Friday, July 02, 2004

New Spyware Resource at NetSense.info - Spyware Help

Quick update - I've added a new spyware removal resource to the Net Sense website.

There are 20 pages of tips on how to remove spyware and downloads of spyware remover tools.

Check it out if you need spyware removal help:

Spyware Removal

Hope this helps!

Thursday, July 01, 2004

Webber.P virus infects from compromised servers - Severe Damage

The Webber virus is hitting and is expected to hit hard. This IS the time to promote Panda Antivirus solutions.

What follows is a summary on this virus.

--------------------------------------------------------
Webber.P
Threat Level: Moderate
Distribution: Low
Damage: Severe
--------------------------------------------------------
The Threat Level varies according to the Distribution and Damage levels


Common name: Webber.P
Technical name: Bck/Webber.P
Alias: Berbew.F, Backdoor.Padodor.gen, Backdoor.Berbew
Type: Backdoor

Effects:
It makes requests to different web sites located in Russia without the user noticing, and logs confidential information on the affected computer in a file.


Affected platforms: Windows XP/2000/NT
First appeared on: June 25, 2004
In circulation? Yes


Brief Description
Webber.P is a backdoor that allows an attacker to gain remote control over the affected computer through TCP port 23232, in order to carry out actions that would compromise users' confidentiality or even impede normal work. In addition, Webber.P opens two TCP ports so that the affected computer acts as a proxy server. This backdoor sends confidential information to different web sites, as well as data stored in the Internet Explorer browser cache. Webber.P also logs confidential information, such as the user name and the name of the affected computer, in a file.

Visible Symptoms
Webber.P is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.
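Although nothing is shown on screen, the listening ports described above are visible to the operating system. The following is an added example, not part of the original advisory: it triages `netstat -an` output for the control port 23232 and for listeners outside an expected baseline. The sample output, the baseline set and ports 4711/4712 are constructed for illustration; the advisory does not number the two proxy ports.

```python
import re

BACKDOOR_PORT = 23232  # control port named in the advisory

# Constructed sample of `netstat -an` output from a Windows host (not real data).
# 4711 and 4712 are made-up stand-ins for the two unnamed proxy ports.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23232          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4711           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4712           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed baseline of listeners expected on this host; adjust per machine.
BASELINE = {135, 139, 445}

# Matches only TCP rows in LISTENING state and captures the local port.
LISTEN_ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def listening_tcp_ports(netstat_text):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        match = LISTEN_ROW.match(line)
        if match:
            ports.add(int(match.group(1)))
    return ports


def triage(netstat_text, baseline=BASELINE):
    """Flag the advisory's control port and any listener not in the baseline."""
    ports = listening_tcp_ports(netstat_text)
    return {
        "backdoor_port_open": BACKDOOR_PORT in ports,
        "unexpected_listeners": sorted(ports - set(baseline) - {BACKDOOR_PORT}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT))
```

A listener on 23232 is a strong lead, not proof; confirm the owning process before acting on it.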

Effects
Webber.P has the following effects:

It allows an attacker to gain remote control over the affected computer through TCP port 23232, in order to carry out actions that would compromise users' confidentiality or even impede normal work. It opens two TCP ports so that the affected computer acts as a proxy server. It sends confidential information to different web sites, as well as data stored in the Internet Explorer browser cache:

Infection strategy
Webber.P creates the following files in the Windows system directory:

Means of transmission
The following steps have been carried out in order to distribute Webber.P:

Through a specific method that our experts are still studying, the configuration of web servers running IIS 5.0 (Internet Information Services) has been modified in such a way that these servers now include a footnote in all the sites they host. That footnote includes a DLL file, which contains malicious JavaScript code. When a user visits any of these web sites, the JavaScript code redirects the browser to a different web site. That web site contains code that exploits a vulnerability in Internet Explorer, which allows files to be downloaded and executed on the affected computers without users noticing. The file downloaded is the one corresponding to Webber.P.
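For administrators of the affected servers, the footnote described above shows up as a difference between a static file in the web root and the body the server actually returns for it. The following is an added example, not code from the advisory or its vendor: it compares the two and reports when one identical suffix is appended to every page, which points to a server-level footer setting rather than edits to individual files. The page paths and the inert footer string are constructed, and the check assumes static pages that the server otherwise returns byte for byte.

```python
import re

SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)


def appended_tail(on_disk, served):
    """Bytes the server added after the file's own content, or None when the
    served body is not simply the file plus a suffix."""
    if served.startswith(on_disk):
        return served[len(on_disk):]
    return None


def audit_footers(pages):
    """pages maps a path to (bytes on disk, bytes served for that path)."""
    tails = {path: appended_tail(d, s) for path, (d, s) in pages.items()}
    changed = sorted(p for p, t in tails.items() if t is None)
    distinct = {t for t in tails.values() if t}      # non-empty suffixes seen
    every_page = all(t for t in tails.values())      # each page got a suffix
    if every_page and len(distinct) == 1:
        footer = next(iter(distinct))
        verdict = ("server-wide footer with script"
                   if SCRIPT_TAG.search(footer) else "server-wide footer")
        return {"verdict": verdict, "footer": footer, "changed": changed}
    if distinct or changed:
        return {"verdict": "per-file differences", "footer": None,
                "changed": changed}
    return {"verdict": "clean", "footer": None, "changed": changed}


# Constructed, inert sample data (not taken from any real server).
FOOTER = b'<script language="JavaScript" src="/placeholder.js"></script>'
PAGES = {
    "/index.htm": (b"<html>home</html>\n", b"<html>home</html>\n" + FOOTER),
    "/about.htm": (b"<html>about</html>\n", b"<html>about</html>\n" + FOOTER),
}

if __name__ == "__main__":
    print(audit_footers(PAGES)["verdict"])
```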

Wednesday, June 30, 2004

Instant-messaging virus costs a man his job

http://news.zdnet.co.uk/0,39020330,39159096,00.htm

Ingrid Marson
ZDNet UK
June 30, 2004, 09:05 BST

A virus can transmit previous IM conversations to a user's buddy list without his or her consent - and with disastrous consequences


Virus attacks are not yet frequent on instant-messaging applications, but the latest threat is likely to send a shiver down the spine of all IM users. A businessman whose computer had been infected by a virus found that his entire buddy list had been sent a record of all his IM conversations, said Derek O'Carroll, managing director of IM software vendor IMLogic on Tuesday.


O'Carroll was speaking at a panel discussion on the war against spam at a security event aligned with the Microsoft TechEd conference in Amsterdam. He said the businessman, a vice president at a US-based company, discovered that IM conversations stored by the application had been sent to colleagues on his buddy list, which included partners at the company.

He was fired because of negative comments he'd made about his colleagues in what he thought were private IM conversations. His computer had been infected with the virus after clicking on a URL received in an IM application, according to O'Carroll.

O'Carroll pointed out that various IM applications can keep a record of conversations although they can be set up so that they do not do this. He advised that companies implement content checking with instant messaging to prevent employees from making defamatory comments and to stop critical information from leaving the company.

The Radicati Group recently predicted that instant-messaging spam, dubbed 'spim', will increase dramatically during the next year. This increase in spim could result in an increased risk of security breaches such as these, because hyperlinks embedded in spim can provide a doorway through which viruses enter a corporate network.