The Computer Guys

Alerts October 2006


Top 10 malware reported to Sophos in October 2006

Position   Last month   Malware            Percentage of reports
1          1            W32/Netsky-P       15.2%
2          2            W32/Mytob-AS       12.2%
3          New          W32/Stratio-Zip     5.7%
4          3            W32/Bagle-Zip       5.3%
5          5            W32/Netsky-D        5.1%
6          New          W32/Stratio-AY      4.3%
7          7            W32/Mytob-C         3.5%
8          8            W32/Zafi-B          3.4%
9          5            W32/Nyxem-D         3.1%
10         6            W32/Mytob-E         2.6%
Others                                     39.6%

 

 

BackDoor-BAC!55436

Backdoor-BAC!55436 is a trojan delivered by a spammed fake order confirmation that claims to come from Walmart. It opens a backdoor port on the compromised computer, giving a remote attacker unauthorized access, and posts logged keystrokes and stolen passwords back to the attacker.


Aliases
Backdoor.Haxdoor.R (Symantec), BKDR_HAXDOR.AU (Trend Micro)

Characteristics

-- Update October 10, 2006 --

A recent spam run has been reported that is intended to deliver a variant of Backdoor-BAC. The attachment is a self-extracting archive (a Windows executable), not the PDF the message promises. The spammed email message, supposedly from Walmart, is sent as follows:

From: info@walmart.com
Subject: Order Confirmation number: 37679041
Body:

Dear Customer,

Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe Acrobat Reader.
If you do not already have this viewer configured on a local drive, you may download it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order! Thank you for shopping with us!



 

Apple Ships iPods with Windows Virus

W32/RJump.worm is referred to as "Win32.RJump.a" in the article at betanews.com

 

Apple apologized Tuesday for shipping video iPods containing the Windows virus RavMonE.exe, which apparently made its way onto a small number of the ubiquitous devices at a manufacturing plant. Around 1 percent of units shipped after September 12, 2006 are affected.

RavMonE.exe is a mass storage virus that only affects Windows computers. According to antivirus vendors, which dub the malware Win32.RJump.a and Troj/Bdoor-DIJ, the virus is a Trojan that opens links to Web sites and allows others access to a computer.
 


 

Worm inside McDonald's MP3 player promo

The article at macworld.co.uk refers to W32/QQPass.worm as "QQPass Trojan".

 

Winners of 10,000 MP3 players given away in a Japanese fast-food promotion won more than they bargained for, as their prizes contained a worm.

If they connected their new music players to their computers to fill them with songs then the worm, WORM_QQPASS.ADH, could infect the computers and steal personal data.
 


 

 

SpamThru Trojan Analysis

Understanding the purpose of malware simply by searching anti-virus writeups can sometimes be a daunting task. Often, we see trojans which have painfully little information about their functionality other than "backdoor", or "keylogger", or "proxy". In many cases, widely varying trojans are given similar, non-descriptive names like "Trojan.Agent.abc", further adding to the murky view we have of just what modern malware is up to.

 

Sometimes, when we shine a light on a particular piece of malware, we find some interesting things that would otherwise go unnoticed. One such piece of malware is the trojan sometimes called "Troj/SpamThru", among other names.

 

VirusTotal output for SpamThru trojan

Note that the current incarnation is not called SpamThru by any vendor who detects it in the above scan result from VirusTotal, however, by correlating behavior with previous writeups, it is apparent that it is the same trojan. Given that SpamThru is the most descriptive and unique name assigned to it, we have chosen to call it that in this writeup as well. Overall, detection by AV vendors is sparse, but that's to be expected given that SpamThru is a money-making operation, and the author takes great care to make sure that detection by the major vendors is avoided by frequently updating the code.

 

Although many trojans and viruses are turning to rootkits to hide their activities on a system, SpamThru uses little more than a few registry keys to keep its hold on the system. It uses the classic HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in order to launch at startup, but also tries to start from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad in case the Run key is removed.

 

The registry keys are named based on the trojan's control server port, so you might see any of the following at this time:

 

Run value name    SharedTaskScheduler / ShellServiceObjectDelayLoad name    CLSID
Explorer 2222     DCOM Server 2222     {2C1CD3D7-86AC-4068-93BC-A02304BB2222}
Explorer 2225     DCOM Server 2225     {2C1CD3D7-86AC-4068-93BC-A02304BB2225}
Explorer 2234     DCOM Server 2234     {2C1CD3D7-86AC-4068-93BC-A02304BB2234}
Explorer 2235     DCOM Server 2235     {2C1CD3D7-86AC-4068-93BC-A02304BB2235}
Explorer 2236     DCOM Server 2236     {2C1CD3D7-86AC-4068-93BC-A02304BB2236}
Explorer 2237     DCOM Server 2237     {2C1CD3D7-86AC-4068-93BC-A02304BB2237}
Explorer 2238     DCOM Server 2238     {2C1CD3D7-86AC-4068-93BC-A02304BB2238}
Explorer 2239     DCOM Server 2239     {2C1CD3D7-86AC-4068-93BC-A02304BB2239}
Explorer 2240     DCOM Server 2240     {2C1CD3D7-86AC-4068-93BC-A02304BB2240}
Explorer 2241     DCOM Server 2241     {2C1CD3D7-86AC-4068-93BC-A02304BB2241}
Explorer 2242     DCOM Server 2242     {2C1CD3D7-86AC-4068-93BC-A02304BB2242}
Explorer 2243     DCOM Server 2243     {2C1CD3D7-86AC-4068-93BC-A02304BB2243}
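The persistence entries listed above can be hunted for offline in a registry export (a .reg file taken from a suspect machine or from a mounted image) without trusting the live system. The script below is an added example and is not part of the SecureWorks writeup: it parses .reg text and flags any value under the Run, SharedTaskScheduler or ShellServiceObjectDelayLoad keys whose name or data matches the "Explorer NNNN" / "DCOM Server NNNN" names or the {2C1CD3D7-86AC-4068-93BC-A02304BBNNNN} CLSID prefix, recovering the control server port from the trailing digits. The sample export is constructed, and the binary path in it is a placeholder, since the page does not give the dropped file's name.

```python
import re
from typing import Dict, List

# Value-name patterns and the CLSID prefix come from the table above; the four
# trailing digits in each are the port of the control server the bot talks to.
NAME_RE = re.compile(r"^(?:Explorer|DCOM Server) (\d{4})$", re.IGNORECASE)
CLSID_RE = re.compile(r"\{2C1CD3D7-86AC-4068-93BC-A02304BB(\d{4})\}", re.IGNORECASE)

# The three autostart locations the writeup says SpamThru uses.
PERSISTENCE_KEYS = {
    k.lower() for k in (
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    )
}

# One .reg value line: "name"=data   (data may be a quoted string, hex:..., dword:...)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unquote(data: str) -> str:
    """Strip the quotes of a REG_SZ value and undo .reg escaping of backslash and quote."""
    data = data.strip()
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace('\\\\', '\\').replace('\\"', '"')


def scan_reg_text(reg_text: str) -> List[Dict[str, str]]:
    """Walk a .reg export and return every value under the three persistence keys
    whose name or data carries the SpamThru naming pattern, with the port recovered."""
    findings: List[Dict[str, str]] = []
    current_key = None
    for raw_line in reg_text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # a new key section starts
            continue
        if current_key is None or current_key.lower() not in PERSISTENCE_KEYS:
            continue                          # only the three autostart keys matter
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), _unquote(m.group(2))
        for text in (name, data):             # the CLSID may sit on either side
            hit = NAME_RE.match(text) or CLSID_RE.search(text)
            if hit:
                findings.append({"key": current_key, "value": name,
                                 "data": data, "port": hit.group(1)})
                break
    return findings


# Constructed sample export. The malware binary path is a placeholder: the page
# does not give the dropped file's name. The Java and WebCheck entries are benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer 2236"="C:\\WINDOWS\\system32\\placeholder.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
'''

if __name__ == "__main__":
    for f in scan_reg_text(SAMPLE_REG):
        print(f"{f['key']}  {f['value']!r} -> {f['data']!r}  (control port {f['port']})")
```

Because the same port number is written into all three locations, one hit usually means three; a cleanup that deletes only the Run value leaves the SharedTaskScheduler and ShellServiceObjectDelayLoad entries to relaunch the bot at the next logon, which is exactly why the writeup says the extra keys are there.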

 

Basically SpamThru is designed to send spam from an infected computer. This type of operation is now years old, however, SpamThru has some new twists.

 

Peer-to-Peer Communication

SpamThru uses a custom P2P protocol in order to share information with other peers including the IP addresses and ports and software version of the control server, template servers, and all the peers they each know about. Control is still maintained by a central server, but in case the control server is shut down, the spammer can update the rest of the peers with the location of a new control server, as long as he/she controls at least one peer.

The network generally consists of one control server (running multiple peer-nets on different ports), several template servers, and around 500 peers per port. There appears to be a limit to how many peers each port can effectively control, as the overhead in sharing information between hosts is fairly large. The estimated number of infected hosts connected to the one control server we looked at was between one and two thousand across all open ports (however, this only counts IP addresses, which can skew the actual numbers because of dynamic IPs and NAT).

The protocol is binary-based, and the initial packets usually begin with a header:

01              = protocol version?
68 73 35 70 00  = magic (hs5p\x00)

The header is followed by a one-byte command code, and any arguments to the command. The command codes we've seen are:

 

Command code   Type                                       Direction
00             Peer login / information exchange          to control, to/from peers
01             Request update                             to control
03             Request file (usually empty)               to control
04             Request spam template                      to template server
05             Report on results of spam run              to template server
07             Request AV DLL                             to control
08             Report AV scan status (usually not used)   to control

 

So far, the network appears to use 208.66.195.67 (bn.i-ru.net) as the sole control server, and the template servers seen are 208.66.193.26, 208.66.193.29, 216.255.178.170, 216.255.178.178, 216.255.182.202.
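The header and command table above are enough to recognise the protocol on the wire. The following Python is an added example, not code from the SecureWorks writeup: it parses the header (version byte, hs5p\x00 magic, one-byte command), names the command from the table, and labels captured flows by destination using the control and template server addresses listed above. The argument layout of each command is not described on the page, so arguments are kept as raw bytes, and the sample flows are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header layout as described in the writeup: one version byte (0x01 observed;
# "protocol version" is the writeup's guess), the magic "hs5p\x00", then a
# one-byte command code followed by that command's arguments.
SPAMTHRU_MAGIC = b"hs5p\x00"            # 68 73 35 70 00
HEADER_LEN = 1 + len(SPAMTHRU_MAGIC)    # version byte + magic = 6 bytes

# Command codes and directions from the table above.
COMMANDS = {
    0x00: ("peer login / information exchange", "to control, to/from peers"),
    0x01: ("request update", "to control"),
    0x03: ("request file", "to control"),
    0x04: ("request spam template", "to template server"),
    0x05: ("report on results of spam run", "to template server"),
    0x07: ("request AV DLL", "to control"),
    0x08: ("report AV scan status", "to control"),
}

# Server addresses named in the writeup (2006 infrastructure, kept only as indicators).
CONTROL_SERVERS = {"208.66.195.67"}
TEMPLATE_SERVERS = {"208.66.193.26", "208.66.193.29", "216.255.178.170",
                    "216.255.178.178", "216.255.182.202"}


@dataclass
class SpamThruMessage:
    version: int
    command: int
    args: bytes   # argument layout is not documented on the page, so it is kept raw

    def describe(self) -> str:
        name, direction = COMMANDS.get(self.command, ("unknown command", "direction unknown"))
        return (f"v{self.version} cmd=0x{self.command:02x} {name} "
                f"({direction}), {len(self.args)} argument bytes")


def parse_spamthru(packet: bytes) -> Optional[SpamThruMessage]:
    """Return the parsed message, or None if the packet lacks the header or the command byte."""
    if len(packet) < HEADER_LEN + 1:
        return None
    if packet[1:HEADER_LEN] != SPAMTHRU_MAGIC:
        return None
    return SpamThruMessage(version=packet[0], command=packet[HEADER_LEN],
                           args=packet[HEADER_LEN + 1:])


def classify_flow(dst_ip: str, payload: bytes) -> Optional[str]:
    """Label one flow if it carries the protocol; the server role comes from the IP lists."""
    msg = parse_spamthru(payload)
    if msg is None:
        return None
    if dst_ip in CONTROL_SERVERS:
        role = "control server"
    elif dst_ip in TEMPLATE_SERVERS:
        role = "template server"
    else:
        role = "peer or unknown host"
    return f"{dst_ip} [{role}]: {msg.describe()}"


def scan_flows(flows: List[Tuple[str, bytes]]) -> List[str]:
    """Run classify_flow over (destination IP, first payload bytes) pairs, keeping the hits."""
    labels = []
    for dst_ip, payload in flows:
        label = classify_flow(dst_ip, payload)
        if label is not None:
            labels.append(label)
    return labels


# Constructed sample flows; the bytes after the command code are made up.
SAMPLE_FLOWS: List[Tuple[str, bytes]] = [
    ("208.66.195.67", b"\x01hs5p\x00\x00" + b"\x00" * 8),               # login to control
    ("208.66.193.26", b"\x01hs5p\x00\x04"),                              # template request
    ("93.184.216.34", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # unrelated traffic
    ("10.0.0.5", b"\x01hs5p\x00\x00\x01\x02"),                           # peer-to-peer exchange
]

if __name__ == "__main__":
    for line in scan_flows(SAMPLE_FLOWS):
        print(line)
```

Matching on the six-byte header rather than on the server addresses is the durable part of this check: the writeup itself notes that the spammer can repoint every peer at a new control server through the P2P layer, so an address list goes stale while the magic does not.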

 


 

 

 

Sophos Anti-Virus detects as W32/Bagle-Zip the password-protected archive files created by W32/Bagle-F, W32/Bagle-G, W32/Bagle-H, W32/Bagle-I, W32/Bagle-J, W32/Bagle-K (ZIP archives), W32/Bagle-N, W32/Bagle-O (ZIP and RAR archives), W32/Bagle-W, W32/Bagle-AA, W32/Bagle-AF, W32/Bagle-AG, W32/Bagle-CL, W32/Bagle-KL and W32/Bagle-KM.

 

Please follow the instructions for removing worms.

 


 

 

Copyright © 1998 The Computer Guys
