imageXX.zip, MSN worm variant

Posted by admin on October 14, 2008
Worm / No Comments

The MSN variant of this worm is still being updated daily.

We now have a new one. The file name is “imageXX.zip” (XX is a random number, e.g. image41.zip). Inside the zip is a .com file named “imageXX.JPG-www.photosmart.com” (e.g. image41.JPG-www.photosmart.com). The trailing “.com” is meant to read as the end of a web address, but it is the executable extension: the “picture” is a program, and Windows runs it as soon as it is opened. Watch out for these files.

This variant spreads by sending the zip to everyone on the infected user’s MSN contact list.

Filename: imageXX.zip (imageXX.JPG-www.photosmart.com)
Size: 60,928 bytes
MD5 hash: b18cc1ed9eac567af78e58f769b2e813
Detection: Trojan-Downloader.Win32.Injecter.n (Kaspersky)
Details:

(1) Drops the zip and copies of itself to the following locations:

%System%\nvsvc64.exe
%temp%\XX.exe
%temp%\imageXX.zip (XX is a random number, for example “image41.zip”)

(2) Adds the following registry value so the dropped file runs at every logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“nVidia Display Driver” = “nvsvc64.exe”

(3) Sends the following lure messages to MSN contacts:

This picture isnt you… right?
Wow i think i found your pic on myspace!
hah I think I found an old pic of us!
haha lets hope your parents dont see this picture of you :D
hey did i ever show you this picture of me?
is it ok if I add this pic to my new slideshow?
can i up some of these pics of ya to my myspace profile?
you care if i put this pictuer of you in my new album?
sry about the messup i fixed the pic! Try it one more time pz
is this pic tooo sexy for photobucket??
wow I just dyed my hair… You will never believe the color it is now. lol And dont laugh
my crazy sister wants u to see these pics for some reason… take a look
OMFG!!!!!!!! :D
wow! look at this old picture i found….
wanna see this pic of my Boobs?
Can i put this pic of you into my new myspace album?
Take a look at the new pics already! :p
I cant believe they wanted me to upload this picture to facebook lol. Its terrible. Like my outfit tho?
Lmfao hey im sending my new pictures! Check em out!
I’ve been editing some pics you should def see em loL! accept :)
Can you believe somone actually wears this size bra? I could use it for a Tent.
haha, this guy up my street just slammed his $90k car into a telephone pole! I got a pic of it with my cellphone
dude i just got these pictures off my digital for you! Gimme a moment to find em and send
Wanna see my pics before i send em to facebook?
do you think this picture is too kinky for Myspace?
OMG just accept please its only some pics!!
Hey accept my pictures, i got a bunch from when i was like a toddler :X
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
Hey just finished new myspace album! :) theres a few kinky ones in there!
OMG, i found ur pic on cuteornot.com! Check it out!!!
Have you seen me Naked Yet :D
ok, I DO NOT like my new hair color.. but people on facebook do. what do you think? And no laughing! lol
hey you got a myspace album? anyways heres my new myspace album :) accept k?
do I look dumb in this picture? I want to put it on myspace.
hey man accept my pics. :( i just edited it to look maad funny..
Dude i found your picture on hotornot.com! Take a look!
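The lure works on two levels: the inner file’s real extension (.com) is hidden behind something that reads like an image name followed by a web address, and the zip wrapper keeps a casual glance from noticing. The following Python script is an added example, not code from the original post; it shows how a mail or IM gateway could inspect such an archive. It flags entries matching the imageXX.JPG-www.photosmart.com pattern, entries whose final extension is executable while an image extension appears earlier in the name, and entries whose content starts with the MZ signature, and it compares the archive’s MD5 with the hash listed above. The executable-extension and image-token lists are my own choices, and the sample archive is constructed in memory around a harmless stub; it is not the worm.

```python
import hashlib
import io
import re
import zipfile

# Indicators from the post: the inner file-name pattern and the MD5 of the zip.
LURE_ENTRY_RE = re.compile(r"^image\d+\.jpg-www\.photosmart\.com$", re.IGNORECASE)
KNOWN_ZIP_MD5 = "b18cc1ed9eac567af78e58f769b2e813"

# Extensions Windows will execute directly when the file is opened (my list).
EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
IMAGE_TOKENS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")


def real_extension(name):
    """The extension Windows actually honours: everything after the last dot."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def masquerades_as_image(name):
    """True when an image extension appears before a final executable extension."""
    ext = real_extension(name)
    stem = name.lower()[: -len(ext)] if ext else name.lower()
    return ext in EXEC_EXTS and any(tok in stem for tok in IMAGE_TOKENS)


def inspect_zip(data):
    """Inspect an in-memory zip (bytes) and return a verdict dict."""
    md5 = hashlib.md5(data).hexdigest()
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            if LURE_ENTRY_RE.match(name.rsplit("/", 1)[-1]):
                reasons.append("name matches the imageXX.JPG-www.photosmart.com lure")
            if masquerades_as_image(name):
                reasons.append("executable extension hidden behind an image-like name")
            # A .com may be a raw DOS binary (no header) or a PE renamed to .com;
            # an MZ signature is a strong hint, but its absence proves nothing.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("content starts with the MZ executable signature")
            if reasons:
                findings.append((name, reasons))
    return {
        "md5": md5,
        "known_sample": md5 == KNOWN_ZIP_MD5,
        "findings": findings,
        "malicious": bool(findings) or md5 == KNOWN_ZIP_MD5,
    }


def build_sample_zip():
    """Constructed test archive that mimics the lure; the payload is a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image41.JPG-www.photosmart.com", b"MZ" + b"\x00" * 62)
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # JPEG magic
    return buf.getvalue()


if __name__ == "__main__":
    verdict = inspect_zip(build_sample_zip())
    for entry, reasons in verdict["findings"]:
        print(entry, "->", "; ".join(reasons))
    print("known sample:", verdict["known_sample"], "malicious:", verdict["malicious"])
```

The hash match only catches this exact sample; the name and content checks are what keep working when the worm is repacked tomorrow with a new MD5, which is the point of the “updating daily” remark above.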

How to remove?

STEP 1
Delete the registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“nVidia Display Driver” = “nvsvc64.exe”

STEP 2
Restart Windows

STEP 3
Delete the worm’s files:

%System%\nvsvc64.exe
%temp%\imageXX.zip
%temp%\XX.exe


New fake SSL certificates

Posted by admin on October 09, 2008
Virus / No Comments

Banks rely on cryptographic protocols to protect information exchanged over the network, and attackers do not hesitate to adapt to that technology. A new case of fake Secure Sockets Layer (SSL) certificates has again appeared at the tail end of a phishing attack, as we saw last April and May (see our earlier posts on forged digital certificates, the related phishing run, and a similar attack on Merrill Lynch).

This time the Open Business Banking site has been spoofed by malware authors using the Rock Phish kit. The fake page in the screenshot is aimed at holders of a Community Bank account.

[screenshot: spoofed bank page offering a certificate]

As in earlier phishing and malware cases, the spoofed site asks customers to install a new “security certificate”. The page offers download options for Windows and Mac users alike, but what users actually receive is an .EXE that runs malware routines on their systems, undermining the very online-transaction security a real certificate is supposed to provide.

[screenshot: fake certificate download page]

Another certificate attack appeared today, this time targeting Standard Bank. The spoofed page (again on a Rock Phish URL) asks the user to download a “128-bit certificate update”. The downloaded .exe file is, once more, malicious.

[screenshot: fake Standard Bank certificate update page]

Trend Micro detects the two downloaded files as TROJ_SMALL.MJZ and TROJ_AGENT.ARNU respectively. TROJ_SMALL.MJZ loads spyware detected as TSPY_PAPRAS.AR. TROJ_AGENT.ARNU downloads further malware, detected as Possible_Crypt, which behaves similarly and changes the system’s DNS settings.

The attackers’ domains are now blocked by the Trend Micro Smart Protection Network, which also detects the malicious executables on the desktop and provides removal.
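What both pages deliver is a Windows executable where a certificate is claimed. A real X.509 certificate is either PEM text (a BEGIN CERTIFICATE block wrapping base64) or DER, an ASN.1 SEQUENCE whose first three elements are the tbsCertificate SEQUENCE, the signature-algorithm SEQUENCE and a BIT STRING. The Python below is an added example, not code from the Trend Micro post: it classifies a download by what its bytes actually are, so a gateway or helpdesk tool can refuse to treat a PE file as a “certificate update” no matter what the page or the file name says. It checks shape only and does not validate a certificate; the inputs are constructed (a minimal DOS/PE header stub and a minimal DER skeleton), not the real TROJ_SMALL.MJZ or TROJ_AGENT.ARNU samples.

```python
import base64
import re
import struct

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, pos, pos + length


def looks_like_x509_der(buf):
    """Shape check only: SEQUENCE { SEQUENCE tbsCertificate, SEQUENCE sigAlg, BIT STRING sig }.
    This is not validation; the TLS stack does that against trust roots."""
    try:
        tag, pos, end = _read_tlv(buf, 0)
        if tag != 0x30 or end != len(buf):
            return False
        for want in (0x30, 0x30, 0x03):
            tag, _, pos = _read_tlv(buf, pos)
            if tag != want:
                return False
        return pos == end
    except ValueError:
        return False


def classify(data):
    """Say what the bytes really are, regardless of file name or the page's claim."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(m.group(1))  # non-alphabet bytes (newlines) are dropped
        except ValueError:
            return "unknown"
        return "x509-pem" if looks_like_x509_der(der) else "pem-not-x509"
    if looks_like_x509_der(data):
        return "x509-der"
    return "unknown"


def safe_to_treat_as_certificate(data):
    return classify(data) in ("x509-pem", "x509-der")


def fake_certificate_update_exe():
    """Constructed: a DOS header whose e_lfanew points at a PE signature, i.e. the
    kind of file these pages serve as a 'certificate update'. Not a real sample."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # PE header immediately after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def sample_der():
    """Constructed: the smallest byte string with X.509's outer shape (not a valid cert)."""
    tbs = b"\x30\x03\x02\x01\x01"  # SEQUENCE { INTEGER 1 }
    sig_alg = b"\x30\x00"          # empty SEQUENCE
    sig = b"\x03\x01\x00"          # BIT STRING, 0 unused bits, no payload
    body = tbs + sig_alg + sig
    return b"\x30" + bytes([len(body)]) + body


def sample_pem():
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(sample_der()) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, blob in [("certificate update .exe", fake_certificate_update_exe()),
                        ("DER file", sample_der()), ("PEM file", sample_pem())]:
        print(f"{label}: {classify(blob)} (accept: {safe_to_treat_as_certificate(blob)})")
```

Even a file that passes this check should not be installed because a bank’s web page asked for it: the browser obtains the bank’s certificate during the TLS handshake and verifies it against its trust roots, so a legitimate online-banking site never needs the customer to download one.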


How to Remove Vundo Variant, NewJuan, WinFixer, Virtumonde

Posted by admin on June 26, 2008
PUP, Trojan / No Comments

Lots of people have been infected by the Vundo family of Trojans, which produce popups that usually advertise rogue antispyware programs. Users are typically targeted with false positives and fake infection warnings; one example is a popup alerting the user that they are infected with the Blackworm virus.

Nowadays, Vundo variant, NewJuan/VM, Virtumonde and WinFixer are all the same scam described above.

Symptoms from a HijackThis log:

Below is an example of a Vundo infection, though there are many different random filenames.

O2 - BHO: (no name) - {AB6BFAD6-3AAC-46E9-98E6-BD56DE7ED97c} - C:\WINDOWS\system32\wluaivlv.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\ssqpmkk.dll
O2 - BHO: (no name) - {EF9A7BD4-4B5D-4481-9A58-06B5030B4B56} - C:\WINDOWS\system32\vtsqp.dll

O20 - Winlogon Notify: ssqpmkk - C:\WINDOWS\SYSTEM32\ssqpmkk.dll
O20 - Winlogon Notify: vtsqp - C:\WINDOWS\system32\vtsqp.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll

More random DLL file names caused by Vundo variants / Virtumonde:
jkkjj.dll
vtsqp.dll
ssqpq.dll
Virtumonde.dll
AWVVU.DLL
DDCCC.DLL
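The log lines above are the signature worth automating: BHOs registered with no name, DLLs with short random lowercase names in system32, and the same DLL also hooked as a Winlogon Notify package so it loads before the desktop does. The Python below is an added example and not part of this post. It parses O2 and O20 lines, scores each DLL on those three signals and reports anything scoring two or more. The sample log is constructed from the lines in this post plus two benign entries for contrast; the “Example Helper” name and its CLSID are placeholders, and the randomness test and threshold are my own heuristics.

```python
import re
from collections import defaultdict

# Constructed sample: the O2/O20 lines from this post plus two benign entries for contrast
# (the "Example Helper" name and CLSID are placeholders, not a real component).
SAMPLE_LOG = r"""
O2 - BHO: Example Helper (constructed) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\examplehelper.dll
O2 - BHO: (no name) - {AB6BFAD6-3AAC-46E9-98E6-BD56DE7ED97c} - C:\WINDOWS\system32\wluaivlv.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\ssqpmkk.dll
O2 - BHO: (no name) - {EF9A7BD4-4B5D-4481-9A58-06B5030B4B56} - C:\WINDOWS\system32\vtsqp.dll
O20 - Winlogon Notify: ssqpmkk - C:\WINDOWS\SYSTEM32\ssqpmkk.dll
O20 - Winlogon Notify: vtsqp - C:\WINDOWS\system32\vtsqp.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
VOWELS = set("aeiou")


def basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(stem):
    """Heuristic for Vundo-style generated names: 5-8 lowercase letters with
    few vowels or a run of three or more consonants. Triage only."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowels = sum(c in VOWELS for c in stem)
    run = longest = 0
    for c in stem:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels / len(stem) < 0.25 or longest >= 3


def triage_hijackthis(log_text, threshold=2):
    """Score each DLL on three Vundo signals; return those at or above threshold."""
    signals = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            dll = basename(m.group("path"))
            if m.group("name").strip() == "(no name)":
                signals[dll].add("BHO registered with no name")
            if looks_random(dll.rsplit(".", 1)[0]):
                signals[dll].add("random-looking DLL name")
            continue
        m = O20_RE.match(line)
        if m:
            dll = basename(m.group("path"))
            signals[dll].add("loaded via Winlogon Notify")
            if looks_random(dll.rsplit(".", 1)[0]):
                signals[dll].add("random-looking DLL name")
    return {dll: sorted(why) for dll, why in signals.items() if len(why) >= threshold}


if __name__ == "__main__":
    for dll, why in sorted(triage_hijackthis(SAMPLE_LOG).items()):
        print(f"{dll}: {', '.join(why)}")
```

The name test on its own will flag some legitimate short system DLL names, which is why a single signal is not enough to report; even at two or more, confirm with a file-signature check before deleting anything, since a Winlogon Notify DLL that is removed while still registered can leave the machine unable to log on.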

How to remove these Vundo variants, Virtumonde and NewJuan?

An easy way is to use specialised tools such as VundoFix or VirtumundoBeGone.

Simply download one, scan for Vundo, then remove the Vundo variant.

If the infection is still present and you can’t remove the Vundo variant, it may be that you have a new variant that the tools cannot yet remove, or a stubborn infection.

Now let me help you remove the Vundo variant manually!

1.download SREng:
http://www.kztechs.com/sreng/sreng2.zip

2.Extract it to the Desktop
Double click SREng.exe to run it

3. Select: Smart Scan
Then, click the [Scan] button
When finished, click on the [Save Reports] button

4. Save the log to the Desktop, and send me an email with the log as an attachment: egomoo#gmail.com

I would be glad to help you remove it.
