Top 10 malware reported to Sophos in February 2006
OSX/Inqtana.a
Bluetooth worm targets Mac OS X
Just a day after experts warned of what is believed to be the first
Trojan in the wild to target Apple Computer's Mac OS X, alerts are being
published on a new worm that exploits an 8-month-old vulnerability in
the operating system.
The new Inqtana worm spreads through a security flaw in Apple's
Bluetooth software, antivirus vendors Symantec and F-Secure said on
Friday. Apple provided a fix for the flaw last June with security update
2005-006.
The worm attempts to use Bluetooth to propagate. Once it infects a
computer it searches for other Bluetooth-enabled devices and sends
itself to those it finds, Symantec said.
Inqtana is a "proof-of-concept" worm, according to Symantec and
F-Secure, meaning it's an example of attack code, but itself likely
won't affect many users, if any at all. Inqtana is not believed to have
actually attacked Mac users. Furthermore, it uses a Bluetooth component
that is locked to a specific address and expires next week, according to
F-Secure.
J2ME/RedBrowser.a
Aliases: Trojan-SMS.J2ME.RedBrowser.a (Kaspersky)
Characteristics
-- Update Feb. 27, 2006 --
The risk assessment of this threat has been updated to Low-Profiled as
it represents a new Proof of Concept (POC) for premium-rate SMS fraud on
a variety of mobile platforms.
--
J2ME/RedBrowser.a is a Trojan horse program that pretends to retrieve WAP
web pages via SMS messages. In reality, instead of retrieving WAP pages,
it sends SMS messages to premium-rate numbers, costing the user more
than intended.
Symptoms
J2ME/RedBrowser.a arrives in a JAR file named "redbrowser.jar".
Upon startup the following text (translated from Russian) is displayed:
"Carefully read the following description of the RedBrowser program. This
program allows viewing WAP pages without a GPRS connection.
RedBrowser connects to the SMS server of your operator (MTS, BEELINE,
MEGAFON).
The page is loaded by receiving encoded SMS. The first 5 MB (650 SMS) of
traffic are provided free of charge in test mode. ATTENTION!!! The
RedBrowser program works ONLY on the above-mentioned cellular operators."
W32/Bagle-CH
W32/Bagle-CH is a mass-mailing worm for the Windows platform.
W32/Bagle-CH will attempt to harvest email addresses from the infected
computer and then mail itself to those addresses as an attachment.
Messages sent by the worm have the following characteristics:
Sender: an address harvested from the infected computer
Subject: price
Message text: February Price
Attachment name: chosen at random from
price.zip
pricelst.zip
pricelist.zip
price_lst.zip
new_price.zip
February_price.zip
21_price.zip
The worm will also attempt to modify the Windows HOSTS file and terminate
various anti-virus and security related processes.
Recovery
This section tells you how to remove the threat.
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the
changes that the worm has made.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry
entry for each user who ran the virus. The removal of this entry is optional
in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The
registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry'
menu, click 'Export Registry File'. In the 'Export Range' panel, click
'All', then save your registry as Backup.
Each user has a registry area named HKEY_USERS\[code number indicating
user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
sysformat
<System>\sysformat.exe
and delete it if it exists.
Close the registry editor.
Advanced
This section is for technical experts who want to know more.
The zip attachment contains two files:
<random1>.exe : the W32/Bagle-CH executable
<random2> (no extension) : a text file containing random lowercase
characters
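An added example (not Sophos's code and not from the original page) that turns the message characteristics and the two-file zip layout described above into a mail-gateway triage check. The message dict shape, the in-memory sample archive and the "layout plus two mail indicators" threshold are assumptions made for the example.

```python
import io
import zipfile

# Message and attachment indicators taken from the W32/Bagle-CH description.
BAGLE_CH_SUBJECT = "price"
BAGLE_CH_BODY = "february price"
BAGLE_CH_ATTACHMENTS = {
    "price.zip", "pricelst.zip", "pricelist.zip", "price_lst.zip",
    "new_price.zip", "february_price.zip", "21_price.zip",
}


def zip_matches_bagle_ch(zip_bytes):
    """True when the archive holds exactly two members, one .exe and one
    file with no extension (the <random1>.exe / <random2> pair)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = [n.rsplit("/", 1)[-1] for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    exes = [n for n in names if n.lower().endswith(".exe")]
    bare = [n for n in names if "." not in n]
    return len(names) == 2 and len(exes) == 1 and len(bare) == 1


def score_message(msg):
    """Return the indicator names one message matches. msg is an assumed
    plain dict: subject, body, attachment_name, attachment (bytes)."""
    hits = []
    if msg.get("subject", "").strip().lower() == BAGLE_CH_SUBJECT:
        hits.append("subject")
    if msg.get("body", "").strip().lower() == BAGLE_CH_BODY:
        hits.append("body")
    if msg.get("attachment_name", "").lower() in BAGLE_CH_ATTACHMENTS:
        hits.append("attachment_name")
    if zip_matches_bagle_ch(msg.get("attachment", b"")):
        hits.append("zip_layout")
    return hits


def is_bagle_ch(msg):
    """Flag only when the archive layout agrees with at least two of the
    mail characteristics, so a genuine price.zip holding a PDF passes."""
    hits = score_message(msg)
    return "zip_layout" in hits and len(hits) >= 3


def build_sample_zip(members):
    # Build an in-memory zip for testing (constructed data, not malware).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```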
W32/Bagle-CH will attempt to copy itself to folders whose name contains the
word 'shar' using the following filenames:
1.exe
2.exe
3.exe
4.exe
5.scr
6.exe
7.exe
8.exe
9.exe
10.exe
Ahead Nero 7.exe
Windown Longhorn Beta Leak.exe
Opera 8 New!.exe
XXX hardcore images.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Adobe Photoshop 9 full.exe
Matrix 3 Revolution English Subtitles.exe
ACDSee 9.exe
The worm will not function after the 30th of April, 2007.
When first run W32/Bagle-CH copies itself to <System>\sysformat.exe.
The following registry entry is created to run sysformat.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sysformat
<System>\sysformat.exe
W32/Bagle-CH sets the following registry value, disabling the automatic
startup of the service:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).
Registry entries are created under:
HKCU\Software\Microsoft\Params\
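An added example (not the page's or Sophos's own code) that checks a registry export, such as the backup the Recovery section has you make with 'Export Registry File', for the Run entry, the SharedAccess Start value and the Params key described above. It assumes the .reg text uses only the simple [Key] / "name"=value syntax shown; the sample export is constructed.

```python
# Registry indicators taken from the W32/Bagle-CH description; keys are
# compared case-insensitively, so every constant is lower-case.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
PARAMS_KEY = r"hkey_current_user\software\microsoft\params"
SHARED_ACCESS = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
USER_HIVES = ("hkey_current_user\\", "hkey_users\\")


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [Key] headers followed
    by "name"=value lines. Keys and names are lower-cased, values kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = value
    return keys


def bagle_ch_registry_indicators(reg_text):
    """Return the Bagle-CH indicators present in a .reg export."""
    keys = parse_reg_export(reg_text)
    found = []
    for key, values in keys.items():
        # Run\sysformat under HKCU or any HKEY_USERS\<code number> profile.
        if key.startswith(USER_HIVES) and key.endswith(RUN_KEY):
            if "sysformat.exe" in values.get("sysformat", "").lower():
                found.append("run:sysformat@" + key)
        if key == PARAMS_KEY:
            found.append("params-key")
    start = keys.get(SHARED_ACCESS, {}).get("start", "").lower()
    if start == "dword:00000004":
        found.append("sharedaccess-disabled")
    return found


# Constructed sample export (not a real capture) for an infected profile.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"sysformat"="C:\\WINDOWS\\system32\\sysformat.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Params]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""
```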