Top 10 malware reported to Sophos in December 2006

PWS-LDPinch.dr!4f8fa1f

PWS-LDPinch.dr!4f8fa1f is referred to as "PSW.Win32.LdPinch.aze" within the article. This is a password stealing trojan designed to send the local passwords to the trojan author.
Aliases
Infostealer.Ldpinch (Symantec)
Trojan-PSW.Win32.LdPinch.aze (Kaspersky)
TSPY_LDPINCH.KI (Trend Micro)

Characteristics
This is a password stealing trojan designed to send the local passwords to the trojan author.
The trojan is delivered with the following filename:
Windows Vista All Versions Activation 21.11.06.exe (839,830 bytes), detected as PWS-LDPinch.dr!4f8fa1f since DAT 4913

Upon execution, the following files are dropped:
%WINDIR%\csrss.exe (33760 bytes), detected as PWS-LDPinch!6e51bf02 since DAT 4913
C:\Documents and Settings\%USER%\Local Settings\Temp\smss.exe (33760 bytes), detected as PWS-LDPinch!6e51bf02 since DAT 4913
C:\Documents and Settings\%USER%\Local Settings\Temp\vista.exe (innocent file)
C:\Documents and Settings\%USER%\Local Settings\Temp\tokens.dat
C:\Documents and Settings\%USER%\Local Settings\Temp\pkeyconfig.xrm-ms
C:\Documents and Settings\%USER%\Local Settings\Temp\windows.vista.rtm.activation.crack-ind.txt

Note that the real csrss.exe and smss.exe live in %WINDIR%\system32; copies under %WINDIR% itself or a user's Temp folder are the dropper's files borrowing those names.

The following registry entry is added:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"system" = "%WINDIR%\csrss.exe"
The trojan attempts to gather the following information:
SMTP email address
POP3 server, username, password
IMAP server, username, password

It also gathers the passwords from the following applications.
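The dropped-file list above is a textbook case of process-name masquerading: csrss.exe and smss.exe are legitimate only in %WINDIR%\system32, so the same names in %WINDIR% or a Temp folder are a strong host-based indicator. The following is an added example, not code from the write-up, that expands the page's %WINDIR%/%USER% placeholders (with assumed values C:\WINDOWS and Alice) and flags any protected process name found outside system32; the file list is constructed from the entry above.

```python
"""Flag files that borrow core Windows process names outside their
legitimate directory, the pattern the PWS-LDPinch dropper uses
(csrss.exe in %WINDIR%, smss.exe in the user's Temp folder)."""
import ntpath

# Core Windows process names whose genuine binary lives only in
# %WINDIR%\system32 on the Windows XP/2003 systems this write-up concerns.
PROTECTED_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe"}

# Constructed from the page's dropped-file list; placeholders as on the page.
DROPPED_FILES = [
    r"%WINDIR%\csrss.exe",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\smss.exe",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\vista.exe",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\tokens.dat",
    r"C:\Documents and Settings\%USER%\Local Settings\Temp\pkeyconfig.xrm-ms",
]


def expand(path, windir=r"C:\WINDOWS", user="Alice"):
    """Expand the %WINDIR% and %USER% placeholders used in the write-up.
    The defaults are assumed values, not taken from the page."""
    return path.replace("%WINDIR%", windir).replace("%USER%", user)


def is_masquerade(path, windir=r"C:\WINDOWS", user="Alice"):
    """True when `path` carries a protected process name but its directory
    is not %WINDIR%\\system32 (comparison is case-insensitive, as NTFS is)."""
    full = expand(path, windir, user)
    name = ntpath.basename(full).lower()
    if name not in PROTECTED_NAMES:
        return False
    legit_dir = ntpath.join(windir, "system32").lower()
    return ntpath.dirname(full).lower() != legit_dir


def triage(paths, windir=r"C:\WINDOWS", user="Alice"):
    """Return the expanded paths from `paths` that masquerade as system processes."""
    return [expand(p, windir, user) for p in paths if is_masquerade(p, windir, user)]


if __name__ == "__main__":
    for hit in triage(DROPPED_FILES):
        print("masquerading system process name:", hit)
```

Run against a real file listing, the same check works on output of `dir /s /b` or an EDR file inventory; vista.exe and the data files pass because their names are not protected, while both 33760-byte droppers are reported.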

Exploit-MSWord.b

This is a Threat Notice for Exploit-MSWord.b.
Exploit-MSWord.b is an exploit for a new Microsoft Word zero-day
vulnerability that drops a password stealer detected as Generic PWS.j.
While this threat has been seen in the wild, reports are minimal, but
McAfee Avert Labs is releasing emergency dat files as a precaution.
Overview
This detection covers malformed Word Document files that attempt to exploit a new Microsoft Word vulnerability. When opened in Microsoft Word XP or 2003, such a file causes a buffer overflow that can lead to arbitrary code execution on the targeted system.

Characteristics
McAfee Host IPS customers are proactively protected from this threat with sig 3754.
McAfee Avert Labs is currently investigating this threat. The vendor for the affected software has been notified for a security patch. More information will be posted here when available.
More details of this vulnerability at:

PWS-JO

PWS-JO is referred to as "sp.exe" in the article at theregister.co.uk.
Malware authors are using Skype to help spread a pair of Trojan packages. The malware does not exploit flaws in Skype as such, as a computer worm might do, but spreads by tricking users into agreeing to run hostile code, which poses as a "cool program" from one of their contacts.
F-Secure reports that two different and separate malware samples are using Skype as an attack vector. One malware sample, called "sp.exe", attempts to link to a site called nsdf.no-ip.biz to download additional malware components. The other sample of malware, first detected at the beginning of October, attempts to download components from marx2.altervista.org.
The websites used to download secondary malware samples have both been pulled since the attack was detected earlier this week.

BackDoor-CWA.dr

BackDoor-CWA.dr is referred to as Hupigon within the article.
Chinese Hackers Launch New Office Attack
Popular Christmas PowerPoint slide show circulating by e-mail contains a security threat developed by paid-for-hire hackers.
A Microsoft (NSDQ: MSFT) PowerPoint presentation circulating via
e-mail is the latest example of a 2006 trend in which paid-for-hire
Chinese hackers target Western businesses with malicious Office
documents, a security researcher said Wednesday.
The newest threat, said Ken Dunham, director of VeriSign iDefense's
rapid response team, hides within an apparently innocent PowerPoint
slide show, "Christmas+Blessing-4.ppt," which is attached to an e-mail
message. The PowerPoint file, which circulated sans exploits last year
around Christmas, has been making the rounds since Sunday.
"The reality is that this is a very popular file," said Dunham, "and
poorly detected by most antivirus scanners." However, some security
companies, including F-Secure, have created signatures to sniff out the
threat.
More important is that Christmas+Blessing-4 shares characteristics with
the Office document-based attacks that began seven months ago. "This is
very similar to other Office attacks from May and June," Dunham said.
"It's a targeted attack, this time [against a company] in the public
utility sector."

W32/Dref-V

W32/Dref-V is a virus with mass-mailing capability for the Windows platform. Files infected by W32/Dref-V are detected by Sophos as W32/Dref-L.
W32/Dref-V spreads to other network computers and via email.
W32/Dref-V sends emails with the following characteristics:
From: <forged>
Subject line: "Happy New Year!"
Message text: <empty>
Attached file: postcard.exe
or
From: <forged>
Subject line: chosen from
"Annual Fun Forecast!"
"Baby New Year !"
"Best Wishes For A Happy New Year!"
"Fun 2007!"
"Fun Filled New Year!"
"Happiness And Continued Success!"
"Happiness and Success!"
"Happiness In Everything!"
"Happy 2007!"
"Happy Times And Happy Memories!"
"May Your Dreams Come True!"
"New Hopes And New Beginnings!"
"New Year..Happy Year!"
"Promises Of Happy Times!"
"Raising A Toast To Happy Times!"
"Scale Greater Heights!"
"Sparkling Happiness and Good Times!"
"Warm New Year Hug!"
"Warmest Wishes For New Year!"
"Welcome 2007!"
"Wishing Your Happiness!"
"Wishing You Happy New Year !"
"Wish You Smiles And Good Cheer!"
Message text: <empty>
Attached file: chosen from
Postcard.exe
postcard.ex
Greeting Card.exe
greeting card.exe
Greeting Postcard.exe
greeting postcard.exe
[Image: A typical email sent by the Dref-V worm.]
W32/Dref-V includes functionality to access the internet and communicate
with a remote server via HTTP.
When first run W32/Dref-V copies itself to <System>\alsys.exe and creates the following registry values (key, value name, data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Agent = <System>\alsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Agent = <System>\alsys.exe
W32/Dref-V sets the following registry value, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = 4
Note: a Start value of 4 marks a service as disabled; disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
W32/Dref-V may also attempt to drop a randomly named file into the
current folder and run it. This file is detected by Sophos as W32/Dref-V.
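The Dref-V entry gives two sets of indicators a defender can check mechanically: the mail characteristics (a subject from the fixed list, an empty body, one of six attachment names) and the registry state it leaves behind (the Agent autorun values and SharedAccess set to Start = 4). The following is an added example, not code from Sophos or the page, that matches both against constructed inputs; the mail records and the registry snapshot are invented for the demonstration, and <System> is assumed to expand to C:\WINDOWS\system32.

```python
"""Match e-mail metadata and a registry export against the W32/Dref-V
indicators given in the write-up."""
from dataclasses import dataclass

# Subject lines listed on the page, including the single-subject variant.
DREF_SUBJECTS = {
    "Happy New Year!", "Annual Fun Forecast!", "Baby New Year !",
    "Best Wishes For A Happy New Year!", "Fun 2007!", "Fun Filled New Year!",
    "Happiness And Continued Success!", "Happiness and Success!",
    "Happiness In Everything!", "Happy 2007!", "Happy Times And Happy Memories!",
    "May Your Dreams Come True!", "New Hopes And New Beginnings!",
    "New Year..Happy Year!", "Promises Of Happy Times!",
    "Raising A Toast To Happy Times!", "Scale Greater Heights!",
    "Sparkling Happiness and Good Times!", "Warm New Year Hug!",
    "Warmest Wishes For New Year!", "Welcome 2007!", "Wishing Your Happiness!",
    "Wishing You Happy New Year !", "Wish You Smiles And Good Cheer!",
}
# Attachment names from the page, lower-cased so Postcard.exe/postcard.exe both match.
DREF_ATTACHMENTS = {"postcard.exe", "postcard.ex", "greeting card.exe", "greeting postcard.exe"}

# Registry values the worm writes: (key, value name) -> data.
DREF_REGISTRY = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Agent"): r"<System>\alsys.exe",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Agent"): r"<System>\alsys.exe",
    # Start = 4 is SERVICE_DISABLED; SharedAccess hosts the Internet Connection Firewall.
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): "4",
}


@dataclass
class Mail:
    subject: str
    body: str
    attachment: str  # file name of the single attachment, "" if none


def matches_dref_v(mail):
    """True when all three mail characteristics from the write-up are present."""
    return (mail.subject in DREF_SUBJECTS
            and mail.body.strip() == ""
            and mail.attachment.lower() in DREF_ATTACHMENTS)


def registry_findings(snapshot, system_dir=r"C:\WINDOWS\system32"):
    """snapshot: dict of (key, value name) -> data from a host's registry export.
    Returns a line for each Dref-V value that is present with the expected data."""
    findings = []
    for (key, name), expected in DREF_REGISTRY.items():
        expected = expected.replace("<System>", system_dir)
        actual = snapshot.get((key, name))
        if actual is not None and actual.lower() == expected.lower():
            findings.append(f"{key}\\{name} = {actual}")
    return findings


# Constructed sample data for the demonstration.
SAMPLE_MAILS = [
    Mail("Fun 2007!", "", "Greeting Card.exe"),
    Mail("Fun 2007!", "Hi Bob, here is the deck we discussed.", "slides.ppt"),
    Mail("Happy New Year!", "", "photo.jpg"),
]
SAMPLE_SNAPSHOT = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Agent"): r"C:\WINDOWS\system32\alsys.exe",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Agent"): r"C:\WINDOWS\system32\alsys.exe",
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): "4",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for m in SAMPLE_MAILS:
        print("DREF-V" if matches_dref_v(m) else "clean ", m.subject, m.attachment)
    for line in registry_findings(SAMPLE_SNAPSHOT):
        print("registry indicator:", line)
```

Requiring all three mail characteristics keeps the filter from quarantining every genuine "Happy New Year!" greeting; only the combination of a listed subject, an empty body and an executable attachment from the list is flagged. The SharedAccess finding is worth alerting on by itself, since a disabled ICF service on a workstation is rarely an administrator's choice.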