Internet Security News

Malicious PDF files being spammed out in volume. The files have "report" themed subjects and CVE-2007-5020 exploit that they use to download further components from the net.

Zhelatin.CQ email worm started spreading late on April 8th, 2007. The worm spreads in e-mails with war-related subjects and several different attachment names.

Internet Security News says an internet worm using the new zero-day ANI exploit has been found. It modifies HTML pages to contain a link to a malicious ANI file. It also tries to spread via USB sticks and Chinese-language emails.

New Trojan has been spammed widely, using a real storm in Europe as a decoy message. The emails have a variable subject, including "230 dead as storm batters Europe". Attachment names include "Full Story.exe" or "Video.exe".

Internet Security News says a Malware known as Tibs.jy or Luder.A is spamming out massive amounts of malicious New Year greetings cards. They come with variable texts and attachment names, but are always themed around New Year.

My Radar has detected intrusion attempt from remote address 220.249.91.114. The intrusion came from China, Hubei region, Hong Shan district, Wuhan city, Luoyu Road. The intrusion has happened twice and blocked.

Internet Security News says a large new batch of Warezov email worm variants has been spammed during the early hours of Monday. They download additional components from a malicious website called ertinmdesachlion.

Security Alerts disclose a new variant of the Warezov email worm that has spammed out lately and say it includes different updates from within different packer. This new version, known as Warezov.AT, updates itself via web. Every update looks different as they are packed with a variable packer.

Internet Security News says a new backdoor called rootkit-hidden backdoor has been spammed heavily over the last hours. The backdoor, detected as Haxdoor.KI. It has sent out in German and Swedish messages as Rechnung.zip and Rakningen.zip.

First bot to exploit the MS06-040 vulnerability in Windows has been found. The vulnerability was patched only five days ago. The bot, known as Mocbot, creates a botnet of the infected computers.

Internet Security News says new Breplibot variant has been mass spammed to thousands of email addresses today. It was spoofed to look like it was coming from f-secure email address, including two email addresses to f-secure.com.

Nyxem.E is becoming more widespread. This is a destructive mass-mailing worm that also spreads using shares. In addition to this medium, it tries to disable security software. It may overwrite user files on certain dates.

Internet Security News says some new vulnerability was found from many versions of Windows starting from 27 December 2005. This vulnerability allows an attacker to execute code on the user's system via a specially crafted WMF image file. Microsoft issued a patch for this vulnerability on 5 January 2006. Although F-Secure Anti-Virus detects known versions of exploit files, it recommends all users to update their systems via http://update.microsoft.com

F-Secure issued a Level 2 alert on the serious WMF vulnerability. However, so far no viruses or worms using it have been found. FSAV detects malicious WMF files as PFV-exploit or Exploit.Win32.IMG-WMF.

F-Secure has raised the Sober.Y worm to a Level 1 Alert after an increased amount of submissions. As technologies involve risks sometimes, folk should be careful. This new Sober variant, spreads in German and English emails, and it is becoming the years largest email worm outbreak.

Internet Security News says in addition to the new Sober variant (Sober.Y) that has spammed widely in German or English emails, the Sober variant might look like a serious warning from FBI, CIA or the German Bundeskriminalamt. The emails spammed carried attachment as ZIP files.

Internet Security News says Sober variants have attachment recognized as registration.zip, reg_text.zip, pword_change.zip, screen_photo.zip, Privat-Foto.zip or excel_table.zip. Some messages claim that someone else has been receiving your emails in error.

Internet Security News says new Bagle.BI variant has been spammed out in significant numbers. The infected emails always contain as described by the news alerts, a 35kB file called "text.exe" inside an archive with names like newprice.zip, price_09.zip or price2.zip.

Internet Security News says F-Secure has been receiving an increasing amount of infection reports worldwide of a new Zotob network worm variant using filename WINTBP.EXE and spreading via the week-old PnP MS05-039 vulnerability.

Zotob worm uses a five-day old MS05-39 Plug-an-Play vulnerability. The worm targets unpatched machines by scanning port 445 and downloading the virus file via ftp.

I have witnessed a Malware attack on my PC. The attack came with the following tracking information:

Description: Inbound Malware probe
Services: Malware - MyDoom in
Remote address: 66.173.254.173
Remote port: 3884
DNS name: www.clondalkin-group.com
The IP Address is located in US, Pennsylvania region, Philadelphia. ISP Clondalkin Group

See more IP Address that used to send Malware attacks to my system at this link, so you can copy sources and paste them into your protection system to block them.

A series of at least seven new Bagle variants have been distributed lately. Bagle.cf and Bagle.ch are the most common of them. They mail ZIP/RAR attachments with names related to Taxation.

New downloader resembling the Bagle email worm is reported globally. This Trojan has been spammed widely as "doc_01.exe". When it runs, it disables antivirus programs and attempts to download more Malware.

Internet Security News says at least three variants of a new mass mailer/network worm combo are on the loose. This virus, known as Lebreat, claims to be "Breatle Antivirus v1.0". It sends variable messages with EXE/SCR/BAT/CPL/PIF attachments.

Internet Security detected an intrusion attempt with the following details attacking my system:

Description: Intrusion attempt detected: Nmap TCP scan
Direction: Inbound
Protocol: tcp
Services: TCP High ports in
Remote address: 202.194.159.98
Remote port: http(80)

However, the Security shield has blocked that intrusion at time and recorded details about the intrusive IP.

Internet Security News says Mydoom spreads with increased number of infections. It collects email addresses using Google and other search engines and installs a spam proxy to infected computers. Mydoom new variant sends variable emails with EXE / SCR / PIF / ZIP attachments. Some mails contain sexually explicit images and claim that the attachment contains passwords for adult websites.

Internet Security News says tracking systems has reported a new Bagle.AY that spreads from several different countries in Europe and Asia. It spreads in variable emails with different icons and via P2P networks. The worm contains a backdoor that listens on TCP port 81.

Internet Security News says the Net worm "Sanity" is spreading. This worm infects only web servers. It infects online discussion forums running phpBB software and defaces them with a text mentioning "NeverEverNoSanity". Be careful.

Trojan has Downloader that beings active operation lately through Google Toolbar's path. Google should be the first to take action and close this door.

My Virus and Spy Protection has detected Trojan-Downloader.Win32.Agent.aaza virus in my computer.
Name: Trojan-Downloader.Win32.Agent
Type: Trojan
File: located and deleted.
Path: googletoolbarinstaller.exe

The hacker tries to use a standalone program to hidE downloads and run other files from remote web and ftp sites. When a Trojan-Downloader runs, it installs itself, roots it to the system in a Rootkit, and waits until an Internet connection becomes available. After that, it attempts to connect to a web or ftp site, download a specific file or files and run them.

In some anti-viruses the disinfect operations could fail to disinfect the computer because the Trojan-Downloader has the ability to rename itself.

It is important to know that Trojan Downloader Comes with Different Names!

Another kind of Trojan-Downloader is the Trojan-Downloader.Java.OpenStream.ac (virus).
Using strong antivirus protection is enough to disinfect your computer. However, when disinfection is not possible, you can manage that manually. To disinfect standalone Malware (backdoors, worms, Trojans, etc.) manually, it is usually enough to delete all infected files from a computer and to restart it.

You can do that by tracking the root and the destination of the virus (where it resides). You can for example rename the file and delete it. However, manual disinfection is a risky process, so ignore this advice if you are not advanced user and request help from your antivirus provider.

I have found the following process at one of the Internet Security providers useful:

If Windows 95, 98 and ME operating system is used, it is recommended to restart a computer from a bootable system diskette and to delete an infected file from command prompt. For example, if a malicious file named ABC.EXE is located in Windows folder, it is usually enough to type the following command at command prompt: DEL C:\WINDOWS\ABC.EXE and to press Enter. After that, an infected file will be gone.

If Windows NT, 2000 or XP is used, a malicious file has to be renamed with a different extension (for example .VIR) and then a system has to be restarted. After restarting, the renamed malicious file will no longer be active and it can be easily to delete manually.

As we know Malware Mydoom-in, Malware - Dabber in, Malware NetBus in and Malware Server Sasser-in, there is now a Malware called Kuang2.in. It seems that developers of those Malware and viruses need strong fists to break their noses. Sorry, we need to be tough sometimes with rude people only.

As I know Greeks are very peaceful people, I am surprised by having the late Malware - Kuang2.in coming from there two times to attack two computers at the same time. I moved from this computer to the second to track and see the same blocked traffic with the following information, thanks to my Internet guard:

Description: Inbound Malware prope
Direction: Inbound
Protocol: tcp
Services: Malware - Kuang2.in
Remote address: 84.205.241.5, Location: Country: Greece, Region: Attiki, City: Athens, ISP: Greek Public Administration Network, Domain: OTE.GR
Remote port: 31029
DNS name: host-84-205-241-5.cpe.syzefxis.ote.gr

Somebody called Zelma Fraser with the email address ten@groo1.telmex.net sends Trojan-D in attachment with the subject line "Contract of retirement" and the file name "contract_n2.zip".

The body message goes like this:

"Good morning,

We have prepared a contract and added the paragraphs that you wanted to see in it. Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.

If necessary, we can send it by fax.
Looking forward to your decision."

Do not open email spam with the subject line "Statement of fees 2008/09". The attached file in such email spam will be a Worm W32/Autorun.

I have received such Virus in an email spam with the following information:

The first lines of the body of the message go this way: Please find attached a statement of fees as requested; this will be posted today. I received such spam with a Trojan included in the attachment from astonrose dot co dot uk ([195.72.48.170]) UK United Kingdom, ISP: Worldinternet.

The sender was JetBlue Airways at erxsr at bmrcpas.com and the Subject line says, Your Online Flight Ticket N 67003 and the multi-part message was in MIME format.

My Security system says about Worm W32/Autorun, Worm W32/Autorun is a Malware that works in W32 Platform. Autorun worms are capable to spread by copying themselves into the root of the directories of hard drives and other writable media such as USB memory sticks.

The worms create an autorun.inf into the root directory of drives they want to infect.

The autorun.inf includes the name and path of the actual worm executable. When an infected media device (CD, DVD OR USB drive) is inserted into the computer, the autorun.inf and consequently the actual malicious program is automatically executed.

In addition to drives on the local computer, an Autorun worm can also spread to remote computers by infecting shared network drives.

Members of the Autorun family also often contain other functionality in addition to just spreading. In fact, this infection method can be used to propagate any malicious playload, such as a backdoor, password stealer, or some other kind of Trojan.

You may receive the following message in two email-spam from different email addresses if you have not received it yet. I published some details here to prevent you from opening such emails, as they include Worm's attachment.

The message goes this way: "Unfortunately, we were not able to deliver postal package you sent on Sept the 28 in time because the recipient's address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS"

The words on the "From" fields are as the same as these words: United Postal Services.

The words on the Subject line are also the same. However, it is only that the numbers of the tracking are changed. The word read as this: UPS Tracking Number 30935741114; and UPS Tracking Number 02498012147.

The first email spam dropped in through the following details:

IP Address: 81.149.217.89, ISP Location UNITED KINGDOM, ENGLAND, LONDON SP: SINGLE STATIC IP ADDRESSES, domain: BTOPENWORLD.COM

The second email spam dropped in through the following details:

IP address: 62.45.25.10, ISP Location: NETHERLANDS, ZUID-HOLLAND, NAALDWIJK, IP: KABELFOON, Domain: CAIWAY.NL

I captured two emails spam while they were dropping at the same time into my mailbox. I could see them with some details about Trojan Spy they carried together while attacking my system.

I read the details on the screen and followed the two emails until they landed naked from that virus into my folder. I then followed them through the email system to discover the following details.

The two emails were received: from ([221.189.225.27]) located in Japan. Region: Gifu City: Gifu ISP: OPEN COMPUTER NETWORK
with the "From" line: "Microsoft" <customerservice@microsoft.com> and the "Subject" line: Security Update for OS Microsoft Windows, on Tue, 14 Oct 2008 13:11:59 +0900.

The same stupid message was addressing me this way: Dear Microsoft Customer, and the lines followed:

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:

1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

There are so many stories like this you can read at the following links at the Ezine Act IP| IP Address| Malware|

Email spammers and hackers began lately to use PayPal in French language to send French spam messages to Internet users. They use tracking tools and other Malware to spot active users on the Internet to send them their spoofs. Luckily, I have captured this stupid PayPal email spam.

Cher PayPal User.

Nous recemment avons determine que les differents ordinateurs ont note sur votre compte de PayPal, et les echecs multiples de mot de passe etaient presents avant les ouvertures.

Nous avons besoin maintenant de vous pour reconfirmer votre information de compte . Si ceci n'est pas accompli avant le 13 Octobre 2008, nous serons forcés de suspendre votre compte indefiniment, comme il a pu avoir ete employe pour des buts frauduleux.

Nous vous remercions de votre cooperation de cette maniere.

Cliquez ci-dessous pour confirmer et vérifier votre compte de PayPal :

https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit

Note : si vous choisissez d'ignorer notre demande, vous ne nous laissez aucun choix mais ? provisoire suspendez votre compte.

Les Meilleurs souvenirs.

PayPal

Securité de PayPal et departement Anti-Frauduleux.

If you were internet marketer then it is probably that you have received or will receive some Trojan-Spies attached to notifications from message boards, forums, groups and social networks you have joined. There are some silly hackers all over there using Google Groups to send in those Trojan-Spies.

However, since the processes goes through Google, so Google should be the first to block this door. Yes, it worth mentioning this note again and again. The following is a complete information of one silly hacker using this method to send his or her Trojan-Spy in.

Trojan-Spy.HTML.Fraud is fraudulent e-mail messages and website HTML. They include a mismatch in HREF tags used by hyperlinks. This happens when hackers attempts to disguise or obfuscate the hyperlink. An example to HREF mismatch is < a href="http://www.nananana.com" >http://www.paradox.com< / a>

The HREF tag in this example directs to nananana.com while the displayed hyperlink will show paradox.com. Phishers attempt to lure victims to spoofing sites in order to steal personal account details.

Nonsense, they try to hurt the new President. As if they do not know, he is the promise to the world. Therefore, hackers follow even the late trends in politics to send Trojan-D. The following case intended to send Trojan in attachment named zeland-01.zip. He or she entered a challenging Subject Line as the following: Barak Obama sex scandal. These (kinds of people) know the opening rate of such email should be 7/10 at least.

Name: Adware
Category: Spyware
Alias: Adware.win32.agent

This software produces advertisements on the infected computer. It collects data and exposes it to users.

A silly spammer uses different emails I own in the "From" line, the "To" line and the "Return-Path" line, to send the same emails that intended to be from MSN to 4 of my email addresses.

All messages go this way:

About this mailing:
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

Following this message are three text links to Chinese websites at hudardd.cn, iicurpx.cn, and one site none cn at legacymethod.com. The text links are Unsubscribe | More Newsletters | Privacy.

I do not know what the spammer will feel if somebody told him or her nothing like this will work.

They know very well their tricks will not pass and no one is that stupid to follow them. However, they intend to be deaf and send continuous spoofs to other people. Those hackers send emails to people who do not have even any eBay accounts. eBay has a chatting box where people can submit details about spoofing emails, but they don't took measures to know how are those hackers and if they have eBay accounts or not.

Details of the Spam!

Return-Path: member@ebay.com
Received: from ALLOY.MNAlloys.local ([70.148.53.183])
Received: from User ([83.110.102.209]) by ALLOY.MNAlloys.local with Microsoft SMTPSVC(5.0.2195.6713); Wed, 15 Oct 2008 16:02:23 -0500
From: "eBay member : poppy20016"< member@ebay.com >
Subject: You've received a question about your eBay item
Date: Thu, 16 Oct 2008 00:49:20 +0400
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: member@ebay.com
Message-ID: < ALLOYSs21Ud9mTP2vZX00000290@ALLOY.MNAlloys.local >
X-OriginalArrivalTime: 15 Oct 2008 21:02:23.0656 (UTC) FILETIME=[522B7280:01C92F09]
Fra: "eBay member : poppy20016" member@ebay.com
Bcc: "eBay member : poppy20016" member@ebay.com

The Message Body

Dear member,

eBay member poppy20016 left you a message regarding item #120316315275

View the dispute thread to respond. This is a text link that redirects to: http://210.71.14.74/xampp/img/lt1.gif/singin.
ebay.com/ws/ebayISPp.dll/SignIn/index.html?SignIn&co_partnerId=2&pUserId=&siteid=0&page
Type=&pa1=&i1=&bshowgif=&UsingSSL=&ru=http%3A%2F%2Fwww.ebay.com&pp=&pa2=&errmsg=&runame=&
ruparams=&ruproduct=&sid=&favoritenav=&confirm=
&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=

Regards,

eBay