Malware

 

Fri, 29 Aug 08
MAL_INFOSTL
http://feeds.trendmicro.com/~r/MalwareTop10/~3/377903231/default5.asp


This is the Trend Micro detection for suspicious files that manifest behavior and characteristics similar to known variants of the following spyware:





If your Trend Micro product detects a file under this detection name, do not execute the file, or delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

To submit files, please refer to the Solution section.

Thu, 28 Aug 08
WORM_RONTOKBRO.K
http://feeds.trendmicro.com/~r/MalwareTop10/~3/376279618/default5.asp


Similar to other variants of WORM_RONTOKBRO, this worm propagates as an attachment to email messages. It sends itself to email addresses it harvests from the local drives of an affected system. The email message it sends out has the following details:

Subject: (blank)

Message body:

-- Hentikan kebobrokan di negeri ini --
1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send to "NUSAKAMBANGAN")

2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )

3. Stop pencemaran lingkungan, pembakaran hutan & perburuan liar.

4. SAY NO TO DRUGS !!!

YIfpqElpq taskkill /f /im -- KIAMAT SUDAH DEKAT --

Terinspirasi oleh:
Elang Brontok (Spizaetus Cirrhatus) yang hampir punah

-- JowoBot #VM Community --
!!! Akan Kubuat Mereka (VM lokal yg cengeng & bodoh) Terkapar !!!

English translation of the message body (the Indonesian text above is the exact string that appears in the email):

-- Stop the rottenness in this country --
1. Jail the corrupt, smugglers, bribe-takers & drug dealers
( Send to "NUSAKAMBANGAN")

2. Stop free sex, abortion & prostitution
( Go To HELL )

3. Stop environmental pollution, forest burning & poaching.

4. SAY NO TO DRUGS !!!

YIfpqElpq taskkill /f /im -- DOOMSDAY IS NEAR --

Inspired by:
the Brontok eagle (Spizaetus Cirrhatus), which is nearly extinct

-- JowoBot #VM Community --
!!! I will lay them (the whiny & stupid local VMs) flat !!!

Attachment: (any of the following)

• CCAPPS.EXE
• JANGAN DIBUKA.EXE
• KANGEN.EXE
• MY HEART.EXE
• MYHEART.EXE
• SYSLOVE.EXE
• UNTUKMU.EXE
• WINWORD.EXE

Upon execution, it drops a copy of itself under different file names in different locations. The file name it uses and the folder where it drops the copy vary with the operating system of the affected machine.

It removes the Folder Options menu entry, disables the Registry Editor and the command prompt, and hides files and file extensions, all by modifying the affected system's registry.

It uses the Windows folder icon so that users mistake it for a legitimate folder, and opens a Windows Explorer window upon execution to mask its malicious routines.

In addition, this worm restarts the system when it detects certain strings in an active window's title bar.

Furthermore, it launches PING attacks against certain Web sites.
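The registry tampering described above can be checked offline from an exported hive. The following script is an added example, not Trend Micro's or the worm's code: it parses .reg export text and flags the Explorer/System policy values that remove Folder Options, disable the Registry Editor and cmd.exe, and hide files and extensions, plus autorun entries pointing into user-writable paths and a replaced Winlogon Shell (the startup persistence that a fake-antivirus Trojan later on this page also relies on). The SAMPLE_REG text, the Example-Entry value name and the file paths in it are constructed; the policy value names are the standard Windows ones.

```python
"""Audit an exported Windows .reg file for policy lockouts and suspicious autoruns.

Added example, not Trend Micro's or the worm's code. SAMPLE_REG is constructed
for illustration; the policy value names are the standard Explorer/System ones.
On a real machine, export with `reg export HKCU hkcu.reg` and feed that text in.
"""
import re

# (key path suffix, value name, value that indicates tampering)
POLICY_CHECKS = [
    (r"CurrentVersion\Policies\Explorer", "NoFolderOptions", 1),
    (r"CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"Policies\Microsoft\Windows\System", "DisableCMD", 1),
    (r"CurrentVersion\Explorer\Advanced", "Hidden", 2),          # 2 = do not show hidden files
    (r"CurrentVersion\Explorer\Advanced", "HideFileExt", 1),
    (r"CurrentVersion\Explorer\Advanced", "ShowSuperHidden", 0),
]
# Path fragments that a legitimate autorun entry rarely points into.
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\appdata\\", "\\temp\\")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example-Entry"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\CCAPPS.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\WINWORD.EXE\""
"""

_VALUE_RE = re.compile(r'^(?:"(.+?)"|(@))=(.*)$')


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}.

    dword: values become int and quoted strings are unescaped; other types
    (hex:, expandable strings) are kept as their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        raw = m.group(3)
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = raw
        keys[current][name] = value
    return keys


def audit(keys):
    """Return human-readable findings: policy lockouts, autoruns from
    user-writable paths, and a Winlogon Shell that is no longer Explorer.exe."""
    findings = []
    for path, values in keys.items():
        for suffix, name, bad in POLICY_CHECKS:
            if path.endswith(suffix) and values.get(name) == bad:
                findings.append(f"policy tampering: {path}\\{name} = {bad}")
        if path.endswith((r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")):
            for name, value in values.items():
                if isinstance(value, str) and any(p in value.lower() for p in USER_WRITABLE):
                    findings.append(f"autorun from user-writable path: {name} -> {value}")
        if path.endswith(r"\Winlogon"):
            shell = values.get("Shell")
            if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell replaced: {shell}")
    return findings


def audit_text(text):
    return audit(parse_reg(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_REG):
        print(finding)
```

Run it against the sample and it reports eight findings: the six policy values, the autorun entry under Local Settings, and the Winlogon Shell that now launches a second executable. A clean export with `"Shell"="Explorer.exe"` and no policy values produces none.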

Tue, 26 Aug 08
W97M_Marker.GO-1
http://feeds.trendmicro.com/~r/MalwareTop10/~3/374585141/default5.asp
For details on this malware, please refer to the description for W97M_MARKER.GO.

Sun, 24 Aug 08
WORM_DREFIR.C
http://feeds.trendmicro.com/~r/MalwareTop10/~3/178716441/default5.asp


This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

It generates email addresses by using a list of names and any of the domain names of the previously gathered addresses.

The email it sends out has the following details:

Subject: (any of the following)
• here are the pictures you asked me to send you.
• Resume
• My Story
• Your Files
• Your Stuff

Message Body: (any of the following)
• for any help,mail me back
• here are the porn screen saver you asked me to show you...
• here are the programms you asked me to mail you
• just read it,its fantastic
• please read again what i have written to you !

Attachment: (a .RAR file with any of the following file names)
• info.rar
• My Life.rar
• package1.rar
• pictures.rar
• porn.rar

File in .RAR Attachment: (any of the following)
• linda.scr
• mail_READ.txt...scr
• musicbox.MP3.pif
• pictures.JPG...pif
• Story.scr
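The attachment lures above share one trick: an executable extension (.scr, .pif) hidden behind a document-looking one and a run of dots, shipped inside a .RAR. The following is an added example, not Trend Micro's or the worm's code, of a name-based triage that a mail gateway could apply; it generalizes the page's lures to whitespace padding and .ZIP containers. SAMPLE_MESSAGES mixes file names from this page with constructed benign ones, and archive member lists are supplied directly because listing a real archive is a separate step (e.g. `unrar l` or Python's zipfile).

```python
"""Name-based triage of email attachments and archive members.

Added example, not Trend Micro's or the worm's code. Generalizes the lures on
this page (document extension + dots + executable extension inside a .RAR) to
whitespace padding and .ZIP containers. SAMPLE_MESSAGES mixes names from this
page with constructed benign ones."""

EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
DECOY_EXT = {"txt", "jpg", "jpeg", "gif", "png", "mp3", "doc", "pdf", "xls"}
ARCHIVE_EXT = {"rar", "zip"}


def classify(name):
    """Return (verdict, reasons) for one file name: 'block', 'inspect' or 'allow'."""
    tokens = name.strip().lower().split(".")
    if len(tokens) < 2:
        return "allow", []
    final = tokens[-1].strip()      # the extension Windows actually acts on
    inner = tokens[1:-1]            # everything between the stem and the real extension
    decoys = [t.strip() for t in inner if t.strip() in DECOY_EXT]
    # Empty tokens come from runs of dots, trailing spaces from space padding.
    padded = any(t == "" or t != t.strip() for t in inner)
    if final in EXEC_EXT:
        reasons = [f"executable type .{final}"]
        if decoys:
            reasons.append(f"decoy extension .{decoys[0]}")
        if padded:
            reasons.append("dot or space padding pushes the real extension out of view")
        return "block", reasons
    if final in ARCHIVE_EXT:
        return "inspect", [f"archive .{final}: classify each member"]
    return "allow", []


def triage(attachment, members=()):
    """Verdict for a message: an archive is judged by its worst member."""
    verdict, _ = classify(attachment)
    if verdict != "inspect":
        return verdict
    member_verdicts = [classify(m)[0] for m in members]
    return "block" if "block" in member_verdicts else "allow"


PADDED_NAME = "invoice.pdf" + " " * 22 + ".exe"   # constructed, space padded

SAMPLE_MESSAGES = [
    ("pictures.rar", ["pictures.JPG...pif"]),        # from this page
    ("info.rar", ["mail_READ.txt...scr"]),           # from this page
    ("My Life.rar", ["musicbox.MP3.pif"]),           # from this page
    ("holiday.zip", ["IMG_0001.jpg", "notes.txt"]),  # constructed, benign
    ("report.pdf", []),                              # constructed, benign
    (PADDED_NAME, []),
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Map each attachment name to its message-level verdict."""
    return {att: triage(att, members) for att, members in messages}


if __name__ == "__main__":
    for att, verdict in triage_all().items():
        print(f"{verdict:8} {att!r} {classify(att)[1]}")
```

The three .RAR messages from the page are blocked through their members; the constructed benign ZIP and PDF pass, and the space-padded name is caught by the same rule as the dot-padded ones.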



It also spreads via Internet Relay Chat (IRC): it connects to various servers under certain nicks and posts messages containing a URL or hyperlinked phrases that, when clicked, download a copy of itself.

It checks the system's current month and day. If the date is June 29, it deletes the contents of all accessible files on fixed and mapped network drives. It also displays the following message box:

Sun, 24 Aug 08
PE_LOOKED.MA-O
http://feeds.trendmicro.com/~r/MalwareTop10/~3/372923927/default5.asp
When Julius Caesar arrogantly proclaimed "Veni. Vidi. Vici." (I came. I saw. I conquered.) to describe his swift and total victory in the Battle of Zela, he must have been sitting atop his horse and looking over his spoils, contemplating the lethal brilliance of his planning. Sitting atop its Trojan spyware, one of this year's most prevalent file infectors, PE_LOOKED, can lay claim to that same arrogance. To know why, read an in-depth article about PE_LOOKED's routines and payloads here: PE Came, LOOKED, and Conquered.




This mother file infector arrives on a system either downloaded from the Internet or dropped by another malware. When executed, it creates the folder uninstall in the Windows folder and then drops a copy of itself as RUNDL132.EXE.

It also drops the file RICHDLL.DLL in the Windows folder; this .DLL file is detected by Trend Micro as TROJ_LOOKED.LU.

This mother file infector prepends its code to .EXE files located on drives C: to Z: of the affected system. All infected files are detected by Trend Micro as PE_LOOKED.MA. It then drops the file _DESKTOP.INI in every folder that it has searched.
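A prepending file infector rewrites every .EXE it touches, so the practical detection is an integrity baseline (size and hash per executable) compared against the current tree, plus a sweep for the _DESKTOP.INI marker it drops in each searched folder. The script below is an added example, not Trend Micro's or the malware's code: demo() builds a throwaway directory tree, takes the baseline, simulates the infection described above (stub bytes prepended to executables, marker files dropped, an uninstall/rundl132.exe copy created) and reports the diff. The stub bytes and the tree layout are constructed for the demo.

```python
"""Integrity baseline for catching a prepending file infector.

Added example, not Trend Micro's or the malware's code. snapshot()/compare()
are the reusable part; demo() stages a constructed tree in a temp directory
and simulates the infection so the diff can be seen offline."""
import hashlib
import os
import tempfile


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def snapshot(root, exts=(".exe",)):
    """Map relative path -> (size, sha256) for every file ending in one of `exts`."""
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(exts):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    data = fh.read()
                entries[_rel(full, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return entries


def compare(baseline, current):
    """Diff two snapshots. `growth` holds the size delta of each modified file;
    a prepender that adds a fixed-size stub makes every delta identical."""
    modified = sorted(p for p in baseline if p in current and baseline[p][1] != current[p][1])
    return {
        "modified": modified,
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "growth": {p: current[p][0] - baseline[p][0] for p in modified},
    }


def marker_folders(root, marker="_desktop.ini"):
    """Folders that contain the marker file the infector leaves behind."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if any(fn.lower() == marker for fn in filenames):
            hits.append(_rel(dirpath, root))
    return sorted(hits)


STUB = b"PREPENDED-STUB-" * 8   # 120 constructed bytes standing in for the infector's code


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel in ("bin/app.exe", "bin/tool.exe", "games/game.exe"):
            _write(root, rel, b"MZ" + rel.encode() * 20)
        _write(root, "docs/readme.txt", b"not a PE")
        baseline = snapshot(root)

        # Simulated infection: prepend the stub to two executables, drop the
        # marker in every folder the infector searched, add the dropped copy.
        for rel in ("bin/app.exe", "games/game.exe"):
            with open(os.path.join(root, rel), "rb") as fh:
                body = fh.read()
            _write(root, rel, STUB + body)
        for folder in ("bin", "docs", "games"):
            _write(root, folder + "/_DESKTOP.INI", b"")
        _write(root, "uninstall/rundl132.exe", b"MZ" + STUB)

        report = compare(baseline, snapshot(root))
        report["markers"] = marker_folders(root)
        report["uniform_growth"] = len(set(report["growth"].values())) == 1
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline is taken from a known-clean image or a package manifest; the uniform growth across all modified executables is the tell that distinguishes a prepender from ordinary updates.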



Moreover, it waits for an active Internet connection and then accesses the URL http://{BLOCKED}90.222.233 to download and execute, on the affected system, files detected by Trend Micro as:



Sat, 23 Aug 08
MAL_OLGM-6
http://feeds.trendmicro.com/~r/MalwareTop10/~3/372048974/default5.asp


This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





For support on detected files, samples may be submitted to Trend Micro. Detailed analysis will be done on submitted samples and corresponding cleaning instructions may be applied, if necessary.

If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Tue, 19 Aug 08
WORM_SOBER.GEN
http://feeds.trendmicro.com/~r/MalwareTop10/~3/368020810/default5.asp
This detection covers most SOBER variants.

Mon, 18 Aug 08
PE_CORELINK.C-1
http://feeds.trendmicro.com/~r/MalwareTop10/~3/206192015/default5.asp
This is the Trend Micro detection for files infected by PE_CORELINK.C-O.

It drops a certain DLL component which is detected as PE_CORELINK.C-O.

As a result, the malicious routines of the dropped file are also exhibited on the affected system. The said .DLL file is injected into the legitimate process EXPLORER.EXE to prevent easy detection and removal.

Mon, 18 Aug 08
WORM_BAGLE.GM
http://feeds.trendmicro.com/~r/MalwareTop10/~3/207277222/default5.asp


This worm usually arrives as a file dropped by other malware or as a file downloaded unknowingly by a user when visiting malicious Web sites. Upon execution, it drops a file detected by Trend Micro as TROJ_BAGLE.GEN.



It propagates by dropping copies of itself into folders it assumes are shared: it searches for folders with the string shared in the folder name, then drops copies of itself under file names that masquerade as popular applications. This lets the worm spread via peer-to-peer (P2P) file-sharing applications when it lands in their shared folders.

Sat, 16 Aug 08
CRYP_TAP-5
http://feeds.trendmicro.com/~r/MalwareTop10/~3/365544440/default5.asp


This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Fri, 15 Aug 08
PE_MABEZAT.B-1
http://feeds.trendmicro.com/~r/MalwareTop10/~3/365006251/default5.asp


This is Trend Micro's detection for files infected by the mother file infector PE_MABEZAT.B-O. In this type of infection the malicious code is appended to the host file.

This file infector drops several files, some of which are detected as PE_MABEZAT.B-O and TROJ_MABEZAT.D. The dropped files are executed and as a result, malicious routines of these files are manifested in the system.

It drops a copy of its mother file infector in all folders found in removable drives using the folder name as its file name. It also drops another copy of the mother file infector in folders found in removable drives using file names of legitimate applications.

Fri, 15 Aug 08
PE_MABEZAT.B-2
http://feeds.trendmicro.com/~r/MalwareTop10/~3/365006252/default5.asp


This is Trend Micro's detection for files infected by the mother file infector PE_MABEZAT.B-O. In this type of infection the malicious code is appended to the host file, and a portion of the file is overwritten and encoded.

Upon execution, this file infector drops several component files, some of which are detected as PE_MABEZAT.B-O and TROJ_MABEZAT.D.

The dropped files are executed and as a result, malicious routines of these files are manifested in the system. It also drops a copy of its mother file infector in all folders found in removable drives using the folder name as its file name. It also drops another copy of the mother file infector in folders found in removable drives using random file names of legitimate applications.
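The removable-drive behaviour described for PE_MABEZAT.B (a copy named after each folder, another under a legitimate application name), and the folder-icon disguise used by WORM_RONTOKBRO.K earlier on this page, can be swept for without signatures. The script below is an added example, not Trend Micro's or the malware's code; it reports executables named after a sibling folder, executables borrowing a common application name, and groups of byte-identical executables under different names (every dropped copy is the same mother file). The drive layout, the COMMON_APP_NAMES list and the payload bytes in demo() are constructed; WINWORD.EXE is one of the lure names this page lists.

```python
"""Sweep a removable drive for folder-mimic and application-name executables.

Added example, not Trend Micro's or the malware's code. Three independent,
signature-free signals; demo() stages a constructed drive layout in a temp
directory. COMMON_APP_NAMES is an assumption, not a list from this page."""
import hashlib
import os
import tempfile
from collections import defaultdict

EXEC_EXT = (".exe", ".scr", ".pif", ".com")
COMMON_APP_NAMES = {"winword.exe", "excel.exe", "notepad.exe", "calc.exe"}   # assumption


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def _executables(root):
    """Yield (dirpath, sibling folder names, file name) for every executable."""
    for dirpath, dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(EXEC_EXT):
                yield dirpath, dirnames, fn


def folder_mimics(root):
    """Executables whose stem equals the name of a folder in the same directory."""
    hits = []
    for dirpath, dirnames, fn in _executables(root):
        stem = os.path.splitext(fn)[0].lower()
        if stem in {d.lower() for d in dirnames}:
            hits.append(_rel(os.path.join(dirpath, fn), root))
    return sorted(hits)


def app_name_copies(root):
    """Executables that borrow a common application's file name."""
    return sorted(_rel(os.path.join(d, fn), root)
                  for d, _, fn in _executables(root) if fn.lower() in COMMON_APP_NAMES)


def identical_executables(root):
    """Groups of byte-identical executables that appear under more than one name."""
    by_hash = defaultdict(list)
    for dirpath, _, fn in _executables(root):
        full = os.path.join(dirpath, fn)
        with open(full, "rb") as fh:
            by_hash[hashlib.sha256(fh.read()).hexdigest()].append(_rel(full, root))
    return sorted(sorted(paths) for paths in by_hash.values()
                  if len({os.path.basename(p).lower() for p in paths}) > 1)


PAYLOAD = b"MZ" + b"dropped-copy-of-the-infector" * 4   # constructed stand-in


def demo():
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Photos/IMG_0001.jpg": b"\xff\xd8jpeg",
            "Photos.exe": PAYLOAD,                       # named after the folder beside it
            "Music/track.mp3": b"ID3",
            "Music.exe": PAYLOAD,                        # named after the folder beside it
            "Work/report.doc": b"\xd0\xcf\x11\xe0",
            "Work/WINWORD.EXE": PAYLOAD,                 # borrowed application name
            "setup.exe": b"MZ" + b"legitimate installer" * 3,
            "readme.txt": b"hello",
        }
        for rel, data in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return {
            "folder_mimics": folder_mimics(root),
            "app_name_copies": app_name_copies(root),
            "identical": identical_executables(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third signal is the one that survives renaming: however the copies are named, they hash the same, while the distinct `setup.exe` is left alone.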

Thu, 14 Aug 08
W97M_MARKER.A
http://feeds.trendmicro.com/~r/MalwareTop10/~3/207068975/default5.asp
This macro virus infects documents and templates when they are closed in Microsoft Word. It deletes all user macros from infected files. On the 1st day of each month, it sends a log file via FTP to its author containing the following information:

Sat, 9 Aug 08
TROJ_FAKEALER.HO
http://feeds.trendmicro.com/~r/MalwareTop10/~3/359556438/default5.asp

This Trojan may be downloaded from remote sites by malware that Trend Micro detects as TROJ_RENOS.ADX.

It installs itself as a fake antivirus application named ANTIVIRUS XP 2008. It shows fake alert pop-ups stating that the affected system is infected with several viruses.





It then leads the user to a spoofed antivirus application window.



When the user tries to remove the viruses, it will prompt the user to pay for the service before cleaning the infection.

It modifies the system registry such that its automatic execution at every system startup is enabled. It creates folders and drops files.

Thu, 7 Aug 08
CRYP_NSANTI-3
http://feeds.trendmicro.com/~r/MalwareTop10/~3/357552418/default5.asp


This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Wed, 6 Aug 08
TROJ_FAKEALER.GJ
http://feeds.trendmicro.com/~r/MalwareTop10/~3/357089697/default5.asp
A Trojan horse program is malware that is not capable of automatically spreading to other systems. Trojans are usually downloaded from the Internet and installed by unsuspecting users. Trojans typically carry payloads or perform other malicious actions that range from the mildly annoying to the irreparably destructive. They may also modify system settings so that they start automatically. Restoring affected systems may require procedures other than scanning with an antivirus program.

Wed, 6 Aug 08
POSSIBLE_PCLIENT
http://feeds.trendmicro.com/~r/MalwareTop10/~3/357176744/default5.asp


This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Tue, 5 Aug 08
HTML_IFRAME.AZ
http://feeds.trendmicro.com/~r/MalwareTop10/~3/355578502/default5.asp

Sun, 3 Aug 08
POSSIBLE_HIFRM
http://feeds.trendmicro.com/~r/MalwareTop10/~3/353974695/default5.asp

This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.

Sat, 2 Aug 08
MAL_PATCH-1
http://feeds.trendmicro.com/~r/MalwareTop10/~3/352916002/default5.asp

This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:





If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately especially if it came from an untrusted or an unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.


© amigura.co.uk All Rights Reserved.