Securelist / All Updates

Blog: Will Google Bouncer definitely remove all malware from the Android Market?

webmaster@securelist.com (Dmitry Bestuzhev) — 06 Feb 2012 19:21:57 +0400

Will the Bouncer be effective in addressing the malware problems with Android apps? Is it still a good idea to use a mobile security program for protection even with Bouncer in place? Are there ways for hackers to sneak infected apps into the store despite Bouncer?

Descriptions: Trojan-Downloader.Java.OpenStream.av

webmaster@securelist.com () — 06 Feb 2012 17:43:00 +0400

The Java class file "gamesload" includes a JAR archive and is part of a piece of malware. The following components of the Trojan are also stored in the archive: Game.class - 672...

Descriptions: Trojan-Downloader.Win32.Agent.fwcp

webmaster@securelist.com () — 06 Feb 2012 17:37:00 +0400

This Trojan downloads another program to the computer and launches it for execution without the user's knowledge. It is a Windows application (PE EXE file) and is 56 320 bytes in size. It is packed...

Descriptions: Trojan-Downloader.Win32.Agent.ejui

webmaster@securelist.com () — 06 Feb 2012 17:31:00 +0400

This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file) and is 53 760 bytes in size. It is written in...

Descriptions: Backdoor.Win32.Agent.amps

webmaster@securelist.com () — 03 Feb 2012 19:28:00 +0400

Once launched, the backdoor uses the function "GetSystemDefaultLCID" to obtain the ID for the group of national settings that the operating system uses by default. If the value obtained corresponds...

Descriptions: Trojan-Ransom.Win32.XBlocker.bcp

webmaster@securelist.com () — 03 Feb 2012 19:23:00 +0400

This Trojan stops the computer from functioning normally in order to obtain a ransom for restoring the system to its initial condition. It is a Windows application (PE EXE file) and is 40 448 bytes in...

Descriptions: Trojan-Ransom.Win32.Gimemo.ns

webmaster@securelist.com () — 03 Feb 2012 18:57:00 +0400

This Trojan stops the computer from functioning in order to obtain a ransom for restoring it. It is a Windows application (PE EXE file) and is 355 328 bytes in size. It is packed using UPX. The...

Descriptions: Trojan-Downloader.Win32.Agent.dlyf

webmaster@securelist.com () — 02 Feb 2012 18:01:00 +0400

This Trojan downloads other malicious programs from the Internet and launches them for execution without the user's knowledge. It is a Windows dynamic library (PE EXE file). It is 53 248 bytes in...

Descriptions: Trojan.Win32.VB.aeke

webmaster@securelist.com () — 02 Feb 2012 17:51:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 352 256 bytes in size. It is written in Visual Basic. Installation When launching,...

Descriptions: Trojan.Win32.Smardf.mlt

webmaster@securelist.com () — 02 Feb 2012 17:10:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 142 848 bytes in size. It is written in Delphi.

Blog: Lab Matters - The death of browser trust

webmaster@securelist.com (Ryan Naraine) — 02 Feb 2012 16:15:00 +0400

In this webcast, Kaspersky Lab senior security researcher Roel Schouwenberg talks about the Diginotar certificate authority breach and the implications for trust on the Internet. Schouwenberg also provides a key suggestion for all major Web browser vendors.

Descriptions: Trojan.Java.Payphish.a

webmaster@securelist.com () — 01 Feb 2012 13:17:00 +0400

When the infected page is opened, Java class code starts to run, which leads to the following actions: The following file is created and launched: Ñ:\Windows\pay.reg This causes a change in...

Descriptions: Backdoor.Win32.Delf.ugd

webmaster@securelist.com () — 01 Feb 2012 13:03:00 +0400

This Trojan provides a malicious user with remote access to the infected computer. It is a Windows application (PE EXE file). It is 365 568 bytes in size. It is written in Delphi. Installation Once...

Descriptions: Trojan-Downloader.Win32.Genome.atab

webmaster@securelist.com () — 01 Feb 2012 12:39:00 +0400

Once launched, the Trojan decrypts its body and then downloads files from the following URL addresses: http://195.***.144.79/psyim_dfgjkeqw.exe http://195.***.144.79/setup.exe http:...

Blog: Kelihos/Hlux botnet returns with new techniques

webmaster@securelist.com (Maria Garnaeva) — 31 Jan 2012 15:00:00 +0400

It has been four months since Microsoft and Kaspersky Lab announced the disruption of Kelihos/Hlux botnet.

Blog: CVE-2012-0003 Exploit ITW

webmaster@securelist.com (Kurt Baumgartner) — 27 Jan 2012 21:44:43 +0400

S. Korean handlers are slow to take down the publicly distributed malicious code exploiting CVE-2012-0003, a vulnerability patched in Microsoft's January 2012 patch release MS12-004.

Descriptions: Exploit.JS.Pdfka.dna

webmaster@securelist.com () — 26 Jan 2012 18:15:00 +0400

This exploit program uses vulnerabilities in Adobe Reader and Acrobat to execute itself on the user's computer. It is a PDF document containing XML Forms Architecture and Java Script. It is 26,393...

Descriptions: Trojan-Downloader.Win32.Genome.asvq

webmaster@securelist.com () — 26 Jan 2012 15:41:00 +0400

This Trojan downloads other malicious programs from the Internet and launches them for execution without the user's knowledge. It is a Windows application (PE EXE file). It is 21 504 bytes in size....

Descriptions: Trojan-Downloader.Win32.Genome.asut

webmaster@securelist.com () — 26 Jan 2012 14:54:00 +0400

Descriptions: Trojan.Win32.Slefdel.fpk

webmaster@securelist.com () — 26 Jan 2012 14:42:00 +0400

The Trojan creates a file named "Deleteme.bat" in its working directory and launches it for execution: %WorkDir%\Deleteme.bat The launched file deletes the Trojan's original body and deletes...

Descriptions: Trojan.Win32.Sasfis.rer

webmaster@securelist.com () — 25 Jan 2012 17:55:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 18 944 bytes in size. It is written in C++.

Descriptions: Trojan.Win32.Sasfis.ole

webmaster@securelist.com () — 25 Jan 2012 17:46:00 +0400

Once launched, the Trojan decrypts and extracts the following file from its body to the current user's temporary directory: %Temp%<rnd1>.tmp where <rnd1> is a random set of numbers and...

Descriptions: Trojan.Win32.Qhost.nhn

webmaster@securelist.com () — 25 Jan 2012 17:37:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 16 384 bytes in size. It is written in C++.

Analysis: Congratulations, you’ve won! The reality behind online lotteries

webmaster@securelist.com (Maria Rubinstein) — 25 Jan 2012 11:54:00 +0400

It’s amazing how often we get a message telling us we’ve won the lottery.

Descriptions: Trojan-SMS.J2ME.Agent.s

webmaster@securelist.com () — 24 Jan 2012 15:51:00 +0400

Òðîÿíñêàÿ ïðîãðàììà, ïîðàæàþùàÿ...

Descriptions: Trojan.Win32.Qhost.mxb

webmaster@securelist.com () — 24 Jan 2012 12:40:00 +0400

The Trojan creates a copy of the original "hosts" file under the following name: C:\h.tmp The Trojan writes the following string in the file created: 85.***.206.115 u070***010u.com It replaces the...

Descriptions: Trojan.Win32.Agent.fadd

webmaster@securelist.com () — 24 Jan 2012 12:31:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 49 162 bytes in size. It is written in Delphi. Installation Once launched, the...

Descriptions: Trojan.Win32.Agent.ezqu

webmaster@securelist.com () — 24 Jan 2012 12:20:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 48 650 bytes in size. It is written in Delphi. Installation Once launched, the...

Descriptions: Trojan.Win32.Agent.ezqk

webmaster@securelist.com () — 23 Jan 2012 16:18:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 47 114 bytes in size. It is written in Delphi. Installation Once launched, the...

Descriptions: Trojan.Win32.Agent.ezqg

webmaster@securelist.com () — 23 Jan 2012 16:11:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 49 162 bytes in size. It is written in Delphi. Installation Once launched, the...

Descriptions: Trojan.Win32.Agent.dfab

webmaster@securelist.com () — 23 Jan 2012 14:33:00 +0400

Once launched, the Trojan decrypts and extracts the following file from its body to the current user's temporary directory: %Temp%<rnd1>.tmp where <rnd1> is a random set of numbers and...

Blog: Brazilian cybercriminals’ daily earnings - more than you’ll ever earn in a year!

webmaster@securelist.com (Dmitry Bestuzhev) — 20 Jan 2012 17:20:50 +0400

Here is the profile of one criminal using Bitly as a URL shortening service. As you can see, in just one day, he was able to gain more than 33,000 clicks or potential infections! So, how much did the criminal make on that particular day? Let’s see...

Descriptions: Trojan.Win32.Agent.daec

webmaster@securelist.com () — 20 Jan 2012 16:14:00 +0400

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE DLL file). It is 27 136 bytes in size. It is written in C++. Installation The Trojan copies its body...

Descriptions: Exploit.HTML.CVE-2010-1885.ad

webmaster@securelist.com () — 20 Jan 2012 16:04:00 +0400

This exploit program uses vulnerability in Microsoft Windows Help and Support Center to execute itself on the user's computer. It is an HTML document containing Java Script scenarios. It is 11 723...

Descriptions: Backdoor.Win32.Bredavi.he

webmaster@securelist.com () — 20 Jan 2012 15:58:00 +0400

This malicious program provides a malicious user with remote access to the infected computer. It is a Windows application (PE DLL file). It is 25 600 bytes in size. It is written in...

Blog: Malware wallpaper calendars for 2012

webmaster@securelist.com (David) — 19 Jan 2012 19:42:48 +0400

Malware wallpaper calendars for 2012

Blog: Lab Matters - The threat from P2P botnets

webmaster@securelist.com (Ryan Naraine) — 19 Jan 2012 17:35:00 +0400

Kaspersky Lab malware researcher Tillmann Werner joins Ryan Naraine to talk about the threat from peer-to-peer botnets. The discussions range from botnet-takedown activities and the ongoing cat-and-mouse games to cope with the botnet menace.

Descriptions: Backdoor.Win32.Bredavi.anx

webmaster@securelist.com () — 19 Jan 2012 16:10:00 +0400

If Microsoft Office is installed on the user's computer, the Trojan sets the security level to low by registering the following values in the system registry key:...

Descriptions: Trojan-Spy.Win32.SPSniffer.a

webmaster@securelist.com () — 19 Jan 2012 15:58:00 +0400

This malicious program is designed to steal confidential data from users. It is a Windows PE EXE file. It is 53248 bytes in size. It is written in Visual Basic.

Descriptions: Trojan-Dropper.Win32.Sality.r

webmaster@securelist.com () — 19 Jan 2012 15:49:00 +0400

This Trojan is designed to install and launch other programs on the victim machine without the knowledge or consent of the user. The program itself is a Windows PE DLL file. It is 76800 bytes in...

Descriptions: Trojan-Downloader.WMA.GetCodec.s

webmaster@securelist.com () — 18 Jan 2012 18:11:00 +0400

The Trojan exploits the ability of Windows Media to integrate the scenario command "URLAndExit" into the video stream. This allows the default browser to be launched during playback with a subsequent...

Descriptions: Trojan-GameThief.Win32.Magania.cnkt

webmaster@securelist.com () — 18 Jan 2012 17:39:00 +0400

This Trojan is one of a family of Trojans that steal passwords from users' online gaming accounts. It is a Windows PE EXE file. It is 115016 bytes in size. It is written in C++. Installation After...

Blog: Two-pronged attack: Argentine site hit by malware and data leak

webmaster@securelist.com (Dmitry Bestuzhev) — 18 Jan 2012 17:13:10 +0400

Lots of confidential information has been leaked in Argentina and we are talking about home addresses, telephone numbers, details of education centers attended, mobile phone numbers, email addresses, marital status, children and even personal references. This is very bad because the same information can easily be used for all kinds of fraudulent activities: on-line ID theft, targeted attacks and so on.

Descriptions: Packed.Win32.Black.d

webmaster@securelist.com () — 18 Jan 2012 13:02:00 +0400

This sample does not have a malicious payload. It is an installation file of the program E-Drill Master Folder Encryption. It is 1 772 451 bytes in size. It is packed using PE Patch and...

Blog: The Zappos Breach and Textual Password Based Authentication

webmaster@securelist.com (Kurt Baumgartner) — 17 Jan 2012 18:42:32 +0400

Following their major database breach, Zappos leadership is doing the right thing by what seems to be quickly and clearly communicating what data was accessed and what was not - there are no unexplained delays or confusion on their part about the event. It's like another Aurora moment in my book, when Google extraordinarily opened up about their breach while the other 30-odd Aurora-breached major corporations did the opposite, aggressively maintaining NDA's to hide their Aurora incidents and hide their heads in the sand. Zappos reset 24 million customers' passwords and emailed all of them about the problem last night.

Blog: A School for Cybercrime: How to Become a Black Hat

webmaster@securelist.com (Fabio Assolini) — 17 Jan 2012 17:40:47 +0400

To help beginners interested in a life of cybercrime, some Brazilian bad guys started to offer paid courses. Others went even further, creating a Cybercrime school to sell the necessary skills to anyone who fancies a life of computer crime but lacks the technical know-how.

Descriptions: Worm.Win32.VBNA.iby

webmaster@securelist.com () — 17 Jan 2012 15:16:00 +0400

This worm propagates by creating copies of itself on local disks and write-accessible removable disks. It is a Windows application (PE EXE file). It is 45056 bytes in size. It is written in Visual...

Descriptions: Worm.Win32.Agent.abe

webmaster@securelist.com () — 17 Jan 2012 15:04:00 +0400

This worm carries out destructive activity on the victim machine. It is a Windows PE-EXE file. It is 480308 bytes in size. It is written in C++.

Descriptions: Trojan.JS.Agent.bmx

webmaster@securelist.com () — 17 Jan 2012 14:01:00 +0400

This program has a malicious payload. The program is a Java Script scenario. It is 3,467 bytes in size.

Blog: IRC bot for Android

webmaster@securelist.com (Denis) — 13 Jan 2012 22:36:42 +0400

Not so long time ago we found a very interesting piece of malware for Android. Unfortunately, it is not clear how it was spread but in any case it’s worth mentioning. The malicious application displays itself as ‘MADDEN NFL 12’ game after the installation. The file size is over 5+ MB and actually is a Trojan that drops a set of malware components onto the system: root exploit, SMS Trojan and IRC bot. The .class file "AndroidBotAcitivity" maintains this dropper functionality.