Category: Malware

Viruses, Trojans, Spyware, etc

She has already gone to hospital!…

Below is a new scam email being sent around the internet. The topic of the email is shown above. The email’s contents are shown below (I’ve removed the link):

Listen to me carefully, i don’t know what your name is, but i’ll find you and i’ll cripple you, because this is you who tempted her!!! She has already gone to hospital, you’re next, this is evidence:

http://www.———.sk/fotos/

If you receive this email just delete it. It’s a scam to get you to click on the link, which will then have malicious code. More details in the comments below.

HTML_IFRAME.TW virus

Microsoft Certificate Enrolment Code

There’s a new phishing trick that involved the user downloading a security certificate. It’s been spotted on a fake Bank of America web site. When this fake page is accessed the user is asked to create a digital certificate.

US money The control is downloaded to the PC using Microsoft Certificate Enrolment Code. This ads a false sense of security for users.

The next step on the web site asks users to download a file called sophialite.exe This is a malicious program.

So if you end up at a web site that looks like the Bank of America pay close attention to the address shown in your web browser, make sure it’s exactly right.

ActiveX Flaw in Symantec Products

Symantec is well known for making security products (they also use the Norton brand for home products). A serious flaw has been found in some of their products including Norton AntiVirus, Norton Internet Security, Norton SystemWorks and Norton 360.

The flaw is in an ActiveX control that gets installed on the PC (the control is called SymAData.dll). This control is normally used for their AutoFix tool, however it was discovered that it can be exploited by adding some malicious code to a website. The exploit allows someone to take over the computer (generally a bad thing).

Two ways to fix this problem are:

Earlier we wrote about problems with ActiveX and suggested you disable it.

iMunizator

iMunizator is an application for the Mac that claims to scan the computer and report problems.

iMunizator actually searches the computer for important files and tells the user that they are dangerous. It then offers to remove them.After removing them the computer is no longer usable.

In other words, iMunizator is a malicious program. Don’t ever run this program on a Mac.

It’s actually another version of MacSweeper, which we warned you about earlier this year.

imunizator
Imunizator’s website

HP Flash Drives Ship With Malware

Hp flash drives were found to contain malware. These devices were sent as promotional items with new Proliant Servers.

usb Both 256MB and 1GB USB drives were infected with worms (W32.Fakerecy and W32.SillyFDC), and the worm can copy itself to all other mapped drives on your network.

This is particularly bad because IT technicians generally install these servers and generally have access to quite a few network drives.

HP’s software security response team admitted to the fault and has issued the following list of servers that shipped with the infected USB drive:

ProLiant BL20pG4; ProLiant BL25pG2
ProLiant BL45pG2
ProLiant BL260c
ProLiant BL460c; ProLiant BL465c; ProLiant BL465cG5; ProLiant BL480c
ProLiant BL680cG5; ProLiant BL685c; ProLiant BL685cG5
ProLiant DL120G5; ProLiant DL140G3; ProLiant DL145G3; ProLiant DL160G5;
ProLiant DL165G5; ProLiant DL180; ProLiant DL180G5; ProLiant DL185G5
ProLiant DL320G5; ProLiant DL320G5p; ProLiant DL320s; ProLiant DL360G5;
ProLiant DL365; ProLiant DL365G5; ProLiant DL380G5; ProLiant DL385G2;
ProLiant DL385G5
ProLiant DL580G4; ProLiant DL580G5; ProLiant DL585G2; ProLiant DL585G5
ProLiant ML110G4; ProLiant ML110G5; ProLiant ML115; ProLiant ML115G5;
ProLiant ML150G3; ProLiant Ml150G5
ProLiant ML310G4; ProLiant ML310G5; ProLiant ML350G5; ProLiant ML370G5
ProLiant ML570G4
IP Console Switch with virtual media
Server Console switch
Server Console Switch with virtual media
TFT7600 (USB Pass-through)
1U Rackmount Keyboard with USB

This kind of threat isn’t limited to HP customers. Any device you plug into a USB port can potentially carry malware. Therefore you should always have a good antivirus program running on your computers.

A while back we reported on similar incidents: Digital Picture Frames with malware, MP3 players sold with malware

Malware Targeted Against Pro-Tibet Groups

Chess piecesA new malware infected email is being sent to people on Pro-Tibet mailing lists. This is an example of a targeted attack whereby a particular group of people are the intended recipients of the malware, and in this case politically motivated.

F-Secure have investigated the malware and have concluded that it originates from China. It carries a PDF file that installs a key-logger on a recipient’s computer. The key-logger sends all of the user’s key strokes to a server located in China.

To recognise the malicious email look for the following:

  • The email is forged to appear to originate from Unrepresented Nations and Peoples Organization (UNPO)
  • From: unpo@unpo.org
  • Subject: UNPO Statement of Solidarity
  • First few lines of the email:

The Hague, 17 March 2008 – The Presidency of the Unrepresented Nations and Peoples Organization (UNPO), led by President Mr Ledum Mitee, expresses its solidarity on behalf of all UNPO Members with the people of Tibet in this period of extreme tensioni and reiterates its support for their decades-long nonviolent campaign against Chinese suppression.

  • Has an attachment called “UNPO Statement of Solidarity.pdf”

If you receive this email or others like it, delete it.

According to F-Secure there are other similar emails that are also part of the targeted attack and may contain any of the following attachments:

  • UNPO Statement of Solidarity.pdf
  • Daul-Tibet intergroup meeting.doc
  • tibet_protests_map_no_icons__mar_20.ppt
  • reports_of_violence_in_tibet.ppt
  • genocide.xls
  • memberlist.xls
  • Tibet_Research.exe
  • tibet-landscape.ppt
  • Updates Route of Tibetan Olympics Torch Relay.doc
  • THE GOVERNMENT OF TIBET.ppt
  • Talk points.chm
  • China’s new move on Tibetans.doc
  • Support Team Tibet.doc
  • Photos of Tibet.chm
  • News ReleaseMassArrest.pdf
  • Whole Schedule and Routing for Torch Relay.xls

For more information see here.

Brazilian Tax Return Site

Another fraudulent tax return site has appeared, this time targeting people in Brazil. It begins with a forged email claiming to be from Brazil’s Ministry of Finance, Ministerio da Fazenda.

The email has a link to a virus file called formulario.exe.

Brazil If you receive this email just delete it. Don’t click on the links and don’t download (or even worse, Run) the .exe file it offers you.

And of course invest in a good anti virus package that will filter these sites and block them.

Other recent tax scams:

BBB Infected Website

The Better Business Bureau website has been infected with malware. Visitors to the site are asked to download and install an ActiveX control (that has malicious code). Their web site is www.national-bbb.com.

If you ever receive an alert you weren’t expecting, especially one asking you to download and install anything, cancel everything it asks you to do. There is no reason to install anything to view a web page.

We’ve written earlier about websites that ask visitors to install things, and on how to take more extreme measures to completely block ActiveX code.

Fake Anti Spyware

Brave Sentry is a fake anti spyware product that’s been going around a lot lately. It’s also known by these names:

  • Brave Sentry
  • Spy Sheriff
  • Spyware Quake
  • SpyFalcon

Once it gets onto your computer it tells you it found a large number of threats. For example, it could say “BraveSentry Scan found 138 threats“. This is false, following its instructions takes you to a site asking for money to remove the spyware.

Here’s a procedure on how to remove Brave Sentry, if you happen to become infected.

And to avoid infection follow these tips:

  • Install a good (and well known) anti virus/anti spyware product.
  • Avoid using Internet Explorer. Use one of the current alternative browsers such as:
  • Always use the latest web browser versions, download updates frequently.
  • Never ever download or run programs just because an email or a web site asked you to. This includes things like codecs to watch videos (unless you’re quite technical and know what you’re doing).
  • Avoid warez and porn sites (they’re often infected with malware)