Monday, October 4, 2010

How to Detect and Remove the Trojan.IRCBot



1. What is the Trojan.IRCBot
Trojan.IRCBot is a malicious backdoor Trojan that abuses the popular IRC (Internet Relay Chat) protocol and can cause a range of unwanted problems on an infected computer.
Trojan.IRCBot.Gen can open a backdoor on your computer that allows a remote attacker to use Internet Relay Chat (IRC) to control your system remotely, send the worm to other IRC channels, update the Trojan, download and execute additional malware on your PC, perform Denial of Service (DoS) attacks against a specific target and send spam email messages, all using your computer's Internet connection.
This network-aware worm uses known exploits to replicate across vulnerable networks. To spread through a network, Trojan.IRCBot.Gen can use the common TCP ports also used by other worms: 135, 139, 445 or 593. This capability makes it a real threat to company networks and servers. Using it as a backdoor, a remote attacker can compromise sensitive company data.
The most common ways to get infected with this worm are of three types:
by visiting Warez sites,
downloading pirated software from P2P networks,
or by opening an infected email attachment.
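As an added example, not from the newsletter or from Sax2, the Python below turns the replication behaviour described above into a detection rule: a single source connecting to many distinct hosts on TCP 135/139/445/593 within a short window. The flow records and their layout (timestamp, source, destination, destination port) are constructed.

```python
"""Flag hosts fanning out to the SMB/RPC ports Trojan.IRCBot.Gen uses to spread.

Added example, not part of the original newsletter. The flow records below are
constructed; the field layout (timestamp src dst dport) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the newsletter names as the worm's replication targets.
WORM_PORTS = {135, 139, 445, 593}

# Constructed sample: one workstation sweeps five peers in 20 seconds, another
# host makes two unrelated file-share connections, a third only browses the web.
SAMPLE_FLOWS = """\
2010-10-04T09:00:01 10.1.1.23 10.1.1.50 445
2010-10-04T09:00:04 10.1.1.23 10.1.1.51 445
2010-10-04T09:00:09 10.1.1.23 10.1.1.52 135
2010-10-04T09:00:15 10.1.1.23 10.1.1.53 139
2010-10-04T09:00:21 10.1.1.23 10.1.1.54 593
2010-10-04T09:00:30 10.1.1.77 10.1.1.10 445
2010-10-04T09:00:31 10.1.1.88 93.184.216.34 80
2010-10-04T09:10:00 10.1.1.77 10.1.1.11 445
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_fanout(flows, window=timedelta(seconds=60), min_targets=4):
    """Return {src: sorted distinct dsts} for every source that contacts at least
    min_targets distinct hosts on WORM_PORTS inside any sliding time window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport in WORM_PORTS:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):
            # advance the window start until all events fit inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {d for _, d in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets | set(hits.get(src, [])))
    return hits


if __name__ == "__main__":
    for src, dsts in find_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible worm fan-out from {src}: {len(dsts)} hosts -> {dsts}")
```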

2. How to detect the Trojan.IRCBot with Sax2
Please update the Sax2 policy knowledge base promptly. We have added policies to Sax2 to detect Trojan.IRCBot: once Sax2 detects Trojan.IRCBot attempting to establish a connection with remote hosts, it breaks the connection immediately to protect your network and business.
(Figure: Sax2 detected Trojan.IRCBot attempting to establish a connection with remote hosts)
(Figure: Sax2 broke the connection successfully)
3. How to manually remove Trojan.IRCBot
Files associated with Trojan.IRCBot infection:
svchost.exe
1clickpcfix.exe
takod.exe
WindowsLive.exe
system32.exe
egun.exe
Trojan.IRCBot processes to kill:
svchost.exe
1clickpcfix.exe
takod.exe
WindowsLive.exe
system32.exe
egun.exe
Remove Trojan.IRCBot registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ svchost
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ 1 Click PC Fix - 3.5
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\takod
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ Windows Live
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ Windows System32 Monitor
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ Windows System Guard
4. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit https://store.malwarebytes.org/342/cookie?affiliate=13249&redirectto=Malwarebytes-Anti-Malware.htm&product=29945 and download Malwarebytes' Anti-Malware to help you.

How to Detect and Remove the Trojan.FakeAV

1. What is the Trojan.FakeAV
Trojan.FakeAV is a malicious trojan horse that may represent a high security risk for the compromised system or its network environment. Trojan.FakeAV, also known as Trojan.Win32.Small.ccz, creates a startup registry entry and may display annoying fake alerts of malware payloads in order to persuade users to buy rogue antispyware products. Trojan.FakeAV contains characteristics of an identified security risk and should be removed once detected.

a. File System Modifications
%CommonFavorites%\_favdata.dat
%Temp%\eapp32hst.dll
%Temp%\PRAGMAb224.tmp
%Temp%\PRAGMAb253.tmp
%Temp%\PRAGMAc84c.tmp
%Temp%\TMP43307.tmp
%Temp%\topwesitjh
%Temp%\wscsvc32.exe
%Windir%\PRAGMAsesmccxtir\PRAGMAc.dll
%Windir%\PRAGMAsesmccxtir\PRAGMAcfg.ini
%Windir%\PRAGMAsesmccxtir\PRAGMAd.sys
%Windir%\PRAGMAsesmccxtir\PRAGMAsrcr.dat

Notes:
%CommonFavorites% is a variable that refers to the file system directory that serves as a common repository for all users' favorite items. A typical path is C:\Documents and Settings\All Users\Favorites (Windows NT/2000/XP).
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
The following directory was created:
%Windir%\PRAGMAsesmccxtir
b. Memory Modifications
There were new processes created in the system:
Process Name | Process Filename | Main Module Size
wscsvc32.exe | %Temp%\wscsvc32.exe | 314,368 bytes
c. Registry Modifications
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000\Control
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA\versions
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAsesmccxtir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAsesmccxtir\modules
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE]
f7c5da73-b4a5-4947-8f40-08f2871eb36b = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
DisableTaskMgr = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups]
ConvertedToLinks = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "PRAGMAsesmccxtir"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000]
Service = "PRAGMAsesmccxtir"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "PRAGMAsesmccxtir"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PRAGMASESMCCXTIR]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "PRAGMAsesmccxtir"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR\0000]
Service = "PRAGMAsesmccxtir"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "PRAGMAsesmccxtir"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PRAGMASESMCCXTIR]
NextInstance = 0x00000001
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\feature_enable_ie_compression]
svchost.exe = 0x00000001
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
ProxyEnable = 0x00000000
[HKEY_CURRENT_USER\Printers\Connections]
affid = "396"
subid = "landing"
[HKEY_CURRENT_USER\Software]
24d1ca9a-a864-4f7b-86fe-495eb56529d8 = ""
7bde84a2-f58f-46ec-9eac-f1f90fead080 = ""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 0x00000001 (to prevent users from starting Task Manager, Taskmgr.exe)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
dfrgsnapnt.exe = "%Temp%\dfrgsnapnt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA]
affid = "5"
type = "no"
build = "no"
subid = "direct"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAsesmccxtir\modules]
PRAGMAd = "\systemroot\PRAGMAsesmccxtir\PRAGMAd.sys"
PRAGMAc = "\systemroot\PRAGMAsesmccxtir\PRAGMAc.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAsesmccxtir]
start = 0x00000001
type = 0x00000001
imagepath = "\systemroot\PRAGMAsesmccxtir\PRAGMAd.sys"
The following Registry Values were deleted:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) =
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) =
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Cache =
d. Other details
There was a registered attempt to establish a connection with the remote host. The connection details are:
Remote Host | Port Number
91.212.127.86 | 80
91.212.127.96 | 80
The data identified by the following URL was then requested from the remote web server:
http://mediafulluns.com/any3/5-direct.ex
http://www.searchaverage.org/a/ad
http://searchaverage.org/readdatagateway.php?type=stats&affid=396&subid=landing&version=4.0&adwareok

2. How-to's
a. Please update the Sax2 policy knowledge base promptly. Once Sax2 detects the communication of these trojans, it breaks the connections to protect your network and business.
b. How to Remove the Trojan.FakeAV Manually?
Step 1 : The associated files of Trojan.FakeAV to be deleted are listed below:
File Name | File Size | MD5
CLADD | 2560 | e229a2fa3acd3f307ede63b89db833a4
WI3e94.exe | 1943552 | 02fed38ea8975716f5f8f2595f905010
ddexpshare.exe | 790528 | 8b4840953e5511d0a08ee67ff0034e2c
services.exe | 47616 | da9976cd71469bbcf0f87ec40e2ce798
Step 2 : The registry entries of Trojan.FakeAV that need to be removed are listed as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*]

c. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

3. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

How to Detect and Remove the Trojan-Banker.Win32.Banbra

1. What is the Trojan-Banker.Win32.Banbra
Trojan-Banker.Win32.Banbra is a malicious Trojan designed to steal banking details. Trojan-Banker.Win32.Banbra uses stealth tactics to enter the PC before downloading other harmful files from the Internet. Trojan-Banker.Win32.Banbra steals financial data like credit card numbers and online banking login details by taking screen snapshots of user activity. Trojan-Banker.Win32.Banbra also downloads additional components and poses a severe security risk to computer safety.

a. File System Modifications
%AppData%\36383.js
%AppData%\hotfix.exe [file and pathname of the sample #1]
%AppData%\srsf.bat
Notes:
%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
b. Memory Modifications
There were new processes created in the system:
Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 3,796,992 bytes
hotfix.exe | %AppData%\hotfix.exe | 3,796,992 bytes
c. Registry Modifications
The following Registry Key was created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The newly created Registry Values are:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
WarnOnPost = 0x00000000
WarnOnZoneCrossing = 0x00000000
WarnOnPostRedirect = 0x00000000
WarnonBadCertRecving = 0x00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "%AppData%\hotfix.exe" (so that hotfix.exe runs every time Windows starts)
The following Registry Value was deleted:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
WarnOnPost = 01 00 00 00
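As an added example (not part of the newsletter), the audit below parses a registry export for the markers listed in the Trojan.FakeAV and Trojan-Banker.Win32.Banbra sections above: Task Manager disabled through DisableTaskMgr, Internet Explorer warning prompts silenced, the Winlogon Shell value pointing at a dropped executable, and Run entries launching from %Temp% or %AppData%. The export text is constructed and the function names are mine; a real export comes from `reg export`.

```python
"""Audit a registry export (.reg text) for the persistence and tamper markers
described for Trojan.FakeAV and Trojan-Banker.Win32.Banbra.

Added example, not part of the original newsletter. SAMPLE_REG is constructed.
"""

# Markers taken from the newsletter's registry listings.
SUSPICIOUS_RUN_DIRS = ("%temp%", "%appdata%",
                       "\\local settings\\temp\\", "\\application data\\")
WARN_VALUES = {"warnonpost", "warnonzonecrossing",
               "warnonpostredirect", "warnonbadcertrecving"}

# Constructed export: values mirror the ones the newsletter reports, plus one
# benign Run entry that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%AppData%\\hotfix.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=dword:00000000
"WarnOnZoneCrossing"=dword:00000000
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dfrgsnapnt.exe"="%Temp%\\dfrgsnapnt.exe"
"Example Updater"="C:\\Program Files\\Example\\updater.exe"
'''


def parse_reg(text):
    """Yield (key, name, value) triples; dword values become ints, strings are
    unescaped. Other value types (hex:, expandable strings) are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key:
            name, _, val = line.partition("=")
            name = name.strip('"')
            if val.startswith("dword:"):
                yield key, name, int(val[6:], 16)
            elif val.startswith('"') and val.endswith('"'):
                yield key, name, val[1:-1].replace("\\\\", "\\")


def audit(text):
    """Return human-readable findings for every marker present in the export."""
    findings = []
    for key, name, val in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k.endswith("\\winlogon") and n == "shell" and val.lower() != "explorer.exe":
            findings.append(f"Winlogon Shell hijacked: {val}")
        elif k.endswith("\\policies\\system") and n == "disabletaskmgr" and val == 1:
            findings.append("Task Manager disabled via DisableTaskMgr")
        elif k.endswith("\\internet settings") and n in WARN_VALUES and val == 0:
            findings.append(f"IE security prompt silenced: {name}")
        elif (k.endswith("\\currentversion\\run") and isinstance(val, str)
              and any(d in val.lower() for d in SUSPICIOUS_RUN_DIRS)):
            findings.append(f"Run entry launches from a temp/profile dir: {name} -> {val}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```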
d. Other details
The following port was open in the system:
Port | Protocol | Process
1053 | UDP | [file and pathname of the sample #1]
There was a registered attempt to establish a connection with the remote host. The connection details are:
Remote Host | Port Number
85.234.191.174 | 80
The data identified by the following URL was then requested from the remote web server:
http://85.234.191.174/zz.php?id=t_a_d_01

2. How-to's
a. Please update the Sax2 policy knowledge base promptly. Once Sax2 detects the communication of these trojans, it breaks the connections to protect your network and business.
b. How to Remove the Trojan-Banker.Win32.Banbra Manually?
Step 1 : The associated files of Trojan-Banker.Win32.Banbra.ukb to be deleted are listed below:
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHT
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\zh_CHS
%ProgramFiles%\Bulk Image Downloader\locale\uk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\uk
%ProgramFiles%\Bulk Image Downloader\locale\tr\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\tr
%ProgramFiles%\Bulk Image Downloader\locale\sv\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sv
%ProgramFiles%\Bulk Image Downloader\locale\sr\lc_messages
%ProgramFiles%\Bulk Image Downloader\locale\sr
%ProgramFiles%\Bulk Image Downloader\locale\sk\LC_MESSAGES
%ProgramFiles%\Bulk Image Downloader\locale\sk
Step 2 : The registry entries of Trojan-Banker.Win32.Banbra.ukb that need to be removed are listed as follows:
HKEY_CURRENT_USER\Software\Javasoft\Ex
HKEY_CURRENT_USER\Software\Javasoft
HKEY_CURRENT_USER\Software\Antibody Software\Bulk Image Downloader
HKEY_CURRENT_USER\Software\Antibody Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BID Link E&xplorer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open current page with BI&D
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open &link target with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Enqueue link tar&get with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\En&queue current page with BID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\Old_Current
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bulk Image Downloader_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloaderQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BulkImageDownloader\shell\open\command
c. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

3. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

How to Detect and Remove the Trojan-PSW.Win32.Agent.skv

1. What is the Trojan.PSW.Agent.skv
Trojan.PSW.Agent monitors and records your keystrokes and scans your computer for stored passwords. This information is then sent to the parasite authors. Trojan.PSW.Agent is highly dangerous and is a serious threat to your financial and personal information.

a. File System Modifications
%ProgramFiles%\auclt.exe
%System%\engine32.dll
%System%\mlang32.dat
%System%\sound32.exe
%System%\winmn.dll
Notes:
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
b. Memory Modifications
There were new processes created in the system:
Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 561,152 bytes
sound32.exe | %System%\sound32.exe | 561,152 bytes
c. Other details
There was a registered attempt to establish a connection with the remote host. The connection details are:
Remote Host | Port Number
222.73.165.154 | 80
The data identified by the following URL was then requested from the remote web server:
http://m468.3322.org/m/t.php?m=&v=&is=0

2. How-to's
a. Please update the Sax2 policy knowledge base promptly. Once Sax2 detects the communication of these trojans, it breaks the connections to protect your network and business.
b. How to Remove the Trojan.PSW.Agent.skv Manually?
Step 1 : Use Windows Task Manager to Remove Trojan.PSW.Agent Processes
Remove the "Trojan.PSW.Agent" processes files:
relpop.exe
svvosts.exe
nmhxy.exe
5Sy.exe
5[1].exe
Step 2 : Use Windows Command Prompt to Unregister Trojan.PSW.Agent DLL Files
Search and unregister "Trojan.PSW.Agent" DLL files:
nmhxy.dll
mywow.dll
Step 3 : Detect and Delete Other Trojan.PSW.Agent Files
Remove the "Trojan.PSW.Agent" processes files:
relpop.exe
svcsvvosts.exe
nmhxy.exe
5Sy.exe
5[1].exe
nmhxy.dll
mywow.dll
Step 4 : View the Trojan.PSW.Agent Components with their MD5s
Remove the "Trojan.PSW.Agent" components:
File Name | File Size | MD5
svchost.exe | 35840 | 65cdc258d2ec47f25d2bec762d6550df

c. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

3. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

Sunday, September 26, 2010

New trojan with "You’ve got a fax" emails

A new trojan attached to emails with the subject "You've got a fax" was intercepted by Ax3soft. The email body contains an attached ZIP file and an embedded JPEG file.

It looks like it is sent from the online service eFax (http://www.efax.com), but it is not. The emails are sent from the spoofed address efax@efax.com.

The ZIP file has the name eFax83243DOC.zip and it contains the 40 kB large file efax97901DOC.exe – please note that the numbers may vary.

The trojan is known as Trojan.Generic.KDV.37882 (BitDefender), W32/Trojan3.BZW (F-Prot), Troj/Agent-OSI (Sophos) or Trojan-Downloader:W32/Agent.DMWG (F-Secure).

It creates the following files:

%Temp%\1.tmp
%System%\hyli.igo

It creates the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following registry key is modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =

How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added new Ax3soft Sax2 policies to detect this Trojan; please update the Sax2 policy knowledge base promptly.

Appendix:

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm


Saturday, September 25, 2010

New Oficla trojan in emails with subject "Your facebook password has been changed"

A new trojan distribution campaign by email was intercepted by Ax3soft. The subject of the email may be "Facebook password details changed!", "Facebook password has been changed!" or "Facebook Password Reset Confirmation!".

The email is sent from a spoofed address, for example: "information@facebook.com", "lhofmeis@facebook.com", "clinkard@facebook.com", "freshlix@facebook.com", "germanzetti@facebook.com", "blueyescc@facebook.com" or "stiftungen@facebook.com".

The body of the email:

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

The attached ZIP file has the name Facebook_document.zip and contains the 36 kB file Facebook_document.exe.

The trojan is known as Win32/Oficla.II (NOD), Trojan.Win32.Oficla.lh (Kaspersky), Troj/Mdrop-CWY (Sophos), Win32:Trojan-gen (Avast).

It creates the following files:

%Temp%\1.tmp
%System%\fvfj.sxo

It creates the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid

The following registry key is modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell =

How-to's

1. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

2. We have added new Ax3soft Sax2 policies to detect this Trojan; please update the Sax2 policy knowledge base promptly.

Appendix:

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm

Tuesday, July 27, 2010

How to Detect and Prevent Phishing Scams

Overview of Phishing Scams


The sole purpose of a phishing scam is to obtain your sensitive information in order to commit fraud. Scammers send mass emails to every address they can find. Typically the email appears to come from a bank or financial institution. Its content prompts you to update your information for some reason, and it usually provides a link you can click to do so.
This all sounds reasonable and it may look legitimate; phishing scams are anything but legitimate. The link provided does not take you to the financial institution’s website. Instead, you’ll be submitting your information to a website run by the scammers.

Why Scammers Use Phishing Scams


Why would somebody do this? Well, you can gather a lot of sensitive information with a phishing scam. First, you can get somebody’s account number and password. Then you can try to hijack their assets. Some phishing scams ask for all of your personal information (SSN, mother’s maiden name, date of birth, etc) so that they can steal your identity and open credit accounts in your name. Some victims of phishing scams have given up their credit card numbers only to find that the card was used fraudulently.

How to Detect Phishing Scam Emails


Most phishing scams are carried out through phishing emails, so the key to preventing them is knowing how to recognize phishing emails. Detecting most of these emails is easy if you are a bit careful, and using security products is the most convenient way; for example, Ax3soft Sax2 is a professional intrusion detection and prevention system (IDS) used to detect intrusions and attacks (for more information, visit http://www.ids-sax2.com/SaxIDS.htm). The following are several ways that can help you identify phishing emails.

* Look for your name in the address: Phishers generally do not know the names of their targets; they are fishing for unwary users. Look at the header of the email you received. If you do not find your name or email address in the address field, this is a red flag and the email should be treated with caution. See figure below.
* Look for the salutation / greeting: Financial organizations are generally very careful about the personal experience their customers get when transacting with them, and one usual practice is to greet customers by name. If there is no greeting or salutation, treat the email with caution. Not all emails without a salutation are phishing emails, but this is a preliminary way of raising your alarm bell. See figure below.
* Look at the URLs shown in the email and in your browser status bar: Nowadays most browsers display the URL in their status bar when you hover your mouse over a hyperlink. This is the most important trick for quickly discovering most phishing attempts: hover over the link and, without clicking, look at the status bar and compare the two links very carefully.
* Look for a generic name in the salutation: As mentioned above, if you find no salutation or a generic one, it is time to be concerned. Not all such emails are phishing, and there are many exceptions, but it is surely a sign to be more cautious and look for other clues. See figure below.
* Look for poor grammar and punctuation: Without prejudice to any country or race, it has been observed that most phishing attacks come from countries where the population is not English speaking, and it leaves a mark. Since phishers are generally individuals rather than organizations, their copy often contains small grammatical and punctuation mistakes. Look for them, and be warned.
* Do not rely on the link address shown in the browser status bar: Even if the URL shown in the status bar is exactly the same as the one in the email, the actual hyperlink may point somewhere else. Your safest bet is to select the URL text and copy it, open a second browser window, paste the address there and press Enter. Do not use the Copy Link Location command from the right-click menu; that defeats the entire purpose.
* Do not rely on your name appearing in the salutation or address: Phishing techniques are getting smarter every day. Phishers now dig deep to find the names and addresses of their targets, so even when proper greetings and salutations are present, you may still be looking at a phishing attempt.
* Look at the domain name of the link: Domain names tell you a lot. If the domain of the URL your browser status bar points to is the same as your financial institution's, you are most likely safe. But be very cautious here: you should know exactly which part of a URL is the domain, because phishers try to make it look like the original domain, and you have to pick out the actual domain name.
* Use copy & paste: Yes, it is a really good idea. But remember, do not use Copy Link Location from the right-click menu.
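The salutation, sender-domain and link checks above can be applied to a message body automatically. The Python below is an added example, not code from the article or from Sax2: it collects every link, compares the displayed text with the real target, extracts the registrable domain and compares it with the institution's, and flags missing or generic salutations. The sample messages and the institution domain are constructed.

```python
"""Score an email for the phishing clues the article lists: generic or missing
salutation, sender domain that is not the institution's, link text that does
not match the real href, and link targets outside the institution's domain.

Added example, not part of the original article. Sample messages and the
institution domain "examplebank.com" are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear valued")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: 'secure.examplebank.com' -> 'examplebank.com'.
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Hostname of a URL or bare domain, or None if the text is not URL-like."""
    text = text.strip(",;:)")
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def phishing_clues(from_addr, body_html, institution_domain):
    """Return a list of clue strings; an empty list means no clue was found."""
    clues = []
    # 1. salutation: missing, or generic (the article's first checks)
    plain = re.sub(r"<[^>]+>", " ", body_html).lower().lstrip()
    if not plain.startswith("dear "):
        clues.append("no salutation")
    elif any(plain.startswith(g) for g in GENERIC_SALUTATIONS):
        clues.append("generic salutation")
    # 2. sender domain vs. the institution's domain
    sender_host = from_addr.rsplit("@", 1)[-1]
    if registrable_domain(sender_host) != institution_domain:
        clues.append(f"sender domain {sender_host} is not {institution_domain}")
    # 3. each link: displayed text vs. real target, and target vs. institution
    parser = LinkCollector()
    parser.feed(body_html)
    for text, href in parser.links:
        real = host_of(href)
        if real is None:
            continue
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(real):
            clues.append(f"link text {shown} points to {real}")
        if registrable_domain(real) != institution_domain:
            clues.append(f"link target {real} is outside {institution_domain}")
    return clues


# Constructed phishing sample: generic greeting, look-alike sender, link whose
# text shows the bank but whose href leads to a third-party host.
PHISH_FROM = "security@examplebank-alerts.com"
PHISH_BODY = """<p>Dear Customer,</p>
<p>Please update your details at
<a href="http://examplebank.com.login-verify.example/update">www.examplebank.com</a>
within 24 hours.</p>"""

# Constructed legitimate sample for comparison.
OK_FROM = "alerts@examplebank.com"
OK_BODY = """<p>Dear Alice Example,</p>
<p>Your statement is ready at
<a href="https://secure.examplebank.com/statements">https://secure.examplebank.com/statements</a>.</p>"""

if __name__ == "__main__":
    for clue in phishing_clues(PHISH_FROM, PHISH_BODY, "examplebank.com"):
        print("clue:", clue)
```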

Fake Xerox WorkCentre Pro Scans Hide Trojan

Ax3soft has intercepted a new spam campaign that attempts to trick users into executing malicious files by claiming they are scanned documents. The emails are sent from a spoofed address and carry a subject in one of the following formats:

Scan from a Xerox WorkCentre Pro N 6204257
Scan from a Xerox WorkCentre Pro #866521

The email targets business users: an office print and scan center, such as a Xerox machine, emailing a scanned document to a recipient is a very common situation.

The body of the email:

Please open the attached document. It was scanned and sent to you using a Xerox
WorkCentre Pro.

Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: XRX6150AA7ACDB45706461

For more information on Xerox products and solutions, please visit

http://www.xerox.com

It appears that the spammers copied the genuine email template used by Xerox scanning devices and modified only the listed file type. While a Xerox WorkCentre Pro can send scanned documents by email, it never sends them in ZIP format. Reported by The Tech Herald.


An executable file called Xerox_doc.exe is shown when the archive is opened; it is a new variant of the Oficla Trojan. Trojans in the Oficla family can work as botnet clients and are mainly used as a distribution platform for other threats, such as adware or scareware.

The trojan is also known as Gen:Variant.Oficla.4 (F-Secure, GData, NSecure) or W32/Oficla.AP (Authentium).



The following files are created:

%Temp%\1.tmp
%System%\thxr.wgo
%Temp%\2.tmp
%System%\svrwsc.exe

The following directories are created:

%CommonAppData%\Microsoft\OFFICE
%CommonAppData%\Microsoft\OFFICE\TEMP

Stop the Windows service SvrWsc (display name: Windows Security Center Service), whose filename is %System%\svrwsc.exe. Do not be fooled by its name: this service is malicious and has nothing to do with the legitimate Security Center service from Windows.

It makes a large number of Windows registry changes, and the trojan establishes connections with the following IPs on port 80:

80.74.132.218
91.212.127.40
91.216.215.66

Data can be obtained from following URLs:

* hxxp://www.kollo.ch/images/cgi.exe
* hxxp://musiceng.ru/music/forum/index1.php
* hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&b=avpsales&tm=1
* hxxp://hulejsoops.ru/images/bb.php?v=200&id=465538349&tid=26&b=avpsales&r=1&tm=1

At the time of writing, only 6 of the 41 AV engines at VirusTotal detected the trojan. VirusTotal permalink and MD5: 1d378a6bc94d5b5a702026d31c21e242.

We have added new Ax3soft Sax2 policies to detect this Trojan; please update the Sax2 policy knowledge base promptly.

New trojan variant in mails with "Look my CV. Thank you!"

Pay attention to emails with the subject "Look my CV. Thank you! MyID NR4557547.": they carry a new trojan variant that Ax3soft has intercepted.

Similar subjects are:

Look my CV. Thank you! MyID NR4557547.
Please look my CV. Thank you! MyID NR0663460.

The number at the end of the subject is chosen at random, and the From address is spoofed.

The body of the email:

Good day.

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.

The file resume098.zip is attached to the email; the extracted file resume.exe is 36 kB in size.

The trojan is also known as W32/Heuristic-210!Eldorado (Authentium, F-Prot) or Backdoor.Bredolab (PCTools).

It creates the following files:

%Temp%\1.tmp
%System%\fjof.sto
%Temp%\2.tmp
%Windir%\atapsrb.dll

It loads the following module into the address space of other processes:

%Windir%\atapsrb.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 - 0x1E82000

%Windir%\atapsrb.dll:

Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 - 0x1952000

%Windir%\atapsrb.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 - 0x10012000

It makes a large number of Windows registry modifications, and the trojan tries to establish connections with the following IPs on port 80:

195.78.109.6
212.78.71.81
95.211.98.246

It downloads data from the following URLs:

* hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1
* hxxp://olgashelest.ru/babun/bb.php?v=200&id=603225387&tid=4&b=6165430227&r=1&tm=1
* hxxp://www.scottishchefs.com/photogallery/Slideshows/SLteam2008/p7hg_img_1/fullsize/sepod.exe

The downloaded file sepod.exe is 60 kB in size and is detected as W32/Hiloti.I.gen!Eldorado (F-Prot), Trojan.Win32.Hiloti (Ikarus) or Mal/Hiloti-D (Sophos).

It creates the following file:

%Windir%\dsmd32.dll

It loads the following module into the address space of other processes:

%Windir%\dsmd32.dll:

Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E70000 – 0x1E82000

%Windir%\dsmd32.dll:

Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10012000

It makes many Windows registry modifications and tries to establish a connection to IP 95.211.98.246 on port 80.


We have added some new policies to Ax3soft Sax2 to detect the Trojan; please update the Sax2 policy knowledge base in time.

Emails with the subjects "UPS INVOICE NR9094991" and "Delivery Problem NR2204780" contain a trojan

Ax3soft noted the highest virus detection rate in recent months, owing to the combination of the "Thank you for buying iTunes Gift Certificate!" emails and the latest UPS-related emails with subjects like "UPS INVOICE NR9094991" or "Delivery Problem NR2204780".

Similar subjects are (the numbers are chosen randomly):

UPS INVOICE NR9094991
Delivery Problem NR2204780

The body of the email:

Hello!
Unfortunately we were not able to deliver your postal you have sent on the 11th of March in time because the addressee’s is inexact.
Please print out the invoice copy attached and collect the package at our department.
UPS Global Services.

Hello!
We failed to deliver the postal you have sent on the 24th of March in time because the addressee’s is wrong.
Please print out the invoice copy attached and collect the package at our department.
UPS Express Services.

The email contains the zip archive upsinvoice3325037.zip, from which the file UPSINVIOCE.exe (36 kB) is extracted.
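The two lures described on this page (the "Look my CV" mails above and the UPS invoice/delivery mails here) share one shape: a fixed subject with a randomized trailing number and a zip attachment that unpacks to an .exe. The mail-gateway check below is an added example, not Sax2 code or anything from the newsletter; the subject regexes, the constructed message, the placeholder zip member and the classify/build_sample helpers are my own assumptions.

```python
import io
import re
import zipfile
from email.message import EmailMessage

# Subject shapes seen in the two campaigns; the trailing number is randomized
# per message, so the pattern matches the shape rather than a fixed value.
LURE_SUBJECTS = [
    re.compile(r"^(?:Please look|Look) my CV\. Thank you! MyID NR\d+\.?$", re.I),
    re.compile(r"^UPS INVOICE NR\d+$", re.I),
    re.compile(r"^Delivery Problem NR\d+$", re.I),
]
# Executable extensions that should never arrive inside a "resume" or "invoice" zip.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def zip_has_executable(data: bytes) -> list:
    """Names of executable members in an in-memory zip (empty if none or not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def classify(msg: EmailMessage) -> list:
    """Reasons the message looks like one of these lures (empty list = nothing found)."""
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if any(p.match(subject) for p in LURE_SUBJECTS):
        reasons.append(f"lure subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            members = zip_has_executable(part.get_payload(decode=True))
            if members:
                reasons.append(f"zip {name} contains executable: {members}")
    return reasons


def build_sample(subject: str, zip_name: str, member: str) -> EmailMessage:
    """Constructed test message; the zip member is harmless placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real PE file")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "spoofed@example.invalid"  # constructed, like the forged From in the lures
    msg.set_content("Good day.\nI have figured out that you have an available job.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg


if __name__ == "__main__":
    for why in classify(build_sample("Look my CV. Thank you! MyID NR4557547.", "resume098.zip", "resume.exe")):
        print("FLAG:", why)
```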

The trojan is known as W32/FakeAlert.NW (F-Prot), Trojan.Win32.VBKrypt.yj (Kaspersky), Win32/Oficla.EU (NOD32), Troj/Bredo-CX (Sophos) or Trojan.Sasfis (Symantec).

It creates the following files:

%Temp%\1.tmp
%System%\nnfj.tqo
%Temp%\2.tmp
%Windir%\scindl.dll

It loads the following module into the address space of other processes:

%Windir%\scindl.dll:
Process name: explorer.exe
Process filename: %Windir%\explorer.exe
Address space: 0x1E90000 – 0x1EA1000

%Windir%\scindl.dll:
Process name: IEXPLORE.EXE
Process filename: %ProgramFiles%\internet explorer\iexplore.exe
Address space: 0x1940000 – 0x1951000

%Windir%\scindl.dll:
Process name: [generic host process]
Process filename: [generic host process filename]
Address space: 0x10000000 – 0x10011000

The trojan tries to establish remote connections to the following IPs on port 80:

85.87.17.230
89.149.202.142
95.211.27.238

It downloads data from the following URLs:

* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&b=newsp&tm=2
* hxxp://funnylive2010.ru/ms/bb.php?v=200&id=653227819&tid=5&b=newsp&r=1&tm=2
* hxxp://www.yunusemre.net/trpanel/fckeditor/editor/_source/classes/sistempod.exe
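Both campaigns on this page check in to a bb.php URL with the same query parameters (v, id, b, tm, optionally tid and r), so a defender can key on that shape in proxy logs rather than on the two hosts alone. The script below is an added example, not from Ax3soft or the newsletter: the log line format, the constructed sample lines and the scan/is_bb_beacon helpers are assumptions, and it deliberately generalizes the bb.php pattern to hosts the page does not list.

```python
import re
from urllib.parse import urlsplit, parse_qs

# C2 addresses and download hosts listed in the write-up above (all on port 80).
KNOWN_C2_IPS = {"195.78.109.6", "212.78.71.81", "95.211.98.246",
                "85.87.17.230", "89.149.202.142", "95.211.27.238"}
KNOWN_HOSTS = {"olgashelest.ru", "funnylive2010.ru",
               "www.yunusemre.net", "www.scottishchefs.com"}

# Assumed proxy log format: "<time> <client> <dst_ip> <dst_port> <url>" (constructed here).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def is_bb_beacon(url: str) -> bool:
    """True if the URL has the check-in shape seen in both campaigns:
    a path ending in /bb.php carrying v, id, b and tm (tid and r are optional)."""
    u = urlsplit(url)
    if not u.path.lower().endswith("/bb.php"):
        return False
    return {"v", "id", "b", "tm"} <= set(parse_qs(u.query))


def scan(lines):
    """Return (line_no, reason) for each log line matching a listed indicator or the beacon shape."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real deployment would count these
        _, _, dst_ip, dst_port, url = m.groups()
        host = urlsplit(url).hostname or ""
        if dst_ip in KNOWN_C2_IPS and dst_port == "80":
            hits.append((n, f"known C2 IP {dst_ip}:80"))
        elif host in KNOWN_HOSTS:
            hits.append((n, f"known download host {host}"))
        elif is_bb_beacon(url):
            hits.append((n, f"bb.php check-in pattern on new host {host}"))
    return hits


# Constructed sample lines: indicators from the write-up, one unlisted host using the
# same check-in shape, and one benign request. Destination IPs for named hosts are made up.
SAMPLE_LOG = [
    "2010-03-25T10:01:02 10.0.0.5 95.211.98.246 80 http://95.211.98.246/",
    "2010-03-25T10:01:05 10.0.0.5 203.0.113.10 80 http://olgashelest.ru/babun/bb.php?v=200&id=603225387&b=6165430227&tm=1",
    "2010-03-25T10:02:00 10.0.0.7 198.51.100.9 80 http://example.net/stats/bb.php?v=200&id=1&tid=5&b=newsp&r=1&tm=2",
    "2010-03-25T10:02:30 10.0.0.7 198.51.100.9 80 http://example.net/index.html",
]

if __name__ == "__main__":
    for n, why in scan(SAMPLE_LOG):
        print(f"line {n}: {why}")
```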

We have added some new policies to Ax3soft Sax2 to detect the Trojan; please update the Sax2 policy knowledge base in time.

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
