
PRODUCTS > Computer Virus Alerts - Maintenance

Symantec Corp. is advising customers to immediately update or disable its pcAnywhere software following the exposure earlier this month of source code stolen six years ago.

The company is notifying customers of potential problems and advising them to immediately update pcAnywhere software or disable it, said Cris Paden, a company spokesman. The product's roughly 50,000 users, most of which are businesses, haven't reported suspicious activity or penetration of network security, he said.

On Monday, the Cupertino, Calif., company began distributing updates to pcAnywhere version 12.5. The updates will continue through Friday.

"With pcAnywhere there may be some vulnerability," Paden said. "We're erring on the side of caution."

Symantec's efforts come after portions of some of its enterprise security source code were posted to the Web earlier this month. The company said the pilfered code was six years old but determined that it still posed a potential problem to pcAnywhere. The company's updates are designed to address any potential vulnerabilities.

The pcAnywhere product generates about $20 million annually, a sliver of the company's roughly $6 billion in total revenue.

In midday trading Thursday, Symantec shares were down 1% at $16.89.

The threat emerged on Jan. 5, when a group posted the source code on the Internet, claiming it exposed weaknesses in Symantec's Norton Antivirus software, the leading product in the company's $2 billion consumer software business. It is used by 150 million customers worldwide.

As an Authorised Reseller we can offer 10% off the regular price.

Buy online from us now & save

Request a free trial.
Protect yourself from the latest threats!

Estonian botnet

This week, a long-living Estonian botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with a number of antivirus industry partners.

In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia.

The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human readable domain names to IP addresses that are assigned to computer servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.

DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to malicious IP addresses. As a result, victims are redirected to possibly malicious websites without detection.

Criminals use a variety of methods to monetise the DNS Changer botnet, including replacing advertisements on websites loaded by victims, hijacking search results and pushing additional malware.
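The following check is an added example, not part of the original article or any vendor tool: it reads resolver settings from `resolv.conf` or `ipconfig /all` text and reports any DNS server outside the networks a site expects. The expected networks and the sample output are constructed assumptions; IPv6 resolvers are not covered.

```python
import ipaddress
import re

# Assumption: the networks this (hypothetical) site hands out as resolvers.
# 192.0.2.0/24 is a documentation range standing in for the ISP's resolvers.
EXPECTED = [ipaddress.ip_network(n)
            for n in ("192.0.2.0/24", "10.0.0.0/8", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def configured_resolvers(text):
    """Collect IPv4 resolvers from resolv.conf or `ipconfig /all` text."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("nameserver"):            # resolv.conf entry
            found += IPV4.findall(s)
            in_dns_block = False
        elif s.startswith("DNS Servers"):         # first ipconfig entry
            found += IPV4.findall(s)
            in_dns_block = True
        elif in_dns_block and IPV4.fullmatch(s):  # ipconfig continuation line
            found.append(s)
        else:
            in_dns_block = False
    resolvers = []
    for addr in found:
        try:
            resolvers.append(ipaddress.ip_address(addr))
        except ValueError:
            pass                                  # e.g. 999.1.1.1
    return resolvers

def unexpected_resolvers(text, expected=EXPECTED):
    """Return configured resolvers that fall outside the expected networks."""
    return [str(ip) for ip in configured_resolvers(text)
            if not any(ip in net for net in expected)]

# Constructed sample: one resolver has been repointed to 203.0.113.53.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print(unexpected_resolvers(SAMPLE_IPCONFIG))
```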

ESET NOD32 Anti-Virus even alerts you to update Windows.

Contact Us for a free antivirus trial to the end of this month.

Trojan.Zbot!gen18

Type: Trojan, Virus

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Trojan.Zbot!gen18 is a heuristic detection used to detect threats associated with the Trojan.Zbot family.

W32.Waledac.B!gen1

Type: Worm
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Waledac.B!gen1 is a heuristic detection that may include members of the W32.Waledac.B family of threats.

Win32/Zafi.B

Other names: W32.Erkez.B

Win32/Zafi.B is a worm spreading via e-mail and P2P networks. It runs on Windows 95 and higher versions. Compressed with the FSG utility, it is 12800 bytes in size; after decompression its size is 49 kB.

Note: In the following text, the symbolic name %windir% is used in place of the directory in which the Windows operating system is installed, which may differ from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.

The worm arrives in an e-mail message whose subject line and body are selected at random from the pre-defined subject lines and bodies in the worm code. For example:

Subject line:

Ingyen SMS!

Subject line:

Importante!

Message body:

Informacion importante que debes conocer, -

Subject line:

Katya

Message body:

ADAOIU
OEIE

Subject line:

E-Kort!

Message body:

Mit hjerte banker for dig!

Subject line:

Ecard!

Message body:

De cand te-am cunoscut inima mea are un nou ritm!

Subject line:

E-vykort!

Message body:

Subject line:

E-Postkort!

Message body:

Vakre roser jeg sammenligner med deg...

Subject line:

E-postikorti!

Message body:

Iloista kesaa!

Subject line:

Atviruka!

Message body:

Linksmo gimtadieno!

Subject line:

E-Kartki!

Message body:

W Dniu imienin...

Subject line:

Cartoe Virtuais!

Message body:

Te amo...

Subject line:

Flashcard fuer Dich!

Message body:

Hallo!

hat dir eine elektronische Flashcard geschickt.
Um die Flashcard ansehen zu koennen, benutze in deinem Browser
einfach den nun folgenden link:
LINK REMOVED

Viel Spass beim Lesen wuenscht Ihnen ihr...

Subject line:

Er staat een eCard voor u klaar!

Message body:

Hallo!

heeft u een eCard gestuurd via de website nederlandse
taal in het basisonderwijs...
U kunt de kaart ophalen door de volgende url aan te klikken of te
kopiren in uw browser link:
LINK REMOVED

Met vriendelijke groet,
De redactie taalsite primair onderwijs...

Subject line:

Elektronicka pohlednice!

Message body:

Ahoj!

Elektronick pohlednice ze serveru LINK REMOVED

Subject line:

E-carte!

Message body:

vous a envoye une E-carte partir du site zdnet.fr
Vous la trouverez, l'adresse suivante link:
LINK REMOVED
LINK REMOVED, plus de 3500 cartes virtuelles, vos pages web
en 5 minutes, du dialogue en direct...

Subject line:

Ti e stata inviata una Cartolina Virtuale!

Message body:

Ciao!

ha visitato il nostro sito, cartolina.it e ha creato una
cartolina virtuale per te! Per vederla devi fare click
sul link sottostante: LINK REMOVED
Attenzione, la cartolina sara visibile sui nostri server per
2 giorni e poi verra rimossa automaticamente.

Subject line:

You`ve got 1 VoiceMessage!

Message body:

Dear Customer!

You`ve got 1 VoiceMessage from voicemessage.com website!
Sender:
You can listen your Virtual VoiceMessage at the following link:
LINK REMOVED
or by clicking the attached link.

Send VoiceMessage! Try our new virtual VoiceMessage Empire!
Best regards: SNAF.Team (R).

Subject line:

Tessek mosolyogni!!!

Message body:

Ha ez a kép sem tud felviditani, akkor feladom!

Sok puszi:

Subject line:

Soxor Csok!

Message body:

Szia!

Aranyos vagy, jó volt dumcsizni veled a neten!
Remélem tetszem, és szeretném ha te is küldenél képet
magadról, addig is csók:

Subject line:

Don`t worry, be happy!

Message body:

Hi Honey!

I`m in hurry, but i still love ya...
(as you can see on the picture)

Bye - Bye:

Subject line:

Check this out kid!!!

Message body:

Send me back bro, when you`ll be done...(if you know what i mean...)

See ya,

The worm arrives as an attachment to the e-mail message. Upon activation, Win32/Zafi.B copies itself into the %system% directory with a random name and the extension .exe. In the same directory it creates a new file with a random name and the extension .dll. The worm uses this file to store the e-mail addresses it collects for further spreading.

The worm modifies the following registry key to ensure that it runs at the next system start-up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It creates a new key named _Hazafibb.

The worm also creates the following registry key, in which it stores its internal information:

HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb

The worm searches the hard disk for folders named "share" and "upload" and copies itself into them using one of the following names:

Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe

The worm searches the disk for the files with the following extensions:

htm
wab
txt
dbx
tbb
asp
php
sht
adb
mbx
eml
pmr

The worm spreads itself to all the e-mail addresses that it finds. It avoids the e-mail addresses that contain the following strings:

win
use
info
help
admi
webm
micro
msn
hotm
suppor
syma
vir
trend
panda
yaho
cafee
sopho
google
kasper

The worm terminates all processes whose names contain the following strings:

"firewall"
"virus"

The worm also blocks the following utilities from starting:

Regedit
Msconfig
Task

Infected computers send requests to malicious web sites:

W32.Rixobot!gen2

Type: Trojan, Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Rixobot!gen2 is a heuristic detection used to detect threats associated with the W32.Rixobot family of worms. Files that are detected as W32.Rixobot!gen2, W32.IRCBot!gen2, W32.Yimfoca!gen2, Trojan.Zlob!gen1, Trojan.Zlob.P, Trojan.FakeAV!gen30, Packed.Coravint!gen, Packed.Coravint!gen1 or W32.Expichu are considered malicious.

Trojan.GootKit

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows 7, Windows XP

Trojan.GootKit is a Trojan horse that steals confidential information. It also opens a back door and downloads additional files on to the compromised computer.

Note: Definitions prior to May 11, 2010 may detect this Trojan as one of the following threats:

  • Backdoor.Trojan
  • Downloader
  • Packed.Cupx!gen5
  • Trojan Horse
  • Trojan.Dropper
  • Trojan.Gen
  • W32.Ircbrute

Trojan.Holisnif

Updated: May 6, 2010
Type: Trojan

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows 7, Windows NT, Windows Server 2003, Windows 2000

Once executed, the Trojan creates the following file:
%CurrentFolder%\[RANDOM FILE NAME].exe

The Trojan creates the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sniffer" = "%CurrentFolder%\[RANDOM FILE NAME].exe"

It proceeds to drop the following legitimate packet sniffing library files:

* %System%\Packet.dll
* %System%\wpcap.dll
* %System%\drivers\npf.sys

The Trojan then attempts to initialise the dropped files and start sniffing on available ethernet interfaces to look for user credentials sent over the following TCP ports:

* TCP port 110 for POP3
* TCP port 25 for SMTP
* TCP port 21 for FTP

It then gathers the stolen confidential credentials and sends them to the remote attacker by posting them to a script at the following remote server:
holiza.com
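The registry changes described for Win32/Zafi.B and Trojan.Holisnif can be checked offline against a registry export. This is an added example, not vendor code: it scans `.reg` export text for the `_Hazafibb` and `sniffer` indicators named in the write-ups above. The sample export and file names are constructed, and the `WOW6432Node` handling is an added assumption for 64-bit systems.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Indicators from the write-ups on this page; the registry is case-insensitive.
RUN_VALUE_IOCS = {"_hazafibb": "Win32/Zafi.B", "sniffer": "Trojan.Holisnif"}
KEY_IOCS = {r"hkey_local_machine\software\microsoft\_hazafibb": "Win32/Zafi.B"}

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def normalise(key):
    """Lower-case the key and fold the 32-bit view used on 64-bit Windows."""
    return key.lower().replace("\\wow6432node", "")

def scan_reg_export(text):
    """Return (threat, key, value_name, data) for each indicator found.

    `text` is the decoded content of a .reg export (exports are usually
    UTF-16, so decode before calling).
    """
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            threat = KEY_IOCS.get(normalise(key))
            if threat:
                hits.append((threat, key, None, None))
            continue
        m = VALUE_LINE.match(line)
        if m and key and normalise(key) == RUN_KEY:
            threat = RUN_VALUE_IOCS.get(m.group(1).lower())
            if threat:  # a value named "sniffer" may be benign: review it
                hits.append((threat, key, m.group(1), m.group(2)))
    return hits

# Constructed sample export; executable names are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="C:\\WINDOWS\\system32\\qkzvxw.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"Sniffer"="C:\\Temp\\wjdkq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
"a"="1"
'''
```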

Windows Security

Criminals can gain access to your computer through email, attackers' websites, instant messaging & file sharing.
All of these are safe, when you have the best antivirus software & your Windows or Mac updates.


You may download, install & scan your computer using the best antivirus available. (Data from independent tests at www.av-comparatives.org shows ESET NOD32 Anti-Virus is the best of 16 tested. AVG free is bottom of the list & Norton comes in the lower half of results.)


We have a comparison of NOD32 Eset to other antivirus products.


Latest Virus Alert  

Most recent malware, computer viruses, worms, Trojan horses, spyware and adware.

01. a variant of Win32/Injector.BZ trojan December 09 09
02. Win32/Netsky.Q worm
03. Win32/Zafi.B worm
04. a variant of Win32/Kryptik.BIT trojan
05. Win32/Netsky.C worm
06. Win32/Mydoom.Q worm
07. Win32/Netsky.AB worm
08. Win32/Merond.AA worm
09. Win32/Netsky.Z worm
10. Win32/Xorer.NAE virus

Trojan-Spy:W32/ZBot.XF - Bloodhound.Exploit.192 - W32.Tufik.E!inf - W32.Tufik.E - Trojan.Cymdos - Trojan.Installscash - Bloodhound.Exploit.189 - Bloodhound.Exploit.190 - Infostealer.Fertippy - Packed.Generic.119 - Trojan.Virantix.C - W32.Mariofev.A - W32.Zapinit - JS.Faizal - W32.Wowinzi.A - VBS.Solow.F - W32.Madag.A - Downloader.Lozavita - W32.Bassyl!inf - W32.Zatyudi.A - Trojan.Garntet - Trojan.Qipian - Trojan.Asnoms!inf - W32.Mandaph - Infostealer.Gamler


What is a virus or trojan or malware?

Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a combination of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Recommendations

We encourage all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
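The attachment-blocking recommendation above can be expressed as a mail filter check. This is an added example, not taken from the original page or any mail product: it parses a raw message and returns attachment names whose final extension is on the blocked list, including double extensions and names padded with trailing dots. The sample message and addresses are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the recommendation above.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

def final_extension(filename):
    """Return the extension Windows would act on, lower-cased."""
    # Windows ignores trailing dots and spaces, so "card.exe." runs as .exe.
    cleaned = filename.strip().rstrip(". ").lower()
    return "." + cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""

def blocked_attachments(raw_message):
    """Return the attachment file names that should be blocked or stripped."""
    # policy.default uses the modern header parser, so get_filename()
    # returns the decoded parameter value.
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():          # walks nested multiparts as well
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged

def build_sample():
    """Constructed message: one harmless and three risky attachment names."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "E-card"
    msg.set_content("You have received an e-card.")
    for name in ("photo.jpg", "card.PIF", "invoice.pdf.exe", "notes.scr."):
        msg.add_attachment(b"\x00", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```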


Copyright © 1996 - 2012 12website pty ltd ® All Rights Reserved

12WEBSITE PTY LTD - ACN 121 286 664
Registered Office: Cotton Tree 4558 Sunshine Coast Queensland Australia

