Friday, May 11, 2012

Malware Information - You must know

Your guide to Antivirus Software, common malware, security vulnerabilities that lead to infection, and other computer-related threats.

TDSS aka TDL: A Botnet Framework

New renditions of the TDSS / TDL bot have some saying it's virtually indestructible. Certainly TDSS / TDL does present some unique challenges, as seen in this overview.

System Fix (aka SystemFix)

Though classified as scareware, System Fix may also download and install the TDSS rootkit, leading to even further malware infections on affected computers.

MACDefender aka Mac Protector: Scareware for Mac

MACDefender is a scareware program designed to trick Mac users. Usually, MACDefender is delivered via the Web, often via tainted search engine results. While scareware has long plagued Windows users, it's a relatively new threat for Mac users.

Website Compromises at UNC Chapel Hill

Web pages across UNC Chapel Hill sites are compromised.

Blackhole Exploit Kit

The Blackhole exploit kit is a framework for delivering exploits via compromised or third-party websites. Most notable for its sophisticated Traffic Direction Script (TDS), the Blackhole exploit kit enables attackers to configure rules that enforce custom responses.

Bugs, Mice, and Antivirus

What you've learned from real life pest control can also be applied to antivirus software protection.

BlackHole RAT

BlackHole is a remote administration tool (RAT) that, used maliciously, can also serve as a remote access trojan. The BlackHole RAT can be used on either Mac OS X or Windows computers, and enables a remote attacker to perform potentially malicious actions on the victim's computer.

StarLogger Keylogger

StarLogger is commercial monitoring software that records keystrokes and captures screenshots. Captured data is sent via email to designated recipients. On March 30, 2011, it was reported that Samsung installed the StarLogger keylogger on laptops sold through retail stores.

Common Botnets

A botnet is a collection of compromised (infected) computers under the collective control of remote attackers. The malware on the infected computer is known as a bot, a type of backdoor or remote access trojan (RAT). Here is a collection of the most common botnets.

Asprox Botnet

The Asprox botnet was originally used primarily to deliver phishing scams. In 2008, the Asprox botnet began employing its bots to discover and exploit SQL injection flaws in vulnerable Active Server Pages (ASP) on weakly configured websites.

Gumblar Botnet

Gumblar, known in Japan as Geno, is a unique botnet - it not only creates a botnet of compromised PCs, it also backdoors compromised websites enabling continued remote access and manipulation.

Stuxnet, Winsta.exe, and Cover-ups

Stuxnet is - without dispute - the most important malware in history. It would be nice if for once the industry (including vendors and journalists) would put their self-interests on hold, would stop trying to save face, and would instead delve into the truth of Stuxnet so at least we have the real facts.

Koobface Botnet

Koobface spreads through social networking sites, most prevalently through Facebook. Generally, Koobface relies on social engineering in order to spread. The Koobface message is designed to trick recipients into clicking through to a fraudulent website and either (a) enter their Facebook (or other social networking) credentials or to accept the installation of malware disguised as a video codec o…

Zeus Botnet

Zeus, often spelled ZeuS, is a crimeware botnet typically engaged in data theft. Zeus is also often referred to as Zbot. Zeus is not a single botnet nor a single trojan, but rather refers to an entire family of trojans and their respective botnets.

Storm Botnet

The Storm bot is a backdoor component that allows remote surreptitious access to infected systems. The Storm-infected computers (collectively, the Storm botnet) are outfitted with a spam relay component (to send spam through infected computers) and a peer networking component (to enable the remote attackers to communicate with the bot infected computers).

Mariposa Botnet

Mariposa is Spanish for butterfly. In computer lingo, Mariposa is a botnet created by the Butterfly bot kit. Mariposa is typically spread via instant messaging, peer-to-peer file sharing networks and as an autorun worm.


Waledec, also spelled Waledac, is the name of a botnet used to relay malicious spam. The Waledec distributed spam often consists of fraudulent greeting cards and breaking news events.

CDC / H1N1 Vaccination Scam Infects Victims

Attackers are sending email disguised as correspondence from the Centers for Disease Control (CDC). The email claims an H1N1 vaccination registration is required. Those who comply with the request won't be registering with the CDC - instead they will be infecting their computer with a version of the Banker trojan.

Remove SecurityTool Scareware


Fear-Based Reporting: Have You Been a Victim?

Fear sells. Whether intentional or otherwise, this can sometimes work to the advantage of the media and the disadvantage of consumers. Have you ever been influenced by fear-based reporting, only to find out later that the reports were wrong?

Conficker: More Conflict than Worm

Barely a week after the 60 Minutes April Fools' Conficker doomsday update failed to materialize, the closely watched Conficker.C did finally manage an update. And in an ironic twist, the worm itself debunks much of the hype surrounding it.

PowerPoint Zero Day Vulnerability In-the-Wild

Microsoft has released Security Advisory 969136 warning of a newly discovered zero day PowerPoint vulnerability. The flaw impacts PowerPoint versions found in Windows versions of Office 2000, 2002, 2003, and Office 2004 for Mac.

60 Minutes, Conficker, and April's Fool

Is the Conficker worm set to detonate some evil payload on April 1st? According to 60 Minutes, it seems so. Here's the non-FUD behind the Conficker worm.

Downadup.AL aka Conficker.B Worm

Downadup.AL aka Conficker.B is a network worm that spreads via autorun, dictionary attacks on weakly protected network shares, and by exploiting the vulnerabilities described in MS08-067. The worm disables services related to automatic updates, error reporting, the Windows Security Center service, and the Windows Defender service. To prevent access to protection and removal tools, the worm also b…

Autorun Worms: How to Remove Autorun Malware

Autorun worms spread from USB/thumb drives as well as fixed and mapped drives. Autorun worms typically drop or download additional malware, usually backdoors and password stealers. Here's how to remove an autorun worm.

Sality Virus

Sality is a family of file infecting viruses that spread by infecting exe and scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web.

Winthb 'Virus' Tied to Backdoor Trojans

A family of backdoor and autorun trojans are working together to plague users. One symptom that may appear - the drive volume name and icon may be changed. The more insidious aspects of the infection are far more silent and may be overlooked when users attempt manual removal.

A Storm of Scary Email

In recent weeks, a rash of spam has been sent that bears much resemblance to the all-too-familiar tactics of the Storm botnet.

Most Damaging Malware

All malware is bad, but some types of malware do more damage than others. That damage can range from loss of files or total loss of security. This list (in no particular order) provides an overview of the most damaging types of malware.

Easily Remove the MonaRonaDona 'Virus'

The MonaRonaDona 'virus' is a self-advertised 'virus' that isn't even a virus at all. It's a non-replicating program (i.e., a Trojan) that loads when Windows is started, changing the Internet Explorer title bar to read MonaRonaDona and displaying a message which blocks access to your legitimate running programs.

What is JS/Psyme (and How to Get Rid of It)

Many users have experienced repeated warnings of infection by Psyme each time they open their browser. Depending on the antivirus in use, the name given in the warning may be any of the following: Downloader.Psyme (Symantec), Troj/Psyme (Sophos), Trojan.VBS.KillAV (Kaspersky), TrojanDownloader.VBS.Psyme (CA), Trojan.Downloader.JS.Psyme (Kaspersky), VBS/Petch.A (F-Prot), VBS/Psyme (McAfee).

What is the Storm Worm?

The so-called Storm worm is actually not a worm, but rather a family of Trojans that typically include a backdoor, SMTP relay, P2P communications, email harvester, downloader, and often a rootkit.

U.Z.A. O/S Eliminator Worm

The so-called "U.Z.A. O/S Eliminator" worm appears to have originated in Maldives sometime in late July or early August 2007. The worm exploits the autorun feature, enabling it to spread from removable USB/thumb drives to other computers.

Freedom / Outlaw Worm

The Freedom 'virus' is a worm that infects local and USB drives, disables access to Task Manager, Registry Editor and other system utilities, and may try to delete MP3 files found on infected systems. Here's how to clean it.

Trojan.MeSpam Makes You the Spammer

Instead of relying on bots to do the dirty work, Trojan.MeSpam makes you the culprit. Once infected, every forum post you make, every webmail you send, and every blog comment you leave will also deposit a link pointing to a nefarious website.

Rinbot Worm Prompts Repeated Denials

Is Rinbot the little worm that isn't? Or is it simply the worm that no one wants to acknowledge exists? Here's a timeline of this "non-threat".

Storm Worm

The Storm worm spreads via email, using a variety of subject lines and message text that may masquerade as news articles or other current events.

Skype Chatosky Worm: Friend or Foe?

Thanks to the Chatosky worm, I uncovered some things about the Skype service that I might not otherwise have known.

Qspace Javascript Worm Targets MySpace Users

MySpace users are yet again a victim of another targeted attack. Dubbed JS_QSPACE.A by antivirus vendor Trend Micro and JS.Qspace by Symantec, the Javascript worm exploits a cross-site scripting (XSS) vulnerability embedded in a malicious Quicktime .MOV file.

Rontokbro aka Brontok Worm

A mass-mailing email worm that also spreads via USB and thumb drives, the Rontokbro worm - also known as Brontok - takes a multifaceted approach to defy detection and removal.

Stration Email Worm

Stration is a mass-mailing email worm that attempts to download a file from a remote server. The worm may inject itself into certain running processes, potentially causing it to bypass firewalls or other security software.

Stration Worm

Stration is a mass-mailing email worm that may attempt to download files from a remote server.


There's a lot of misinformation being disseminated around the recently discovered VML vulnerability. Here's an attempt to address those misconceptions and alleviate some of the fears.

Zero-Day VML Vulnerability Impacts IE, Windows

A zero-day vulnerability in the Windows implementation of Vector Markup Language (VML) impacts all supported versions of Internet Explorer, all supported versions of Microsoft Windows 2003, Windows XP, and Windows 2000, and recent versions of Outlook and Outlook Express.

Are You in a Botnet?

With 12 million infected systems under their control, botnet operators are controlling a population roughly the size of Guatemala. In fact, the number of infected systems would place it at about 70 out of 230 sovereign states and territories worldwide.

Popular Antivirus Apps *Do* Work

The more a story gets told, the more the original story gets changed by each new storyteller. Sometimes, the story gets so far removed from the original, that the entire intent of the story is lost and new intent construed. Such is the case with the story of antivirus effectiveness, which was recently put through the spin cycle, wrung out, and reformed by Charlie White, editor of the Gizmodo gadget blog.

McAfee Downplays Security Flaws

Vulnerability researchers at eEye Digital uncovered serious flaws in McAfee security products that could allow attackers to gain remote control of affected systems.

Yahoo worm: JS/Yamanner

An early-morning report on a security mailing list led to the discovery of Yamanner, a mass-mailing email worm that impacted Yahoo webmail users.

Gamblers Lose Big with Free Tool

Every successful gambler knows how to handle a certain amount of risk, and how to minimize their losses. But a free tool that promised to help gamblers get the most out of the game turned out to be a Trojan that scammed them out of their winnings.

Hoot Worm Preys on Company

It seems a disgruntled employee targeted their enterprise with a worm that causes pictures of a rather odd looking owl to print on nearly 40 printers specific to the targeted firm.

Nugache Worm

Nugache is a worm that may spread via email, IM, or P2P networks.

Ransomware: Trojans demand money from victims

Having your computer infected with a virus or other malicious software is upsetting enough. But over the past year, a new type of attack promises to be even more disconcerting. Dubbed ransomware, this new attack infects the system, encrypts the files, and then demands payment from its victims.

QuickBatch Trojan Targets the Blind

There is no such thing as a good virus, but some viruses are more despicable than others. Case in point, the newly discovered W32/QuickBatch.G!tr Trojan that specifically targets members of the blind community.

Bagle worm variant warns: 'Lawsuit Against You'

Bagle worm variant that spreads via email and fileshares/P2P networks warns of 'Lawsuit Against You'

Nyxem aka Blackmal worm

Discovered on January 17, 2006, the Nyxem worm has a dangerous payload that executes on the 3rd of each month, overwriting files with specific extensions.

2005: Top Ten Malware Events

Here's the best and worst of 2005 from a malware perspective.

2003: Year of the Black Sheep

It seems appropriate that the Chinese dubbed 2003 as the Year of the Black Sheep. Among other things, the sheep is a symbol of untidiness - and from a virus standpoint, the year was indeed a mess.

2002: Virus Writers Contribute to SPAM

The year 2002 ushered in a new era of malicious marketing code

2001: Year of the Virus

Detecting email-borne viruses every 18 seconds, MessageLabs calls 2001 The Year of the Virus

WMF Image Handling Exploit

A serious vulnerability in Windows Fax and Picture Viewer can allow remote attackers to use .WMF image files to gain control of your system.

Sober.X Worm Description

Sober.X is a mass-mailing email worm that sends itself in either English or German depending on the recipient's domain. In addition to mass-mailing, Sober.X terminates processes related to various antivirus and security programs.

Sober.U Worm

Sober.U arrives in an email message that may be in either German or English language, depending on the recipient's domain.

Sober.T Worm

Sober.T arrives in an email message that may be in either German or English language, depending on the recipient's domain.

Sober.S Worm

Sober.S arrives in an email message that may be in either German or English language, depending on the recipient's domain.

Sober.R Worm

Sober.R arrives in an email message that may be in either German or English language, depending on the recipient's domain.

Sony Stinx Trojan

The Sony Stinx Trojan exploits the Sony DRM cloaking technology (aka rootkit) installed by music CDs published by Sony after March 2005. This allows the malware to be hidden from view - effectively masking its presence even from most antivirus scanners. The Sony Stinx Trojan installs an IRC Backdoor Trojan that allows remote access to compromised PCs, downloads other malware, and disables the Windows XP firewall.

Slapper worm gets facelift: Linux Lupper worm, aka Plupi and Lupii

The Linux Slapper worm has been given a facelift and this time BBS admins and web bloggers are the target. The new worm has been given a half dozen new names, including Linux/Lupper, Linux.Plupi, Backdoor.Linux.Smal, ELF_LUPPER.A and Exploit.Linux.Lupii.

Sony President Defends Rootkit

The President of Sony BMG's Global Digital Business, Thomas Hesse, defends Sony's installation of a rootkit by declaring, "Most people, I think, don't even know what a Rootkit is, so why should they care about it?"

Sony Rootkit Strikes Sour Note

If you've purchased a Sony-labeled music CD since March 2005 and used it on your PC, chances are it installed a rootkit that can be easily exploited by virus writers.

Alleged Botnet Creators Arrested

Dutch police have announced the arrests of the alleged author of W32.Toxbot and two alleged accomplices.

First Sony PSP Trojan

PSP.Brick impacts the Sony PSP game console, flashing critical system files and rendering the console unbootable. The newly discovered PSP.Brick isn't technically a virus - it's a Trojan. But the news surrounding PSP.Brick could be described as a polymorphic virus - it spreads fast and the story changes with each reporter it infects.

IM Worms Pose Significant Threat

Since January 1, 2005, at least 358 descriptions have been published for specific IM threats.

Kelvir Instant Messenger (IM) worm

The most prevalent IM worm is the Kelvir family of worms that target MSN Messenger users.

Agent.AD Trojan nabs headlines from London attacks

Just hours after BBC published a news report titled "London attackers 'meant to kill'", the Agent.AD Trojan email stole the headline and part of the copy, using it as a ruse to entice victims into opening its infected attachment.

AIM worm impersonates iTunes app

IM worms continue to expand their repertoire of social engineering tricks. W32/Olameg-net, a.k.a. Opanki.Y and AIM/Megalo, installs itself to the Windows System directory as itunes.exe, presumably trying to disguise itself as the popular Apple iTunes application.

Michael Jackson suicide spam a Trojan

Malware authors eager to capitalize on the Michael Jackson trial have been sending booby-trapped spam messages claiming the pop-singer has attempted suicide.

Mytob.BI worm

Discovered May 31, 2005, Mytob.BI is a mass-mailing email worm that compromises system security by terminating processes related to various antivirus software, disabling the XP SP2 firewall, and modifying the HOSTS file to prevent access to antivirus updates and certain other websites.


Discovered May 30, 2005, Mytob.AR is a mass-mailing email worm that compromises system security by terminating processes related to various antivirus software, disabling the XP SP2 firewall, and modifying the HOSTS file to prevent access to antivirus updates and certain other websites.

Prevent the Mytob worm

The Mytob variants are mass-mailing email worms that compromise system security by terminating processes related to various antivirus software and modifying the Registry to disable the XP SP2 firewall.

Sober.P turns to spam

The Sober.P worm has morphed into a spam Trojan, sending politically-charged messages from infected systems.

Sober hangover begins

The Sober.P worm abruptly stopped its mass-mailing at midnight GMT on May 9th, presumably entering its second stage of infection.

Firefox flaws rated extremely critical

Firefox flaws rated extremely critical

Sober.P worm threatens

Discovered May 2, 2005, Sober.P (also known as Sober.O) is a mass-mailing email worm that sends itself in either German or English language, depending on the intended recipient's domain.

Crog IM worm

The Crog worm edits the system registry to lower security settings, modifies the HOSTS file to redirect access to various security sites and shuts down processes associated with various security software.

Kelvir IM worms

Three new IM worms, Kelvir.A, Kelvir.B, and Kelvir.C were discovered by antivirus vendors on March 6th and 7th, 2005.

Bagle.BE worm

Discovered on March 1, 2005 in conjunction with several mass-spammed Bagle-like Trojans, Bagle.BE arrives in an email with a blank subject line.


Troj/BagleDl-L is a Trojan, not a worm, and does not contain mass-mailing capabilities. However, Troj/BagleDl-L was mass-spammed via email during the morning of March 1st, 2005.

Bagle.AZ worm

Like Bagle.AY, Bagle.AZ is a mass-mailing email and P2P filesharing worm with downloader capabilities.

Bagle.AY worm

Bagle.AY is a mass-mailing email and P2P filesharing worm with backdoor and downloader capabilities. As with previous variants and most modern email worms, the worm uses its own SMTP engine to spread via email and the From address is spoofed.

MyDoom.AM hijacks HOSTS

MyDoom.AM is a mass-mailing email and P2P filesharing worm that modifies the HOSTS file to prevent infected users from accessing certain antivirus vendor sites.

Lovgate.W worm

A mass-mailing email and filesharing worm, Lovgate.W also contains backdoor capabilities.

A stocking full of coal: Multiple flaws in Windows could lead to compromise

Ever wonder what Bill Gates gets for Christmas? This year, the Chinese security firm VenusTech delivered three new Windows exploits just in time for the holidays.

Zafi.D worm spreads Christmas fear

A new variant of the Zafi worm, dubbed Zafi.D, sends itself as a Christmas greeting - in a variety of languages depending on the recipient's domain.

MakeLOVEnotSPAM mask worn by Trojan

Dubbed TrojanDropper.FakeSpamFighter and Troj/Mdrop-IT, the Trojan masquerades as the infamous Lycos MakeLOVEnotSPAM screensaver.

Sober.I worm

Sober.I is a mass-mailing email worm that sends itself in both German and English, depending on the infected users' operating system language. Sober.I uses its own SMTP engine to send itself to email addresses found on infected systems, spoofing the From address.

Bofra.A worm exploits SHDOCVW.DLL flaw

Klez Help Center

The Klez virus uses a variety of techniques to fool and aggravate users.

Homepage Virus

Also known as Homepage, this e-mail worm was discovered in the wild on May 8th, 2001.

IRCsome McVeigh Video a RAT

Alleged movie of Timothy McVeigh execution really the Subseven remote access Trojan.

Sobig.E worm

The Sobig.E worm spreads via email. The Sobig.E worm attachment is a ZIP file.

Virus Encyclopedia

From your guide, an encyclopedia of virus and hoax descriptions. Includes PC, Macintosh, Unix, Active Content, and Wireless infectors.

AntiVirus Research Center

Timely and searchable information concerning viruses currently in-the-wild and even those that are not.

AVP's VirusList

So comprehensive, it might be somewhat difficult to navigate. Well worth the effort, AVP delivers the definitive virus encyclopedia.

Hoaxes and Myths

Though not viruses, hoaxes and myths can still cause downtime and loss of productivity due to unwarranted panic. Rob Rosenberger maintains a plethora of information concerning these non-threatening threats.

Computer Virus Info

From F-Secure, an alphabetized database of virus descriptions. Search by exact name or keyword.

Panda Virus Descriptions

From the makers of Panda Antivirus, an encyclopedia searchable by name, category or family. The database is prefaced by an introduction to computer viruses and a handy glossary of terms.

The WildList

Compiled from various reporting agencies and individuals. Listing all viruses actually causing active infections worldwide, the wildlist is updated monthly.

Virus Analyses

One very long list of just some of the viruses detected by Sophos.

Virus Information Library

The McAfee AVERT Virus Information Library includes detailed information on viruses as well as popular hoaxes and myths.

WildList Virus Descriptions

F-Secure simplifies the WildList by linking descriptions to the names of the viruses reported to be in the wild. Updated monthly.


Bredolab is a downloader trojan that is used by attackers to distribute a wide range of malware, often scareware but also including variants of Zeus/Zbot backdoor trojans.

Stuxnet Worm

Stuxnet is a computer worm that targets the types of industrial control systems (ICS) commonly used in infrastructure facilities (e.g., power plants, water treatment facilities, gas lines, etc.).

How does the Stuxnet worm spread?

Stuxnet is a computer worm that targets the types of industrial control systems (ICS) commonly used in infrastructure facilities (e.g., power plants, water treatment facilities, gas lines, etc.). Often, these devices are not network or Internet connected. So how does Stuxnet get to these devices?

Is Stuxnet Really Targeting Iran?

There has been no shortage of claims that Iran was the intended target of the Stuxnet worm. But the reality is, these claims are completely unfounded. Here are a few of the true facts behind Stuxnet.

Stuxnet: The Unglamorous Truths About the Stuxnet Worm

The Stuxnet worm targets industrial control systems - the types of systems that control nuclear power plants, water treatment facilities, and other critical infrastructure. The serious nature of the Stuxnet worm has led to no end of speculation, finger-pointing, and ultimately to confusion about what exactly the Stuxnet worm is all about.
