Fermats Security Alerts

Spyware Danger Meets Rootkit Stealth

2005-06-22T09:37:00.000-07:00

Cool Web Search spyware has gotten nastier and harder to remove. A new variant is using rootkit-like methods to hide from removal attempts.

Read more on how the Cool Web Search Spyware Danger Meets Rootkit Stealth

Spyware Floods In Through BitTorrent

2005-06-17T17:50:00.000-07:00

The new darling of file trading formats, BitTorrent, is now a distribution point for spyware/adware.

The article states that Direct Revenue and Marketing Metrix Group are responsible for the infected files. Check your HiJack This logs for "nail.exe" , "aurora.exe". They will be listed alongside "btdownloadgui.exe".

Marketers that use adware/malware like this should be considered lower than lawyers and used car salesman. If you're one of these scumbags please, please, do the world a favor by going home and killing yourself.

These are full details on how Spyware Floods In Through BitTorrent

Download HiJack This and others at this Spywareinfo page.

New Triple virus wears down computer defences

2005-06-08T17:21:00.000-07:00

A three way tag team of baddies is out there waiting to turn personal computers into zombies

Here's where to read more about how the New Triple virus wears down computer defences

Spoofing Risk Returns to Mozilla Browsers

2005-06-07T17:40:00.000-07:00

Watch surfing trusted sites and strange sites at the same time is the word from Secunia, a Denmark-based security company. New versions of Mozilla browsers have just now been found to have a frame-injection vulnerability.

Never fear though, the Mozilla foundation is already looking into it. And take notice, they didn't have anyone arrested or sued for pointing out a vulnerability.

Read about how the Spoofing Risk Returns to Mozilla Browsers

WORM_BOBAX.P - Description and solution

2005-06-03T13:18:00.000-07:00

As of June 3, 2005, 1:38 AM PDT (Pacific Daylight Time/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BOBAX.P. TrendLabs has received several infection reports indicating that this malware is spreading in Australia, India, Ireland, Japan, Peru, Singapore, and the United States.

This memory-resident worm usually arrives on a system as a downloaded file of TROJ_SMALL.AHE. It spreads by sending a copy of TROJ_SMALL.AHE as an attachment to an email message that it sends using its own Simple Mail Transfer Protocol (SMTP) engine.

The message it sends out contains the following details:

Subject: {blank}

Message body: (any of the following)

• Attached some pics that i found
• Check this out :-)
• Hello,
• I was going through my album, and look what I found..
• Long time! Check this out!
• Osama Bin Laden Captured.
• Remember this?
• Saddam Hussein - Attempted Escape, Shot dead
• Secret!
• Testing

(followed by any of the following strings)

• +++ Attachment: No Virus found
• +++ F-Secure AntiVirus - You are protected
• +++ Norman AntiVirus - You are protected
• +++ Norton AntiVirus - You are protected
• +++ Panda AntiVirus - You are protected
• +++ www.f-secure.com
• +++ www.norman.com
• +++ www.pandasoftware.com
• +++ www.symantec.com

Attachment: (any of the following names followed by a .ZIP extension)

• bush.1
• funny.1
• joke.1
• pics.1
• secret.2

When an unsuspecting user executes the Trojan attachment, TROJ_SMALL.AHE downloads WORM_BOBAX.P, and the vicious worm-Trojan cycle continues.

It also propagates by taking advantage of the Windows LSASS vulnerability. Furthermore, it is capable of modifying the system's HOSTS file in order to prevent users from accessing certain Web sites.As of June 3, 2005, 1:38 AM PDT (Pacific Daylight Time/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_BOBAX.P. TrendLabs has received several infection reports indicating that this malware is spreading in Australia, India, Ireland, Japan, Peru, Singapore, and the United States.

This memory-resident worm usually arrives on a system as a downloaded file of TROJ_SMALL.AHE. It spreads by sending a copy of TROJ_SMALL.AHE as an attachment to an email message that it sends using its own Simple Mail Transfer Protocol (SMTP) engine.

The message it sends out contains the following details:

Subject: {blank}

Message body: (any of the following)

• Attached some pics that i found
• Check this out :-)
• Hello,
• I was going through my album, and look what I found..
• Long time! Check this out!
• Osama Bin Laden Captured.
• Remember this?
• Saddam Hussein - Attempted Escape, Shot dead
• Secret!
• Testing

(followed by any of the following strings)

• +++ Attachment: No Virus found
• +++ F-Secure AntiVirus - You are protected
• +++ Norman AntiVirus - You are protected
• +++ Norton AntiVirus - You are protected
• +++ Panda AntiVirus - You are protected
• +++ www.f-secure.com
• +++ www.norman.com
• +++ www.pandasoftware.com
• +++ www.symantec.com

Attachment: (any of the following names followed by a .ZIP extension)

• bush.1
• funny.1
• joke.1
• pics.1
• secret.2

When an unsuspecting user executes the Trojan attachment, TROJ_SMALL.AHE downloads WORM_BOBAX.P, and the vicious worm-Trojan cycle continues.

It also propagates by taking advantage of the Windows LSASS vulnerability. Furthermore, it is capable of modifying the system's HOSTS file in order to prevent users from accessing certain Web sites.

Get the complete picture on WORM_BOBAX.P - Description and solution

WORM_MYTOB.BI - Description and solution

2005-06-03T13:15:00.000-07:00

As of May 31, 2005 9:11 AM PDT (Pacific Daylight Time), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_MYTOB.BI. TrendLabs has received several infection reports indicating that this malware is spreading in Belgium, Japan, Korea, India, United States, United Kingdom, and Germany.

Similar to other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment (file size is around 29,868 to 29,882 bytes) to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine. Upon execution, it drops a copy of itself using the file name LIEN VAN DE KELDERRR.EXE in the Windows system folder.

The email message it sends has the following details:

Subject: (any of the following)

- {Random}
- *DETECTED* Online User Violation
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Account Has Been Locked
- *WARNING* Your Email Account Will Be Closed
- Account Alert
- Email Account Suspension
- Important Notification
- Notice of account limitation
- Notice: **Last Warning**
- Notice:***Your email account will be suspended***
- Security measures
- Your email account access is restricted
- Your Email Account is Suspended For Security Reasons

Message body: (any of the following)

- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- please look at attached document.
- Please read the attached document and follow it's instructions.
- Please see the attachement.
- The original message has been included as an attachment.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We attached some important information regarding your account.
- We have suspended some of your email services, to resolve the problem you should read the attached document.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: (any combination of the following file names and extensions)

File name:
- {random}
- account-details
- document
- document_full
- email-doc
- email-info
- info
- information
- info-text
- instructions
- your_details

Extension:
- BAT
- CMD
- EXE
- PIF
- SCR
- ZIP

It gathers target email addresses from the Temporary Internet Files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm also takes advantage of the LSASS vulnerability to propagate. For more information about the said vulnerability, please refer to the following Microsoft Web page:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

It opens a random port, allowing a remote user to access and perform malicious commands on affected machines. The said routine provides the remote user virtual control over affected systems, thus compromising system security.

Moreover, it prevents affected users from accessing several antivirus and security Web sites by redirecting the connection to the local machine. It also terminates several processes.

This worm also downloads a file, which Trend Micro detects as TSPY_AGENT.H. The downloaded file then drops an adware that Trend Micro detects as ADW_MEDTICKS.A.

It affects Windows 98, ME, NT, 2000, and XP.

Get all the details at WORM_MYTOB.BI - Description and solution

WORM_MYTOB.AR - Description and solution

2005-06-03T13:13:00.000-07:00

As of May 30, 2005 3:12 AM YEAR TIME PST (PDT/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_MYTOB.AR. TrendLabs has received several infection reports indicating that this malware is spreading in Australia, China, Hongkong, India, Japan, Korea, Philippines, Taiwan, United States.

The following is a brief summary of what this worm is capable of doing:

This memory-resident worm propagates by sending a copy of itself as an attachment to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.

This email message has the following details:

Subject: (any of the following)
• {Random}
• *DETECTED* Online User Violation
• *IMPORTANT* Please Validate Your Email Account
• *IMPORTANT* Your Account Has Been Locked
• *WARNING* Your Email Account Will Be Closed
• Account Alert
• Email Account Suspension
• Important Notification
• Notice of account limitation
• Notice: **Last Warning**
• Notice:***Your email account will be suspended***
• Security measures
• Your email account access is restricted
• Your Email Account is Suspended For Security Reasons

Message body: (any of the following)
• Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
• please look at attached document.
• Please read the attached document and follow it's instructions.
• Please see the attachement.
• The original message has been included as an attachment.
• To safeguard your email account from possible termination, please see the attached file.
• To unblock your email account acces, please see the attachement.
• We attached some important information regarding your account.
• We have suspended some of your email services, to resolve the problem you should read the attached document.
• We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.

Attachment: (any combination of the following file names and extension names)

File name:

• {random}
• account-details
• document
• document_full
• email-doc
• email-info
• information
• info
• info-text
• instructions
• your_details

Extension name:

• EXE
• PIF
• SCR
• ZIP

This worm also takes advantage of the LSASS vulnerability to propagate.

This worm also has backdoor capabilities. It comes with a built-in Internet Relay Chat (IRC) bot that allows it to connect to a specific IRC server. It then waits for commands from a remote user.

It also terminates processes, some of which are related to antivirus and security programs.

More Details on WORM_MYTOB.AR - Description and solution

Download Lavasofts Adaware SE 1.06 Free

2005-05-28T00:58:00.000-07:00

Lavasoft has a new version of Adaware out, SE version 1.06. Download it here Download Lavasofts Adaware SE 1.06 Free.

Scroll down the page to the section titled "Adaware SE Personal" The only choice of download sites is C/Net's Download.com

Malicious Bots Hide Using Rootkit Code

2005-05-20T13:00:00.000-07:00

Good article on rootkits at the link below. Windows XP/2K are vulnerable to these, whereas Win 9x is not. There are a couple of products for detecting and removing rootkits. One is Systernals freeware Rootkit Revealer. available at Rootkit Revealer

The other is F-Secures Blacklight. This is a timelimited beta product. It will stop functioning on July 1st 2005. After that I assume F-Secure will begin charging. Blacklight has to have .NET installed for its GUI. The beta is located here Blacklight

Malicious Bots Hide Using Rootkit Code

Windows 2K Security Patch

2005-05-14T13:18:00.000-07:00

This patch fixes the "Greymagic" Bug In Windows 2000 Pro, Server and Advanced Server. This bug allows the preview pane, or Web view, in Windows Explorer to be targeted to launch malicious code on machines running Windows 2000 Professional, Windows 2000 Server and Windows 2000 Advanced Server.

Microsoft said its Windows 98, Windows 98 SE (Second Edition) and Windows ME (Millennium Edition) operating systems were also affected, but because the bug isn't rated "critical," patches were not released.

Microsoft where security comes first huh? You can download the patch for Win 2k at the link below.

Download details: Security Update for Windows 2000 (KB894320)

Firefox 1.0.4 Update

2005-05-14T12:50:00.000-07:00

The update to fix the java exploit in Firefox is out. Go download it at the link below. As always after you download the install package go to control panel | add/remove then scroll down and select your current version of Mozilla Firefox and then click Remove to uninstall it.

Now don't panic, your settings will remain in place. After the uninstall is done just install the new version of Firefox and open it up. Any themes, extensions, plugins, personal settings, homepages or whatever will be there ready to use. If you turned off java and javascript then click tools | options | web features and check both the boxes and you're good to go.

Firefox 1.0.4 Update

Zero-Day Firefox Exploit Sends Mozilla Scrambling

2005-05-11T20:46:00.000-07:00

Yes Virginia, it's true. There's a hole in Firefox. It's being fixed as we speak but for now make sure you have the latest update to Sun's Java. (Control Panel then click the Java icon and select update.)Then in an open Firefox browser window click tools | options | web features and uncheck Java and java script. This will give the maximum protection. Of course it will make browsing a real pain in the ass since every freaking web site on the net these days seems to have to java something or other. Personally I just turn it on when I really need it for some idiot page. I remember when using Javascript in your page code meant your page was a security risk.

Zero-Day Firefox Exploit Sends Mozilla Scrambling

WORM_WURMARK.J - Description and solution

2005-05-11T20:33:00.000-07:00

The worms crawl in , the worms crawl out... Sheesh, here's another one that'll clutter up my inbox with crap. I really wish people would use protection on the internet. The infection rate is getting worse than a Asian whorehouse.

As of May 11, 2005 4:30 AM (Pacific Daylight Time/GMT -8:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_WURMARK.J. TrendLabs has received several infection reports indicating that this malware is spreading in France, India, Taiwan, and Singapore.

This memory-resident worm propagates via email messages. Upon execution, it drops a copy of itself in the Windows system folder using a random file name.

It also drops a randomly named (Dynamic Link Library) DLL file in the Windows system folder, which is a component of < I >IESpy, a spyware program.

This worm has a keylogging capability. It saves the logs typed by the user in a dropped random DLL file.

It drops several .ZIP files in the Windows system folder as email attachment.

This worm propagates by sending a copy of itself via email. The email message contains the following details:

Subject: (any of the following)
-details
-girls
-image
-love
-message
-music
-news
-photo
-pic
-readme
-resume
-screensaver
-song
-video

Attachment: (any of the following file names)
-details.zip
-girls.zip
-image.zip
-love.zip
-message.zip
-music.zip
-news.zip
-photo.zip
-pic.zip
-readme.zip
-resume.zip
-screensaver.zip
-song.zip
-video.zip

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy - 174 (uploaded)
Official Pattern Release - 2.625.00
Damage Cleanup Template - 596

For more information on WORM_WURMARK.J, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WURMARK.J

WORM_WURMARK.J - Description and solution

WORM_MYTOB.EG - Description and solution

2005-05-10T11:58:00.000-07:00

Fast on the heels of MYTOB.ED comes the EG variant. Read up and watch what you open.

Subject: (any of the following)
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Account Has Been Locked
- {random}
- Email Account Suspension
- Notice: **Last Warning**
- Notice:***Your email account will be suspended***
- Security measures
- Your email account access is restricted
- Your Email Account is Suspended For Security Reasons

Message body: (any of the following)
- Account Information Are Attached!
- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- please look at attached document.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We have suspended some of your email services, to resolve the problem you should read the attached document.
- {random}

Attachment: (any of the following file names)
- {random}
- document_full
- email-doc
- email-info
- email-text
- IMPORTANT
- information
- info-text
- your_details

(any of the following extensions)
- BAT
- CMD
- EXE
- PIF
- SCR
- ZIP

It gathers target email addresses from the Temporary Internet Files folder, Windows address book (WAB), as well as from files with certain extension names. It may also generate email addresses by using a list of names and any of the domain names of the previously gathered addresses.

This worm has backdoor capabilities, which allow a remote user to perform malicious commands on the affected machine. The said routine provides remote users virtual control over affected systems, thus compromising system security.

Moreover, it prevents users from accessing several antivirus and security Web sites by redirecting the connection to the local machine.

WORM_MYTOB.EG - Description and solution

WORM_MYTOB.ED - Description and solution

2005-05-09T13:30:00.000-07:00

Another day, another new worm. Read all about it folks, and as always, do your updates.

WORM_MYTOB.ED - Description and solution

Trend Micro Alert - WORM_Sober.s

2005-05-03T12:04:00.000-07:00

I've been getting a lot of notifications from my ISP that messages containing this worm have been sent to my accounts. Be careful out there and as always; Update, Update, Update!

As of May 2, 2005, 11:50 AM (Pacific Daylight Time/GMT -7:00), TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SOBER.S.
TrendLabs has received numerous infection reports indicating that this malware is spreading in Germany and the U.S.A.

This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extensions names. Notably, it avoids sending messages to addresses that contain specific strings.
Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they have won tickets for the upcoming FIFA World Cup 2006 in Germany.

The email it sends out has the following details:

From: (any of the following)
. Admin
. hostmaster
. info
. postmaster
. register
. service
. webmaster

Subject: (any of the following German subjects)
. Glueckwunsch: Ihr WM Ticket
. Ich bin's, was zum lachen ;)
. Ihr Passwort
. Ihre E-Mail wurde verweigert
. Mail-Fehler!*
. WM Ticket Verlosung*WM-Ticket-Auslosung

(or any of the following English subjects)
. Re:
. Your Password
. Registration Confirmation
. Your email was blocked
. mailing error

Message body: (any of the following)

. Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
*-* http://www.
*-* MailTo: PasswordHelp

. Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter http://www.

. Folgende Fehler sind aufgetreten:

. Fehler konnte nicht Explicit ermittelt werden

. End Transmission

. Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden. Wir bitten Sie, dieses zu beruecksichtigen.

. Auto ReMailer# [

. Nun sieh dir das mal an!
Was ein Ferkel ....

. Herzlichen Glueckwunsch,
--- FIFA-Pressekontakt:
ok ok ok,,,,, here is it
r die 64 Spiele der Weltmeisterschaft 2006 in Deutschland sind Sie dabei.
Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang.
ok2006
Team
St. Rainer Gellhaus
error-
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de

. Account and Password Information are attached!
Visit: http://www.

. AntiVirus Service
**** WebSite: .

Attachment: (any of the following)
. mail_info.zip
. okTicket-info.zip
. LOL.zip
. _PassWort-Info.zip
. autoemail-text.zip

TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 171
Official Pattern Release 2.611.00
Damage Cleanup Template 588

For more information on WORM_SOBER.S, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.S

Beware How You Google

2005-05-03T11:39:00.000-07:00

I'm back from vacation and ready to alert you again. So here's a real nasty one that can result from a simple mistyping of Google's name in your browsers address bar. Read this one closely folks.

Beware How You Google

New Jeans - WORM_JEANS.A

2005-03-28T00:33:00.000-08:00

From the Trend Micro Weekly Virus Report

New Jeans - WORM_JEANS.A (Low Risk)

WORM_JEANS.A is a memory-resident worm that attempts to propagate via email with itself as an attachment, using its own Simple Mail Transfer Protocol (SMTP) engine. It may use a polymorphic engine to drop a file containing the source code of the worm, and then recompile it to produce a different
appearance. While the inclusion of source code in the worm is not new behavior (BAGLE variants included this), the recompilation of the dropped source code is. This "courier virus" behavior is described as the worm being able to carry within itself, its whole source code and eventually dropping and recompiling it in the infected computer to create new variants of itself. It infects computers running Windows 98, ME, NT, 2000, and XP.

Upon execution, the worm drops a copy of itself as INCUBATOR.SCR in the Windows folder or BIGFISH.SCR in the Windows system folder. It creates registry entries
that allow it to automatically execute at every system startup. It also adds registry entries such that when certain applications are executed, this worm runs instead of the programs selected.

This worm attempts to propagate via email. It searches for target email addresses in files with the following file name extensions:

* .asp
* .htm
* .xml

It retrieves SMTP servers in the system registry, and then attempts to send a copy of itself as an attachment using its own SMTP engine. The email message that it attempts
to send, contains the following details (however, due to bugs in its code, this worm is not able to execute this propagation routine):

From: Don Quijote y Sancho Panza
Subject: juas juas cuidadin con el attachhhhrrrr!!!!!
Message body: juas juas juas peaso de bicho que lleva el attach!!! juas juas!!! ;D
Vallez\29a
Attachment: soyunpeasodebichooooooo.scr

This worm may also display a message box with the following:

Win32.Genome coded by ValleZ/29a

New Jeans - WORM_JEANS.A

Mozilla Foundation Security Advisories

2005-03-24T01:56:00.000-08:00

Another new update/version of Firefox. Why another 4+ meg download so soon? To repair three problems.
MFSA 2005-32 Drag and drop loading of privileged XUL
MFSA 2005-31 Arbitrary code execution from Firefox sidebar panel
MFSA 2005-30 GIF heap overflow parsing Netscape extension 2

Go get it Folks. Download Firefox 1.0.2

Oh and as always with Firefox, even though there is no admonishment to do so on the download site, I have found it better to uninstall the old version before installing the new. Yes, your prefs and customizations will still be there so don't worry. After all, this ain't M$ crapware.

Mozilla Foundation Security Advisories

If you use Mozilla's Thunderbird email program (and you should!) there's an update to version 1.0.2 for it also.
Download TBird 1.0.2

Security Flaws in McAfee

2005-03-21T23:12:00.000-08:00

Yeah and Symantec just patched one also. Big corporate structures make for slow reaction times and bottom lines drive software releases.

I'll stick with AVG thank you.

Security Flaws in McAfee AntiVirus

and on a related note, you might want to read this article as well. A bit dated in security terms but still interesting in light of the McAfee and Symantec flaws.

Security Flaws Found in McAfee AntiVirus

FTC Says Anti-Spyware Vendor Shut Down

2005-03-20T13:51:00.000-08:00

If you purchased Spyware Assassin you had better read this. The free scan returned bogus spyware reports and apparently the program sold did not actually remove any spyware.

Of course why anybody would willingly purchase spyware removers when Spybot S&D and Adaware can had for free boggles my mind. Even M$ has a free spyware removal giveaway.

FTC Says Anti-Spyware Vendor Shut Down

SPIT Into This, Please

2005-03-20T12:47:00.000-08:00

If it ain't SPAM it's SPIT.

For landline phone users the no call list provided some relief from the idiot telemarketers. But if you're into using your broadband connection for a phone line (a la Vonnage) get ready for a flood of unwanted calls. Read the article below to see what's coming to your internet phone line.

SPIT Into This, Please

Sysinfo.org

2005-03-20T12:03:00.000-08:00

Here's a handy page to have around to check on entries in your Registry. Of course registry hacking is not for the faint of heart, as it can and will decimate your system if you screw up. Consider this carefully before using this resource. Always make a backup of your registry first. If you don't backup first, I have NO sympathy for your dumb ass.

Sysinfo.org

Trend Micro's Weekly Virus Report

2005-03-18T14:05:00.000-08:00

Antispyware Killer - TROJ_ASH.A (Low Risk)

TROJ_ASH.A is a destructive, memory-resident Trojan that terminates and deletes all files related to Microsoft Windows Antispyware. It also steals information related to online banking Web sites, by monitoring a user's Internet transactions at certain online banking sites. It runs on Windows 95, 98, ME, NT, 2000, and XP.

This memory-resident Trojan arrives in a system as the file ASH.DLL, in the Windows system folder. It may also be downloaded by the user from the Internet. Before installation, the Trojan checks whether Microsoft Windows Antispyware is installed. If found, it attempts to terminate and delete all files related to this application.

This Trojan steals information related to online banking Web sites, by monitoring the user’s Internet transactions and waiting for the user to access the following online banking sites:

* https://ibank.barclays.co.uk
* https://ibank.cahoot.com
* https://olb2.nationet.com
* https://online.lloydstsb.co.uk
* https://www.bankofscotlandhalifax-online.co.uk
* https://www.ebank.hsbc.co.uk
* https://www.ebank.hsbc.co.uk
* https://www.millenniumbcp.pt
* https://www.ukpersonal.hsbc.com

When the Trojan detects visits to any of these banking sites, it displays a spoofed .HTML page to trick the user into entering their account information. The stolen data is then sent to a remote user.

The Trojan then drops the following log files in the Windows folder, to store the information it gathers from the user:

* Email.log
* Pass.log
* Req.log

In addition to gathering user IDs and passwords, it also gathers email addresses found in the user's system. It gathers email addresses from files with the following extensions:

* .*ht*
* .adb
* .asp
* .dbx
* .doc
* .eml
* .msg
* .oft
* .ph*
* .pl*
* .rtf
* .tbb
* .tx*
* .uin
* .vbs
* .wab
* .xls
* .xml

This Trojan also terminates certain processes, and modifies the HOSTS files. These HOSTS files contain the mappings of IP addresses to host names. This file is loaded into the computer’s memory at startup. Windows checks this file before it connects to a requested Web site. If a requested Web site is listed in the HOSTS file, any attempt to connect to this site is redirected back to the local machine (which is your computer’s IP address). It also blocks other applications from connecting to the Internet, as long the Web site that it attempts to connect to, is listed in the HOSTS file.

HOSTS files are useful for blocking ads, banners, cookies, and known malicious Web sites. However, this technique is now being employed by various malware to prevent users from accessing antivirus and security related Web sites.

This Trojan adds many lines in the system's HOSTS file, preventing a user from accessing the listed Web sites. View the complete list of terminated processes and lines added.

If you would like to scan your computer or TROJ_ASH.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

TROJ_ASH.A is detected and cleaned by Trend Micro pattern file #2.497.00 and above.

3. Top 10 Most Prevalent Global Malware
(from March 11 to March 17, 2005)

1. HTML_NETSKY.P
2. WORM_NETSKY.P
3. JAVA_BYTEVER.A
4. TROJ_SMALL.SN
5. TROJ_DFC.A
6. JAVA_BYTEVER.B
7. SPYW_GATOR.D
8. TROJ_BAGLE.BG
9. WORM_RBOT.GEN
10. TROJ_STARTPA.A

Trend Micro's Weekly Virus Report

Are You Safer With Firefox?

2005-03-16T15:04:00.000-08:00

Good article to read, especially if you're new to Firefox. Here's one excerpt to show you why:

"In Firefox for Windows you can set the options at Tools| Options | -Advanced-|Software Update to check Firefox servers periodically for updates to the program. It will find version 1.0.1, but all it will do is download the whole program and start the installer. On the Linux version you can only update Extensions and Themes, not the program code."

Are You Safer With Firefox?