Malware Disasters Team

Increase in Dutch banking phishing

2011-04-11T18:44:00.000-07:00

The last few months there was an increase in a phishing campaign targeted on customers from Rabobank and ING, two major banks in The Netherlands and Belgium. Some examples of a phishing mail:

Phishing email for ING with the subject “Account Verificatie” (or in English: “Account Verification”)

Phishing email for Rabobank with the subject “Customer Services Update”.

If you speak the Dutch language, you notice the content of the emails are actually more different than most phishing mails. In fact there’s a bigger variety, and in the first version there is almost no grammatical or spelling error. The second email - for Rabobank- however, is clearly a Google Translate copy/paste job.

All emails seem to be originating from valid email addresses, domains are pointing to @rabobank.nl and @ing.nl , which are in fact legitimate addresses from the two banks.
However, if we check the message headers we can see IP’s originating from Nigeria:

41.155.32.70 – IPVoid results
82.128.38.67 – IPVoid results

Another IP address is originating from New Zealand and is actually blacklisted on several blacklists, as can be confirmed when checking with IPVoid:

203.97.33.68 – IPVoid results

This means the email-addresses are spoofed to trick users into believing the email is valid.
Now, what happens if you click on the link included in the message? You will be redirected to any of these pages:

Phishing website for ING. The user needs to login with his/her username and password. You can also opt to login with the ‘calculator’. The calculator is in fact a card reader which you can use to login.

Phishing website for Rabobank. You can login using your account number, access code, and PIN code. You can also use your card reader.

The intention of these emails is of course to steal user credentials and empty the account of the duped user. These attacks are pretty well orchestrated. If you click on any of the links on the phishing page, it will redirect you to the real ING website which provides extra information on the topic you clicked on.

The following tips do not only apply to the above story, but apply to any other (suspicious) email you receive:

Do not click on any of the links (or anything for that matter) in the email you have received.
Do not reply to the email.
Delete the email immediately, certainly if you are not a customer of the aforementioned bank or did not order anything, changed your password, and so on.
If you really need to access or check your bank account, visit the website directly by typing the address in your browser’s address bar. Also verify the URL starts with https instead of http.
Another useful trick is to hover over the link in the email. In the bottom left corner you should be able to see the real address behind the URL displayed.
When in doubt, you can double-check using URL scanning services such as VirusTotal or URLVoid by our partner NoVirusThanks.

Bart Parys
Malware Research
Twitter: @bartblaze

New whitepaper about Carberp Botnet

2011-02-21T02:06:00.000-08:00

Is available a new whitepaper that describes the operation of one of the botnets "wanted" by the security community: Carberp.

The article, called Inside Carberp Botnet and written by Francisco Ruiz, Crimeware Research of MalwareIntelligence, details the different parts of this crimeware, leaving evidence of its full operating mode.

In recent weeks, has returned to Carberp impact due to the revival of several of his former C&C. However, experts believe MalwareIntelligence have concrete evidence that would demonstrate that in fact the original group that was behind the first generation of Carberp is broken, and that some of the new botnets that spread banking trojan Carberp are managed through a modified version of the original.

MalwareIntelligence have a Carberp Working Group, responsible for private research and demand of this particular threat. In the main blog, Ruiz also said that a botnet Carberp private market in a very closed environment, but since a few days ago, the marketing model has been released, giving some details of its current features and costs.

Facebook rogue applications still lurking around

2011-02-14T12:10:00.000-08:00

For quite some time now there are rogue applications trying to convince you that you are able to check whoever viewed your profile. There are a lot of different names for this rogue application, some but not all include:

creep exterminators
catch them being creepy
creepy profile peekers
privacy bros
we catch stalkers

So what will this fake application do? For starters, it will surely NOT show you who's been viewing your profile. If you land on this application, you will be presented with the following screen:

Profile Creeps application

Request for permission

You then have to allow access from the application so they can show you who's been lurking around your profile. But wait ! You first have to complete a survey and then you are able to check it out. Simple, right?

Facebook verification

Not exactly. These fake surveys are pretty common on the internet. It is a typical scam. For example, I had one particular survey that urged me to download SmileyCentral, the other tried to deliver me Webfetti.

9ed197b533fdf53ab8cf9e83a1b5951d (Webfetti.exe)
ff8d221113615909b07b1ba9ceb8466a (SmileyCentralPFSetup2.3.78.2.NoSA.NoHP.ZNfox000.exe)

Another fake survey wanted me to fill in my phone number, and afterwards send an (expensive) text message to 'unlock' the application. In addition to letting you fall into one of these scams, the rogue application also promotes itself on all of your friends’ walls:

Rogue application spreading itself on other people’s wall

If you would like to remove it, follow the steps below:

Go to your Facebook profile. Find the post that mentions the "stalker" application
Skim over it and you will see an X appear. Click on it and choose "Remove (name of the fake application here)".
Additionally, you can also report it as abusive to help in stopping these type of applications.
Next step is to click on My Account and choose Privacy Settings. Down below you can see "Apps and websites". Click on Edit your settings.
Select Remove unwanted or spammy apps. You can now Edit the application and remove it.

Bart Parys
Malware Research
twitter: @bartblaze

Big Brother Brazil 2011 (AKA BBB 2011) malware attack

2011-01-30T07:47:00.000-08:00

Big Brother 2011 (AKA BBB 2011) begins in Brazil and it's a motivation for social engineering attacks.

Big Brother Brasil 2011 began on January 11th in Brazil and malware authors should be celebrating, thus, because this is something very popular so it's easy to attract victims (via social engineering) to 'see' videos or pictures of the BBB 2011 participants.

We will show you a threat which came in form of a phishing and using social engineering ask recipients to click in a link in order to watch a video of a transsexual which is making the man's participants of the BBB 2011 confused.

As you can see on the original e-mail below, the attacker uses a technique known as DHA (Directory Harvest Attack) against the @hotmail.com domain in order to send the phishing message to valid e-mail addresses.

Note that when you move the mouse to the link which appears that will get you to the youtube.com, on the status bar you can see that it will not get you to the youtube.com website. It will get you to the website hxxp://twurl.nl/rbpm6s.

Below you have the source code of the phishing message:

----------------------------------------------------------------
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n
X-SID-PRA: globo.com (BBB 2011)
X-SID-Result: Fail
X-DKIM-Result: None
X-AUTH-Result: FAIL
X-Message-Info: DkpufaDli9Iih8M1I3rOCBHB3/E1htFb2qXrXVLfpfjlNFuHVG90WYrx2zq5Mw1fmsHKOjL4weQGCOatyx0Pn7FYN0czafnY9kSTqtv24cY=
Received: from wl01.ws.poa.ige ([201.94.125.1]) by col0-mc3-f16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 18 Jan 2011 10:21:08 -0800
Received: from wl01.ws.poa.ige (dcrs8211 [127.0.0.1])
    by wl01.ws.poa.ige (8.13.8/8.13.8) with ESMTP id p0IH1auJ030937;
    Tue, 18 Jan 2011 15:01:36 -0200
Received: (from httpd@localhost)
    by wl01.ws.poa.ige (8.13.8/8.13.8/Submit) id p0IH1ZXl030933;
    Tue, 18 Jan 2011 15:01:35 -0200
To: baa@hotmail.com, bbb@hotmail.com, bcc@hotmail.com,
bdd@hotmail.com, bee@hotmail.com
Subject: ariadna (transesual) no bbb 2011 deixa homens confuso....
X-PHP-Script: mylove2010.info/catastrofe/feed10.php for 187.57.247.86
Date: Tue, 18 Jan 2011 15:01:34 -0200
From: "globo.com (BBB 2011)"
Reply-to: "globo.com (BBB 2011)"
Message-ID: <63a5faa6442cd3b2f870f2ac7a99bde7@mylove2010.info>
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.10.2800.1409.1718742875.rg.sm31
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"
Return-Path: httpd@wl01.ws.poa.ige
----------------------------------------------------------------

As you can see on the source code, this phishing message involves three main characteristics:

A file named feed10.php
A file named ariedina.jpg3
A link pointing to the website hxxp://twurl.nl/rbpm6s.

Analyzing the file feed10.php
I have downloaded this script page by using the webget utility. See the screenshot below:

wget -v mylove2010.info/catastrofe/feed10.php

As you can see above, this is a smtp engine used by this threat. Just in case I have submitted this PHP script to virustotal and you can see the results. This sounds a true smtp engine script, so there is no malware associated to this program, while it might be used by malwares.

Analyzing the file ariedina.jpg3

This is just a picture which is used to attract people to click and see a 'video' at youtube.com, however, as you can see on the source code there is a HREF instruction so when the user clicks on this picture (anywhere) it will get the user to the malicious website: hxxp://twurl.nl/rbpm6s

I have downloaded this picture so I could analyze it and saw that it's really just a picture:

wget -v http://lh4.ggpht.com/_FJQwbg0nrOk/TTGRJVC1KtI/AAAAAAAAAMs/CUvYCECUkhM/ariedina.jpg3

I have submitted this file to the virustotal website so you can get the report using the link below. There are no detection since this is just a picture.

Analyzing the link hxxp://twurl.nl/rbpm6s

Using wget pointing to the URL hxxtp://twurl.nl/rbpm6s resulted in downloading a file named youtube_video756.exe.

wget -v http://twurl.nl/rbpm6s

Analyzing youtube_video756.exe

After submitting this sample to virustotal you can see that some AV vendors detects this threat. Some of them using signatures and a couple of them using a in-cloud technology.

If you run youtube_video756.exe, it will basically perform the following activities:

Create a copy of itself using a file named Recorte de tela e Iniciador do OneNote 2007.exe on the folder "C:\Documents and Settings\%user%\Start Menu\Programs\Startup\". This process is then launched.

It connects to the ftp site ftp.biancarox.net using the username cohabrox and a password which will not be reported here just in case. It downloads 10 files (listed below) to the folder C:\documents and setings\%user%\. While all of these files have a .txt extension, they are not a true .txt file. Looking at its strings you can see that they are really executables.

Taking a look at the process strings (below), we can see several internet bank sites of Brazil and two webmail websites.

When you open Internet Explorer and type one of the target URLs, like www.bradesco.com.br (which is a true bank of Brazil), it will kill iexplorer.exe and will load a new process C:\Document and Settings\%user%\®¢Ÿª¤ª¥ž¥.txt. If you type anoher URL on the IE address bar like www.bradescoprime.com.br, another process will be launched on this case it would be the ®ž“§«š§«š.txt.

This process is a fake application which emulates the requested website and it will capture your bank agency, account, token, passwords, etc. See screenshots below:

While you are typing your bank agency, account, password, token, etc, the trojan is capturing everything and is written it to a *.bsp file on the C:\Documents and settings\%user%\. Below you have an example:

Indicators of compromise

Check for the existence of the following MD5 on the C:\Documents and Settings\%user%\.

edaa81ad2165c65bb340e636bf642291
b82c51f94b0e516f461b6f84a668dfde
76184bebea96f59086368b64a896d224
f590d18d7b50109c03c6237d86e8415d
52ea037028eb2274147aef1edfb64865
daa21069ae179cc0f195cd42795b592b
86802efad8fb5b8153d7c7de67cb66bb
fc7592c9f2e2264c687a806459387d30
9547ff6be241b5bb8a87f0dabe3b3218
5cd6a3ac2b2d97e36091a1ecd2fd0aec

Check if the process Recorte de tela e Iniciador do OneNote 2007.exe is running or present on the folder C:\Documents and Settings\*\Start Menu\Programs\Startup\ (it's MD5 is d34c8d3ad55f65d701264a5e8e278915)

Network connections to:

hxxp://mylove2010.info/catastrofe/feed10.php
hxxp://twurl.nl/rbpm6s
hxxp://livinianot.com.br/
ftp.biancarox.net

Below you have a report from VirusTotal regarding the samples that we have analyzed here:

id=968db70645fceeb734ba941ee78d51848057762b0559709238c59d4391d1c25e-1295986300
id=961a9c536b98d02172eb48bd2e0e4881591ac1eb607bf1ea7f267f4994c6b6f6-1295986210
id=e6a33cbba7e6348c41cb7e10acac4efaf47286603d54d1c7088f8772bb0f23e8-1295986257
id=4e908de9a38bb3b90435b0d8b733ad11836a8f65bff2cd6cd247fd47a332af16-1295996254
id=d12ef9562f2deae6ef8e7d5842bf1f1425fc23ce7b6c2265a62189eac14e966f-1295985855
id=8d1a2ece03010fe9610c852a70d13c22f9e91d93e39abc939a742d84b279ea64-1295996475
id=457278ad3bc382dd5159c0be8e9f2f2e3e1cf9191861b56497c81f21f423808d-1295996615
id=55d9afec1ad24fcfec03f03cbc7be9b6c21a614db87432e925cdc8112c551c5e-1295996949
id=73cc47196be7bd8c0f7764a46cb4488266bef2ea1ffccbdbd91cd0b62c79919d-1295997136
id=26f542326786e4facd624fcb170a71c6a2e709e23c8f4cffa4715e133869316b-1295980568
id=8f5c8ad99ded74d3cc233b691a803fc6f00ac3113ad67c6f6802ac3ea0f727fc-1295389644

Bruno Caseiro
Malware Researcher

SMS Ransomware. From Russia to the world

2010-10-27T09:07:00.000-07:00

The new generation of malicious code designed to increase the economic life of criminal groups through exercises that involve sending a text SMS message rate, is now a pattern that has already spread worldwide.

While this type of ransomware is developed for the Russian-speaking public, being a very common malware in Russia, any user anywhere in the world is a potential victim.

Daily offenders change the graphic design of what is shown on screen, although minimalist very aggressive, and always providing the necessary information so that, in theory, the victim can get the key to unlock access to the operating system, clear that exchange for a sum of money in this case, amounts to 360 rubles (just over $ 10).

SMS Ransomware template
The latest campaign to spread and infection of this family of ransomware, occurs with this design.

The truth is that despite not having a complex structure around its development; represent one of the malicious codes more aggressive and invasive. Not only because by blocking the system also blocks the ability to access any functionality and operating system software, but also while the user looks ransomware design, it’s reported against an affiliate business (usually the type Pay-per-Install), and in some cases, trying to steal information related to authentication credentials.

Related Information

New variant of SMS Ransomware ItW

Microsoft Security Antivirus ransomware
New SMS ransomware template with slight change
Campaign to disseminate russian ransomware
New Russian SMS ransomware In-the-Wild
SMS Ransomware porn template update
New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild

New variant of SMS Ransomware ItW

2010-10-20T20:07:00.000-07:00

Malicious code types Ransomware have become more emphatically positioned on the stage of the business malicious round about malware.

In this respect, far left the programs in this style using complex encryption algorithms exploiting conventional aspects of cryptovirologhy, to meet at the present with a sort of ransomware seeking to block access to the victim operating system, calling for minimum sums but daily feed back the economy by criminal groups.

This time, the template used is referred to in the following screenshot:

SMS Ransomware
New variant of SMS Ransomware requesting the sum of 400 rublos (Russian money)

This new variant is another example similar to the family those previously propagated, with the particularity of incorporating number keys on-screen, needed to "write" the number that will unlock the system.

This maneuver isn't capricious and responds to the strategic defensive and evasive to block the use of the keyboard, precluding any attempt to access internal programs of the affected system.

Although this new generation of ransomware aggressive approach does not address the abduction expressed by old programs in this category as GPCode malware, but is an extremely invasive and difficult to eradicate if it does not provide preventive tools available to protect infections of this caliber.

Microsoft Security Antivirus ransomware

2010-09-13T16:59:00.000-07:00

Criminal groups from Russia are trying constantly to raise money fraudulently, maliciously re-launched a proposal through a ransomware. In this case, the strategy is to display a window that is positioned in the center of the desktop, displaying a message in Russian under the title "Microsoft Security Antivirus".

Ransomware opening message
The window displayed by the ransomware is located in the center of the screen and block any possibility to access Windows programs

This malware is part of the same family that has plagued Internet ransom and are expressed through different designs, some more aggressive than others but ultimately with the same magnitude of risk and same objectives.

Although this variant does not endorse any websites with pornographic content, claims his reward through a text message SMS rate in this case, the number 89030064850. The reward consists of being the payment of 400 rubles (Russian currency).

Reward Request
In this way the offender makes an economic profit at the expense of a mechanism fraudulent and illegal, in many cases, requires users to pay the amount of money without a guarantee that you will receive the unlock key

The ransomware have become commonplace, providing a highly resource exploited by computer criminals who through affiliate systems collect the profits and manage the spread of the threat using specific crimeware.

Countermeasures
S!Ri has published some unlock codes can be used to regain control of the system. Thanks S!Ri

Number to Call: 89030139823
Number to Call: 89030065742
Code to unlock Windows: 77294738T

Number to Call: 89030064258
Number to Call: 89030064960
Number to Call: 89030065384
Number to Call: 89030139997
Code to unlock Windows: 720194320Q

New SMS ransomware template with slight change

2010-09-08T19:15:00.000-07:00

Recently a new variant of SMS ransomaware family that spread and promote pornographic sites, is In-the-Wild presenting a superficial makeover.

Several weeks ago a campaign is active through which spreads a variant of this type of ransomware, which displays a black window covering the entire desktop. This time, the window does not cover the entire desktop but is located in the center of it, but disables any possibility to access any of the applications of the system.

As in previous campaigns for the release request to send an SMS message such as a certain number requesting the sum of, according to the variants detected so far, 350, 400 and 410 rubles (Russian money).

SMS Ransomaware asking for 350 rubles

SMS Ransomaware asking for 400 rubles

Countermeasures

For cases where the requested ransomware 410 rubles for a key to unlock the system can use any of the following keys to unlock provided by SiR! from his blog (thanks SiR!):

Number to Call: 89654028516
Number to Call: 89654028759
Number to Call: 89654028794
Code to unlock Windows: 403947563!

Number to Call: 89654028519
Code to unlock Windows: $334327890$

Number to Call: 89654028477
Number to Call: 89654028491
Number to Call: 89654028518
Code to unlock Windows: $009264834$

Related information
Campaign to disseminate russian ransomware
New Russian SMS ransomware In-the-Wild
SMS Ransomware porn template update
New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild

Jorge Mieres
Founder & Director of MalwareIntelligence
Crimeware & Intelligence Analyst Researcher

Campaign to disseminate russian ransomware

2010-09-02T19:18:00.000-07:00

Updated 09/03/2010

S!Ri is doing a great job getting information needed to unlock this and other variants of ransomaware. Has kindly agreed to share with us their work by providing an update with new codes. Great job S!Ri and thank you very much for sharing data :)

Number to Call: 89654028569
Number to Call: 89654028703
Code to unlock Windows: !8912034'

Number to Call: 89654028578
Number to Call: 89654028597
Number to Call: 89654028594
Number to Call: 89654028566
Number to Call: 89654028563
Number to Call: 89654028583
Number to Call: 89654028725
Number to Call: 89654028717
Number to Call: 89654028703
Code to unlock Windows: (30958374)

Number to Call: 89654028562
Number to Call: 89654028563
Number to Call: 89654028590
Number to Call: 89654028595
Number to Call: 89654028598
Number to Call: 89654028578
Number to Call: 89654028614
Number to Call: 89654028723
Code to unlock Windows: ~2058205~

You can find more information about the type ransomware malware and rogue on his blog:

http://siri-urz.blogspot.com

Original 09/02/2010
Every so often a new ransomware campaign designed to block access to the operating system by displaying a message which requests to send a text message SMS rate to a certain number, in theory, to receive a key to regain control access to the system.

SMS Ransomware
The window occupies the whole screen by closing access to any program. When you enter the correct password, the window disappears and the binary executable is self-eliminated.

The distribution of this ransomware is being carried out since late July and so far has more campaigns. All show the same message and design style, but change the phone number to be sent the text message. Some of the executables that are part of this campaign are:

vip_porno_12730.avi.exe (5b1d7ce7acf6de3e8b7d856bdc6127ba) - PornoBlocker/LockScreen
vip_porno_49873.avi.exe (20830c687b1535aefa1f281fb1c6a513) - PornoBlocker/LockScreen
vip_porno_79341.avi.exe (6e4ecc96a88e36c9ec12d4b500aef331) - PornoBlocker/LockScreen
vip_porno_81380.avi.exe (3c637427af826f877a50c5a8763fe4f0) - PornoBlocker/LockScreen

The business of the offender is the percentage of money that is carried by each SMS that is recorded at these different numerical ranges, sent by the victims. The amount of money requested by the offender through the message to aspire to unlock access to the system is 400 rubles. That sum is expressed in Russian currency (рубль) and its equivalent in U.S. dollars is $ 13.

In all campaigns has appeared so far of this variant of ramsomware, provided the amount requested was 400 rubles.

Another peculiarity is that it belongs to the generation of ransom whose dissemination strategy is exploited using pornographic resources, either through websites or domains conditional content, using SEO strategies, are content with words that refer to the type of content referred to.

Countermeasures
Unlock the following codes:

89653625352
Unlock code: @34208923@

89653686497
Unlock code: 10779401

89653276574
Unlock code: 17661888

89652404438
Unlock code: !48950345!

89646283842
Unlock code: 10070000008000

89636385700
89636385707
89636385755
89636385675
Unlock code: $73747589$

89629911485
89629911932
89629911658
89629910152
89629910824
89629910747
89629910275
89629909846
Unlock code: 10200000000000003

89057635571
89055280410
89055280241
Unlock code: $73747589$

89055282108
Unlock code: ^77723094^

Related information

New Russian SMS ransomware In-the-Wild
SMS Ransomware porn template update
New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild

Jorge Mieres

AntiSpy Safeguard with new social engineering approach

2010-08-30T20:05:00.000-07:00

AntiSpy Safeguard is a new rogue that is In-the-Wild and that its spread is new coverage of using deception in a video shown and a false report in the style of the services offered by VirusTotal or Virscan.

The following image belongs to the inicial interface that is displayed in the first instance on a system infected by this rogue.

To read the full report MalwareIntelligence blog.

Related information

Litter Korean rogue lurking V
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!

Litter Korean rogue lurking V

2010-08-28T19:01:00.000-07:00

Another piece of rogue from Korea and belonging to the family of PrivacyKeep, PrivacyCorp and PCScan.

ProtectInfo
protectinfo.co.kr - 114.108.168.8 - DACOM-NET LG DACOM

The IP address also resolves the following domains:
ad-clear.com
privacycop.co.kr
privacykeep.co.kr
protectinfo.co.kr

protectinfo_home.exe (a48e62c64f68a2b32dc601efffa2973d)

update.protectinfo.co.kr/instchk.php

226
[COUNTER]
NUM=6

[CHECK1]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK2]
HKEY=HKLM
REGPATH=PrivacyCheck
REGNAME=DisplayName
REGVALUE=.......... ....

[CHECK3]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK4]
HKEY=HKLM
REGPATH=............
REGNAME=DisplayName
REGVALUE=............

[CHECK5]
HKEY=HKLM
REGPATH=..........
REGNAME=DisplayName
REGVALUE=..........

[CHECK6]
HKEY=HKLM
REGPATH=privacykeep
REGNAME=DisplayName
REGVALUE=............

[HISTORYREG]
PATH="............"

protectinfo.co.kr/app_linkage/app_install.php?addr=000C29CA888C&ptn=infocode0067
protectinfo.co.kr/app_linkage/app_setting.php?mac=00-0C-29-CA-88-8C

3d
payed=0
pw_usr=
pw_sup=1470
hp1=
hp2=
hp3=
small=300
big=300

log.adsence.co.kr/logexp.php?aid=protectinfo&pid=infocode0067&kind=inst
file.protectinfo.co.kr/update.php

protectinfo.exe=0.325
pnfoupdater.exe=0.113
pnfohk.dll=0.110
pnfouninst.exe=0.1
pnfowcher.exe=0.116
pnfopopd.dll=0.1

protectinfo.co.kr/app_linkage/app_boot.php?ver=.0.398
protectinfo.co.kr/popup_settle.html?addr=00-0C-29-CA-88-8C
protectinfo.co.kr/settlement/paysys/mobile/Deliver.php
protectinfo.co.kr/settlement/paysys/pbill/Deliver.php
protectinfo.co.kr/settlement/paysys/ars/Deliver.php

Countermeasures

Uninstall from Program Files
Running updated antivirus

Related information

Litter Korean rogue lurking IV
Litter Korean rogue lurking III
Litter Korean rogue lurking II
Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!

Jorge Mieres

Litter Korean rogue lurking IV

2010-08-22T08:38:00.000-07:00

Korean rogue fourth part of the "litter" that haunts the past few days looking for potential victims caught in Korea. At times the rogue that spread can have an option to change the language, so that coverage is much wider infection, however, in this case, it's directed at specific populations rogue.

PrivacyCorp
privacycop.co.kr - 114.108.168.8 - DACOM-NET LG DACOM

The IP is also the following domains:
ad-clear.com
info-dr.com

privacycop_setup.exe (8362c089bc4f7932dc885e23044cb2f6)
privacy_mediccop.exe (46f2a84d7217a5ca56208ea0b13c6f52)

The circuit is part rogue criminal systems led by members who pay a percentage of money for each installation of the threat spread. This case is no exception. The rogue reports successful installation immediately after infection.

privacycop.co.kr/app_linkage/app_install.php?addr=000C29CA888C&ptn=home
log.adsence.co.kr/logexp.php?aid=privacycop&pid=home&kind=inst
privacycop.co.kr/app_linkage/app_setting.php?mac=00-0C-29-CA-88-8C
3e
payed=0
pw_usr=
pw_sup=1470
hp1=
hp2=
hp3=
small=300
big=3660

file.privacycop.co.kr/update.php
6d
privacycop.exe=0.328
pvcupdater.exe=0.112
pvchk.dll=0.1
pvcuninst.exe=0.1
pvcwcher.exe=0.112
pvcpopd.dll=0.1

privacycop.co.kr/app_linkage/app_boot.php?ver=.0.4.5.3
privacycop.co.kr/popup_settle.html?addr=00-0C-29-CA-88-8C

Countermeasures
Terminate the processes called privacycop.exe and pvcwcher.exe. You can use the ProcessExplorer to view and terminate processes.

Uninstall from Program Files
Running updated antivirus

Related information

Litter Korean rogue lurking III
Litter Korean rogue lurking II
Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!

Litter Korean rogue lurking III

2010-08-22T06:16:00.000-07:00

PCScan is another rogue Koreans that have appeared in recent days, in addition to the two previously showed.

pcscan.kr - 114.108.129.233 - DACOM-NET LG DACOM

The IP also resolves the following domains:
eroza.net
master.to84.net
to84.net
www.tvbaro.net

Setup.exe (a85900759318ea66dc94ba789aae2cfe)
PCScan.exe (665b846b82d959843744d9d3a7b39bdc)
PCScanMon.exe (01cdb8f8955a4df6eebb1aca04d6a43c)
Uninstall.exe (76cd1340bded9d96050df30999f6274d)

Unistaller.exe file simulates the uninstaller antivirus program assumes, however, no effect arises because it’s false.

Check the following pages:
pcscan.kr/request/module_setup.php?p=PCScan&a=type1
pcscan.kr/request/License.txt
pcscan.kr/down/install.exe
down.elineguide.com/down/install.exe

pcscan.kr/down/files.php?strMode=setup&strID=PCScan&arg=type1&strSite=&strPC=000c29ca888c
pcscan.kr/down/PCScan.exe
pcscan.kr/down/PCScanMon.exe
pcscan.kr/down/Uninstall.exe
pcscan.kr/down/PCScanControl.dll

pcscan.kr/value.php?strMode=setup&strID=PCScan&arg=type1&strSite=&strPC=000c29ca888c&url=
pcscan.kr/settle.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr
pcscan.kr/bill_danal/bill_home/with_bill.php?strID=PCScan&arg=type1&strPC=000c29ca888c&strSite=pcscan.kr
pcscan.kr/consultation.php

Countermeasure

Terminate the processes called PCScan.exe. You can use the ProcessExplorer to view and terminate processes.

Remove PCScan folder (which houses six files) located in C:\Program Files\pcscan\

Delete the system registry pcscan key from HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run, which refers to "C:\Program Files\pcscan\pcscan.exe". You can use the Autoruns to view and delete the key.

Delete the desktop shortcut.

Running updated antivirus

Related information

Litter Korean rogue lurking II
Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!

Litter Korean rogue lurking II

2010-08-21T12:50:00.000-07:00

Se trata de otro rogue perteneciente a la camada que actualmente se encuentra al acecho. Su nombre es PC Boan Plus.

pcboanplus.com - 222.122.84.56 - KORNET KOREA TELECOM

Domains that resolve to the same IP:
postmaster.8282tv.co.kr
pspd.org

PcBoanPlus2SetupH.exe (0ab2cc07373a4b88a0084f12ae63f54f)

This rogue report a system of affiliates Pay-per-Install that resolves the domain to an IP address corresponding to the ISP "KRNIC".

211.33.123.40/pcboanplus/install.php?mac=000C29CA888C&partner=PcBoanPlus&ver=

file.pcboanPlus.com/app/updater/PcBoanPlus2Up.exe
file.pcboanplus.com/app/Client/PcBoanplus2.exe
pcboanplus.com/app/badinfo.php?Vn=2005010100&Kind=comp

s223.pc-korea.net/badlist/2010080700_badfile.dat

Countermeasure

Uninstall from Program Files
Running updated antivirus

Related information

Litter Korean rogue lurking I
PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!
Pirated Edition. Affiliate program Pay-per-Install
Pay-per-Install through VIVA INSTALLS / HAPPY INSTALLS in BKCNET “SIA” IZZI

Litter Korean rogue lurking I

2010-08-21T12:39:00.000-07:00

Language issues are not limited to developers of malicious code and the objectives of the criminals are far beyond any border, and although it is usually the largest flow of varieties are in English and, to a lesser extent Russian every now and then the guns are aimed at specific audiences, as in this case: Korean rogue.

MegaVaccine

megavaccine.com - 218.146.255.151 - KORNET KOREA TELECOM

The IP is also the following domains:
goodprivacy.co.kr
megavaccine.com
pc-privacy.co.kr
pc-up.co.kr
pcsweeper.co.kr
pctool.co.kr
privacyboan.com
privacyq.com
rprotect.co.kr
uprivacy.net
wowprotect.co.kr

megavaccine_setup.exe (2234041b04e072aa7585209fa66e8550)

down.megavaccine.com/autoupdate/MegaVaccine/MVaccine.exe
down.megavaccine.com/Update_db/addb.dat
down.megavaccine.com/Update_db/adsub.dat
down.megavaccine.com/Update_db/adtc.dat
down.megavaccine.com/Update_db/avmon.dat
down.megavaccine.com/Update_db/inter.dll
down.megavaccine.com/Update_db/pwdb.dat
down.megavaccine.com/Update_db/vsdb.dat
down.megavaccine.com/Update_info/2010081900-00-.txt
down.megavaccine.com/Update_ini/MegaVaccine/autoupdate.ini
down.megavaccine.com/app/weboard.html

Countermeasure

Uninstall from Program Files
Running updated antivirus

Related information

PC Defender Antivirus rogue update system registry
Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Desktop Hijack by Internet Security 2010. Your System Is Infected!

New Russian SMS ransomware In-the-Wild

2010-08-15T18:07:00.000-07:00

The development of malware designed to block access to the operating system is in full expansion. Despite being at present a very different generation of ransomware the first generations where, using cryptovirology, literally kidnapped by encrypting user files and requesting a financial compensation in exchange for the release key, the concept and goal has not changed.

In this case, it’s a new variant of SMS ransomware blocking access to the operating system screen showing an alleged safety report in which reference is an infection caused by a variant of trojan recruits zombie botnets for ZeuS is actually false.

The brief report is in Russian language with which it follows that the objectives of malware are the users of that country. However, the spread of the threat has no boundaries and no language limitations.

According to the text, to get a key to unlocking it's necessary to send a message such as SMS to 4161 with the message 2AV112239. This set of alphanumeric characters isn’t the only one who can show, as it has a list that is displayed at random. The list consists of the following springs:

2AV166522, 2AV288764, 2AV222419, 2AV288888, 2AV266555, 2AV119999, 2AV121436, 2AV178477, 2AV166522, 2AV111199, 2AV187211, 2AV133211, 2AV111223, 2AV243562, 2AV211246, 2AV244533, 2AV277631, 2AV233884, 2AV242665, 2AV233211, 2AV288599, 2AV299884, 2AV286442, 2AV248864, 2AV222464, 2AV288434, 2AV265543, 2AV211278, 2AV299977, 2AV165431, 2AV131313, 2AV132218, 2AV155543, 2AV166666, 2AV186443, 2AV155422, 2AV198775, 2AV144366, 2AV199797, 2AV197797, 2AV177979, 2AV166321, 2AV111229, 2AV155322, 2AV187532, 2AV112239, 2AV164554, 2AV134274, 2AV153221, 2AV311111, 2AV311112, 2AV311113, 2AV311114, 2AV311115, 2AV311116, 2AV311117, 2AV311118, 2AV311119, 2AV311120, 2AV311121, 2AV311123, 2AV311124, 2AV311125, 2AV311126, 2AV311127, 2AV311128, 2AV311129, 2AV311130, 2AV311131, 2AV311132, 2AV311133, 2AV311134, 2AV311135, 2AV311136, 2AV311137, 2AV311138, 2AV311139, 2AV311140, 2AV311141, 2AV311142, 2AV311143, 2AV311144, 2AV311145, 2AV311146, 2AV311147, 2AV311148, 2AV311149, 2AV311150, 2AV311151, 2AV311152, 2AV311153, 2AV311154, 2AV311155, 2AV311156, 2AV311157, 2AV311158, 2AV311159, 2AV311160, 2AV311161, 2AV311162, 2AV311163, 2AV311164, 2AV311165, 2AV311166, 2AV311167, 2AV311168, 2AV311169, 2AV311170, 2AV311171, 2AV311172, 2AV311173, 2AV311174, 2AV311175, 2AV311176, 2AV311177, 2AV311178, 2AV311179

The malware disables the possibility to access the system in Safe Mode and access the following programs:

TASKMGR.EXE
REGEDT32.EXE
MSCONFIG.EXE
EXPLORER.EXE
TEXPL.EXE
ANVIR.EXE

Countermeasure
Unlock using the following key:

Environ

Click the first button and press the Enter key.
Restart the system.
Delete the registry key from ctfmon.exe.

Run an updated antivirus.

Related information

PC Defender Antivirus rogue update system registry

2010-08-11T12:18:00.000-07:00

The criminals who are behind the development of PC Defender Antivirus rogue in the last few hours have updated the registration system for the false application.

The record in the first version was to send a text message SMS rate telephone number located in Russia, while this new version requests a serial number (supposedly under the hardware-locked system) generated using as part of a activation key.

It also adds a button (Buy) that redirects to a form hosted on Plimus, and updated the malware into English. The first version was only in Russian.

This action makes it quite evident that behind the spread of these threats, lies across an organization intended to develop malware to accommodate an underground economy that feeds, increasingly, fraudulent methods.

Phoenix Exploit's Kit and Pay-per-Install via PC Defender Antivirus

2010-08-11T11:07:00.000-07:00

Pay-per-Install is one of the business models by which an affiliate system provides a set of "clients" one or more malicious code, paying each a percentage of money as a commission for each installation the malicious application successful.

Phoenix Exploit's Kit is a crimeware by which intelligence is done collecting statistical information related to each of the infected computers. You enter through an access panel via the http protocol as we see in the screenshot.

PC Defender Antivirus is a rogue Russian origin whose spread is being made through Phoenix Exploit's Kit, reporting at the same time to an affiliate system that records the installation of each downloaded copy.

In addition to collaborating with the criminal circuit feeding back the fraudulent business through Pay-per-Install, the rogue has the grain of usual business whereby it’s intended that the fraudulent application is purchased, also via the web, this action involving form information stored somewhere confidential credit card. The cost of the rogue is USD 59.95.

Through Phoenix Exploit's Kit spreads a trojan downloader called exe.exe, in this case MD5 e49be7ef82250a36cf7410004ac3d69c that, after it establishes a connection to fordkaksosat.info (193.105.207.45 - AS50793 "ALFAHOSTNET") from which it downloads and executes the rogue (PCDefenderSilentSetup.msi - ecff63c1f983858dfd7fb926738cb478).

In this instance, the rogue is reported to the affiliate system to load the information on successful installation through count_installs.php file, and begins a malware scan issuing alerts about alleged attempts to connect infections and also false. This activity is usual in this type of malware to be one of their employers.

The release system for the alleged security application is similar to that used by some families of ransomware through the business model that involves sending a text message SMS to a specific type of phone number.

In this case, the information should be sent to the number 5711000002209 with the message 6681.

The threat has a timer which generates a false statement Blue Screen of Death (BSoD), in which shows the incentive to record the program, exerting a fear (psychological warfare) on the user that after reading this information might think register/buy what you think, this is a real antivirus solution.

Countermeasures
Terminate the processes called prockill32.exe, proccheck.exe and rundelay.exe. You can use the ProcessExplorer to view and terminate processes.

Remove PC Defender folder (which houses six files) located in C:\Program Files\Def Group\

Delete the system registry PC Defender key from HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run, which refers to c:\program files\def group\PC Defender\pcdef.exe. You can use the Autoruns to view and delete the key.

Related Information

Campaign infection through Phoenix Exploit's Pack

New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
Desktop Hijack by Internet Security 2010. Your System Is Infected!
LockScreen. Your computer is infected by Spyware!!!

SMS Ransomware porn template update

2010-07-22T19:58:00.000-07:00

A new variant of ransomware type blocker that promotes pornographic sites is In-the-Wild, with the inner slightly modified. Basically you have changed the number to which the victim must send messages like SMS. Now the number is 86571252 and the message remains the same: 6005.

Another change is in the location which holds the copy of the threat. In this case, the path is C:\Documents and Settings\Default User\Media\ under the name run32.exe. The first image shows the previous version, while the second corresponds to the new variant of the SMS Ransomware.

The ransomware is distributed, as in previous cases, through porn sites. This variant uses the same name as cover (flash_player.exe), its MD5 is 2e8f56ce39270e10f7082a35d13a735a and as I write this update has a detection rate average, 12/42 being detected by antivirus engines.

Countermeasures
Identify and terminate the process called "run32.exe." At this time ransomware window disappears.
** The name of the process can also be process32.exe.

*** To kill the process you can use Task Manager or the native Windows application ProcessExplorer.

Delete the following system information
Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module
Value:
AModule
"C:\Documents and Settings\Administrador\Media\run32.exe"
*** You can also use Autoruns application to view the record in an orderly manner.

Folders:
C:\Documents and Settings\Default User\Media

Files:
C:\Documents and Settings\All Users\Media\run32.exe
C:\Documents and Settings\All Users\Media\rdb.bat

Related information

New variant of ransomware through porn sites IV

2010-07-17T19:11:00.000-07:00

Another variant of the family ransomware of type blocker is In-the-Wild, using as cover for attacks to be the Flash Player installer via an executable file called flash_player.exe and whose MD5 is acf591ac5ad2a26bf348708dda174b33.

This time is also related to a porn site that opens immediately after infecting the system. However, unlike past versions, the window does not display an image block with conditional connotation.

As we see in the image, just simply presents the user requirements towards obtaining the necessary password to allow, in theory, to unlock the appearance of the annoying window, but does not occupy the whole desktop (also very common case in ransomware), the window stays malicious in the lower right of this, superimposed on any other window.

In this case the user should send a short text message SMS to 86577491 with message 6005.

When the binary is executed through a simple sentence written in BAT, tells the malicious application that copies itself to C:\Documents and Settings\All Users\Media under the name kasper_zaebal.exe, add a reference in Run registry key and adds information security area.

Parallel open a browser session by redirecting traffic to the porn site that resolves www.redtube.eu IP address 216.155.139.158 (AS20473 - CHOOPA), classified as malware server and C&C of some botnets.

Countermeasures
Enter the following code: 29543874

If you want to try a more "traditional" follow the steps below:

Identify and terminate the process called "kasper_zaebal.exe." At this time ransomware window disappears.

To kill the process you can use Task Manager or the native Windows application ProcessExplorer.

Delete the following system information

Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module
Value:
AModule
“%ALLUSERSPROFILE%\Media\kasper_zaebal.exe”

You can also use Autoruns application to view the record in an orderly manner.

Folders:
C:\Documents and Settings\All Users\Media

Files:
C:\Documents and Settings\All Users\Media\kasper_zaebal.exe
C:\Documents and Settings\All Users\Media\rdb.ba

Related information

New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild

New variant of ransomware through porn sites III

2010-06-20T10:54:00.000-07:00

Another variant is ransomawre In-the-Wild. Like previous variants, it spreads through porn sites. The case presented axporno.ru page uses a vector of propagation.

When infecting the computer displays a window that overlaps any other, and by showing the information needed to theoretically unlock the system.

When you try to close the image is displayed in a new window that provides information on how to eliminate it. The maneuver, as is usual in the latest generation of ransomware type blocker, is to encourage the user to send a text message SMS rate to a certain number (162772132) and certain information (3381).

Create files sc.ini and delself.bat, both housed in the System32 folder. The first stores information equivalent to the number of infection and route where the malware binary, while the second saves the information to remove some tracks.

sc.ini
600
C:\Documents and Settings\All Users\Media\module.exe

delself.bat
…
del C:\Documents and Settings\All Users\Media\module.exe
if exist C:\Documents and Settings\All Users\Media\module.exe goto try
del C:\WINDOWS\system32\sc.ini
del C:\WINDOWS\system32\delself.bat

The malware uses the service SmsCost (smscost.ru) to provide information on the cost of the SMS message.

In addition to promoting another page with sexually explicit material through which also spreads malware (amporno.ru).

Countermeasures
Remove the "module" process through task manager (Ctrl + Alt + Del).
Search and delete the following processes:

module.exe (MD5: 4D6C1F95ED90DDEE122FC749FCE1084E)
sc.ini (MD5: FEADA1AF5309D97A537D02DD6678E847)
delself.bat (MD5: E327DE8BC4BC1183CC9A60776717DA38)

Delete the folder hosted on Media C:\Documents and Settings\All Users\Media

Delete the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Module > c:\documents and settings\all users\media\module.exe

Install an updated antivirus security program and perform a deep scan mode.

Related information

New variant of ransomware through porn sites II

New variant of ransomware through porn sites

Another very active SMS Ransomware

SMS Ransomware for Windows In-the-Wild

New variant of ransomware through porn sites II

2010-05-04T04:26:00.000-07:00

A new variant of this malware is In-the-Wild. It spreads through pornographic websites. When the user clicks on any of the images that presents the page to view the video course, an alert box warns about the need to install the Flash Player 10 application and offers the download of executable called flash_player.exe course (f26c45393af03e80a40ea06aafb01c63).

Like the case previously presented in this blog, this is a ransomware that displays a window with pornographic content.

As usual in this type of malicious code in order to eliminate the annoying image, requests to send a text message SMS rate (3381) to a specific phone number (84234321)

In addition, constantly opening a website with pornographic content is also hosted at IP address 77.247.179.176

Countermeasures
Delete the following processes:

plugin.exe
watcher.exe

Delete the folder hosted on Media C:\Documents and Settings\All Users\Media

Delete the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Module > c:\documents and settings\all users\media\plugin.exe

Or unlock with the following code: 19282736

Related information
Copyright violation: copyrighted content detected

New variant of ransomware through porn sites

Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
Desktop Hijack by Internet Security 2010. Your System Is Infected!
LockScreen. Your computer is infected by Spyware!!!

Copyright violation: copyrighted content detected

2010-04-24T20:47:00.000-07:00

New ransomaware In-the-Wild that under the excuse of being issued by an alleged entity that protects copyrights, tries to obtain money by deception strategy that seeks to "negotiate" with the victim to pay a fine.

At the time of executing its payload, operating system crashes showing a window as shown below, in which "warned" of the alleged violation of the copyright in the computer to detect copyright material.

The information presented on the screen can be displayed in ten languages: English, Czech, Danish, Dutch, French, German, Italian, Portuguese, Slovak and Spanish. This feature shows the professional looking for the attackers because every translation is well done, which is achieved by outsourcing translation work.

On occasion wallpaper set as the following image:

Furthermore, to ensure a good level of credibility, the strategy uses the legal aspect of the present as set forth in the Copyright Law of the European Union, and displays information from the headquarters of the agency who understands this type of conflict, depending on country is the victim.

For geo-location information, the malware establishes a connection from IP address 91.209.238.2 found in Moldova, Republic Of Eugenia E. Groza reporting IP address, and then do a whois to establish the country of origin of the victim.

> 91.209.238.2/m5tools/ip.php
> 91.209.238.2/m5tools/whois.php

Countermeasures
Press the Ctrl + Alt + Del to bring up task manager.
End process "iqmanager.exe"
Delete the folder IQmanager that is located in C:\Documents and Settings\Administrator\Application Data
Delete the Desktop icon

Enter the code below: RFHM2-TPX47-YD6RT-H4KDM

Related information
New variant of ransomware through porn sites
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
Desktop Hijack by Internet Security 2010. Your System Is Infected!
LockScreen. Your computer is infected by Spyware!!!

New variant of ransomware through porn sites

2010-04-19T16:03:00.000-07:00

The targets of this ransomware are the visitors to pornographic sites. In this case it's a type ransom "Blocker" that when activated displays a little message, and in the lower right corner of the screen, an image with pornographic content.

Here is an example:

Calls on sending an SMS message like the number 3862816 with the text 8353 in order to unlock the opening of this picture, besides eliminating the automatic opening of pornhub.com porn site (146.82.200.125).

The malware, which MD5 is db836ddad526869bc750b62fbe36e936 has a low level of detection: 6/40 (15.00%)

Countermeasures
Delete the following processes:

plugin.exe
watcher.exe

Delete the folder hosted on Media C:\Documents and Settings\All Users\Media

Delete the following registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Module > c:\documents and settings\all users\media\plugin.exe

Related information

Dangerous trojans, keyloggers and Spyware detected in you computer!!!

Another very active SMS Ransomware

SMS Ransomware for Windows In-the-Wild

LockScreen. Your computer is infected by Spyware!!!

Dangerous trojans, keyloggers and Spyware detected in you computer!!!

2010-03-13T06:12:00.000-08:00

This is a new variant of ransomware that is In-the-Wild with, so far, a poor detection rate, the report from VirusTotal. Only 9 of 42 detected by antivirus engines.

It's a technique used by some scareware aggressive to try to "compel" the victims to "buy" the alleged antivirus solution is, in fact, the scareware.

In this case, the malware is hidden under a file called avlck.exe (md5: 04cb597a4ffddfbae9a76cde53833ab7). When run blocking access to the system screen showing the image above position which is expressed in an alleged problem of infection.

In that instance the malware connects to the site

Make a copy of itself into the Windows System folder under the name myserv.exe, and a reference in the registry Run key.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

KeyMy c:\windows\myserv.exe 

Countermeasures

Restart in Safe Mode and delete the file myserv.exe found in the Windows folder.
Delete the reference KeyMy (c:\windows\myserv.exe) located in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Unlock the system to any of the following keys:

PozisyonAyarla
HerZamanUstte

Related information

Another very active SMS Ransomware

SMS Ransomware for Windows In-the-Wild
LockScreen. Your computer is infected by Spyware!!!

myLoader. Base C&C to manage Oficla/Sasfis Botnet

2010-03-07T17:48:00.000-08:00

myLoader a particular purpose Framework developed to manage the activities of a botnet. The data reflected in this report were collected based on the study of the criminal activities of a botnet containing a quantity of more than 210,000 zombies zombies.

We describe the potential threat of this crime through the breakdown of the modules comprising the package that allows the management of the botnet ophicleide / Sasfis. Also presents some information that helps explain his behavior both in propagation strategy as in the processes of infection and prevention to help counteract their actions.

Spanish | English | Author: Jorge Mieres | Malware Intelligence | 2010, March

Another very active SMS Ransomware

2010-03-05T05:00:00.000-08:00

Ransomware activities originating with Russia don't stop. Constantly looking for committing fraudulent business feeding the information located in the system.

In this case, it's another ransomware that is In-the-Wild, and its detection rate is very low.

When the malicious binary is executed, it causes an alleged error in IE.

Just create a plain text file called xFoLOOOSErs.txt with the following information:

installed
19793214

And creates a registry key.

The number stored in this file corresponds to the telephone number the user must send an SMS to unlock the system. However, this is not the only number that uses the cyber criminal, and that also can display the following:

1971482
19777877
197852
197971412

Furthermore, the number of activation may vary between:

5370
5373
7250

Technical data:
MD5: 0cc435c5bfe3444ce7151f8f2a319728
SHA1: 9c00c70b220da9b59fc9be55d37d7a1f94abb2e0
File size: 71168 bytes
Packer: -

Countermeasures

For any telephone numbers used by this variant of ransomware and above can use any of the following codes:

0000000
1973143

Maintain updated antivirus program.

Related information

SMS Ransomware for Windows In-the-Wild
LockScreen. Your computer is infected by Spyware!!!

SMS Ransomware for Windows In-the-Wild

2010-03-04T20:55:00.000-08:00

Within the criminal business of the malicious code, a variant of well-known are the strategies implemented by ransomware malware type, where the main objective is financial gain in exchange for the return of something maliciously "hijacked".

In this case, it's the operating system crash by a malware Russian origin. According to the nomenclature of antivirus companies, the same is detected under names alluding to Blocker (Comodo/Fortinet/Kaspersky), LooksLike (McAfee), LockScreen (ESET), Fraud (Avast), Winlock (DrWeb), Dunik! Rts ( Microsoft).

Malware pretends to be the executable to install Flash Player using a file called install_flash_player.exe (ff27289c8a5ac530ce876bc08fe45f1e).

However, to be executed, the operating system crashes through a window, which is expressed in the Russian language (a feature which indicates its orientation toward the Russian audience) the order to send a text message SMS to a particular type phone number to get the unlock key.

Generated in the folder %temp% the files asd [x].cbt (D6110298A4E241BE6E7031ADA220BACC) and asd[x].tmp (this is a MZ file) (5E9C2819DA8463278F0CFA3C1CCAFF70), where [x] is a random number, found under the nomenclature Ransom PogBlock by some AV companies. The latter is the binary that controls the pop-up blocking system.

The ransomware disables the Task Manager and blocks the ability to access the system in Safe Mode by generating a reboot loop through a BSoD.

This activity is under the framework of the business of criminal malware itself, which the malware author attempts through the cost benefit that requires the sending of SMS. A more within the criminal world of crimeware that even if it's addressed to the Russian public, constitutes a serious threat to any system.

Countermeasures
Restart in Safe Mode.
Delete the file asd[x].tmp alocated in %temp%.
Delete the following registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
c:\documents and settings\administrador\configuración local\temp\asd1.tmp
Maintain updated antivirus program.

The easiest part. Unblock with any of the following keys:

code:592100041 unlock:2002972524
code:592131650 unlock:3807350716
code:592108426 unlock:2111921530
code:592128602 unlock:838761711
code:592122374 unlock:4272582034
code:592100773 unlock:3071200006
code:592109181 unlock:2803729885
code:592109325 unlock:1494973728
code:592129826 unlock:3062337563
code:592105732 unlock:2478558886

Note: Should appear on your display a different number for those exposed, send an email to with the number disastersteam[at]malwareint[dot]com to receive the unlock key.

Related information
LockScreen. Your computer is infected by Spyware!!!

SpyEye Bot (Part two). Conversations with the creator of crimeware

2010-02-23T17:31:00.000-08:00

In recent weeks, SpyEye (a new financial trojan) has been the talk of many for the positive acceptance was so in the underground scene due to its balance about cost/benefit, and the great impact that achievement to whiten the features in its latest version that allows systems to eliminate the activities of your competition: ZeuS.

Our previous report, “SpyEye. Analysis of a new crimeware alternative scenario,” addressed known technical issues involving the activities of this threat.

In this second part we present the exclusive interview by Ben Koehl, Crimeware Researcher of Malware Intelligence. Through interviews with the creator of crimeware, we reveal information that shows some of the thought process and brains behind the creator of SpyEye. We also see the source code for the Zeus Killer addition.

The way that Gribodemon thinks is not unique anymore in the cybercrime world. We are seeing individuals and groups becoming more specialized in the services they provide and are no longer spreading themselves thin. There are many industries within the cybercrime world. From coding to infrastructure support to public relations.

There was a large language barrier between me and the author so I had to keep the questions short and basic so his translator program could handle them (Lingvo.) We broke up the conversation in pieces to make it flow better to the reader.

This document can be downloaded from:

English version
Spanish version

Related information
SpyEye Bot. New bot on the market
Compendio Anual de Información. El crimeware durante el 2009

Jorge Mieres

SpyEye Bot. Analysis of a new alternative scenario crimeware

2010-02-10T14:13:00.000-08:00

Earlier this year saw the light in the underground black market that moves the axes of crimeware, a new application designed to provide feedback for criminal and fraudulent business.

This application, called SpyEye, is aimed at facilitating the recruitment of zombies and managing your network (C&C - Command and Control) through management panel via the web, from which it is possible to process the information obtained (intelligence) and stored in statistics, a common activity of criminal packages today.

Depending on their characteristics, very similar to those proposed by his counterpart ZeuS, SpyEye is presented as a potential successor to this within the scenario crimeware. Furthermore, it is evident that the criminal activities now represent a large business where cyber criminals and would-be cyber criminals abuse their "kindness".

This document describes the activities of SpyEye from the stage of infection giving relevant information about their purpose.

The full document can be downloaded from:

Spanish version
English version

Related information
Compendio Anual de Información. El crimeware durante el 2009
SpyEye Bot. New bot on the market

Jorge Mieres

Crimeware in 2009

2010-01-05T09:03:00.000-08:00

"Crimeware in 2009" presented in one document all that was channeled through this blog during the year in question on crimeware and associated hazards.

There are a total of 262 pages and is divided by the most relevant topics that describe the criminal activities that were a source of news on this blog. Has two indices for getting the news in a simple (content) and another on the images (image index).

Then let some of the themes they found in the document in question:

Current business outlook caused by crimeware
Framework Exploit Pack for botnets general purpose
Framework Exploit Pack for botnets particular purpose
Services associated with crimeware
Intelligence in the fight against crimeware
Campaigns of spread and infection
Other Exploits packs that were investigated

Short information
Malware Intelligence
Annual compendium of information. Crimeware in 2009
262 pages
Spanish language

Download

Jorge Mieres

Desktop Hijack by Internet Security 2010. Your System Is Infected!

2009-12-26T12:22:00.000-08:00

The Desktop Hijack is to "hijack" the desktop background, changing the image and blocking its configuration defined in a way that this can not be restored. This is a clear indication that the system was the victim of a malicious code, a kind of rogue, also known as scareware.

Internet Security 2010 is a rogue who performs this activity. The same is distributed through a crimeware called Siberia Exploit Pack. Below is a screenshot of the Desktop Hijack.

When this malware infects your system, then block the Desktop background settings, installs in the Program Files folder. This threat is aimed at Windows platforms infection in English, so that those who have Spanish versions aren't affected. We then see a screenshot of the interface of the rogue.

Each particular seconds, deploy dissuasive actions designed to generate "fear" in the user through warnings about malicious activity generated by alleged infections. Some of the warnings are:

In order for the user, looking for a solution to the alleged problems of infection, finish buying the full version of the antivirus program. To which, in this instance, you must access via a web form from which you request the "product", even, in some cases you may find advice in real time.

This modus operandi is common and is a rogue employer, including "purchase form" that in many cases until they are supported by https. In this case, Internet Security 2010, is marketed at a cost of nearly USD 50, so if you believe that its spread is related to a botnet, is easy to deduce the amount of money that criminals get through this type of activities.

Countermeasures
Terminate the processes called winupdate86.exe and IS2010.exe (eventually you can find the process winlogon86.exe).
NOTE: The malware can deshactiva conventionally access to cmd, registry and the Task Manager, therefore, to complete the process easily recommend using Process Explorer.

Then, access the system registry and delete the following keys:
In HKLM\Software\Microsoft\Windows\CurrentVersion\Run delete the key Internet Security 2010.
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run delete the key winupdate86.exe.
Under HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Userinit change the call reference that points to C:\WINDOWS\system32\winlogon86.exe with C:\WINDOWS\system32\userinit.exe.

Unregister the dll call winhelper86.dll
NOTE: To perform this action you must access the Start/Run/cmd and type regsvr32 /u [dll name].

Delete the folder InternetSecurity2010 located at C:\Program Files, and files 41.exe (this number may vary found files with numeric names such as 5705.exe, 28145.exe, etc.), winhelper86.dll, winlogon86.exe and winupdate86.exe found in C:\WINDOWS\system32\.

Remove also the direct link called Internet Security 2010 which is on the Desktop and reboot the machine.

Install and run an updated antivirus

Malware Disasters Team

LockScreen. Your computer is infected by Spyware!!!

2009-12-14T20:08:00.000-08:00

LockScreen is a trojan designed to block access to the operating system as a primary resource using the fear factor.

First, when activated displays a warning about an alleged infection caused by spyware, inciting to buy an antispyware which is really other malicious code. On the other hand, states that "if not eliminate spyware from the system in three hours, will be formatted".

Thus, the user victim of this malicious code will be forced to take extreme measures to try to access the operating system, or accept the purchase of a false solution to get the unlock key.

This activity is typical of the concept ransomware, which produces the "kidnapping" of the operating system or part thereof, but through more complex processes which usually involves some encryption algorithm and the "payment" (usually money) to obtain the unlock key.

Although malware isn't a complex, currently has a low detection rate, being detected only by 11 antivirus companies a total of 41, as shown in the report of VirusTotal.

Technical Data
MD5: f3a7d1054e79dda8e8a16901d95770e1
SHA1: c1887445b1fd5d89f61e638231d554c5bcff49ab
File size: 32768 bytes
Packer: -

Countermeasure

Restart the computer in Safe Mode Errors (by pressing the F8 key during startup) and delete the file "benimserverim.exe" which is hosted in the Windows folder.

Then clean the system registry by removing the key "benimAnahtar" from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

In case you can not restart the computer in Safe Mode Errors, another alternative is to restart the computer and for the moment, after the inception of the desktop is displayed, quickly press the Ctrl + Alt + Del to access the Task Manager and end the process called "Project1".

Then delete the file "benimserverim.exe" hosted in the WINDOWS folder and the registry key "benimAnahtar" found at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Or... the password required to unlock the system is DosyaYolu.

Malware Disasters Team

Waledac/Storm. Past and present a threat

2009-12-13T16:08:00.000-08:00

At the beginning of 2007 jumped from the darkness to begin a malicious code to be a source of important news because of their particular strategies of deception and a major campaign at the global level of infection that still remain a subject of research by the community security.

This is Storm, aka Nuwar or Zhelatin depending on the identity assigned by the antivirus companies, although it's known as "storm", perhaps alluding to the manner in which systems ravaged by which he transformed into zombies, recruiting teams under the command of the botnet.

At present, the threat posed Storm hasn't been to one side, but transferred to its twin brother, Waledac, which remains essentially the characteristic of trying to innovate in terms of apology necessary for the spread and recently has awakened after a period of hibernation.

Some features of this threat are:

The spread is through the unwanted e-mail (spam)
Uses deception strategies (Social Engineering) different for each campaign to spread
Through a link embedded in the body of a message routed to a site where malware is downloaded
The infected computers are part of a botnet
To complete the cycle of infection through the spread of spam
Fast-Flux networks
They have polymorphic capabilities at the server level

During virtually the entire 2007, Storm (the first appearances as a strategy of deception used to display a video on a storm unleashed in Europe) used as a means of propagation/infection e-mail with questions and topics varied inciting to click on a link embedded in the message body, which in some cases direction of a page (some of them also tried to spread Storm exploit vulnerabilities using iframe tags as resources) and others directed to the download of a binary in Storm both cases.

Already for next year (2008), Storm joined the "surprise effect" linking the e-mail link provided to a web site that accompanied the excuse presented in the case of mail with an image alluding also to the theme that, the as in 2007, rotating with each major event (Valentine's Day, Independence of the USA, Christmas, etc). In addition, some variants spread through blogs.

After several months of inactivity in terms of the spread of the threat, in January of this year appears Waledac, a trojan that uses the same mechanisms used by Storm and many security professionals are beginning to see the similarity between them.

After several investigations, says that Waledac is, one might say, the twin brother of Storm. Using the same methodologies of Social Engineering with a broad portfolio of images and themes used as an excuse to capture users' attention. Passing through images rather the typical "love" for the month of Valentine Cases of alleged terrorist attacks, among others, to the recent course on a video on YouTube.

There are, among others, two very interesting features in both Waledac Storm: the use of Fast-Flux networks and polymorphic capabilities on the server.

The first of these threats were allowed to spread across different IP addresses and using different domain names that constantly rotate between each other with the name resolution. This causes, through a certain time to live (TTL) pre-configured every x amount of jumps between nodes (infected computers) from the same domain, you download a different prototype of malware.

This leads to the second feature, the polymorphism. In this way, each time the package (malware) is established TTL attempt to download a different version of the malicious code to be "changes" every certain amount of time (also predetermined by the attacker) establishing capacity polymorphic.

The diagram below provides the direct relationship, over time, the threat was used as a strategy of deception.

Each of the zombies that are part of the botnet created by Waledac, focus your intentions in sending spam. In this sense, a very interesting extract from a report that says Waledac has the ability to send about 150,000 spam emails per day.

Perhaps, then you know that Storm/Waledac are running campaigns with high rates of spread of infection globally and overcrowded, it's clear that their creators are continuing their criminal operations for a financial issue, which is nothing new for malware today.

via Pistus Malware Intelligence Blog
Malware Disasters Team

Symbiosis malware present. Koobface

2009-12-13T16:01:00.000-08:00

Koobface is a worm designed to exploit the user profiles of popular social networks like MySpace and FaceBook in order to obtain sensitive and confidential information of their victims, although the latest versions limiting their goal FaceBook. In fact, the word Koobface is a transposition of the word Facebook.

His early versions date back to late 2008 and since then continues In-the-Wild with an infection rate of concern. Thus, the same company released a series of preventive measures to minimize the potential risk of infection, which is constantly latent for users who use the social network.

In principle, the usual means of dissemination used Koobface is via web through visual Social Engineering and is the first facet of propagation.

The second facet (infection) channeled their malicious actions in a very common at present, based on a combination of malware, creating a symbiosis where each component of ambient display instructions to seek a common objective and comprehensive.

But let's see which are these components that form a part of the stage of infection of the variant Koobface. NBO. This worm, detected nowadays by approximately 31 companies antivirus of 41 (75.61 %), on having infected the system establishes connection with the following URL's:

http://oberaufseher.net/img/cmd.php
http://pornfat.net/img/cmd.php

It also downloads the following malware:

TrojanDownloader.Small.OCS Troyano
Tinxy.AD Troyano
Tinxy.AF Troyano
BHO.NOE Troyano
Koobface.NBH gusano
PSW.LdPinch.NEL Troyano

From the technical point of view, some data can be collected in the brief preliminary analysis of each of the malicious code downloaded by Koobface:

The trojan TrojanDownloader.Small.OCS has a detection rate of 35/40 (87.5%) creates keys in the registry and backs himself.

HKLM\SOFTWARE\Microsoft\MSSMGR\
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\winccf32
C:\WINDOWS\system32\winccf32.dll (copy of itself).

Tinxy.AF, another trojan, it also creates files in the system and has a detection rate of slightly less than the previous 30/40 (75.00%).

C:\windows\ld09.exe
C:\docume~1\user\locals~1\temp\podmena.bat

The trojan Tinxy.AD has a detection rate of 35/40, was detected by approximately 87.50% of the virus. Creates a copy of itself and makes use of the tool to enable a NetShell DLL, open ports, and specify a proxy.

C:\WINDOWS\system32\SYSDLL.exe (copy of itself)
netsh add allowedprogram "SYSDLL" C:\WINDOWS\System32\SYSDLL.exe ENABLE
netsh firewall add portopening TCP 80 SYSDLL ENABLE
netsh firewall add portopening TCP 7171 SYSDLL ENABLE
netsh winhttp set proxy proxy-server="http=localhost:7171" Agrega la información del proxy en:HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /d "http=localhost:7171" /f

BHO.NOE is another of the trojans as part of the process of infection Koobface, with a detection rate of 92.11% (35/38), create a folder and a file.

C:\WINDOWS\system32\796525
C:\WINDOWS\system32\796525\796525.dll

As to PSW.LdPinch.NEL trojan, detected by 34 antivirus of 40 (85.00%), is designed to steal passwords from different web browsers, mail clients, IM clients and other services.

Finally, download a variant of the family, the worm Koobface.NBH, in this case, the detection rate was 27/40 (approx. 67.50%).

As we can see, the infection of this malware isn't just limited to malicious instructions they have, but it goes beyond that and download another. This action is a common behavior in the present, where the fusion of Web applications and control of botnets and the administration of different types of malware, joining forces with a common goal: improving the economics of crime.

via Pistus Malware Intelligence Blog
Malware Disasters Team

Swizzor reload. Adware and control of P2P networks

2009-12-05T15:20:00.000-08:00

P2P networks are one of the sources used to propagate different types of malicious code. That makes him very dangerous vector for those who don't take into account certain preventive measures.

Moreover, the main function is to deploy adware popups displaying advertising without us even asking him many times after infection, it can display advertising even when a connection is made.

This is an increasingly common case where different types of malware interact with each taking control of the computer to download and install additional malware.

Nomenclature: NSIS/TrojanDownloader.Swizzload.A (ESET)
Md5: e2a2089255811ff295cdb695e426adc4
Sha1: 99eccdc87671138b9f4b15b0610bef8a3df418b6
Report VirusTotal 15/41 (36.59%)
Packer: NSIS

It spreads through web pages using a strategy of social engineering. When run a number of file download from which there is an update of itself.

From install.x3codec.com/get_file.php?file=program&program=codec_x3 download:

Nomenclature: -
File: x3codec.exe located in codec_x3.zip
Md5: 06579ded81b2b648c5106d4732a4b06f
Sha1: a2d05264eeb807e5fadd3bd60df3c0b6495c5a75
Report Virus Total 0/41 (0.00%)
Packer: -

From install.x3codec.com/get_file.php?file=program&program=p2pc download

Nomenclature: Trojan-Dropper.Agent (Ikarus)
File: p2pc.exe alojado en p2pc.zip
Md5: 9964ee2867cb2128c8f3c84b311bdb86
Sha1: a83edbe783856edf5c1838e2e1f9df9bca6ea6f2
Report Virus Total 3/41 (7.32%)
Packer: NSIS

Nomenclature: Downloader.Agent (Ikarus)
File: VistaPutcher.exe alojado en p2pc.zip
Md5: c899655cf6c26eadcd4f8adbc32d7da6
Sha1: f316b3d09519cb73b512a58be6b7b688374839eb
Report Virus Total 9/41 (21.95%)
Packer: NSIS

After checking a number of information in the system makes the connection against connect.p2pcontrol.com/?command=install&uid={EE72CD72-7427-E246-A983-AF903B5DEC0E}&affid_tr=&os=XP where down the instructions to install the programs.

The aim is to control the downloads through P2P networks by establishing a number of eDonkey servers and Kademila.

From http://connect2.p2pcontrol.com/?command=download&filename=known_e.met establishes the following servers:

208.53.131.220:4662
208.53.131.221:4662
76.73.89.210:61895
208.53.131.220:27600
208.53.131.221:7258
76.73.77.66:52352
76.73.77.66:53352
208.53.131.221:4500

From install.x3codec.com/get_file.php?file=minime connects to http://space.cachefly.net/7714569/ and download the malware

Nomenclature: a variant of Win32/TrojanDownloader.Swizzor.NCV (ESET)
File: minime.exe
Md5: 898a21afe498579797e8bc8163f4b1e2
Sha1: 817f44e1fbf98f51f3266a35b246af757574ebd1
Report Virus Total 22/39 (56.41%)
Packer: -

It also installs adware, responsible for changing the settings of Internet Explorer and Firefox through the following lines:

[InternetExplorer]
MinVersion=6
HomePage=http://www2.iesearch.com/
DefaultSearchEngine=Ask
SearchUrl=http://www2.iesearch.com/s/?q={searchTerms}&iesrc={referrer:source?}
GuidHash=x3Codec-search

[FireFox]
MinVersion=2.0
HomePage=
DefaultSearchEngine=Ask
SearchUrl=http://www2.firesearch.com/s/?q={searchTerms}&src=FF-SearchBox

Some countermeasures

Uninstall programs Ask Search, P2PControl and x3Codec
Delete the folders option bird and x3Codec located in the Program Files
Delete entry inside eggs located in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Delete entry eggs joy math type located in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete the folder option bird located in X:\Documents and Settings\Administrator\Application Data. This folder contains the files: SEEKOWNSMETA.exe [a variant of Win32/TrojanDownloader.Swizzor.NDE Trojan (ESET)]. borereadmebike.exe [a variant of Win32/TrojanDownloader.Swizzor.NCS Trojan (ESET)]. tfonuuvu.exe [E:\malware\not\tfonuuvu.exe - a variant of Win32/TrojanDownloader.Swizzor.NCY Trojan (ESET)]
Restart your computer
Delete the folder Bind army eggs joy located in Documents and Settings\All Users\Application Data
Change the start page in the browser and delete temporary files
Run your antivirus program updated

Malware Disasters Team

IMPORTANT READ

2009-12-01T15:17:00.000-08:00

Malware Disasters Team is comprised of a group of enthusiasts who are dedicated to the study and analysis of what computer security is known under the term "Malicious Code" (Malware).

The intention is to concentrate in this space, a series of brief analysis, curiosities and manual disinfection proposals to help counter the negative effects that these types of threats caused by infecting a system.

About proposals that seek to eliminate certain actions caused by an infection, we must bear in mind that the steps mentioned herein may change depending on the variant and family of malware, and from any point of view completely solves the problems that might have caused the infection.

However, in complex problems where it isn't possible to access certain features of the operating system, the manual removal of certain harmful actions can help regain control of the system.

On the other hand, also helps the study and understanding of the most common patterns that identify malicious activities and strategies different from malicious code.

Accordingly, it leaves established that the contents of this site has as primary aim to provide the information necessary to understand how these threats and to act accordingly.

The author also takes no responsibility for the misunderstanding that it could ever have of what transpired in this site, or the consequences which might arise in the implementation of countermeasures provided.

Malware Disasters Team is a division of MalwareIntelligence.

Malware Disasters Team