
YM Phishing Site

  • Posted: September 27, 2005
  • Author: Virus Analyst

A new Yahoo phishing site has been spotted at
http://www.geocities.com/myphotos30021. It spoofs the Yahoo! Photos site.
Below is a snapshot of the site; click the picture for a fuller view.

The site has already been submitted to the Web Blocking Team.

Tags: Smishing

Update Wi-Fi Worms?!?

  • Posted: September 27, 2005
  • Author: Virus Analyst


As of the time of writing, no security firm or individual has been able to confirm the credibility of the report. The security community has been asking for binaries of the much-hyped worm to prove to the public that it really exists, but even the individual (Vlad) who claims that his machine was infected cannot provide one.

Vlad even posted a tcpdump capture of the claimed Wi-Fi worm activity, but what is noticeable on skimming through the log is that no 802.11 traffic can be extracted from it: everything in it is Ethernet traffic.

I guess this issue has been so much hyped just to get the attention of some individuals/firms. I'd say he has succeeded even this early, because even people from the Internet Storm Center have devoted time to some passive analysis in the area.

But nobody has been able to provide consistent, real proof.

Tags: Smishing

New Symbian Malware attempts to infect Windows

  • Posted: September 27, 2005
  • Author: Virus Analyst


This new Symbian malware is similar to other Symbian malware in that it overwrites normal files on the system in order to destroy them. However, it has a particularly interesting characteristic: it attempts to spread the infection to a computer running Windows. It does this by dropping these four files into the E: directory (which is the memory card):


  • fsb.exe – BKDR_BERBEW.Q
  • buburuz.ICO – icon file for the memory card
  • autorun.inf – file used to automatically execute fsb.exe
  • SYSTEM.exe – WORM_WUKILL.B


Thus, when the memory card is inserted into a Windows computer, autorun.inf will attempt to execute fsb.exe. SYSTEM.exe may not have an automatic startup routine, but since it carries the icon of a folder, it could be executed by an unsuspecting user who wants to open this “folder”.

Note: This malware is detected as SYMBOS_CARDTRP.A.
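The Windows-side half of this infection rests on two things a defender can check on any removable medium: what autorun.inf would launch, and which executables sit on the root waiting for a user to open them. The following Python script is an added example, not code from the post or from Trend Micro; it recreates the card layout described above with placeholder file contents (constructed, not the real dropped files) in a temporary directory, parses the [autorun] section the way the shell reads it (case-insensitive keys, both `open` and `shellexecute` cause execution), and reports the executables that autorun does not reference, which is where SYSTEM.exe's folder-icon trick would show up.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed stand-in for the memory card layout described in the post (E: root).
# File contents are placeholders, not the real dropped files.
SAMPLE_CARD_FILES = {
    "autorun.inf": "[autorun]\nopen=fsb.exe\nicon=buburuz.ICO\n",
    "fsb.exe": "MZ placeholder",
    "SYSTEM.exe": "MZ placeholder",
    "buburuz.ICO": "",
}

# Extensions the Windows shell runs directly when a file is opened.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}


def build_sample_card() -> Path:
    """Create the constructed card layout in a temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="card_"))
    for name, content in SAMPLE_CARD_FILES.items():
        (root / name).write_text(content)
    return root


def parse_autorun(root: Path) -> dict:
    """Return the [autorun] keys (lower-cased) from autorun.inf at the media root, or {}."""
    inf = root / "autorun.inf"
    if not inf.is_file():
        return {}
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(inf.read_text(errors="ignore"))
    except configparser.Error:
        return {}  # malformed file: nothing the shell would honour
    for section in cp.sections():
        if section.lower() == "autorun":  # section name is case-insensitive on Windows
            return dict(cp[section])
    return {}


def audit_removable_media(root: Path) -> dict:
    """Report what autorun.inf would launch and which root executables it leaves unreferenced."""
    auto = parse_autorun(root)
    targets = set()
    for key in ("open", "shellexecute"):  # both keys cause execution on insertion
        if auto.get(key):
            program = auto[key].split()[0].strip('"').lower()  # drop arguments and quotes
            targets.add(program)
    executables = sorted(p.name for p in root.iterdir()
                         if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES)
    return {
        "autorun_present": bool(auto),
        "autorun_targets": sorted(t for t in targets if (root / t).is_file()),
        # Executables autorun does not launch rely on the user opening them,
        # which is the SYSTEM.exe folder-icon trick the post describes.
        "unreferenced_executables": [e for e in executables if e.lower() not in targets],
    }


if __name__ == "__main__":
    card = build_sample_card()
    for name, value in audit_removable_media(card).items():
        print(f"{name}: {value}")
```

Run against the constructed card, the report names fsb.exe as the autorun target and SYSTEM.exe as an unreferenced executable; on a real card the same two lists are what to look at first before anything on it is double-clicked.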


Dropped Files

  • E:\DOCUME~1\Bim\LOCALS~1\Temp\MKS0\CARIBE.SIS – already detected as SymbOS_CABIR.A
  • E:\SYSTEM.exe – already detected as WORM_WUKILL.B
  • E:\fsb.exe – already detected as BKDR_BERBEW.Q
  • E:\System\Apps\WILDSKIN\WILDSKIN.App
  • C:\System\Apps\WALLETAVMGMT\WALLETAVMGMT.App
  • C:\System\Apps\Voicerecorder\Voicerecorder.app
  • C:\System\Apps\VoiceRec\VoiceRec.app
  • C:\System\Apps\VM\Vm.app
  • C:\System\Apps\Videorecorder\VideoRecorder.app
  • C:\System\Apps\VCommand\VCommand.app
  • E:\System\Apps\UVSMStyle\UVSMStyle.App
  • E:\System\Apps\UltraMP3\UltraMP3.App
  • C:\System\Apps\Todo\Todo.app
  • E:\System\Apps\SystemExplorer\SystemExplorer.App
  • C:\System\Apps\sSaver\sSaver.App
  • C:\System\Apps\SpeedDial\Speeddial.app
  • E:\System\Apps\Sounder\Sounder.App
  • C:\System\Apps\SnakeEx\SnakeEx.app
  • E:\System\Apps\SmsMachine\SmsMachine.App
  • E:\System\Apps\SmartMovie\SmartMovie.App
  • E:\System\Apps\SmartAnswer\SmartAnswer.App
  • C:\System\Apps\SimDir\SimDir.app
  • E:\System\Apps\ScreenCap\ScreenCap.app
  • C:\System\Apps\SatUi\Satui.app
  • E:\System\Apps\RingMaster\RingMaster.App
  • C:\System\Apps\RealPlayer\RealPlayer.app
  • E:\System\Apps\RallyProContest\RallyProContest.App
  • E:\System\Apps\PVPlayer\PVPlayer.App
  • C:\System\Apps\Psln\PSLN.app
  • C:\System\Apps\ProfileApp\ProfileApp.app
  • C:\System\Apps\Pinboard\Pinboard.app
  • E:\System\Apps\PhotoSMS\PhotoSMS.App
  • E:\System\Apps\PhotoSafe\PhotoSafe.App
  • E:\System\Apps\Photographer\Photographer.app
  • E:\System\Apps\PhotoEditor\PhotoEditor.app
  • C:\System\Apps\PhotoAlbum\PhotoAlbum.app
  • E:\System\Apps\photoacute\photoacute.App
  • C:\System\Apps\PhoneBook\PhoneBook.app
  • !:\System\Apps\Phone\FREAKPHONE_CAPTION.RSC
  • !:\System\Apps\Phone\FREAKPHONE.RSC
  • E:\System\Apps\Phone\FREAKPHONE.APP
  • E:\System\Apps\Phone\FreakPhone.aif
  • C:\System\Apps\NSmlDSSync\NSmlDSSync.app
  • C:\System\Apps\Notepad\Notepad.app
  • C:\System\Apps\MusicPlayer\MusicPlayer.app
  • E:\System\Apps\Mp3Player\Mp3Player.App
  • E:\System\Apps\Mp3Go\Mp3Go.App
  • C:\System\Apps\mmp\mmp.App
  • C:\System\Apps\MMCApp\MMCApp.app
  • C:\System\Apps\MixPix\MixPix.app
  • C:\System\Apps\MidpUi\MidpUi.app
  • E:\System\Apps\MIDIED\MIDIED.App
  • !:\System\Apps\Menu\FreakMenu_caption.rsc
  • !:\System\Apps\Menu\FREAKMENU.RSC
  • !:\System\Apps\Menu\FREAKMENU.APP
  • E:\System\Apps\Menu\FreakMenu.aif
  • C:\System\Apps\Mediaplayer\MediaPlayer.app
  • C:\System\Apps\MediaGallery\MediaGallery.app
  • C:\System\Apps\MCE\MCE.app
  • C:\System\Apps\Logs\Logs.app
  • E:\System\Apps\logoMan\logoMan.app
  • E:\System\Apps\Launcher\Launcher.app
  • E:\System\Apps\KPCaMain\KPCaMain.App
  • E:\System\Apps\Jelly\Jelly.App
  • E:\System\Apps\irremote\irRemote.App
  • C:\System\Apps\IrApp\IrApp.app
  • E:\System\Apps\HantroCP\HantroCP.App
  • E:\System\Apps\Hair\Hair.App
  • C:\System\Apps\GS\GS.app
  • E:\System\Apps\FSCaller\FSCaller.App
  • C:\System\Apps\FMRadio\FMRadio.app
  • C:\System\Apps\FileManager\FileManager.app
  • E:\System\Apps\FExplorer\FExplorer.App
  • C:\System\Apps\Fdn\FDN.app
  • C:\System\Apps\FaxModemUi\FaxModemUi.app
  • E:\System\Apps\FaceWarp\FaceWarp.App
  • E:\System\Apps\extendedrecorder\extendedrecorder.App
  • E:\System\Apps\ETIPlayer\ETIPlayer.App
  • E:\System\Apps\ETIMovieAlbum\ETIMovieAlbum.App
  • E:\System\Apps\ETICamcorder\ETICamcorder.App
  • C:\System\Apps\CSHelp\CSHelp.app
  • C:\System\Apps\Converter\Converter.app
  • C:\System\Apps\ConnectionMonitorUi\ConnectionMonitorUi.app
  • C:\System\Apps\Composer\Composer.app
  • C:\System\Apps\ClockApp\ClockApp.app
  • E:\System\Apps\CF\CF.app
  • E:\System\Apps\camerafx\CameraFX.App
  • C:\System\Apps\Camera\Camera.app
  • C:\System\Apps\Camcorder\Camcorder.app
  • E:\System\Apps\Camcoder\Camcoder.App
  • E:\System\Apps\CallManager\CallManager.App
  • E:\System\Apps\callcheater\callcheater.app
  • C:\System\Apps\Calendar\Calendar.app
  • C:\System\Apps\CalcSoft\CalcSoft.app
  • C:\System\Apps\Browser\Browser.app
  • E:\System\Apps\BlueJackX\BlueJackX.App
  • E:\System\Apps\BlackList\BlackList.App
  • C:\System\Apps\AppMngr\AppMngr.app
  • C:\System\Apps\AppCtrl\AppCtrl.app
  • E:\System\Apps\AnswRec\AnswRec.App
  • E:\System\Apps\AD7650\AD7650.App
  • C:\System\Apps\About\About.app
  • E:\buburuz.ICO
  • E:\autorun.inf
  • PopUp0.txt



Update
Previously, we came to define an example of a “blended threat” as a Windows worm that spreads via multiple propagation vectors such as email, IM, network shares and application vulnerabilities, and/or has the capabilities of other malware such as file infectors, backdoor trojans or even spyware.

Now we may be seeing a slightly new encounter with another implementation of what a “blended threat” is, or could be in the near future: a mobile malware that has the capability to affect the Windows platform! Ergo, let the battle cry linger on: let’s continue to be vigilant!

As Raimund Genes, Trend Micro Chief Technologist Anti-Malware, has said: “As mobile threats continue to evolve, it’s likely that we will see further attacks similar to this, but utilizing more robust propagation techniques and therefore carrying a higher potential for infection.”

Tags: Smishing

Some Bits About UPolyX

  • Posted: September 27, 2005
  • Author: Virus Analyst


You must have heard that there are a number of new variants of the long-lived WORM_BAGLE. Well, that’s because of UPolyX.

UPolyX is not new; in fact its first version, UPolyX v0.1, has been around since 2004. Searching the net turns up four (4) versions in existence.

UPolyX is basically a scrambler. It specifically needs a UPX-packed input file to produce an output file. Through its polymorphic decrypter engine, it can produce a number of different output files even from a single input file. That is why we keep receiving a number of WORM_BAGLE variants from time to time.

The latest version of the scrambler, UPolyX v0.5, has added a permutation module to further improve its polymorphism.

The scrambler also implements an Executable Trash Generator (ETG) that places trash (dummy instructions) between the polymorphic decryptor and the code itself. ETG can be configured to control the number of bytes of trash to generate. ETG 1.00 is the only version publicly known and has been around since March 2000.

From the characteristics mentioned above, it seems the author’s primary purpose is to defeat the decryptor-emulation techniques of various anti-virus engines.

Using this UPolyX technology, an already-detected malware can be revived and get into the wild again.

As far as I have noticed, the samples we receive are based on this principle:

Detected Malware + UPX + UPolyX (polymorphic decrypter + Executable Trash Generator) = New Undetected Malware


What if some worm authors decided to embed UPolyX’s technology? Hmm.. oh well, we might have a hard time telling which variant of the worm is in the wild!
But that’s just one of the possibilities; others may come along the way, and that’s another story. :=)
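The “Detected Malware + UPX + UPolyX = New Undetected Malware” equation holds only for scanners that match on the bytes of the file as shipped; once the decryptor is emulated and the trash skipped, every output of the scrambler collapses back to the same body. The following Python script is an added example (not UPolyX, ETG, or any Trend Micro code) that models the idea with a toy layer: a per-run XOR key, a random-length filler region, and a tiny header standing in for the decryptor's parameters. `scramble` plays the scrambler, `emulate` plays the emulating scanner, and the two hash sets show why hashing after emulation is the check worth keeping. The payload and the `TOY1` format are constructed for the example.

```python
import hashlib
import random
import struct

# Constructed stand-in for an already-detected, UPX-packed sample body.
PAYLOAD = b"MZ-constructed-sample-body-" * 8

# Toy "decryptor parameters": magic, XOR key, trash length (constructed format).
HEADER = struct.Struct("<4sBH")


def scramble(payload: bytes, seed: int) -> bytes:
    """Toy polymorphic layer: a fresh key and a random-length trash region per run.
    Models a polymorphic decryptor plus ETG-style filler, not UPolyX itself."""
    rng = random.Random(seed)
    key = rng.randrange(1, 256)
    junk_len = rng.randrange(0, 64)
    junk = bytes(rng.randrange(256) for _ in range(junk_len))  # ETG-like dummy bytes
    body = bytes(b ^ key for b in payload)                      # "encrypted" code
    return HEADER.pack(b"TOY1", key, junk_len) + junk + body


def emulate(sample: bytes) -> bytes:
    """What an emulating scanner does: follow the decryptor's own logic, skip the
    trash, and recover the body that existed before the scrambler ran."""
    magic, key, junk_len = HEADER.unpack_from(sample, 0)
    if magic != b"TOY1":
        raise ValueError("not a toy-scrambled sample")
    body = sample[HEADER.size + junk_len:]
    return bytes(b ^ key for b in body)


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def raw_hashes(payload: bytes, seeds) -> set:
    """Hashes a byte-level signature scanner sees: one per scrambling run."""
    return {md5(scramble(payload, s)) for s in seeds}


def unpacked_hashes(payload: bytes, seeds) -> set:
    """Hashes after emulating the decryptor: they collapse back to one value."""
    return {md5(emulate(scramble(payload, s))) for s in seeds}


if __name__ == "__main__":
    seeds = range(5)
    print("distinct raw hashes:     ", len(raw_hashes(PAYLOAD, seeds)))
    print("distinct unpacked hashes:", len(unpacked_hashes(PAYLOAD, seeds)))
```

Five runs give five different files and five different MD5s, yet one hash after emulation; that single value is the one a detection should be keyed on, which is exactly the emulation step the scrambler's trash generator is built to make expensive.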

Tags: Smishing

Bagle Author Hacks Russian Website

  • Posted: September 27, 2005
  • Author: Virus Analyst



For some time now, we have been checking the download site of WORM_BAGLE.DA for changes in the uploaded file. When I checked the main site of the download URL, http://{blocked}i.ru, I discovered that it was the website of a LEGITIMATE Russian company.

The author(s) of the Bagle malware hacked the website and put the malware file under http://{blocked}i.ru/img/ as 2.jpg, disguising it as a JPG file of the legitimate website.

This may have been done by the malware author(s) to avoid getting caught, since the site will not be traced to them.

Tags: Smishing

WORM_BAGLE meets UPolyX

  • Posted: September 27, 2005
  • Author: Virus Analyst



Again we are experiencing a storm of TROJ_BAGLE samples coming in, the attachment of the TROJ_BAGLE being 19_09.exe.

As I said in my previous blog, we have been downloading the files from the URLs used by Bagle. To my surprise, a new sample of WORM_BAGLE was downloaded from this site: http://{blocked}/img/2.jpg! Curiosity kicked in and I’m in hyper mode…


After some googling, I confirmed that the packer used in this WORM_BAGLE variant (UPolyX) is a polymorphic UPX scrambler. There you go: polymorphic!


After a while I downloaded the file again from the same URL. Guess what: I now have a new WORM_BAGLE variant.

So this may mean one of two things:

  1. From time to time a batch file may be automatically replacing the uploaded file at http://{blocked}/img/2.jpg with a repacked version of the file. And since its packer is UPolyX, it has now changed appearance.
  2. The malware writer may manually repack his WORM_BAGLE and manually change the file uploaded to the said site.

Either way, the packer, UPolyX, is one of the reasons why there are so many variants floating around.

Another thing: the filename of the trojan mass-mailed by WORM_BAGLE also changes.

The ones we are currently receiving have the filename 19_09.exe, while the one I downloaded from the site carries a trojan with the filename 20_09.exe. Anyone see a pattern?

The batch file I mentioned in number one may also be responsible for automatically renaming the trojan with the current date.

  • 19_09.exe – September 19
  • 20_09.exe – September 20


Update
So after downloading the files, here’s what I got…



  • Four (4) variations of WORM_BAGLE.DA (Undetected)
  • Four (4) variations of TROJ_BAGLE.DA (3 Detected and 1 Undetected)
  • One (1) TROJ_DLOADER.ACT (Undetected)


Each TROJ_BAGLE.DA is already embedded in a WORM_BAGLE.DA; the 4 different worms also carry 4 different trojans.

MD5 hashes of the files are listed below:



  • 2B855271E01342FD7ED6E0A2A6042947 2.jpg – WORM_BAGLE.DA
  • 33E8E59AA5773978E4E9AA1B0DB28A4E 20_09.exe – DETECTED AS TROJ_BAGLE.DA
  • 07BE19293429F833C284A1D96448E8DE 2.jpg – WORM_BAGLE.DA
  • AAD4A3C6E090E2687320F19E4F3F8034 19_09.exe – TROJ_BAGLE.DA
  • 8F2CF4AAE13C4F8588E92B97D522CD1C 2.jpg – WORM_BAGLE.DA
  • 555573598640743DDE5C2DF992E5CBE3 02.exe – DETECTED AS TROJ_BAGLE.DA
  • 9E6F3B0BA3D101CED7A3B0861B69865E 2.jpg – WORM_BAGLE.DA
  • 2E5E131E4D5A6500B94F68D1C11FFCC5 09.exe – DETECTED AS TROJ_BAGLE.DA
  • 609883018B90A6F4D36641F4D7F482F3 osa6.gif – TROJ_DLOADER.ACT


Note: By different, I mean the hex view (different because of the UPolyX packer). The behavior of the four files is the same.
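Two facts from this post are directly usable at a mail gateway: the MD5 list above, and the observation that the mailed trojan is named after the current date (19_09.exe, 20_09.exe). The hash list catches only the four files already seen; because each UPolyX repack produces a new hash, the naming heuristic is what surfaces the next day's file. The following Python script is an added example, not code from the post or from Trend Micro; the `KNOWN_MD5` table holds the hashes published above, the gateway records are constructed (the non-matching MD5 values are made up, not real sample hashes), and the `DD_MM` rule is validated as a real calendar date so that a name that merely looks like the pattern is not flagged.

```python
import re
from datetime import date

# MD5s published in the post, lower-cased for lookup (TROJ_/WORM_BAGLE.DA, TROJ_DLOADER.ACT).
KNOWN_MD5 = {
    "2b855271e01342fd7ed6e0a2a6042947": "WORM_BAGLE.DA",
    "33e8e59aa5773978e4e9aa1b0db28a4e": "TROJ_BAGLE.DA",
    "07be19293429f833c284a1d96448e8de": "WORM_BAGLE.DA",
    "aad4a3c6e090e2687320f19e4f3f8034": "TROJ_BAGLE.DA",
    "8f2cf4aae13c4f8588e92b97d522cd1c": "WORM_BAGLE.DA",
    "555573598640743dde5c2df992e5cbe3": "TROJ_BAGLE.DA",
    "9e6f3b0ba3d101ced7a3b0861b69865e": "WORM_BAGLE.DA",
    "2e5e131e4d5a6500b94f68d1c11ffcc5": "TROJ_BAGLE.DA",
    "609883018b90a6f4d36641f4d7f482f3": "TROJ_DLOADER.ACT",
}

# DD_MM.<executable extension>: the naming observed in the post (19_09.exe, 20_09.exe).
DATE_NAME = re.compile(r"^(?P<day>\d{2})_(?P<month>\d{2})\.(?:exe|scr|pif|com)$", re.IGNORECASE)

# Constructed gateway records (attachment name, MD5 of the attachment).
# Only the first MD5 is from the post; the others are made-up placeholders.
SAMPLE_RECORDS = [
    {"attachment": "19_09.exe", "md5": "AAD4A3C6E090E2687320F19E4F3F8034"},
    {"attachment": "21_09.exe", "md5": "00000000000000000000000000000000"},
    {"attachment": "report.pdf", "md5": "11111111111111111111111111111111"},
    {"attachment": "99_13.exe", "md5": "22222222222222222222222222222222"},
]


def date_named_executable(filename: str, year: int = 2005) -> bool:
    """True when the name is an executable called DD_MM and DD_MM is a real calendar date."""
    m = DATE_NAME.match(filename)
    if not m:
        return False
    try:
        date(year, int(m["month"]), int(m["day"]))
    except ValueError:  # e.g. 99_13.exe: right shape, not a date
        return False
    return True


def triage(record: dict) -> dict:
    """Combine the exact-hash check with the naming heuristic so that a freshly
    repacked (hash-unknown) sample is still surfaced for analysis."""
    reasons = []
    family = KNOWN_MD5.get(record.get("md5", "").lower())
    if family:
        reasons.append(f"known hash: {family}")
    if date_named_executable(record["attachment"]):
        reasons.append("DD_MM executable attachment name")
    return {"attachment": record["attachment"], "suspicious": bool(reasons), "reasons": reasons}


def triage_all(records) -> list:
    return [triage(r) for r in records]


if __name__ == "__main__":
    for verdict in triage_all(SAMPLE_RECORDS):
        print(verdict)
```

The constructed 21_09.exe record is the interesting one: its hash is unknown, as any next-day repack's would be, and only the date-name rule flags it. The year argument exists because the filename carries no year, so the rule should be driven from the gateway's clock rather than a hard-coded 2005.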

Tags: Smishing

MYTOB Installs Adware

  • Posted: September 27, 2005
  • Author: Virus Analyst

A new batch of Mytob link emails is currently spreading. It uses the same technique as the one posted a while back.

The link found in the emails spread by Mytob downloads a file named Confirmation.pif.

This file is actually a self-extracting RAR archive containing a malware package.
Among the files included are the WORM_MYTOB that spreads the email and a bot malware.

According to a report by Mark Toshack of MessageLabs, this new Mytob also installs adware from http://{blocked}.matcash.com. It is said that the author gets $0.15 each time the adware program is installed.


Tags: Smishing

About WORM_BAGLE Links

  • Posted: September 27, 2005
  • Author: Virus Analyst


Just some additional info on WORM_BAGLE.DA.

After the Bagle storm yesterday, we were still receiving reports that new Bagle variants were being seen. So we decided to again download the links found in WORM_BAGLE, TROJ_BAGLE and TROJ_DLOADER. I didn’t find a new Bagle variant, although I’m still downloading from the links; what I found out is a completely different thing.

Among the WORM_BAGLE.DA download links, there are 8 that connect to a web.php; 2 links were already down while the other 6 were downloaded successfully.

http://{blocked}/web.php

Inside the file web.php are the email addresses used by WORM_BAGLE in its FROM field. This may also be the reason why I couldn’t simulate the worm’s email propagation, since I tested it in an environment without an internet connection. Each download link has a different domain and name.

On one web.php



  • tom@atomate.com
  • tom@atomco.com
  • tom@atomcreation.com
  • tom@atomdigitaldesign.co.uk
  • tom@atomic.com.au
  • tom@atomic4.com
  • tom@atomicamps.com
  • tom@atomicblender.com
  • tom@atomicdesign.tv
  • tom@atomicdesigninc.com
  • tom@atomicdog.com
  • tom@atomicmarketing.com
  • tom@atomicspatula.com
  • …


and on another



  • shkim301@korea.com
  • shkim303@ktsolution.co.kr
  • shkim303@ktsolutions.co.kr
  • shkim304@hanmail.net
  • shkim304@samsung.co.kr
  • shkim3057@hanmail.net
  • shkim30@daewoo.com
  • shkim30@famecs.co.kr
  • shkim30@hanmail.net
  • …


yet on another



  • kathleen@kent.net
  • kathleen@kenwoodcc.net
  • kathleen@keogh.net.au
  • kathleen@kephart.net
  • kathleen@keplers.com
  • kathleen@keromail.com
  • kathleen@kerraisle.com
  • kathleen@kerstondesignteam.com
  • kathleen@kertzmanweil.com
  • …

WORM_BAGLE.DA also downloads a file from the link http://{blocked}/sss.php and saves it as re_file.exe. However, the link is still down as of the moment.

Tags: Smishing

VIRUS Hitches A Ride With WORM

  • Posted: September 27, 2005
  • Author: Virus Analyst



Lately we have been finding some malware where a fast-spreading WORM like REATLE is carrying a VIRUS in its body.

I don’t know if this is something old or new, but all I can think of is that this technique of a WORM with a VIRUS may be used by some malware authors to increase the infection rate of their viruses. Please see below:



  • A WORM is created by the malware author
  • The malware author infects the WORM with a VIRUS
  • The WORM is spread, carrying the VIRUS with it
  • Upon execution of the WORM, the VIRUS also infects other files on the system.


This way the VIRUS carried by the WORM can infect more files while getting a free ride across the network via its WORM, where it can again infect other files.


A New Exploit for Mozilla Browsers

  • Posted: September 27, 2005
  • Author: Virus Analyst

Berend-Jan Wever, aka “Skylined”, released exploit code for the IDN host name heap buffer overrun vulnerability in Mozilla browsers (Firefox, Mozilla, and Netscape). The source code of the exploit can be found here:


http://www.milw0rm.com/id.php?id=1224

Two lines in the exploit code are worth noticing:


One sploit to rule them all, One sploit to find them,
One sploit to bring them all and to port 28876 bind them.

If successful, the exploit sets up a listening port at 28876. The exploit was tested to work on Firefox 1.0.6.

Skylined is previously known for his InternetExploiter series of exploits against MS IE and the Alpha 2 alphanumeric shellcode encoder, among others.

Firefox fix

Firefox 1.0.7 has been released to address this vulnerability and is now available for download at the Mozilla Foundation homepage. MozillaZine also issued a security bulletin announcing the release of the Firefox fix. To quote the bulletin:


“The Mozilla Foundation previously issued a patch for Firefox 1.0.6 that protected users against the IDN link buffer overflow flaw at the expense of removing support for IDNs. Firefox 1.0.7 has a more permanent solution that does not involve disabling IDN functionality and any users who installed the patch will find that IDN support is restored when they upgrade.”

Tags: Smishing


  • Copyright © 2019 Trend Micro Incorporated. All rights reserved.