Welcome to mickyj.com

Malware Blog
This blog is by no means the first or last place to look for Malware alerts. This is where I post about the Malware I have seen or the really big infections. I would not have enough time to list them all, so this is my experience and hopefully you have found this page because you have found something similar and need some help with it.
My best source of information about websites to avoid and what malvertisements are out there is Sandi's blog. Sandi Hardmeier is also a Microsoft MVP (in Internet Explorer) and has her own blog at SpywareSucks. Some of her posts cover some of the more recent nasties that infect Mac machines (June 24 2008) and also SQL injections. It is also interesting to see the Malware she has found on Disney websites (June 12 2008) and other sites you would normally trust.
Firstly, to survive the net, my recommendations. Install the latest updates from Microsoft. Run a good antivirus. Check for Malware with Spybot and Hijackthis once a week. Run the latest version of Windows and Internet Explorer. Clean your temporary folders weekly and update all your programs. This includes updating DirectX, .NET, Java, Adobe Reader, Flash, QuickTime, RealPlayer and Media Player. These can all be exploited by those annoying ads you see popping up (especially Flash).
September 5 2009 - Mickyj.com
Mpeg Video Vulnerability
Keywords: Code, Exploit, ActiveX, Mpeg
Security Advisory: Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
September 5 2009 - Mickyj.com
July 5 2009
Torrents and Peer-Peer (p2p)
Keywords: Frostwire, Gnutella, Morpheus, Ares Destiny, mp3 rocket, eMule, Bearshare, iMesh, Shareaza, bearshare, kazaa, limewire, emule, Grokster, edonkey, WarezP2P, WinMX, Bittorrent, uTorrent, BitComet, ABC, BitLord, TurboBT and Azureus, Vuze
Parents, I implore you. Stop your kids illegally downloading music and movies. Free is not free. They are infecting your PCs with goodness knows what and your banking and passwords are at risk.
Use iTunes, pay for what you want. If you use Torrents and Peer-peer tools, you will likely get hacked (as seen by me when I come to clean up people's computers).
Don't risk it!!!
While P2P file sharing technology is completely legal, many of the files traded through P2P are copyrighted. Those that upload pirated files usually include viruses and trojans.
No more Bittorrent, uTorrent, BitComet, ABC, BitLord, TurboBT and Azureus or Vuze (or other torrent tools).
No more Frostwire, Gnutella, Morpheus, Ares Destiny, mp3 rocket, eMule, Bearshare, iMesh, Shareaza, bearshare, kazaa, limewire, emule, Grokster, edonkey, WarezP2P, WinMX (or other Peer-Peer tools).
July 5 2009 - Mickyj.com
December 7 2008
MSN, it's not evil
Keywords: MSN, Virus
Here I am telling a parent that their little girl infected the one PC in the house, which they use for banking, with a keylogger and virus. I am explaining that technology is their friend, but it is up to them how they use it. I can prove, in this instance, that the virus came through using MSN Messenger. A "Friend" sent the child an image. The child accepted, not realising it was "XXXXX.jpg.exe", and ran it. They thought only their friends would pop up in MSN and trusted the download was an image of a friend. MSN Messenger is not evil. Some of the users are, and it can easily be exploited.
Parents, be wary.
December 7 2008 - Mickyj.com
December 6 2008
AVI's and MP3's are vulnerable
Keywords: AVI, MP3, Limewire, virus
Yesterday I was dismayed that clients could be so easily duped into downloading a virus and yet had very little concept of what was happening. Today I have to report on a client who was using Limewire. They were downloading AVI movie files and music MP3 files.
The client came to my attention as they mentioned how slow their PC was and how they were getting popups. I ran the Trend Micro command line scanner across their PC and found, to my horror, 373 viruses in AVI and MP3 files.
The movies apparently worked well in Media Player and the music played; however, in real life, the downloads were heavily infected with viruses. People need to remember, downloading these items, free movies and music, will cost you in the long term.
December 6 2008 - Mickyj.com
December 5 2008
Attack of the Gif file
Keywords: Virus, Gif File
Today is a sad day. Today I have witnessed a very dangerous virus in a Gif file. The Gif file contained an image as expected, and a virus. It looked like a normal image on a website; however, it attacked the PC that downloaded it and rendered the client and their network useless for 2 days. This means normal computer users, unsuspecting people, will now get infected more and more.
The virus dropped an executable file, MarioForever.exe. The file placed itself onto every open network share, including Linux boxes. It dragged the network to its knees and proved very hard to remove. What makes today sadder than any other virus attack is the trusting nature we all have around image files. We get them on websites and in our email. We don't think about them containing malicious code. Think about your average PC user; they unknowingly are getting themselves attacked.
December 5 2008 - Mickyj.com
September 25 2008
_qbotinj.exe
I have a client who had suspected that they had a virus for some time. They did not deem it important to let me know. When they logged into their PC, after everything had settled and finished loading, Explorer would crash and want to send information off to Microsoft. From that point onwards, popup ads would start appearing. I ran Hijackthis, Rootkit Revealer, Trend Micro Sysclean, Spybot 1.6 (with rootkit plugin) and Malwarebytes. Nothing found the cause of the popup ads. I manually checked through the running processes and dll files with Process Explorer. There were no clues. On reboot, I happened to start up Task Manager and watch processes as they loaded. There was this "_qbotinj.exe" file starting up. Nothing I ran could find it on the hard disk. It seems to be a rootkit of some kind. I found information regarding this; it is a virus and easily removed using Prevx. In this case, Prevx CSI could not find it.
http://spywarefiles.prevx.com/RRFBGJ29452751/_QBOTINJ.EXE.html
I looked in C:\Documents and settings\all users\_qbothome\ as suggested in various documentation; the path did not exist. Then I ran RegRun Reanimator and it found it but could not remove it. It did stop it running. When the rootkit was removed from memory I could see the C:\Documents and settings\all users\_qbothome\ folder, renamed _qbotinj.exe to _qbotinj.old and created a folder called "_qbotinj.exe".
As it turns out, on reboot, something tried to place the file _qbotinj.exe back into the file system but could not, as I had a folder there by the same name. Then I saw all the text log files. All websites, Internet Explorer autocomplete, passwords, usernames and Visa/banking details had been captured through keylogging and placed into this log file. Not nice. When you see popups... tell someone. Get it checked.
September 25 2008 - Mickyj.com
August 28 2008
It is estimated that in 2009, new Malware will appear at a rate of 4,500 per hour. So much for hourly pattern updates :(
28 August 2008 - Mickyj.com
August 10 2008
Can't open executable files anymore, they will not run.
A while back, a virus injected itself into the registry in the following key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
This key dictates how executable files should run. The data was:
(default) = %system%\drivers\spools.exe "%1" %*
When you clean the virus off the system, it is gone but you still can not run executables.
Open the key up in Regedit and change it back to:
(default) = "%1" %*
And everything should now work as normal.
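The same check and repair, scripted, as an added example that is not part of the original post: it reads the (default) value of the key above, compares it with the Windows default and only writes if something else is there. Run it from an elevated PowerShell prompt; the backup file location under $env:TEMP is an assumption.

```powershell
# Added example (not from the original post): detect the exefile "open"
# command hijack described above and restore the Windows default "%1" %*.
# Run elevated; the backup path is an assumption, change it as you like.
$keyPath  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
$expected = '"%1" %*'   # Windows default: run the file and pass its arguments through

# The (default) value of this key is what the shell executes for every .exe
$current = (Get-ItemProperty -Path $keyPath).'(default)'
Write-Host "Current exefile open command: $current"

if ($current -eq $expected) {
    Write-Host 'exefile handler is at the Windows default; nothing to do.'
} else {
    # Anything else (the post shows %system%\drivers\spools.exe "%1" %*) means
    # every program launch on this machine is routed through another binary.
    Write-Warning "exefile handler has been modified: $current"

    # Keep a copy of the current key before touching it
    $backup = Join-Path $env:TEMP 'exefile-open-command.reg'
    reg.exe export 'HKLM\SOFTWARE\Classes\exefile\shell\open\command' $backup /y | Out-Null

    Set-ItemProperty -Path $keyPath -Name '(default)' -Value $expected
    Write-Host "Restored exefile open command to $expected (backup: $backup)"
}
```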
10 August 2008 - Mickyj.com
August 5 2008
Emails that can kill
After the UPS email, more have followed. Popular emails have included "CNN.com Daily Top 10", Microsoft announcing a new internet browser and "New PDF Version for Windows". There have also been emails with subjects relating to recent news events or events we would all consider exciting. All this is aimed at tricking you into downloading something or viewing something. Unless you subscribe to CNN or a specific news service, don't even bother to open them. Adobe and Microsoft do not advertise in this way, and the news headlines... too good to be true.
Reader be aware!!
5 August 2008 - Mickyj.com
July 28 2008
New Malware killer
In case of infection, break glass
I have a new tool for you. Especially good at cleaning up the UPS Malware. It is called Malwarebytes. Learn to love it as this tool actually works. If you like it, buy it. This tool has certainly helped my clients today. Thanks to Jerome for putting me onto it.
28 July 2008 - Mickyj.com
July 15 2008
UPS
A series of emails used to spread the Agent.JEN Trojan has appeared. The messages purport to come from the package delivery company UPS.
The message body, with subjects such as "UPS packet N3621583925", informs the recipient that it was impossible to deliver a postal package sent by them and advises them to print out a copy of the attached invoice.
The invoice is included in an attached ".zip" file that contains an executable file disguised as a Microsoft Word document, with names like "UPS_invoice". However, if the targeted user runs the file, they will be introducing a copy of the Trojan into their computer (and a rootkit and a virus).
The malicious code copies itself to the system, replacing the Userinit.exe file in the Windows operating system. This file runs the Internet Explorer browser, the system interface and other essential processes. The Trojan then copies the system file to another location under the name userini.exe, not interfering with the computer's work and without raising any suspicion of the infection.
Agent.JEN connects to a Russian domain (already used by other banker Trojans) and uses it to send a request to a German domain to download a rootkit and adware. This further increases the risk of infection.
I have had several clients infected with this Malware and it is very nasty. I have a workaround to remove the Malware; however, running the latest antivirus and antivirus patterns is the best solution (and not double clicking strange attachments from people you do not know).
One of the side effects of this Malware is that Spybot and Hijackthis will not work. You can double click them but they do not start.
If this is a networked PC, my solution is to have the user log off. This releases various executables from memory and leaves the PC ready to be logged on to. From another PC with local Administrator rights over the PC, I connect remotely (using \\workstationname\c$) and then proceed to replace and remove certain files.
I extract an original file, userinit.ex_, from i386 in the Windows installer files (use Expand.exe Userinit.ex_ Userinit.exe) and place the file over the top of the infected one in C:\Windows\System32.
I locate C:\Windows\buritos.exe and delete it, creating a folder called C:\Windows\buritos.exe.
I locate C:\Windows\karina.dat and delete it, creating a folder called C:\Windows\karina.dat.
Some infections also produce:
- braviax.exe
- beep.sys
- XPSecurityCenter.exe
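A read-only triage pass over the indicators named in this post, as an added example that is not the author's own procedure: it runs from the admin PC against the logged-off workstation's c$ share, looks for the dropped files, and compares the live userinit.exe with a copy expanded from i386 the same way the post does. The workstation name and the i386 folder are placeholders; beep.sys is skipped because a legitimate driver by that name normally exists, so a name match alone proves nothing.

```powershell
# Added example (not the post author's tooling): triage a logged-off XP
# workstation over \\host\c$ for the Agent.JEN indicators listed above.
# Read-only: it reports and deletes nothing. Host name and i386 path are placeholders.
param(
    [string]$Workstation = 'workstationname',   # placeholder, as in the post
    [string]$I386        = 'D:\i386'            # placeholder: Windows install files
)
$win = "\\$Workstation\c$\Windows"

# 1. Files the post says are dropped directly in C:\Windows
foreach ($name in 'buritos.exe', 'karina.dat') {
    $p = Join-Path $win $name
    if (Test-Path $p -PathType Leaf) { Write-Warning "Dropped file present: $p" }
}

# 2. Names the post associates with the infection without a path, plus
#    userini.exe, the relocated copy of the real userinit.exe it leaves behind
$names = 'braviax.exe', 'XPSecurityCenter.exe', 'userini.exe'
Get-ChildItem -Path $win -Include $names -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Suspicious file: $($_.FullName)" }

# 3. Compare the live userinit.exe with a pristine copy expanded from i386,
#    the same source the post uses for its replacement file
$clean = Join-Path $env:TEMP 'userinit.clean.exe'
& expand.exe (Join-Path $I386 'userinit.ex_') $clean | Out-Null
$live      = Join-Path $win 'System32\userinit.exe'
$liveHash  = (Get-FileHash -Path $live  -Algorithm SHA256).Hash
$cleanHash = (Get-FileHash -Path $clean -Algorithm SHA256).Hash
if ($liveHash -ne $cleanHash) {
    Write-Warning "userinit.exe on $Workstation does not match the i386 original"
} else {
    Write-Host "userinit.exe on $Workstation matches the i386 original"
}
```

If i386 holds a service-pack or hotfix version of userinit.exe different from what was installed, the hash comparison will differ for benign reasons; check the file version before treating that alone as proof of infection.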
15 July 2008 - Mickyj.com
June 28 2008
Did you know?
The number of poisoned web sites is increasing. 1 in 1000 web pages are infected with malicious drive-by downloads (source IDG News).
28 June 2008 - Mickyj.com
June 16 2008
And today was meant to be a good day!
On the 16th we had Wayne Small (MVP) in town to talk about SBS 2008, WooHoo!
Starting the evening of the 15th, I had a client infected with Malware after surfing the web. I suspected a particular website after reviewing ISA logs and Trend Micro alerts.
I got to the point where I needed some advice so I contacted Sandi Hardmeier.
We isolated a number of links hidden in Flash advertisements that were downloading flash.exe and system936193ow.dll onto systems and infecting them.
Most of my clients infected were legal practitioners so it was obviously a website they all used.
On the 16th, SQL injections increased dramatically and the website MVPs use to blog with (http://msmvps.com) was hit badly. Blogs were dying left, right and centre and Microsoft were telling us to wipe the servers and start again. No one could get the alert out. Most notable was Susan Bradley's (MVP) blog where she showed the server running unknown software after being attacked.
It looked like the 16th was going to be a terrible day.
First to my immediate issue, I blocked the following websites to stop the new Malware.
Users are likely being attacked through an embedded iframe that is being used to exploit a security vulnerability in something like RealPlayer, or Flash, or QuickTime or something like that.
Onto Susan's findings with the MVP blog server (SQL injection target).
There is no such Microsoft program or service!
In Susan's words:
In getting ready for the upgrade to CS 2008 I was trying to make some special backups... that wouldn't work. Well in digging into the matter more, that service that is missing some files which is causing the peer to peer backups between Brianna and Yoda to fail.. isn't a real service at all.
http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgos.html
We have backups so first thing tomorrow morning I'll be calling PSS Security to, more than anything else, find out the "how" this happened.
Bottom line we got a critter on the box and I didn't (intentionally anyway) put it there.
And to check to see if Yoda should be quarantined (aka web server turned off) to protect web visitors as well. So if the blog goes off the air a bit we're just doing it to better protect viewers.
Yoda etc. are the names of the servers used to look after MVP blogs. PSS is a Microsoft support team and they recommended wiping the server blank as this was a serious infection.
16 June 2008 - Mickyj.com
June 12 2008
Sandi joins TRUSTe.
Well done Sandi, you deserve everything that comes your way for your tireless efforts in keeping Malware at bay.
Noted Malware Researcher and Microsoft MVP, Sandi Hardmeier Joins TRUSTe Compliance and Network Monitoring Team
June 12, 2008 (San Francisco, Ca) - TRUSTe, the recognized authority on privacy best practices on the Internet, today announced Sandi Hardmeier will join TRUSTe as an Online Compliance Researcher. Ms. Hardmeier is a recognized and widely sought after industry expert in the field of malware and malvertizing and their impact on consumer privacy and security. She will play a key role in TRUSTe's development of improved network monitoring strategies while providing customers with expert insight and recommendations to combat existing and emerging Web threats such as spyware, computer viruses, and other types of malware.
"Sandi has been studying malware since 2000, and has watched its metamorphosis from simplistic, easy to remove adware into the sophisticated crime-motivated products we see today," said Fran Maier, executive director of TRUSTe. "Sandi will help us build our expertise in the important intersection between online trust, privacy and security."
Sandi has been a Microsoft Most Valued Professional (MVP) since 1999, specializing in Internet Explorer and Internet Security as it pertains to business and consumers. She also has an array of published work and is the author of www.msmvps.com/spywaresucks (a Web site dedicated to teaching Internet users about the latest risks to their online safety and how to stay safe when surfing the Web); www.ie-vista.com (dedicated to providing technical support to users of IE7 and IE8); and http://inetexplorer.mvps.org (dedicated to providing technical support to users of IE6 and earlier).
About TRUSTe
TRUSTe helps millions of consumers identify trustworthy online organizations through its Web Privacy Seal, Email Privacy Seal and Trusted Download Programs. TRUSTe ensures online privacy and protects confidential user information on more than 2,400 Web sites and many of the most highly trafficked, including Yahoo, AOL, Microsoft, Disney, eBay, Intuit, and Facebook. Independent research shows that when a TRUSTe web seal is present, visitors and customers are more likely to share personal information, register at higher rates and spend more money. To learn more about internet privacy visit www.truste.org.
Media Contact:
Carolyn Hodge
TRUSTe
(415) 520-3415
chodge@truste.org
12 June 2008 - Mickyj.com