Virus Info

Nyxem.E Infections Growing Quickly

Infections of the Nyxem.E Worm are growing quickly, as reported by F Secure. They have spotted a counter that is supposed to be counting the number of infected computers and it is already over 500,000. Of course that could be a made up number, they could’ve started at 300,000, etc, but could be growing rapidly.

The worm’s destructive payload activates on every third day of the month by replacing the content of user’s files with a text string “DATA Error [47 0F 94 93 F4 K5]“. Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.

The worm also has an interesting feature: it increases a counter on a website every time a new machine gets infected. When we first saw the counter (earlier today) it was below 300,000 . Now it’s already over 417,000 and growing. The counter didn’t necessarily start from zero.

I recommend you get Panda Internet Security right now to make sure you are secure. Or try their Free Online Scan.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - January 23, 2006 at 12:36 pm

Categories: Virus Info   Tags:

Temporary Fix for the WMF Exploit

Since Microsoft has decided to wait until Tuesday to release it’s patch for the latest Windows exploit, the WMF security flaw, F-Secure has posted on their site about a fix released by the author of Interactive Disassembler and probably one of the best low level Windows experts in the world, Ilfak Guilfanov. The fix is here.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem.

This flaw has already spawned dozens of attacks from a MSN Messenger worm to spam that tries to get users to click on malicious web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

“We have seen dozens of different attacks using this vulnerability since Dec. 27,” Hypponen said. “One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks.”

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user’s system and allow sensitive files to be viewed.

A chief researcher at F-Secure said,

“We are still far away from a massive virus,” he said. “Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected.”

In an article from News.com posted today, an antivirus specialist stated that over a million pc’s have been compromised,

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

“I’m sure it’s just a matter of days until the first (self-propagating) WMF worm will appear,” he said. “A patch is urgently needed.”

So, with Microsoft waiting until Tuesday, attackers are going to have about a week with no worries to try to take advantage of this. So far, most of the attacks have involved installing spyware and adware to display pop up advertising on the infected pc’s.

Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. “Microsoft’s goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins,” the company said.

To protect Windows users, Microsoft shouldn’t wait, but release the patch now, several critics said.

“The flaw is actively exploited on multiple sites, and antivirus provides only limited protection,” said Johannes Ullrich, the chief research officer at the SANS Institute. “Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch.”

Once again, we see a large company not really caring about the users and all they are doing is creating even more ill will.

Added: One of the F-Secure researches stated that one of their test machines became infected after downloading an infected file using the Wget command line tool, without even executing it.

It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

2 comments - What do you think?  Posted by Jimmy Daniels - January 4, 2006 at 11:39 am

Categories: Microsoft News, Spyware Info, Tech News, Virus Info   Tags: , , , , , ,

Dutch Trio Hacked 1.5 Million Computers

According to an article on Yahoo.com from the Associated Press, 1.5 million computers were hacked and included in a zombie network that was used to gather paypal and ebay account info, credit card information, personal info, and were planning to use the computers in a denial of service attack against a US company to blackmail them into sending them money. Sounds like a busy little business they had going.

The three, who were arrested Oct. 6 and originally were estimated to have hacked 100,000 computers, have yet to enter a plea.

A court in the town of Breda extended the custody of the 19-year-old main suspect and a 22-year-old accomplice for a month Thursday, and ordered the release of the third, aged 27, pending trial, prosecution spokesman Wim de Bruin said. The suspects’ names have not been released.

The software the hackers used, a variation of the worm known as “W32.Toxbot,” was first detected this year. Antivirus software can remove it, but the hackers adjusted the program constantly to defeat protections.

The existence of the “zombie network” of infected computers was first detected by Dutch Internet provider XS4ALL. The company noticed unusual activity coming from a handful of its users’ infected computers, said the company’s chief technical officer, Simon Hania.

The company traced the network as far as it could, and then turned the matter over to prosecutors.

It’s amazing what people try to get away with, hope they get a nice cell with a very large roommate who is very interested in their personal hygiene.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 20, 2005 at 12:41 pm

Categories: Tech News, Virus Info   Tags:

John Thompson is no Complainer

In an article posted at news.com, John Thompson, CEO of Symantec, says we’re not going to whine about Microsoft competing with us in the security arena, and let’s face it, given Microsoft’s record with security, you can’t really blame him.

Microsoft is set to enter the security arena next year, but Symantec won’t compete by complaining to antitrust regulators or suing the software giant.

“We’re not looking to go whining to the EU or the DOJ for anything,” Symantec Chief Executive Officer John Thompson said Tuesday, referring to the European Union and the U.S. Department of Justice. Thompson was responding to questions from reporters after an event at the Commonwealth Club here.

Symantec, based in Cupertino, Calif., has responded to questions from EU competition authorities about its role in the security industry but has no intent to file a complaint about Microsoft, Thompson said.

“We’re not involved with anything with the EU,” Thompson said. “We don’t need competition in the courtrooms.” Instead, Thompson said Symantec will compete with its products, which he said are superior those Microsoft has yet to launch.

My experience with Symantec’s antivirus products has generally been good and a positive experience overall, although we did standardize on McAfee VirusScan, which I think is a better product. BUT, that does not be any stretch mean I wouldn’t dump them for a better product from Microsoft, especially if that product came already installed and ready to go. Microsoft may not do everything well, but they aren’t afraid to buy a company who does do it well and go from there. I like their anti spyware product and it’s ease of use, even though I don’t like some of the companies they mark as ignore, so there are tradeoff’s in almost every product. I’ll be cautiously pessimistic as always and try it out when they release it.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 12, 2005 at 1:04 pm

Categories: Microsoft News, Virus Info   Tags: , , , , ,

Sony PSP Virus Discovered

This from 1up.com,

Today Symantec Security Response experts identified the first Trojan that targets Sony Playstation Portable systems, Trojan.PSPBrick, as a Category 1 threat (Category 5 being the worst). As of today, there are no confirmed infections, and we’d like to keep it that way!
The virus is designed to look like a downloadable hack that lets users run their own games on the PSP. Once installed, it deletes system files and breaks the PSP. The user must choose to download it – which means you’re safe if you don’t go around taking files from strangers.

Click here for more.

As long as you don’t download a mod and run it on your PSP, you are currently safe. Symantec says they are looking at solutions to protect your PSP in the future.

From news.com,

“The types of people who would be affected wouldn’t be everyone who has gotten the PSP,” he said. “It would be affecting the people who are trying to ‘mod,’ or update, their devices.”

The PSP went on sale in March, with most people snapping it up for its gaming or music- and movie-playing abilities, not to see if they can run Linux. Sony also added Web-surfing capabilities in August.

Still, while the numbers of people likely to be hit are low, the cost is high, Chien said.

“There’s definitely people who have run it and are something on the order of $300 poorer now,” he said. It’s also an indication, Chien said, that virus writers are looking beyond the PC.

“People are writing malicious code for all kinds of devices,” he said.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 10, 2005 at 1:38 am

Categories: Virus Info   Tags:

Kaspersky Software Flaw

Kaspersky anitvirus software flaw was announced by a independent resercher, and Kaspersky has issued the following statement,

There has recently been a wide-ranging discussion in the mass media about a report by Alex Wheeler, an independent researcher, that a vulnerability related to processing files of the CAB format has been discovered in Kaspersky Lab antivirus products. Taking into account the close attention of the computer community, Kaspersky Lab considers it necessary to provide official comments on the incident.

The company confirms the presence of a vulnerability in a Kaspersky Anti-Virus module used to process CAB files. Taking advantage of this vulnerability results in a malfunction of the antivirus program. This effect is present only in the Windows environment and does not affect other operating systems.

The also confirmed that they have created a signature file that will detect any exploits, and that they will update their software soon to fix the flaw. Read more here.

From News.com,

Kaspersky issued the statement in response to a report on Monday of a flaw in its antivirus library. An attacker could exploit the heap overflow vulnerability to commandeer systems that run Kaspersky’s products, security researcher Alex Wheeler wrote in an advisory (download PDF).

“The actual threat posed by the…vulnerability is minimal and cannot affect the level of antivirus protection provided by Kaspersky Lab products,” the company said in the statement.

Wheeler informed Kaspersky of the flaw around Sept. 24, said Stephen Orenberg, president of Kaspersky’s North American operations. After an initial investigation, Kaspersky provided updated antivirus signatures on Sept. 29 to protect customers against attacks exploiting the flaw, he said. A final fix is due Wednesday, Orenberg said.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - October 4, 2005 at 11:30 pm

Categories: Virus Info   Tags: ,

Common Malware Enumeration initiative

Well, this is a good idea and a long time coming, I’m sure everyone has been confused at some time in the past with viruses and their names, variants, etc. The Common Malware Enumeration initiative is meant to reduce the confusion caused by the different names security companies give viruses, owrms, and other pests.

“There is a lot of confusion over the way that malware is referred to,” Desiree Beck, the technical lead for the CME initiative, said in an interview. “We’re trying to alleviate that by giving malware a common identifier, so everybody is talking about the same thing when some malware event happens.”

The antivirus industry has tried, and failed, before to agree on common naming for worms and viruses. This time, US-CERT, the part of the U.S. Department of Homeland Security that coordinates response to cyberattacks, is running the show. With that in mind, and because the plan allows companies to keep their own naming by assigning an ID rather than a common name, security software makers are hopeful that the effort will be a success, and they’re eager to participate.

Here is a link to their homepage and a link to the news.com story.

CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware. Instead, CME is working with the security community to facilitate the adoption of a shared, neutral indexing capability for malware. An example of a CME identifier would be: CME-123.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - September 22, 2005 at 9:03 am

Categories: Virus Info   Tags: , , ,

The Blebla Worm May Cause an “Access Violation” Error Message (Q319148)

You may receive the following error message:

Sysrnj.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

You may receive this error message if your computer is infected by any variant of the Blebla worm, including:

  • W32/Blebla@mm.Worm
  • W32/Blebla.A
  • W32/Blebla.B

Click here for the article.

Be the first to comment - What do you think?  Posted by Jimmy Daniels - May 3, 2004 at 2:01 am

Categories: Tips, Virus Info, Windows XP, Windows XP Tips   Tags:

« Previous Page