What are the odds?
Last weekend, one of our sales managers was at a trade fair in Amsterdam.
When he received a message asking if he wanted to accept a file via bluetooth, he agreed.
Turns out he had the dubious honor of being the first to report a sighting of Worm.SymbOS.Comwar.a (also known as Commwarrior.b) in the wild in the Netherlands.
So that's yet another country we can add to the list.
We've seen a report that the author of the Bozori (or Zotob) worm has been arrested in Morocco.
It's unusual for an arrest to take place so soon after the release of malicious code. Perhaps it's not only the time-lag between vulnerability and exploit that is being reduced.
The anatomy of the Bozori worm outbreaks that we've seen in the last day or so leads us to believe that we're witnessing the emergence of a new type of infection, what we're calling the 'business worm'.
We've recently detected a third modification of Email-Worm.Win32.Monikey. It might seem that there's nothing interesting about it - it spreads as an email with the subject heading «Открытка с POSTCARD.RU» [A Card from POSTCARD.RU]. The body of the message contains what seems to be a link to POSTCARD.RU, but it's actually a link to a compromised site - if the user visits this site, malicious programs will be downloaded onto his/her computer.
In itself, this isn't very interesting. But our interest was piqued by the fact that Monikey incorporates modifications of Trojan-PSW.Win32.Vipgsm and Trojan-PSW.Win32.LdPinch.
Why is this interesting? Well, it's yet more confirmation of our suspicions that LdPinch, Bagle, Monikey and Vipgsm are created by one and the same group of virus writers. (We wrote earlier about LdPinch and Bagle being written by the same group.) Until now, we weren't sure that Monikey and Vipgsm were created by the same people - it was just a suspicion. Monikey contains code which is almost identical to some of Bagle's code, but until now we thought that Monikey was simply based on Bagle's source code, which is probably out there somewhere on the Internet.
The fact that nearly all the embedded malicious programs are encrypted using Trojan-PSW.Win32.LdPinch's “proprietary” algorithm seems to confirm our theory. And it's noteworthy that the latest version of Monikey appeared at the same time that the Bagle authors returned to 'work' after their summer vacations.
All of the above reinforces our suspicions that it's the same people behind a number of families of malicious programs. It also confirms our prediction that the authors of Bagle would start using new approaches and technologies.
All the malicious programs have been deleted from the compromised sites, and a lot of sites have published information and apologies, stating that they did not initiate any mass mailing. However, it's still not clear how these sites were accessed - this might have been done using passwords which were stolen using a program similar to LdPinch.
All these malicious programs have been added to Kaspersky Anti-Virus database updates.
We've decided to rename Net-Worm.Win32.Small.d to Net-Worm.Win32.Bozori.a.
Infection reports are coming mostly from the USA, with some high-profile targets being hit.
Shortly after Bozori.a was detected we found Bozori.b. This variant doesn't seem very widespread at the moment.
Instead of wintbp.exe, Bozori.b has wintbpx.exe as the filename. Otherwise the two variants don't differ much, both around 10KB in size.
Bozori.b's MD5: 7ef9b103143c15563ee386846fd4db77
The worm uses an exploit to get onto the system: a buffer overflow that is likely to crash services.exe.
This crash triggers the infamous "System Shutdown" pop-up box made notorious by Lovsan and Sasser.
With only 60 seconds on the clock, administrators will have a tough time cleaning this mess up.
We've received numerous reports on a new worm spreading via the PnP vulnerability.
We detect it as Net-Worm.Win32.Small.d.
Normally the worm's filename is wintbp.exe; it contains a basic IRCBot with Trojan-Downloader functionality. MD5: 7a67f7a8c844820c1bae3ebf720c1cd9
An urgent update has been released.
Net-integrations, a site dedicated to malware removal and especially known for its forum, has fallen victim to malicious hackers.
Attackers seem to have made use of a vulnerability in the forum software used by Net-integrations to gain access to the server, although this has not yet been confirmed.
The most notable effect so far has been that the server has sent out many emails containing a link to a trojan.
It is not the first time an anti-malware site has been compromised via its accompanying forum.
Although phpBB is often the target, this time Invision Power Board fell victim.
A spammed mail looks like this:
(Email address slightly altered)
From: "Net-Integration Forums"
Subject: Protect Your PC !!! ( From Net-Integration Forums )
Protect Your PC !!!
Please download antivirus protection
The file, which in addition to a Kaspersky-related filename also has a Kaspersky AV-like icon, is detected by Kaspersky Anti-Virus as Trojan-Spy.Win32.LdPinch.gen.
LdPinch is a very popular password stealing Trojan family, a generic description of it can be found here.
Several copies of this email have been sent out by the hacker to the members of the forum.
This incident once again shows that your operating system, as well as all other software, needs to be kept up to date and patched.
I do wonder if the attacker felt s/he would have much success spamming a security-conscious crowd.
Phishing - tricking computer users into disclosing personal details (username, password, PIN number or any other access information) and then using this fraudulently obtained data to steal money - is nothing new.
It's always relied heavily on 'social engineering', limited only by the imagination of the scammers. New approaches often tap into legitimate user fears. A new phishing technique that has appeared in the last few days clearly demonstrates this.
The scam involves an email (nothing new there) which targets PayPal customers (nothing new there either), asking them to confirm email address, credit card information and PayPal passwords. However, instead of asking the user to complete an online form, the email urges them to print out the form and fax it to a US toll-free number. This is something new.
We have to give phishers some credit for their creativity. And while we are at it, maybe it's a good time to review some basics of safe computing.
A quick update: over the last twenty four hours, we had eleven new Bagle variants, from Bagle.bz to Bagle.cj. Some of them were new versions, and some were old variants which had been repacked.
All the new versions were either spammed, or placed on sites for download. They're being used to ensure that the Bagle botnet survives.
A very old Bagle variant was also spammed; it had been repacked using a new version of the packing program.
The Bagle bakery is clearly still in business, but hasn't come up with any new recipes for a while.
It looks as though the Bagle author is back from his vacation. Today we've detected several new variants (actually old variants which have been repacked) and they are still coming in.
New malware has been placed on the sites listed in the worms' bodies, so it may be that we will see some of these Bagles updating themselves automatically. We'll keep you posted.
When I had time to investigate further, I noticed something interesting.
Instead of relying on 'real' webservers, this malware simply turns the infected machine into a webserver.
The biggest advantage this approach has is the fact that the host is fairly unlikely to be shut down quickly.
As you can see from the description, the worm connects to a specific server to determine the computer's (outside) IP address.
Most likely this is done to get around the problem of internally used IP addresses on computers, such as the 10.x.x.x and 192.168.x.x ranges, which cannot be reached directly from the Internet.
This is an interesting new approach. But for it to be effective, machines within a LAN will have to have the necessary port forward in place, and I'm not sure that this is widespread. We'll keep you posted on any developments.
A user notified us about a suspicious link being spread via MSN. Normally we would assume that there's a new IM-Worm out there, since we've had quite a few of them this year.
However, the link itself attracted our attention:
Naturally, anyone who follows information security knows Virus Bulletin: one of the oldest and most respected publications in the AV industry. Getting a VB award is a must for any reputable antivirus.
No, their site has not been hacked. If you read the URL carefully, you'll notice that the word bulletin is misspelled - bulettin. Moreover, Virus Bulletin can be found on-line at a slightly different URL: www.virusbtn.com.
Most of us only scan URLs at best, and the malicious version is certainly close enough to the real thing to fool people. Virus writers are at it again: masquerading as a respected AV publication is a good way to get people to trust you.
Oh, before I forget... a new version of Backdoor.Win32.Landis is lurking at this link. If you receive this link, don't click on it. There's no IM-Worm involved, by the way - Landis sends the link out on command from its owner.
We've added detection for this new Trojan to our databases, so update just in case.
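The misspelled URL in the MSN link above works because people skim domain names rather than read them. The following is an added example, not code from the original post or from Kaspersky, showing how a defender can screen links against a watchlist of trusted domains: it flags exact matches and genuine subdomains as trusted, catches a trusted name embedded inside a longer attacker-controlled hostname, and uses edit distance to catch near-miss spellings such as "bulettin" for "bulletin". The watchlist itself is constructed for the example (the page only mentions www.virusbtn.com); the domains and thresholds are assumptions.

```python
from urllib.parse import urlsplit

# Constructed watchlist for this example. virusbtn.com is the real Virus Bulletin
# address named in the post; the other entries are illustrative assumptions.
TRUSTED_DOMAINS = ["virusbtn.com", "virusbulletin.com", "paypal.com", "kaspersky.com"]


def hostname(url: str) -> str:
    """Extract the lowercase hostname from a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_verdict(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Classify a URL's host relative to the watchlist.

    Returns one of:
      ("trusted", domain)    exact match or a real subdomain of a trusted domain
      ("embedded", domain)   trusted name buried inside a longer, foreign hostname
      ("lookalike", domain)  registrable part is within max_distance edits of a trusted domain
      ("unrelated", None)    nothing on the watchlist resembles it
    """
    host = hostname(url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", t
    # e.g. virusbtn.com.evil.test: the trusted name is just a label prefix
    dotted = "." + host + "."
    for t in trusted:
        if "." + t + "." in dotted:
            return "embedded", t
    # Compare the part people actually read (last two labels) against each trusted domain.
    candidate = ".".join(host.split(".")[-2:])
    best = min(trusted, key=lambda t: levenshtein(candidate, t))
    if levenshtein(candidate, best) <= max_distance:
        return "lookalike", best
    return "unrelated", None


if __name__ == "__main__":
    # Constructed sample links modelled on the case in the post.
    for link in ["http://www.virusbtn.com/", "http://www.virusbulettin.com/award.exe",
                 "http://virusbtn.com.evil.test/", "http://paypa1.com/", "http://example.org/"]:
        print(link, "->", lookalike_verdict(link))
```

Plain Levenshtein counts a transposition as two edits, so the threshold of 2 is the minimum that still catches "bulettin"; raising it trades more false positives for catching longer rewrites, and a production filter would also normalise homoglyphs (the digit 1 for the letter l, Cyrillic letters for Latin ones) before measuring distance.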
There was a time when image files, such as JPEGs, were considered harmless. Some industry pioneers stated outright that only executable (EXE, COM) files could carry viruses. And then came macro viruses, spreading from .DOC files, another "impossible" propagation vector. And later, some said that you couldn't really get a virus from just reading an email - you had to click on an attachment. Of course, this has been proved false, thanks to an (almost) unending stream of Outlook vulnerabilities.
The misconception that JPEGs can't carry viruses was disproved by a major vulnerability discovered last year in a graphics format parsing library used in many products. Several Trojans exist which attempt to make use of this vulnerability to infect computers. We've added a generic detection for malicious JPEG files of this type: Exploit.Win32.MS04-028.gen.
This weekend we intercepted an interesting attempt at spreading a Trojan using the above-mentioned JPEG exploit. Somebody mass-mailed a large number of messages containing a downloader for Backdoor.Win32.Haxdoor.dw. The downloader, a malcrafted JPEG exploit 4098 bytes in size (md5: 09617ea4db6de83455ed4079facdbc36), doesn't work.
As often happens with virus writers, he/she probably didn't bother to test the exploit before sending it out, and as a result, the exploit which has been widely distributed doesn't work. So this time at least, the JPEG file wasn't infectious. However, fixing the mistake would be relatively easy and we wouldn't be surprised to see a second wave, this time with a working exploit.
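A generic detection for files of this type does not need to know the Trojan's payload; it only needs to check that the JPEG's marker segments are structurally sane. The following is an added example, not code from the original post or from Kaspersky, that walks a JPEG header segment by segment and reports any segment whose two-byte length field is below 2 (the length counts its own two bytes, so a smaller value is impossible in a well-formed file, and a parser that computes "length minus 2" from it underflows, which is the published root cause of MS04-028), as well as lengths that run past the end of the file. The sample files are constructed inline for the example; the function names are assumptions.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0..RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def audit_jpeg(data: bytes):
    """Walk the header segments of a JPEG and report structural problems.

    Returns (segments, findings). segments is a list of (marker, declared_length, offset);
    findings is a list of human-readable problems. Scanning stops at SOS (entropy-coded
    data follows) or at the first segment whose length field cannot be trusted.
    """
    segments, findings = [], []
    if data[:2] != b"\xff\xd8":
        return segments, ["no SOI marker: not a JPEG"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected marker byte 0xFF, found 0x{data[pos]:02X}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte preceding a marker; skip it
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((marker, None, pos))
            pos += 2
            if marker == EOI:
                break
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: segment 0x{marker:02X} truncated before its length field")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, length, pos))
        if length < 2:
            # Impossible in a well-formed file: the field includes its own two bytes.
            findings.append(f"offset {pos}: segment 0x{marker:02X} declares length {length} (< 2)")
            break
        if pos + 2 + length > len(data):
            findings.append(f"offset {pos}: segment 0x{marker:02X} length {length} runs past end of file")
            break
        if marker == SOS:
            break
        pos += 2 + length
    return segments, findings


def is_suspicious(data: bytes) -> bool:
    """True if the header audit produced any finding."""
    return bool(audit_jpeg(data)[1])


# Constructed samples: a minimal JFIF header with a 4-byte comment, and the same header
# where the comment (COM, 0xFE) segment claims a length of 1.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x06test" + b"\xff\xd9"
BAD = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x01" + b"\xff\xd9"

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD", BAD)]:
        segs, problems = audit_jpeg(sample)
        print(name, [f"0x{m:02X}" for m, _, _ in segs], problems or "ok")
```

The walker stops as soon as a length field is untrustworthy rather than trying to resynchronise, because advancing by a bogus length is exactly the behaviour that got the original parser into trouble; a scanner built on this would quarantine the file and let a full decoder never see it.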