Wednesday, July 07, 2004

New Adware Resource at NetSense.info - Adware Removal Help

Quick update - I've added a new adware removal resource to the Net Sense website.

There are 30 pages of tips on how to remove adware and downloads of adware remover tools.

Check it out if you need adware removal help:

Adware Removal

Hope this helps!

Download.Ject Trojan - Threat Level: Severe

Overview: Zone Labs has identified a new delivery mechanism for a previously-known malicious Trojan Horse, referred to as Download.Ject, which is spreading rapidly across the Internet. The Download.Ject Trojan has been rated "High Risk." Computer users should apply the recommended actions listed below to protect their systems.

This exploit only works against computer systems using Internet Explorer to browse the Internet. Computer users running other web browsers will not be impacted. At this time, Microsoft has not provided an Internet Explorer patch to prevent compromise.

Date Published: June 25, 2004
Date Last Revised: June 25, 2004

Impact: Download.Ject attempts to:

- Install malicious software on computers
- Capture usernames, passwords, and credit card information
- Send the captured information to a server on the Internet

Description: Download.Ject compromises system integrity through a multi-step process:

- A vulnerable IIS web server is compromised and malicious JavaScript code is appended to the web pages. IIS servers vulnerable to MS04-011 are the apparent target.
- Vulnerable Internet Explorer web browsers that view the compromised website will execute the malicious JavaScript code.
- The JavaScript code will install several malicious files on the client system.

Upon execution, the Trojan horse creates the following files:

- [6_character_random_name]32.exe
- [8_character_random_name].exe
- Surf.dat

The Trojan also attempts to connect to the malicious server at:

- 217.107.218.147
Zone Labs Products

Zone Labs Integrity™

The firewall built into Integrity will proactively prevent the infection. "Program Control" will alert the computer user if the malicious application attempts to access the network; Program Events Reports can also be used to audit and identify Trojan horse activity.

Currently, Microsoft has not provided an Internet Explorer patch to prevent compromise.

To verify and assure endpoint protection, Integrity administrators can monitor the Program Events Report for processes named:

- [6_character_random_name]32.exe
- [8_character_random_name].exe
- Surf.dat

Recommended Actions for Zone Labs Integrity: Within Policy Studio | Classic Firewall Rules | Add Rule, add the following rule:

- Source Addresses: Any
- Destination Address: 217.107.218.147
- Destination port: TCP, Src: Any, Dest: Any

This rule will prevent infection of Integrity-protected endpoints and can be implemented to mitigate Trojan horse infection.

Monitor the Integrity Program Events Report for processes named:

- [6_character_random_name]32.exe
- [8_character_random_name].exe
- Surf.dat

Monitor events within the Integrity Firewall Events Report to identify infected hosts making connection attempts to:

- 217.107.218.147

Update antivirus products to provide the most up-to-date protection.

ZoneAlarm®, ZoneAlarm® Pro, ZoneAlarm® Security Suite

Customers using ZoneAlarm Security Suite are protected from this Trojan horse. The antivirus feature will identify the malicious application and prevent it from compromising the system.

The firewall built into all versions of ZoneAlarm will proactively prevent the infection. "Program Control" will alert the computer user if the malicious application attempts to access the network. When prompted, Zone Labs users can select "No" to deny the malicious application access and prevent further compromise by this Trojan horse.

Computer users will receive a "New Program Alert" if this Trojan horse infects their system and attempts to connect to the Internet. When prompted, Zone Labs users can select "No" to deny this application network access.

Recommended Actions:

Monitor Program Control alerts for processes named:

- [6_character_random_name]32.exe
- [8_character_random_name].exe
- Surf.dat

Do not allow processes to connect outbound to:

- 217.107.218.147

Update antivirus products to provide the most up-to-date protection.
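As an added illustration that is not part of the Zone Labs advisory, the Python script below applies the two checks recommended above (for Integrity administrators reading the Program Events and Firewall Events reports, and for ZoneAlarm users watching Program Control alerts) to a simplified log: it flags processes whose names fit the dropped-file patterns and identifies hosts that attempt a connection to 217.107.218.147. The log line format, the assumption that the "random characters" are alphanumeric, the allowlist of legitimate Windows binaries, and the sample lines are all constructed for this example; none of it is Zone Labs' actual report layout.

```python
import re
from dataclasses import dataclass

# Indicators taken from the advisory above.
C2_ADDRESS = "217.107.218.147"

# Dropped-file name patterns: six random characters + "32.exe", eight random
# characters + ".exe", and Surf.dat.
# ASSUMPTION: the random characters are alphanumeric; the advisory does not say.
DROPPED_NAME_PATTERNS = [
    re.compile(r"^[A-Za-z0-9]{6}32\.exe$", re.IGNORECASE),
    re.compile(r"^[A-Za-z0-9]{8}\.exe$", re.IGNORECASE),
    re.compile(r"^surf\.dat$", re.IGNORECASE),
]

# Legitimate Windows binaries whose names happen to fit the eight-character
# pattern. Without an allowlist the name check alone raises false positives.
# (Constructed allowlist; extend it with what is normal in your environment.)
KNOWN_GOOD = {"explorer.exe", "iexplore.exe", "winlogon.exe", "services.exe"}

# Constructed log format (not the real report layout):
# "<date> <time> <host> <PROGRAM|FIREWALL> process=<name> [dest=<ip>:<port>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<kind>PROGRAM|FIREWALL) "
    r"process=(?P<process>\S+)(?: dest=(?P<ip>[\d.]+):(?P<port>\d+))?$"
)

# Constructed sample events; 192.0.2.10 is a documentation address standing in
# for ordinary, benign web traffic.
SAMPLE_LOG = """\
2004-06-25 10:01:02 ws-042 PROGRAM process=C:\\WINDOWS\\explorer.exe
2004-06-25 10:01:07 ws-042 PROGRAM process=C:\\WINDOWS\\system32\\qwerty32.exe
2004-06-25 10:01:09 ws-042 FIREWALL process=qwerty32.exe dest=217.107.218.147:80
2004-06-25 10:02:11 ws-017 FIREWALL process=iexplore.exe dest=192.0.2.10:80
2004-06-25 10:03:15 ws-017 PROGRAM process=C:\\WINDOWS\\system32\\abcdefgh.exe
2004-06-25 10:03:20 ws-017 PROGRAM process=C:\\WINDOWS\\services.exe
"""


@dataclass
class Finding:
    host: str
    process: str
    reason: str


def matches_dropped_name(process: str) -> bool:
    """True if the bare file name fits a dropped-file pattern and is not allowlisted."""
    name = process.rsplit("\\", 1)[-1]  # strip any directory path
    if name.lower() in KNOWN_GOOD:
        return False
    return any(p.match(name) for p in DROPPED_NAME_PATTERNS)


def analyze(lines):
    """Walk the log and return one Finding per suspicious event, in log order.

    A connection attempt to the listed server takes precedence over a name match,
    because the name patterns are weak indicators on their own.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in an unexpected format
        host, process = m["host"], m["process"]
        if m["ip"] == C2_ADDRESS:
            findings.append(Finding(host, process, f"connection attempt to {C2_ADDRESS}"))
        elif matches_dropped_name(process):
            findings.append(Finding(host, process, "process name matches dropped-file pattern"))
    return findings


def infected_hosts(findings):
    """Hosts that tried to reach the malicious server: the confirming signal."""
    return sorted({f.host for f in findings if f.reason.startswith("connection attempt")})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.host}: {f.process} ({f.reason})")
    print("hosts with connection attempts:", infected_hosts(results))
```

The name patterns are deliberately treated as leads rather than verdicts: several legitimate Windows binaries (explorer.exe, iexplore.exe, winlogon.exe, services.exe) have eight-character names and would match without the allowlist, so a name match is something to investigate, while a connection attempt to the listed address is the signal that identifies an infected host.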

Related Resources:

What You Should Know About Download.Ject:
http://www.microsoft.com/security/incident/download_ject.mspx


Win32.Webber:
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=35848


js.toofer:
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=39438


Zone Labs Enterprise Documentation Center:
http://www.zonelabs.com/store/support/enterprise/documentation/index.jsp


Increase Your Browsing and E-Mail Safety:
http://www.microsoft.com/security/incident/settings.mspx


Computer Associates Threat Information Center:
http://www3.ca.com/threatinfo/

Tuesday, July 06, 2004

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, July 2, 2004 - This week's report on viruses and intruders will focus
on three backdoor Trojans (Webber.S, Webber.P and Agent.E), two Trojans
(Bankhook.A and Scob.A), and three new Korgo variants.

Webber.S and Webber.P are two backdoor Trojans that allow malicious users to
access remote computers, steal confidential information and send it to
several websites. These two variants differ in their means of distribution.

Webber.P spreads by modifying the configuration of web servers that use IIS
5.0 (Internet Information Services). As a result, these servers will include
malicious JavaScript code (detected by Panda Software as Exploit/DialogArg)
in the pages they host. This code exploits an Internet Explorer
vulnerability to allow Webber.P to be downloaded and run on the computer,
without the user's consent.

Webber.S is also distributed when users visit certain web pages which
include a malicious JavaScript code. Due to a vulnerability in Internet
Explorer, this code allows Webber.S to be downloaded and run in the
computer, without the user realizing.

Webber.P opens two TCP ports in order to make the affected computer act as a
proxy server.

The third backdoor Trojan in today's report is Agent.E, which installs
itself on the affected computer when users visit certain web sites. This
malicious code creates a dynamic link library on the targeted computer,
which takes control of certain features of the Internet Explorer browser.
Agent.E allows the following actions to be carried out: obtain information
from the system, access files belonging to several applications, use objects
for communication, etc.

The Trojan Bankhook.A installs itself on the affected computer by exploiting
the MhtRedir Internet Explorer vulnerability. Bankhook.A modifies the
affected computer's Windows Registry in order to ensure it is run every time
Internet Explorer is launched.

Bankhook.A searches the HTTPS traffic generated on the affected computer for
text strings related to different online banks. If successful, Bankhook.A
steals confidential information (user names, passwords, account numbers,
credit card numbers, etc.) and sends it to a remote computer through a
script.

The second Trojan in today's report is Scob.A, which only affects Windows
XP/2000/NT computers that act as web servers, provided that they have IIS
(Internet Information Services) v5.0 installed. Scob.A modifies the
application settings so that malicious code (Exploit/DialogArg) is included
in all the files provided from those servers.

We are going to finish this week's report with variants U, V and W of Korgo.
All of these variants exploit the Windows LSASS vulnerability to spread
automatically to computers via the Internet. Even though they affect all
Windows platforms, they can only spread automatically to Windows XP/2000
computers. All these Korgo variants connect to several websites and try to
download files from them. They also send information on the country in
which the affected computer is located to those websites.

Korgo.U, Korgo.V and Korgo.W go memory resident and, unlike other malicious
codes that exploit the LSASS vulnerability to affect computers, they do not
display an error message with a countdown clock or restart the affected
computer.

For further information about these and other computer threats, visit Panda
Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia

Additional information

- Backdoor Trojan: this is a program that enters the computer and creates a
backdoor through which it is possible to control the affected system without
the user realizing.

- Internet Information Server (IIS): this is a Microsoft server designed for
publishing and maintaining web pages and portals.

- Dynamic Link Library (DLL): a special type of file with the extension DLL.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.com/virus_info/glossary/default.aspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.