Fri, 27 Jun 08
WORM_AUTORUN.MCS
http://feeds.trendmicro.com/~r/MalwareTop10/~3/320787847/default5.asp

This worm may be downloaded from certain remote sites.

It drops copies of itself in all physical drives and in all removable drives.

It accesses Web sites to download file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.

It drops files.

Thu, 26 Jun 08
POSSIBLE_VBM
http://feeds.trendmicro.com/~r/MalwareTop10/~3/318048849/default5.asp


This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Thu, 26 Jun 08
MAL_OTORUN1
http://feeds.trendmicro.com/~r/MalwareTop10/~3/226118570/default5.asp


This is the Trend Micro detection for suspicious AUTORUN.INF files that allow automatic execution of malware in removable drives.



If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.



To submit files, please refer to the Solution section.

Mon, 23 Jun 08
POSSIBLE_OLGM-11
http://feeds.trendmicro.com/~r/MalwareTop10/~3/317379149/default5.asp


This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Mon, 23 Jun 08
WORM_SILLY.CZ
http://feeds.trendmicro.com/~r/MalwareTop10/~3/186375845/default5.asp
This worm is downloaded unknowingly by a user when visiting malicious Web sites. It propagates by dropping copies of itself in all available physical and removable drives. It also drops copies of itself into folders whose names contain certain strings. It uses attractive file names as a social engineering technique to trick the user into opening the said files.

Sun, 22 Jun 08
MAL_ONLINEG
http://feeds.trendmicro.com/~r/MalwareTop10/~3/317176607/default5.asp


This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Sun, 22 Jun 08
POSSIBLE_OTORUN8
http://feeds.trendmicro.com/~r/MalwareTop10/~3/317245277/default5.asp

This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Sat, 21 Jun 08
VBS_SOLOW.CR
http://feeds.trendmicro.com/~r/MalwareTop10/~3/196085476/default5.asp
This malicious VBScript arrives via removable drives.

It drops copies of itself in all removable drives. It drops a file to automatically execute the dropped copies when the drives are accessed.

It sets the attributes of AUTORUN.INF and PAGEFILE.SYS.VBS to Read only, Hidden, and System.

Sat, 21 Jun 08
HTML_FUJACKS.E
http://feeds.trendmicro.com/~r/MalwareTop10/~3/203620456/default5.asp
File infectors survive in the changing threat environment by adapting to it. PE_FUJACKS, a young family of file infectors discovered in the last quarter of 2006, exemplifies this. It has taken on the traits that characterize the prevailing threat landscape: multi-component, sequential, focused, Web-based, and profit-driven. For a comprehensive article detailing PE_FUJACKS's routines and goals, see PE_FUJACKS: Jacking Up to the Times.


This is the Trend Micro detection for an IFrame, which PE_FUJACKS.F-O appends to its infected files. The said IFrame enables the mentioned infected files to open the Web page http://www.{BLOCKED}vkr.com/worm.htm. This page, in turn, redirects the affected user to another Web page, http://www.{BLOCKED}vkr.com/muma.htm, which contains a malicious script.



Trend Micro detects the said script as VBS_SMALL.EKE. The routines of this malicious VBScript may be exhibited on the affected machine.



Fri, 20 Jun 08
WORM_RONTKBR.GEN
http://feeds.trendmicro.com/~r/MalwareTop10/~3/104911825/default5.asp


This is Trend Micro's detection for unknown and future variants of WORM_RONTOKBRO and WORM_BRONTOK malware programs. It serves as a proactive means of safeguarding against possible attacks of the aforementioned malware.

The said variants propagate by sending copies of themselves as attachments to email messages using their own Simple Mail Transfer Protocol (SMTP) engines. Through the said SMTP engines, they are able to easily send email messages even without using other mailing applications, such as Outlook Express.

WORM_RONTOKBRO and WORM_BRONTOK variants are also known to restart an affected system whenever certain strings are found in the title bar of any window.



In addition, these worm variants use the Windows folder icon to trick users into thinking that it is a valid folder. They also disable the Registry Editor and Task Manager.

Fri, 20 Jun 08
PE_PARITE.A-O
http://feeds.trendmicro.com/~r/MalwareTop10/~3/187756621/default5.asp


This malware infects EXPLORER.EXE to gain memory-residency. Once resident, it gradually infects all .EXE and .SCR files found on the infected system and network shares with read and write access.

It infects files by adding a new section to the target file then appending its code at the end of the target.



Note that Trend Micro detects files infected by this virus as PE_PARITE.A.

It is dropped and executed by PE_PARITE.A in the Windows Temporary folder, with a random file name and a TMP extension.

This malware runs on Windows 95, 98, ME, NT, 2000 and XP.

Fri, 20 Jun 08
POSSIBLE_DLDER
http://feeds.trendmicro.com/~r/MalwareTop10/~3/170624969/default5.asp


This is the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known TROJ_DLOAD, TROJ_DLOADER, TROJ_DLDR, TROJ_SMALL, and TROJ_AGENT variants.

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

For support on detected files, samples may be submitted to Trend Micro. Detailed analysis will be done on submitted samples and corresponding cleaning instructions may be applied, if necessary.

Fri, 20 Jun 08
PE_PARITE.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/168442891/default5.asp


This file infector infects .EXE and .SCR files on an infected system and on remote network shares with read and write access. It makes use of random ports in order to access network shares. Upon execution, it drops a .TMP file detected by Trend Micro as PE_PARITE.A-O.

It should be noted that it may also arrive as an email (EML) file that contains the malware executable. In this form, this file infector executes when the malicious EML file is opened. Once opened, it searches for HTM or HTML files on the infected system with the string "README" in their file names. Once found, it drops a copy of the .EML file into the folder where the infected .HTML file is found. The infected HTML file is detected by Trend Micro as JS_NIMDA.A.

Thu, 19 Jun 08
TROJ_VB.CEO
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313381947/default5.asp

This Trojan may be dropped by other malware.

Upon execution, this Trojan creates a folder, where it drops several copies of itself. It also drops a non-malicious file. This Trojan creates a registry entry to enable its automatic execution at every system startup.

This Trojan accesses URLs to download files. The said files are related to download sites and are non-malicious.

Thu, 19 Jun 08
MAL_NSANTI-1
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313801106/default5.asp

This is the Trend Micro heuristic detection for suspicious files that manifest similar encryption as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Thu, 19 Jun 08
POSSIBLE_OTORUN3
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313801105/default5.asp
This virus has been renamed to MAL_OTORUN3.

Wed, 18 Jun 08
WORM_BRONTOK.AB
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313998898/default5.asp


This memory-resident worm spreads copies of itself as attachments to email messages. It gathers target email addresses by searching an affected system for files with certain extensions.

The email message it sends out is written in Indonesian and has the following details:

Subject: {blank}

Message body:
-- Hentikan kebobrokan di negeri ini --
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
2. Stop Free Sex, Aborsi, & Prostitusi ( Go To HELL )
3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!

-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh:
Elang Brontok (Spizaetus Cirrhatus) yang hampir punah

-- JowoBot #VM Community --
!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!

Attachment: (a copy of this worm using any of the following file names)
• CCAPPS.EXE
• JANGAN DIBUKA.EXE
• KANGEN.EXE
• MY HEART.EXE
• MYHEART.EXE
• SYSLOVE.EXE
• UNTUKMU.EXE
• WINWORD.EXE



Notably, it avoids sending messages to email addresses containing strings that are related to antivirus and security companies. It does the said routine to prevent its early detection on the compromised system.

It also disables the Folder Options item in the Tools drop-down menu from the main menu bar of Windows Explorer and Control Panel. The said action prevents the affected user from changing such settings as displaying hidden folders and displaying file paths in title bars. This worm also disables the Registry Editor.

It causes the affected computer to pause during startup. It does the said action by adding the string pause to the file AUTOEXEC.BAT. It also restarts the affected system when it finds an open window with certain strings in the title bar.

Furthermore, it uses a Windows folder icon to trick affected users into thinking that it is a valid folder. When the icon is clicked, it opens the process EXPLORER.EXE to hide its execution. It also opens a document folder after its execution.

This worm also deletes the valid file RUNDLL32.EXE.

Wed, 18 Jun 08
PE_TENGA.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/169122400/default5.asp


This virus spreads via network shares. It collects and generates a certain number of octets of a host machine's IP address, then scans the whole network for writable shared folders.

It either appends or inserts its code into the .EXE files it finds in all of the infected system's folders. This file infector executes at every system startup if the file it infects has autostart capabilities.

Upon execution, it connects to the following Web site to download DL.EXE, which Trend Micro detects as TROJ_TENGADL.A:

    {BLOCKED}enti.lycos.it/vx9




The downloaded Trojan, in turn, downloads the file GAELICUM.EXE, which Trend Micro detects as PE_TENGA.A-O. Note that the file may vary anytime. As of this writing, the file is detected by Trend Micro as WORM_RBOT.GAE.

Wed, 18 Jun 08
WORM_RONTKBR.F
http://feeds.trendmicro.com/~r/MalwareTop10/~3/168156134/default5.asp

This worm arrives as an attachment to email messages spammed by another malware or a malicious user. It is downloaded from remote sites by other malware.




It creates certain registry entries to enable its automatic execution at every system startup. It also drops a copy of itself in the Windows Common Startup folder, which likewise enables its automatic execution at every system startup.

It propagates via email. It gathers target email addresses from files with certain file name extensions.



It utilizes a stealth mechanism that makes use of the familiar Windows folder icon for its dropped copies. The said action tricks the user into thinking that the dropped malicious files are valid and harmless folders that can be opened safely. Once these fake folders are clicked, this worm opens the My Documents folder to hide its execution.


It modifies the affected system's registry to disable critical tools such as the Registry Editor and the command prompt. It hides files and file name extensions. It also restarts the system upon detection of certain strings in the title bar of any active window. It also removes the Folder Options item in the Tools drop-down menu from the main menu bar of Windows Explorer and Control Panel.

Tue, 17 Jun 08
MAL_VUNDO-4
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313381948/default5.asp


This is the Trend Micro heuristic detection for suspicious files that are compressed and encrypted and that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Tue, 17 Jun 08
CRYP_XED-6
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313381949/default5.asp


This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Tue, 17 Jun 08
MAL_OTORUN2
http://feeds.trendmicro.com/~r/MalwareTop10/~3/239918365/default5.asp


This is the Trend Micro detection for suspicious AUTORUN.INF files that allow automatic execution of malware in removable drives.



If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.



To submit files, please refer to the Solution section.

Tue, 17 Jun 08
PE_PATCHEP.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313381950/default5.asp


To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

PE_PATCHEP.A Behavior Diagram

Malware Overview

This file infector may be dropped by other malware. It is the Trend Micro detection for the modified copy of a legitimate file that contains injected code.

Upon execution, this file infector uses a certain API to load and execute a .DLL file detected by Trend Micro as TROJ_AGENT.DGW.

As a result, malicious routines of the .DLL file are executed on the affected system.

Tue, 17 Jun 08
POSSIBLE_OTORUN6
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313381952/default5.asp


This is the Trend Micro detection for suspicious AUTORUN.INF files that allow automatic execution of malware in removable drives.





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Tue, 17 Jun 08
CRYP_NSANTI-2
http://feeds.trendmicro.com/~r/MalwareTop10/~3/313381951/default5.asp
This virus has been renamed to MAL_ONLINEG.

Tue, 17 Jun 08
JS_NIMDA.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/175437516/default5.asp
This JavaScript is a component of the PE_NIMDA.A worm. It opens the README.EML file that carries the worm. It does not have a destructive payload.

Tue, 17 Jun 08
PE_VBAC.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/170649209/default5.asp


This is Trend Micro's detection for the infected files of PE_VBAC.A-O. They drop the .DLL file VCAB.DLL, detected as the mother file infector PE_VBAC.A-O, into the Windows temporary folder of target systems. The said action initiates the said mother file's infection routine. Note that files detected as PE_VBAC.A can also arrive via network shares.



They also inject the said .DLL file into running processes to help it stay memory-resident and to enable its execution whenever a target process executes.

Tue, 17 Jun 08
HTML_IFRAME.HT
http://feeds.trendmicro.com/~r/MalwareTop10/~3/181216993/default5.asp


To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

HTML_IFRAME.HT Behavior Diagram

Malware Overview

This is the Trend Micro detection for HTML pages and compromised Web sites that contain malicious iFrame tags.

It is known to be hosted on the following URL:

  • http://77.221.{BLOCKED}.188/.if/go.html


Once an unsuspecting user visits or views an affected Web page, this malicious HTML connects to certain URLs to download a possibly malicious file. As a result, routines of the downloaded file are also exhibited on the affected system.

© amigura.co.uk All Rights Reserved.