Bogus Microsoft security warning leads to malware
Experts at SophosLabs, Sophos's global network of virus, spyware and spam analysis centers, have warned of a spammed email campaign which claims to be security advice from Microsoft, but actually tries to encourage users to install a keylogger onto their computers.
The spammed emails,
which purport to come from patch@microsoft.com, claim that a vulnerability has
been found "in the Microsoft WinLogon Service" and could "allow a hacker to gain
access to an unpatched computer".
Recipients are advised to click on a
link in the email to download the patch. However, the link really points to a
non-Microsoft website and initiates the download of the Troj/BeastPWS-C Trojan
horse, which is capable of spying on the infected user and stealing passwords.
From: Microsoft <patch@microsoft.com>
Subject: Microsoft Winlogon Service - Vulnerability Issue
Message:
Microsoft Coorporation
A new vulnerability has been discovered in the Microsoft WinLogon Service, that would allow an attacker to gain access to an unpatched computer.
Since your email is part of our private mail lista and you have successfully registrated your Microsoft Windows, you can download the patch to fix this vulnerability before others do.
Plese click the link below to download the patch and protect your computer against WinLogon attacks:
http://www.microsoft.com/patches-winlogon-critical/winlogon_patchV1.12.exe
You are free to share this with all your friends and relatives that are using Microsoft Windows Operating System.
Thank you
Microsoft Coorp.
When first installed the Trojan horse displays the following bogus message:
Microsoft WinLogon Service successfully patched.
but is secretly logging keystrokes and sending them to an email address belonging to the hacker.
"People are
slowly learning that Microsoft does not email out security fixes as attachments,
but they also need to learn to be careful of blindly clicking on links to download
fixes too without checking that the email is legitimate," said Graham Cluley,
senior technology consultant at Sophos. "In this case, the hackers made a mistake
by referring to 'Microsoft Coorp' rather than 'Microsoft Corp', but it's possible
that users would miss that typo in their rush to protect themselves."
"The
hackers are playing a dangerous game, because if Microsoft finds out who is responsible
for besmirching their name in this way they are likely to throw the full force
of the law at them," continued Cluley. "Security is becoming a hot topic for the
software giant, and they don't want malware and spam to sully the company's public
image through this kind of criminal activity."
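As an added illustration, not code from the Sophos report, here is a defender-side check that turns that advice into something a mail gateway or analyst could run: it compares each link's real destination with the claimed sender's domain, compares the link text shown to the user with where the link actually goes, and flags direct executable downloads. The two sample messages, the placeholder host patch-host.invalid and all function names are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# File types an unsolicited "patch" should never hand you directly.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _same_org(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))

def audit_patch_email(raw):
    """Return (code, detail) findings for a 'security fix' email: each link's real
    destination vs. the sender's domain, shown link text vs. real href, and
    links that download an executable."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    findings = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>',
                                 msg.get_payload(), re.I | re.S):
        real = _host(href)
        if not _same_org(real, sender_domain):
            findings.append(("external-link", f"{href} is outside {sender_domain}"))
        shown = text.strip()
        if shown.lower().startswith("http") and _host(shown) != real:
            findings.append(("display-mismatch", f"shows {_host(shown)}, goes to {real}"))
        if urlparse(href).path.lower().endswith(EXEC_SUFFIXES):
            findings.append(("executable-download", href))
    return findings
# Constructed sample modelled on the spam quoted above; the href host is a
# placeholder, not the address the real campaign used.
SPAM_SAMPLE = """\
From: Microsoft <patch@microsoft.com>
Subject: Microsoft Winlogon Service - Vulnerability Issue
Content-Type: text/html

<p>Plese click the link below to download the patch:</p>
<a href="http://patch-host.invalid/winlogon_patchV1.12.exe">http://www.microsoft.com/patches-winlogon-critical/winlogon_patchV1.12.exe</a>
"""
# Constructed control: link text and destination both stay on the sender's domain.
CLEAN_SAMPLE = """\
From: Microsoft <patch@microsoft.com>
Content-Type: text/html

<a href="http://www.microsoft.com/technet/security/">http://www.microsoft.com/technet/security/</a>
"""
```

Run `audit_patch_email(SPAM_SAMPLE)` to see all three findings fire on the lure and `audit_patch_email(CLEAN_SAMPLE)` to see the control pass clean.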
Source: www.sophos.com
Phishing at record levels in March
The monthly report for March by the Anti-Phishing Working Group shows that
phishing activity remains at very high levels. The number of attacks has for the
first time in history passed the 18,000 mark and reached an all-time high of 18,480
registered unique phishing reports. Overall the number of attacks so far this
year has not gone below 17,000, which in itself is higher than the number of attacks
in any given month in 2005.
The number of unique phishing websites found
by APWG has also risen to 9,666, but did not reach the record level of 9,715 phishing
clone sites set in January. An interesting fact here is that the number of unique
phishing sites has grown nearly two-fold from an average of 4,000 in 2005, but
the number of attacks has not risen as dramatically to about 17,000 from 14,000.
This might indicate that phishing sites are being closed down faster and phishers
do not get the opportunity to use their clone sites for long, thus needing more
and more sites to keep the number of attacks at the same level.
Another
interesting aspect of the March report is that the number of brands used by phishers
as their cover has decreased significantly, going from 105 in February to just
70. The financial sector remains the largest targeted industry group by far with
90% of the share. The USA also remains the largest single hoster for phishing
sites with 35% of sites based there. China consolidates its second spot ahead
of South Korea, but its share drops significantly from 18% in February to “just”
12%, while France drops out of the top 10 altogether.
Phishers also readily
pounced on the browser vulnerabilities that were reported in March. They exploited
the widely publicised “zero-day” vulnerability in Microsoft Internet Explorer
by luring users to infected sites that contained all sorts of malware ready for
surreptitious downloading. One of the more creative attacks involved sending victims
a link to a BBC look-alike page that contained an exploit for the then-unpatched
createTextRange vulnerability in Internet Explorer.
Another new type of
phishing attack was recently reported by security firm Cloudmark, which claims
that VoIP technology is now used by phishers. In this new type of attack scammers
send an email that contains a telephone number accessible via a VoIP service.
The victim is then connected to a line that sounds like their telephone banking
service and is prompted to verify personal details. So far Cloudmark has discovered
two attacks that use this scheme.
Source: http://www.viruslist.com
Sudoku game installs spyware on computers
04/04/06 - Several web pages, mainly with pornographic or illegal content, are downloading spyware programs onto the computers of visitors to the sites without their consent. These web pages are designed to exploit different software vulnerabilities in order to install malware automatically on systems.
One of these programs
is particularly dangerous due to its enticing bait: A sudoku puzzle. The application
in fact operates perfectly, allowing users to play the game. However, without
users knowing, every time the application is opened, it downloads YazzleSudoku,
a type of spyware, onto the computer.
Once YazzleSudoku is installed on
a computer, it creates several Windows registry entries in order to ensure it
remains active. Similarly, it generates a series of files that it needs to operate,
with names such as RL_SudokuInstaller.rar.lnk, or Yazzle Sudoku. Then, from time
to time, YazzleSudoku displays advertising messages on screen.
It is important
to note that when starting to play the game, users are warned that spyware will
be installed. If the user agrees, the spyware will be installed on the computer.
However, if users do not agree, they will not be able to use the sudoku program.
According to Luis Corrons, director of PandaLabs: "Spyware is, without
a doubt, one of the major threats to users. This type of malware clearly conforms
to the current objective of malware creators: earning money. Nevertheless, as
the effects of spyware are not particularly obvious and do not appear to be dangerous,
many users do not treat spyware with the respect it deserves. This however is
a mistake, as spyware does not just slow down systems and cause errors, it also
intrudes upon the privacy of users who should not consent to its installation."
Source:
http://www.pandasoftware.com
February Virus Top 10 from Panda Software
| Virus Name | Percentage |
|---|---|
| W32/Sdbot.ftp | 2.48 |
| W32/Netsky.P.worm | 1.28 |
| Exploit/Metafile | 1.24 |
| W32/Tearec.A.worm!CME-24 | 0.95 |
| W32/Sober.AH.worm!CME-681 | 0.85 |
| W32/Bagle.GS.worm!CME-328 | 0.84 |
| Trj/Qhost.gen | 0.67 |
| W32/Gaobot.gen.worm | 0.65 |
| W32/Alcan.A.worm | 0.61 |
| W32/Parite.B | 0.56 |
Obscene Kama Sutra worm spreads via email
Experts at SophosLabs, Sophos's global network of virus, spyware and spam
analysis centers, have warned users to be wary of unsolicited emails claiming
to contain obscene pictures and sex movies.
The W32/Nyxem-D worm (also
known as Email-Worm.Win32.VB.bi, Blackworm, or W32.Blackmal.E@mm) can spread via
email using a variety of pornographic disguises, in an attempt to disable security
software. If launched it tries to disable a number of anti-virus and firewall
products, and attempts to harvest other email addresses from the infected computer,
in an effort to spread itself further.
Subject lines used in the malicious emails include the following:
*Hot Movie*
Arab sex DSC-00465.jpg
Fuckin Kama Sutra pics
Fw: SeX.mpg
Fwd: Crazy illegal Sex!
give me a kiss
Miss Lebanon 2006
Part 1 of 6 Video clipe
School girl fantasies gone bad
The Best Videoclip Ever
"Companies should educate their users to practise
safe computing - that includes never opening unsolicited email attachments and
discouraging the sending and receiving of joke files, pornography and funny photographs
and screensavers," said Graham Cluley, senior technology consultant for Sophos.
"This worm feeds on people's willingness to receive salacious content on their
desktop computer, but they could be putting their entire company's data at risk."
The W32/Nyxem-D worm has a destructive payload, which triggers on the third day of any month, destroying DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files by replacing their contents with the string:
DATA Error [47 0F 94 93 F4 K5]
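An added triage script, not from the Sophos report, for the clean-up after that payload has fired: it walks a directory tree and lists files of the targeted types whose contents have been reduced to the quoted string, so an administrator knows exactly which files must be restored from backup. The marker and the extension list come from the text above; the fixture built by demo() is constructed for this example and the function names are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Marker the Nyxem-D payload writes over each victim file, as quoted above.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
# The file types the article lists as targets of the payload.
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}

def is_nyxem_damaged(path):
    """True when a targeted file's content is nothing but the marker.
    The size test runs first so intact multi-megabyte files are never read."""
    p = Path(path)
    if p.suffix.lower() not in TARGET_EXTS or not p.is_file():
        return False
    if p.stat().st_size > len(NYXEM_MARKER) + 4:   # tolerate a trailing newline/NUL
        return False
    return p.read_bytes().rstrip(b"\r\n\x00") == NYXEM_MARKER

def scan_tree(root):
    """Walk root and return the sorted paths of files the payload overwrote."""
    damaged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_nyxem_damaged(full):
                damaged.append(full)
    return sorted(damaged)

def demo():
    """Constructed fixture: two overwritten documents, one intact .doc, and a
    .txt holding the marker (not a targeted type, so it must not be reported).
    Returns the basenames scan_tree flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.doc").write_bytes(NYXEM_MARKER)
        (root / "intact.doc").write_bytes(b"real document content, untouched")
        (root / "notes.txt").write_bytes(NYXEM_MARKER)
        (root / "sub").mkdir()
        (root / "sub" / "budget.xls").write_bytes(NYXEM_MARKER + b"\n")
        return [os.path.basename(f) for f in scan_tree(root)]

if __name__ == "__main__":
    print("files overwritten by the Nyxem-D payload:", demo())
```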
Source: http://www.sophos.com