Virus alerts for May 2006
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus


May 20 2006 Trojan.Nebuler

Trojan.Nebuler is a Trojan horse that attempts to download and execute files from remote sites. It also sends information about the compromised computer to a remote site.

Also Known As: Backdoor.Eterok.B

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Trojan.Nebuler is executed, it performs the following actions:

1. Drops an embedded DLL file to the following locations:

* %UserProfile%\Local Settings\Temp\cli??.tmp
* %System%\winowl32.dll

Note:
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Injects %System%\winowl32.dll into the Winlogon system process.

3. Terminates itself.

4. Creates the mutex named "m3d5rt10" so that only one instance of the threat is run on the compromised computer.

5. Creates an instance of iexplore.exe and injects a remote thread into the created instance.

6. Sends information about the compromised computer to the following sites:

* here4search.biz
* content.jdial.biz
* smart-security.biz

Note: Depending on the response received in the previous step, it may also download and execute files from these sites.

7. Creates the following registry subkey to store information about the compromised computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

8. Creates the following registry key so that the Trojan is loaded every time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winowl32


May 12 2006 Hacktool.DDEExploit

Hacktool.DDEExploit is a Trojan horse that attempts to exploit the Microsoft Windows NetDDE Privilege Escalation Vulnerability (as described in Microsoft Security Bulletin MS02-071).

Note: Prior to May 12th, 2006, this threat may be detected as Hacktool.DDE.Exploit.

Also Known As: Hacktool.DDE.Exploit

Type: Trojan Horse

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Hacktool.DDEExploit is executed, it performs the following actions:

Exploits the Microsoft Windows NetDDE Privilege Escalation Vulnerability (as described in Microsoft Security Bulletin MS02-071) by sending messages to the NetDDE Agent window. If the system is vulnerable, the sent messages are interpreted incorrectly, allowing the threat to execute arbitrary code with administrator privileges.


Top 10 Most Prevalent Global Malware
(from May 05 to May 12 2006)

1. WORM_NYXBM.E
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. HTML_NETSKY.P
5. WORM_NETSKY.P
6. WORM_ANIG.A
7. WORM_MOFEI.B
8. JAVA_BYTEVER.A
9. EXPL_WMF.GEN
10. PE_PARITE.A

May 11 2006 W32.Bactera

W32.Bactera is a worm that attempts to spread through file sharing networks.

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When executed, W32.Bactera performs the following actions:

Displays a fake error message indicating that the file "MFClibrary.dll" cannot be found. It does this to trick the user into believing the file is a crack tool/key generator.

Creates the following files:

C:\AntiVirScan.exe
C:\bac.exe
C:\bac2.exe
C:\list

Searches for the presence of the file sharing application eMule. If found it will create the following folder:

C:\Windows\Temp\Bactera

Copies itself to this folder over 1500 times, using file names from a predefined database. Examples of file names used include:

Knight and Merchants Gold Edition Crack & KeyGen all Versions.exe
1st Go Warkanoid Crack & KeyGen all Versions.exe
Sven Bomwollen Zwo Crack & KeyGen all Versions.exe
Enigram Crack & KeyGen all Versions.exe
Road To India Crack & KeyGen all Versions.exe
bacteria.exe

Creates the following registry subkey to store information regarding the installation of the threat:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Bactera


Top 10 Most Prevalent Global Malware
(from May 04 to May 11 2006)

1. WORM_NYXBM.E
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. HTML_NETSKY.P
5. WORM_NETSKY.P
6. WORM_ANIG.A
7. WORM_MOFEI.B
8. JAVA_BYTEVER.A
9. EXPL_WMF.GEN
10. PE_PARITE.A

May 02 2006 Troj/Bckdr-HPP BackDoor-ARD Backdoor.Monator

Category: Spyware Trojan

Troj/Bckdr-HPP is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Affected operating systems: Windows

Side effects:
- Allows others to access the computer
- Steals information
- Downloads code from the internet

Aliases:
- BackDoor-ARD
- Backdoor.Monator

Technical
Troj/Bckdr-HPP is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Registry entries are created under:

HKCR\MSWinsock.Winsock\
HKCR\MSWinsock.Winsock.1\

Troj/Bckdr-HPP includes functionality to:
- open/close the CD door
- send messages from the infected computer via AOL Instant Messenger
- steal computer information


Top 10 Most Prevalent Global Malware
(from April 24 to May 01 2006)

1. WORM_NYXBM.E
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. HTML_NETSKY.P
5. WORM_NETSKY.P
6. WORM_ANIG.A
7. WORM_MOFEI.B
8. JAVA_BYTEVER.A
9. EXPL_WMF.GEN
10. PE_PARITE.A

April 21 2006 W32.Banleed.A

Discovered on: April 20, 2006
Last Updated on: April 21, 2006

W32.Banleed.A is a network worm that spreads via shared drives and folders. It steals confidential information and account credentials when users visit a bank Web site. The worm may download and execute remote files and send the gathered information to a remote host.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Banleed.A is executed, it performs the following actions:

1. Copies itself as the following file:

C:\Windows\system.exe

2. Checks for the presence of the following file and stops the execution if that file exists:

C:\halt.txt

3. Adds the value:

"[FILENAME]" = "[PATH TO WORM]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

4. Creates and executes the following batch file to enumerate all the hosts in network shares of the infected machine:

C:\Windows\system.bat

5. Creates the following files:

* C:\Windows\view.txt - output of system.bat
* C:\Windows\maq.txt - list of hosts in network shares
* C:\Windows\okey.txt - clean text file

6. Attempts to spread across local network shares by copying itself into the startup folder of any remote machines found. The worm tries to copy its executable to the following remote folder:

\\[NETWORK_HOST]\C$\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

NOTE: The worm uses a hardcoded path during its replication, so it will work only on Brazilian/Spanish Windows machines.

7. Updates its code by downloading a configuration file from the following URL:

[http://]www.rulandocash.net/upd/upd[REMOVED]

The downloaded file contains the following configuration information:

* version = [VERSION NUMBER]
* download = [DOWNLOAD URL]
* installdir = [INSTALL PATH]

8. Uses the configuration file to download the following remote file, which at the time of writing was not available from the remote location:

[http://]www.sinmadam.net/.%20/upd/lsas[REMOVED]

9. Saves the downloaded file as the following file and then executes it:

c:\windows\system\NVSVC32.EXE

10. Monitors the browser windows of Internet Explorer and Firefox looking for any of the following bank URLs:

* [https://]www2.bancobrasil.com.br/aapf/aai/logi[REMOVED]
* [https://]internetcaixa.caixa.gov.br/nasapp/siibc/login_autent[REMOVED]
* [https://]wwwss.bradesco.com.br/scripts/ib2k1.dll/lo[REMOVED]
* [https://]net.sofisa.com.br/netbanking/tvirt[REMOVED]
* [https://]bankline.itau.com.br/gripnet/gracg[REMOVED]
* [https://]wwws.nossacaixa.com.br/bemvin[REMOVED]
* [https://]www2.rural.com.br/ruralibank/princi[REMOVED]
* [http://]www.unibanco.com.br/hom/inde[REMOVED]
* [http://]www.equifax.com.br
* [http://]www.tibia.com/ho[REMOVED]
* [http://]login.passport.net/uilog[REMOVED]
* [https://]www.orkut.com/glogi[REMOVED]
* [http://]www.banespa.com.br/portal/bnp/script/templates/gcmreq[REMOVED]

Depending on the URL entered into the browser, the worm hijacks the current browser window and displays a fraudulent copy of the bank's Web page.

11. Once the user enters authentication information into the malicious Web page, gathers it and sends it to a remote e-mail address.

12. May contact the following remote site to retrieve the Internet IP address of the infected machine:

[http://]checkip.dyndns.org
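As an added example (not code from the original alerts or from any vendor), the script below turns the host and network indicators listed in the Trojan.Nebuler, W32.Bactera and W32.Banleed.A writeups above into an offline check a responder can run against artefacts exported from a suspect machine: a registry export in .reg text format, a file listing, and a list of contacted hostnames. The indicator values are those given in the writeups; the sample export, listing and hostnames are constructed, and the `.reg` parser and the matching rules are this example's own.

```python
"""Offline indicator check for the advisories above (Trojan.Nebuler, W32.Bactera,
W32.Banleed.A). Added example, not code from the original alerts or any vendor."""
import fnmatch
import re

# Registry keys the advisories say the malware creates.
REGISTRY_KEY_IOCS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR": "Trojan.Nebuler",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winowl32": "Trojan.Nebuler",
    r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Bactera": "W32.Bactera",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_DATA_IOCS = {r"C:\Windows\system.exe": "W32.Banleed.A"}  # Banleed's value name varies, its data does not
# Dropped files; '*' and '?' are fnmatch wildcards (the %System% folder varies by Windows version).
FILE_IOCS = {
    r"*\winowl32.dll": "Trojan.Nebuler",
    r"*\Local Settings\Temp\cli??.tmp": "Trojan.Nebuler",
    r"C:\AntiVirScan.exe": "W32.Bactera",
    r"C:\bac*.exe": "W32.Bactera",               # bac.exe, bac2.exe
    r"C:\Windows\system.exe": "W32.Banleed.A",
    r"C:\Windows\system.bat": "W32.Banleed.A",
}
# Check-in/download sites. checkip.dyndns.org is a public service used by much legitimate
# software and is deliberately left out to avoid false positives.
HOST_IOCS = {
    "here4search.biz": "Trojan.Nebuler",
    "content.jdial.biz": "Trojan.Nebuler",
    "www.rulandocash.net": "W32.Banleed.A",
}
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data  or  @=data

def _unescape(s):  # undo the .reg escaping of '"' and backslash inside quoted strings
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _lookup(iocs, value):  # Windows paths and registry keys are case-insensitive
    return next((fam for k, fam in iocs.items() if k.lower() == value.lower()), None)

def parse_reg_export(text):
    """Return (key, name, data) tuples from .reg text; each key first appears as (key, None, None)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key, None, None))
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:  # header, blank or comment line, or a value before any key
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):  # REG_SZ; dword:/hex: data is kept as written
            data = _unescape(data[1:-1])
        entries.append((key, name, data))
    return entries

def scan_registry(entries):
    """Flag indicator keys, and Run values whose data points at a known worm path."""
    hits = []
    for key, name, data in entries:
        if name is None and (fam := _lookup(REGISTRY_KEY_IOCS, key)):
            hits.append((fam, "registry key " + key))
        elif name is not None and key.lower() == RUN_KEY.lower() and (fam := _lookup(RUN_DATA_IOCS, data)):
            hits.append((fam, f"Run value {name!r} = {data}"))
    return hits

def scan_files(paths):  # match full paths from a file listing against FILE_IOCS
    return [(fam, "file " + p) for p in paths for pat, fam in FILE_IOCS.items()
            if fnmatch.fnmatchcase(p.lower(), pat.lower())]

def scan_hosts(hostnames):
    """Flag contacted hostnames that equal, or sit under, an indicator domain."""
    return [(fam, "contacted host " + h) for h in hostnames for d, fam in HOST_IOCS.items()
            if h.lower().rstrip(".") == d or h.lower().rstrip(".").endswith("." + d)]

def scan_host(reg_export_text, file_paths, contacted_hosts):  # group all evidence by advisory name
    report = {}
    for fam, ev in scan_registry(parse_reg_export(reg_export_text)) + scan_files(file_paths) + scan_hosts(contacted_hosts):
        report.setdefault(fam, []).append(ev)
    return report

# Constructed sample artefacts, as a responder might export them from a suspect machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"system"="C:\\Windows\\system.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winowl32]
"""
SAMPLE_FILE_LISTING = [
    r"C:\WINDOWS\system32\winowl32.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\cli3A.tmp",
    r"C:\Documents and Settings\alice\Local Settings\Temp\~DF1234.tmp",
    r"C:\bac2.exe",
    r"C:\Windows\system.bat",
]
SAMPLE_CONTACTED_HOSTS = ["www.example.com", "content.jdial.biz", "checkip.dyndns.org"]
```

Running `scan_host(SAMPLE_REG_EXPORT, SAMPLE_FILE_LISTING, SAMPLE_CONTACTED_HOSTS)` attributes the Winlogon\Notify key, the winowl32.dll and cli??.tmp files and the contacted host to Trojan.Nebuler, the Run value and system.bat to W32.Banleed.A, and bac2.exe to W32.Bactera, while ctfmon.exe, the ~DF temp file and the two benign hostnames produce no hits. Matching on the Run value's data rather than its name is what makes the Banleed rule usable, since the advisory gives the name only as "[FILENAME]".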


Top 10 Most Prevalent Global Malware
(from April 14 to March 21 2006)

1. WORM_NYXBM.E
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. HTML_NETSKY.P
5. WORM_NETSKY.P
6. WORM_ANIG.A
7. WORM_MOFEI.B
8. JAVA_BYTEVER.A
9. EXPL_WMF.GEN
10. PE_PARITE.A