Latest News
Virus Alerts from Viruslist.com
-
Net-Worm.Win32.Kido
Kaspersky Lab has detected that multiple variants of Kido, a polymorphic worm, are currently spreading widely.
Net-Worm.Win32.Kido exploits a critical vulnerability (MS08-067) in Microsoft Windows to spread via local networks and removable storage media. The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines. Users are strongly recommended to ensure their antivirus databases are up to date. A patch for the vulnerability is available from Microsoft. Detailed descriptions of Net-Worm.Win32.Kido.bt, Net-Worm.Win32.Kido.dv and Net-Worm.Win32.Kido.fx are available in the Virus Encyclopaedia. A dedicated removal tool is available here.
-
Virus.Win32.Gpcode.ak
Kaspersky Lab has detected a new version of the ‘malicious blackmailer’ Gpcode - Virus.Win32.Gpcode.ak.
The new Gpcode variant encrypts files with extensions DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc. on hard drives using an RSA algorithm with a 1024-bit key. After encrypting files, the virus leaves a text file in the folder next to the encrypted files with the following message:
Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com
Currently, we detect the new variant, but we are unable to crack the 1024-bit key. Our analysts are continuing to work on both the key and the virus to resolve this issue. Kaspersky Lab recommends that all Internet users enable maximum protection from malicious code and network attacks on their computers, refrain from executing suspicious programs received from untrustworthy sources and back up any important information on their computers. Detection of Virus.Win32.Gpcode.ak was added to Kaspersky Anti-Virus signature databases yesterday, on June 4th, at 15:39 GMT. Please make sure to update if you haven’t already.
If you have fallen victim to Gpcode.ak, try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine. Contact us by email stopgpcode@kaspersky.com and tell us the exact date and time of infection, as well as everything you did on the computer in the 5 minutes before the machine was infected: which programs you have executed, which websites you have visited, etc. We'll try and help you recover any data that has been encrypted. For more information about the malicious program, please read our weblog.
-
Email-Worm.Win32.Warezov.nf
Kaspersky Lab has detected mass mailings of a new variant of Warezov, Email-Worm.Win32.Warezov.nf. At 8.00 Moscow Standard Time, 19 April 2007, 70-85% of the malicious content in mail traffic consisted of various forms of a new modification of Warezov - the Warezov.nf worm.
A few hours before this point, there was a noticeable increase in mail traffic of an earlier modification of Warezov - Warezov.do which featured in the October 2006 Top 20. If you are using Kaspersky Anti-Virus 6.0 or Kaspersky Internet Security 6.0 with Proactive Protection turned on, new variants will be detected without the need to update your antivirus databases. A full description of Email-Worm.Win32.Warezov.nf is now available in the Virus Encyclopaedia.
-
Email-Worm.Win32.Warezov.mx
A new version of Warezov, Email-Worm.Win32.Warezov.mx has been mass-mailed.
The worm spreads as an attachment to infected emails. Once launched, it may terminate antivirus and firewall programs and download other malware. An urgent update to antivirus databases has been released. If you are using Kaspersky Anti-Virus/ Kaspersky Internet Security 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases.
-
Email-Worm.Win32.Warezov.ms
Kaspersky Lab has detected mass mailings of a new variant of Warezov, Email-Worm.Win32.Warezov.ms. The mass mailing started on 3rd April 2007.
The worm spreads as an attachment to infected emails. Once launched, it may terminate antivirus and firewall programs and download other malware. An urgent update to antivirus databases has been released. If you are using Kaspersky Anti-Virus/ Kaspersky Internet Security 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases. A detailed description of Email-Worm.Win32.Warezov.ms will be available in the near future.
-
Email-Worm.Win32.Zhelatin
Multiple variants of Email-Worm.Win32.Zhelatin are currently spreading. The most recent variants are Zhelatin.u, Zhelatin.r and Zhelatin.t.
New variants may be functionally similar to each other and to previous variants. Users are reminded to keep their antivirus protection up to date, and to scan any suspicious emails with an antivirus solution. If you are using Kaspersky Anti-Virus or Kaspersky Internet Security 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases. A detailed description of Email-Worm.Win32.Zhelatin.o is available in the Virus Encyclopaedia.
-
Email-Worm.Win32.Zhelatin.u
Kaspersky Lab has detected a new variant of Zhelatin, Email-Worm.Zhelatin.u.
Zhelatin.u is a repacked version of an earlier modification, and has the same functionality as previous variants. Users are reminded to keep their antivirus protection up to date. If you are using Kaspersky Anti-Virus 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases.
-
Email-Worm.Win32.Zhelatin.r
Kaspersky Lab has detected a sharp increase in the volume of Email-Worm.Win32.Zhelatin.r in mail traffic.
It is functionally identical to Zhelatin.o. Zhelatin.r is simply a repacked version. If you are using Kaspersky Anti-Virus 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases.
-
Email-Worm.Win32.Zhelatin.o
Kaspersky Lab has detected a mass mailing of Email-Worm.Win32.Zhelatin.o, which is spreading as an attachment to infected emails.
Zhelatin.o is very similar to the first Zhelatin variant - Zhelatin.a.
The Kaspersky anti-virus databases have been updated and users are recommended to update as soon as possible. Possible subjects in infected emails:
- I Always Knew
- I Am Lost In You
- I Believe
- I Can't Function
- I Dream of you
- I Give to You
- I Love Thee
- I Love You Mower
- I Love You So
- I Love You Soo Much
- I Love You with All I Am
- I Still Love You
- I Think of You
- I Win with You
- I Woof You
Possible names for attachments containing the body of the worm:
- Postcard.exe
- flash postcard.exe
- greeting card.exe
- greeting postcard.exe
Possible texts in the emails:
- You + Me
- You Are My Guiding Star
- You Asked Me Why
- You Brighten My Day
- You Lucky Duck!
- You Rock Me!
- You Were Worth the Wait
- You and I
- You and I Forever
- You are out of this world
- You're My Hero
- You're Soo kissable
- You're so Far Away
- You're the One
- Your Love Has Opened
- Your Silly Smile
- flash postcard.exe
- greeting card.exe
- greeting postcard.exe
A detailed description of Email-Worm.Win32.Zhelatin.o is now available in the Kaspersky Virus Encyclopaedia.
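A mail-gateway check that applies the subject, attachment-name and body-text indicators listed above to incoming messages, as an added example that is not Kaspersky Lab's code. It treats the three .exe names repeated at the end of the body-text list as attachment names; the verdict policy, the `classify` and `build_sample` functions and the sample messages are this example's own assumptions.

```python
"""Flag e-mail carrying the Zhelatin.o lure indicators listed in the alert.

Added example, not Kaspersky Lab code: the indicator lists are the ones in the
alert; the verdict policy and sample messages are constructed for this demo.
"""
from __future__ import annotations

from email import policy
from email.message import EmailMessage
from email.parser import Parser

# Indicators from the alert, casefolded so matching ignores letter case.
LURE_SUBJECTS = {s.casefold() for s in (
    "I Always Knew", "I Am Lost In You", "I Believe", "I Can't Function",
    "I Dream of you", "I Give to You", "I Love Thee", "I Love You Mower",
    "I Love You So", "I Love You Soo Much", "I Love You with All I Am",
    "I Still Love You", "I Think of You", "I Win with You", "I Woof You",
)}
LURE_ATTACHMENTS = {s.casefold() for s in (
    "Postcard.exe", "flash postcard.exe", "greeting card.exe",
    "greeting postcard.exe",
)}
LURE_BODY_TEXTS = {s.casefold() for s in (
    "You + Me", "You Are My Guiding Star", "You Asked Me Why",
    "You Brighten My Day", "You Lucky Duck!", "You Rock Me!",
    "You Were Worth the Wait", "You and I", "You and I Forever",
    "You are out of this world", "You're My Hero", "You're Soo kissable",
    "You're so Far Away", "You're the One", "Your Love Has Opened",
    "Your Silly Smile",
)}


def classify(raw_message: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one message given as RFC 5322 text.

    Policy (this example's own): a worm attachment name plus a lure subject
    or body text -> "block"; a worm attachment name alone, or any .exe
    attachment next to a lure subject/body -> "quarantine"; else "allow".
    A lure subject or body by itself is only reported, not acted on.
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    reasons: list[str] = []

    subject = (msg["Subject"] or "").strip()
    if subject.casefold() in LURE_SUBJECTS:
        reasons.append(f"subject is a known lure: {subject!r}")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    if body.casefold() in LURE_BODY_TEXTS:
        reasons.append(f"body text is a known lure: {body!r}")
    lure_hit = bool(reasons)

    lure_attachment = exe_attachment = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.casefold() in LURE_ATTACHMENTS:
            lure_attachment = True
            reasons.append(f"attachment name used by the worm: {name!r}")
        elif name.casefold().endswith(".exe"):
            exe_attachment = True
            reasons.append(f"executable attachment: {name!r}")

    if lure_attachment and lure_hit:
        return "block", reasons
    if lure_attachment or (exe_attachment and lure_hit):
        return "quarantine", reasons
    return "allow", reasons


def build_sample(subject: str, body: str, attachment: str | None = None) -> str:
    """Construct a sample message (not a real capture) and return it as text."""
    msg = EmailMessage()
    msg["From"] = "card@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        # Placeholder bytes stand in for the attachment; no real payload here.
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()
```

`classify(build_sample("I Love You Soo Much", "You're My Hero", "Postcard.exe"))` returns `"block"` with three reasons, while a lure subject on a message without an executable attachment is reported but allowed through.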
-
Email-Worm.Win32.Warezov
Kaspersky Lab has detected mass mailings of new variants of Email-Worm.Win32.Warezov, which started on 15th January, 2007.
A new version is being sent out in each mass mailing. The variants are all highly similar, and spread as an attachment to infected emails. Once launched, they may terminate antivirus and firewall programs and download other malware. Antivirus updates have been released for all the latest variants. Users are strongly recommended to ensure that they keep their antivirus software up to date. If you are using Kaspersky Anti-Virus 6.0, enable Proactive Protection, and new variants will be detected without the need to update antivirus databases. Further details of the latest variants will be available in the near future.
Latest Virus Descriptions from Viruslist.com
-
Backdoor.Win32.Bredolab.eua
The program connects to the server:
http://*****lo.ru
where it sends the following request (some of the data may vary):
GET...
-
Trojan.Win32.Oficla.w
This malicious program is intended for the unauthorized downloading and launching of other malware on a computer.
Installation
When launched, the malicious program extracts from itself and creates...
-
Trojan-PSW.Win32.Qbot.mk
This Trojan is designed to steal the user's confidential data, as well as providing a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is approximately 85...
-
Trojan.Win32.Vilsel.ato
This Trojan is designed to install and launch other malicious programs on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 1083904 bytes in size....
-
Trojan-Banker.Win32.Banz.cri
This malicious program is designed to steal user data that has to do with banking systems, e-money and plastic cards issued by Brazilian banks. It is a Windows PE EXE file. It is 942047 bytes in...
-
Virus.Win32.Virut.ce
This file virus infects Windows executable files. It is a malicious code contained in Windows PE EXE files. The virus body is about 17 Kb, though the use of polymorphic encryption means its size may...
-
Virus.Win32.Sality.ag
This malicious program infects files on the victim computer. It is designed to download and launch other malicious programs on the victim computer without the user’s knowledge or consent. It is...
-
Trojan-Downloader.JS.Gumblar.x
This Trojan downloads and runs malicious scripts on the victim machine without the user's knowledge or consent. It is a JavaScript scenario. It is 809 bytes in size.
-
Backdoor.Win32.Clampi.a
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Use Task Manager to terminate...
-
Trojan-Dropper.Win32.Agent.albv
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 23552 bytes in size.
Installation
The Trojan copies its executable file as follows:
%WinDir%\system\svhost.exe
In order to...
Latest Virus Descriptions from f-prot.com
Virus Weblog Viruslist.com
-
Zbot and CVE2010-0188
I just came across a suspicious PDF file, so I decided to take a deeper look. Once the file was unpacked, I got an XML file with a TIFF image. The whole thing looked very fishy, and ultimately it turned out that the XML file contained an exploit for CVE-2010-0188. I thought it was a bit odd that we hadn’t come across files like this before, so I decided to take a look at the stats for this vulnerability:
(CVE-2010-0188 exploit statistics 2010)
The graph shows that malware exploiting CVE-2010-0188 started spreading actively at the end of June. It was pretty much a rarity until then. Maybe the virus writers needed a few months to catch up with creating exploits for the new hole in Adobe – who knows? When I took a closer look, it turned out that the PDF was mainly designed to download and launch another file, Trojan-Dropper.Win32.Zbot.cm. Which, in its turn, is mainly designed to secretly install Zbot (ZeuS) on the system and to combat antivirus software. I was able to get a final example of Zbot, but it turned out to be encrypted and obfuscated. I then got its dump and decrypted strings, which included a clear link to the banking site under attack, the bot’s HTTP requests and some of the commands used by the botnet C&C:
(Part of the decrypted Zbot file)
This is the first example of an encrypted Zbot variant spreading via CVE-2010-0188. Clearly, the guys behind this program aren’t sitting on their hands, but working on the most up-to-date methods of delivering their malware to end users.
-
Myrtus and Guava, Episode 5
So far in our series about Stuxnet we’ve focussed on the main issue: the threat posed by the zero-day vulnerability in the processing of LNK files, and the fact that cybercriminals have somehow got their hands on digital certificates. What we haven’t done in any detail is look at the worm’s functionality. Anyone following the story has probably already read about how the worm, in addition to replicating, attempts to gain access to industrial systems running WinCC from Siemens. I can’t remember which journalist or antivirus researcher first mentioned power plants (some of which certainly do run WinCC) in connection with Stuxnet. Since then, the whole story’s taken on the air of a Hollywood movie, with dark and repeated murmurings of ‘attacks on industry’ and ‘inter-government espionage’.
(How WinCC works; image from Siemens documentation)
Stuxnet does attempt to connect to the WinCC SCADA visualization system using the default password from Siemens. Part of the worm is a very interesting component, a dll, which acts as a wrapper for the original Siemens dll. It’s this wrapper that tries to connect to WinCC, redirecting the majority of the functions to the original dll, while emulating the remaining functions itself. The functions are:
- s7db_open
- s7blk_write
- s7blk_findfirst
- s7blk_findnext
- s7blk_read
- s7_event
- s7ag_test
- s7ag_read_szl
- s7blk_delete
- s7ag_link_in
- s7db_close
- s7ag_bub_cycl_read_create
- s7ag_bub_read_var
- s7ag_bub_write_var
- s7ag_bub_read_var_seg
- s7ag_bub_write_var_seg
The module also contains several encrypted blocks of data – here’s an example of a decrypted block:
Siemens is currently conducting its own investigations and analysis of the malware. They’ve published official information about the incident, which reports one confirmed case of infection of a WinCC client in Germany. From the report:
"Currently there is still only one known case where a customer's WinCC computer has been infected. The virus infiltrated a purely engineering environment of a system integrator, but was quickly eliminated. A production plant has not been affected so far."
"There is only one known case of infection in Germany. We are, at present, trying to find out whether the virus caused any damage."
Siemens also confirms that the worm is able to transmit process and production data, and that it attempts to establish a connection with the cybercriminals’ servers. At the moment, however, the servers are apparently inactive.
P.S. Siemens has just issued an update: "Currently we know of two cases worldwide where a WinCC computer has been infected. A production plant has so far not been affected."
-
Myrtus and Guava, Episode 4
A few days ago we wrote about a new variant of the Stuxnet worm’s rootkit component, signed not with Realtek’s digital signature, but with one owned by JMicron. Costin posted about it in detail. The media jumped on the news, and there was a lot of talk about "New worm variant discovered". However, the situation isn’t quite as simple as the headlines made out. There wasn’t a clear answer to the main question, i.e. where’s the worm which the signed driver would have come from? The fact that the driver was created on 14 July could indicate that a new variant of the worm, potentially with new functionality, was out in the wild. However, all of our attempts to find the dropper of the second rootkit driver (there are meant to be two) came to nothing.
Over the last few days, all the discussions have boiled down to two possible explanations: either cybercriminals stole the digital certificates using a Trojan, or it was the work of an insider. Our failure to find the dropper or second driver, though, makes the whole story all the more complicated. So we decided to look at some statistics: how many times has the Kaspersky Security Network detected Rootkit.Win32.Stuxnet.c (the driver signed with the JMicron certificate)? The numbers are discouraging – since 20 July, the module’s been detected all of twice, once in Russia and once in Ukraine. These figures look pretty silly when compared to the detection statistics for the rootkit component signed with the Realtek signature.
Verisign has now revoked the JMicron certificate, making it invalid. Our whitelisting database contained 124 programs which had been signed using the certificate – all of them, of course, were clean. At the moment, I’m not drawing any conclusions about the origins of this mythical driver. I don’t doubt that it is a modified variant of mrxcls.sys. We’re still looking for whatever is launching it, or computers which it’s infected.
If we look at the stats relating to the initial Stuxnet variant, they show epidemics in India, Iran, and Indonesia. The number of infected computers increases by about a thousand every day, and this is only what our monitoring systems show us. In other words, it’s merely the tip of the iceberg. Apart from the three countries hit by Stuxnet, Azerbaijan and Afghanistan have also been heavily affected, with more than a thousand infected machines each. The geographical spread of the Trojan, together with the "missing" variant, has given us all a lot to think about.
-
Different x86 Bytecode Interpretations
Working on an efficient generic shellcode detection engine and verifying results with randomly generated input, I've effectively ended up fuzzing different open source disassembler libraries. The disassembler library of choice for my current project is libdasm because of its comparatively long history and public domain license. But writing a sound and complete x86 disassembler is obviously not a trivial task due to the complex nature of the x86 instruction set. libdasm used to have issues correctly disassembling certain floating point instructions in the past, but this was simply caused by an off-by-three error in the opcode lookup tables (three NULL rows missing) and thus the fix was comparatively easy.
-
How does your vacation affect your security?
Vacation is a time for visiting friends and family, going abroad, eating ice-cream, gardening – whatever helps you regroup and recharge. Computer security is probably the last thing on your mind, even if you’ve taken your laptop home with you to keep tabs on what’s going on at the office. But as my colleague Christian pointed out in this article last year, summer often brings some serious security issues. And I’ve got recent further proof of this: just a few weeks ago I was attending our annual security conference at a very classy hotel in Cyprus. Everything seemed perfect – until we connected to the hotel Wi-Fi. If you’ve ever taken your laptop with you on business or vacation, you’ll know the drill. When you want to connect to the Internet via a hotel network, you get redirected to a site controlled by the hotel’s router. You need to either enter a code provided by the hotel, or your credit card details – all on a site which may or may not be secure. In Cyprus, we found out that the page you get redirected to when you try and access the Internet was infected with Gumblar. The hotel was lucky to have 30+ security experts staying there – but if we hadn’t been holding our conference there, the site could have stayed infected for quite a while! Logging on via insecure connections isn’t the only seasonal security issue. People’s computer and online habits change when they’re on holiday – they tend to use their computers less, and in short bursts, just to get the information they need. For instance, you’ll often see people logging on for ten minutes to quickly check email, download maps or details about the places they’re planning to visit, etc. If you’re quickly checking for some information that you need via GPRS or a slow Wi-Fi connection, you’re probably not going to bother updating your antivirus or installing security patches. 
You might rationalize your decision (if you even think about it) by telling yourself that you don’t go to dodgy sites which are likely to be hosting malware. But our experience in Cyprus really highlights the fact that malware is everywhere. Ignoring security patches and antivirus updates while you’re on vacation means that if you log on, you are putting yourself at risk. And when you get back to work after two, three, or even four weeks off, if you haven’t been using your computer, the very first thing you should do is make sure that it’s fully patched, and security software up to date. Of course you want to get to all the funny YouTube links etc. that your colleagues sent while you were away – but update before you start checking your mail or clicking through links and attachments.
Insecure networks, infected sites, and vulnerable software and systems are all technical aspects of IT security. But apart from all the technical stuff, lots of people are giving out far too much information on Facebook, Twitter, and even in their Out Of Office replies. Posting that you’re off to some exotic resort for two weeks is almost an open invitation to burglars and other criminals to come and rifle your property while you’re gone…
Simple tips on how to have a more secure vacation
Before you go
- Don’t write on your social network that you’re going on holiday!
- Make sure you’ve got all the latest security patches installed, including patches for third party applications such as PDF readers, browsers, chat programs, etc.
While you’re away
- Make sure that your antivirus is up to date. You never know what might be lurking on the network!
- Use common sense - don’t enter credit card details or passwords unless it’s essential, and only if you’re confident the network is secure.
- If you’re paranoid, disable programs that autostart such as Skype or MSN – you wouldn’t want someone to steal your passwords over an insecure network.
When you get back
- Make sure you scan and patch your work computer before you start reading emails and working.
Stuxnet signed certificates frequently asked questions
Last night, Verisign acted promptly and revoked the second stolen certificate used to sign a version of the Stuxnet rootkit driver. As previously mentioned, this certificate belonged to JMicron Technology Corp, a popular Taiwanese hardware company.

We have prepared a short FAQ about Stuxnet and the revoked stolen certificates:
1. I heard Microsoft and Verisign revoked the stolen Realtek certificate, does it mean I’m safe now?
Due to the way certificates work, a revoked certificate doesn’t mean the malware will not run anymore. You will still get infected by Stuxnet and the driver will still load without any warning. The only effect of the revoke process is that the bad guys will not be able to sign any further malware with it.
2. How many stolen certificates are we talking about?
So far, we’ve seen Stuxnet drivers signed with certificates from JMicron Technology Corp and Realtek Semiconductor Corp. Both companies seem to have offices in the Hsinchu Science and Industrial Park, which could indicate an insider job. It is also possible that the certificates were stolen using a dedicated Trojan, such as Zeus, meaning there could be more.
3. I have a Realtek/JMicron motherboard/network card in my computer. Does it mean that I am at risk?
So far, we haven’t found anything suspicious in the Realtek/JMicron hardware drivers.
4. Now that Microsoft and Verisign revoked the Realtek/JMicron certificates, does it mean that my Realtek/JMicron drivers will stop working?
No. Due to the way certificates and signatures work, the revoking doesn’t have any effect on already signed drivers. Both companies were issued new certificates, which they can use to sign upcoming drivers.
5. Are we going to see more signed malware in the future?
Most likely, yes. There are currently tens of thousands of malicious programs that have been signed – that’s a fact. For more information, I encourage everyone to view Jarno Niemelä’s excellent presentation "It's Signed, therefore it's Clean, right?", presented earlier this year at the CARO Workshop.
Stuxnet and stolen certificates
Yesterday, our colleagues from ESET discovered a new version of Stuxnet, which has its driver signed by yet another trusted party - "JMicron Technology Corp.".

JMicron is a rather well known hardware producer; I myself have owned about three or four different computers which had JMicron components inside.
The initial RT certificate was suspicious, but another stolen certificate raises interesting questions.
One possibility here is that both JMicron and Realtek got infected with a trojan such as Zeus, that steals digital certificates. Then, the cybercriminals who got the certificates, either re-sold them on the market or used them by themselves to sign the Stuxnet drivers.
To be honest, the fact that trojans were stealing digital certificates did not really seem that impressive when I first saw this capability.
Now, coupled with the Stuxnet story, it begins to make sense.
LNK zero-day, the fundamentals
Over the weekend I spent more time looking into the zero-day LNK (shortcut) Windows vulnerability that Aleks blogged about last week. It’s now been classified as CVE-2010-2568 and is being actively exploited in the wild. My main conclusion is that this vulnerability is a fundamental part of how Windows handles LNK files. This means there are two huge negatives – firstly, as this functionality is pretty standard, it's going to be harder to create effective generic detections which don't cause false positives. Secondly, I suspect Microsoft is going to have a very hard time patching this one. There doesn’t seem to be any security model associated with how Windows handles shortcuts. This whole situation reminds me a bit of vulnerabilities in the WMF format – it’s another case of legacy code coming back to bite Microsoft. We’ve released generic detection for malicious LNK files which try to exploit the feature. I think that the LNK format will start receiving a lot more attention now, both from the good guys, and the bad, so do take a look at the mitigations put up by Microsoft. I’m sure it will be time well spent, as I fully expect this vulnerability to be widely exploited while we’re waiting for the patch.
Myrtus and Guava, Episode 3
The geographical distribution of Stuxnet infections is just as interesting as the Trojan itself. We detect the rootkit component (the signed drivers) as Rootkit.Win32.Stuxnet, and the other files as Trojan-Dropper.Win32.Stuxnet. Over the last four days, KSN has identified Trojan components (although the program should really be thought of as a worm, as it spreads via removable storage media) on more than 16,000 computers around the world. A map with infection statistics shows three countries (all starting with the letter I!) are at the centre of the epidemic - Iran, India and Indonesia.
Myrtus and Guava, Episode 2
Having finished episode 1 on a botanical note, let’s continue our trip into the undergrowth by taking a look at the Stuxnet Trojan’s digital signature. Digitally signed malware is a nightmare for antivirus developers. Digital signatures have a lot riding on them – they act as proof that an application is legitimate, and are a key concept in information security. They also have considerable influence on how effective a security solution is – it’s no secret that a digitally signed file will be "trusted" by security software and will often automatically be whitelisted. However, sometimes cybercriminals do somehow manage to get their hands on their very own code signing certificate/signature. Recently, we’ve been seeing regular instances of this with Trojans for mobile phones. When we identify cases like this, we inform the appropriate certification authority, the certificate is revoked, and so on. However, in the case of Stuxnet, things look very fishy indeed. Because the Trojan isn’t signed with a random digital signature, but the signature of Realtek Semiconductor, one of the biggest producers of computer equipment. Recalling a certificate from a company like this simply isn’t feasible – it would cause an enormous amount of the software which they’ve released to become unusable.