
Thread: Virus Alert !

  1. #26
    Bad address email on file QDO1's Avatar
    Join Date
    Sep 2005
    Location
    UK
    Occupation
    Dispensing Optician
    Posts
    1,961

    Exclamation Nyxem-E virus

    Summary
    This is also known as the Blackmal, My Wife, Kama Sutra, Grew and CME-24 virus.

    Problem or Symptom
    The Nyxem-E virus spreads as an email attachment with a variety of file names and subjects.
    Once it infects your computer it tries to
    • close and delete anti-virus software
    • spread via email using your email address book
    • copy itself to a local network (if present).
    On the 3rd of each month the virus will overwrite any of the following types of files on your computer with the text "DATA Error {47 0F 94 93 F4 K5}".
    • Oracle files (*.DMP)
    • Word documents (*.DOC)
    • Microsoft Access (*.MDB)
    • Microsoft Access/Office (*.MDE)
    • Adobe Acrobat (*.PDF)
    • PowerPoint slideshow (*.PPS)
    • PowerPoint (*.PPT)
    • Photoshop (*.PSD)
    • Compressed archives (*.RAR)
    • Excel spreadsheets (*.XLS)
    • Compressed archives (*.ZIP)
    Solution(s)
    All of the top Anti-virus companies have updated their software to be able to detect and remove this virus.

    It is suggested that you update anti-virus software and carry out a full scan of your computer to ensure that you have not been affected as soon as possible.

    Alternatively you can download a free scanning and removal tool from Symantec by clicking here.
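
A damage check for the payload described in the post above, as an added example that is not part of the original post or of any vendor tool: it walks a directory tree and reports files of the listed types that now begin with the overwrite text. It assumes the marker is stored as plain ASCII at the start of the file.

```python
import os
import sys

# Marker text and target extensions exactly as listed in the post above.
# Assumption: the marker is stored as plain ASCII at offset 0 of the file.
NYXEM_MARKER = b"DATA Error {47 0F 94 93 F4 K5}"
TARGET_EXTS = {".dmp", ".doc", ".mdb", ".mde", ".pdf", ".pps",
               ".ppt", ".psd", ".rar", ".xls", ".zip"}


def is_overwritten(path):
    """Return True if the file begins with the overwrite marker."""
    with open(path, "rb") as fh:
        return fh.read(len(NYXEM_MARKER)) == NYXEM_MARKER


def scan_tree(root):
    """Walk root and return (damaged, unreadable) lists of file paths.

    Only files whose extension is on the target list are opened; matching
    is case-insensitive because Windows file names are.
    """
    damaged, unreadable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                if is_overwritten(full):
                    damaged.append(full)
            except OSError:
                # Locked or permission-denied files are reported, not
                # skipped silently, so they can be checked by hand.
                unreadable.append(full)
    return sorted(damaged), sorted(unreadable)


if __name__ == "__main__":
    damaged, unreadable = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in damaged:
        print("OVERWRITTEN", path)
    for path in unreadable:
        print("UNREADABLE ", path)
    print(f"{len(damaged)} overwritten, {len(unreadable)} unreadable")
```

Files it reports are the ones to restore from backup after the machine has been cleaned.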

  2. #27
    Bad address email on file amoura_0's Avatar
    Join Date
    Oct 2005
    Location
    palestine
    Posts
    129
    Where in the world do u get all this information........ if a virus is out, i thought it would be sneaked in for a while... not everyone knowing about it already.....
    anyway thanks for letting us know that even our PCs are terrorized by these viruses...

  3. #28
    Bad address email on file QDO1's Avatar
    Join Date
    Sep 2005
    Location
    UK
    Occupation
    Dispensing Optician
    Posts
    1,961
    Quote Originally Posted by amoura_0
    Where in the world do u get all this information........ if a virus is out, i thought it would be sneaked in for a while... not everyone knowing about it already.....
    anyway thanks for letting us know that even our PCs are terrorized by these viruses...
    I do a lot of work on computer systems and support, so I am quite connected.

  4. #29
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Mac Virus..........Leap.A

    There aren't that many of them...but this one is making the rounds.

    Also known as: Oompa-Loompa, OSX/Oomp-A, Leap.A, CME-4, MacOS/Leap, MacOS/Leap!tgz, OSX.Leap.A, OSX/Leap
    Type: iChat worm and Mac OS X 10.4 virus
    Description: The Leap.A (aka Oompa-Loompa) infects applications in Mac OS X 10.4 (Tiger) running on PowerPC processors. Upon infection, Leap.A (aka Oompa-Loompa) sends itself to the infected user's contacts via iChat.
    The sent attachment is named latestpics.tgz. The extracted latestpics.tgz file contains latestpics, which appears to have a .jpg icon. In reality, the icon is being faked by a second, hidden file, named _latestpics.
    Leap.A installs itself differently depending on the rights of the logged in user. If the user is logged in as an administrator, Leap.A installs itself to the /Library/InputManagers/ directory.
    If the user is not logged in as admin and does not have root permissions, the Leap.A virus will install to the ~/Library/InputManagers/ directory.

    In either case, the files installed/replaced are:
    apphook/Info
    apphook/apphook.bundle/Contents/Info.plist
    apphook/apphook.bundle/Contents/MacOS/apphook
    The Leap.A worm has also been dubbed Oompa-Loompa because it assigns the following extended attribute to application files it infects:
    name: oompa
    value: loompa
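
A check for the two traces named in the post above (the apphook files under InputManagers and the oompa/loompa extended attribute), as an added example that is not part of the original post. The function names are hypothetical, the attribute is read with the macOS `xattr` command, and which file inside an application carries the attribute is not stated in the post, so the caller supplies the path.

```python
import os
import subprocess
import sys

# Relative paths copied from the post above.
APPHOOK_FILES = (
    "apphook/Info",
    "apphook/apphook.bundle/Contents/Info.plist",
    "apphook/apphook.bundle/Contents/MacOS/apphook",
)


def input_manager_dirs(home):
    """System-wide and per-user InputManagers directories."""
    return ["/Library/InputManagers",
            os.path.join(home, "Library", "InputManagers")]


def find_apphook(dirs):
    """Return every listed apphook path that exists under the given dirs."""
    hits = []
    for base in dirs:
        for rel in APPHOOK_FILES:
            candidate = os.path.join(base, *rel.split("/"))
            if os.path.exists(candidate):
                hits.append(candidate)
    return hits


def read_xattr_cli(path, name):
    """Read one extended attribute via macOS `xattr -p`; None if absent."""
    try:
        result = subprocess.run(["xattr", "-p", name, path],
                                capture_output=True, text=True)
    except FileNotFoundError:      # tool not present (not a Mac)
        return None
    return result.stdout.strip() if result.returncode == 0 else None


def is_marked(path, read_xattr=read_xattr_cli):
    """True if path carries the attribute oompa with the value loompa."""
    return read_xattr(path, "oompa") == "loompa"


if __name__ == "__main__":
    for hit in find_apphook(input_manager_dirs(os.path.expanduser("~"))):
        print("apphook file present:", hit)
    for app_file in sys.argv[1:]:
        if is_marked(app_file):
            print("oompa/loompa attribute set:", app_file)
```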

  5. #30
    Cape Codger OptiBoard Gold Supporter hcjilson's Avatar
    Join Date
    May 2000
    Location
    Cape Cod, Hyannis, MA. USA
    Occupation
    Dispensing Optician
    Posts
    7,437
    Thanks sean........haven't heard of this yet! h
    "Always laugh when you can. It is a cheap medicine"
    Lord Byron

    Take a photo tour of Cape Cod and the Islands!
    www.capecodphotoalbum.com

  6. #31
    Bad address email on file QDO1's Avatar
    Join Date
    Sep 2005
    Location
    UK
    Occupation
    Dispensing Optician
    Posts
    1,961
    That's a first for a mac, and can be spread (in theory) by bluetooth too

  7. #32
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798
    Quote Originally Posted by hcjilson
    Thanks sean........haven't heard of this yet! h
    To quote you in another post in this thread............"I think i'll relax a bit today":) :D :)

  8. #33
    Cape Codger OptiBoard Gold Supporter hcjilson's Avatar
    Join Date
    May 2000
    Location
    Cape Cod, Hyannis, MA. USA
    Occupation
    Dispensing Optician
    Posts
    7,437
    You should......You've waited long enough to post something about a MAC virus :)
    "Always laugh when you can. It is a cheap medicine"
    Lord Byron

    Take a photo tour of Cape Cod and the Islands!
    www.capecodphotoalbum.com

  9. #34
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Backdoor.Hesive.B

    Trojan horse that opens a back door on the compromised computer. It may arrive as a malicious Microsoft Access file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow vulnerability.



    Type: Trojan Horse
    Infection Length: 106,496 bytes.



    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


    Distribution -----> Ports: TCP ports 80 and 8080

  10. #35
    Bad address email on file QDO1's Avatar
    Join Date
    Sep 2005
    Location
    UK
    Occupation
    Dispensing Optician
    Posts
    1,961

    Trojan targets basic Java phones


    From Russia without love

    Ne'er-do-wells have created a Trojan that can infect mobiles phones running Java applications. RedBrowser-A infects not only smart phones, but any mobile phone capable of running Java (J2ME) applications, according to Russian anti-virus firm Kaspersky Lab.

    The mobile malware poses as a program called RedBrowser that supposedly allows surfers to visit WAP sites without using a WAP connection. According to the blurb, this access is possible by sending and receiving free SMS messages. In reality, the Trojan sends text messages to premium rate numbers, costing users between $5 and $6 per SMS.

    The Trojan is a Java application in the form of a JAR format archive, sometimes called "redbrowser.jar" that's 54,482 bytes in size. It can be downloaded to the victim handset either after downloading it onto a PC and subsequently transferring it onto a handset, or downloading it directly from a WAP site. Fortunately, however you get it, the malware is easily removed from the victim handset using standard utilities already installed on the telephone.

    So far, Kaspersky Lab has only received one sample of RedBrowser, which targets subscribers of Beeline, MTS, and Megafon, Russia's largest mobile service providers. However, the appearance of the low-risk malware might encourage virus writers to develop similar programs. Mobile phone users in Russia and beyond are advised to resist any temptation to download and run unknown programs via the internet.

    Kaspersky Lab senior technology consultant David Emm said: "This latest virus represents a natural progression for virus writers, who are constantly seeking to extend their reach by spreading infections via as many platforms as possible. One thing's for sure - RedBrowser may be the first of its kind, but it certainly won't be the last." ®

    Reference: http://www.channelregister.co.uk/200...rojan_malware/

  11. #36
    Bad address email on file QDO1's Avatar
    Join Date
    Sep 2005
    Location
    UK
    Occupation
    Dispensing Optician
    Posts
    1,961

    Slobodan Trojan poses as murder pics

    By John Leyden (The Register www.theregister.co.uk)
    Published Wednesday 15th March 2006 17:18 GMT
    Emails purporting to prove that the recently deceased former Yugoslav president Slobodan Milosevic was killed contain a malicious Trojan, called Dropper-FB (http://www.sophos.com/virusinfo/anal...ropperfb.html). Milosevic, whose trial on charges of genocide was nearing its conclusion, was found dead in his cell in the Netherlands on Saturday.

    Prospective marks are invited to open emails with subject line "Slobodan Milosevic was killed" and open a file which claims to offer an "image" purporting to prove the war crimes suspect was done in. If this attached file (actually a 16.5KB executable, compressed in the UPX format) is opened, a Trojan is downloaded onto Windows PCs. Online security firm BlackSpider estimates that more than 800,000 emails containing the new Trojan-downloader were sent to UK businesses before the first anti-virus software firm updated their software early this morning.

    Once an event - such as 2004's Asian Tsunami or the July 2005 terrorist bombings - dominates the news it's only a matter of time before virus writers release a topical item of malware. James Kay, chief technology officer of BlackSpider Technologies, said: "Virus writers are playing on morbid human interest and using a high profile incident to cause as much damage as they can to businesses."

    Slobodan Milosevic joins a long line of public figures whose names have been harnessed to bait malware attacks. Malware posing as the death pics of both Osama bin Laden (the Small-AXR Trojan) and Saddam Hussein (the Bobax-H worm) have hit the net over recent months. Offers of racy pictures of Jennifer Lopez and Anna Kournikova, among others, have also been used to tempt the unwary. ®

  12. #37
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    W32.Rontokbro.Z@mm

    W32.Rontokbro.Z@mm is a mass-mailing worm that lowers security settings
    From: [SPOOFED]

    Subject:
    One of the following:


    My Best Photo
    Fotoku yg Paling Cantik

    Message:
    One of the following:


    Hi,
    I want to share my photo with you.
    Wishing you all the best.
    Regards,

    Hi,
    Aku lg iseng aja pengen kirim foto ke kamu.
    Jangan lupain aku ya !.
    Thanks,

    Attachment:
    Photo.zip

  13. #38
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    W32.Spybot.AGEN

    A worm that has distributed denial of service, back door and rootkit capabilities. The worm spreads by exploiting vulnerabilities through AOL instant messenger. It also lowers the security settings of the compromised computer.
    Distribution is on TCP Ports 135, 445 and 1863

  14. #39
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    W32.HLLP.Sality

    Virus with keylogging and back door capabilities. It may infect executable files by prepending its code to host files.
    This email has the following characteristics:


    Subject: Administrator

    Attachment:

    readme.tjc
    TFTempCache.tjc

    Uses keylogging capabilities to gather the following information from the compromised computer:


    IP address, host name, and user names
    Sensitive computer information, such as size of memory, local disks, the Windows version, and product key
    RAS dialup accounts
    Net Share passwords
    Startup programs
    WebMoney files


    Temporarily stores any information it gathers in the following encrypted file:

    %System%\TFTempCache

  15. #40
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    W32.Beagle.EA@mm

    Mass-mailing worm that uses its own SMTP engine to spread. The worm also tries to download and execute remote files.
    Sends itself as an attachment to the email addresses it gathers. The email message has the following characteristics:


    Type: Worm
    Infection Length: 23,540 bytes


    From:
    [SPOOFED]

    Subject:
    The text of the subject is in Russian.

    Message Body:
    The text of the message is in Russian.

    Attachment:
    One of the following:


    cool.cab
    new.cab
    me.cab
    you.cab
    Re.cab

  16. #41
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    W32.Olmi.A@mm

    Mass-mailing worm that opens a back door on the compromised computer. It also lowers security settings and exploits remote vulnerabilities.

    Sends itself to the email addresses that it finds or generates. The email has the following characteristics:

    Subject:
    One of the following:


    [RANDOM]

    Error

    Status

    Server Report

    Mail Transaction Failed

    Mail Delivery System

    Hello

    hello

    Hi

    hi

    Message:
    One of the following:


    [BLANK]

    [RANDOM]

    Mail transaction failed. Partial message is available.

    The message contains Unicode characters and has been sent as a binary attachment.

    The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

    test

    Attachment:
    One of the following file names:


    body

    message

    test

    data

    file

    text

    doc

    readme

    document

  17. #42
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    XF.Lugunay

    Macro virus that uses Excel formulas to infect files. The virus will run on both Windows and Macintosh operating systems.
    Payload: Infects open Excel workbooks.

    Modifies files: Adds a malicious macro to Excel workbooks........results in corrupt files.

  18. #43
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    W32.Timeserv@mm

    A mass-mailing worm that opens a back door and sends emails to addresses gathered from the compromised computer.

    Subject of email: Microsoft Customer Support.
    Name of attachment: timesrv.exe
    Size of attachment: 53,248 bytes
    Time stamp of attachment: n/a
    Ports: TCP port 9999

    Message Body:

    Hello Dear.

    In programm maintenance of corporation Microsoft critical vulnerabilyty has been found in processing wmf files. Programmers Microsoft have let out critical updating for Windows 98/2000/XP. We urgently recommend you and to estabilish updating. One copy of updating packet in attach for this letter.

    With best regards,
    Microsoft Customer Support.

    Attachment: timesrv.exe
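
A mail-triage sketch built from the subject lines and attachment names given in the Rontokbro, Sality, Beagle and Timeserv posts above, as an added example that is not part of the original posts. The function names and the sample messages are constructed here; the Olmi lists are left out because this example treats names such as "Hello" and "file" as too generic to match on.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects and attachment names copied from the posts in this thread.
# The Beagle post gives no matchable subject (only "in Russian").
INDICATORS = {
    "W32.Rontokbro.Z@mm": (
        {"my best photo", "fotoku yg paling cantik"}, {"photo.zip"}),
    "W32.HLLP.Sality": (
        {"administrator"}, {"readme.tjc", "tftempcache.tjc"}),
    "W32.Beagle.EA@mm": (
        set(), {"cool.cab", "new.cab", "me.cab", "you.cab", "re.cab"}),
    "W32.Timeserv@mm": (
        {"microsoft customer support"}, {"timesrv.exe"}),
}


def _norm(text):
    # Case-fold and drop a trailing full stop so "Support." matches "support".
    return (text or "").strip().rstrip(".").lower()


def classify(raw_message):
    """Return sorted (threat, evidence) pairs for one raw RFC 5322 message.

    An attachment-name match is required; a subject match on top of it
    upgrades the evidence from "attachment" to "subject+attachment".
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject = _norm(str(msg["Subject"] or ""))
    names = {_norm(part.get_filename()) for part in msg.iter_attachments()}
    hits = []
    for threat, (subjects, attachments) in INDICATORS.items():
        if names & attachments:
            evidence = ("subject+attachment" if subject in subjects
                        else "attachment")
            hits.append((threat, evidence))
    return sorted(hits)


def build_sample(subject, filename):
    """Constructed test message: harmless bytes under a given name."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed, harmless bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, name in [("My Best Photo", "Photo.zip"),
                       ("Quarterly numbers", "new.cab"),
                       ("Administrator", "minutes.pdf")]:
        print(subj, name, classify(build_sample(subj, name)))
```

Name matching only catches the variants described here, so it complements an up-to-date scanner rather than replacing it.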

  19. #44
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Yahoo! Mail................

    JS/Yamanner@MM, JS.Yamanner@m
    Type: E-mail worm
    Discovery Date: 06/12/2006
    Length: Varies
    There are reportedly two known variants of this threat. It appears to be under development/refinement......... and the initial variant contains a typo in the code.

    This email worm attempts to spread by exploiting a vulnerability in Yahoo! Mail involving the automatic execution of Javascript. Yahoo is reportedly working on a fix ......and blocking most of these messages.

    Messages containing the virus code may appear as follows:

    Subject: New Graphic Site
    Body: Note: forwarded message attached.

    The email message body contains JavaScript designed to execute upon viewing the email message via Yahoo! Mail. Once running, the script harvests '@yahoo.com' and '@yahoogroups.com' email addresses from Yahoo! Mail folders, and then sends a copy of itself to those addresses. The script also sends a list of the harvested addresses to av3.net.

    Symptoms
    Viewing an email message as described via Yahoo! Mail may be an indication that an infection has occurred.

    Method of Infection
    This threat "auto-executes" by exploiting a vulnerability in the onload event handling of Yahoo! Mail. A specially crafted email message allows an attacker to execute script code that should not be allowed to execute. This threat exploits this vulnerability to launch a script that harvests email addresses and sends those recipients (BCC) the virus embedded in a new email message.
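
The defensive side of the onload problem described in the post above, as an added example that is not part of the original post and is not Yahoo!'s filter: a webmail renderer has to drop script elements and every on* event-handler attribute before showing a message body. The class and function names and the sample markup are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser


class EventHandlerStripper(HTMLParser):
    """Re-emit HTML without <script> elements or on* attributes.

    Comments, doctypes and processing instructions are dropped as well,
    because the default handlers for them emit nothing.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.removed = []          # what was dropped, for logging
        self._in_script = False

    def _emit_tag(self, tag, attrs, closer):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):      # onload, onerror, ...
                self.removed.append(f"{tag}@{name}")
                continue
            kept.append(name if value is None
                        else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + closer)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.removed.append("script")
        elif not self._in_script:
            self._emit_tag(tag, attrs, ">")

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            self.removed.append("script")
        elif not self._in_script:
            self._emit_tag(tag, attrs, " />")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif not self._in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            # Text was entity-decoded by the parser, so encode it again.
            self.out.append(escape(data, quote=False))


def sanitize(html_text):
    """Return (clean_html, removed_items) for one message body."""
    parser = EventHandlerStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed
```

This covers only the two vectors named in the post; a production renderer would use an allow-list of tags, attributes and URL schemes instead of removing known-bad ones.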

  20. #45
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Microsoft Excel Document Handling Memory Corruption Code Execution Vulnerability

    A vulnerability has been identified in Microsoft Excel, which could be exploited by attackers to take complete control of an affected system. This flaw is due to a memory corruption error when processing a malformed ".xls" document, which could be exploited by attackers to execute arbitrary commands by convincing a user to open a specially crafted Excel file.
    Affected Products

    Microsoft Excel 2003
    Microsoft Excel Viewer 2003
    Microsoft Excel 2002
    Microsoft Excel 2000
    Microsoft Excel 2004 for Mac
    Microsoft Excel v. X for Mac

  21. #46
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Google's Orkut hit by Internet worm

    Internet virus, which is capable of stealing bank information and other personal data.
    A password stealing trojan, which apart from capturing bank account information, also attempts to steal a user’s login credentials for Orkut, which is an online community.

    Aliases
    Trojan-Spy.Win32.Banker.bkz - Kaspersky
    Trojan.Banker.Delf.69B45B06 - Bit Defender

    PWS-Banker!1d2e uses Internet Explorer to load itself as a BHO (Browser Helper Object).

    When a user tries to open Internet Explorer for the first time, after being infected, a bogus message box is displayed about insufficient memory.

    The user is then eventually redirected to the login page of orkut.com

    Once logged in, apart from stealing the user’s login credentials, this malware posts an entry in the user’s scrapbook (similar to guestbook).

    The URL in the scrap entry points to an executable file hosted on a compromised website. The executable is a downloader which downloads this password stealer.


    Method of Infection
    Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings.

  22. #47
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    W32/Opanki.worm!MS06-040

    A worm that drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.
    The worm can spread over AIM instant messaging, opens a backdoor at TCP port 443, tries to connect to an IRC server and waits for commands. One of the ways this worm can spread is by exploiting Server Service Vulnerability (MS06-040) and older vulnerabilities including a buffer overflow in the Workstation Service (MS03-049).

  23. #48
    Bad address email on file OptiBoard Gold Supporter Sean's Avatar
    Join Date
    Jun 2000
    Location
    NC & MA
    Occupation
    Dispensing Optician
    Posts
    2,798

    Bloodhound.Exploit.77

    A heuristic detection for the Microsoft Internet Explorer Daxctle.OCX Spline Method Heap Buffer Overflow Vulnerability.
    An attacker who exploits this vulnerability could perform a denial-of-service attack against a vulnerable version of Internet Explorer, or potentially execute arbitrary code with the privileges of the logged-on user. The exploit is triggered by viewing a specially-crafted HTML file.
    Applies to: Internet Explorer 6, Internet Explorer 7

  24. #49
    Master OptiBoarder Snitgirl's Avatar
    Join Date
    May 2005
    Location
    North Vancouver, British Columbia, Canada
    Occupation
    Dispensing Optician
    Posts
    1,764

    whoa....

    phew, so glad I am a Mac User!

    Thanks for keeping everyone up to date!

  25. #50
    Master OptiBoarder Grubendol's Avatar
    Join Date
    Aug 2006
    Location
    Whittier, CA
    Occupation
    Dispensing Optician
    Posts
    1,506
    This is why I love Macs
    www.opticaljedi.com
    www.facebook.com/opticaljedi
    www.twitter.com/opticaljedi
    __________________________________
    Prognatus ex Alchemy ad Diligo
    Eliza Joy Martius VIII MMVIII

