Virus alerts for Feb 2006
We stock the most efficient anti-virus program, which checks for updates hourly.
Contact Us for a free antivirus trial to the end of this month.
To remove some viruses it is advisable to turn off System Restore.

Top 10 Most Prevalent Global Malware: 1. WORM_GREW.A

February 22 2006: Trojan.Satiloler.D

Scan your registry for ctfmon.exe if you think you are infected.

When Trojan.Satiloler.D is executed, it performs the following actions:

1. Creates the following mutex, so that only one instance of the Trojan runs on the compromised computer at any one time: _Toolbar_Class_32
2. Creates the following backup copy of the valid system file %System%\userinit.exe: %Windir%\system\userinit.exe. The Trojan then creates a copy of itself as the following file, overwriting the original %System%\userinit.exe file in the process: %System%\userinit.exe
3. Copies itself as the following files:
   * %ProgramFiles%\Common Files\system\lsass.exe
   Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
4. Creates the following files:
   * %System%\divx5.dll
   The library file %System%\divx5.dll is a user-mode rootkit that tries to hide the Trojan's processes from the Windows Task Manager utility.
5. Adds the value "ctfmon.exe" = "%Windir%\system\ctfmon.exe" to the registry subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that it runs every time Windows starts.
6. Adds the value "Userinit" = "%ProgramFiles%\Common Files\system\lsass.exe" to the registry subkey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it runs every time Windows starts.
7. Adds the value "tvr" = "[PATH TO TROJAN EXECUTABLE]" to the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE to act as an infection marker.
8. Adds the value "gold" = "[RANDOM ID]" to the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft to act as an infection marker.
9. Adds the value "%Windir%\system\ctfmon.exe" = "%Windir%\system\ctfmon.exe:*:Enabled:ctfmon" to the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\ in order to bypass Windows Firewall restrictions.
10. Modifies the value "SFCDisable" = "FFFFFF9D" in the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in order to disable Windows File Protection.
11. Adds the value "System" = "" to the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
12. Deletes all entries under the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
13. Attempts to download a configuration file using one of the following domains: [http://]www.certdreams.com/cm[REMOVED]. Alternatively, the Trojan may use a domain configured under the following registry entry: HKEY_LOCAL_MACHINE\Software\Microsoft\"d" = "[DOMAIN NAME]". The Trojan saves this file as %System%\cmd.txt.
14. May then modify the hosts file with data copied from a downloaded configuration file, %System%\hst.txt.
15. Modifies the following .dll files, and any backup copies in the %Windir%\dllcache folder, in order to disable System File Protection:
   * %System%\sfc_os.dll
16. Attempts to close windows that have the following titles, some of which may be security-related:
   * Norton Personal Firewall
17. Attempts to end the following processes:
   * WINLDRA.EXE
18. Attempts to disable the following programs:
   * C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
19. Steals the following information and saves it to the %System%\h323.txt file:
   * POP3 user name
20. Searches for the following strings in the Web browser:
   * cahoot
21. Logs the following data, related to Web browsing activities, in the file %System%\h323.txt:
   * URLs visited
22. Posts all the log files it creates to a Web site defined by the remote attacker. The Trojan also sends the following data, which it gathers from the compromised computer, to this Web site:
   * Username
23. Opens a proxy server on a random TCP port.
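A defender-side triage check for the Trojan.Satiloler.D registry markers listed above, added here as an example and not code from this site or from any antivirus vendor: it parses a text registry export of the kind `reg export` produces and reports which of the markers are present. The sample export, the `parse_reg_export` and `find_satiloler_indicators` helpers and the descriptions are constructed for this example; the key paths and values come from the description above, and the truncated Windows Firewall key is left out.

```python
import re
# Registry indicators from the Trojan.Satiloler.D description above:
# (key path, value name, expected data or None for "any data", description).
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE", "tvr", None, "infection marker 'tvr'"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft", "gold", None, "infection marker 'gold'"),
    ("HKEY_CURRENT_USER" + RUN, "ctfmon.exe", r"%Windir%\system\ctfmon.exe", "HKCU Run entry for rogue ctfmon.exe"),
    ("HKEY_LOCAL_MACHINE" + RUN, "Userinit", r"%ProgramFiles%\Common Files\system\lsass.exe", "HKLM Run entry for rogue lsass.exe"),
    (WINLOGON, "SFCDisable", "ffffff9d", "Windows File Protection disabled (SFCDisable=FFFFFF9D)"),
]

# Constructed sample 'reg export' output (not from a real host): three markers plus a benign Winlogon Userinit value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE]
"tvr"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="%Windir%\\system\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

def parse_reg_export(text):
    """Parse .reg text into {key_path.lower(): {value_name.lower(): data}}."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # a [KEY] header starts a new subkey section
            current = hives.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))', line)
        if m and current is not None:
            name, s, dword = m.groups()
            # .reg strings double every backslash; fold them so paths compare literally
            current[name.lower()] = s.replace("\\\\", "\\") if s is not None else dword.lower()
    return hives

def find_satiloler_indicators(reg_text):
    """Return the description of every Satiloler.D registry indicator found in the export."""
    reg = parse_reg_export(reg_text)
    hits = []
    for key, name, expected, desc in INDICATORS:
        data = reg.get(key.lower(), {}).get(name.lower())
        if data is not None and (expected is None or data.lower() == expected.lower()):
            hits.append(desc)
    return hits
```

Key paths, value names and hex data are compared case-insensitively, since the registry itself is case-insensitive and exports vary in casing.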
February 02 2006: TROJ_BOMKA.L

TROJ_BOMKA.L may arrive on a system as an attachment to spammed emails, disguised as a non-malicious dart game to entice users into playing it. This non-destructive Trojan is currently spreading in the wild and infecting computer systems that run Windows 98, ME, NT, 2000, XP, and Server 2003.

A rough English translation of the email is:

Subject: you take one pause...

Upon execution, this Trojan drops and executes a copy of the legitimate game on the system. This action hides its malicious behavior from the user. It also drops its .DLL component, which it registers as a Browser Helper Object (BHO) to ensure that it runs every time the user opens Internet Explorer. This Trojan also attempts to connect to several Web sites to download other files or an update of itself. These downloaded files may be other malware, leaving the affected computer more prone to further attacks.

February 02 2006: WORM_GREW.A

A new malicious worm began infecting systems last week, which promises to launch an attack on February 3rd and the 3rd of every month thereafter, according to threat researchers at antivirus and content security firm Eset. The new worm, known by such names as Nyxem, BlackMal, Mywife, and CME-24, has infected hundreds of thousands of machines over the past week, most belonging to unsuspecting users who do not yet know they are infected. Like most worms, WORM_GREW.A propagates via email attachments and network shares, including popular P2P file sharing services. The email method of transmission employs common social engineering techniques, including the promise of pictures, pornographic content, or a joke to entice users to open the corresponding attachment. Though this worm utilizes common propagation techniques, the code itself is anything but common.

This is a destructive virus that deletes and overwrites any number of files present on a user's system, by targeting the most popular file formats, including .DOC, .XLS, .PPT, .PDF, and .ZIP, to name just a few. In addition to losing a great deal of data, this virus also renders the keyboard and mouse inoperable, thereby leaving the user's system dead in the water. This is a truly global threat, affecting computer systems in over 150 countries to date. Since this threat is relatively well known to the security industry, most major security vendors, including NOD32, detect this worm and its variants. Eset NOD32 has specific detection for all currently known variants of this worm, and successfully detects all new variants generically, thereby providing broad protection against this threat. The best defense is for users to run a scan of their systems to ensure they haven't been infected. The attack is hard-coded in the worm, so if you haven't been infected there is no need to worry about the February 3rd attack, as long as you stay clean.

* Do not open any emails from those you don't know