More malware exploiting Windows shortcut vulnerability
July 26, 2010 by admin
Filed under Security News
It probably won’t come as a surprise to anyone, but more evidence has come to light that cybercriminals are actively exploiting the Windows shortcut vulnerability (also known as CVE-2010-2568).
Following the earlier Stuxnet attack, our labs have analysed more examples of specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction.
Overnight Sophos saw two malware samples that were being spread by the .LNK vulnerability. Customers of Sophos products were already protected as we detect the .LNK shortcuts generically as Exp/Cplink-A or Troj/Cplink – however, here is more information on the specific malware:
Troj/Chymin-A:
Also known as Chymine, this keylogging Trojan horse is designed to steal information from infected computers.
Troj/Chymin-A may be downloaded by exploited Windows Shortcut (.LNK) files.
W32/Dulkis-A:
W32/Dulkis-A is the more interesting of the two examples of malware we saw related to the exploit overnight, as it drops .LNK shortcut files that exploit the vulnerability to removable drives such as USB sticks. Sophos products detect these .LNK files as Exp/Cplink-A.
W32/Dulkis-A is a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device using the files 9.tmp (detected as Mal/TDSSPack-Z), xxx.dll (detected as W32/Dulkis-A) and <randomname>.tmp (detected as Troj/Nebule-Gen).
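Because the .LNK files described above (both Stuxnet's and the ones W32/Dulkis-A drops on USB sticks) do their work through the shortcut's target rather than through anything the user clicks, a quick triage check for a removable drive is to parse every .lnk on it and list which ones reference a loadable library (.dll or .cpl) in their target ID list. The following is an added example, not Sophos code and not derived from the samples in the post: the header layout and ID-list walk follow the published Shell Link format as I know it, the "library path inside the ID list" heuristic is my own, and the sample shortcut bytes and the name `E:\sample.dll` are constructed fixtures.

```python
import os
import re
import struct

# Fixed values from the Shell Link (.LNK) binary format.
LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian GUID) byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit: a LinkTargetIDList follows the header

# Heuristic (an assumption of this example): a path ending in .dll/.cpl inside the ID list.
LIBRARY_PATH = re.compile(r"[\w\\:.\-]+\.(?:dll|cpl)", re.IGNORECASE)


def parse_link_target_id_list(data: bytes) -> list:
    """Return the ItemID payloads of a .LNK file's LinkTargetIDList (empty list if absent).

    Raises ValueError when the bytes do not start with a valid ShellLinkHeader.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link header")
    link_flags, = struct.unpack_from("<I", data, 0x14)  # HeaderSize(4) + LinkCLSID(16)
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    offset = LNK_HEADER_SIZE
    if offset + 2 > len(data):
        raise ValueError("truncated IDListSize")
    id_list_size, = struct.unpack_from("<H", data, offset)
    offset += 2
    end = min(offset + id_list_size, len(data))
    items = []
    while offset + 2 <= end:
        item_size, = struct.unpack_from("<H", data, offset)
        if item_size == 0:  # TerminalID closes the list
            break
        if item_size < 2 or offset + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[offset + 2:offset + item_size])
        offset += item_size
    return items


def library_references(data: bytes) -> list:
    """Library paths (.dll/.cpl) found in the ID list, trying UTF-16LE and ANSI text."""
    hits = []
    for item in parse_link_target_id_list(data):
        for text in (item.decode("utf-16-le", "ignore"), item.decode("latin-1")):
            hits.extend(m.group(0) for m in LIBRARY_PATH.finditer(text))
    return hits


def scan_for_suspicious_shortcuts(root: str) -> dict:
    """Map each .lnk under `root` that references a library to the paths it names."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    refs = library_references(fh.read())
            except (OSError, ValueError):
                continue  # unreadable or not really a shortcut
            if refs:
                findings[path] = refs
    return findings


def build_sample_lnk(target: str) -> bytes:
    """Constructed minimal .LNK: a header plus one ItemID holding a UTF-16LE path.

    Synthetic fixture for exercising the parser offline; not a real shortcut and
    not one of the samples mentioned in the post.
    """
    payload = target.encode("utf-16-le") + b"\x00\x00"
    item_id = struct.pack("<H", 2 + len(payload)) + payload
    id_list = item_id + b"\x00\x00"  # TerminalID
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST))
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    for target in ("E:\\sample.dll", "C:\\Windows\\notepad.exe"):
        print(target, "->", library_references(build_sample_lnk(target)))
```

Run `scan_for_suspicious_shortcuts("E:\\")` (or the mount point of the stick) to get a triage list. Legitimate Control Panel shortcuts also reference a .cpl, so a hit is a prompt to look, not a verdict; on removable media, where no such shortcuts normally live, any hit deserves attention.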
Backdoors in Twitter, Now in Arabic
June 30, 2010 by admin
Filed under Security News
Twitter is becoming a common medium to spread spam, malware and all kinds of badness. Just a few weeks ago, we wrote about FIFA and the Gaza attacks being used as social engineering leverage by Trojan creators, and there are no signs of them stopping any time soon.
Over the past two weeks, several Twitter accounts were created for the sole purpose of tweeting Poison Ivy or Bifrost download links. Both Poison Ivy and Bifrost are backdoors, malicious programs that allow an unauthorized user access to the infected machine. Interestingly, these backdoor programs are uploaded to either freewebtown.com or leadhoster.com, both free web hosting sites.
For some of our readers, these things aren’t new, but what caught my eye are these tweets written in Arabic:
Cybercrime groups, it seems, are broadening the scope of their social engineering by employing localization techniques. Quite clever, huh?
Lastly, these rogue Twitter accounts either have very few or no followers and following, which means the only way for potential victims to see the backdoor URL is to do a Twitter Search with the appropriate keywords. Hmmm… blackhat SEO Twitter style anyone?
Tips to Detect Virus Files and Infected files
June 3, 2010 by Rahulmg
Filed under Removal Tips,Tools and Videos

How to detect virus files?
Virus files nowadays are better disguised and harder to spot than they used to be; some carry a convincing icon so the user has no reason to suspect that the file is malicious or unwanted. A common property of virus or infected files is that they keep trying to connect to the internet to fetch further unwanted software or files onto the victim’s computer.
Some Trojans, such as Sality.AA, copy their file into windows\system32 (every copy has the same file size, which makes them easy to identify), sometimes as a hidden file, and also create a copy in every folder named after that folder. For example, if there is a folder C:\myfolder, then once this Trojan infects the system it creates C:\myfolder\myfolder.exe with a size of roughly 499 KB; opening that file shows nothing, but the system becomes busy. Many such files are created across the drives and folders.
How To Delete these files:
Use the Windows Search utility or any alternative. First note the size of one of the created files, such as myfolder.exe; if it is 499 KB, add that file size to the search parameters so you can find and delete all of the folder-named executables in one pass.
Note:
If a malicious .exe is still running, Windows will not let you delete it, so end the suspect processes first. You can use Windows Task Manager or an alternative process lister such as Process Explorer.
Get Process Explorer from
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://en.wikipedia.org/wiki/Process_Explorer
Process Explorer is free; use it to kill the suspect processes (and to see which files they hold open) before deleting the files.
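The search step above (find every `<folder>\<folder>.exe` of the same size, then delete them once the process is dead) can be scripted so nothing is missed across several drives. Below is an added example in Python, not the author’s tool: the folder-name pattern and the ~499 KB size come from the post, the 2 KB size tolerance and the constructed directory tree in `demo()` are my own choices, and it only lists hits so that you can kill the process and delete the files yourself.

```python
import os
import tempfile
from collections import defaultdict, namedtuple

Hit = namedtuple("Hit", "path size")


def is_folder_named_executable(path, size, expected_size=None, tolerance=0):
    """True when `path` is <dir>/<dir-name>.exe, optionally within `tolerance` bytes of `expected_size`."""
    directory, filename = os.path.split(path)
    stem, ext = os.path.splitext(filename)
    if ext.lower() != ".exe":
        return False
    if stem.lower() != os.path.basename(directory).lower():
        return False
    if expected_size is not None and abs(size - expected_size) > tolerance:
        return False
    return True


def find_folder_named_executables(entries, expected_size=None, tolerance=0):
    """Filter an iterable of (path, size_in_bytes) pairs down to the folder-named executables."""
    return [Hit(p, s) for p, s in entries
            if is_folder_named_executable(p, s, expected_size, tolerance)]


def cluster_by_size(hits):
    """Group hits by exact byte size: dropped copies share one size, real programs rarely do."""
    groups = defaultdict(list)
    for hit in hits:
        groups[hit.size].append(hit.path)
    return dict(groups)


def scan_tree(root, expected_size=None, tolerance=0):
    """Walk `root` (a drive or folder) and return the folder-named executables found."""
    def entries():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                try:
                    yield full, os.path.getsize(full)
                except OSError:
                    continue  # vanished or unreadable; skip rather than abort the scan
    return find_folder_named_executables(entries(), expected_size, tolerance)


def demo():
    """Build a constructed tree (two infected-looking folders, one benign installer) and scan it."""
    size = 499 * 1024  # the ~499 KB figure from the post
    with tempfile.TemporaryDirectory() as root:
        for folder in ("myfolder", "photos"):
            os.mkdir(os.path.join(root, folder))
            with open(os.path.join(root, folder, folder + ".exe"), "wb") as fh:
                fh.write(b"\x00" * size)  # zero-filled stand-in, not a real dropper
        os.mkdir(os.path.join(root, "tools"))
        with open(os.path.join(root, "tools", "setup.exe"), "wb") as fh:
            fh.write(b"\x00" * 1024)
        hits = scan_tree(root, expected_size=size, tolerance=2048)
        # relative, slash-normalised paths so the result is the same on every platform
        return sorted(os.path.relpath(h.path, root).replace(os.sep, "/") for h in hits)


if __name__ == "__main__":
    for path in demo():
        print("suspect:", path)
```

Run `scan_tree("C:\\")` (and each other drive letter) without an expected size first and look at `cluster_by_size()` on the result: a cluster of many folder-named .exe files with one identical size is the pattern the post describes, and that size is what you then pass as `expected_size`.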
Detect Infected Virus Files.
Detecting infected files is simple: if a normal application takes noticeably longer than usual to start or run, a virus infection may be the cause. Bitdefender is the best antivirus software for this purpose and can be used to disinfect virus-infected files.
New Mac backdoor Trojan horse discovered
April 19, 2010 by admin
Filed under Security News
Pinhead or HellRTS? What’s in a name?
Mac malware is making the headlines again – this time in the form of a remote access trojan which has been given the name OSX/HellRTS.D by French security firm Intego.
The folks at Intego blogged about the new Mac threat they discovered, which when run on a Mac OS X computer can allow remote hackers to gain access.
Users of Sophos Anti-Virus for Mac are protected, as we detect the malware as OSX/Pinhead-B, but presently it looks like this is not considered a serious threat and we have received no reports of infections from customers.
It does, however, appear to have been distributed disguised as iPhoto, the photo application which ships on modern Mac computers. This is clearly an attempt to fool victims, via a social engineering trick, into installing the malicious code on their computers.
As always, be careful about the origin of applications you run on your computer, and keep your protection up-to-date. As many Mac users do not presently run any anti-virus software at all, they could be considered a soft target for more attacks like this in the future.
There’s a lot less malicious software for Mac computers than Windows PCs, but the fact that so many Mac owners don’t take security seriously enough might encourage an increasing amount of crime on their platform going forward.
By Graham Cluley, Sophos
How to remove International dialer Trojan on 3D Anti Terrorist (Windows Mobile) (Video)
April 12, 2010 by admin
Filed under Removal Tips,Tools and Videos
You will need a registry editor, a notification queue manager and a file explorer
(the video uses the dotfred Task Manager from http://www.dotfred.net/TaskMgr.htm).
Windows Mobile Terdial Trojan makes expensive phone calls
April 12, 2010 by admin
Filed under Security News
Some players of a mobile phone game called “3D Anti-terrorist action” are reporting an unexpected feature of the game – expensive international phone calls appearing on their bill.
A number of owners of Windows Mobile phones are reporting online that their cellphones have been making pricey calls, without their permission, to numbers in a variety of destinations including the Dominican Republic, Somalia and Sao Tome and Principe.
What the victims all appear to have in common is that they installed the same game to their Windows Mobile phone.
It appears that a Russian-speaking hacker has taken the game “3D Anti-terrorist action”, embedded his Trojan horse inside it, and uploaded it to Windows Mobile download sites on the web. Presumably they are hoping to skim some money from the expensive premium rate phone calls.

It’s important to remember that malware for mobile devices is still quite rare, particularly when compared to infections on conventional Windows computers. But what may surprise some is that there is nothing particularly revolutionary about criminals attempting to make money out of mobile malware.
For instance, back in 2004 we saw the Mosqit Trojan that could infect Nokia phones running Symbian, forcing affected devices to send text messages to premium rate numbers. Like this latest report, the hackers hid their Trojan inside a cracked version of a mobile phone game.
Sophos detects the malware as Troj/Terdial-A, and advises all mobile phone users to exercise caution when downloading and installing new applications.
By Graham Cluley, Sophos
HouseCall – Free Online Virus Scan NEW v7.1
April 11, 2010 by admin
Filed under Removal Tips,Tools and Videos

HouseCall is Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.
HouseCall 7 features an intuitive interface and the ability to perform fast scans that target critical system areas and active malware. It also leverages the Trend Micro Smart Protection Network™ to help ensure that scans catch the latest threats.
HouseCall 7.1 improves on the recently released HouseCall 7.0 by providing a full system scan option and an option to scan only specific folders. It adds support for 64-bit versions of Windows Vista™ and Windows™ 7.
HouseCall provides a quick and easy check for threats regardless of the protection status of your existing security solution. For more information about HouseCall, please read the Frequently Asked Questions.
What’s new in HouseCall?
- Full system and custom scan options allow users to specify which folders to scan (new in 7.1).
- Quick scan option offers targeted scanning of critical system areas and active threats, reducing scan times to within a few minutes.
- Stand-alone, browser-independent implementation eliminates compatibility issues associated with browser-activated scanners.
- Smart Scan technology refers to patterns in the cloud, delivering the latest protection while reducing download times.
- Smart Feedback shares threat information with the Smart Protection Network, which correlates data from a global intelligence network to quickly discover new threats.
- Review and restore lets you check and compare scan results and recover files.
- Enhanced detection and cleanup addresses rootkits and other sophisticated threats.
Download HouseCall 7.1 (32-bit)
Download HouseCall 7.1 (64-bit)
Getting Started with HouseCall
- Click Download HouseCall to begin. Please note that HouseCall requires a small download before it can scan your computer.
- You can choose to save a copy of the launcher (HousecallLauncher.exe) and use it to quickly start a scan. Remember to visit this page occasionally to get the latest copy of the launcher.
- It is recommended that first-time users select the Quick Scan option, which is available in addition to the Full Scan or Folder Scan options.
- Enabling the Smart Feedback setting helps increase the strength of the Smart Protection Network by sharing malware and threat data as part of our global neighborhood watch program. No personally identifiable information is gathered as part of participation.
Removal tool for Sus/Delf-J, Trojan.Heur.GZ.kGX@bKStsDeG (Foto_253.com, javahr.exe, javahr2.exe, javahu.exe) Trojan
April 4, 2010 by admin
Filed under Removal Tips,Tools and Videos

AVG Rescue CD A powerful toolset for rescue & repair of infected machines
March 26, 2010 by admin
Filed under Removal Tips,Tools and Videos

The AVG Rescue CD is a powerful must-have toolkit for the rescue and repair of infected machines. It provides essential utilities for system administrators and other IT professionals and includes the following features:
- Comprehensive administration toolkit
- System recovery from virus and spyware infections
- Suitable for recovering MS Windows and Linux operating systems (FAT32 and NTFS file systems)
- Ability to perform a clean boot from CD or USB stick
- Free support and service for paid license holders of any AVG product
- FAQ and Free Forum self-help support for AVG Free users
Key technologies
- Anti-virus: protection against viruses, worms and Trojans
- Anti-spyware: protection against spyware, adware and identity theft
- Administration toolkit: system recovery tools
The AVG Rescue CD is essentially a portable version of AVG Anti-Virus supplied as a bootable Linux distribution. It can be used in the form of a bootable CD or bootable USB flash drive to recover your computer when the system cannot be loaded normally, such as after an extensive or deep-rooted virus infection. In short, the AVG Rescue CD enables you to fully remove infections from an otherwise inoperable PC and render the system bootable again.
Apart from the usual AVG functions (malware detection and removal, updates from internet or external device, etc.), the AVG Rescue CD also contains the following set of administration tools:
- Midnight Commander – a two-panel file manager
- Windows Registry Editor – a simple registry editor for more experienced users
- TestDisk – powerful hard drive recovery tool
- Ping – to test the availability of network resources (servers, domains, IP addresses)
- Common Linux programs and services – vi text editor, OpenSSH daemon, ntfsprogs etc.
Free of charge
The AVG Rescue CD is a free-to-use product that anyone can download. This also covers any new program versions and virus database updates. If you have any other paid AVG license, you are also entitled to receive our full technical support.
Download:
Download Rescue CD (for CD creation)
Download Rescue CD (for USB stick)
No, you’ve not received a postcard from a family member
March 22, 2010 by admin
Filed under Security News
Over the weekend there has been a new wave of attacks spammed out, spreading a version of the Bredo Trojan horse via malicious emails.
The emails claim to be an ecard from a family member, but opening the attachment can infect your computer with the Troj/Bredo-BS Trojan horse.

A typical email has the following characteristics:
Subject: You've received a postcard
Attached file: postcard.zip
Message body:
Good day.Your family member has sent you an ecard
If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, open zip attached file.
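The characteristics listed above are enough to write a mail-gateway check: an e-card style subject line whose ZIP attachment carries a Windows executable is the combination to stop, regardless of which Trojan family is inside. What follows is an added example, not Sophos detection logic: the subject keywords, the executable extension list and the verdict shape are my assumptions, and `build_sample_message()` constructs a stand-in message (with a zero-filled stub in place of the Trojan) so the check can be exercised offline.

```python
import io
import os
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed rule inputs for this example: Windows executable extensions, e-card subject lures.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
LURE_SUBJECT = re.compile(r"\b(?:postcard|e-?card|greeting card)\b", re.IGNORECASE)


def zip_members(payload: bytes):
    """Member names inside a ZIP payload, or None when the bytes are not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            return archive.namelist()
    except zipfile.BadZipFile:
        return None


def classify(raw: bytes) -> dict:
    """Inspect one raw RFC 822 message and return {"subject", "suspicious", "reasons"}."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    reasons = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue
        members = zip_members(part.get_payload(decode=True))
        if members is None:
            reasons.append(f"{filename}: named .zip but is not a valid archive")
            continue
        executables = [m for m in members
                       if os.path.splitext(m)[1].lower() in EXECUTABLE_EXTENSIONS]
        if executables:
            reasons.append(f"{filename}: archive contains executable {executables}")
    # The lure subject on its own is not enough to block; it corroborates the attachment finding.
    if reasons and LURE_SUBJECT.search(subject):
        reasons.append(f"subject matches e-card lure: {subject!r}")
    return {"subject": subject, "suspicious": bool(reasons), "reasons": reasons}


def build_sample_message(subject: str, member_name: str) -> bytes:
    """Constructed test message: the body wording from the post, a ZIP holding one stub file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"MZ" + b"\x00" * 62)  # stub bytes, not real malware
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Good day.Your family member has sent you an ecard\n"
                    "To view your ecard, open zip attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="postcard.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample_message("You've received a postcard", "postcard.exe")))
    print(classify(build_sample_message("Holiday photos", "family.jpg")))
```

Feed `classify()` the raw bytes of each inbound message (for example from a Maildir or an MTA content filter); anything with `suspicious` set should be quarantined, and the `reasons` list gives the analyst the attachment name and the archive member that triggered it.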
This is clearly an old tactic to trick people into infecting their computers, but the reason why it’s so familiar is that it really does work.
There’s clearly a danger that some people may return to their work email on Monday morning and, with eyes still sleepy after the weekend, open the attachment before their brain has been woken up by a strong sip of coffee.
Sophos detects the ZIP file as Troj/BredoZp-AC, and its contents as Troj/Bredo-BS.
Somehow the BS nomenclature seems particularly appropriate for this clearly bogus ecard from a family member.

Make sure your anti-virus software is up-to-date, and able to protect against these latest threats, which are still being distributed via spam right now, as you can see in the above snapshot of malware being detected in our traps.
Don’t forget you should always be cautious of opening unsolicited email attachments – criminal hackers will often use this technique to try to trick you into running malicious code on your computer.
By Graham Cluley, Sophos


















