Archives for January 2006

Security Giants Team Up Against Spyware

  • Posted: January 31, 2006
  • Author: Virus analyst

Just two days ago I wrote a blog about a team effort to fight against badware through www.stopBADware.org; now it’s our turn, the security companies, to team up.


McAfee, Symantec, ICSA Labs, Thompson Cyber Security Labs and of course Trend Micro have formed an alliance to standardize the naming and testing methodologies to be used for spyware. The testing methodologies and practices, which will serve as a guideline, can be viewed at http://www.spywaretesting.org/metadot/index.pl.


The alliance is rapidly gaining attention, and other security companies are beginning to express interest in joining.


This is an important step for the security companies, and one that shows their maturity. After all, we all have one goal in mind: to protect customers from spyware, adware or any other -ware that could do harm.



A WORM_GREW Q&A collection

  • Posted: January 31, 2006
  • Author: Virus analyst

A collection of information on WORM_GREW from various sources:


What are the other names of WORM_GREW?


Based on SecuriTeam’s FAQ, here is the list of detections:



  • Authentium W32/Kapser.A@mm
  • AntiVir Worm/KillAV.GR
  • Avast! Win32:VB-CD [Wrm]
  • AVG Worm/Generic.FX
  • BitDefender Win32.Worm.P2P.ABM
  • ClamAV Worm.VB-8
  • Command W32/Kapser.A@mm (exact)
  • Dr Web Win32.HLLM.Generic.391
  • eSafe Win32.VB.bi
  • eTrust-INO Win32/Blackmal.F!Worm
  • eTrust-VET Win32/Blackmal.F
  • Ewido Worm.VB.bi
  • F-Prot W32/Kapser.A@mm (exact)
  • F-Secure Email-Worm.Win32.Nyxem.e
  • Fortinet W32/Grew.A!wm
  • Ikarus Email-Worm.Win32.VB.BI
  • Kaspersky Email-Worm.Win32.Nyxem.e
  • McAfee W32/MyWife.d@MM (McAfee has an “E” variant)
  • Nod32 Win32/VB.NEI worm
  • Norman W32/Small.KI (W32/Small.KI@mm)
  • Panda W32/Tearec.A.worm (W32/MyWife.E.Worm)
  • QuickHeal I-Worm.Nyxem.e
  • Sophos W32/Nyxem-D
  • Symantec W32.Blackmal.E@mm
  • Trend Micro WORM_GREW.A (Worm_BLUEWORM.E)
  • VBA32 Email-Worm.Win32.VB.bi
  • VirusBuster Worm.P2P.VB.CIL

What is the payload again? From Trend Micro’s WORM_GREW.A description:

On the third day of every month, this worm overwrites all files with the following extension names 30 minutes after the affected system is restarted:

  • DMP
  • DOC
  • MDB
  • MDE
  • PDF
  • PPS
  • PPT
  • PSD
  • RAR
  • XLS
  • ZIP

It overwrites the said files with the following string: DATA Error [47 0F 94 93 F4 K5]
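For incident responders who need to know which documents the payload above actually destroyed, here is a small triage script. It is an added example, not Trend Micro’s code or tooling: it walks a directory tree, looks only at files with the targeted extensions, and reports those whose entire content is the marker string the worm writes (healthy files are never read in full, because the size check fails first). A second helper applies the trigger logic from the description (third day of the month, 30 minutes after restart) to a boot time. The sample files and the boot times are constructed for the demonstration.

```python
"""Triage helper for files overwritten by the WORM_GREW.A payload.

Added example (not Trend Micro's code). Targeted extensions and the
overwrite marker come from the virus description quoted above; the
sample directory is constructed here so the script runs offline.
"""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

# Extensions targeted by the payload (from the WORM_GREW.A description).
TARGET_EXTENSIONS = {".dmp", ".doc", ".mdb", ".mde", ".pdf", ".pps", ".ppt",
                     ".psd", ".rar", ".xls", ".zip"}

# String the worm writes over each targeted file (from the description).
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path: Path) -> bool:
    """True if the file's whole content is exactly the worm's marker string.

    The size check comes first so large, healthy documents are never read."""
    try:
        if path.stat().st_size != len(OVERWRITE_MARKER):
            return False
        with path.open("rb") as fh:
            return fh.read(len(OVERWRITE_MARKER) + 1) == OVERWRITE_MARKER
    except OSError:
        return False  # unreadable files are reported as intact, not damaged


def scan_tree(root: Path) -> dict:
    """Return {'damaged': [...], 'intact': [...]} for targeted files under root."""
    damaged, intact = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in TARGET_EXTENSIONS:
                continue  # not a file type the payload touches
            (damaged if is_overwritten(p) else intact).append(p)
    return {"damaged": sorted(damaged), "intact": sorted(intact)}


def payload_fire_time(boot_time_iso: str) -> Optional[str]:
    """Given a reboot time (ISO 8601), return when the payload would fire.

    Per the description the payload runs 30 minutes after a restart on the
    third day of a month; any other day returns None."""
    boot = datetime.fromisoformat(boot_time_iso)
    if boot.day != 3:
        return None
    return (boot + timedelta(minutes=30)).isoformat()


def build_sample_tree() -> Path:
    """Construct a directory with one overwritten and two intact targeted
    files plus one non-targeted file. Sample data, not a real infection."""
    root = Path(tempfile.mkdtemp(prefix="grew_triage_"))
    (root / "report.doc").write_bytes(OVERWRITE_MARKER)               # destroyed
    (root / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # placeholder healthy content
    (root / "notes.txt").write_bytes(OVERWRITE_MARKER)                # .txt is not targeted
    sub = root / "archive"
    sub.mkdir()
    (sub / "old.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 26)      # placeholder healthy content
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    for p in result["damaged"]:
        print(f"OVERWRITTEN: {p.relative_to(root)}")
    print(f"{len(result['damaged'])} damaged, {len(result['intact'])} intact targeted files")
    print("Reboot on the 3rd at 08:00 fires at:", payload_fire_time("2006-02-03T08:00:00"))
```

Point `scan_tree` at a mounted image or a file share to produce a list of files that need restoring from backup; matching on the whole content rather than on the extension alone keeps documents that merely share a name with a damaged one out of the report.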


How do I know if I’m infected?
Check out the virus description of WORM_GREW.A, or better yet, download and run DCE.
Microsoft also provides a virus description as well as a removal tool.
And oh, do a system scan.


I heard there are millions of infected systems. Is this true?
Actually, no. Not millions. Joe Stewart of LURHQ has released some very interesting analysis and statistics on this worm based on its infection counter (the worm updates a counter on a website). Based on their statistics, the count is much closer to 300,000. India seems to be the most infected country, followed by Peru. And from LURHQ’s Q&A:


Q: Peru? Are you sure?
A: Yes, we have resolved the hostnames and they belong primarily to a single Peruvian ISP. We can only speculate that someone with a large list of customers at that ISP became infected and most of the users received the attachment.
So there.


Sources



  • ISC Summary
  • LURHQ
  • SecuriTeam’s TISF Blackworm Task Force (very detailed FAQ)
  • Microsoft’s Virus description/Removal Tool
  • WORM_GREW.A




Drag-and-Drop exploit Maker

  • Posted: January 31, 2006
  • Author: Virus analyst

First there was C/C++, then there was Visual C++. Of course, with Visual C++, Visual Basic comes to mind as well. Drag, drop, drag, drop, and your application is finished. That’s what the guys at ImmunitySec did: they created a drag-and-drop exploitation platform, which they aptly named VisualSploit.


Another “Photo & Article” Being Spammed

  • Posted: January 31, 2006
  • Author: Virus analyst

Another Breplibot malware is being spammed via email tonight, and Trend Micro will be detecting it as BKDR_BREPLIBOT.H. Our email honeypot intercepted a few sample mails with different subjects and bodies encouraging the recipient to open the attachment. Check out the Advisories page for other details of the spammed email. Click on the following:



  • BKDR_BREPLIBOT.H Advisory

It is also noted that some of the emails mention two URLs, www.TotalBusiness.com and www.Guardian.com. These web sites are totally legitimate. www.TotalBusiness.com is all about business: how to start one, finance it, market it, and so on. Meanwhile, www.Guardian.com is all about glass products. However, these two sites seem unaware that spam emails are using their legitimate web sites, which may contribute to the social engineering being used by the malicious attacker.


Users are advised to be well educated about spam emails and their attachments. Attachments in unsolicited emails, whether from known or unknown contacts, can be malware. The attachment can be archived as a Zip or Rar file, and inside the archive is an executable binary with a file extension of any of the following: scr, exe, pif, etc. Users are also advised to always update their pattern files regularly. =)



3 New Symbian Malwares

  • Posted: January 31, 2006
  • Author: Virus analyst

We just received three malicious SIS files, which are now being analyzed by the Service Team for detection. It is said that one of the SIS files contains a batch file Trojan that kills AV services. The following are the detections for the said files:



  • FExplorer 1.16-FULL.sis : SYMBOS_FONTAL.J
  • Image Manager – BiNPDa.sis : SYMBOS_FONTAL.K
  • Anti Virus from F-Secure.sis : SYMBOS_SKULLS.H

Published Virus Report:



  • SYMBOS_SKULLS.H
  • SYMBOS_FONTAL.J
  • SYMBOS_FONTAL.K


Update WinAmp 0-day: WinAmp 5.13 Released

  • Posted: January 31, 2006
  • Author: Virus analyst

The developers of WinAmp have just released WinAmp version 5.13 to fix the reported flaw involving its playlist files. This vulnerability was discussed in a previous blog, Winamp 5.12 0-day. So WinAmp users out there, you should update your Winamp player to avoid possible attacks via the said vulnerability. Just follow the link provided below:



  • http://www.winamp.com/player/


Winamp 5.12 0-day

  • Posted: January 30, 2006
  • Author: Virus analyst

Winamp released version 5.12 last December 9, 2005, and now a new exploit for the new version is out. FR-SIRT has already released an advisory (as well as the PoC), and yes, it works. As described in the attack vector: “make a html page containing an iframe linking to the .pls file.”


The author also released a link to a site which uses the iframe, and here are some notes:



  • On visiting the link via FireFox, a dialog box asks you whether you want to download, or open the file.
  • On IE, however, the PoC is automatically executed without any warning.

I therefore conclude: if you have the vulnerable version of Winamp (and no patched version yet), use FireFox when browsing the web. No reports of this in the wild (ITW) yet.


Yet another GPCode

  • Posted: January 30, 2006
  • Author: Virus analyst

A new variant of the ransomware-send-money-to-decrypt-your-files family was discovered sometime last week by Kaspersky (and yes, we have the file as well, and it is now being processed by the service team). From the Kaspersky blog: “The new variant of GPCode was widely spammed throughout the Russian segment of the Internet”, and yes, we do lack coverage in terms of malware acquisition in Russia. Hmmmmm… Perhaps a Russian expedition is in order? heheehehe. Anyway, we’ll post updates later (detection/VR).



Update (JJ, 30 January 2006 21:41:49)


Virus Report here: TROJ_PGPCODER.C.



New Internet Watchers: www.stopBADware.org

  • Posted: January 30, 2006
  • Author: Virus analyst

Harvard Law School’s Berkman Center, Consumers Union WebWatch, and Oxford University, together with internet giant Google, Lenovo and Sun Microsystems, have teamed up in an effort to fight Badware, their own term for the spyware, adware or malware roaming around the internet.


According to their site, www.StopBadware.org is a “Neighborhood Watch” campaign aimed at fighting badware, seeking and providing reliable information about downloadable applications so that users will be better informed about what they download onto their computers.


The site comes as a complete package including a weblog, FAQ, reports, and a way for users to submit their own story about Badware.



Fake PBS Email Comes with a Trojan

  • Posted: January 27, 2006
  • Author: Virus analyst

We are currently receiving email messages in the email honeypot which use PBS, Payroll & Business Services Ltd, for their social engineering technique. The email informs the recipient that the “fake” PBS company received an error from the recipient’s bank. Further, it encourages the recipient to open the attachment for other details on the transaction. However, the attachment is a binary file with an EXE file extension, to be detected as TROJ_DLOADER.BMX. This Trojan downloads a spyware Trojan which will also be detected as TSPY_CASGRAB.K.


Other details of the email can be found in our Advisories page. Click on the following link:



  • TROJ_DLOADER.BMX Advisory

Meanwhile, the link www.pbs.uk.com is a legitimate site. PBS posted an urgent notice for its customers about the said spammed email:


“If you have received an email which appears to have been sent by PBS (UK) Ltd, with regard to a bill payment for the amount of £755.00, please ignore this email.”


Follow the link below for PBS’ notice.



  • http://www.pbs.uk.com/spam_message.aspx

Users are advised to be aware of spam messages, and also not to open attachments from unsolicited emails from known or unknown contacts. Lastly, please update your pattern files regularly. =)
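Both this PBS campaign (a bare EXE attachment) and the Breplibot “Photo & Article” spam above (an executable hidden inside a Zip or Rar archive, with an scr, exe or pif extension) can be caught at the mail gateway by the same attachment policy. The script below is an added example, not Trend Micro’s code or any product’s filter: it parses a constructed message, blocks attachments whose last extension is executable (so a double extension such as photo.jpg.scr is still caught), opens ZIP archives to inspect the names inside, and holds RAR archives or corrupt ZIPs for review because the standard library cannot open them. The executable list extends the three extensions named in the post with a few assumed additions (com, bat, cmd); the sender, subject and attachment contents are constructed stand-ins.

```python
"""Mail-attachment triage for the spam campaigns described above.

Added example, not Trend Micro's code. Verdicts: 'block' for executables
(direct or inside a ZIP), 'hold' for archives that cannot be inspected,
'allow' for everything else. The sample message is constructed inline.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# scr, exe and pif are named in the post; the rest are assumed additions.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def _ext(name: str) -> str:
    """Last extension, lower-cased; '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_attachment(filename: str, data: bytes):
    """Return (verdict, reason) for one attachment."""
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable attachment ({ext})"
    if ext == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                bad = [n for n in zf.namelist() if _ext(n) in EXECUTABLE_EXTENSIONS]
        except zipfile.BadZipFile:
            return "hold", "data with a .zip name is not a readable zip"
        if bad:
            return "block", "archive contains executable: " + ", ".join(bad)
        return "allow", "archive without executables"
    if ext == "rar":
        # No stdlib RAR reader: never pass what cannot be inspected.
        return "hold", "rar archive cannot be inspected here"
    return "allow", f"non-executable type ({ext or 'none'})"


def triage_message(raw: bytes):
    """Parse a raw RFC 822 message and classify every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, data)
        results.append((name, verdict, reason))
    return results


def build_sample_message() -> bytes:
    """Constructed message mimicking the campaigns: an .exe, a .zip wrapping
    a .scr, and a harmless .pdf. Byte contents are placeholders."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("photo.scr", b"MZ" + b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Photo & Article"
    msg.set_content("Please open the attachment for details on the transaction.")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice_755.exe")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="article.zip")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in triage_message(build_sample_message()):
        print(f"{verdict:5}  {name:18}  {reason}")
```

Deciding on the archive’s member names rather than on the outer .zip extension is what matters here: the spam relies on the archive looking harmless, and the held verdict for RAR means an uninspectable container goes to a reviewer instead of to the user.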

