Lavasoft News - November 2007

New Targets in Detection (October 2007)

Adware.Adssite	Adware.Adssite is adware that often comes bundled with other adware. It runs a process at all times and causes pop-ups even when the user is not surfing the Internet.
Adware.Rond	Adware.Rond is an adware application which is installed without the user's consent or knowledge. The application launches pop-up advertisements and can intrude on normal browsing activity by redirecting search queries.
Awola	Awola is rogue anti-spyware that tricks the user into buying the commercial version. Awola's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped-up from files and processes installed by Trojans that scare/trick the user into clicking yes.
FakeAlert AntispyStorm	FakeAlert AntispyStorm contains files that are dropped on the infected machine just to trigger hits in rogue applications. FakeAlert AntispyStorm will also give fake alarms about infections.
Hacktool.XpCracker	Hacktool.XpCracker is a tool that can be used to guess users’ login passwords on XP systems.
MalwareMonitor	MalwareMonitor is rogue anti-spyware and a clone of SpyShredder; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
MalWarrior	MalWarrior is rogue anti-spyware that tricks the user into buying the commercial version. MalWarrior's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped-up from files and processes installed by Trojans that scare/trick the user into clicking yes.
RaptorDefence	RaptorDefence is rogue anti-spyware that tricks the user into buying the commercial version. RaptorDefence's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped-up from files and processes installed by Trojans that scare/trick the user into clicking yes.
SafeStrip	SafeStrip is rogue anti-spyware that tricks the user into buying the commercial version. SafeStrips's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped-up from files and processes installed by Trojans that scare/trick the user into clicking yes.
SmartFixer	SmartFixer is a rogue anti-spyware application. It may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
Spy-Kill	Spy-Kill is a rogue anti-spyware application. It may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
SpywareLocker	SpywareLocker is rogue anti-spyware and a clone of MalwareStopper; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
SystemDefender	SystemDefender is rogue anti-spyware that tricks the user into buying the commercial version. SystemDefender's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped-up from files and processes installed by Trojans that scare/trick the user into clicking yes.
Trojan.BAT.KillFiles	Trojan.BAT.KillFiles may drop a trigger executable file in the system folder which will start with help of a number of bash scripts. The result is that Windows restarts automatically and the user’s desktop may be full of unwanted files. The malware applies this procedure every time the user logs in the OS.
VirusRanger	VirusRanger is rogue anti-spyware that tricks the user into buying the commercial version. VirusRanger's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped-up from files and processes installed by Trojans that scare/trick the user into clicking yes.
WebSpyShield	WebSpyShield is rogue anti-spyware that tricks the user into buying the commercial version. WebSpyShield's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped-up from files and processes installed by Trojans that scare/trick the user into clicking yes.
Win32.Adware.Rabio	Win32.Adware.Rabio installs without showing any EULA and runs in stealth. It also displays advertisements.
Win32.Backdoor.EggDrop	Win32.Backdoor.EggDrop copies itself to the system folder. The malware is running as a process in stealth, constantly trying to open TCP ports on the compromised computer.
Win32.Backdoor.Nepoe	Win32.Backdoor.Nepoe is an application that gives its author unauthorized access to your computer. It copies itself to the system32 directory and is running as a process in stealth, constantly trying to open up TCP ports.
Win32.BadJoke.DeleteWindows	Win32.BadJoke.DeleteWindows is an executable file which simulates the removal of the Windows directory.
Win32.Trojan.Bankpatch	Win32.Trojan.Bankpatch is a Trojan that can steal confidential information from an infected computer. Specific Windows DLL files, wininet.dll and kernel32.dll, may also be modified by this Trojan that runs as a hidden process on the infected machine.
Win32.Trojan.Conycspa	Win32.Trojan.Conycspa is a Trojan Horse program that opens several ports on the infected computer. Once installed it generates excessive network traffic. It may also download other malware and compromise system security.
Win32.Trojan.Tibs	Win32.Trojan.Tibs is a Trojan Horse program that runs in stealth and opens ports on the infected computer, leaving it open for a remote attacker. It compromises system security and may come with rootkit capabilities.
XPAntivirus	XPAntivirus is rogue anti-spyware that tricks the user into buying the commercial version. XPAntivirus's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped-up from files and processes installed by Trojans that scare/trick the user into clicking yes.

TAI - Threat Analysis Index
The Lavasoft Threat Analysis Index (TAI) system is based on a 10-point scale, with 1 representing the lowest threat and 10 representing the highest. The behavior of the program has more influence when assigning TAI points than the actual technical aspects of the malware. In other words, if the malware secretly attaches without the computer user's full understanding and approval, then it will automatically be given higher TAI points. A minimum TAI value of 3 is required before the malware is put into detection. Read more on the Lavasoft Security Center here.

Threat Analysis (TA) Index

Home

By the Numbers

78%
Percentage of consumer PCs in the U.S. that are not protected (defined as having up-to-date anti-virus, anti-spyware, and a correctly configured firewall)

93%
Percentage of PC users who believe they are protected

Source: National Cyber Security Alliance and McAfee Inc. study

Term of the Month
Rogue security software masquerades as a helpful security program, but uses malware or malicious tools to advertise or compel users to pay for the removal of non-existent spyware. Rogue software makers often use social engineering to trick consumers into buying their fraudulent anti-spyware or anti-virus products.

Source: wikipedia.org

Tech Tips
You have anti-spyware, anti-virus, and a firewall, so your computer must be secure, right? Wrong. Unless this software is enabled, updated, and properly configured, you are not protected from online threats. According to a recent industry survey, consumers overestimate PC safety – see our "By the Numbers" section for the stats. Make sure to maintain your security software; check that your security applications are both enabled and configured correctly. Keep in mind, the security software that was included with your PC when you purchased it may be a trial version that will expire if you fail to buy a subscription.

Privacy Toolbox Lands Editor's Choice

Lavasoft Privacy Toolbox was selected as an Editor’s Choice product by Military Embedded Systems magazine for its September/October 2007 issue.

Lavasoft AB
Lilla Bommen 1
411 04 Gothenburg
Sweden

www.lavasoft.com
editor@lavasoft.com