Virus alerts for Feb 2006
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient antivirus program, which checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Latest virus alert: Sober worm info
Netsky is still infecting computers after being first discovered in April 2004.

To remove some viruses it is advisable to turn off System Restore.

February 22 2006 Trojan.Satiloler.D

If you think you are infected, check your registry for a ctfmon.exe entry (see step 5 below).

When Trojan.Satiloler.D is executed, it performs the following actions:

1. Creates the following mutex, so that only one instance of the Trojan runs on the compromised computer at any one time:

_Toolbar_Class_32

2. Creates the following backup copy of the valid system file %System%\userinit.exe:

%Windir%\system\userinit.exe

The Trojan then creates a copy of itself as the following file, overwriting the original %System%\userinit.exe file in the process:

%System%\userinit.exe

Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

3. Copies itself as the following files:

* %ProgramFiles%\Common Files\system\lsass.exe
* %Windir%\system\ctfmon.exe

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

4. Creates the following files:

* %System%\divx5.dll
* %System%\h323.txt

The library file %System%\divx5.dll is a user-mode rootkit that tries to hide the Trojan's processes from the Windows Task Manager utility.

5. Adds the value:

"ctfmon.exe" = "%Windir%\system\ctfmon.exe"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

6. Adds the value:

"Userinit" = "%ProgramFiles%\Common Files\system\lsass.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

7. Adds the value:

"tvr" = "[PATH TO TROJAN EXECUTABLE]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE

to act as an infection marker.

8. Adds the value:

"gold" = "[RANDOM ID]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

to act as an infection marker.

9. Adds the values:

"%Windir%\system\ctfmon.exe" = "%Windir%\system\ctfmon.exe:*:Enabled:ctfmon"
"%System%\userinit.exe" = "%System%\userinit.exe:*:Enabled:userinit"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

in order to bypass Windows Firewall restrictions.

10. Modifies the values:

"SFCDisable" = "FFFFFF9D"
"SFCScan" = "0"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

in order to disable Windows File Protection.

11. Adds the value:

"System" = ""

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

12. Deletes all entries under the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Explorer\Browser Helper Objects

13. Attempts to download a configuration file using one of the following domains:

[http://]www.certdreams.com/cm[REMOVED]
[http://]www.certdreams.com/pm[REMOVED]
[http://]www.certdreams.com/down[REMOVED]

Alternatively, the Trojan may use a domain configured under the following registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\"d" = "[DOMAIN NAME]"

The Trojan saves this file as the following file:

%System%\cmd.txt

14. May then modify the hosts file with data copied from a downloaded configuration file, %System%\hst.txt.

15. Modifies the following .dll files, and any backup copies in the %Windir%\dllcache folder, in order to disable System File Protection:

* %System%\sfc_os.dll
* %System%\sfc.dll

16. Attempts to close windows that have the following titles, some of which may be security-related:

* Norton Personal Firewall
* Create rule for %s
* Un processus cache requiert une connexion reseau.
* Ne plus afficher cette invite
* Un proceso oculto solicita acceso a la red
* Aceptar
* Warning: Components Have Changed
* &Make changed component shared
* Hidden Process Requests Network Access
* Ein versteckter Prozess verlangt Netzwerkzugriff.
* PermissionDlg
* &Remember this answer the next time I use this program.
* &Yes
* Windows Security Alert
* Allow all activities for this application
* Kerio Personal Firewall Alert
* Create a rule for this communication and don't ask me again.

17. Attempts to end the following processes:

* WINLDRA.EXE
* NETSCAPE.EXE
* OPERA.EXE
* FIREFOX.EXE
* MOZILLA.EXE
* M00.EXE
* WINTBPX.EXE
* SWCHOST.EXE
* SVOHOST.EXE
* SVC.EXE
* WINSOCK.EXE

18. Attempts to disable the following programs:

* C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
* C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

19. Steals the following information and saves it to the %System%\h323.txt file:

* POP3 user name
* Password for Internet Explorer AutoComplete
* MSN Explorer Signup account
* The Bat! configuration file

20. Searches for the following strings in the Web browser:

* cahoot
* egg
* if.com
* smile
* first
* nation
* abbey
* natwest
* citi
* barclay
* allianc
* bank
* hsbc
* lloyd
* nwolb
* online
* hali
* npbs
* marbles
* trade
* e-gold
* rbs.

21. Logs the following data, related to Web browsing activities, in the file %System%\h323.txt:

* URLs visited
* Radio button and checkbox status
* Keystrokes

22. Posts all the log files it creates to a Web site defined by the remote attacker. The Trojan also sends the following data, which it gathers from the compromised computer, to this Web site:

* Username
* Opened port number
* Connection type (modem or LAN)

23. Opens a proxy server on a random TCP port.
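As an added example (not part of this alert), a small Python checker that parses a registry export (such as one produced by reg export) and reports which of the Satiloler.D registry indicators listed above are present; the sample export and its values are constructed for the demo.

```python
# Constructed "reg export" excerpt from a host showing the Trojan.Satiloler.D
# indicators described above (values are made up for the demo).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE]
"tvr"="C:\\WINDOWS\\system32\\userinit.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
"gold"="1a2b3c4d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"SFCScan"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system\\ctfmon.exe"
"""

def parse_reg(text):
    """Parse a .reg export into {key path (lower case): {value name: value}}."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = hives.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            else:  # quoted string; .reg files double the backslashes
                current[name] = raw.strip('"').replace("\\\\", "\\")
    return hives

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN_HKCU = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_HKLM = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# (key, value name, predicate on the parsed value, finding text)
CHECKS = [
    (r"hkey_local_machine\software", "tvr", lambda v: True, "step 7 marker 'tvr'"),
    (r"hkey_local_machine\software\microsoft", "gold", lambda v: True, "step 8 marker 'gold'"),
    (WINLOGON, "SFCDisable", lambda v: v == 0xFFFFFF9D, "step 10 Windows File Protection disabled"),
    (WINLOGON, "SFCScan", lambda v: v == 0, "step 10 SFC scanning disabled"),
    # the legitimate XP entry points at %System%\ctfmon.exe (system32); the Trojan's copy lives in %Windir%\system
    (RUN_HKCU, "ctfmon.exe", lambda v: r"\system\ctfmon.exe" in v.lower(), "step 5 Run entry for Trojan ctfmon.exe"),
    (RUN_HKLM, "Userinit", lambda v: "lsass.exe" in v.lower(), "step 6 Run entry 'Userinit' -> lsass.exe copy"),
]

def find_satiloler_indicators(reg_text):
    """Return the finding text for each indicator present in the export."""
    hives = parse_reg(reg_text)
    return [text for key, name, pred, text in CHECKS
            if (v := hives.get(key, {}).get(name)) is not None and pred(v)]
```

A legitimate Windows XP ctfmon.exe Run entry (pointing into system32) produces no finding, so the checker only flags the copy the Trojan plants in %Windir%\system.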

Top 10 Most Prevalent Global Malware
(from February 3 to February 9, 2006)

1. WORM_GREW.A
2. SPYW_DASHBAR.300
3. WORM_BAGLE.CL
4. SPWY_GATOR.F
5. HTML_NETSKY.P
6. WORM_NETSKY.P
7. WORM_MOFEI.B
8. JAVA_BYTEVER.A
9. ADW_SLAGENT.A
10. ADW_WEBSEARCH.K

February 02 2006 TROJ_BOMKA.L

TROJ_BOMKA.L may arrive on a system as an attachment to spammed emails, disguised as a non-malicious dart game to entice users into playing it. This non-destructive Trojan is currently spreading in the wild and infecting computer systems that run Windows 98, ME, NT, 2000, XP, and Server 2003.

A rough English translation of the email is:

Subject: you take one pause...
Message Body: I send a game flash!
then you send your score to me max... therefore I say how much I have made I to you... I am training myself:)
bye
{Name of sender}
Possible Attachment: gioco_freccette.zip

Upon execution, this Trojan drops and executes a copy of the legitimate game on the system. This action hides its malicious behavior from the user.

It also drops its .DLL component, which it registers as a Browser Helper Object (BHO) to ensure that it runs every time the user opens Internet Explorer.

This Trojan also attempts to connect to several Web sites to download other files or an update of itself. These downloaded files may be other malware, leaving the affected computer more prone to malicious attacks.

February 02 2006 WORM_GREW.A

A new malicious worm began infecting systems last week, which promises to launch an attack on February 3rd and the 3rd of every month thereafter, according to threat researchers at antivirus and content security firm Eset. The new worm, known by such names as Nyxem, BlackMal, Mywife, and CME-24, has infected hundreds of thousands of machines over the past week, most from unsuspecting users who do not yet know they are infected.

Like most worms, WORM_GREW.A propagates via email attachments and network shares, including popular P2P file sharing services. The email method of transmission employs common social engineering techniques including the promise of pictures, pornographic content, or a joke to entice users to open the corresponding attachment.

Though this worm utilizes common propagation techniques, the code itself is anything but common. This is a destructive virus that deletes and overwrites any number of files present on a user's system, by targeting the most popular file formats - including .DOC, .XLS, .PPT, .PDF, and .ZIP, to name just a few. In addition to losing a great deal of data, this virus also renders the keyboard and mouse inoperable, thereby leaving the user's system dead in the water. This is a truly global threat, affecting computer systems in over 150 countries, to date.

Since this threat is relatively well-known to the security industry, most major security vendors - including NOD32 - detect this worm and its variants.

Eset NOD32 has specific detection for all currently-known variants of this worm, and successfully detects all new variants generically, thereby providing broad protection against this threat.

The best defense is for users to run a scan of their systems, to ensure they haven't been infected. The attack is hard-coded in the worm, so if you haven't been infected, then there's no need to worry about the February 3rd attack, as long as you stay clean.

* Do not open any emails from those you don't know.
* Do not open attachments from those you do know if you weren't expecting an attachment from that person, or if the content of the email seems out of character for that person.
* Ensure your antivirus definitions are up-to-date.
* Run a manual scan with your updated Eset NOD32 product.

Top 10 Most Prevalent Global Malware
(from January 27 to February 2, 2006)

1. WORM_GREW.A
2. ADW_WEBSEARCH.K
3. SPYW_DASHBAR.300
4. SPWY_GATOR.F
5. HTML_NETSKY.P
6. WORM_NETSKY.P
7. ADW_SLAGENT.A
8. EXPL_WMF.GEN
9. JAVA_BYTEVER.A
10. ADW_HOTBAR.B