Top 10 malware reported to Sophos in April 2007
W32/Fujacks.aa
W32/Fujacks.aa was first discovered on March 31, 2007.
W32/Fujacks.aa is a copied variant of the W32/Fujacks worm that infects PE and possibly HTML files with malicious hyperlinks pointing at the Windows ANI 0-day exploit, and spreads over floppy drives and possibly other removable devices. It also downloads additional malware onto the infected machine.
Aliases
Trojan-Downloader.Win32.Agent.bky (Kaspersky)
Characteristics
--- Update April 1, 2007 ---
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.itnewsonline.com/showstory.php?storyid=9182&scatid=6&contid=3
W32/Fujacks.aa is a copied variant of the W32/Fujacks worm that infects PE and possibly HTM files with malicious hyperlinks pointing at the Windows ANI File Format Handling 0-day exploit, and spreads over floppy drives and possibly other removable devices. It also downloads additional malware onto the infected machine.
These malicious hyperlinks may be appended as JavaScript pointing to the following site(s), which host the 0-day exploit:
hxxp://{hidden}.microfsot.com/{hidden}.js
More information on the Windows ANI 0-day vulnerability is available at:
http://vil.nai.com/vil/content/v_vul28505.htm
This exploit is already proactively detected as Exploit-ANIFile.c using the current DATs.
Upon execution, the worm spawns notepad.exe and injects a malicious thread into that process. It also installs itself into %Windir%\System32 (where %Windir% is the Windows folder, e.g. C:\Windows).
The worm then contacts hxxp://{hidden}.2007ip.com/{hidden}.css to download a list of files that it can download. At the time of writing, these files were found to be PWS-LegMir, PWS-Lineage and new variants of W32/Fujacks.aa.
Instead of the usual W32/Fujacks strings used in earlier variants, the virus body of each variant contains one or more of these silly messages:
"I Hate AVP!!"
"Well, Boss will come in !!"
"I will by one BMW this year!"
The W32/Fujacks.aa thread in notepad.exe then prepends itself to Win32 PE files. It may also create a copy of itself as A:\tools.exe, together with A:\autorun.inf, to autostart itself.
It creates the following registry key(s) to start itself at boot time:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"System Boot Check"="%Windir%\system32\(unknown).exe"
Exploit-TaroDrop.b
Exploit-TaroDrop.b was first discovered on April 6, 2007.
Exploit-TaroDrop.b is referred to as a "Zero-day attack" in the article at itpro.nikkeibp.co.jp.
Overview
-- Update: April 11, 2007 --
JustSystems has released a patch for the vulnerability, see:
http://www.justsystem.co.jp/info/pd7002.html (in Japanese)
This detection covers malformed JustSystems Ichitaro document files that attempt to exploit a 0-day vulnerability discovered in April 2007. When such a file is opened in Ichitaro, it causes a buffer overflow that can lead to arbitrary code execution on the targeted system.
This malware was previously detected as the Exploit-TaroDrop trojan.
Characteristics
-- Update April 9, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://itpro.nikkeibp.co.jp/article/NEWS/20070409/267749/
This is a generic detection that covers files attempting to exploit a 0-day vulnerability in JustSystems Ichitaro discovered in April 2007. Ichitaro is a Japanese word processing application provided by JustSystems. Exploit code with a malicious payload has been found in use in the wild.
Upon launching the document, it exploits a 0-day vulnerability in Ichitaro and executes an embedded executable.
The following file is installed when the document is opened:
%Windir%\system32\hkdown.exe
The file is detected as the BackDoor-DKI.dldr trojan with DAT 5003.
Symptoms
Unexpected execution of files upon opening a JTD file.
W32/Dref-AF
This section is for technical experts who want to know more.
W32/Dref-AF is an email worm for the Windows platform.
W32/Dref-AF harvests email addresses from the infected computer and attempts to send itself to them, though due to a bug in the code it will usually send a file detected as W32/Dref-Dam instead.
W32/Dref-AF tries to send itself in an email from <random name>@yahoo.com
with the following characteristics:
Subject line (one of the following):
Iran Just Have Started World War III
USA Just Have Started World War III
Israel Just Have Started World War III
Missle Strike: The USA kills more then 10000 Iranian citizens
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 20000 Iranian citizens
USA Missle Strike: Iran War just have started
USA Declares War on Iran
Attachment filename (one of the following):
Video.exe
News.exe
Movie.exe
Read Me.exe
Click Me.exe
Click Here.exe
Read More.exe
More.exe
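The subject lines and attachment names above are the kind of indicators a mail gateway can match on. The following is an added example, not Sophos code: it parses a raw RFC 822 message with Python's standard `email` package and flags the W32/Dref-AF lure by subject, forged yahoo.com sender and executable attachment. Both messages are constructed here, and the code goes slightly beyond the text by quarantining any `.exe` attachment regardless of name, which also catches the W32/Dref-Dam copies the buggy worm usually sends.

```python
"""Flag mail carrying the W32/Dref-AF lure described on this page.
Added example, not Sophos code; the messages below are constructed."""
import email
from email import policy

# Lure subjects and attachment names quoted on the page, verbatim
# (including the worm's own misspellings, which are part of the indicator).
DREF_SUBJECTS = {
    "Iran Just Have Started World War III",
    "USA Just Have Started World War III",
    "Israel Just Have Started World War III",
    "Missle Strike: The USA kills more then 10000 Iranian citizens",
    "Missle Strike: The USA kills more then 1000 Iranian citizens",
    "Missle Strike: The USA kills more then 20000 Iranian citizens",
    "USA Missle Strike: Iran War just have started",
    "USA Declares War on Iran",
}
DREF_ATTACHMENTS = {
    "Video.exe", "News.exe", "Movie.exe", "Read Me.exe",
    "Click Me.exe", "Click Here.exe", "Read More.exe", "More.exe",
}

# Constructed worm-style message: forged yahoo.com sender, lure subject,
# executable attachment (attachment body is just "AAAA" in base64).
SAMPLE_WORM_MAIL = """From: jx8k2q@yahoo.com
To: someone@example.invalid
Subject: USA Declares War on Iran
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="Video.exe"
Content-Disposition: attachment; filename="Video.exe"
Content-Transfer-Encoding: base64

QUFBQQ==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN_MAIL = """From: colleague@example.invalid
To: someone@example.invalid
Subject: Lunch tomorrow?
Content-Type: text/plain

Noon at the usual place?
"""


def classify_message(raw):
    """Return {'quarantine': bool, 'reasons': [...]} for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    sender = str(msg["From"] or "").lower()
    if subject in DREF_SUBJECTS:
        reasons.append("subject matches a W32/Dref-AF lure")
    if "@yahoo.com" in sender:
        # The worm forges <random name>@yahoo.com; a weak signal on its own.
        reasons.append("sender forged as yahoo.com")
    exe_names = []
    for part in msg.iter_attachments():  # skips the text body parts
        name = part.get_filename() or ""
        if name.lower().endswith(".exe"):
            exe_names.append(name)
            if name in DREF_ATTACHMENTS:
                reasons.append(f"attachment {name!r} matches a W32/Dref-AF lure")
    # Generalisation beyond the page: any executable attachment is enough.
    if exe_names and not any(r.startswith("attachment") for r in reasons):
        reasons.append("executable attachment: " + ", ".join(exe_names))
    quarantine = bool(exe_names) or (
        subject in DREF_SUBJECTS and "@yahoo.com" in sender
    )
    return {"quarantine": quarantine, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, classify_message(raw))
```

The subject and name sets are exact matches on purpose: the worm picks from fixed lists, so an exact match is a high-confidence signal, while the `.exe` rule is the broader safety net.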
W32/Dref-AF attempts to drop a file with an EXE extension and a random 7-letter filename into the same folder as itself. This file is already detected as W32/Dref-AB.
W32/Dref-AF deletes the following registry entry to stop the file it references from running on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Agent
W32/Dref-AF sets the following registry entry, disabling the automatic startup of the SharedAccess service:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
W32/Dref-AF terminates certain processes and windows related to security and anti-virus applications, including windows named "Registry Editor".
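Two of the registry changes on this page, the Fujacks.aa "System Boot Check" Run value and the Dref-AF SharedAccess Start=4 change that switches off ICF, can be checked offline against a `reg export` of a suspect machine. The following is an added example, not vendor code: a small parser for the .reg text format plus a check for those two artifacts. The export below is constructed, and the Fujacks file name is a placeholder because the page gives it only as "(unknown).exe".

```python
"""Check a Windows registry export (.reg text) for the persistence and
firewall-tampering artifacts described on this page.
Added example, not vendor code; the export below is constructed."""
import re

# Constructed sample in the format `reg export` writes. PLACEHOLDER.exe stands
# in for the file name the page lists only as "(unknown).exe".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System Boot Check"="C:\\Windows\\system32\\PLACEHOLDER.exe"
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"Type"=dword:00000020
'''

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
SHAREDACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
SERVICE_DISABLED = 4  # Start=4 means the service is never started

_VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, value)}}.
    Handles REG_SZ ("...") and REG_DWORD (dword:hex); other types stay raw."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[len("dword:"):], 16))
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            # .reg doubles backslashes inside REG_SZ values; undo that here
            keys[current][name] = ("REG_SZ", raw[1:-1].replace("\\\\", "\\"))
        else:
            keys[current][name] = ("RAW", raw)
    return keys


def find_indicators(reg):
    """Return (indicator, detail) pairs for the artifacts the page describes."""
    findings = []
    for key, values in reg.items():
        if key.lower() in RUN_KEYS:
            for name, (_, val) in values.items():
                # W32/Fujacks.aa registers its system32 copy under this value name
                if name == "System Boot Check":
                    findings.append(("fujacks_run_value", f"{name} -> {val}"))
    shared = {k.lower(): v for k, v in reg.items()}.get(SHAREDACCESS_KEY)
    if shared and shared.get("Start") == ("REG_DWORD", SERVICE_DISABLED):
        # W32/Dref-AF sets Start=4 here, which stops the ICF firewall loading
        findings.append(("sharedaccess_disabled", "SharedAccess Start=4, ICF will not run"))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"{indicator}: {detail}")
```

The Dref-AF deletion of the `Agent` Run value cannot be seen in an export of the infected state, since the value is simply gone; comparing against a known-good export of the same host is the way to catch that one.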