Virus alerts for Nov 2007
Computer virus alert
By the time you receive an e-mail 'virus alert' it can already be too late.
We stock an antivirus program that checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Not sure what malware is? See the definition at the end of this page.

Trojan.Randsom.B August 17 2007

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Once executed, the Trojan creates the following files:
%UserProfile%\Desktop\ASAP!!!.txt
C:\ASAP!!!.txt

It then creates the following registry entry so that the ransom note is displayed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Notepad" = "notepad.exe C:\ASAP!!!.txt"

The Trojan then encrypts files with the following extensions, other than those in the %Windir% folder:
.mmf
.dbf
.txt
.xls
.doc
.pps
.ppt
.docx
.xlsx
.pptx
.rtf
.mdb
.vsd
.vst
.csv
.mpl
.zip
.rar
[NO EXTENSION]

It then opens C:\ASAP!!!.txt in Notepad; the file contains the following text:
Dear User,

Thank you for using our service.
We've recently inspected your system and found out
[REMOVED]
life worse.You'll certanly get the Decription Program.

Thank you ,
Network Security Audit Plus.
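The writeup gives the Trojan's selection rule (the extensions above, everything outside %Windir%) and the name of the note it drops, which is enough to triage a machine without a signature. The script below is an added example written for this page, not code from the original alert: it applies that rule to a directory tree and flags targeted files whose byte entropy is close to 8 bits per byte, which is what encrypted documents look like, while reporting any ASAP!!!.txt it finds. The 7.5-bit threshold, the sample files and the temporary directory layout are assumptions for the demonstration; zip, rar and Office 2007 files are compressed and therefore high-entropy even when untouched, so they are reported in a separate bucket rather than as suspects.

```python
"""Triage a directory tree for the files Trojan.Randsom.B targets and flag
the ones that look encrypted. Added example, not part of the original alert.
Assumptions: the 7.5 bits/byte threshold and the constructed sample tree."""
import math
import os
from collections import Counter

# Extensions from the writeup; "" stands for files with no extension.
TARGET_EXTENSIONS = {
    ".mmf", ".dbf", ".txt", ".xls", ".doc", ".pps", ".ppt", ".docx", ".xlsx",
    ".pptx", ".rtf", ".mdb", ".vsd", ".vst", ".csv", ".mpl", ".zip", ".rar", "",
}
# Already-compressed formats are high-entropy when untouched; report separately.
NATURALLY_COMPRESSED = {".zip", ".rar", ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumption; random data scores ~7.97)
RANSOM_NOTE = "ASAP!!!.txt"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values()))


def is_targeted(path: str, windir: str) -> bool:
    """Apply the Trojan's rule: listed extension (or none) and not under %Windir%."""
    full = os.path.abspath(path).lower()
    if full.startswith(os.path.abspath(windir).lower().rstrip(os.sep) + os.sep):
        return False  # the Trojan skips the Windows folder
    return os.path.splitext(full)[1] in TARGET_EXTENSIONS


def triage(root: str, windir: str, sample_bytes: int = 65536) -> dict:
    """Walk root and return ransom notes plus targeted files that look encrypted."""
    report = {"ransom_notes": [], "suspect": [], "compressed_high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report["ransom_notes"].append(path)
                continue
            if not is_targeted(path, windir):
                continue
            with open(path, "rb") as fh:
                ent = shannon_entropy(fh.read(sample_bytes))  # leading chunk is enough
            if ent >= ENTROPY_THRESHOLD:
                ext = os.path.splitext(name)[1].lower()
                key = "compressed_high_entropy" if ext in NATURALLY_COMPRESSED else "suspect"
                report[key].append((path, round(ent, 2)))
    return report


def build_sample_tree(base: str) -> None:
    """Constructed sample data: a readable report, an 'encrypted' report
    (random bytes), a file under a fake Windows folder, and the dropped note."""
    os.makedirs(os.path.join(base, "Windows"), exist_ok=True)
    os.makedirs(os.path.join(base, "Desktop"), exist_ok=True)
    with open(os.path.join(base, "budget.txt"), "w") as fh:
        fh.write("Q3 budget: marketing 12000, travel 3400, hardware 9800\n" * 200)
    with open(os.path.join(base, "contracts.doc"), "wb") as fh:
        fh.write(os.urandom(8192))  # stands in for an encrypted document
    with open(os.path.join(base, "Windows", "notes.txt"), "wb") as fh:
        fh.write(os.urandom(8192))  # high entropy but skipped: under %Windir%
    with open(os.path.join(base, "Desktop", RANSOM_NOTE), "w") as fh:
        fh.write("Dear User,\nThank you for using our service.\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for bucket, items in triage(tmp, os.path.join(tmp, "Windows")).items():
            print(bucket, items)
```

On a real host run it against the user profile and data drives with windir set to %SystemRoot%; entropy alone cannot tell an encrypted file from a compressed one, so treat the suspect list as a starting point for restoring from backup, not as proof.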


W32.Himu.A@mm July 21, 2007

Also Known As: WORM_HIMU.A [Trend], Email-Worm.Win32.VB.cv [Kaspersky]
Type: Worm
Infection Length: 37,376 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Himu.A@mm is a mass-mailing worm that also spreads through network drives and shared folders. The worm also attempts to disable security related applications and block access to certain Web sites.

When the worm is executed, it first displays a dialog box with the following characteristics:

Title: Compressed (zipped) Folders Error
Body: The Compressed (zipped) Folder is invalid or corrupted


It then attempts to terminate the following processes, some of which are security related:
avgctrl.exe
avgamsvr.exe
avgserv.exe
avgmsvr.exe
avgcc32.exe
avgcc.exe
avginet.exe
avgupsvc.exe
avgemc.exe
avgnt.exe
avgregcl.exe
avgserv9.exe
avgw.exe
alogserv.exe
avsynmgr.exe
Mpfsheild.exe
MpfAgent.exe
mpf.exe
MpfConsole.exe
mcagent.exe
mcappins.exe
McDash.exe
mcdetect.exe
mcinfo.exe
mcmnhdlr.exe
mcshield.exe
mctskshd.exe
mcupdate.exe
mcvsescn.exe
mcvsshld.exe
mcvsftsn.exe
mcvsrte.exe
vstskmgr.exe
vsmain.exe
vshwin32.exe
pccpfw.exe
pccclient.exe
pcclient.exe
pccguide.exe
pccnt.exe
pccntmon.exe
pccntupd.exe
PcCtlCom.exe
pcscan.exe
avpm.exe
avpcc.exe
kav.exe
kavmm.exe
kavsvc.exe
AVENGINE.EXE
remupd.exe
inicio.exe
prevsrv.exe
ALsvc.exe
ALMon.exe
SavService.exe
SWNETSUP.exe
ALUNotify.exe
ccApp.exe
nisserv.exe
NISUM.exe
Navapsvc.exe
NMain.exe
Navapw32.exe
VetMsg.exe
VetTray.exe
Vet32.exe
VetNT.exe
vsmon.exe
zlclient.exe
zapro.exe
zonealarm.exe

The worm then adds entries to the hosts file that map the following security-related sites to 127.0.0.1, so that they can no longer be reached (the writeup lists them host-first; in the file itself the address comes first):
www.symantec.com 127.0.0.1
www.sophos.com 127.0.0.1
www.avast.com 127.0.0.1
www.mcafee.com 127.0.0.1
www.f-prot.com 127.0.0.1
www.f-secure.com 127.0.0.1
www.avp.com 127.0.0.1
www.kaspersky.com 127.0.0.1
www.trendmicro.com 127.0.0.1
www.bitdefender.com 127.0.0.1
www.my-etrust.com 127.0.0.1
www.norman.com 127.0.0.1
www.grisoft.com 127.0.0.1
www.pandasecurity.com 127.0.0.1
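A hosts file that pins vendor sites to loopback is one of the cheapest things to check on a suspect machine, and the check is easy to get wrong: an entry is only honoured when the address comes first, so a host-first line like the ones printed above is inert, yet still a sign that something wrote to the file. The script below is an added example for this page, not code from the original alert; it parses a hosts file, flags any entry for a vendor site and says whether the entry sinkholes it (loopback or 0.0.0.0), redirects it elsewhere, or is malformed. The vendor list is the one in the writeup; the keyword list and the sample hosts text are assumptions.

```python
"""Audit a Windows hosts file for security-vendor sites pinned to a loopback
or unspecified address, the W32.Himu.A@mm technique. Added example, not part
of the original alert. VENDOR_KEYWORDS and SAMPLE_HOSTS are assumptions."""
import ipaddress

# Sites the worm redirects, as listed in the alert.
VENDOR_HOSTS = {
    "www.symantec.com", "www.sophos.com", "www.avast.com", "www.mcafee.com",
    "www.f-prot.com", "www.f-secure.com", "www.avp.com", "www.kaspersky.com",
    "www.trendmicro.com", "www.bitdefender.com", "www.my-etrust.com",
    "www.norman.com", "www.grisoft.com", "www.pandasecurity.com",
}
# Substrings that catch update hosts and variants the exact list misses (assumption).
VENDOR_KEYWORDS = ("symantec", "sophos", "avast", "mcafee", "f-prot", "f-secure",
                   "kaspersky", "trendmicro", "bitdefender", "etrust", "grisoft",
                   "pandasecurity")

# Constructed sample, not a file taken from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate internal pin
127.0.0.1 www.symantec.com
127.0.0.1 www.kaspersky.com
0.0.0.0 liveupdate.symantecliveupdate.com
198.51.100.7 www.mcafee.com
www.sophos.com 127.0.0.1
"""


def parse_hosts(text):
    """Yield (line_no, address, names) for each active line.
    The resolver expects 'address host...'. A line whose first token is not
    an address is ignored by the resolver but still worth seeing, so it is
    yielded with address None and every token as a candidate name."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            yield no, None, tokens
            continue
        yield no, addr, tokens[1:]


def _is_vendor(name):
    name = name.lower().rstrip(".")
    return name in VENDOR_HOSTS or any(k in name for k in VENDOR_KEYWORDS)


def audit_hosts(text):
    """Return (line_no, host, reason) for every vendor-site entry.
    Any hosts entry for a vendor site is suspicious; the reason distinguishes
    sinkholing (loopback/0.0.0.0), redirection elsewhere, and malformed lines."""
    findings = []
    for no, addr, names in parse_hosts(text):
        for name in names:
            if not _is_vendor(name):
                continue
            if addr is None:
                reason = "malformed entry (host before address), ignored by the resolver"
            elif addr.is_loopback or addr.is_unspecified:
                reason = f"sinkholed to {addr}"
            else:
                reason = f"redirected to {addr}"
            findings.append((no, name, reason))
    return findings


if __name__ == "__main__":
    import sys
    # Real path on Windows: %SystemRoot%\System32\drivers\etc\hosts
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for no, host, reason in audit_hosts(text):
        print(f"line {no}: {host}: {reason}")
```

A redirect to a routable address is worse than a sinkhole: it can hand update traffic to an attacker-controlled host, so the "redirected to" findings deserve the first look.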


The worm copies itself to the root folder of any available mapped drive between C and Z as:
[DRIVE_LETTER]:\New Compressed (zipped) Folder.exe
[DRIVE_LETTER]:\kills.bat
[DRIVE_LETTER]:\format.bat

It may also copy itself to any shared drives under the following filenames:
Aupee Karim Pics.exe
download.exe
List of the musick.exe
LoveStory.exe
Lyrics Of Papercut.exe
MusicList.exe
readme2006.exe
window shopper.exe

The worm then creates some or all of the following network shares, all of which point to %PROGRAMFILES%\WindowsUpdate:
Remote Service
Himu
ADMIN$

It then drops and executes D:\SystemVoliumeInfo\rab.bat, which is used to launch a ping flood attack against the host www.rab.gov.bd (given in the original as "http://www.rab.gov.bd").

It then harvests email addresses by searching for the string "mailto:" in files with the following extensions:
* htt
* htm
* hta
* shtml
* stm
* asp
* xml
* doc
* rtf
* dbx
* php
* php3
* phtml
* jsp
* sql
* eml
* ini
* tbb
* tbi

Finally, the worm sends email to the harvested email addresses by using a combination of the following:

Sender Address is one of the following:
* info@rab.gov.bd
* rabbd@yahoo.com
* allert@rabbd.com
* notice@rab.com
* no.reply@rabheadquater.net

Mail Body:
To whom it may concern, We at www.rab.gov.bd are just warning all the online users to watch out for suspicious activities. If you would like to know more about how to report another new violence then please send a mail to us.
Thank you for your time.

Subject is one of the following:
* Reminder to be aware of TERRORISM
* Don't be another victim..!!
* RAPID ACTION BATALION
* HELP US FOR REMOVE THE TERRORISM

Attachment Name is one of the following:
* asdf45396ftADMIN.exe
* USERNAE485369KD5L.exe
* STATUSreport252.exe
* global_report.exe
* BBCandCNNreport.exe


W32.Reztrict@mm June 12, 2007

Type: Worm
Infection Length: 68096 bytes; 9061 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Once executed, the worm displays the following message if a copy is already present on the compromised computer:
No abras el virus 2 veces pelotud@!! (Spanish: "Don't open the virus twice, you idiot!!")

The worm then drops and executes the following VBScript file:
%UserProfile%\Local Settings\Temp\VIRUS v2.0.vbs

It then downloads the following file:
[http://]diexe.t35.com/viru[REMOVED]

The worm then saves this as the following file and executes it:
%Windir%\addins\svchost.exe

The worm creates the following registry entry so that it runs when Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"svchost" = "%Windir%\addins\svchost.exe"

The worm modifies the following registry entries, which disable the Find, Run, Shut Down, and Log Off options in the Start menu:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFind" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoRun" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoClose" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"StartMenuLogOff" = "1"

It also modifies the following registry entries, which hide the desktop icons and the system clock, disable access to the Control Panel, and change the Internet Explorer home page (the "(valor no establecido)" data is the Spanish-locale rendering of "(value not set)"):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"" = "(valor no establecido)"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDesktop" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"HideClock" = "1"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\"Homepage" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "[http://]prostitutas.com"

The worm enumerates the Windows Messenger contacts and stores them in the following file:
%Windir%\mis contactos.txt

It then reads email addresses from the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail

It then stores the email addresses in the following file:
%Windir%\mis contactos.txt

It sends mail through the following hard-coded SMTP account:
smtp server: mx-adinet.adinet.com.uy
username: marcedeo[REMOVED]et.com.uy
password: di[REMOVED]1

It then sends the following email to the addresses gathered from the registry subkey:
From: Marcel[REMOVED]a <marcedeo[REMOVED]t.com.uy>
To: [GATHERED EMAIL ADDRESS]
Subject: COmo andan??? tanto tiempo che!! (Spanish: "How are you all doing??? Long time no see, che!!")
Message body: Y che como estan!! tanto tiempo!! el ot[REMOVED]s todos los gurises! (Spanish: "Hey che, how are you all!! Long time!! the ot[REMOVED]s all the kids!")

It may also send the same email message to contacts gathered from Windows Live Messenger with the following characteristics:
From: [WINDOWS LIVE MESSENGER USERNAME]
To: [GATHERED WINDOWS LIVE MESSENGER CONTACT EMAIL ADDRESS]
Subject: COmo andan??? tanto tiempo che!!
Message body: Y che como estan!! tanto tiempo!! el ot[REMOVED]s todos los gurises! [WINDOWS LIVE MESSENGER USERNAME]

It also sends an email to the attacker containing all the harvested contact information:
From: [WINDOWS LIVE MESSENGER USERNAME] <marcedeo[REMOVED]t.com.uy>
To: marcede[REMOVED]ail.com
Subject: MSN TQM!!! como estas? (Spanish: "MSN ILY!!! how are you?")
Message body: MSN cagado: Andres Andrade se la come!!! (Spanish, roughly: "MSN screwed: Andres Andrade takes it!!!")
Attachment: %Windir%\mis contactos.txt

It then ends the following process:
explorer.exe

W32.Tupofse June 06, 2007

Type: Virus
Infection Length: 448,000 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

W32.Tupofse is a file-infecting virus that infects Microsoft Word and Microsoft Excel files.

Once executed, the virus creates the following files:

* %System%\kspool.exe
* %System%\avwav32.dll
* %Temp%\UNINSTX[SINGLE CHARACTER].tmp

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kernel spooler" = "%System%\kspool.exe"
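Every threat on this page persists through the CurrentVersion\Run key (Trojan.Randsom.B launches Notepad on its note, W32.Reztrict@mm plants a fake svchost.exe under %Windir%\addins, W32.Tupofse registers "Kernel spooler"), and Reztrict adds the Explorer policy lockdown and start-page change described above. All of that can be checked from one registry export. The script below is an added example for this page, not code from the original alerts: it parses a .reg file and labels Run entries as masquerade (a System32 binary name living elsewhere), lolbin (a trusted tool started with a payload argument) or review, and reports non-zero lockout policies and a changed start page. The rule lists and the sample export are assumptions; the three Run entries in the sample mirror the three writeups.

```python
"""Audit a .reg export for Run-key persistence and Explorer lockdown.
Added example, not from the original alerts. SYSTEM_BINARIES, LOLBINS,
LOCKOUT_POLICIES and SAMPLE_REG are this example's assumptions."""
import ntpath
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
POLICY_KEY = "\\policies\\explorer"
IE_MAIN_KEY = "\\internet explorer\\main"
# Explorer policy values the Reztrict writeup sets to 1.
LOCKOUT_POLICIES = {"nofind", "norun", "noclose", "startmenulogoff",
                    "nodesktop", "hideclock", "nocontrolpanel"}
# Names that belong in \Windows\System32; a copy elsewhere is masquerading.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "spoolsv.exe"}
# Legitimate tools that malware starts with a payload as the argument.
LOLBINS = {"notepad.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "powershell.exe"}

# Constructed sample export, not taken from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Notepad"="notepad.exe C:\\ASAP!!!.txt"
"svchost"="C:\\WINDOWS\\addins\\svchost.exe"
"Kernel spooler"="C:\\WINDOWS\\system32\\kspool.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFind"=dword:00000001
"NoRun"=dword:00000001
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://attacker.example/"
"""


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _parse_data(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other types are left as text


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a Windows .reg export."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = tree.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else _unescape(m.group(1))
            current[name] = _parse_data(m.group(3))
    return tree


def _split_command(cmd):
    """(executable, arguments) for a Run value, honouring a quoted exe path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (cmd, "")


def audit_reg(text):
    """Return (key, value_name, verdict, data) tuples worth an analyst's eye."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(RUN_KEYS):
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                exe, args = _split_command(data)
                base, folder = ntpath.basename(exe).lower(), ntpath.dirname(exe).lower()
                if base in SYSTEM_BINARIES and not folder.endswith(("\\system32", "\\syswow64")):
                    verdict = "masquerade"  # system name, wrong directory
                elif base in LOLBINS and args:
                    verdict = "lolbin"      # trusted binary launching a payload
                else:
                    verdict = "review"      # every Run entry deserves a look
                findings.append((key, name, verdict, data))
        elif k.endswith(POLICY_KEY):
            for name, data in values.items():
                if name.lower() in LOCKOUT_POLICIES and data not in (0, "0", ""):
                    findings.append((key, name, "lockout", data))
        elif k.endswith(IE_MAIN_KEY) and "Start Page" in values:
            findings.append((key, "Start Page", "homepage", values["Start Page"]))
    return findings


if __name__ == "__main__":
    import sys
    # reg.exe writes exports as UTF-16 with a BOM; "utf-16" handles that.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for key, name, verdict, data in audit_reg(text):
        print(f"{verdict:10} {name!r} = {data!r}  [{key}]")
```

Export the keys with reg.exe (for example `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) on the suspect host and feed the file in; "Kernel spooler" lands in the review bucket because the name tells you nothing, which is exactly why every Run entry is listed rather than only the ones a rule catches.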

The virus attempts to infect files with the following extensions:

* .doc
* .xls

It replaces the original file extension with the following extension:
.exe

The virus may stop the following service:
MSSQL


Recommendations

We encourage all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted security bulletins, or on vendor Web sites.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them, and not to execute software downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
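The attachment-blocking recommendation is only as good as the check behind it: the worms above arrive as STATUSreport252.exe, as an .exe inside a zip, and as a file whose name says one thing while the bytes say another. The script below is an added example for this page, not code from the original recommendations; it parses a raw message with Python's standard email module and blocks it when an attachment has a blocked extension (including the decoy "invoice.pdf.exe" form), carries a PE header behind a harmless-looking name, or is a zip containing either. The extension lists, the nesting and size limits, and the sample messages are assumptions.

```python
"""Mail-gateway style attachment check for the executable lures the worms on
this page send. Added example, not part of the original recommendations.
Extension lists, limits and sample messages are this example's assumptions."""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The recommendations' list (.vbs .bat .exe .pif .scr) extended with other
# directly executable types.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr", ".com", ".cmd",
                      ".js", ".jse", ".vbe", ".wsf", ".hta", ".cpl"}
DECOY_EXTENSIONS = (".doc", ".xls", ".pdf", ".txt", ".jpg", ".gif")  # "report.doc.exe"
PE_MAGIC = b"MZ"
MAX_DEPTH = 2                        # nested archives to descend
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate bigger members (zip-bomb guard)


def attachment_reasons(name, data, depth=0):
    """Reasons to block one attachment; recurses into zip archives (depth-limited)."""
    reasons = []
    name_l = (name or "").lower()
    ext = os.path.splitext(name_l)[1]
    if ext in BLOCKED_EXTENSIONS:
        stem = name_l[: -len(ext)]
        kind = "double extension" if stem.endswith(DECOY_EXTENSIONS) else "blocked extension"
        reasons.append(f"{kind} {ext}: {name}")
    elif data[:2] == PE_MAGIC:
        reasons.append(f"PE header behind a non-executable name: {name}")
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info) if info.file_size <= MAX_MEMBER_BYTES else b""
                reasons += [f"in {name}: {r}" for r in attachment_reasons(info.filename, member, depth + 1)]
    return reasons


def scan_message(raw):
    """Parse a raw RFC 5322 message and return a verdict with its reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text/* attachments come back decoded
            data = data.encode(part.get_content_charset() or "utf-8", "replace")
        reasons += attachment_reasons(part.get_filename() or "", data)
    return {"subject": str(msg["Subject"]), "verdict": "block" if reasons else "pass", "reasons": reasons}


def build_message(subject, filename, payload):
    """Constructed sample message with one attachment (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "notice@sender.example"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def sample_messages():
    """Five constructed messages: worm-style EXE, EXE inside a zip, decoy
    double extension, PE bytes behind a .jpg name, and a benign PDF."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # constructed stub, not a real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("New Compressed (zipped) Folder.exe", fake_pe)
    return {
        "himu": build_message("Reminder to be aware of TERRORISM", "STATUSreport252.exe", fake_pe),
        "zipped": build_message("photos", "archive.zip", buf.getvalue()),
        "decoy": build_message("invoice", "invoice.pdf.exe", fake_pe),
        "mislabeled": build_message("pics", "photo.jpg", fake_pe),
        "benign": build_message("Q3 report", "report.pdf", b"%PDF-1.4\n% constructed\n"),
    }


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, scan_message(raw))
```

Blocking on the declared name alone would pass "photo.jpg" and the zipped copy; checking the first bytes and looking inside archives is what makes the rule hold against the delivery tricks described above. Password-protected archives cannot be inspected this way and need a separate policy.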


What is malware?

Malware is software designed to infiltrate or damage a computer system without the owner's consent. The term is a contraction of "malicious software" and describes the intent of the creator rather than any particular feature. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Most Prevalent Global Malware
(from 20 July 2007 to 18 August 2007)

Trojan.Randsom.B W32.Scrimge.G W32.Lashplay W32.Scrimge!gen Trojan.Lazdropper W32.Hauxi Infostealer.Monstres W32.Scrimge.E W32.Drowor.A!inf Trojan.Bankpatch!inf Bloodhound.Exploit.152 Bloodhound.Exploit.159 Trojan.Bankpatch W32.Drowor.A Backdoor.Ginwui.F W32.Mimbot.A Bloodhound.Exploit.148 W32.Versie.A W32.Scrimge.A W97M.Necro.A Trojan.Tarodrop.D W32.Vispat.B@mm W32.Romariory@mm W32.Imaut.AS W32.Kibtos W32.Falsu.E Trojan.Peacomm.B!inf Trojan.Virantix W32.Deletemusic Trojan.Farfli W32.Imcontactspam@mm W32.Whybo.U Linux.Backdoor.Rexob Infostealer.Winotim W32.Imautorun W32.Bratsters Trojan.Firpage

Most Prevalent Global Malware
(from June 2007 to July 2007)

W32.Phoney.A W97M.Mupps Bloodhound.Exploit.158 Trojan.Gpcoder.E W32.Himu.A@mm Trojan.Retvorp W32.Atnas.A W32.Fubalca.N!html W32.Fubalca.N W32.Tisandr.A@mm VBS.Pusia Trojan.Maliframe!html Bloodhound.Exploit.155 Bloodhound.Exploit.157 Bloodhound.Exploit.156 W32.Vispat.A@mm Trojan.Botvoice Trojan.Duganss!inf W32.Cassel W32.Netsky.BG@mm W32.Piffle W32.Weakling W32.Hairy.A W32.Tupofse.B!inf W32.Tupofse.B Trojan.Riler.G W32.Daxijesh Trojan.Trickanclick W32.Svich W32.Espoleo W32.Espoleo!inf W32.Pifio W32.Gexin.A Backdoor.Fonamebot W32.Amca WHS.Vred W32.Nujama.B W32.Stration!dldr W32.Schting.A XF.Helpopy W32.Chiko W32.Ogleon.A Trojan.Flogash W32.Vediance Trojan.Lhdropper W32.Fubalca.I!html W32.Fubalca.I

Most Prevalent Global Malware
(from May 2007 to June 2007)

W32.Tupofse W32.Dizan.D W32.Mubla Trojan.Tooso.S VBS.Nokrupt W32.Alnuh TIOS.Divo W32.Mumawow!gen Trojan.Smallprox Backdoor.Robofo Trojan.Packed.NsAnti W32.Dotex TIOS.Tigraa W32.Quadrule.A W32.Ganbate.A Trojan.Spoofive!html W32.Nomvar Trojan.Mpkit!html Infostealer.Banker.D Bloodhound.Packed.29 W32.Sachy.A W32.Lecivio JS.Badbunny Perl.Badbunny Ruby.Badbunny W32.Sibaru.A SymbOS.Viver.A Trojan.Perfcoo IRC.Badbunny SB.Badbunny!inf Python.Badbunny SB.Badbunny W32.Drom VBS.Lido W32.Autosky VBS.Lido!html W32.Danber W32.Rahiwi.B W32.Amend.A@mm W32.Posse W32.Naplik!inf W32.Naplik W32.Condown.A W32.Uisgon.A W32.Fubalca.E Trojan.Usbsteal W32.Mumawow.D!inf W32.Mumawow.D W32.Neela Trojan.Haradong.C W32.Popwin Backdoor.Graybird!gen W32.Kenety W32.Stration.IZ@mm W32.Pitin.C W32.Odelud Infostealer.Snifula.C Hacktool.Sipbot Bloodhound.Exploit.147 Bloodhound.Exploit.146 Bloodhound.Exploit.141 W32.Tupse W32.Lobekad!inf Backdoor.Coreflood.C Trojan.Zlob.N Bloodhound.Exploit.139 Bloodhound.Exploit.140 Bloodhound.Exploit.142 Bloodhound.Exploit.143 Bloodhound.Exploit.144 Bloodhound.Exploit.145
