Nasty Trojan causes Task Manager and Registry Editor to stop working

June 1, 2008 on 7:40 pm | In Information, Knowledge Base, Malware, On the Radar | No Comments

I received a call from a friend over the weekend asking for help to rid his neighbor’s computer of a nasty Trojan.  Apparently, he had been working on the problem for days and didn’t know what else he could do, so I took a look and it was indeed a nasty infection.  The computer had McAfee and Norton security products installed, but they apparently didn’t help prevent the infection, so we removed them and installed CounterSpy and F-Secure.

What happened was the Trojan hijacked the desktop and changed it to a bright red background with a warning stating that the computer was infected with a malicious program, and provided a link for the user to click to purchase a program that would clean the computer.  Obviously, this was not a legitimate link, so I copied the link location to Notepad and it pointed to hxxp://antispyspider.us/69.  DO NOT GO TO THIS LINK, IT IS VERY BAD!  Other things this infection did were to change the IP address and subnet mask, disable the Task Manager and Registry Editor, and cause Internet Explorer to launch every couple of minutes to connect to the malicious site.  There was also a service that was added to the computer, and it launched when Windows XP started.

The steps we used to try to defeat this nasty infection included:

- Ran “msconfig” to disable all programs from starting
- Disabled the “Service” that was installed
- Turned off the System Restore feature, since we didn’t want anything malicious to be included in a restore
- Installed and ran CounterSpy, which found many malicious files, registry entries, and cookies.  We removed everything successfully

But we could not kill the Trojan, so I googled “AntiSpySpider” and found a very good web page showing how to kill this critter. If you need the instructions, you can get them from:

http://www.bleepingcomputer.com/malware-removal/antispyspider

The fix includes running a program to restore the registry editor, as well as a file to restore the task manager.  The instructions do a great job showing the victim how to remove this threat, so if you are one of the unfortunate souls, try this fix.  Then if you get it removed, you might consider running CounterSpy and F-Secure Internet Security; both of these programs have been quite dependable protecting our computers, as well as people we know.
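For anyone who wants to see what “restoring” Task Manager and Registry Editor actually means, here is an added example (my own, not from the bleepingcomputer instructions or the blog post) that checks the Windows policy values rogue software like this sets to disable the two tools, and lists auto-start services whose binary lives outside the Windows directory, since this Trojan added a service that launched at boot. It assumes the standard policy key paths below and runs in read-only mode until the `-WhatIf` switch is removed.

```powershell
# Added example (not from the original post): report whether Task Manager and
# Registry Editor have been disabled through policy and, if so, show the fix.
# Assumes the standard policy keys; any non-zero value means "disabled".
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyNames = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyNames) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            Write-Warning "$key\$name = $value (tool disabled)"
            # Removing the value restores the tool. -WhatIf only previews the change;
            # drop it (running elevated for the HKLM key) to apply the fix.
            Remove-ItemProperty -Path $key -Name $name -WhatIf
        }
    }
}

# Auto-start services whose executable is not under the Windows directory are
# worth a closer look; legitimate ones exist, but a newly added one is suspect.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and
                   $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
    Select-Object Name, State, PathName |
    Format-Table -AutoSize
```

On a machine where the tools are still disabled, expect a warning line per policy value; a clean machine prints nothing for that part and only the service listing.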

The latest Security Alerts

December 2, 2007 on 6:59 pm | In On the Radar | No Comments

As Christmas approaches, everyone needs to be very cautious, especially when deciding to view eCards. F-Secure reported on their blog today that email inboxes are receiving eCards that appear to come from “123Greetings.com” but in fact point to a raw IP address (http://IP address) hosting an executable file that installs a backdoor on the unsuspecting victim’s computer after they land on the malicious site. You can read the story at:

http://www.f-secure.com/weblog/archives/00001327.html

UPDATE: F-Secure just released new information about another Christmas Card scam that will infect computers if the user clicks the link to download and install a malicious Flash player. You can read the story here:

http://www.f-secure.com/weblog/archives/00001330.html

Following up on the QuickTime vulnerability, the SANS Internet Storm Center has an updated list of malicious websites exploiting the vulnerability, and you can read it at:

http://isc.sans.org/diary.html?storyid=3713

Be vigilant and careful; it will only get worse as we approach year end.

Serious Apple QuickTime Vulnerability

November 26, 2007 on 3:05 pm | In On the Radar | No Comments

SearchSecurity.com reported that exploit code is now available to malicious individuals who wish to hijack vulnerable computers. The criminals must trick the end user into visiting a malicious web site or opening an infected QTL file for the attack to be successful. You can read the article here:

As the article states, until Apple releases a patch for this problem, everyone would be well advised to block outgoing traffic on TCP port 554 at their firewalls. Think twice before watching videos and visiting sites with which you are unfamiliar!

UPDATE: It appears there are many suggestions to work around this vulnerability until a patch is released, including blocking UDP ports 6970-6999.  You can read the details on the US-CERT site at: http://www.kb.cert.org/vuls/id/659761

Be very careful before you open .FLAC Audio Files!

November 21, 2007 on 12:53 pm | In On the Radar, Vulnerabilities | No Comments

US-CERT and eEye Digital Security have released a warning about a serious vulnerability with FLAC audio files that could result in remote code execution capable of installing Trojans and other malware!  The systems that are currently affected include:

  • America Online
  • Cog
  • dBpoweramp
  • FLAC
  • Foobar2000
  • jetAudio
  • PhatBox
  • Yahoo

You can read the US-CERT advisory at:

http://www.kb.cert.org/vuls/id/544656

The eEye Digital Security advisory can be found at:

http://research.eeye.com/html/advisories/published/AD20071115.html

According to eEye Digital Security, the estimated date for an update to patch the vulnerabilities is around December 26, 2007.

Be very careful before you decide to open any .FLAC files attached to an email!

Pop-up Ads may be infecting your computer!

November 15, 2007 on 9:27 pm | In On the Radar | No Comments

Eweek ran a security article on November 12 about DoubleClick and how they are ramping up efforts to combat malicious software that has infected many of their online advertisements.

Apparently, many DoubleClick ads found on popular and well-known websites like CNN and the Economist have been popping up informing the visitor that their computer is infected with viruses and that by downloading and installing the [rogue] security software, they would be able to remove the infections.

According to the article, the malicious ads were Trojans that would continuously pop up warnings until the end user paid for the bogus program.  You can read the article at:

http://www.eweek.com/article2/0%2C1895%2C2215635%2C00.asp

I have not experienced any such pop-ups, partly because I configured my browsers and security software to block pop-up advertising.  The other reason I may have avoided these malicious programs is that I filtered out “DoubleClick” on my router/firewall a couple of years ago; therefore, whenever I visit a page on any website with advertising served by DoubleClick, the ad is replaced with a message stating that the website was blocked by my firewall.

Anytime you come across advertisements or web sites you do not want anyone on your network to open, simply add the name of the site to your perimeter firewall’s web content filtering rules.  When you filter out unwanted sites, they simply will never open!

Cheers!

Critical Microsoft Update Scam

November 1, 2007 on 8:31 pm | In On the Radar | No Comments

Heads Up!  If you receive an email claiming to be a Critical Security Update for Microsoft Windows…DELETE IT IMMEDIATELY!  As F-Secure reported on their Weblog today, there is an attachment named “update.zip” and it is a malicious attachment with a Trojan Downloader packaged inside.  You can read the article at:

http://www.f-secure.com/weblog/archives/00001308.html

Anytime you need to check for a Microsoft security update, simply click the “Start” button and then click the “Windows Update” item on the “Start Menu”.  This will open the official Microsoft Windows Update site, where you can quickly check to see if you need any updates.

This applies to any other software you have installed.  Most programs have an update feature built in, whereby you click an update button or menu to check for updates.

Remember, you should not open unsolicited emails or attachments, and under no circumstances should you ever click on any link inside an unsolicited email!

Beware of the Dancing Skeleton

October 30, 2007 on 9:04 pm | In On the Radar | No Comments

Well, the cybercriminals are busy, busy, busy…according to the F-Secure Weblog from today, the latest Storm site, The Dancing Skeleton, is poised and ready to infect unpatched and unsuspecting victims with the latest threat, “Halloween.exe”.  Check out F-Secure’s blog at:

http://www.f-secure.com/weblog/archives/00001304.html

Recent history has shown us that cybercriminals launch new attacks during holidays, sporting events like the NFL season kickoff, and newsworthy events.  Just remember, don’t click links pointing to an IP address, and always be wary of other tricks.

Be safe and have a Happy Halloween!

Malicious PDF File Outbreak Today

October 26, 2007 on 12:17 pm | In Malware, On the Radar, Vulnerabilities | No Comments

There are a couple of things worth mentioning today. The malicious Psycho Kitty eCard is still circulating, because I received one today with the subject of:

Subject: You have yet to open your ecard.

The body of the email reads, “Someone sent you this Psycho Kitty card. It is Hilarious!” and of course, there is a link the criminals want you to click that points to an IP address.

The other notable news from today is about a PDF malware spam outbreak throughout the Internet.  My F-Secure anti-virus program has a nice little feature called “Security News”, and during high levels of malicious activity, a balloon will pop up by the system clock with a warning to the consumer.

Today, the balloon popped up with an F-Secure Level 2 Security Alert and it read,

Malicious PDF files being spammed out in volume. The files have “report” themed subjects and CVE-2007-5020 exploit that they use to download further components from the net.

As usual, F-Secure protects against this threat, but other anti-virus programs may not, so please be aware that malicious PDF files are currently being spammed and you need to be extra cautious before opening them.

Also, make sure you have the latest version of Adobe Acrobat and Acrobat Reader, because Adobe recently released security patches to address a critical vulnerability that, if exploited, could have given the attacker complete control of the infected system.

To learn more about the latest PDF Threat, visit the F-Secure advisory at:

http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml

Or the SANS advisory at:

http://www.f-secure.com/weblog/archives/00001303.html

Stay safe out there…cyberspace is a hostile place!

Subject: Football Fan Essentials

September 9, 2007 on 11:44 am | In Malware, On the Radar | No Comments

Lately, anytime something “newsworthy” crops up, the spammers and phishers jump all over the story, and as many people know, today is the NFL’s opening day.  Well, it didn’t take long for malicious e-mails to start surfacing; in fact, I received one this morning with the subject line of “Football Fan Essentials”.

In this particular e-mail, the bait is an “Online Game Tracker” and by clicking a link pointing to “http://IP address”, the victim is led to believe they will be able to follow the scores of the football games throughout the day.  However, the unsuspecting victim will most likely become infected with a variant of the Storm Worm.

As usual, when I saw this, I did my homework and checked out the SANS Internet Storm Center Diary for any late-breaking news about this latest threat and sure enough, they were on top of it.  Here is the story:

http://isc.sans.org/diary.html?storyid=3361

F-Secure also posted a warning on their Blog at: http://www.f-secure.com/weblog/

Anyone who reads security news blogs and articles understands that it is never a good idea to click on any link containing an IP address, and this link is no different.  Don’t take the bait…just delete the e-mail!

And the threats keep evolving…

September 7, 2007 on 1:29 am | In Knowledge Base, On the Radar | No Comments

SearchSecurity.com published a very good article by Noah Schiffman titled “Building malware defenses: From rootkits to bootkits”, and it is a warning to everyone that they need to lock down physical access to their computers because of the latest threat…bootkits.  The article can be found here:

Before I read this article, I thought rootkits were the most threatening form of compromise; but after reading this article, I think bootkits have just moved into first place.  Why?  Bootkits infect computers during the boot process, before the operating system loads, and this means that detection is virtually impossible.

The good news is that you can protect your computer against this type of infection by:

- Configure the BIOS to disable any boot devices other than the hard disk
- Use a strong, complex BIOS password, which would be required to successfully boot the computer
- Limit physical access to your computer AND the motherboard by locking the case to prevent access to the interior
- If you really wish to lock it down, you could disable the USB and FireWire ports in the BIOS; but that could really hinder your computer’s functionality.

Check the article out…you’ll be amazed at the damage a bootkit is capable of causing!
