NEWS FROM THE LAB - April 2007
 

 

Monday, April 30, 2007

 
Update on the Estonian DDoS attacks Posted by Mikko @ 06:57 GMT

Several of the Government websites we monitored over the weekend are still down in Estonia.

Some sites are up but are in "light-weight" mode. For example, the site of the Estonian Police has been changed to one text-only page.

Here are the Netcraft availability stats on the Estonian Government official home www.valitsus.ee. Not a pretty sight.

Valitsus

As the real-world riots seem to have calmed down by now, hopefully the net attacks will too.

 
 

 
 
EGold indicted for money laundering and illegal money transmitting Posted by Jarno @ 06:54 GMT

Digital currency company E-gold has been indicted by the U.S. Department of Justice for suspected money laundering and illegal money transmitting. This is interesting as we have seen E-Gold, Webmoney, Western Union, Fethard and other similar services being used by online criminals for quite a long time.

For example, here's a snippet from the Iframecash web site – this gang has been known to use exploits (such as WMF and ANI) to drop drive-by-installs to innocent bystanders' machines.

E-Gold

We have no information whether E-gold staff has been aware of misuse of their services, or whether they have been able to do anything to prevent misuse. But we sure have seen lots of criminals using E-gold.

Link: US Department of Justice press release.

 
 

 
 
Saturday, April 28, 2007

 
Unrest in Estonia Posted by Mikko @ 13:51 GMT

For the past couple of days, there's been unrest and rioting in Estonia.

Quoting CNN: "Police arrested 600 people and 96 were injured in a second night of clashes in Estonia's capital over the removal of a disputed World War Two Red Army monument … Russia has reacted furiously to the moving of the monument … Estonia has said the monument had become a public order menace as a focus for Estonian and Russian nationalists."

We're now seeing large attacks against websites run by the Estonian government. Some of the sites are unreachable. Others are up, but do not allow any traffic from foreign IP addresses.

Here's the status as we saw it on Saturday at 15:00 GMT:

www.peaminister.ee (Website of the prime minister): unreachable
www.reform.ee (Party of the prime minister): reachable
www.agri.ee (Ministry of Agriculture): reachable
www.kul.ee (Ministry of Culture): reachable
www.mod.gov.ee (Ministry of Defence): reachable
www.mkm.ee (Ministry of Economic Affairs and Communications): unreachable
www.fin.ee (Ministry of Finance): reachable
www.sisemin.gov.ee (Ministry of Internal Affairs): unreachable
www.just.ee (Ministry of Justice): reachable
www.sm.ee (Ministry of Social Affairs): reachable
www.envir.ee (Ministry of the Environment): reachable
www.vm.ee (Ministry of Foreign Affairs): unreachable
www.pol.ee (Estonian Police): reachable
www.valitsus.ee (Estonian Government): unreachable
www.riigikogu.ee (Estonian Parliament): unreachable

Estonian Sites

 
 

 
 
Friday, April 27, 2007

 
New blog from F-Secure Posted by Mikko @ 14:28 GMT

F-Secure Linux Blog

News from the Lab, the blog you're reading now, was started in January 2004. Now we have a second blog to offer you. This one is coming from our Linux Team and is called F-Secure Linux Blog.

As you would expect, the blog is also available as an RSS feed.

F-Secure has pretty much always had strong support for Linux platforms, and today we ship both server and client security software for Linux. Our Rescue boot-up CDs also run on Linux (link to ISO).

The aim of the blog is to write about things relevant to our Linux geeks - which might often be interesting to other Linux geeks as well.

P.S. Linus Torvalds used to bicycle by our office every now and then when he was still living in Finland…

 
 

 
 
Wednesday, April 25, 2007

 
Podcast Posted by Mikko @ 20:04 GMT

ITConversations

I've been a big fan of ITConversations podcasts for a number of years so I'm really proud to announce that I'm featured today on their site.

You can download an hour long recording from here.

Here's a direct link to the MP3.

Thanks to Phil Windley and Scott Lemon for doing the show with me. Next time, let's do it over Skype to get better audio quality.

Mikko

 

 
 

 
 
The mystery deepens Posted by Mikko @ 06:13 GMT

Continuing with the Question of the Day that we've been pondering on for the last couple of posts… things get even more interesting.

It turns out some users are not seeing the weird behavior of Google but they are instead getting sensible results.

Compare this screenshot, sent in by Jean W, to the one in the previous weblog post:

GG2

Alexander S theorized that this difference might be the result of hitting different Google data centers and some of them are somehow out-of-sync.

We did get a fairly good solution from Paul J, who rationalized why Google would sometimes show that a search would only have 4 or 5 results when it really has much more:

  The difference is that first 5 have the search string text in the page,
  whereas the remaining search results have it linked from the page
  
  Results 1 - 10 of about 5 for allintext: 13123390. (0.14 seconds)
  
  Results 1 - 10 of about 0 for allinanchor: 13123390. (0.15 seconds)

 
 

 
 
Tuesday, April 24, 2007

 
No answer for the question of the day Posted by Mikko @ 17:49 GMT

We got quite a few answers to our question of the day but no conclusive answer.

The mystery is why Google gives such contradictory information when you search for the keyword "13123390".

Google says there are only five hits, but it's displaying the first ten of them?

GG0

And there are five more pages of this… so obviously there are more than five hits.

GG1

We did get lots of good guesses on what might be going on, including:

"The string in question, 13123390, is the same in decoded and encoded form. When search engines and web-indexing apps run across this text, it knocks things out of whack due to the identical nature of the decoded/encoded string."

"Results that are 'similar' were removed from the list...Why Didn't this Happen Immediately: Theory: In order to NOT process a complete list with a large set of results, Google performs "look aheads" to analyze the data. This look ahead is performed based on the page you are on. This "look ahead" only analyzes a couple pages immediately proceeding the initial page. Since you usually find what you are looking for in the first few pages, this means that Google doesn't have to perform a massive operation to eliminate duplicate/similar results."

"The distributed google index keeps track of many things, one which is the probabilistic frequency of search terms and words (or numbers) in their index. The search results page uses these figures to give hunch estimates on the search result relevancy, while the actual results are gathered from the full index. Hence, for some terms the figures don't seem to match. Seemingly irrational numbers are good for demonstrating it. Personalized results and/or link spamming prevention algorithms may play their part in this as well. And of course, for some things, censorship."

"I'm going to take a wild guess and say that 4 is the average of 1, 3, 1, 2, 3, 3, 9, and 0."

Anyone else?

 
 

 
 
Monday, April 23, 2007

 
Question of the day Posted by Mikko @ 16:33 GMT

Here we go again.

Make a Google search for "13123390".

How many results do you get?

Are you sure?

Explain what's happening.

Answers on a self-addressed envelope to Weblog at F-Secure.com

 
 

 
 
Friday, April 20, 2007

 
Military Targets Posted by Sean @ 08:07 GMT

In our recent examination of Banker Keyloggers and Phishing sites we're noticing a growing trend. "Military" banks.

The image below is an example taken from a site that hosts a Man-in-the-Middle Phishing Kit.

Man-In-The-Middle Kit BOAM

Among the usual suspects is Bank of America Military.

BOA Military Phishing

Why target banks that cater to U.S. military personnel? Our guess is with the increased deployment of U.S. Military personnel around the world, they've become an interesting target for the bad guys. If you're away from home – you'll do your banking online.

 
 

 
 
Global Financial Crime Congress Posted by Patrik @ 07:09 GMT

Greetings from Bangkok, where Interpol and the United Nations Office on Drugs and Crime are hosting a congress on financial crime.

Interpol UNOCD.jpg


The lineup of speakers is excellent and we've been hearing some very interesting presentations about, for example, how Western Union and Visa are handling fraud, the takedown of Shadowcrew, and how the bad guys are laundering money. Myself, I gave a presentation about how botnets are becoming more advanced and going kernel-mode.

Interpol UN Financial 2007


Special thanks to the interpreters; it can't be easy to translate words such as botnets, kernel, ring-0, and Command & Control in real time.

Signing off,
Patrik
 
 

 
 
Thursday, April 19, 2007

 
SMS phishing on the rise in SE Asia? Posted by Esz @ 09:30 GMT

It seems that SMS phishing scams have come closer to home. As it turns out, apparently lots of people here in our Kuala Lumpur office received similar text messages during the week.

Below is the message that we received on our mobile phones:

SMS Phishing

Translation:
"Announcement from PETRONAS MLSY. CONGRATULATIONS your phone number has won a prize of RM 11000. (About US$3,200) Please contact the following number at 0062858853982xx tomorrow morning at 8.00am. Thank you".

The SMS message was received at 12:15am on 16/4/2007. This looks pretty odd – why would Petronas Malaysia, a national oil and gas company in Malaysia, want to send an SMS at this time?

From the phone numbers that we got from the SMS, we know that they belong to the Indonesian mobile network Indosat and therefore the phisher is located somewhere in Indonesia. This was further confirmed when the phisher spoke to us in Malay with a clearly Indonesian accent.

Apparently, this is not the first time these numbers have been used in an SMS phishing attack – the first reported attack using this number was on the 23rd of March 2007.

We decided to call the listed number and play along with the phisher to find out more about the phishing scheme. The original conversation was in the Malay language. Here is a translated transcript:

   Phisher: Hello.
   Us: Hello.
   Phisher: What is your name?
   Us: My name is Devinder.
   Phisher: What's your phone number?
   Us: My number is xxxxxxx.
   Phisher: Congratulations, we have chosen your number to win RM 11000.
   What is your bank account number?

(Line got disconnected at this point.)
(Next call.)

   Phisher: Hello, Mr. Devinder?
   Us: The line was disconnected just now…
   Phisher: In order for us to transfer the RM 11000, we need your bank account number.
   Us: I am using Maybank.
   Phisher: Do you have an account in any other bank other than Maybank?
   Us: I have Maybank only.
   Phisher: You can't use Maybank because we have another winner who is using Maybank.
   You need to have an account in one of these banks – RHB, Affin Bank, Bank Simpanan Nasional, Eon Bank and Public Bank.
   Us: I have an account in Bank Simpanan too.
   Phisher: Do you have an ATM card? We will not be able to give you the money if you don't have an ATM card.
   Do you have any friend who has an ATM card for an account in any of the [mentioned] banks?
   Us: Yes, my friend has a Giro ATM from Bank Simpanan and we can give you the number. The number is xxxx.
   Phisher: Is this the number on the card?
   Us: Yes.
   Phisher: Is it an ATM card?
   Us: Yes it is an ATM card.
   Phisher: How much money do you have in that account?
   Us: I have around one thousand Ringgit.
   Phisher: Now go and check your balance from an ATM machine.
   It will be RM 12000 now.
   Us: How are you going to send the money? Are you going to send a check?
   Phisher: I am going to send a check to you. Please go to the ATM machine to insert the check in the ATM machine.
   Us: What is your name?
   Phisher: Mohammed Paisol.
   Phisher: Go to the ATM machine now and call us from there.
   Us: Ok. I will do that. Bye.

(After a short time we tried calling again.)

   Us: I am at the ATM machine now.
   Phisher: What is your name?
   Us: Devinder.
   Phisher: Why did you call again?
   Us: Because just now you told me to go to the ATM machine.
   Phisher: So are you at the ATM now?
   Us: Yes.
   Phisher: Are you familiar with the ATM machine?
   Us: Yes, I'm used to using it.
   Phisher: Please put your card in.
   Us: Ok the card is in.
   Phisher: What did the display say on the screen?
   Us: The screen says to choose either English or Bahasa Melayu.
   Phisher: Please choose Bahasa Melayu.
   Us: Ok I have chosen it.
   Phisher: Key in your pin number.
   Phisher: You have to be at the ATM! I know that you are not at the ATM now!
   Us: No, I'm at the ATM now.
   Phisher: No! You are not at the ATM now!
   Us: I'm at the ATM.
   Phisher: Have you inserted the card?
   Us: Yes.
   Phisher: Take the card out!
   Us: Ok, it's out.
   Phisher: It's ok. It's obvious you don't deserve the money. Thank you!!

The phisher hung up abruptly right after that.

We are still in the process of getting the latest information on this phisher. Two days later, we had our PR Manager call the phisher from a different mobile phone and found that the phisher was taking calls on another mobile phone and the call went to voice mail. The voice mail box was apparently full, so we had to abort the call.

So, everyone out there, be prudent when you receive this kind of SMS on your mobile phones.

Here are the WAV files in Malay language:
Part One 2584k — Part Two 8193k — Part Three 7214k
MP3 File Format:
Part One 939k — Part Two 2974k — Part Three 2619k

 
 

 
 
Warezov Back in Action? Posted by Francis @ 05:42 GMT

It's been a while since the last attack of the Warezov gang. But it seems they're now back in action.

Here's a sample screenshot of the e-mail of the new Warezov that is being spammed:

Warezov.NF E-mail

The zip file attachment contains an executable file that uses a text file icon as a decoy:

Warezov.NF Attachment

Once the malware has executed, it pops up the following message box:

Warezov.NF Error

This executable file is a downloader for its other components. The link is encrypted with a simple XOR.

Warezov.NF Download
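As an added illustration of what "encrypted with a simple XOR" means for an analyst writing a configuration extractor (this is example code, not the Warezov sample's own logic or F-Secure's tooling): with a single-byte XOR, the key can be recovered directly from a known plaintext prefix such as "http://", and when the prefix is unknown a brute force over all 256 keys that keeps only printable decodings containing "://" usually leaves a single candidate. The obfuscated blob below is constructed from a placeholder URL with an assumed key of 0x5A, not taken from the real sample.

```python
import string

# Bytes we accept as "looks like text" when brute forcing an unknown key
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\x0b\x0c")


def xor_bytes(data, key):
    """XOR data with a repeating key (a single-byte key is the common case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_key(blob, known_prefix=b"http://"):
    """Known-plaintext recovery for a single-byte XOR: the key that turns the first
    byte into 'h' must also explain the rest of the prefix, otherwise it is rejected."""
    if len(blob) < len(known_prefix):
        return None
    key = blob[0] ^ known_prefix[0]
    if all((b ^ key) == p for b, p in zip(blob, known_prefix)):
        return key
    return None


def brute_force_candidates(blob):
    """Fallback when the prefix is unknown: try every single-byte key and keep the
    decodings that are entirely printable and contain '://'."""
    hits = []
    for key in range(1, 256):
        out = xor_bytes(blob, bytes([key]))
        if all(b in PRINTABLE for b in out) and b"://" in out:
            hits.append((key, out.decode("ascii")))
    return hits


def decode_url(blob):
    """Decode an obfuscated URL, preferring the known-plaintext key and falling
    back to brute force only when exactly one plausible candidate remains."""
    key = recover_single_byte_key(blob)
    if key is not None:
        return xor_bytes(blob, bytes([key])).decode("ascii", "replace")
    candidates = brute_force_candidates(blob)
    return candidates[0][1] if len(candidates) == 1 else None


# Constructed sample: a placeholder URL obfuscated with an assumed key of 0x5A
# (not data from the real Warezov sample)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(b"http://example.invalid/update2.exe", bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    print(hex(recover_single_byte_key(SAMPLE_BLOB)), decode_url(SAMPLE_BLOB))
```

The known-plaintext check deliberately verifies the whole prefix rather than just the first byte, so a blob that merely happens to decode its first byte to "h" is not reported as a URL; the brute-force path returns nothing when the output is ambiguous, which is the behaviour you want in an automated pipeline feeding block lists.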

System administrators may want to block network traffic to the following malicious link:

http://linktunhdesa.com/h[REMOVED]2.exe

Our detection for this variant is Email-Worm:W32/Warezov.NF and it has been included since database update 2007-04-19_02.

 
 

 
 
Wednesday, April 18, 2007

 
Answer of the day Posted by Sean @ 16:10 GMT

There were a good number of responses to yesterday's post that correctly provided the what.

Weblog reader Ville was one of several who also provided the why.

   The answer is really simple, right?

   d41d8cd98f00b204e9800998ecf8427e = 0 byte MD5 hash
   da39a3ee5e6b4b0d3255bfef95601890afd80709 = 0 byte SHA1 hash

   Both appear not only in numerous tutorials on the web concerning these two
   hashing algorithms, but also, and more importantly, in places where these
   hash functions are used for file integrity. Since an empty file will result
   in these hashes, any place that lists hashes for files will often feature these
   two particular strings.

   Thus, while being a seemingly random string of letters, their appearance
   on the web is common due to these two popular hashing algorithms.


We'll be sending Ville, and a few other randomly selected responses, a set of our laptop stickers.
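The practical side of Ville's observation is worth making concrete: when one of these two strings turns up in a checksum manifest, it almost always means a zero-byte artifact (a failed build or a truncated upload) rather than a real file, and a fetch-and-verify step that treats it as a valid match will happily "verify" an empty download. The following added example (my code, not from the post or from Ville) audits md5sum/sha1sum-style manifest lines for empty-input digests, computing the reference values with hashlib rather than hard-coding them, and extends the check to SHA-256 as well. The manifest lines are constructed for the example.

```python
import hashlib

# Digests of zero-byte input, computed rather than hard-coded so the table cannot drift
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256")}
# Hex length identifies the algorithm: 32 -> md5, 40 -> sha1, 64 -> sha256
DIGEST_LENGTH_TO_ALG = {len(d): alg for alg, d in EMPTY_DIGESTS.items()}


def is_empty_input_digest(hexdigest):
    """Return the algorithm name if hexdigest is the digest of empty input, else None."""
    h = hexdigest.strip().lower()
    alg = DIGEST_LENGTH_TO_ALG.get(len(h))
    if alg and EMPTY_DIGESTS[alg] == h:
        return alg
    return None


def audit_manifest(lines):
    """Parse 'hexdigest  filename' lines (the md5sum/sha1sum output format) and
    return (filename, algorithm) for every entry whose digest is that of empty input.
    Comment lines and malformed lines are skipped; a leading '*' (binary-mode
    marker) is stripped from the filename."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        alg = is_empty_input_digest(digest)
        if alg:
            findings.append((name.lstrip("*"), alg))
    return findings


# Constructed sample manifest (not a real release); the second digest is a
# non-empty MD5 and must not be flagged
SAMPLE_MANIFEST = [
    "# constructed sample, not a real release manifest",
    "d41d8cd98f00b204e9800998ecf8427e  installer-1.2.tar.gz",
    "9e107d9d372bb6826bd81d3542a419d6  README.txt",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709 *patch-notes.pdf",
]

if __name__ == "__main__":
    for name, alg in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {alg} digest of empty input, artifact is probably zero bytes")
```

In a download pipeline the sensible policy is to fail closed on these entries: refuse the artifact even though its hash "matches", because an empty file matching is exactly the failure the checksum was meant to catch.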

This is not the wireless access point you're looking for.
Photo – Matt L. of Australia

 
 

 
 
Tuesday, April 17, 2007

 
Question of the day Posted by Mikko @ 19:10 GMT

Question of the day: How come you get over 160,000 hits when you search Google for "d41d8cd98f00b204e9800998ecf8427e"?

164000

Pretty much the same thing for "da39a3ee5e6b4b0d3255bfef95601890afd80709".

Answers on a self-addressed envelope to Weblog at F-Secure.com

Update: 18 April @ 9:57 GMT
Thanks to everyone who has already sent in an answer to our question of the day; the response was overwhelming. We have enough…

 
 

 
 
Monday, April 16, 2007

 
Another Skype Worm Posted by Francis @ 03:16 GMT

Yup! There is another Skype worm on the loose and our detection for it is IM-Worm:W32/Pykse.A. It spreads by sending a message with a malware link to all online friends in Skype's contact list using the Skype API.

The message is randomly chosen from the following list:

Skype message

Before sending the message, it will set the infected Skype user's status to DND (Do Not Disturb). As a side effect, it will not actively notify the user of calls or messages as shown in the warning message below:

Skype away

Once the link is clicked, it will redirect and download the malware file:

Skype download

Once you have downloaded and executed the file from the link, it will show you a picture of a lightly dressed woman, to avoid suspicion:

Skype girl

So what's the motive behind this worm?

It seems that it is promoting the following websites:

   http://aras.lookingat.us/index.htm
   http://asilas.my-php.net/index.html
   http://bobodada.3-hosting.net/index.html
   http://bobos45.bebto.com/index.html
   http://gogo442.hatesit.com/index.html
   http://jackdaniels.110mb.com/index.html
   http://timboss.1majorhost.com/index.html
   http://zozole.php0h.com/index.html

These websites all look the same. Here's a sample screenshot:

Skype link

The following site is also visited:

   http://aras.allfreehost.net/cal[REMOVED]nt.php

This is most probably a counter to find out how many users are infected. It could also be a way for the malware writer to quantify his profit. Who knows; malware nowadays is mostly financially driven and motivated.

Signing off Skype,
Francis

 
 

 
 
Friday, April 13, 2007

 
Video - Rock Phish Posted by Sean @ 13:42 GMT

We have another phishing related demo for you today. This time it's a Rock Phish Kit in action. Rock Phish allows nontechnical individuals to create and carry out phishing attacks.

Rock Phish Demo

Demo (XviD – 8201k)
Demo (SWF – 2821k)
The video is also available via our YouTube Channel.

 
 

 
 
Zhelatin, Zipped, Zecurity? Posted by Ian @ 02:19 GMT

Earlier today, several e-mails with love-themed subjects were seen in the wild. While some of the subjects are a rehash of previously used subjects such as Sending You My Love, The Dance of Love, and When I'm With You, others are new:

   A Dream is a Wish
   A Is For Attitude
   Eternal Love
   Eternity of Your Love
   Falling In Love with You
   Hugging My Pillow
   Inside My Heart
   Kisses Through E-mail
   Our Journey
   Sent with Love
   When Love Comes Knocking
   You're In My Thoughts
   You're the One

Zhelatin.CT

The e-mail messages themselves have no text; instead, they have attached executables with romantic-sounding filenames. These include:

   Love Card.exe
   Love Postcard.exe
   Greeting Card.exe
   Postcard.exe

All files are detected as Email-Worm.Win32.Zhelatin.ct.

A second run occurred after a few hours. This time, the subjects were security related.

Subjects include:

   ATTN!
   Spyware Alert!
   Virus Alert!
   Worm Alert!
   Worm Detected!

Furthermore, the message body is an image file which advises the receiver to patch their systems. Also included within the image is a password in order to extract the attachment.

Zhelatin.CT

Something new to the Zhelatin family is the use of a password protected Zip archive as an attachment. The filenames vary but they have the following format:

   patch-[4 to 5 random numerical characters].zip
   hotfix-[4 to 5 random numerical characters].zip

The executable contained within the Zip archive has the same name as that of the archive but with an EXE extension.

Executables are also detected as Email-Worm.Win32.Zhelatin.ct while the Zip archives are detected as
Password-protected-EXE. Latest detections are included in update 2007-04-13_01.
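A mail gateway cannot scan the executable inside a password-protected archive, so the useful defensive check is on the container itself: does the attachment name follow the patch-NNNN.zip / hotfix-NNNN.zip pattern described above, is the archive flagged as encrypted, and does the single member carry the same stem with an .exe extension? The following added example (my own code, not F-Secure's detection logic) parses the ZIP local file headers directly with struct, so it works on the raw attachment bytes without needing the password. The sample archive is constructed in memory; its encryption flag (general-purpose bit 0) is set by hand to mimic a password-protected archive, since the standard library cannot write encrypted ZIPs. The names assess_attachment, suspicious and build_sample are my own.

```python
import io
import re
import struct
import zipfile

# Attachment naming pattern from the post: patch-NNNN(N).zip or hotfix-NNNN(N).zip
ATTACHMENT_RE = re.compile(r"^(patch|hotfix)-(\d{4,5})\.zip$", re.IGNORECASE)

LOCAL_HEADER_SIG = b"PK\x03\x04"
# sig, version, flags, method, mtime, mdate, crc32, compressed size, uncompressed size,
# filename length, extra length
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008


def iter_local_headers(data):
    """Walk the local file headers and yield (name, flags, compressed_size).
    Assumes sizes are recorded in the header (no data descriptor); stops at the
    first signature that is not a local header, i.e. the central directory."""
    pos = 0
    while pos + LOCAL_HEADER_LEN <= len(data):
        fields = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        if fields[0] != LOCAL_HEADER_SIG:
            break
        flags, csize, fnlen, extralen = fields[2], fields[7], fields[9], fields[10]
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + fnlen].decode("utf-8", "replace")
        yield name, flags, csize
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # sizes live after the data; we cannot reliably skip ahead
        pos = name_start + fnlen + extralen + csize


def assess_attachment(filename, data):
    """Collect the three signals described in the post for one attachment."""
    name_ok = ATTACHMENT_RE.match(filename) is not None
    members = list(iter_local_headers(data))
    expected_exe = (filename[:-4] + ".exe").lower() if name_ok else None
    return {
        "name_matches": name_ok,
        "encrypted": any(flags & FLAG_ENCRYPTED for _, flags, _ in members),
        "members": [name for name, _, _ in members],
        "member_matches_stem": expected_exe is not None
        and any(name.lower() == expected_exe for name, _, _ in members),
    }


def suspicious(filename, data):
    """True when all three signals line up: patterned name, encrypted archive, stem.exe inside."""
    a = assess_attachment(filename, data)
    return a["name_matches"] and a["encrypted"] and a["member_matches_stem"]


def build_sample(archive_name, member_name, encrypted):
    """Constructed fixture: a tiny ZIP containing one member. When 'encrypted' is set,
    bit 0 of the general-purpose flags in the first local header is switched on, the
    way a password-protected archive carries it (the payload itself is not encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"MZ placeholder bytes, constructed fixture, not a program")
    data = bytearray(buf.getvalue())
    if encrypted:
        flags = struct.unpack_from("<H", data, 6)[0] | FLAG_ENCRYPTED
        struct.pack_into("<H", data, 6, flags)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample("patch-4821.zip", "patch-4821.exe", encrypted=True)
    print(assess_attachment("patch-4821.zip", sample), suspicious("patch-4821.zip", sample))
```

Reading the local headers rather than the central directory is deliberate: a gateway often sees the attachment as a stream, and the local header of the first member is available immediately, before the central directory at the end of the file.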

 
 

 
 
Wednesday, April 11, 2007

 
Weblog Q&A Posted by Sean @ 17:11 GMT

First Question:
Do You have a virus lab in the USA or Canada?

We do have lab facilities in San Jose, California if needed. Currently our shifts are handled in Malaysia and Finland.


Second Question:
Does the weblog team just cover those who analyze malware or does it cover those involved in researching and developing new products, and those involved in producing the software? … Is it true that you have to be a heavy rock musician or heavy rock fan to work in the labs?!

The weblog team members work in the Response and Research Labs – our product software is developed and designed by other teams within F-Secure. The internal components of some of those products may be the results of research. So some things are born here, but then they are in the hands of other teams.

Do you have to be a Heavy Rock fan? No. But it certainly doesn't hurt.


Third Question:
There have been multiple questions regarding our RSS and we want to update the feed, but before we do, we'd like to poll you on what software you use:

FS0411Poll

Our March 1st Poll is still open for any that would like to submit questions. We still have some from March left to answer, but welcome more in the meantime.

 
 

 
 
Tuesday, April 10, 2007

 
April's Security Update Posted by Francis @ 19:01 GMT

Microsoft's Updates for April are now available.

April Updates

Included are five critical updates for vulnerabilities in Universal Plug and Play, Windows CSRSS, Microsoft Content Management Server, and Microsoft Agent that could allow remote code execution. This month's security update also includes the earlier patch (MS07-017) for the ANI vulnerability. Please make sure to patch your systems to avoid attacks that exploit these vulnerabilities.

 
 

 
 
Sunday, April 8, 2007

 
Fear of war exploited in an email scam Posted by Jusu @ 21:31 GMT

A large amount of malicious e-mail has been sent with subjects suggesting a missile strike on civilian targets in Iran:

   "USA Just Have Started World War III"
   "Missle Strike: The USA kills more then 20000 Iranian citizens"
   "Israel Just Have Started World War III"
   "USA Missile Strike: Iran War just have started"

A malicious executable named "video.exe", "movie.exe", et cetera is attached.

The files are detected at the moment with update 2007-04-08_02 as:
Email-Worm.Win32.Zhelatin.cq.

 
 

 
 
Thursday, April 5, 2007

 
iPod virus Posted by Mikko @ 20:27 GMT

We got a sample submission earlier today… a file called Oslo.zip.

The person who submitted it is actually a celebrity: you all know him:

Oslo

What Oslo.zip contained was a virus for Apple's iPod.

However, this virus is able to replicate only on iPods that are running the iPod Linux operating system. It does not work on normal iPods that are running the default iPod operating system.

iPod Linux is a uClinux-based software distribution targeted specifically to run on Apple iPods. It enables the iPod to run a variety of third-party software, such as games.

So it's a proof-of-concept virus for a rare operating system, and it's not going to become a real-world problem. However, it does show that the computer underground is actively studying new platforms such as portable devices.

And it really is theoretical. After we got the sample, we installed iPod Linux on some iPods we had at hand, but we couldn't get the malware to operate correctly no matter what we tried. However, our friends at Kaspersky did get it working. Pictures and more information available on their blog.

P.S. Also see this.

 
 

 
 
Greetings from HITBSecConf Dublin Dubai Posted by Mikko @ 10:43 GMT

We used to have to worry about the criminals that were close to us

Mikko here. Excellent conference going on in Dubai. The organizers have managed to collect an excellent speaker lineup from all over the world (USA, India, Germany, Singapore, South Africa, Malaysia, Finland…).

Rolls

The beginning was a bit unusual: all guests were asked to stand up when the guest of honour, His Excellency Mr. Mohammed Nasser Al Ghanim, arrived to deliver the welcome address. Afterwards Lance Spitzner and I were invited to have a private chat with him. Learned interesting stuff: for example, the United Arab Emirates has just set up its own CERT (aeCERT).

Two independent researchers, Vipin and Nitin Kumar from India, had an interesting demo with a proof-of-concept rootkit that loaded from the boot sector during the boot-up process. Similar to the eEye Bootroot technique… except this one also worked under Windows Vista!

Remember Mark Weber Tobias? We blogged about his research into security locks in October 2004 while we were conducting our own hands-on testing against laptop locks. He was at the conference, demoing bump key attacks against different locks live. Impressive. Don't lend your keys to this guy.

Tareq Saade from Microsoft made an interesting note regarding the malware situation in Middle East. As many countries are centrally filtering questionable content (offending sites, porn, et cetera) for all citizens, this has actually helped the malware situation somewhat. Access to some spyware web sites is blocked, preventing tons of infections that would otherwise happen. It would actually be a good idea to use this functionality to filter dangerous sites (exploits, phishing, et cetera) more aggressively.

Signing off,
Mikko

P.S. Thanks to biatch0 for the conference photo. I took the Rolls photo from a local parking lot.

 
 

 
 
Tuesday, April 3, 2007

 
ANI Patch now Released! Posted by Elda @ 19:19 GMT

Microsoft's Patch for the ANI vulnerability is now out.

MS ANI Patch

As discussed in our previous post, this update was released earlier than the usual second-Tuesday monthly security release because of the alarming increase in malware and sites exploiting the ANI vulnerability. Please make sure you install this security update right now!

Update: When you install the patch and have a computer with a Realtek Audio card you might get an error message reading "Rthdcpl.exe - Illegal System DLL Relocation". Microsoft has released a hotfix for this so if you have this problem, you can download the fix here.

 
 

 
 
Warezov Returns Posted by Ian @ 06:37 GMT

Hot on the heels of the new ANI exploit is a new Warezov sample.

No variations were seen from the e-mail samples received and they all look like this:

Warezov.MG

The attachment is a ZIP file that contains an executable file. The filename is in the form of Update-KB[random numbers]-x86.exe and is detected as Trojan-Downloader:W32/Warezov.KG.

It downloads a file from the following link:
http://buheradesunme.com/[removed].exe

This new file is the worm component and is detected as Email-Worm:W32/Warezov.MG.

Detections have been included since update 2007-04-03_02.

 
 

 
 
Monday, April 2, 2007

 
Microsoft to release update for ANI vulnerability on Tuesday Posted by Patrik @ 04:13 GMT

Microsoft has announced that it will release an update for the ANI vulnerability on Tuesday the 3rd of April. This is a week early, as they usually release security patches on the second Tuesday of the month, but as there is increasing activity by sites and malware using the ANI vulnerability, they decided to release it early.

MS ANI Update


You might wonder how they were able to get the update out so quickly considering it was first used in exploits late last week. The ANI vulnerability was actually brought to Microsoft's attention back in December 2006 according to their Security Response Blog, and they've been investigating and working on a fix since then.

Until Microsoft has released the update, you can count on us to continue adding detection for known versions of the ANI exploit and worms.
 
 

 
 
Sunday, April 1, 2007

 
ANI worm Posted by Mikko @ 08:40 GMT

ANI Code

Chinese Internet Security Response Team is reporting on a new worm using the ANI exploit to spread.

This is real and we've confirmed it: however, we've only received six customer reports so far.

We detect the main worm file as Trojan-Downloader.Win32.Agent.bkp and the files downloaded by the worm mostly as different variants of Trojan-PSW.Win32.OnLineGames.

The worm tries to locate all HTML files on the system and modifies them to insert a script that loads an ANI file from macr.microfsot.com. When such modified pages are viewed, or uploaded to a web server, they spread the infection further.

In addition to spreading via the ANI exploit, it also tries to spread via USB stick and other removable media.

An easy way to confirm an infection is the existence of tool.exe and autorun.inf in the root of every drive, or sysload3.exe dropped to the SYSTEM32 folder. Sysadmins can monitor their outgoing e-mail to spot this. Mails sent to addresses like 578392461@qq.com, 47823@qq.com, or 3876195@qq.com would indicate an infection.
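The two host and mail indicators above translate directly into a check a sysadmin can script. The following added example (my own code, not F-Secure's description or tooling) flags a drive root only when both tool.exe and autorun.inf are present, since the worm drops them together and autorun.inf alone is common on legitimate media, checks SYSTEM32 for sysload3.exe, and scans mail relay log lines for the three recipient addresses named in the post. The file-existence check is injectable so the logic can be exercised without touching a real disk; the log lines are constructed, not real relay output.

```python
import os
import re

# Indicators taken from the post: files the worm drops and addresses it mails to
DRIVE_ROOT_FILES = ("tool.exe", "autorun.inf")
SYSTEM32_FILE = "sysload3.exe"
MAIL_INDICATORS = {"578392461@qq.com", "47823@qq.com", "3876195@qq.com"}

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _join(root, name):
    """Windows-style path join kept independent of the host OS, so the check can be
    unit-tested on any platform."""
    return root.rstrip("\\/") + "\\" + name


def check_host(drive_roots, system32_dir, exists=os.path.exists):
    """Return the indicator paths present on this host.
    A drive root counts only when both dropped files are present; 'exists' is
    injectable (defaults to os.path.exists) so the logic can run against a fake."""
    hits = []
    for root in drive_roots:
        paths = [_join(root, name) for name in DRIVE_ROOT_FILES]
        if all(exists(p) for p in paths):
            hits.extend(paths)
    sysload = _join(system32_dir, SYSTEM32_FILE)
    if exists(sysload):
        hits.append(sysload)
    return hits


def scan_mail_log(lines):
    """Return (line_number, address) for every recipient matching an indicator address."""
    findings = []
    for n, line in enumerate(lines, 1):
        for addr in ADDR_RE.findall(line):
            if addr.lower() in MAIL_INDICATORS:
                findings.append((n, addr.lower()))
    return findings


# Constructed sample relay log lines (not real logs)
SAMPLE_LOG = [
    "2007-04-01 08:41:02 relay: from=<user@corp.example> to=<47823@qq.com> status=sent",
    "2007-04-01 08:41:03 relay: from=<user@corp.example> to=<colleague@corp.example> status=sent",
    "2007-04-01 08:41:05 relay: from=<ws12@corp.example> to=<3876195@qq.com> status=deferred",
]

if __name__ == "__main__":
    # On a real Windows host: enumerate drive letters and the actual SYSTEM32 path
    roots = [f"{letter}:\\" for letter in "CDEFGH" if os.path.exists(f"{letter}:\\")]
    print(check_host(roots, os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")))
    print(scan_mail_log(SAMPLE_LOG))
```

Requiring both dropped files per drive root keeps the host check quiet on ordinary USB sticks that legitimately carry an autorun.inf, while the mail check is cheap enough to run over an entire day's relay log and points you at the infected sending workstation.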

For more information, see our description.

 
 

 
 
Virus:Wii/Fun.A Posted by Sean @ 06:05 GMT

Helsinki Lab Infected via Nintendo Wii

December 8th, 2006 was the Nintendo Wii's European launch date. Three Helsinki Lab members were infected that day and two more soon followed. Kamil's Wii was immediately tested in the lab, and frankly, productivity just might have taken a hit. Wii is very infectious. Good thing it was a Friday.

Today there are now at least eight people working in or directly adjacent to the Helsinki Lab that have become infected by Wii. No telling just how many infections exist within the entire building. There's even a dedicated Wii in the Response Lab itself…

Here's some video evidence of what this thing does to people.

Careful review of the Wii's log files reveals that there are now several Tennis "Pros" and that the Wii is powered up several times a week following the Helsinki shift. It seems that we're firmly in its grip. But at least we're able to contain it to the end of the day.

Helsinki Lab's Wii

So we might as well make the best of it! If you're a game developer and want some beta testers – contact us via the Weblog's e-mail address. Tennis. We want more Tennis especially. And we're quite willing to assist accessory makers as well. Cheers!