Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.

Netsky is still infecting computers after being first discovered in April 2004.

To remove some viruses it is advisable to turn off System Restore.

April 21 2006 W32.Banleed.A

Discovered on: April 20, 2006
Last Updated on: April 21, 2006

W32.Banleed.A is a network worm that spreads on shared drive and folders. It steals confidential information and accounts when users contact a bank Web site. The worm may download and execute remote files and send gathered information to a remote host.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Banleed.A is executed, it performs the following actions:

1. Copies itself as the following file:

C:\Windows\system.exe

2. Checks for the presence of the following file and stops the execution if that file exists:

C:\halt.txt

3. Adds the value:

"[FILENAME]" = "[PATH TO WORM]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
so that it runs every time Windows starts.

4. Creates and executes the following batch file to enumerate all the hosts in network shares of the infected machine:

C:\Windows\system.bat

5. Creates the following files:

* C:\Windows\view.txt - output of system.bat
* C:\Windows\maq.txt - list of hosts in network shares
* C:\Windows\okey.txt - clean text file

6. Attempts to spread across local network shares by copying itself on the startup folder of remote machines found. The worm tries to copy its executable in the following remote folder:

\[NETWORK_HOST]\C$\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar

NOTE: The worm uses a hardcoded path during its replication so that it will work only Brazilian/Spanish Windows machines.

7. Updates its code by downloading a configuration file from the following URL:

[http://]www.rulandocash.net/upd/upd[REMOVED]

The downloaded file contains the following configuration information:

* version = [VERSION NUMBER]
* download = [DOWNLOAD URL]
* installdir = [INSTALL PATH]

8. Uses the configuration file to download the following remote file that at the time of writing was not available from the remote location:

[http://]www.sinmadam.net/.%20/upd/lsas[REMOVED]

9. Saves the downloaded file as the following file and then executes it:

c:\windows\system\NVSVC32.EXE

10. Monitors the browser windows of Internet Explorer and Firefox looking for any of the following bank URLs:

* [https://]www2.bancobrasil.com.br/aapf/aai/logi[REMOVED]
* [https://]internetcaixa.caixa.gov.br/nasapp/siibc/login_autent
[REMOVED]
* [https://]wwwss.bradesco.com.br/scripts/ib2k1.dll/lo[REMOVED]
* [https://]net.sofisa.com.br/netbanking/tvirt[REMOVED]
* [https://]bankline.itau.com.br/gripnet/gracg[REMOVED]
* [https://]wwws.nossacaixa.com.br/bemvin[REMOVED]
* [https://]www2.rural.com.br/ruralibank/princi[REMOVED]
* [http://]www.unibanco.com.br/hom/inde[REMOVED]
* [http://]www.equifax.com.br
* [http://]www.tibia.com/ho[REMOVED]
* [http://]login.passport.net/uilog[REMOVED]
* [https://]www.orkut.com/glogi[REMOVED]
* [http://]www.banespa.com.br/portal/bnp/script/templates/gcmreq
[REMOVED]

Depending on the URL entered into the browser, the worm hijacks the current browser window and displays its fraudulent Web page of the bank site.

11. Gathers this information and send it to a remote mail address, once the user enters his authentication information into the malicious Web page.

12. May contact the following remote site to retrieve the interenet IP address of the infected machine:

[http://]checkip.dyndns.org

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.

Top 10 Most Prevalent Global Malware
(from April 14 to March 21 2006)

1. WORM_NYXBM.E
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. HTML_NETSKY.P
5. WORM_NETSKY.P
6. WORM_ANIG.A
7. WORM_MOFEI.B
8. JAVA_BYTEVER.A
9. EXPL_WMF.GEN
10. PE_PARITE.A

April 14 2006 Trojan.Lisentkey

Trojan.Lisentkey is a Trojan horse that tries to log all keystrokes and send the information to an?FTP site. Trojan.Lisentkey is generated by Hacktool.Lisentkey.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Trojan.Lisentkey is executed, it performs the following actions.

1. Copies itself as the following file:

%System%\[PREDETERMINED FILE NAME]

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Creates the following temporary file:

%System%\tempinfo.txt

3. Adds the value:

"[PREDETERMINED VALUE]" = "%System%\[PREDETERMINED FILE NAME]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run

so that the Trojan runs every time Windows starts.

4. Logs all keystrokes and saves them into %System%\
[LOG FILE NAME].

5. Sends the logged keystrokes and the following information to its creator via FTP:

* OS version
* Computer name
* Current User name
* Memory size
* All local drive type and size
* Clipboard data

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.

NOTE:
Advanced websites encourages all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.

Top 10 Most Prevalent Global Malware
(from April 07 to March 14 2006)

1. WORM_NYXBM.E
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. HTML_NETSKY.P
5. WORM_NETSKY.P
6. WORM_ANIG.A
7. WORM_MOFEI.B
8. JAVA_BYTEVER.A
9. EXPL_WMF.GEN
10. PE_PARITE.A

April 01 2006 Vulnerability Exploit - EXPL_TXTRANGE.A

EXPL_TXTRANGE.A is a zero-day exploit that takes advantage of a vulnerability in the createTextRange Method call process in Internet Explorer. Exploiting this vulnerability enables a user to create a text range within an object. This exploit affects Internet Explorer 6.0 and Internet Explorer 7.0 Beta 2 (January Edition) running on Windows 98, ME, NT, 2000, XP, and Server 2003.

This exploit causes an error in the mentioned text range, which is applied to a an affected system's memory and to execute arbitrary codes on the system. It can also download and execute malicious codes on the system.

Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a threat whereby many computers may be affected due to the availability of exploit code, and the fact that vendors do not have much time to patch it.

One malicious JavaScript that uses this exploit is detected as JS_DLOADER.BXR.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.

Top 10 Most Prevalent Global Malware
(from March 24 to March 30, 2006)

1. WORM_NYXBM.E
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. HTML_NETSKY.P
5. WORM_NETSKY.P
6. WORM_ANIG.A
7. WORM_MOFEI.B
8. JAVA_BYTEVER.A
9. EXPL_WMF.GEN
10. PE_PARITE.A

March 25 2006
Internet criminals - spyware & adware food chain.

If someone breaks into your house or car, they are a criminal!. If someone breaks into your computer are they a criminal? We say yes! Broadly defined, spyware is any software program that surreptitiously monitors and gathers user information. What was once written and installed only by malicious authors seeking to steal users' personal information, adware has emerged as a new and more prominent form of spyware. A slightly less malicious form of spyware, adware can display pop-up advertisements produced by so-called legitimate adware companies. Adware companies are well funded, to the extent that some have even discussed launching multi-million dollar IPOs.

The current mix of spyware and adware presents a compelling challenge to both computer users and security companies, because of the lack of clarity about what constitutes legitimate marketing techniques ? and is further complicated by the fact that the rules vary widely throughout the world.

A narrow definition of spyware includes programs on a user's computer that report user behavior, such as keystrokes or Web browsing history. According to this definition, some types of spyware may be used for marketing purposes, while other types are used for the purpose of criminal fraud leading to profit making.

We use both broad and narrow definitions of spyware. "A broad definition of spyware would include adware and Trojan spyware. Anything that interferes with the privacy, productivity, or security of your PC can be called spyware - with the caveat that it is non-propagating. Spyware stays on a system as long as it can without being noticed. Also, while viruses and worms are essentially about vandalism, broad-definition spyware is about monetary gain."

The story of how the money flows in the spyware cycle involves four contributors or sources. First are the advertisers themselves, and second are the agents they hire to market their products. Third in the spyware food chain is the publishers, the writers of the program 'payload', the crimeware or grayware that actually gets delivered to the user's computer. Fourth are the distributors, who often distribute multiple payloads for a variety of publishers, since they earn their money on a "per install" basis.

Spyware and adware were prevalent trends in 2005. 29 per cent of the total threat landscape for the year till February 2006 was comprised of spyware and adware. 2005 2006 also saw the use of blended threats, in which malware authors initiated multi-trojan attacks ? including worms that drop or download spyware/adware programs onto systems ? to take advantage of marketing programs that pay a small fee per installation.

The trend is likely to continue in 2006 and beyond. Adware-driven campaigns can generate significant amounts of money, and many adware companies are eager to have their products installed in as many PCs as possible. As the threat of spyware and adware continues to grow, it becomes even more critical for computer users to scan any program downloaded through the Internet - including any downloads from P2P networks (peer to peer), via the Web, or any FTP server, regardless of the source - with updated anti-virus and anti-spyware software.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.

Top 10 Most Prevalent Global Malware
(from March 17 to March 23, 2006)

1. WORM_NYXEM.E
2. SPYW_DASHBAR.300
3. SPYW_GATOR.F
4. HTML_NETSKY.P
5. WORM_NETSKY.P
6. JAVA_BYTEVER.A
7. WORM_MOFEI.B
8. WORM_ANIG.A
9. EXPL_WMF.GEN
10. JAVA_BYTEVER.A-1