Saturday, May 15, 2004

AIM Virus Removal

AIM virus removal instructions - how to remove viruses infecting your AIM (AOL Instant Messenger) Profile.

AIM Profile Virus

There are several types of AIM viruses spreading through AOL Instant Messenger Profiles. They usually display a website link with a message encouraging the reader to click on it.

If you have an AIM virus, you may see messages in your profile like:

"Whoa....look what I found, click here".
"I can't believe I found 'yourScreenName' Picture here".
"check this out: http://www.wgutv.com/osama_capture.php?JVFD"
"Check this cam im gettin from bestbuy piC"

If you click on a link that points to one of these sites, your AIM client is forced to install an unwanted browser plugin. Once the plugin is installed, your AIM profile is overwritten with a link to the website and a message to click on it, and your browser’s home page is reset.

Download all our best tips in a free 5-page report:

Click here to download as a Zip file Online Security (62kb)

Click here to download as a PDF file Online Security PDF (66kb)

What these AIM viruses actually do

These viruses do some nasty stuff. Not all of these may apply to every computer infected, but generally they will do the following:

Download spyware and porn to your computer.
Change email already received to ads.
Turn your computer into a spam mail relay.
Download and install other viruses.
Damage networking components in your operating system.
Auto-update, and reinstall the removed portions of itself.
Constantly reset a browser’s homepage.
Constantly overwrite your IM profile with a link to the virus site.
Increase the frequency of pop-up ads.

Preventative Measures
The best way to prevent your computer from being infected by one of these viruses is simple. Do not click on website links in AOL user profiles or visit unknown websites.

Antivirus software usually won't prevent your computer from being infected by these types of viruses.

The only preventative measure that works is IM Secure by Zone Labs. It's a firewall for your IM client by the #1 personal firewall company. Click the link if you want to try it free for 30 days.

To avoid AIM virus infection, don't click on website links in instant messages, even those from your friends and family, or you may end up infected with an AIM virus.

Be wary. Send back a quick IM saying "tell me more". If it's a virus that went to their entire buddy list, you'll be giving them a heads up.

AIM Profile Virus Removal
Manual Removal Instructions:
Press the CTRL, ALT, and DEL keys at the same time to bring up the task manager.


Click on the processes tab (windows 2000/XP), and find 'b.exe', 'bbb.exe' or 'av.exe' and kill the process.


Go to C:Windows and delete 'b.exe' and 'bbb.exe' or 'av.exe' (or do a search for the virus: click Start > Search > look up each virus individually) Delete these files when you find them.


Click Start, then click on Run, type in "Msconfig" in the box and press ENTER.. When the box comes up, click on the "startup" tab and look for "b.exe", "bbb.exe" or "av.exe" listed (possibly listed under"antivirus") then uncheck the box to the left. (Windows 98/XP only)


Clear your profile (or make a new one) and restart.


When the msconfig box comes up after restart just check the box telling it not to come up again.


AIM Virus Removal - Automated

How to automatically remove an AOL Profile Virus

Run the RSA AOL Profile Fix Tool.

Open & run the fix tool.
Choose to open the file, NOT save.

If you are running Windows 95/98/ME, you need to be in Safe Mode.
Save the above file to a disk and run it from safe mode.


Edit Your AIM Profile
Change your profile back to what you want. Make sure you delete the link from your AIM profile or your friends will get infected!


Fix other AOL IM viruses
A bright young college student at Elon University by the name of Jay Loden is doing a great job of providing free tools to fix all the different IM viruses that keep popping up.

Besides the AIM profile virus, there are always variations:

AIM Osama virus
AIM Saddam virus
AIM Best Buy virus
AIM b1Ld0 virus
AIM virus of the week...

You can access Jay Loden's AIM virus fix information here: AIM Virus

Jay's AIM virus remover is here: AIM Virus Remover


Prevent AOL IM virus from returning

Install, Update, and Run SpyBot

Spybot Search & Destroy is a free software program that detects and removes spyware, adware, and malware from your PC.

Spybot is considered the defacto standard in protecting yourself from garbage being dumped onto your computer by hoaxes, scammers, and hackers.

You can read our full review here: Spybot

You can download it here: Spybot download

Once you've installed Spybot, be sure to update it, and then run it.

After you've cleaned all the garbage off your PC, then click the "Immunize" button to protect yourself from similar nonsense in the future.

Add more protection to your computer
Besides running spybot, you should follow our advice and put in place a multi-layered defense consisting of:

Spam filter
Antivirus software
Spyware blocker
Personal firewall

Each of these pages has tons of info on free tools to protect your computer.

If you don't have time to read those pages now, then download our free ebook. It's got all the best tips in a safe PDF format. All the free tools are hotlinked in the various sections.

Take care and save yourself some grief by being safe online. The world doesn't need any more AIM virus infections!








Friday, May 14, 2004

Sasser.F Makes its Appearance

- Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 14, 2004 - This week's report on viruses and intrusions will
deal with five worms -Sasser.F, Cycle.A, Bagle.AC, Sober.G and Wallon.A-,
and Qhost.gen.

Sasser.F spreads via the Internet by exploiting the LSASS vulnerability. In
the computers it infects, this worm causes a buffer overflow in the
LSASS.EXE program, restarts the computer and displays a message on screen.
Like previous variants of Sasser, variant F spreads automatically across
Windows XP/2000 computers. It also works in the rest of the Windows
operating systems, if the file carrying this worm is run by a malicious
user.

Like the malicious code mentioned above, Cycle.A also spreads via the
Internet by exploiting the LSASS vulnerability and causes affected computers
to restart. It also ends the processes of the Blaster, Sasser.A, Sasser.B,
Sasser.C and Sasser.D worms and launches Denial of Service attacks (DoS)
against several websites when the system date is any other than May 1 to 18,
inclusive.

The third worm in today's report is Bagle.AC, which ends the processes of
several IT security applications, such as antivirus and firewall programs,
and of several worms. It also tries to connect, through port 14441, to
various websites that house a PHP script in order to notify the virus author
that the computer has been infected.

Sober.G is a worm that spreads via e-mail. This message can be written in
English or German, depending on the domain in the user's e-mail address. It
looks for e-mail addresses in files with certain extensions on the affected
computer, and sends itself out to the addresses it finds using its own SMTP
engine.

The fifth worm is Wallon.A, which installs itself on computers by exploiting
the Exploit/MIE.CHM vulnerability. To do this, it uses the following
propagation routine: the user receives an e-mail containing a link to a
certain website, if the user accesses the web page, Wallon.A will be
downloaded to the computer.

Wallon.A collects all of the addresses in the Windows Address Book and sends
them to an e-mail address. This worm also changes the home page of Internet
Explorer and if the Windows Address Book does not contain any addresses, it
displays an error message on screen.

We are going to finish this week's report with Qhost.gen, a generic
detection routine for HOSTS files modified by several malware, including
variants of the Gaobot worm. This file contains a series of lines that are
the first lines used by Windows to translate names to IP addresses (before
other services like WINS or DNS).

The HOSTS files are modified by this malware so that a list of web address
is associated to the IP address 127.0.0.1, making the addresses included in
this list inaccessible. These web pages are usually those of security
software manufacturers, such as anti-malware solutions. For this reason,
users of computers affected by Qhost.gen will not be able to access these
pages and obtain information, update their solution, etc.

For further information about these and other computer threats, visit Panda
Software's Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

Thursday, May 13, 2004

Sasser.F Appears after Sasser Creator Arrested

- Other hackers pick up where the Sasser author
left off: variant F appears -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 11 2004 - PandaLabs has detected the appearance of the new
Sasser.F worm. This variant is very similar to the original worm, as it only
includes a few small differences, such as the format in which it is packed.

The date that Sasser.F was created appears as April 30, the same day the
first Sasser worm emerged. "It seems that an inexperienced hacker has
created Sasser.F by slightly modifying the code of the original worm.
Another possibility is that the author of Sasser did not work alone, and
that another person is releasing these previously created variants. However,
studying the evolution of Sasser, the fact that variant F does not include
any new features confirms that it is the work of a different person," says
Luis Corrons, head of PandaLabs.

It is highly probable that new variants of Sasser and Cycle, or new viruses
that exploit the LSASS vulnerability will appear. "In order to avoid falling
victim to these viruses, the first thing users must do is install the
patches released by Microsoft to fix the LSASS vulnerability. Given that a
large number of viruses that exploit this flaw are in circulation -and that
more could appear - computers are extremely vulnerable to infection,"
explains Corrons.

In order to avoid falling victim to Sasser.F or any of its variants, Panda
Software advises users to take precautions, keep their antivirus software
updated and to apply the Microsoft patch, -which can be downloaded from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx- as
computer will continue to be infected by this virus until the vulnerability
has been fixed. Panda Software has made the updates necessary to detect and
disinfect this new worm available to clients.

More information about these and other IT threats is available from:
http://www.pandasoftware.com/virus_info/encyclopedia/

Panda Software's online support center also offers help to users at:
http://www.pandasoftware.com/support/

Panda Software clients can update their antivirus through the applications
installed on their computers.

Users can also scan and disinfect their computers using Panda ActiveScan,
the free, online scanner available from: http://www.pandasoftware.com.

Tuesday, May 11, 2004

Hey everyone,

Didn't take long - New Sasser copycat virus debuts:

- Sasser creator copycats:
a new worm has been discovered, Cycle.A -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 10 2004 - The arrest of the alleged creator of the Sasser worms
has not been accompanied by a lull in the momentum of computer viruses.
PandaLabs has detected the appearance of a new worm, Cycle.A
(W32/Cycle.A.worm) which -like Sasser and its variants- exploits the LSASS
vulnerability affecting some Windows versions in order to infect computers
through the Internet.

The scenario has changed, however, as indicated by the text found inside the
virus code. In this text, the virus creator -alias Cyclone- claims to be
Iranian and refers to the social and political situation in his country. The
entire content of this message can be read in Panda Software's Virus
Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/.

Cycle.A tries to enter computers through communications port TCP45 in order
to check if the system is vulnerable. If it is, the worm causes the affected
computer to download a copy of itself called CYCLONE.EXE. However, this will
only take place if the application TFTP.EXE is installed on the system.

Additionally, and regardless of whether the worm has managed to copy itself
to the targeted computer, the attempt by the virus to enter the system
causes a failure in the application LSASS.EXE which makes the computer
restart every 60 seconds.

According to Luis Corrons, head of PandaLabs, "It was to be expected that
sooner or later some other unscrupulous individual created a new virus that
exploited the LSASS vulnerability. The real problem lies in the fact that
the necessary code to exploit this security hole is in possession of many
people who can incorporate it into their creations. Therefore, it is very
likely that new variants of Sasser and Cycle, as well as other malicious
codes that can act like them, will appear in the future."

Meanwhile, the members of the Sasser worm family -which was joined yesterday
by Sasser.E- continue to cause incidents on computers worldwide. In fact,
Sasser.B continues to be one of the viruses most frequently detected by
Panda ActiveScan, Panda Software's free online scanner.

In order to prevent your computer from falling victim to Cycle.A, Sasser and
its variants, or any other worm that exploits the LSASS vulnerability, it is
necessary to install the Microsoft patch available from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx. Panda
Software also advises users to tighten security measures, ensure that they
have a fully updated antivirus installed and keep themselves informed of any
new viruses that could appear. Panda Software has made the updates necessary
to its products available to clients.

More information about these and other IT threats is available in Panda
Software's Virus Encyclopedia, at
http://www.pandasoftware.com/virus_info/encyclopedia/

Panda Software's online support center
(http://www.pandasoftware.com/support/) also offers help to users.

In addition, the users can scan their computers on line for free with the
ActiveScan solution, available in the company web page
http://www.pandasoftware.com.


Ciao...

Monday, May 10, 2004

Hi there!

Sasser virus creator got busted - New vesrion Sasser.E released

Details:

- A new variant of the Sasser virus spreads
rapidly throughout the world -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 09 2004 - PandaLabs has detected the appearance of Sasser.E, a
new variant of the Sasser worm virus which, according to data gathered by
Panda Software international technical support network, it's affecting
computers all over the world.

The appearance of the Sasser.E worm comes just after the announcement of the
arrest of the presumed creator of the virus. According to Luis Corrons,
Head of PandaLabs, "This fact confirms our fears that he is not the only
person programming the Sasser and Netsky worms, but rather it is an
organized group of delinquents. This seems to indicate that there is a kind
of cyber war being waged among the creators of the Bagle, Mydoom, Netsky and
Sasser worms, and it will continue to cause many more variants of the
virus."

The intention of these "underground" groups is still unknown. "However",
adds Luis Corrons, "It's possible that they are trying to attract attention
about viral codes while at the same time carry out other types of acts that
will translate into personal economic gains, such as stealing bank data in
order to commit fraud. The psychological profile could mean that they are
looking for fame, but the risks they are taking clearly outweigh the fame
they could attain since these acts undoubtedly lead to prison terms. But it
is unquestionably the conduct of a competent megalomaniac."

Sasser.E is just the latest in a string of variants A, B, C, D which the
epidemic has caused in just a few days. Just like the others, Sasser.E
exploits a security gap of Microsoft Windows known as LSASS, published in
the bulletin MSO4-011.

Sasser.E searches the Internet for vulnerable computers to attack. Once that
is done, it creates a copy of itself to the Windows directory under the file
name LSASSS.EXE. The results leads to a systems error which forces the
infected computer to reboot every 60 seconds.
In addition, and in contrast to its predecessors, Sasser.E has been
programmed to erase from the system variants of the Bagle worm.

Due to the fast-spreading nature of the variants, companies and businesses
should take preventive steps before the renewal of the workweek on Monday
morning.

In order to prevent to system from becoming a victim of Sasser.E or any of
its variants, it is necessary to install the patch which Microsoft offers to
correct the security flaw LSASS, and which can be downloaded from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx, update
your antivirus protection and sep abreast of any new variants. Panda
Software has made the updates necessary to its products available to
clients.

Panda Software's online support center
(http://www.pandasoftware.com/support/) also offers help to users.

Panda Software clients can update their antivirus through the applications
installed on their computers.

In addition, the users can scan their computers on line for free with the
ActiveScan solution, available in the company web page
http://www.pandasoftware.com

More information about these and other IT threats is available from
http://www.pandasoftware.com/virus_info/encyclopedia/


Ciao...

Sunday, May 09, 2004

Howdy,

More details on how the Sasser.D worm spreads:

If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present.

Note: Infected systems should install the Microsoft update to be protected from the exploit used by this worm. See:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx


This variant of W32/Sasser.worm functions in a similar fashion as the original variant, with the following exceptions.

This variant spreads with the filename SKYNETAVE.EXE (16,384 bytes)
It sends ICMP echo packets to discover potential victims
It creates a remote shell on TCP Port 9995 rather than 9996
This self-executing worm spread by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)]

Unlike many recent worms, this virus does not spread via email. No user intervention is required to become infected or propagate the virus further. The worm works by instructing vulnerable systems to download and execute the viral code.

Note: Infected systems should install the Microsoft update to be protected from the exploit used by this worm. See:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx


Indications of Infection

The virus copies itself to the Windows directory as SKYNETAVE.EXE and creates a registry run key to load itself at startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsCurrentVersion\Run "skynetave.exe" = %WinDir%\skynetave.exe
As the worm scans random IP addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9995.

A file named win2.log is created on the root of the C: drive. This file contains an IP address together with the number of machines infected.

Copies of the worm are created in the Windows System directory as #_up.exe. (Where '#' represents a string 4 or 5 digits.)

Examples

c:\WINDOWS\system32\26347_up.exe
c:\WINDOWS\system32\5157_up.exe
A side-effect of the worm is for LSASS.EXE to crash, by default such a system will reboot after the crash occurs.


Method of Infection

This worm spreads by exploiting a recent Microsoft vulnerability, spreading from machine to machine with no user intervention required.

The propagation mechanism is akin to that for previous variants:

the worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system, by overflowing a buffer in LSASS.EXE.

It creates a remote shell on TCP port 9995.

Next it creates an FTP script named cmd.ftp on the remote host and executes it. The specified DATs contain detection for this FTP script as W32/Sasser.worm!ftp . Via the FTP script, the FTP.EXE application is used to retrieve the worm from the infected machine (port 5554) to the remote host. The worm is then executed.

Ththe FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as mentioned above) from the infected host.

The infected host accepts this FTP traffic on TCP port 5554.

The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The worm scans public ranges like 10.0.0.0 and 192.168.0.0 only if they are part of the local subnet. The destination port is TCP 445.



Removal Instructions


Infected systems should install the Microsoft update to be protected from the exploit used by this worm. See:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Additional Windows ME/XP removal considerations

McAfee Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the file SKYNETAVE.EXE from your WINDOWS directory (typically c:\windows or c:\winnt)
Edit the registry
Delete the "SKYNETAVE.EXE" value from
HKEY_LOCAL_MACHINE\SOFTWARE\MicrosoftWindows\CurrentVersion\Run
Reboot the system into Default Mode


Aliases

W32.Sasser.D (Symantec), W32/Sasser-D (Sophos), W32/Sasser.D (F-Prot), WORM_SASSER.D (Trend)


Ciao...