Monday, September 13, 2010

CAUTION !!!!!!!! NEW VIRUS HITS THE NETWORK

Sex movie worm causes havoc for web users:
An e-mail virus that promises access to free sex films is disrupting businesses across the world.
The "TROJAN VIRUS", sent with the subject "HEAR YOU HAVE", is filling inboxes with multiple e-mails after harvesting users' address books.
In some cases the virus is bringing down corporate e-mail systems with the sheer weight of messages, the Daily Mail reported. The virus arrives as an e-mail with the subject line "HEAR YOU HAVE" and invites the user to click on a link to a PDF file. One common variant promises a link to free sex downloads. One version of the e-mail says, "THIS IS THE FREE DOWNLOAD OF SEX MOVIES", "AND YOU CAN FIND IT HERE". If you receive such messages, computer security firm McAfee says, delete them without clicking the link and alert your IT office.
Ram Herkanaidu, security researcher at Moscow-headquartered Kaspersky Lab, said that the e-mail closely resembles the "I LOVE YOU" virus, which caused havoc about 10 years ago.
His firm has now raised its global threat level.

Thursday, September 2, 2010

MOST DANGEROUS VIRUSES

Nyxem (2006)
ALIAS: Mywife, Hunchi, I-Worm.Nyxem, Blackmal, Blueworm, Blackworm
The Nyxem worm was first found in March 2006. The worm spreads in e-mails using its own external SMTP engine. It sends itself with varying subjects, body text and attachment names. The worm also copies itself multiple times to an infected hard drive. Blackworm is designed to corrupt data on infected computers on February 3, 2006, in respect to The Day the Music Died.
The scariest thing about this worm is that it can delete your antivirus programs, if they are installed in the same directories as the ones specified in the worm's code. It can also delete the entries in the Windows Registry belonging to these antivirus programs, so these applications will not be run automatically the next time Windows is started.
The worm also contains a GIF file which is used to make the recipient of an infected e-mail think that the message was scanned by Norton Anti-Virus and no infection was found.
But its havoc ended soon, and it dropped off the records after October 26.

Storm Worm (2007)
ALIAS: Small.dam, Trojan.Peacomm, Trojan.Peed, Trojan.Tibs, W32/Zhelatin
Soon after Nyxem ended, a new virus named Storm Worm was discovered on January 17, 2007, with the same functionality as Nyxem. It hides itself in an e-mail attachment whose message carried the subject line "230 dead as storm batters Europe." Users who opened the attachment let the virus into their machines. This virus infected around 10 million computers worldwide, and once a computer was infected it could be used to send millions of spam e-mails advertising web links.
It also brought new identity-stealing features: according to the United States Federal Bureau of Investigation, Storm greatly helped hackers in bank fraud, identity theft and a number of other cybercrimes.

Conficker (2008)
ALIAS: Downup, Downadup, Kido
Conficker is a computer worm targeting the Microsoft Windows operating system. First detected on 20 November 2008, it affected more than seven million government, business and home computers in over 200 countries.
The worm attacks the Microsoft vulnerability MS08-067 in the Server Service, which allows remote code execution: a remote attacker can run arbitrary code on the machine without authentication and take full control of the computer. Conficker also uses the infected machine's computing power to run password brute-force attacks against administrator passwords on the local network, which lets the worm spread through network shares as well.
The worm is said to have caused 9.1 billion in damage, mostly in Asia, South America and Europe.
New versions of Conficker gained the ability to:
- Block DNS lookups.
- Disable AutoUpdate.
- Kill anti-malware.
- Scan for and terminate processes with the names of anti-malware, patch or diagnostic utilities at one-second intervals.
Microsoft set a bounty of $250,000 USD for information leading to the capture of the worm's author.

Daprosy Worm (2009)
Daprosy was first observed in early May 2009 and first announced to the public as the Daprosy trojan worm by Symantec in July 2009. This worm is a malicious program that spreads via LAN connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file, from which several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of a Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files in infected folders.
The worm is known to destabilize, corrupt and even stall the operating system due to programming bugs. It appears to be incomplete and was probably created by students or amateur Visual Basic programmers. As of October 2009 special scripts are available to remove it from infected computers, but until then many Windows systems were stalled.

Alureon (2010)
Alureon is a trojan and rootkit designed to steal data by intercepting a system's network traffic and searching it for usernames, passwords and credit card data. Microsoft has confirmed that Alureon is the cause of a series of BSoD problems on Windows systems which were triggered by the Patch Tuesday update MS10-015; Microsoft will not install the patch on these systems. The Alureon rootkit was first seen in 2006 and has now started affecting computers.
PCs become infected by downloading software, particularly from torrent sites, and by visiting certain posting sites.

LATEST VIRUS

Name                              Type     Risk  Date Discovered
Skintrim.gen.k!3C66A4FCAF50       Trojan   Low   2010-09-02
Generic PUP.z!bi!C8EF9FFAFA43     Program  Low   2010-09-02
Generic.dx!tqp!98D66DD92993       Trojan   Low   2010-09-02
Skintrim.gen.f!1C099175D43C       Trojan   Low   2010-09-02
Skintrim.gen.k!1BD0DAA11B14       Trojan   Low   2010-09-02
W32/Alisa.d!1BBCD8F0EAD4          Virus    Low   2010-09-02

Virus - P2P-Worm.Win32.BlackControl.g

P2P-Worm.Win32.BlackControl.g
Detected Aug 18 2010 13:59 GMT
Released Aug 18 2010 20:24 GMT
Published Aug 20 2010 09:51 GMT

Technical Details

The malicious program intercepts the user’s requests to various sites and redirects them to a malicious URL. It also contains a tool for sending phishing messages. It propagates via e-mail and peer-to-peer networks. It is a Windows PE EXE file. The file is ~300 KB in size. It is written in C++.

Installation
When launched, the Trojan copies its executable file to the Windows system folder

It also extracts itself and creates an executable file on the hard drive which is also part of the malicious program

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable files in the following system registry autorun keys

The Trojan adds its executable file to the Windows firewall list of trusted applications

The malicious program may also create the following system registry keys in which it stores its configuration data

Payload

Once the malicious program has installed, it sends an "infection successful" message to the C&C server at the following address

It requests the victim computer’s IP address from the following site to determine its location

The malicious program then tracks the operation of the following browsers:

Internet Explorer
Opera
Google Chrome
Mozilla Firefox

If the user visits a web page with a header containing any of the following words

the program intercepts this request and redirects it to:

http://oxobla***.com/se.php?pop=1&aid=YmxhY2tvdXQA9D8&sid=&key=

The malicious program also tracks all search requests the user sends to any of the following search engines:

google
yahoo
live
msn
bing
youtobe

The search request data is sent to the following URL:

http://tetro***.com/request.php?aid=blackout&ver=25

The malicious program terminates the processes of popular IT security products and antivirus tools, including:

Kaspersky Anti-Virus
Antivirus System Tray Tool
Avira Internet Security
AntiVir PersonalEdition Classic Service
Rising Process Communication Center

It simultaneously deletes information about them from the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
It may block user requests to IT security vendors’ sites.

It disables User Account Control in Windows Vista/7 by setting the following registry values:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
The malicious program also terminates the following services:

ERSvc - Error Reporting Service
wscsvc - Windows Security Center Service
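The registry-side indicators quoted above (the two UAC values, the Run autorun key the worm registers under and scrubs, and the two stopped services) can be checked offline against a registry export taken from a suspect host. The following is an added triage example, not code from the original writeup: it parses .reg export text and reports the values the page names. The registry locations and values are those on the page; the sample export, the autorun value name and its target path are constructed placeholders. The check on a service's Start value (4 means "disabled") goes slightly beyond the page, which only says the services are terminated.

```python
"""Triage a Windows registry export (.reg text) for the defence-tampering and
persistence indicators quoted in the BlackControl.g writeup above.

Added example; not part of the original writeup. The registry locations and
values are those on the page, the sample export below is constructed, and the
autorun value name and target path in it are placeholders."""
import re

# UAC-related values quoted on the page: (key path, value name) -> value the worm sets.
UAC_INDICATORS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "UACDisableNotify"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", "EnableLUA"): 0,
}
# Autorun key the worm registers under and scrubs security products from.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Services the writeup says the worm terminates. A Start value of 4 under a
# service's key means "disabled" in Windows (assumption beyond the page).
TAMPERED_SERVICES = ("ERSvc", "wscsvc")
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: value}}.

    dword values become ints, quoted strings have their .reg escaping undone;
    other value types (hex:, the @ default value) are skipped for brevity."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name, val = value.group(1), value.group(2)
            if val.startswith("dword:"):
                val = int(val[len("dword:"):], 16)
            elif val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                continue
            keys[current][name] = val
    return keys


def find_indicators(keys):
    """Return human-readable findings for the page's indicators.

    Every Run entry is listed for analyst review, since the writeup gives no
    fixed name for the worm's autorun value."""
    lookup = {path.lower(): values for path, values in keys.items()}
    findings = []
    for (path, name), bad_value in UAC_INDICATORS.items():
        if lookup.get(path.lower(), {}).get(name) == bad_value:
            findings.append(f"UAC tampering: {path}\\{name} = {bad_value}")
    for name, target in lookup.get(RUN_KEY.lower(), {}).items():
        findings.append(f"autorun entry for review: {name} -> {target}")
    for service in TAMPERED_SERVICES:
        values = lookup.get(f"{SERVICES_ROOT}\\{service}".lower(), {})
        if values.get("Start") == 4:
            findings.append(f"service disabled: {service} (Start=4)")
    return findings


# Constructed sample export (not from a real host); the Run value name and
# its target path are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UACDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PLACEHOLDER_AUTORUN"="C:\\Windows\\system32\\PLACEHOLDER_DROPPER.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000002
'''

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against a real export with `reg export HKLM hklm.reg` on the suspect host and feed the file's text to `parse_reg_export`; the Run entries are listed rather than judged because the page gives no file name for the worm's copy, so an analyst still has to compare them against a known-good baseline.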

It downloads an update from one of the following URLs:

http://simfree***.com/update.php?sd=2010-04-27&aid=blackout
http://posit***.com/update.php?sd=2010-04-27&aid=blackout
http://rts***.com/update.php?sd=2010-04-27&aid=blackout
http://qul***.com/update.php?sd=2010-04-27&aid=blackout
The new version of the malicious program is downloaded to the file C:\autoexec.exe and launched for execution. The file is then deleted.

At the time of writing this link was inactive.

The malicious program also propagates using peer-to-peer networks by copying itself to the following shared folders:

%ProgramFiles%\winmx\shared\
%ProgramFiles%\tesla\files\
%ProgramFiles%\limewire\shared\
%ProgramFiles%\morpheus\my shared folder\
%ProgramFiles%\emule\incoming\
%ProgramFiles%\edonkey2000\incoming\
%ProgramFiles%\bearshare\shared\
%ProgramFiles%\grokster\my grokster\
%ProgramFiles%\icq\shared folder\
%ProgramFiles%\kazaa lite k++\my shared folder\
%ProgramFiles%\kazaa lite\my shared folder\
%ProgramFiles%\kazaa\my shared folder\
Its copies may have any of the following names:

YouTubeGet 5.6.exe
Youtube Music Downloader 1.3.exe
WinRAR v3.x keygen [by HiXem].exe
Windows2008 keygen and activator.exe
[+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe
Windows Password Cracker + Elar3 key.exe
[Eni0j0 team] Windows 7 Ultimate keygen.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
Website Hacker.exe
[Eni0j0 team] Vmvare keygen.exe
VmWare 7.x keygen.exe
UT 2003 KeyGen.exe
Twitter FriendAdder 2.3.9.exe
Tuneup Ultilities 2010.exe
[antihack tool] Trojan Killer v2.9.4173.exe
Total Commander7 license+keygen.exe
Super Utilities Pro 2009 11.0.exe
Sub7 2.5.1 Private.exe
Sophos antivirus updater bypass.exe
sdbot with NetBIOS Spread.exe
[fixed]RapidShare Killer AIO 2010.exe
Rapidshare Auto Downloader 3.8.6.exe
Power ISO v4.4 + keygen milon.exe
[patched, serial not needed] PDF Unlocker v2.0.5.exe
PDF-XChange Pro.exe
[patched, serial not needed] PDF to Word Converter 3.4.exe
PDF password remover (works with all acrobat reader).exe
Password Cracker.exe
Norton Internet Security 2010 crack.exe
Norton Anti-Virus 2010 Enterprise Crack.exe
Norton Anti-Virus 2005 Enterprise Crack.exe
NetBIOS Hacker.exe
NetBIOS Cracker.exe
[patched, serial not need] Nero 9.x keygen.exe
Myspace theme collection.exe
MSN Password Cracker.exe
Mp3 Splitter and Joiner Pro v3.48.exe
Motorola, nokia, ericsson mobil phone tools.exe
Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
Microsoft Visual Studio KeyGen.exe
Microsoft Visual C++ KeyGen.exe
Microsoft Visual Basic KeyGen.exe
McAfee Total Protection 2010 [serial patch by AnalGin].exe
Magic Video Converter 8.exe
LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
L0pht 4.0 Windows Password Cracker.exe
K-Lite Mega Codec v5.2 Portable.exe
K-Lite Mega Codec v5.2.exe
Keylogger unique builder.exe
Kaspersky Internet Security 2010 keygen.exe
Kaspersky AntiVirus 2010 crack.exe
IP Nuker.exe
Internet Download Manager V5.exe
Image Size Reducer Pro v1.0.1.exe
ICQ Hacker Trial version [brute].exe
Hotmail Hacker [Brute method].exe
Hotmail Cracker [Brute method].exe
Half-Life 2 Downloader.exe
Grand Theft Auto IV [Offline Activation + mouse patch].exe
Google SketchUp 7.1 Pro.exe
G-Force Platinum v3.7.6.exe
FTP Cracker.exe
DVD Tools Nero 10.x.x.x.exe
Download Boost 2.0.exe
Download Accelerator Plus v9.2.exe
Divx Pro 7.x version Keymaker.exe
DivX 5.x Pro KeyGen generator.exe
DCOM Exploit archive.exe
Daemon Tools Pro 4.8.exe
Counter-Strike Serial key generator [Miona patch].exe
CleanMyPC Registry Cleaner v6.02.exe
Brutus FTP Cracker.exe
etc.
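The propagation method above is simple to sweep for on a host: the shared-folder paths are fixed, and the lure names share a small vocabulary (keygen, crack, hacker, activator and so on). The following added example, not code from the original writeup, walks those P2P share folders under a given %ProgramFiles% and reports every executable, marking the ones whose names use that vocabulary. The folder list and lure names are from the page; the keyword heuristic and the constructed sample directory tree are this example's own assumptions.

```python
"""Sweep the peer-to-peer shared folders named in the BlackControl.g writeup
for executable lures.

Added example, not part of the original writeup. The folder list and the lure
names come from the page; the keyword heuristic and the sample tree are this
example's own (constructed) assumptions."""
import os
import tempfile

# Shared-folder paths from the writeup, relative to %ProgramFiles%.
P2P_SHARED_FOLDERS = [
    r"winmx\shared", r"tesla\files", r"limewire\shared",
    r"morpheus\my shared folder", r"emule\incoming", r"edonkey2000\incoming",
    r"bearshare\shared", r"grokster\my grokster", r"icq\shared folder",
    r"kazaa lite k++\my shared folder", r"kazaa lite\my shared folder",
    r"kazaa\my shared folder",
]
# Words that recur in the lure file names listed on the page (heuristic).
LURE_KEYWORDS = ("keygen", "crack", "hacker", "activator", "patch",
                 "brute", "exploit", "nuker", "keylogger")


def classify(filename):
    """'lure' for an executable whose name uses the lure vocabulary,
    'executable' for any other .exe, None for non-executables."""
    lower = filename.lower()
    if not lower.endswith(".exe"):
        return None
    return "lure" if any(word in lower for word in LURE_KEYWORDS) else "executable"


def sweep_shared_folders(program_files):
    """Walk each known P2P share under program_files and return
    [(path, classification)] for every executable found."""
    findings = []
    for rel in P2P_SHARED_FOLDERS:
        root = os.path.join(program_files, *rel.split("\\"))
        if not os.path.isdir(root):
            continue  # that client is not installed on this host
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                kind = classify(name)
                if kind:
                    findings.append((os.path.join(dirpath, name), kind))
    return findings


def build_sample_tree():
    """Create a constructed %ProgramFiles% tree for the demo: two lure names
    from the page, one ordinary executable name and one non-executable."""
    base = tempfile.mkdtemp(prefix="pf_")
    samples = {
        r"limewire\shared\Kaspersky AntiVirus 2010 crack.exe": b"MZ",
        r"emule\incoming\Half-Life 2 Downloader.exe": b"MZ",
        r"emule\incoming\holiday.mp3": b"ID3",
        r"kazaa\my shared folder\Windows Password Cracker + Elar3 key.exe": b"MZ",
    }
    for rel, content in samples.items():
        path = os.path.join(base, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for path, kind in sweep_shared_folders(build_sample_tree()):
        print(f"{kind:10} {path}")
```

On a real Windows host call `sweep_shared_folders(os.environ["ProgramFiles"])`; the sweep only lists candidates, and any hit should be hashed and compared against the vendor's detection rather than deleted on the strength of its name alone.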