Adware.SearchEssistant |
Adware.SearchEssistant is a toolbar which hijacks the browser and monitors searches in the address field. It displays the result based on this search, to give the user options to visit similar sites. Adware.SearchEssistant contains no EULA or privacy policy and is installed on all user accounts. The user has to remove the toolbar manually because the application does not have an uninstaller. |
Adware.SogouToolbar |
Adware.SogouToolbar is an adware program that installs a toolbar and modifies the Internet Explorer home page. The searches made via the toolbar search function are stored in a file within the programs folder in Program Files. This adware runs a process p2psvr.exe, Sogou PXP Streaming Service, in the background and keeps a TCP port open even when Internet Explorer is not running. Adware.SogouToolbar installs on all user accounts.
|
Adware.Tagasaurus |
Adware.Tagasaurus is an application where the user can search using the most popular search engines. It also drops unwanted files on the system and does not display any EULA or privacy policy. A process operates in stealth all the time and starts up automatically after restarting the computer.
|
AntiSpywareShield |
AntiSpywareShield is rogue anti-spyware and a clone of SpyShredder; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
AntiSpyStorm |
AntiSpyStorm is rogue anti-spyware and a clone of SpyAway; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
AntiVirGear |
AntiVirGear is rogue anti-spyware and a clone of SpyDawn; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
BearShareMediabar |
BearShareMediabar is a simple search bar which displays neither EULA nor privacy policy during the installation phase. It also automatically installs itself on all user accounts.
|
Construction.MyWorm |
Construction.MyWorm is a program where the user is able to create worms and then spread them via the Internet.
|
ContrWare |
ContrWare is rogue anti-spyware that tricks the user into buying the commercial version. ContrWare's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes sometimes installed by Trojans that scare / trick the user into clicking yes.
|
CryptDrive |
CryptDrive is a rogue application that tricks the user into buying the commercial version. CryptDrive's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare / trick the user into clicking yes.
|
ErrClean |
ErrClean is rogue anti-spyware and a clone of ProtectingTool; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
Hacktool.MSNDecripter |
Hacktool.MSNDecripter is a program that will decrypt a stored MSN Messenger password. |
MyCleanerPC |
MyCleanerPC is a rogue anti-spyware application. It may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
OSBodyguard |
OSBodyguard is a rogue anti-spyware that tricks the user into buying the commercial version. OSBodyguard's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare / trick the user into clicking yes.
|
PCCleaner2007 |
PCCleaner2007 is rogue anti-spyware and a clone of DriveCleaner; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
PCPrivacyTool |
PCPrivacyTool is rogue anti-spyware that tricks the user into buying the commercial version. PCPrivacyTool's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare / trick the user into clicking yes.
|
ProtectingTool |
ProtectingTool is rogue anti-spyware that tricks the user into buying the commercial version. ProtectingTool's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare / trick the user into clicking yes.
|
SecurePCCleaner |
SecurePCCleaner is rogue anti-spyware and a clone of PCPrivacyTool; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
SpyHazard |
SpyHazard is rogue anti-spyware and a clone of SpyLocked; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
SpywareBot |
SpywareBot is rogue anti-spyware; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
SpywareSecure |
SpywareSecure is rogue anti-spyware that tricks the user into buying the commercial version. SpywareSecure's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare / trick the user into clicking yes.
|
Toolbar.BZ |
Toolbar.BZ is a toolbar where the user has the option to search and zoom in the browser. Trojans may be dropped in the Toolbar.BZ folder in Program Files. It contains no EULA or privacy policy and is installed on all user accounts, giving the user no clue to its functionality.
|
VirusLocker |
VirusLocker is rogue anti-spyware and a clone of VirusProtectPro; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
WinXDefender |
WinXDefender is rogue anti-spyware; it may give exaggerated threat reports on the compromised computer, and then ask the user to purchase a registered version to remove those reported threats.
|
Win32.Backdoor.Codbot |
Win32.Backdoor.Codbot opens up a backdoor on the infected system that allows remote access to the infected computer.
|
Win32.Hoax.Renos |
Win32.Hoax.Renos is an application that may show fake security warnings. This application may also trick a user into downloading rogue anti-spyware applications or download this kind of software automatically in the background.
|
Win32.TrojanDownloader.Bagle |
Win32.TrojanDownloader.Bagle is the download element from the Bagle worm family. It downloads files and executes them on the victim's PC.
|
Win32.Trojan.Morphine |
Win32.Trojan.Morphine may install a Browser Helper Object in stealth. The installed DLL compromises system security by hooking into Internet Explorer and running whenever iexplore.exe is active. Win32.Trojan.Morphine can also install other malware that can spy on the affected system user. This malware is packed with the Morphine packer.
|
Win32.TrojanProxy.Bobax |
Win32.TrojanProxy.Bobax opens up the infected machine to be used as a proxy server.
|
Win32.TrojanProxy.Jaber |
Win32.TrojanProxy.Jaber puts itself between Winsock and the IP stack to manipulate the traffic. It drops an LSP file in the system folder which makes it possible to take control of incoming and outgoing traffic. The purpose is to spam other users with e-mails.
|
Win32.Virus.Detnat |
Win32.Virus.Detnat is a worm/virus that spreads through shared network folders. It will infect executable files. If infected, you will need an anti-virus program to clear the infection.
|
Win32.Virus.Elkern |
Win32.Virus.Elkern is a virus that will infect executable files on the disk. It is known to be dropped by Win32.Worm.Klez. If infected, you will need to run an anti-virus program to clear the infection.
|
Win32.Virus.Jeefo |
Win32.Virus.Jeefo will try to infect executable files on the drive. If infected, you will need to run an anti-virus program to clear the infection.
|
Win32.Virus.Kriz |
Win32.Virus.Kriz is a virus that infects selected executable files. If infected, you will need to run an anti-virus program to clear the infection.
|
Win32.Virus.Magistr |
Win32.Virus.Magistr is a virus that will infect executable files on the disk. It will try to spread itself by copying itself to shared folders on the network and as e-mail attachments. If infected, you will need to run an anti-virus program to clear the infection.
|
Win32.Virus.Nimda |
Win32.Virus.Nimda is a virus/worm that spreads through shared folders on the network and as an e-mail attachment. It will also harvest the infected machine for new addresses. Once it reaches a new system it will try to infect all .EXE and HTML files on that system.
|
Win32.Virus.Parite |
Win32.Virus.Parite is a polymorphic and memory resident virus. This virus propagates by infecting .EXE and .SCR files. It can also spread via network shares and mapped network drives.
|
Win32.Virus.Runonce |
Win32.Virus.Runonce is a virus/worm that spreads as an e-mail attachment. It will infect .EXE and HTML files. If infected, you will need to run an anti-virus program to clear the infection.
|
Win32.Virus.Tenga |
Win32.Virus.Tenga is a virus that will infect all executable files on the drive. It will then try to download and install a Trojan on the infected system.
|
Win32.Virus.Valla |
Win32.Virus.Valla is a virus that infects selected executable files. If infected, you will need to run an anti-virus program to clear the infection.
|
Win32.Virus.Virut |
Win32.Virus.Virut is a virus that infects executable files. It also opens a backdoor on the infected computer allowing a connection to a predefined server.
|
Win32.Worm.Allaple |
Win32.Worm.Allaple is a polymorphic worm that performs dictionary and Denial of Service attacks.
|
Win32.Worm.Autorun |
Win32.Worm.Autorun installs as a hidden service on the infected machine. This service is set to start automatically. The worm may attempt to propagate by copying itself to hard drives and other removable devices, such as flash or USB drives. The worm may also download and install additional malware and open a backdoor on the infected machine.
|
Win32.Worm.Bagz |
Win32.Worm.Bagz is a worm that spreads as an e-mail attachment. It will also harvest the infected machine for new addresses.
|
Win32.Worm.Banwarum |
Win32.Worm.Banwarum spreads through e-mail messages to addresses found in the compromised computer. The worm may also open a backdoor on the infected computer.
|
Win32.Worm.Blaster |
Win32.Worm.Blaster is a worm that uses a security vulnerability in DCOM Remote Procedure Call in unpatched Windows systems. When installed, the worm starts port-scanning to search for other vulnerable systems on the network.
|
Win32.Worm.Bofra |
Win32.Worm.Bofra is a worm that spreads through infected e-mails. It will also harvest the infected machine for new addresses. It may also try to open up an IRC backdoor on the infected system.
|
Win32.Worm.Brontok |
Win32.Worm.Brontok is a worm that tricks the user into executing the file by using a folder icon. The worm copies itself to several places on the system, and the new files run as processes in stealth. It also disables the command prompt, registry tools and task manager.
|
Win32.Worm.Bugbear |
Win32.Worm.Bugbear is a worm that spreads through e-mail and network shares. It may also open a backdoor or function as a keylogger on the infected computer.
|
Win32.Worm.Delf |
Win32.Worm.Delf is a worm and a file infector that spreads over network drives and shared folders. The infected computer may slow down due to the multiple network threads created.
|
Win32.Worm.Eyeveg |
Win32.Worm.Eyeveg is a worm that spreads through shared network folders and e-mail attachments. It will also harvest the infected machine for more e-mail addresses.
|
Win32.Worm.Feebs |
Win32.Worm.Feebs is a worm that spreads via e-mail to addresses that it finds on the infected system. This worm may use rootkit functionality to hide its presence on the affected computer.
|
Win32.Worm.Heck |
Win32.Worm.Heck is a worm that spreads as an e-mail attachment. It will also harvest the infected machine for new addresses.
|
Win32.Worm.Kipis |
Win32.Worm.Kipis is a worm that spreads as an e-mail attachment. It will also harvest the infected machine for new addresses.
|
Win32.Worm.Klez |
Win32.Worm.Klez is a worm that copies itself to the shared folders on the Network and uses the SMTP protocol to send outgoing messages.
|
Win32.Worm.Korgo |
Win32.Worm.Korgo strives to exploit the LSASS Buffer Vulnerability on unpatched Microsoft Windows systems. It listens to random ports and spreads with a random filename. The worm allows an attacker to take control of the infected system by acting as a remote access server.
|
Win32.Worm.LockSky |
Win32.Worm.LockSky copies itself to the System32 folder on the system and uses the SMTP protocol to send outgoing messages. It also drops a dll file which hooks itself into winlogon.exe.
|
Win32.Worm.LovGate |
Win32.Worm.LovGate is a self-replicating worm. It copies itself to several places on the system and uses the SMTP protocol to send outgoing messages. The new copies have RAR or ZIP format and are executed every time Windows restarts. It also tries to disable anti-virus applications from running.
|
Win32.Worm.Mabutu |
Win32.Worm.Mabutu is a mass mailing worm that spreads as an attachment in infected messages. A backdoor is part of the worm's payload.
|
Win32.Worm.Maslan |
Win32.Worm.Maslan will try to spread itself using e-mails. It will scan the infected machine for e-mail addresses. Win32.Worm.Maslan also opens up an IRC backdoor on the infected system.
|
Win32.Worm.Mimail |
Win32.Worm.Mimail is a worm that spreads itself through e-mail attachments. Once it infects a machine, it will harvest that machine for new addresses to spread to.
|
Win32.Worm.Minusi |
Win32.Worm.Minusi is a worm that spreads as an e-mail attachment. It will use e-mail addresses from Outlook. It will also try to terminate selected processes and stop them from running.
|
Win32.Worm.MoonLight |
Win32.Worm.MoonLight is a worm that tricks the user into executing the file by using a folder icon. The worm replicates itself to several places on the system and runs processes in stealth. It also targets the Image File Execution Options key in the registry, to run instead of legitimate applications.
|
Win32.Worm.Mytob |
Win32.Worm.Mytob is a worm that spreads by forwarding itself to all the e-mail addresses harvested from an infected computer. It also has the ability to open a backdoor on the compromised machine.
|
Win32.Worm.MyWife |
Win32.Worm.MyWife may appear as executable zip archives. The worm copies itself to several places on the system and uses the SMTP protocol to send outgoing messages. It also tries to disable anti-virus applications from running.
|
Win32.Worm.Netsky |
Win32.Worm.Netsky is a worm which spreads itself over a user's system. It may use a text file icon to mask itself as a harmless file. It uses the SMTP protocol to spread via the Internet.
|
Win32.Worm.Nugache |
Win32.Worm.Nugache is a worm that spreads as an e-mail attachment. It will also try to open up an IRC backdoor.
|
Win32.Worm.OpaServ |
Win32.Worm.OpaServ is a worm that copies itself across open network shares. It also tries to connect to opasoft.com, but this domain has shut down. The worm runs as a process in stealth and starts automatically during startup.
|
Win32.Worm.Plexus |
Win32.Worm.Plexus is a worm that spreads through file-sharing networks and through e-mail attachments. It is also known to exploit a Windows DCOM vulnerability.
|
Win32.Worm.Puce |
Win32.Worm.Puce is a worm that spreads through peer-to-peer file sharing networks.
|
Win32.Worm.Reatle |
Win32.Worm.Reatle is a self-replicating worm. It copies itself to several places on the system and uses the SMTP protocol to send outgoing messages. The worm may appear as a file with a Word icon to make it look harmless. It also disables registry tools and task manager to prevent the user from removing the infection manually.
|
Win32.Worm.Rontokbro |
Win32.Worm.Rontokbro is a worm that spreads as an e-mail attachment. It will also harvest the infected machine for new addresses.
|
Win32.Worm.Scano |
Win32.Worm.Scano is a worm that spreads as an e-mail attachment. It will also harvest the infected machine for new addresses.
|
Win32.Worm.SillyFDC |
Win32.Worm.SillyFDC is a worm that will try to copy itself to shared folders on the network and removable media. It may also try to download additional malware.
|
Win32.Worm.Sircam |
Win32.Worm.Sircam is a worm that uses the SMTP protocol to send outgoing messages. It is known to be spread as an e-mail attachment.
|
Win32.Worm.Skipi |
Win32.Worm.Skipi is a worm that spreads as a linked attachment in Skype. It will also modify the Hosts File. When opening the attachment, a bitmap picture of soap bubbles will be displayed.
|
Win32.Worm.Sobig |
Win32.Worm.Sobig is a worm that spreads through shared folders on the network and as an e-mail attachment.
|
Win32.Worm.Sohanad |
Win32.Worm.Sohanad is a worm that spreads through shared folders on the network and as an e-mail attachment. |
Win32.Worm.TellSky |
Win32.Worm.TellSky is a worm that tricks the user into executing the file by using a folder icon. The worm copies itself to the system32 folder and runs as a process in stealth. It also disables the command prompt, registry tools and task manager.
|
Win32.Worm.Traxg |
Win32.Worm.Traxg is a worm that tricks the user into executing the file by using a folder icon. It sends itself to e-mail addresses that the user has in his/her address book in Microsoft Outlook. The worm spreads itself to %windir% and hides file extensions to make the user believe it is a normal folder.
|
Win32.Worm.VB |
Win32.Worm.VB is a worm written in Visual Basic. It normally spreads through shared folders on the network or as an e-mail attachment.
|
Win32.Worm.Womble |
Win32.Worm.Womble is a self-replicating worm. It copies itself to several places on the system and uses the SMTP protocol to send outgoing messages.
|
Win32.Worm.Wukill |
Win32.Worm.Wukill is a worm that spreads through shared folders on the network and as an e-mail attachment. It will also harvest the infected machine for new addresses.
|
Win32.Worm.Yaha |
Win32.Worm.Yaha is a worm that spreads through shared folders on the network and as an e-mail attachment. It will also harvest the infected machine for new addresses. |
Win32.Worm.Zafi |
Win32.Worm.Zafi is a worm that spreads through shared folders on the network and as an e-mail attachment. It will also harvest the infected machine for new addresses.
|
Worm.OneShot AntiVirus |
Worm.OneShot AntiVirus is an application that makes users believe they have legitimate virus protection. After installation, DOS windows pop up all over the desktop and force Windows to restart. The application drops unwanted files and drastically limits the user's ability to use the system. OneShot AntiVirus blocks the start menu and disables task manager and registry tools.
|