GFI WebMonitor – Web Security and Internet Access Control Software

October 25, 2011 by admin  
Filed under Protection Tools

Most companies want to be able to monitor and control user access to the network and the Internet, and GFI Software has a solution that can help meet that need. Available as a standalone proxy version or as a dedicated plug-in for organizations that have deployed Microsoft ISA Server, GFI WebMonitor is a policy-based web monitoring, filtering, scanning and control solution.

 


TDL4 – Top Bot

July 24, 2011 by admin  
Filed under Security News

Figure: TDSS variants

 

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

 

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

 

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

 

Figure: TDL-3 encrypted disk with SHIZ modules

 

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

 

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

 

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn’t have to worry about competition from those who bought TDL-3.

 

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

 

Yet another affiliate program

 

The way in which the new version of TDL works hasn’t changed so much as how it is spread – via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

 

Figure: Affiliates spreading TDL

 

Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

 

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.

 

The ‘indestructible’ botnet

 

Encrypted network connections

 

One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

 

Readers may recall that one of the distinguishing features of malware from the TDSS family is a configuration file containing descriptions of the key parameters used by various modules to maintain activity logs and communications with command and control servers.

 

Figure: Example of configuration file content

 

Compared to version 3, there are only negligible changes to the format of the configuration file. The main addition is the bsh parameter, an identifier for this particular copy of the malware, which the command and control server assigns the first time the bot connects. This identifier then serves as one of the encryption keys for subsequent connections to the command and control server.

 

Figure: Part of the code modified to work with the TDL-4 protocol

 

Upon protocol initialization, a swap table is created for the bot's outgoing HTTP requests. The table is keyed by two values: the domain name of the botnet command and control server and the bsh parameter. The request is encrypted with this table and then base64-encoded, and random base64 strings are prepended and appended to the result. The finished request is sent to the server over HTTPS.

 

The new encryption of the protocol between the botnet control center and infected machines is meant to keep the botnet running smoothly while shielding the traffic of infected computers from network analysis and blocking attempts by other cybercriminals to take control of the botnet. Note that both keys are available on an infected host: the C&C domain appears in the request and the bsh value sits in cfg.ini, so the scheme resists casual inspection rather than an analyst with a sample, as the statistics section below shows.
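The request encoding described above, as an added example (not code from the article or from the malware): a byte-substitution table derived from the C&C domain and the bsh value, applied to the request, base64-encoded and wrapped in random base64 noise. Everything specific is an assumption made here, since the page gives no details: how the table is derived, the 8-character length of the padding, the request text and the bsh value; the HTTPS transport is not modelled. The last two functions show why such a fixed keyed substitution gives little real secrecy: a single known request/ciphertext pair recovers the mapping for every byte value it contains, with no knowledge of either key.

```python
"""Model of the keyed swap-table request encoding.  Hypothetical reconstruction
written for this page; the table derivation, PAD_LEN, the request text and the
bsh value are assumptions, not TDL-4's real algorithm."""
import base64
import hashlib
import secrets

PAD_LEN = 8  # assumed length of the random base64 noise on each side
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def build_swap_table(domain: str, bsh: str) -> bytes:
    """256-entry byte permutation keyed by the C&C domain and the bsh value
    from cfg.ini: XOR-fold both into a 32-byte seed, expand it to a byte
    stream, and build the permutation with one swap per position."""
    seed = bytearray(32)
    for i, ch in enumerate((domain + "|" + bsh).encode()):
        seed[i % 32] ^= ch
    stream = b"".join(
        hashlib.sha256(bytes(seed) + n.to_bytes(4, "big")).digest() for n in range(16)
    )  # 512 bytes, two per swap
    table = bytearray(range(256))
    for i in range(255, 0, -1):
        j = ((stream[2 * i] << 8) | stream[2 * i + 1]) % (i + 1)
        table[i], table[j] = table[j], table[i]
    return bytes(table)


def substitute(data: bytes, table: bytes) -> bytes:
    """Replace every byte by its table entry (encrypt with the table,
    decrypt with its inverse)."""
    return bytes(table[b] for b in data)


def invert(table: bytes) -> bytes:
    inverse = bytearray(256)
    for plain, cipher in enumerate(table):
        inverse[cipher] = plain
    return bytes(inverse)


def random_b64(n: int) -> str:
    return "".join(secrets.choice(B64_ALPHABET) for _ in range(n))


def encode_request(plain: str, domain: str, bsh: str) -> str:
    """Bot side: substitute, base64, wrap in random base64-looking noise.
    The result is the HTTPS request body; the transport is not modelled."""
    table = build_swap_table(domain, bsh)
    body = base64.b64encode(substitute(plain.encode(), table)).decode()
    return random_b64(PAD_LEN) + body + random_b64(PAD_LEN)


def decode_request(wire: str, domain: str, bsh: str) -> str:
    """Server side, or an analyst holding cfg.ini: strip the noise, invert."""
    table = build_swap_table(domain, bsh)
    body = wire[PAD_LEN:len(wire) - PAD_LEN]
    return substitute(base64.b64decode(body), invert(table)).decode()


def recover_mapping(known_plain: bytes, known_cipher: bytes) -> dict[int, int]:
    """Analyst side without either key: because the table is fixed for a
    (domain, bsh) pair, one known request/ciphertext pair reveals the
    substitution for every byte value that request contains."""
    return {c: p for p, c in zip(known_plain, known_cipher)}


def decrypt_with_mapping(cipher: bytes, mapping: dict[int, int]) -> str:
    """Bytes never seen in the known pair stay unknown and print as '?'."""
    return "".join(chr(mapping[c]) if c in mapping else "?" for c in cipher)


if __name__ == "__main__":
    domain, bsh = "1il1il1il.com", "a3f0c1"  # domain from the C&C table; bsh value assumed
    wire = encode_request("id=1&v=4&os=5.1&cmd=SetName", domain, bsh)
    print(wire)
    print(decode_request(wire, domain, bsh))
```

The padding defeats naive string matching on the wire but adds no secrecy: it is stripped by position. What makes the scheme weak is that the substitution never changes for a given bot and server, so any request whose plaintext is known (a first check-in with predictable fields, for instance) doubles as a decryption table for later traffic.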

 

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

 

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

 

Figure: TDSS module code which searches the system registry for other malicious programs

 

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

 

This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

 

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

 

Figure: TDSS downloads

 

Notably, TDL-4 doesn’t delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

 

Botnet access to the Kad network

 

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

 

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

  1. The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
  2. Computers infected with TDSS receive the command to download and install the kad.dll module.
  3. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
  4. The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
  5. Once the ktzerules file has been downloaded and decrypted, kad.dll runs the commands it contains.

 

Figure: Encrypted kad.dll updates found on the Kad network

 

Below is a list of commands from an encrypted ktzerules file.

 

  • SearchCfg – search Kad for a new ktzerules file
  • LoadExe – download and run the executable file
  • ConfigWrite – write to cfg.ini
  • Search – search Kad for a file
  • Publish – publish a file on Kad
  • Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and clients IP addresses, including those infected with TDSS.
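An added example (not the malware's or eMule's code) of reading the nodes.dat peer list that step 3 above downloads and that the Knock command uploads. It assumes the original version-0 layout of the file: a uint32 contact count followed by 25-byte contacts (16-byte Kad ID, IPv4 address as four octets, little-endian UDP and TCP ports, one type byte). Files that begin with a zero count carry a version number next, and anything other than version 0 is rejected rather than guessed at. The sample file is constructed here, with two public addresses taken from the C&C table later in this article and one private address.

```python
"""Reader for a Kad nodes.dat peer list (version-0 layout, assumed here).
Added example for this page; not eMule's or the malware's code."""
import ipaddress
import struct

CONTACT = struct.Struct("<16s4sHHB")  # Kad ID, IPv4 octets, UDP, TCP, type: 25 bytes


def parse_nodes_dat(blob: bytes) -> list[dict]:
    """Return one dict per contact; raise ValueError on anything this
    example does not understand instead of silently misreading it."""
    if len(blob) < 4:
        raise ValueError("nodes.dat too short for a header")
    (count,) = struct.unpack_from("<I", blob, 0)
    offset = 4
    if count == 0 and len(blob) > 4:  # versioned header: 0, version, count
        if len(blob) < 12:
            raise ValueError("truncated versioned header")
        version, count = struct.unpack_from("<II", blob, 4)
        if version != 0:
            raise ValueError(f"nodes.dat version {version} is not handled by this example")
        offset = 12
    if len(blob) - offset < count * CONTACT.size:
        raise ValueError(f"header promises {count} contacts but the file is shorter")
    contacts = []
    for _ in range(count):
        kad_id, ip_raw, udp, tcp, ctype = CONTACT.unpack_from(blob, offset)
        offset += CONTACT.size
        contacts.append({
            "id": kad_id.hex(),
            "ip": str(ipaddress.IPv4Address(ip_raw)),
            "udp": udp,
            "tcp": tcp,
            "type": ctype,
        })
    return contacts


def build_nodes_dat(contacts: list[tuple[bytes, str, int, int, int]]) -> bytes:
    """Inverse of the parser; used here only to construct the sample file."""
    out = bytearray(struct.pack("<I", len(contacts)))
    for kad_id, ip, udp, tcp, ctype in contacts:
        out += CONTACT.pack(kad_id, ipaddress.IPv4Address(ip).packed, udp, tcp, ctype)
    return bytes(out)


def routable_peers(contacts: list[dict]) -> list[str]:
    """Keep only public addresses with a UDP port: a peer list meant to seed
    a closed botnet only works with those, and they are the entries worth
    correlating against netflow or blocking at the edge."""
    keep = []
    for c in contacts:
        if ipaddress.IPv4Address(c["ip"]).is_global and c["udp"] != 0:
            keep.append(f"{c['ip']}:{c['udp']}")
    return keep


# Constructed sample: two public peers (addresses from the C&C table in this
# article) and one private one that a real seed list should never contain.
SAMPLE_CONTACTS = [
    (bytes.fromhex("00" * 15 + "01"), "91.212.158.72", 4672, 4662, 2),
    (bytes.fromhex("00" * 15 + "02"), "10.0.0.7", 4672, 4662, 2),
    (bytes.fromhex("00" * 15 + "03"), "93.114.40.221", 0, 4662, 3),
]
SAMPLE_FILE = build_nodes_dat(SAMPLE_CONTACTS)

if __name__ == "__main__":
    for contact in parse_nodes_dat(SAMPLE_FILE):
        print(contact)
    print(routable_peers(parse_nodes_dat(SAMPLE_FILE)))
```

A nodes.dat recovered from an infected host is the closest thing to a membership list of the closed network the Knock command builds, so the public peers it names are worth checking against the rest of the fleet's traffic.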

 

The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P network whose clients are exclusively TDSS-infected computers.

 

Figure: How the publicly accessible and closed Kad networks overlap

 

Essentially, the kad.dll module of the TDSS botnet is more or less the same as cmd.dll in terms of control function. By distributing nodes.dat files containing a list of IP addresses of Kad clients, together with a ktzerules file that contains a command to download a new nodes.dat from the cybercriminals' servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from it. The publicly accessible Kad network contains no more than 10 TDSS-infected computers. This makes replacing the ktzerules file there as ineffective as possible, which prevents other cybercriminals from taking control of the botnet. The total number of TDSS-infected computers on the closed network is in the tens of thousands.

 

Figure: kad.dll code responsible for sending commands from the TDL-4 cybercriminals

 

Furthermore, access to Kad makes it possible for the cybercriminals to download any files to botnet machines and make them accessible to P2P users. This includes adult content files and stolen databases.

 

The key threat that such a botnet poses is that even when its command and control centers are shut down, the botnet owners will not lose control over infected machines. However, the system does face two major obstacles:

  1. By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.
  2. When developing the kad.dll module for maintaining communication with the Kad network, code under the GPL license was used, which means the authors are in violation of that license.

 

Extended functionality

 

In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.

 

The proxy server module

 

A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.

 

Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month. For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.

 

Figure: Firefox add-on for anonymous Internet use via the TDSS botnet

64-bit support

 

The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.

 

Figure: List of botnet command and control center commands

Working with search engines

 

The cmd.dll module remains almost completely unchanged. This module handles communication with the botnet command and control servers and substitutes search results, i.e. fraudulently manipulates advertising systems and search engines. The newest addition to the list of TDSS commands is SetName, which assigns a number to each infected computer. For search engines and banner networks, TDSS uses the same fake-click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.

 

Figure: List of search engines supported by TDSS

Botnet command and control servers

When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection. Since the beginning of the year, around 60 command and control centers have been identified across the globe.

 

Control server address    Address, early Feb.    Address, early Mar.    Share of mentions in C&C lists
(noip: no IP address for the name at that time)

01n02n4cx00.cc            noip                   noip                   0.05%
01n02n4cx00.com           91.212.226.5           noip                   0.43%
01n20n4cx00.com           91.212.226.5           91.193.194.9           0.21%
0imh17agcla.com           77.79.13.28            91.207.192.22          0.80%
10n02n4cx00.com           194.28.113.20          194.28.113.20          0.22%
1il1il1il.com             91.212.158.72          91.212.158.72          6.89%
1l1i16b0.com              91.193.194.11          91.193.194.11          0.43%
34jh7alm94.asia           205.209.148.232        noip                   0.03%
4gat16ag100.com           noip                   noip                   2.07%
4tag16ag100.com           178.17.164.129         91.216.122.250         6.69%
68b6b6b6.com              noip                   noip                   0.03%
69b69b6b96b.com           91.212.158.75          noip                   6.89%
7gaur15eb71.com           195.234.124.66         195.234.124.66         6.85%
7uagr15eb71.com           noip                   noip                   2.07%
86b6b6b6.com              193.27.232.75          193.27.232.75          0.14%
86b6b96b.com              noip                   noip                   0.24%
9669b6b96b.com            193.27.232.75          193.27.232.75          0.22%
cap01tchaa.com            noip                   noip                   2.19%
cap0itchaa.com            noip                   noip                   0.58%
countri1l.com             91.212.226.6           91.212.158.72          6.89%
dg6a51ja813.com           91.216.122.250         93.114.40.221          6.85%
gd6a15ja813.com           91.212.226.5           91.212.226.5           2.07%
i0m71gmak01.com           noip                   noip                   0.80%
ikaturi11.com             91.212.158.75          noip                   6.89%
jna0-0akq8x.com           77.79.13.28            77.79.13.28            0.80%
ka18i7gah10.com           93.114.40.221          93.114.40.221          6.85%
kai817hag10.com           noip                   noip                   2.07%
kangojim1.com             noip                   noip                   0.14%
kangojjm1.com             noip                   noip                   0.24%
kur1k0nona.com            68.168.212.21          68.168.212.21          2.19%
l04undreyk.com            noip                   noip                   0.58%
li1i16b0.com              noip                   noip                   0.05%
lj1i16b0.com              noip                   noip                   0.05%
lkaturi71.com             noip                   noip                   0.14%
lkaturl11.com             193.27.232.72          193.27.232.72          0.22%
lkaturl71.com             91.212.226.6           91.212.158.72          7.13%
lo4undreyk.com            68.168.212.18          93.114.40.221          2.19%
n16fa53.com               91.193.194.9           noip                   0.05%
neywrika.in               noip                   noip                   0.14%
nichtadden.in             noip                   noip                   0.02%
nl6fa53.com               noip                   noip                   0.03%
nyewrika.in               noip                   noip                   0.03%
rukkeianno.com            noip                   noip                   0.08%
rukkeianno.in             noip                   noip                   0.08%
rukkieanno.in             noip                   noip                   0.03%
sh01cilewk.com            91.212.158.75          noip                   2.19%
sho1cilewk.com            noip                   noip                   0.58%
u101mnay2k.com            noip                   noip                   2.19%
u101mnuy2k.com            noip                   noip                   0.58%
xx87lhfda88.com           91.193.194.8           noip                   0.21%
zna61udha01.com           195.234.124.66         195.234.124.66         6.85%
zna81udha01.com           noip                   noip                   2.07%
zz87ihfda88.com           noip                   noip                   0.43%
zz87jhfda88.com           205.209.148.232        205.209.148.233        0.05%
zz87lhfda88.com           noip                   noip                   0.22%

 

A careful examination of this list reveals that the IP addresses of command and control centers are constantly changing, while some command and control centers are phased out altogether. These changes are due to the use of proxy servers, which hide the true location of the command and control centers.
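Three questions a defender asks of a list like this, worked as an added example over a subset of the rows above (the analysis is mine, not Kaspersky's): which names shared an address in either snapshot, which names resolved in February but not in March, and which names are within two character edits of each other. The rows are copied from the table in the page's original "name Feb Mar share" format with comma decimals, so the parser also shows how to read that format.

```python
"""Pivoting on the TDL-4 C&C table.  Added example; rows copied from the
article's table (a subset), the analysis is not Kaspersky's."""
from collections import defaultdict
from itertools import combinations

# Subset of the article's table: name, IP early February, IP early March, share
TABLE = """\
1il1il1il.com 91.212.158.72 91.212.158.72 6,89%
4gat16ag100.com noip noip 2,07%
4tag16ag100.com 178.17.164.129 91.216.122.250 6,69%
69b69b6b96b.com 91.212.158.75 noip 6,89%
7gaur15eb71.com 195.234.124.66 195.234.124.66 6,85%
7uagr15eb71.com noip noip 2,07%
countri1l.com 91.212.226.6 91.212.158.72 6,89%
dg6a51ja813.com 91.216.122.250 93.114.40.221 6,85%
ikaturi11.com 91.212.158.75 noip 6,89%
ka18i7gah10.com 93.114.40.221 93.114.40.221 6,85%
lkaturl71.com 91.212.226.6 91.212.158.72 7,13%
sh01cilewk.com 91.212.158.75 noip 2,19%
zna61udha01.com 195.234.124.66 195.234.124.66 6,85%
"""


def parse_rows(text: str) -> list[dict]:
    """One dict per row; 'noip' becomes None, '6,89%' becomes 6.89."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, feb, mar, share = line.split()
        rows.append({
            "name": name,
            "feb": None if feb == "noip" else feb,
            "mar": None if mar == "noip" else mar,
            "share": float(share.rstrip("%").replace(",", ".")),
        })
    return rows


def shared_ips(rows: list[dict]) -> dict[str, set[str]]:
    """IP -> every name that pointed at it in either snapshot.  Names that
    share an address are one operator's infrastructure: block the address,
    not just the name you happened to see."""
    by_ip = defaultdict(set)
    for r in rows:
        for ip in (r["feb"], r["mar"]):
            if ip:
                by_ip[ip].add(r["name"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def went_dark(rows: list[dict]) -> list[str]:
    """Names that resolved in February but not in March."""
    return sorted(r["name"] for r in rows if r["feb"] and not r["mar"])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_duplicates(rows: list[dict], max_dist: int = 2) -> list[tuple[str, str]]:
    """Name pairs within a couple of character edits of each other (the full
    table has many such pairs).  A blocklist built from one member of a
    pair misses the other."""
    names = sorted(r["name"] for r in rows)
    return [(a, b) for a, b in combinations(names, 2) if edit_distance(a, b) <= max_dist]


if __name__ == "__main__":
    rows = parse_rows(TABLE)
    for ip, names in sorted(shared_ips(rows).items()):
        print(ip, sorted(names))
    print("went dark:", went_dark(rows))
    print("near duplicates:", near_duplicates(rows))
```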

 

Command and control server statistics

 

Despite the steps taken by the cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with its servers makes it possible to craft requests of one's own and obtain statistics on the number of infected computers. Kaspersky Lab's analysis of the data identified three different MySQL databases located in Moldova, Lithuania and the USA, all of which sat behind the proxy servers that support the botnet.

 

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

 

Figure: Distribution of TDL-4 infected computers by country

 

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.

 

To be continued…

 

The heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The signs of active development in the TDL-4 code (a rootkit for 64-bit systems, code that runs before the operating system starts, the use of exploits from Stuxnet's arsenal, P2P technology, its own 'antivirus' and a lot more) place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware. The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and act as a launch pad for other malware.

 

TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.

 

Source:  Securelist.com


Free DE-Cleaner by Avira, Kaspersky and Symantec for Anti-Botnet

March 9, 2011 by admin  
Filed under Removal Tips,Tools and Videos

DE-Cleaner powered by Avira

Minimum Requirements for the DE-Cleaner powered by Avira:

  • Pentium-class processor, at least 266 MHz
  • Windows XP with at least SP2 (32 or 64 bit)
  • Windows Vista (32 or 64 bit, SP1 or higher recommended), Windows 7 (32 or 64 bit)
  • At least 150 MB free disk space
  • At least 192 MB memory on Windows XP
  • At least 512 MB memory on Windows Vista and Windows 7
  • Internet connection for updating and the first-time download
  • Please note: at the moment there is no DE-Cleaner available for Linux or Mac OS, since Internet criminals mainly concentrate on and attack Windows-based computers.


Former Kaspersky Employee Responsible for Leaked Source Code

January 29, 2011 by admin  
Filed under Security News


 

The Kaspersky source code that recently made its way onto public websites was leaked by a former employee of the antivirus vendor, who is already serving a prison sentence for intellectual property theft.

 


Remove Virus.Win32.Sality.aa, Virus.Win32.Sality.ae, Virus.Win32.Sality.ag, Virus.Win32.Sality.bh from Windows 7 with the Kaspersky removal tool

November 28, 2010 by admin  
Filed under Removal Tips,Tools and Videos

The recommendations given concerning disinfection of a computer from Virus.Win32.Sality should be applied only if NO Kaspersky Lab product is installed on the infected computer, and/or if the computer is already infected and a Kaspersky Lab product cannot be installed by regular means. Kaspersky Lab experts also recommend using Rescue Disk to disinfect an infected computer.

 

The SalityKiller.exe utility given in this article detects and disinfects only the following Sality modifications: Virus.Win32.Sality.aa, Virus.Win32.Sality.ae, Virus.Win32.Sality.ag, Virus.Win32.Sality.bh.



Tests Show Problems With AV Detections

February 7, 2010 by admin  
Filed under Security News

Dateline: Moscow.

 

Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.

 

The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.

 

After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to Virustotal. Only Kaspersky detected the files at this point.

 

But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.

 

Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.

 


 

But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and the fact that only a static scan was performed.

 

And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”

 

I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the mingw cross-compiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then created a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, two other products called the sample “suspicious”.

 

This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.

 

Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.

 

By Larry Seltzer from PCMag.com

 

 

Autorun no more

September 24, 2009 by admin  
Filed under Protection Tools

A little while ago, Microsoft released an update which partially disables some autorun functionality on Windows operating systems prior to Windows 7. The update, known as KB971029, is intended for Windows XP, Vista, Server 2003, and Server 2008. The autorun function is used to automatically start installation processes from CDs, DVDs, and USB drives, as well as other types of removable media.

 

Autorun works by using a file named autorun.inf found in the root of the file system for removable drives. While this is a helpful process when used with a trusted resource, such as a software installer from a CD, it has long been a successful malware infection vector on rewritable drives.

 

At Kaspersky, we’ve frequently urged Microsoft to disable this process, as anything that automatically installs software or code without properly informing the user can and will be used maliciously. In the past we’ve discovered infected consumer devices, and the autorun function has been used to spread incredibly successful threats such as Conficker (Kido). This listing gives you a partial idea of just how often “autorun” gets used as an infection vector.

 

Early versions of Windows, including Windows XP Service Pack 1 and earlier, would automatically launch software on a rewritable drive with no notification. XP Service Pack 2 and later would automatically launch a window when the drive was inserted, and you could then choose to run an executable. In fact, you could check a box at the bottom to “Always do the selected action”. Malware creators often create an autorun.inf file on removable media when a malicious program launches, and this extends the attack vectors beyond network propagation. A shared USB drive becomes a threat to a network that may not even have Internet access.

 



With Windows XP Service Pack 2, and in Vista and Server 2008, a new feature called Autoplay was introduced. The Autoplay function pops up a window when an autorun.inf file is detected and requests action from the user. The options are to install a program, which launches the intended executable, or to open the folder to view files. While this approach is better than automatically running an executable without user knowledge, it’s not exactly safe. Most casual computer users are conditioned to keep clicking until the file opens, so this just adds a step on the road to infection. The update mentioned above disables the autoplay function on writable media like USB drives, while leaving the autoplay function intact for CDs and DVDs.
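An added example (not Microsoft's or Kaspersky's code) that triages an autorun.inf file the way a responder would before mounting a suspect stick. The parser ignores lines that are not key=value pairs and treats section and key names case-insensitively; that leniency is an assumption about how Windows reads the file, made here because malicious copies are often padded with junk lines and still work. The sample file is constructed for this example, and the keys it checks (open, shellexecute, shell, shell\verb\command, action, icon) are the autorun.inf keys that influence what AutoPlay offers or runs.

```python
"""Triage of an autorun.inf from removable media.  Added example for this
page; the sample file is constructed, not a real capture."""
import re

EXECUTES = ("open", "shellexecute")  # keys that launch a program directly
VERB_COMMAND = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command$")
HIDDEN_FOLDERS = re.compile(r"(recycler|system volume information|\$recycle\.bin)", re.I)


def parse_autorun_inf(text: str) -> dict[str, str]:
    """key -> value from the [autorun] section, keys lowercased.  Lines
    without '=' or outside the section are skipped (assumed Windows
    behaviour; junk padding therefore does not hide the real entries)."""
    entries: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def assess(entries: dict[str, str]) -> list[str]:
    """Human-readable findings, worst first."""
    findings = []
    for key in EXECUTES:
        if key in entries:
            findings.append(f"{key}= launches '{entries[key]}' when the drive is inserted or opened")
    for key, value in entries.items():
        m = VERB_COMMAND.match(key)
        if m:
            findings.append(f"shell\\{m['verb']}\\command hijacks the Explorer '{m['verb']}' verb to run '{value}'")
    if "shell" in entries:
        findings.append(f"shell={entries['shell']} makes that verb the double-click default")
    if "action" in entries:
        findings.append(f"action= text shown in the AutoPlay prompt: '{entries['action']}'")
    icon = entries.get("icon", "").lower()
    if icon.endswith(".dll") or ".dll," in icon:
        findings.append(f"icon= uses a DLL-hosted icon ({entries['icon']}), commonly done to make the drive look like a folder or device")
    target = entries.get("open") or entries.get("shellexecute") or ""
    if HIDDEN_FOLDERS.search(target):
        findings.append("payload lives in a folder Explorer hides by default")
    return findings


# Constructed sample: junk padding, a payload in a hidden folder, hijacked
# Explorer verbs and an icon/action combination that mimics a plain folder.
SAMPLE_INF = r"""[AutoRun]
; constructed sample for this example, not a real capture
~~~~ junk line that is not a key/value pair and is ignored ~~~~
OPEN=RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
shell=open
"""

if __name__ == "__main__":
    for finding in assess(parse_autorun_inf(SAMPLE_INF)):
        print("-", finding)
```

Even a benign installer's autorun.inf is reported, because the point of the update described above is that any open= or shellexecute= line is an execution path the user never chose; the hijacked shell verbs and the hidden payload folder are what separate the malicious sample from that case.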

 


 

Windows 7 disables the function altogether on writable external drives by default. This is a much safer approach; although it makes it more difficult for the average person to find out what to do next when trying to install something new, there’s always a trade-off between security and usability. While we commend Microsoft for finally implementing this fix, it took far too long. Countless infections could have been avoided, and Conficker might have spread less widely if this simple fix had been pushed out earlier.

 

Source: viruslist.com


The New Version of Swizzor Trojan Not Detected Yet and How to Remove it Manually

August 18, 2009 by admin  
Filed under Removal Tips,Tools and Videos, Security News


Today I found a new version of a trojan (the Swizzor Trojan). The damage the trojan does is slowing down IE, and it may send personal information to a remote server, so it can be a real threat to your privacy.

Swizzor can also try to download and install malicious software such as adware.

 

How did I detect it :

I saw two IExplore.exe processes running without any IE window being visible; even if I closed one of them, it would run again. So I tracked which software was running IE without permission and found it in the Startup tab of Msconfig. The file name is admin dumb.exe, with other files at C:\Documents and Settings\Administrator\Application Data\Extra 16.

I copied the folder that contains the trojan and uploaded the files to VirusTotal. Some of them were detected by Kaspersky, but admin dumb.exe was not detected by Kaspersky, McAfee, Symantec, NOD32, Sophos, etc.


How to remove Swizzor Trojan Manually :

1- Open Msconfig from Start > Run, click the Startup tab and uncheck admin dumb.exe.

2- Go to the admin dumb.exe path, e.g. C:\Documents and Settings\Administrator\Application Data\Extra 16, and rename the folder that contains the trojan file.

3- End the admin dumb.exe process from Task Manager if it is running.

4- Restart your PC, then go back to the folder you renamed and delete it with all its contents.

5- Your PC is clean now. Enjoy.


For any help please comment or contact us.


Kaspersky Lab detects new version of Conficker worm (Net-Worm.Win32.Kido.js)

August 16, 2009 by admin  
Filed under Security News


Kaspersky Lab, a leading developer of secure content management solutions, announces that a new version of the malicious program Kido (aka Conficker and Downadup) has been detected.

 


How To Remove Win32/Mabezat, Win32/Mabezat.A, Win32/Mabezat.B, Worm.Win32.Mabezat.b

July 5, 2009 by admin  
Filed under Removal Tips,Tools and Videos


Overview

This description is for a worm that is capable of spreading through removable devices and network shares.

The characteristics of this worm in regards to file names, folders created etc. will differ from one version to another. Hence, this is a general description.


