Computer Virus Alerts - Maintenance

Criminals can gain access to your computer through email, attackers' websites, instant messaging and file sharing.
All of these are safe when you have the best antivirus software and your Windows or Mac updates installed.

ESET NOD32 Anti-Virus even alerts you to update Windows.

Contact Us for a free antivirus trial to the end of this month.

You may download, install and scan your computer using the best antivirus available. (Data from independent tests at www.av-comparatives.org shows ESET NOD32 Anti-Virus is the best of 16 tested. AVG Free is bottom of the list and Norton comes in the lower half of results.)

We have a comparison of NOD32 Eset to other antivirus products.

Latest Virus Alert  

Most recent malware, computer viruses, worms, Trojan horses, spyware and adware.

01. a variant of Win32/Injector.BZ trojan December 09 09
02. Win32/Netsky.Q worm
03. Win32/Zafi.B worm
04. a variant of Win32/Kryptik.BIT trojan
05. Win32/Netsky.C worm
06. Win32/Mydoom.Q worm
07. Win32/Netsky.AB worm
08. Win32/Merond.AA worm
09. Win32/Netsky.Z worm
10. Win32/Xorer.NAE virus

Trojan-Spy:W32/ZBot.XF - Bloodhound.Exploit.192 - W32.Tufik.E!inf - W32.Tufik.E - Trojan.Cymdos - Trojan.Installscash - Bloodhound.Exploit.189 - Bloodhound.Exploit.190 - Infostealer.Fertippy - Packed.Generic.119 - Trojan.Virantix.C - W32.Mariofev.A - W32.Zapinit - JS.Faizal - W32.Wowinzi.A - VBS.Solow.F - W32.Madag.A - Downloader.Lozavita - W32.Bassyl!inf - W32.Zatyudi.A - Trojan.Garntet - Trojan.Qipian - Trojan.Asnoms!inf - W32.Mandaph - Infostealer.Gamler

Confused? What is a virus or trojan or malware? The definition appears further down this page.

Trojan-Spy:W32/ZBot.XF Nov 15, 2008

Trojan-Spy:W32/ZBot.XF is a trojan-spy.

Trojan-spy applications attempt to steal online banking login-information and other sensitive data from the infected computer.

ZBot.XF also targets online poker and gaming sites.

Trojan-Spy:W32/Zbot

Name: Trojan-Spy:W32/Zbot
Detection Names: Trojan-Spy.Win32.Zbot
Aliases: Trojan.Wsnpoem (Symantec)
Type: Trojan-Spy
Category: Malware
Platform: W32

Summary
This type of trojan secretly installs spy programs and/or keylogger programs.

File System Changes
Creates these files:

* %windir%\system32\wsnpoem

Modified these files:

* %windir%\system32\ntos.exe

Registry Modifications
Sets these values:

* HKLM\software\microsoft\windows nt\currentversion\winlogon userinit = C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\ntos.exe

Additional Details
The primary payload of Zbot trojans focuses on stealing online banking information. They also have limited backdoor and proxy capabilities.

During installation, the Zbot trojan checks the running programs for firewall-related processes such as outpost.exe or zlclient.exe. If either of these processes is running, the trojan only copies itself to the system32 folder, then exits. If it is safe to proceed, it amends the registry keys so that the malware executes at every startup, which also causes it to inject itself into other processes.

The Zbot trojan creates a %windir%\system32\wsnpoem folder in which it places two files, video.dll and audio.dll. These files are used to store information stolen from the infected system, as well as an encrypted configuration file which the trojan downloads from a predefined location. The wsnpoem folder and its content are usually hidden using stealth techniques. The Zbot trojan also copies itself to %windir%\system32\ntos.exe (or in some variants, ...\oembios.exe). A random amount of junk data is appended to the copy in an attempt to make its detection more difficult.

The Zbot-trojan starts its main information-stealing function by opening a connection to a remote server and downloading an encrypted configuration file. This file contains the address where the trojan will later upload the information it has stolen; an address where it can download a new version of itself; and the address of another configuration file. This file also defines what websites the trojan will target for information theft.

Once the configuration file is downloaded, any confidential banking data the victim types in is compromised. If the victim enters account information on an online banking site, the trojan intercepts the data in the webform and uploads it to the server defined in the trojan's configuration file. To gather more information, the malware author can even create additional fields, which are then injected into a targeted webpage for the unsuspecting victim to fill in.

Zbot-trojans are also capable of presenting the victim with a fake version of a webpage. Victims trying to browse specific webpages will be presented with a modified copy of the website from a server controlled by the attacker, rather than the correct webpage from the legitimate server. Again, any information entered is captured by the attacker.

Keylogging, stealing data from the clipboard and taking screenshots of the desktop are also in Zbot's arsenal. Zbot trojans steal the content of the Windows Protected Storage, as well as certificates stored on the infected system. Username and password information for the POP3 and FTP protocols is also stolen.

Zbot trojans have limited backdoor functionality, which mainly involves executing a file already on the system or downloading a new version of itself. A Zbot trojan can also act as a proxy server. Other miscellaneous functionality includes the ability to modify the content of %windir%\system32\drivers\hosts, and to redirect or block access to websites.
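
The file and registry changes listed above can be turned into a simple host check. The following is an added example, not part of the original write-up or of any vendor tool: it flags extra programs in the Winlogon Userinit value and looks for the wsnpoem and ntos.exe artifacts. The function names, the default C:\Windows path and the sample data are assumptions made for illustration.

```python
import ntpath
import os

# Artifact paths from the write-up above, relative to %windir%.
ZBOT_ARTIFACTS = (r"system32\wsnpoem", r"system32\wsnpoem\video.dll",
                  r"system32\wsnpoem\audio.dll", r"system32\ntos.exe")
# Constructed sample data: the Userinit value quoted above and a file listing.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\ntos.exe"
SAMPLE_PATHS = [r"C:\WINDOWS\system32\ntos.exe", r"C:\WINDOWS\system32\notepad.exe"]


def _norm(path):
    """Strip quotes and whitespace; fold case and separators like Windows."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def unexpected_userinit_entries(value, windir=r"C:\Windows"):
    """Return Userinit entries that are not <windir>\\system32\\userinit.exe."""
    expected = _norm(ntpath.join(windir, "system32", "userinit.exe"))
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if _norm(e) != expected]


def zbot_artifacts_present(paths, windir=r"C:\Windows"):
    """Return the artifact paths that occur in an iterable of existing paths."""
    present = {_norm(p) for p in paths}
    candidates = [ntpath.join(windir, rel) for rel in ZBOT_ARTIFACTS]
    return [c for c in candidates if _norm(c) in present]


def read_live_userinit():
    """Windows only: read HKLM\\...\\Winlogon\\Userinit from the registry."""
    import winreg
    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    if os.name == "nt":
        value = read_live_userinit()
        # The write-up notes the wsnpoem folder is usually hidden by stealth
        # techniques, so a clean result on a running system is not conclusive.
        paths = [p for p in (ntpath.join(windir, r) for r in ZBOT_ARTIFACTS)
                 if os.path.exists(p)]
    else:
        value, paths = SAMPLE_USERINIT, SAMPLE_PATHS
    print("Unexpected Userinit entries:", unexpected_userinit_entries(value, windir))
    print("Zbot artifacts found:", zbot_artifacts_present(paths, windir))
```

Any Userinit entry other than userinit.exe deserves review, whatever its file name, since this value runs at every logon.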


Recommendations

We encourage all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up to date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

What is a virus or trojan or malware?

Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a combination of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Most Prevalent Global Malware
(from December 2007 to February 2008)

Bloodhound.Exploit.174 - W32.Agnido.A@mm - W32.Mdmbot - Bloodhound.Exploit.172 - Bloodhound.Exploit.175 - Trojan.Ozdok - W32.Botou - Trojan.Pidief.C - Trojan.Gtaskup - W32.Mumawow.Y!inf - W32.Barten@mm - W32.Mumawow.Y - Trojan.Daymay - Bloodhound.Exploit.171 - SymbOS.Hatihati.A - Trojan.Selex - Trojan.Arposon - W32.Joydotto - W32.Yalove.F - W32.Tufik.B - W32.Tufik.B!inf - Bloodhound.Bancos.1 - W32.Korron.A - W32.Uporesc - SymbOS.Beselo.A - SymbOS.Beselo.B - Trojan.Waytostr - Bloodhound.Exploit.170 - W32.Degnax@mm - W32.Dranyam - W32.Gudek

Most Prevalent Global Malware
(from October 2007 to December 2007)

Bloodhound.Exploit.167 W32.Pagipef.I W32.Drowor.B W32.Pagipef.I!inf W32.Drowor.B!inf W32.Likasimal Trojan.Voterai Trojan.Quimkids W32.Heular W32.Baki.C Trojan.Quimkit Backdoor.Pharvest!inf Backdoor.Pharvest W32.HLLP.Arcer W32.Dawin W32.Shangxing.A O97M.Dropper W32.Tvido.A Trojan.Astry Backdoor.Bandock.A W32.Motsys W32.Mabezat.A VBS.Invadesys.A W32.Imaut.BH Bloodhound.Exploit.166 W32.Baki.A Trojan.Pidief.B W32.Linkfars VBS.Runauto.E W32.Proyo

Most Prevalent Global Malware
(from September 2007 to October 2007)

Trojan.Randsom.B W32.Scrimge.G W32.Lashplay W32.Scrimge!gen Trojan.Lazdropper W32.Hauxi Infostealer.Monstres W32.Scrimge.E W32.Drowor.A!inf Trojan.Bankpatch!inf Bloodhound.Exploit.152 Bloodhound.Exploit.159 Trojan.Bankpatch W32.Drowor.A Backdoor.Ginwui.F W32.Mimbot.A Bloodhound.Exploit.148 W32.Versie.A W32.Scrimge.A W97M.Necro.A Trojan.Tarodrop.D W32.Vispat.B@mm W32.Romariory@mm W32.Imaut.AS W32.Kibtos W32.Falsu.E Trojan.Peacomm.B!inf Trojan.Virantix W32.Deletemusic Trojan.Farfli W32.Imcontactspam@mm W32.Whybo.U Linux.Backdoor.Rexob Infostealer.Winotim W32.Imautorun W32.Bratsters Trojan.Firpage

Most Prevalent Global Malware
(from 20 July 2007 to 18 August 2007)

Trojan.Randsom.B W32.Scrimge.G W32.Lashplay W32.Scrimge!gen Trojan.Lazdropper W32.Hauxi Infostealer.Monstres W32.Scrimge.E W32.Drowor.A!inf Trojan.Bankpatch!inf Bloodhound.Exploit.152 Bloodhound.Exploit.159 Trojan.Bankpatch W32.Drowor.A Backdoor.Ginwui.F W32.Mimbot.A Bloodhound.Exploit.148 W32.Versie.A W32.Scrimge.A W97M.Necro.A Trojan.Tarodrop.D W32.Vispat.B@mm W32.Romariory@mm W32.Imaut.AS W32.Kibtos W32.Falsu.E Trojan.Peacomm.B!inf Trojan.Virantix W32.Deletemusic Trojan.Farfli W32.Imcontactspam@mm W32.Whybo.U Linux.Backdoor.Rexob Infostealer.Winotim W32.Imautorun W32.Bratsters Trojan.Firpage

Most Prevalent Global Malware
(from June 2007 to July 2007)

W32.Phoney.A W97M.Mupps Bloodhound.Exploit.158 Trojan.Gpcoder.E W32.Himu.A@mm Trojan.Retvorp W32.Atnas.A W32.Fubalca.N!html W32.Fubalca.N W32.Tisandr.A@mm VBS.Pusia Trojan.Maliframe!html Bloodhound.Exploit.155 Bloodhound.Exploit.157 Bloodhound.Exploit.156 W32.Vispat.A@mm Trojan.Botvoice Trojan.Duganss!inf W32.Cassel W32.Netsky.BG@mm W32.Piffle W32.Weakling W32.Hairy.A W32.Tupofse.B!inf W32.Tupofse.B Trojan.Riler.G W32.Daxijesh Trojan.Trickanclick W32.Svich W32.Espoleo W32.Espoleo!inf W32.Pifio W32.Gexin.A Backdoor.Fonamebot W32.Amca WHS.Vred W32.Nujama.B W32.Stration!dldr W32.Schting.A XF.Helpopy W32.Chiko W32.Ogleon.A Trojan.Flogash W32.Vediance Trojan.Lhdropper W32.Fubalca.I!html W32.Fubalca.I

Most Prevalent Global Malware
(from May 2007 to June 2007)

W32.Tupofse W32.Dizan.D W32.Mubla Trojan.Tooso.S VBS.Nokrupt W32.Alnuh TIOS.Divo W32.Mumawow!gen Trojan.Smallprox Backdoor.Robofo Trojan.Packed.NsAnti W32.Dotex TIOS.Tigraa W32.Quadrule.A W32.Ganbate.A Trojan.Spoofive!html W32.Nomvar Trojan.Mpkit!html Infostealer.Banker.D Bloodhound.Packed.29 W32.Sachy.A W32.Lecivio JS.Badbunny Perl.Badbunny Ruby.Badbunny W32.Sibaru.A SymbOS.Viver.A Trojan.Perfcoo IRC.Badbunny SB.Badbunny!inf Python.Badbunny SB.Badbunny W32.Drom VBS.Lido W32.Autosky VBS.Lido!html W32.Danber W32.Rahiwi.B W32.Amend.A@mm W32.Posse W32.Naplik!inf W32.Naplik W32.Condown.A W32.Uisgon.A W32.Fubalca.E Trojan.Usbsteal W32.Mumawow.D!inf W32.Mumawow.D W32.Neela Trojan.Haradong.C W32.Popwin Backdoor.Graybird!gen W32.Kenety W32.Stration.IZ@mm W32.Pitin.C W32.Odelud Infostealer.Snifula.C Hacktool.Sipbot Bloodhound.Exploit.147 Bloodhound.Exploit.146 Bloodhound.Exploit.141 W32.Tupse W32.Lobekad!inf Backdoor.Coreflood.C Trojan.Zlob.N Bloodhound.Exploit.139 Bloodhound.Exploit.140 Bloodhound.Exploit.142 Bloodhound.Exploit.143 Bloodhound.Exploit.144 Bloodhound.Exploit.145

Copyright © 1996 - 2010 12website pty ltd ® All Rights Reserved

12WEBSITE PTY LTD - ACN 121 286 664
Registered Office: Cotton Tree 4558 Sunshine Coast Queensland Australia