Top 10 malware reported to Sophos in November 2006
W32/HLLP.Philis.bq was first discovered on 11/17/2006.
Overview
W32/HLLP.Philis.bq is a file-infecting virus. It searches for executable
files on the infected machine and prepends its viral code to them. It
also drops a .DLL file, which downloads a password-stealing trojan from
a website.
Aliases: PE_LOOKED.LF-O (Trend), W32.Looked.O (Symantec), Win32/Looked.BZ (CA)
Characteristics
-- Update November 17, 2006 --
The 4899 DAT files are being released early because there is concern
that this threat will spread globally. The web site hosting the malware
downloaded by this threat also contains Exploit-MS06-014, which
automatically downloads and installs this virus on vulnerable systems.
--
On execution, this variant copies itself into the %WinDir%\Uninstall
folder as rundl132.exe and adds a load registry entry to activate itself
on reboot. It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\auto: "1"
It drops a .DLL file named RichDll.dll (detected as W32/HLLP.Philis.dll
since the 4896 DATs) in %WinDir%. It then injects this DLL into the
processes Explorer.exe and IExplore.exe. This DLL is responsible for
downloading the PWS-Lineage password-stealing trojan from the following
location:
guajfskajiw.43242.com/[hidden]/a1.exe
W32/HLLP.Philis.bq searches for executable files and prepends its viral
code to the target files.
The virus creates a file named "_desktop.ini" in every folder it visits
while looking for executable files to infect. The file is created as a
hidden system file and contains the date on which the virus was executed
and visited the folder in which the file resides. The date is written in
yyyy/mm/dd format.
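As an added defender-side example (not from the original page or any vendor), a small Python sweep that walks a directory tree and flags the two artifacts described above: `_desktop.ini` marker files whose content is a yyyy/mm/dd date, and files named rundl132.exe or RichDll.dll. Function names and the sample tree are constructed for this example; on Windows the marker entries also record whether the file carries the hidden and system attributes (None elsewhere, where that metadata is unavailable).

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: marker file name, the yyyy/mm/dd date it
# holds, and the dropped file names. Everything else here is constructed.
MARKER_NAME = "_desktop.ini"
DATE_RE = re.compile(r"^\s*\d{4}/\d{2}/\d{2}\s*$")
DROPPED_NAMES = {"rundl132.exe", "richdll.dll"}
HIDDEN, SYSTEM = 0x2, 0x4  # Windows FILE_ATTRIBUTE_HIDDEN / FILE_ATTRIBUTE_SYSTEM

def is_hidden_system(path):
    """True/False on Windows; None elsewhere, where st_file_attributes is absent."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return attrs & (HIDDEN | SYSTEM) == (HIDDEN | SYSTEM)

def scan_tree(root):
    """Walk root and collect suspected marker files and dropped files."""
    findings = {"markers": [], "dropped": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lowered = name.lower()
            if lowered in DROPPED_NAMES:
                findings["dropped"].append(str(path))
            elif lowered == MARKER_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue  # unreadable file: skip it rather than abort the sweep
                if DATE_RE.match(text):
                    findings["markers"].append((str(path), is_hidden_system(path)))
    return findings

def build_sample_tree():
    """Constructed layout for a dry run; the file contents are placeholders."""
    root = tempfile.mkdtemp(prefix="philis_demo_")
    infected = Path(root) / "infected" / "sub"
    clean = Path(root) / "clean"
    infected.mkdir(parents=True)
    clean.mkdir()
    (infected / MARKER_NAME).write_text("2006/11/17\n")
    (infected / "RichDll.dll").write_bytes(b"MZ placeholder, not a real binary")
    (clean / MARKER_NAME).write_text("[.ShellClassInfo]\nIconFile=x.ico\n")  # benign, must not match
    return root
```

Run `scan_tree(build_sample_tree())` to see one marker and one dropped file reported from the `infected` branch and nothing from `clean`.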
W32/Nuwar@MM is referred to as the "Dref-N worm" in the article
"Nuclear war worm fails to explode":
VXers have created an email-aware worm that offers outrageous, and
bogus, news stories about the supposed outbreak of nuclear war and
the fictional deaths of either George W Bush or Vladimir Putin as bait.
The Dref-N worm, whose payload comes in emails with subject lines such
as 'White house news!', 'Incredible news' and 'ATTN TO EVERYBODY!',
tries to dupe recipients by claiming that the attachment contains
details of a major global news story. Opening the attached file disables
the Windows firewall, infecting Windows PCs with code that allows
hackers to steal sensitive information. Infected PCs churn out copies of
the worm, which are sent to contacts harvested from compromised PCs.
Slobodan Trojan poses as murder pics (Dropper-FB)
Emails purporting to prove that the recently deceased former Yugoslav
president Slobodan Milosevic was killed contain a malicious Trojan,
called Dropper-FB. Milosevic, whose trial on charges of genocide was
nearing its conclusion, was found dead in his cell in the Netherlands on
Saturday.
Prospective marks are invited to open emails with the subject line
"Slobodan Milosevic was killed" and open a file which claims to offer an
"image" purporting to prove the war crimes suspect was done in. If this
attached file (actually a 16.5KB executable, compressed in the UPX
format) is opened, a Trojan is downloaded onto Windows PCs. Online
security firm BlackSpider estimates that more than 800,000 emails
containing the new Trojan-downloader were sent to UK businesses before
the first anti-virus software firm updated their software early this
morning.
W32/Stratio-Zip is a family of zip files containing worms in the Stration
family. Please follow the instructions for removing worms.