Time Warner Cable

Latest News

Virus Alerts from Viruslist.com

  • Trojan-Ransom.Win32.Gpcode.ax

    Kaspersky Lab warns users about the emergence online of a new version of the Gpcode ransomware program.

    The program spreads via malicious websites and P2P networks.

    Kaspersky Lab products detect the program as Trojan-Ransom.Win32.Gpcode.ax.

    You can read more on our blog.

  • Email-Worm.Win32.VBMania

    Kaspersky Lab is monitoring a new email worm which is currently spreading. Emails spreading the worm say “Here you have” in the subject line.

    We detect the worm as Email-Worm.Win32.VBMania.

    While the servers hosting related downloads have been taken down, we are keeping customers updated and protected against any new variants.



  • Net-Worm.Win32.Kido

    Kaspersky Lab has detected that multiple variants of Kido, a polymorphic worm, are currently spreading widely.

    Net-Worm.Win32.Kido exploits a critical vulnerability (MS08-067) in Microsoft Windows to spread via local networks and removable storage media.

    The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.

    Users are strongly recommended to ensure their antivirus databases are up to date. A patch for the vulnerability is available from Microsoft.

    Detailed descriptions of Net-Worm.Win32.Kido.bt, Net-Worm.Win32.Kido.dv and Net-Worm.Win32.Kido.fx are available in the Virus Encyclopaedia. A dedicated removal tool is available here.

  • Virus.Win32.Gpcode.ak

    Kaspersky Lab has detected a new version of the ‘malicious blackmailer’ Gpcode - Virus.Win32.Gpcode.ak.

    The new Gpcode variant encrypts files with extensions DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc. on hard drives using an RSA algorithm with a 1024-bit key.

    After encrypting files, the virus leaves a text file in the folder next to the encrypted files with the following message:

    Your files are encrypted with RSA-1024 algorithm.
    To recovery your files you need to buy our decryptor.
    To buy decrypting tool contact us at: ********@yahoo.com

    Currently, we detect the new variant, but we are unable to crack the 1024-bit key. Our analysts are continuing to work on both the key and the virus to resolve this issue.

    Kaspersky Lab recommends that all Internet users enable maximum protection from malicious code and network attacks on their computers, refrain from executing suspicious programs received from untrustworthy sources and back up any important information on their computers.

    Detection of Virus.Win32.Gpcode.ak was added to Kaspersky Anti-Virus signature databases yesterday, on June 4th, at 15:39 GMT. Please make sure to update if you haven’t already.

    If you have fallen victim to Gpcode.ak, try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine. Contact us by email at stopgpcode@kaspersky.com and tell us the exact date and time of infection, as well as everything you did on the computer in the 5 minutes before the machine was infected: which programs you executed, which websites you visited, etc. We'll try to help you recover any data that has been encrypted.

    For more information about the malicious program, please read our weblog.

  • Email-Worm.Win32.Warezov.nf

    Kaspersky Lab has detected mass mailings of a new variant of Warezov, Email-Worm.Win32.Warezov.nf. At 8.00 Moscow Standard Time, 19 April 2007, 70-85% of the malicious content in mail traffic consisted of various forms of a new modification of Warezov - the Warezov.nf worm.

    A few hours before this point, there was a noticeable increase in mail traffic of an earlier modification of Warezov - Warezov.do which featured in the October 2006 Top 20.

    If you are using Kaspersky Anti-Virus 6.0 or Kaspersky Internet Security 6.0 with Proactive Protection turned on, new variants will be detected without the need to update your antivirus databases.

    A full description of Email-Worm.Win32.Warezov.nf is now available in the Virus Encyclopaedia.

  • Email-Worm.Win32.Warezov.mx New Warezov variant mass mailed

    A new version of Warezov, Email-Worm.Win32.Warezov.mx has been mass-mailed.

    The worm spreads as an attachment to infected emails. Once launched, it may terminate antivirus and firewall programs and download other malware.

    An urgent update to antivirus databases has been released.

    If you are using Kaspersky Anti-Virus/ Kaspersky Internet Security 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases.

  • Email-Worm.Win32.Warezov.ms A new variant of Warezov has been mass mailed, and is spreading rapidly

    Kaspersky Lab has detected mass mailings of a new variant of Warezov, Email-Worm.Win32.Warezov.ms. The mass mailing started on 3rd April 2007.

    The worm spreads as an attachment to infected emails. Once launched, it may terminate antivirus and firewall programs and download other malware.

    An urgent update to antivirus databases has been released.

    If you are using Kaspersky Anti-Virus/ Kaspersky Internet Security 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases.

    A detailed description of Email-Worm.Win32.Warezov.ms will be available in the near future.

  • Email-Worm.Win32.Zhelatin Multiple variants spreading

    Multiple variants of Email-Worm.Win32.Zhelatin are currently spreading. The most recent variants are Zhelatin.u, Zhelatin.r and Zhelatin.t.

    New variants may be functionally similar to each other and to previous variants.

    Users are reminded to keep their antivirus protection up to date, and to scan any suspicious emails with an antivirus solution.

    If you are using Kaspersky Anti-Virus or Kaspersky Internet Security 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases.

    A detailed description of Email-Worm.Win32.Zhelatin.o is available in the Virus Encyclopaedia.

  • Email-Worm.Win32.Zhelatin.u New variant of Zhelatin spreading rapidly

    Kaspersky Lab has detected a new variant of Zhelatin, Email-Worm.Zhelatin.u.

    Zhelatin.u is a repacked version of an earlier modification, and has the same functionality as previous variants.

    Users are reminded to keep their antivirus protection up to date.

    If you are using Kaspersky Anti-Virus 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases.

  • Email-Worm.Win32.Zhelatin.r Sharp increase in the volume of Email-Worm.Win32.Zhelatin.r

    Kaspersky Lab has detected a sharp increase in the volume of Email-Worm.Win32.Zhelatin.r in mail traffic.

    It is functionally identical to Zhelatin.o. Zhelatin.r is simply a repacked version.

    If you are using Kaspersky Anti-Virus 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases.

Latest Virus Descriptions from Viruslist.com

  • Trojan-Downloader.Win32.Agent.dlyf This Trojan downloads other malicious programs from the Internet and launches them for execution without the user's knowledge. It is a Windows dynamic library (PE EXE file). It is 53 248 bytes in...
  • Trojan.Win32.VB.aeke This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 352 256 bytes in size. It is written in Visual Basic. Installation When launching,...
  • Trojan.Win32.Smardf.mlt This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 142 848 bytes in size. It is written in Delphi.
  • Trojan.Java.Payphish.a When the infected page is opened, Java class code starts to run, which leads to the following actions: The following file is created and launched: C:\Windows\pay.reg This causes a change in...
  • Backdoor.Win32.Delf.ugd This Trojan provides a malicious user with remote access to the infected computer. It is a Windows application (PE EXE file). It is 365 568 bytes in size. It is written in Delphi. Installation Once...
  • Trojan-Downloader.Win32.Genome.atab Once launched, the Trojan decrypts its body and then downloads files from the following URL addresses: http://195.***.144.79/psyim_dfgjkeqw.exe http://195.***.144.79/setup.exe http:...
  • Exploit.JS.Pdfka.dna This exploit program uses vulnerabilities in Adobe Reader and Acrobat to execute itself on the user's computer. It is a PDF document containing XML Forms Architecture and Java Script. It is 26,393...
  • Trojan-Downloader.Win32.Genome.asvq This Trojan downloads other malicious programs from the Internet and launches them for execution without the user's knowledge. It is a Windows application (PE EXE file). It is 21 504 bytes in size....
  • Trojan-Downloader.Win32.Genome.asut This Trojan downloads other malicious programs from the Internet and launches them for execution without the user's knowledge. It is a Windows application (PE EXE file). It is 21 504 bytes in size....
  • Trojan.Win32.Slefdel.fpk The Trojan creates a file named "Deleteme.bat" in its working directory and launches it for execution: %WorkDir%\Deleteme.bat The launched file deletes the Trojan's original body and deletes...


Virus Weblog Viruslist.com

  • Lab Matters - The death of browser trust

    In this webcast, Kaspersky Lab senior security researcher Roel Schouwenberg talks about the Diginotar certificate authority breach and the implications for trust on the Internet. Schouwenberg also provides a key suggestion for all major Web browser vendors.

  • Kelihos/Hlux botnet returns with new techniques

    It has been four months since Microsoft and Kaspersky Lab announced the disruption of the Kelihos/Hlux botnet. The sinkholing method that was used has its advantages - it is possible to disable a botnet rather quickly without taking control over the infrastructure. However, as this particular case showed, it is not very effective if the botnet’s masters are still at large.

    Not long after we disrupted Kelihos/Hlux, we came across new samples that seemed to be very similar to the initial version. After some investigation, we gathered all the differences between the two versions. This is a summary of our findings:

    Let’s start with the lowest layer, the encryption and packing of Kelihos/Hlux messages in the communication protocol. For some reason, in the new version, the order of operations was changed. Here are the steps for processing encrypted data to retrieve a job message, which is organized as a tree structure:

    Step   Old Hlux                   New Hlux
    1      Blowfish with key1         Blowfish with new key1
    2      3DES with key2             Decompression with Zlib
    3      Blowfish with key3         3DES with new key2
    4      Decompression with Zlib    Blowfish with new key3

  • CVE-2012-0003 Exploit ITW

    S. Korean handlers are slow to take down the publicly distributed malicious code exploiting CVE-2012-0003, a vulnerability patched in Microsoft's January 2012 patch release MS12-004. We have discussed with reporters that the code has been available since the 21st, and a site appears to have been publicly attacking very low numbers of Korean users over the past day or so. The site remains up at this time.

  • Brazilian cybercriminals’ daily earnings - more than you’ll ever earn in a year!

    How much do you earn per day? If we look at how much a cybercriminal from Brazil earns every day, we’ll understand why Brazil is one of the main sources of malware in the world. Brazilian cybercriminals really like to use short URLs to track infections and have their own stats. Here is the profile of one criminal using Bitly as a URL shortening service.

  • Malware wallpaper calendars for 2012

    As some of you may remember, during 2011 we published a malware calendar wallpaper for each month of the year.

    We're doing so again this year, with updated information from 2011. However, we've decided to take a slightly different approach this year and publish all 12 wallpapers in one place. You can find them all here.

    We hope you like this year's designs and find the data interesting.

  • Lab Matters - The threat from P2P botnets

    Kaspersky Lab malware researcher Tillmann Werner joins Ryan Naraine to talk about the threat from peer-to-peer botnets. The discussions range from botnet-takedown activities and the ongoing cat-and-mouse games to cope with the botnet menace.

  • Two-pronged attack: Argentine site hit by malware and data leak

    I was browsing through compromised websites used for spreading malware and found one from Argentina which belongs to a veterinary supplier. The admin panel got p0wned and, worst of all, it had a tab with the personal details of people who had posted their CVs (curriculum vitae). So, what exactly has happened? Well, basically lots of confidential information has been leaked and we are talking about home addresses, telephone numbers, details of education centers attended, mobile phone numbers, email addresses, marital status, children and even personal references. This is very bad because the same information can easily be used for all kinds of fraudulent activities: on-line ID theft, targeted attacks and so on. Here are just a few examples of real CVs uploaded and saved on the compromised site:

  • The Zappos Breach and Textual Password Based Authentication

    Following their major database breach, Zappos leadership is doing the right thing by what seems to be quickly and clearly communicating what data was accessed and what was not - there are no unexplained delays or confusion on their part about the event. It's like another Aurora moment in my book, when Google extraordinarily opened up about their breach while the other 30-odd Aurora-breached major corporations did the opposite, aggressively maintaining NDAs to hide their Aurora incidents and hide their heads in the sand. Zappos reset 24 million customers' passwords and emailed all of them about the problem last night.

  • A School for Cybercrime: How to Become a Black Hat

    Life looks good for Brazilian hackers: the absence of a specific law against cybercrime leaves them feeling so invulnerable that the bad guys are shameless about publicizing their thefts and showing off the profits of a life of crime. We showed some of this in a presentation at the latest Virus Bulletin Conference, and it’s commonplace to find YouTube clips of Brazilian bankers and carders reveling in their ill-gotten gains and rubbing their easy money in the faces of hard-up victims (there’s one example here, and several more out there). It’s also common to find bad guys’ profiles on social networks such as Twitter, Tumblr, etc. Everything is done out in the open, without fear of being caught.

    To help new “entrepreneurs” or beginners interested in a life of cybercrime, some Brazilian bad guys started to offer paid courses. Others went even further, creating a Cybercrime school to sell the necessary skills to anyone who fancies a life of computer crime but lacks the technical know-how. On a website dedicated to selling these courses and promoting the “school”, a careful search turns up courses like “How to be a Banker”, “Kit Spammer” or “How to be a Defacer”.

  • IRC bot for Android

    Not long ago we found a very interesting piece of malware for Android. Unfortunately, it is not clear how it was spread, but in any case it’s worth mentioning. The malicious application presents itself as the ‘MADDEN NFL 12’ game after installation.

    The file is over 5 MB in size and is actually a Trojan that drops a set of malware components onto the system: a root exploit, an SMS Trojan and an IRC bot. The .class file "AndroidBotAcitivity" implements this dropper functionality. It creates the ‘/data/data/com.android.bot/files’ directory and sets ‘777’ permissions on it (read/write/execute for all users). After that it extracts three files - ‘header01.png’ (root exploit), ‘footer01.png’ (IRC bot), ‘border01.png’ (SMS Trojan) - into this directory. Then it sets ‘777’ permissions on the root exploit file and executes it. Finally, it displays the text ‘(0x14) Error - Not registred application’ on the screen.

    If the exploit is executed successfully and the device is rooted, it launches the IRC bot ‘footer01.png’.

    First of all, the IRC bot will try to delete ‘etc/sent’ using the ‘rm’ command:

 
© 2004 Time Warner Cable. A division of Time Warner. All services may not be immediately available in all areas.