Virus alerts for Jan 2006
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti-virus program, which checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus

To remove some viruses it is advisable to turn off System Restore.

January 29 2006 W32.Antinny.AX

W32.Antinny.AX is a worm that propagates through the Winny file-sharing network. The worm performs denial of service attacks on certain Web sites and steals confidential information from the compromised computer.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003

When W32.Antinny.AX is executed, it performs the following actions:

1. Copies itself as the following:

%System%\Microsoft\svchost.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Adds the value:

"Windows Security Manager" = "%System%\Microsoft\svchost.exe -c -ax"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that it is executed when Windows starts.

3. Adds the value:

"DisableSR" = "1"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore to disable System Restore.

4. Creates the following clean file:

%Windir%\svdat.m1v

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

5. Creates the following hidden folders:

* %Temp%\4407A9BE6535\6A8C9B51993A
* %Temp%\4407A9BE6535\773232357FF9

Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

6. Searches the Winny file-sharing network program folder and modifies the file UpFolder.txt.

7. Adds the folder %Temp%\4407A9BE6535\773232357FF9 as a shared folder in the Winny file-sharing network.

8. Captures screen shots and saves them as:

%Temp%\4407A9BE6535\773232357FF9\[JAPANESE TEXT][USER NAME][JAPANESE TEXT]([DATE]).jpg

9. Searches for files with the following extensions:

* .doc
* .xls
* .eml
* .ppt
* .dbx
* .txt
* .pdf

10. Searches for the following files in the Winny file-sharing program folder:

* Nodref.txt
* Download.txt
* kakikomi.txt
* tab1.txt
* tab2.txt

11. Searches for files in the following folders:

* %UserProfile%\Favorites
* %UserProfile%\Recent
* %UserProfile%\Local Settings\Application Data\[RANDOM]\Identities\[RANDOM]\Microsoft\Outlook Express

12. Creates .zip files containing the found files and saves them as:

%Temp%\4407A9BE6535\773232357FF9\[JAPANESE TEXT][USER NAME][JAPANESE TEXT].zip

13. Creates a .zip file that contains a copy of itself with randomly chosen Japanese words taken from the worm body. The worm then copies the .zip file to %Temp%\4407A9BE6535\773232357FF9.

14. Drops and executes the following file, which is a variant of Trojan.Sientok:

%Temp%\sttemp.exe

15. Drops the following files:

* %System%\winsm.exe
* %System%\ms[RANDOM].exe

16. Creates the following service:

WindowsSecurityManager

17. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\"WindowsSecurityManager"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"WindowsSecurityManager"

18. Checks the current date periodically. If the day is a Monday and the date is between the 1st and 6th of the month, it performs a denial of service attack against the following Web sites:

* [http://]www.accsjp/[REMOVED]/.or.jp
* [http://]www2.accsjp/[REMOVED]/.or.jp
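The registry values, service key and dropped files listed in steps 1 to 17 above are the artifacts a responder would look for on a suspect machine. The following is an added triage script, not part of the original alert: it parses a Windows .reg export (text) plus a list of file paths and reports which of the worm's indicators are present. The sample registry export and file list are constructed for illustration; the one detail worth noting is that the genuine svchost.exe sits directly in %System%, whereas the worm's copy sits in a "Microsoft" subfolder.

```python
# Added triage check for the W32.Antinny.AX artifacts listed above (example code, not from
# the original alert): parses a .reg export plus a file list and reports indicator hits.
import re

RUNONCE_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runonce"
SYSRESTORE_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\systemrestore"
SERVICE_KEY_RE = re.compile(r"^hkey_local_machine\\system\\(controlset\d+|currentcontrolset)\\services\\windowssecuritymanager$")
# Genuine svchost.exe lives directly in %System%; the worm's copy is in a "Microsoft" subfolder.
FAKE_SVCHOST_RE = re.compile(r"\\system(32)?\\microsoft\\svchost\.exe$", re.I)
DROPPED_NAMES = {"winsm.exe", "sttemp.exe", "svdat.m1v"}   # fixed file names from the alert

def parse_reg(text):
    """Parse .reg text into {key: {value: data}}; keys/names lower-cased, dword data as int."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry keys are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'^"([^"]*)"=(.*)$', line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # REG_SZ escapes backslashes
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)                   # REG_DWORD is written in hex
            keys[current][name] = data
    return keys

def check_antinny(reg_text, file_paths):
    """Return sorted indicator labels found in the registry export and file list."""
    reg, found = parse_reg(reg_text), set()
    for name, data in reg.get(RUNONCE_KEY, {}).items():
        exe = data.split(" -")[0] if isinstance(data, str) else ""   # drop the "-c -ax" switches
        if name == "windows security manager" or FAKE_SVCHOST_RE.search(exe):
            found.add("runonce_value")
    if reg.get(SYSRESTORE_KEY, {}).get("disablesr") == 1:
        found.add("system_restore_disabled")
    if any(SERVICE_KEY_RE.match(k) for k in reg):
        found.add("service_key")
    for path in file_paths:
        if FAKE_SVCHOST_RE.search(path):
            found.add("fake_svchost_file")
        elif path.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES:
            found.add("dropped_file")
    return sorted(found)

# Constructed sample input mirroring the alert's indicators (not a real capture).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Security Manager"="C:\\WINDOWS\\system32\\Microsoft\\svchost.exe -c -ax"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsSecurityManager]
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\Microsoft\svchost.exe", r"C:\WINDOWS\svdat.m1v", r"C:\WINDOWS\system32\svchost.exe"]
```

Running `check_antinny(SAMPLE_REG, SAMPLE_FILES)` flags all five indicator classes, while the legitimate %System%\svchost.exe entry in the file list is left alone.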


Top 10 Most Prevalent Global Malware
(from January 20 to January 26, 2006)

1. SPYW_DASHBAR.300
2. SPYW_GATOR.F
3. HTML_NETSKY.P
4. WORM_GREW.A
5. WORM_NETSKY.P
6. EXPL_WMF.GEN
7. JAVA_BYTEVER.A
8. WORM_MOFEI.B
9. ADW_SLAGENT.A
10. PE_PARITE.A

January 21 2006 Grow Up - WORM_GREW.A

WORM_GREW.A propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. It can then send email messages without using mailing applications (such as Microsoft Outlook). It gathers email addresses from files with certain extensions, such as DOC, PSD, RAR, and ZIP. It also propagates through network shares, by searching the network for ADMIN$ and C$ shares, where it drops a copy of itself using the file name WINZIP_TMP.EXE. It is currently spreading in-the-wild, and infecting computers that run Windows 98, ME, NT, 2000, XP, and 2003 Server.

Upon execution, it drops and opens a .ZIP archive named SAMPLE.ZIP in the Windows system folder. This worm also deletes autostart registry entries, as well as associated files of several programs, most of which are related to security and antivirus applications. These routines may cause referenced programs to malfunction, effectively making the affected system more vulnerable to further attacks.

In addition, it is capable of disabling the mouse and keyboard of an affected system.


Top 10 Most Prevalent Global Malware
(from January 13 to January 19, 2006)

1. SPYW_DASHBAR.300
2. SPYW_GATOR.F
3. HTML_NETSKY.P
4. WORM_GREW.A
5. WORM_NETSKY.P
6. EXPL_WMF.GEN
7. JAVA_BYTEVER.A
8. WORM_MOFEI.B
9. ADW_SLAGENT.A
10. PE_PARITE.A

January 15 2006 Crash - Trojan wmfcrash.b

TROJ_WMFCRASH.B is a .WMF file that takes advantage of an unpatched vulnerability found in Windows Picture and Fax Viewer. It runs on Windows XP and Server 2003, and is currently spreading in-the-wild.

The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are thus named because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may leave systems vulnerable, due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

Once this malicious .WMF file is opened, it proceeds to launch a denial of service attack in an attempt to restart or terminate the legitimate system process EXPLORER.EXE. The said action leaves an affected user unable to navigate through Windows.

After performing its routine, this Trojan terminates itself.


Top 10 Most Prevalent Global Malware
(from January 6 to January 12, 2006)

1. WORM_SOBER.G
2. SPYW_DASHBAR.300
3. JAVA_BYTEVER.A
4. SPYW_GATOR.F
5. HTML_NETSKY.P
6. WORM_NETSKY.P
7. WORM_MOFEI.B
8. ADW_LOP.A_
9. TSPY_SMALL.SN
10. TROJ_BAGLE.AH

January 04 2006 Worm in the Sky - WORM_LOCKSKY.Y

WORM_LOCKSKY.Y is a memory-resident worm that propagates by sending a copy of itself as an attachment to email messages. It is currently spreading in the wild and infecting systems that run Windows NT, 2000, XP, and Server 2003.

The email that it sends has the following details:

Subject: Your mail Account is Suspended
Message body: We regret to inform you that your mail account has been suspended due to the violation of our site policy, more info is attached.
Attachment: acc_info{random number}.exe

It spoofs the From: field in an attempt to trick users into thinking that the spammed email is from a trusted source.

It bypasses an affected system's firewall thereby effectively lowering system security.

This worm checks for an updated copy of itself by connecting to a specific Web site, and if an update is available, downloads it.

It also logs keystrokes and saves the gathered information.

Upon execution, it drops a copy of itself in the Windows folder, and also drops component files, and other copies of itself in the Windows system folder.


Top 10 Most Prevalent Global Malware
(from December 30, 2005 to January 5, 2006)

1. WORM_SOBER.G
2. SPYW_DASHBAR.300
3. JAVA_BYTEVER.A
4. SPYW_GATOR.F
5. HTML_NETSKY.P
6. WORM_NETSKY.P
7. WORM_MOFEI.B
8. ADW_LOP.A_
9. TSPY_SMALL.SN
10. TROJ_BAGLE.AH

January 04 2006 WMF Vulnerability

AntiVir, Avast!, BitDefender, Ewido, F-Secure, Fortinet, Ikarus, Kaspersky, McAfee, and NOD32 are known to detect and block the four known variants of the dangerous WMF vulnerability.

If you are using other antivirus software (AVG, Microsoft AntiSpyware, Panda, Norton, Trend Micro, etc.), then you are not protected against some or all variants at the time of writing.

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005 | Updated: January 3, 2006

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site.

In an e-mail based attack involving the current exploit, customers would have to click on a link in a malicious e-mail or open an attachment that exploits the vulnerability. It is important to remember that this malicious attachment may not be a .wmf. It could also be a .jpg, .gif, or other format. At this point, no attachment has been identified in which a user can be attacked simply by reading mail.

An attacker who successfully exploited this vulnerability could only gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the attacks are limited in scope and are not widespread.

Customers are encouraged to keep their anti-virus software up-to-date.

Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. While we have not encountered any situation in which simply opening an email can result in attack, clicking on a link in an email could result in navigation to a malicious site.

The intentional use of exploit code, in any form, to cause damage to computer users is a criminal offense. Accordingly, Microsoft continues to assist law enforcement with its investigation of the attacks in this case. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.


Top 10 Most Prevalent Global Malware
(from December 23 to December 30, 2005)

1. WORM_SOBER.G
2. SPYW_DASHBAR.300
3. JAVA_BYTEVER.A
4. SPYW_GATOR.F
5. HTML_NETSKY.P
6. WORM_NETSKY.P
7. WORM_MOFEI.B
8. ADW_LOP.A_
9. TSPY_SMALL.SN
10. TROJ_BAGLE

December 30 2005 Trojan.Spamlia

This nasty piece of work uses your personal lists of friends and/or business associates to send spam. When Trojan.Spamlia is executed, it performs the following actions:

1. Obtains all email addresses from the Windows Address Book and saves them to %Temp%\~BG.

Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

2. May also obtain SMTP Display Name, SMTP Email Address, and SMTP Server information from the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\[RANDOM]

3. Sends spam email to all email addresses gathered from the Windows Address Book. Some of the emails contain the following characteristics:

Subject:
babbo natale indagato
Message:
evviva la stupidità!!
[DOMAIN]/video9.html
Della serie.... infierisci anche tu !!
buone feste! Buon anno!!!
[SMTP DISPLAY NAME]

Subject:
incoscienza natalizia
Message:
non fraintendere !!
[DOMAIN]/video8.html
Buone feste
[SMTP DISPLAY NAME]

Subject:
scherzo Natalizio
Message:
a natale si è
tutti più
imbranati
[DOMAIN]/video7.html
hehehe ciao tanti auguri
[SMTP DISPLAY NAME]

Subject:
video simpatico natalizio
Message:
scherzetto simpatico...eheheh
[DOMAIN]/video6.html
a presto, vi auguro buone feste
[SMTP DISPLAY NAME]

Note:

* [SMTP DISPLAY NAME] is the SMTP Display Name gathered from the registry entry listed above.
* [DOMAIN] is one of following:

4. Deletes itself and %Temp%\~BG.
