Archive for category Anti-virus and Anti-malware
I am seeing a new phase of USAA spam hitting us. The ones I am seeing hit our servers the most claim to be deposit notifications that, of course, include an attachment they want you to open. The scary thing is that I am seeing more and more phishing emails that look really good. I’m actually kind of impressed by them. I can easily see a lot of people, maybe even some in my office, opening this email and downloading the attachment. Of course for me, the dead giveaway is the fact that there’s an attachment at all – let alone a zip file that includes an exe file. Luckily our spam filter doesn’t let exe files through, even if it doesn’t detect it as a virus.
Being the curious person that I am, I downloaded the attachment to see what was in it. I found an exe file, Deposit_Posted_Details_USAA_122012.exe. I scanned the exe with our corporate version of Malwarebytes and it was detected as Trojan.Zbot.CBCGen. I scanned it with GFI’s Vipre anti-virus, but it was not detected. I then uploaded it to VirusTotal to see what other scanners were detecting it. As of this post, only 3 scanners are seeing it – ByteHero, Kaspersky, and McAfee – one of which was added while I was putting this post together. You can see the report here.
My next step is to do some research based on the names the scanners that detect it have given it, to see what kind of infection this is. Hopefully, if any of you have it, Malwarebytes will just take care of it for you.
Update: It now looks like 6 scanners are able to find this virus. I did some looking around online and from what I see it sounds pretty nasty.
It specifically targets passwords used in Internet Explorer, along with those for FTP and POP3 accounts. It also deletes any cookies stored in Internet Explorer. That way, the user must log in again to any commonly visited Web sites, and the threat can record the login credentials at the time.
From the report Symantec put together and the report I received from submitting this to GFI’s sandbox I can see that it creates a file to dump all your login information into and tries to phone home to suck those passwords off your computer. Symantec lists this as a low threat, but if there is any sign of this being on your computer you need to change all your passwords. That is not something I would want to risk. At least it appears to use the same names to create the files and keys over and over, which would hopefully mean that it wouldn’t be terribly difficult for the anti-virus scanners to find and remove – once they update their definitions to get this newest variation.
Also, this virus can possibly inject forms into your web browser that make it look like your banking site, or whatever site you’re logging into, is asking extra security questions to confirm who you are. But if it’s something beyond the basic “what’s your mother’s maiden name?” be careful. I saw on another forum somewhere that when someone tried to log into their banking site it asked them the basic questions, but then asked him what his debit card number is – why would your banking site be asking that?
Here are the DNS requests from the report that GFI sent me after submitting it to their sandbox.
In response to Mosey’s question about whether Filezilla’s credentials would be at risk: it doesn’t sound like they would be, based off the Symantec report and a couple of other things I found about it (see the two links I added below). It sounds like it is only monitoring what you type into your web browser. I have not seen anything yet that tells me otherwise. But I did find another blog that describes how Filezilla stores your credentials in a plain text file that is very easy to find. This trojan is also known as Zeus, and there are a lot of variations – so I suppose someone out there creating their version of the Zeus trojan could target the Filezilla files that hold your credentials.
Yet another email is floating around out there trying to get you to download a file that’s really a virus. It’s sent from “The Facebook Team” and says something like “for security reasons your password had to be reset” and it tells you to download the .zip or .exe file that is attached (Facebook_Password_4cf91.zip or Facebook_Password_4cf91.exe).
If you look at the email closely enough, it probably isn’t even addressed to you. My Aunt got this email and the name they used referring to her, in the body of the email, was just a bunch of random letters. That, the random letters at the end of the file name and the fact that there is even an attachment at all should throw up red flags. But there will always be people who fall for this kind of thing or just don’t pay attention and download it anyway, which is why there are geeks like me around to fix things when this happens. Unless you reset your password yourself and triggered a confirmation email, you will not get these kinds of emails, period.
My Aunt flipped out because she thought she may have saved the file on her computer, so this prompted me to do a bit of research on what this virus is. I found the VirusTotal report that shows which scanners are able to locate and eliminate the virus. Only 14 out of the 41 scanners are able to detect it – my Aunt happens to have Symantec, which if you notice is not one of those 14. I’m currently running F-Secure’s online scan and will run Microsoft’s Security Essentials since both of those are listed as being able to detect it.
Here’s the page on F-Secure’s website about the virus. There isn’t a whole lot of information on it. But it does list a registry key that is installed.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"RunGrpConv" = "1"
If you’re comfortable working with computers you can check the registry yourself for that key. If not then I suggest running the F-Secure online scan on complete mode, if you have time to let it sit for awhile, and also running Microsoft Security Essentials. They are both user-friendly and free. Just be sure to remove security essentials once you’re done if you do have another anti-virus currently installed. Having more than one can really slow the computer down.
The good news is, from what I’ve read it looks like it’s just another virus that causes messages to pop up telling you that you need to pay to download a fake anti-virus in order to fix your computer. So it doesn’t appear to be something that is terribly difficult to get rid of.
I went to install Malwarebytes on my desktop computer but got a weird installation error message: “mbam.exe – Unable To Locate Component. This application has failed to start because MSVBVM60.DLL was not found. Re-installing the application may fix the problem.”
I tried downloading another copy of Malwarebytes and re-installing it, thinking I got a bad file, but I just got the same error. Doing a quick Google search led me to the bleepingcomputer.com forum. I guess that error means that Visual Basic is damaged. How it got damaged is beyond me, but it’s a pretty easy solution. Be sure to uninstall Malwarebytes first. Then all you have to do is download and install Service Pack 6 for Visual Basic 6.0. Install Mbam again after that is finished. *Poof*, all fixed.
Yes, it’s that time of year again. A friendly reminder to NEVER open attachments or click on links in emails if you don’t know who or where it’s coming from. Curiosity killed the cat, your curiosity might kill your computer.
This virus is probably most commonly known as W32.Ackantta@mm, at least to those familiar with Symantec/Norton. What happens is you get an email like the one above and get sucked into clicking on the link, which then downloads a file to your computer. I’m not quite certain whether clicking the link automatically executes the virus, just downloads the file, or if the virus is a file attached to the email. So far I’ve seen it where a file called postcard.zip is attached to the email and then where you click on a link to download a file called postcard.pdf.exe. Either way, a file eventually ends up on your computer that installs the virus if you execute it.
This virus is a variant of the Trojan.Vundo virus that we saw an outbreak of on campus a little over 4 years ago. It’s such a pain to remove because, like before, we got it when it was fairly new so none of the anti-virus programs out there could do anything to prevent or remove it. I heard from one of the other Tech departments on campus that we were the first to report it to Symantec. I had someone forward me the virus so I could upload it to VirusTotal.com to see which programs are able to detect it and hopefully remove it. Here’s the list as of 3 hrs ago:
- Once the file mentioned above is opened, the virus installs itself in numerous places on the computer. What a user will notice is tons of pop-up ads showing up all of a sudden saying that you need to download a fake program to remove the spyware on your computer. Don’t fall for that, it’s just more spyware/viruses to bog down your computer.
- It creates copies of itself in the system folder as javale.exe, javawx.exe, and a random .dll file.
- It also creates and edits registry keys in order to embed itself in the startup processes so it’s running at all times. To see the specific registry keys and file names see the links at the end of the post.
- The virus finds your address book on your computer and sends out mass-emails to everybody in it.
- It blocks access to some security related websites.
- Spreads through any USB drives you plug into the computer and also has the potential to spread through network drives, which can create an evil loop of cleaning and re-infecting.
How do I get rid of it?
- Disable system restore.
- Update your anti-virus & anti-spyware programs and definitions. You want to make sure you have the most up-to-date client as well as the definitions. AVG Free and Malwarebytes are known to detect and remove the virus when used in conjunction with each other.
- a) If you don’t have the programs on your computer or are unable to update them, burn the programs and their most recent definition files to a CD and install them that way. This virus jumps onto USB drives, so you do not want to use them on an infected computer.
- Restart your computer into safe mode.
- Scan with both your anti-virus and anti-spyware programs. You may need to do this a few times in order to make sure it found everything.
Malwarebytes and either Symantec/Norton or AVG were used to clean computers on campus. AVG was used on student computers since we couldn’t install Symantec Endpoint Protection on there for licensing reasons. But I can confirm that both Malwarebytes and AVG work together to get rid of it. Be sure to disable system restore and boot into safe mode though, as stated above.
There are far too many different files this virus creates and registry keys it creates and edits, so I avoided putting that specific information in the post. All of the specifics can be seen at the links below.
What is conficker and what does it do?
It’s a worm/virus that will infect computers via a vulnerability (MS08-067) in any Windows XP or Vista machines if the computer hasn’t been patched with the patch Microsoft released back in October/November. Once infected, the virus:
- Embeds itself into the system services and makes some changes to the registry in order to run constantly, including after reboots.
- Disables antivirus and other security services, as well as blocks websites related to those services.
- Disables system restore and deletes all restore points making the recovery process that much more difficult.
- Opens the infected machine to more infections.
- Scans the subnet the infected computer is on for vulnerable machines and passes the infection on by creating an HTTP server for the new victim to download it from.
- Also copies itself to any USB drives, making the potential for spreading on networks much higher.
- Can crack weak passwords to accounts and lock you out of your own files and folders.
- It also schedules tasks and edits the autorun.inf file, enabling it to re-activate after a computer is “cleaned.”
How do I know if my computer is infected?
I mentioned a few noticeable things above but here are the things an average computer user would notice:
- The computer will feel much more sluggish than normal.
- Your internet connection might become much slower as well.
- You may not be able to log into your computer. If the password is weak it could crack it and lock you out.
- Automatic Windows updates will not work.
- You may not be able to get to any websites related to virus scanner updates or Windows updates.
- This virus is known to disable any security software you have – firewalls or virus scanners.
What can I do to protect myself?
- Run a Windows update to make sure your computer has the patch installed.
- Update your virus scanner and run a scan to be safe. If you do not have a scanner I personally like AVG free. Symantec has a new thing called Norton Security Scan which is also free. I’ve never tried it so I don’t have an opinion about it.
Open Internet Explorer -> go to the tools menu -> click on windows update -> choose express and download all suggested updates.
Click on your start menu -> in the search box type windows update -> click check for updates in the left column and download any important updates.
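A read-only triage script, added here as an example and not code from any of the posts above or from the vendors they name, that checks a machine for the indicators these posts list: the Winlogon "RunGrpConv" value from the F-Secure write-up, the javale.exe/javawx.exe copies Ackantta drops, the MS08-067 patch Conficker exploits, autorun.inf on removable drives, and the update/security services Conficker disables. It assumes an elevated PowerShell session; KB958644 is the update that ships MS08-067, a mapping the posts do not state themselves.

```powershell
# Added example: triage for the indicators described in the posts above.
# Assumes an elevated Windows PowerShell session. KB958644 = MS08-067 update
# (known mapping, not stated on the page). Reads only; it removes nothing.
function Test-PostedIndicators {
    $findings = @()

    # Facebook-password malware: the Winlogon value F-Secure lists.
    $winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $prop = Get-ItemProperty -Path $winlogon -Name 'RunGrpConv' -ErrorAction SilentlyContinue
    if ($prop -and "$($prop.RunGrpConv)" -eq '1') {
        $findings += 'Winlogon\RunGrpConv = 1 (F-Secure indicator)'
    }

    # W32.Ackantta@mm: copies of the worm dropped into the system folder.
    foreach ($name in 'javale.exe', 'javawx.exe') {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path -LiteralPath $path) { $findings += "Ackantta file present: $path" }
    }

    # Conficker: confirm the MS08-067 update is installed.
    if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
        $findings += 'MS08-067 update (KB958644) not found; run Windows Update'
    }

    # Conficker and Ackantta both re-arm through autorun.inf on removable drives.
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $removable) {
        $autorun = "$($drive.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $autorun) { $findings += "autorun.inf on removable drive: $autorun" }
    }

    # Conficker stops Windows Update and security services; report any not running.
    foreach ($svc in 'wuauserv', 'wscsvc', 'BITS') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -ne 'Running') { $findings += "service $svc is $($s.Status)" }
    }
    return $findings
}

$result = Test-PostedIndicators
if ($result) { $result | ForEach-Object { "FINDING: $_" } } else { 'No listed indicators found.' }
```

A finding is a reason to run the full scans described in the posts, not proof of infection on its own; a missing patch, in particular, just means Windows Update has work to do.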
What if my computer is infected?
Run a virus scan in safe mode (hold F8 down when restarting the computer). Safe mode is used in times like this because nearly every service and program that typically runs whenever you turn your computer on will be turned off, making it easier for the scanner to remove any infections. Microsoft suggests downloading their Windows Malicious Software Removal Tool. If you have a Norton product you can go here for information on how to remove it. McAfee also has information, although not very helpful in my opinion. In some instances the virus scanner may not be able to remove the infection so a more technical solution is needed.
F-Secure is the only company I’ve found so far that has an actual removal tool specifically for this virus/worm, but it is in the beta stage so be careful using it if you choose to do so. I just ran it on my laptop without any issues. If I come across someone at work who has this I’ll have no problem using it if a normal virus scan is unable to help. Especially since it sounds like unless your scanner can remove it, all you can do is reformat so you don’t have much to lose.
More information can be found at pcworld.com and BBC News. If you’re a geek like me F-Secure is keeping track of the number of infections and also has a list of domains network admins can block to help prevent this from spreading.
3/31/09: With yet another explosion in news coverage I’m adding a couple more removal tool links from F-Secure. The one linked to above is no longer a beta version. They are all for different variants of this same virus.
Everything in the article is still accurate, the basic behavior hasn’t changed at all. I heard that the security professionals haven’t been able to reverse engineer the virus so they don’t even know what is supposed to happen on April 1st. That leads me to a question: if they haven’t reverse engineered it to figure out exactly what it does, where did the doomsday date of April 1st come from?
Ever since I updated my version of Firefox, either that or McAfee, I don’t remember, I had this weird problem where the popup blocker option would randomly uncheck itself. It seems like every website now has irritating windows that pop up when you leave their site. I got frustrated with it so I poked around online and found a mozillazine article about it. Apparently McAfee doesn’t like Firefox taking control of the web security type things.
If you disable the popup security option in McAfee then it changes a preference in the user.js file, “dom.disable_open_during_load” to “false”. I didn’t think I needed two programs blocking popups so I went ahead and disabled it in McAfee. I don’t particularly like using McAfee, but it’s free from comcast, so what the hell?
What’s even worse about this bug is that if you uninstall McAfee that preference is still set to false so it still won’t allow Firefox to block the popups. The article I linked to has directions on how to fix the problem even if you have removed McAfee. At least it’s a simple fix.
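Firefox re-applies user.js at every start and it overrides prefs.js, which is why the checkbox keeps unchecking itself as long as that line is there. The script below is an added example, not code from the original post or the mozillazine article: it finds each profile's user.js, reports whether McAfee's line is present, and with -Fix flips the preference back so Firefox blocks popups again. It assumes profiles live in the default location under %APPDATA%\Mozilla\Firefox\Profiles.

```powershell
# Added example: find and undo the user.js preference McAfee leaves behind.
# Assumes the default profile location; pass -ProfileRoot if yours differs.
# Close Firefox before running with -Fix; a .bak copy is written first.
function Repair-FirefoxPopupBlocker {
    param(
        [string]$ProfileRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'),
        [switch]$Fix
    )
    # The line McAfee writes, and the replacement that re-enables the blocker.
    $bad  = 'user_pref\("dom\.disable_open_during_load",\s*false\);'
    $good = 'user_pref("dom.disable_open_during_load", true);'
    $report = @()

    $files = Get-ChildItem -Path $ProfileRoot -Filter 'user.js' -Recurse -ErrorAction SilentlyContinue
    foreach ($userJs in $files) {
        $text = Get-Content -LiteralPath $userJs.FullName -Raw
        if ($text -notmatch $bad) {
            $report += "ok: $($userJs.FullName)"
            continue
        }
        if (-not $Fix) {
            $report += "popup blocker disabled by user.js: $($userJs.FullName) (re-run with -Fix)"
            continue
        }
        # Keep a backup, then flip the preference so Firefox blocks popups again.
        Copy-Item -LiteralPath $userJs.FullName -Destination "$($userJs.FullName).bak" -Force
        $text = [regex]::Replace($text, $bad, $good)
        Set-Content -LiteralPath $userJs.FullName -Value $text -NoNewline
        $report += "fixed: $($userJs.FullName) (backup written)"
    }
    if (-not $report) { $report += "no user.js found under $ProfileRoot" }
    return $report
}

Repair-FirefoxPopupBlocker          # report only
# Repair-FirefoxPopupBlocker -Fix   # rewrite user.js after closing Firefox
```

This works whether or not McAfee is still installed, since the leftover line in user.js is what keeps resetting the preference.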