News Archive November-December 2005
31-12 A Happy New Year to all of you already in the year 2006, and best wishes to all of those still in 2005, like myself. Some more news about the tracking cookies mentioned on 29-12. As it turns out, the WhiteHouse.gov website also uses cookies, implemented by a third party, namely Webtrends. The usage of cookies isn't prohibited, d'oh (!), but the usage of cookies on official government websites is, unless they're needed for the normal functioning of the site (to let users log in and out, for example).
VIRUS WARNING! Especially for Dutch users. A 'Christmas Greeting' picture sent via MSN contains a dangerous worm which installs a keylogger. That way all the data you enter can be monitored, like credit card numbers, passwords etc. Raise the MSN security options to the max and don't, DON'T click on the link. When you've been infected, go here
29-12 Fully patched Windows XP and 2003 systems can be exploited via a new vulnerability by:
- Visiting malicious websites
- Opening malicious WMF files in Windows Picture and Fax Viewer
- Previewing malicious WMF files using Windows Explorer
There is currently no patch available, so be very careful when opening WMF files. Luckily WMF files (a picture format) are very uncommon to encounter. So when you receive an email/attachment containing a WMF file, don't open it but ask the sender to convert the file to another format like GIF or JPEG. That way you can be sure the file does not contain any malicious code. Full article
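Because the advice above hinges on knowing that an attachment really is a WMF file, here is an added example (not code from the original post) that recognises a metafile by its header bytes instead of trusting the extension, so a renamed WMF still gets held back for conversion. The attachments are constructed samples.

```python
# Added example (not from the original news post): recognise a WMF file by its
# header bytes instead of its extension, so a renamed or mislabelled metafile
# attachment still gets held back for conversion. Samples below are constructed.
import struct

# Aldus placeable metafile key 0x9AC6CDD7, written little-endian on disk.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"

def looks_like_wmf(data: bytes) -> bool:
    """True if `data` starts with a placeable or a standard WMF header."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < 6:
        return False
    # Standard METAHEADER: mtType (1 = memory, 2 = disk), mtHeaderSize (always
    # 9 words) and mtVersion (0x0100 or 0x0300), each a little-endian uint16.
    mt_type, header_words, version = struct.unpack("<HHH", data[:6])
    return mt_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def hold_for_conversion(attachments):
    """Return the names of attachments whose content is a WMF, whatever the
    extension says; these are the ones to send back for conversion."""
    return [name for name, data in attachments.items() if looks_like_wmf(data)]

# Constructed attachments: two metafiles (one hiding behind a .jpg name),
# a real JPEG header and a GIF header.
ATTACHMENTS = {
    "card.wmf": PLACEABLE_KEY + b"\x00" * 18 + struct.pack("<HHH", 1, 9, 0x0300),
    "photo.jpg": struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12,
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "smile.gif": b"GIF89a" + b"\x00" * 7,
}

if __name__ == "__main__":
    for name in hold_for_conversion(ATTACHMENTS):
        print(f"{name}: WMF content, ask the sender to convert it to GIF or JPEG")
```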
Other security news for Thursday 29 December 2005:
The NSA used, until Tuesday, persistent cookies to track and trace visitors' surfing activities. The cookies were placed on the computers of all visitors and had an expiry date somewhere in the year 2035. This heavy breach of privacy was stopped after a complaint. The NSA said 'it was all a mistake', but somehow that doesn't convince me... Full article
20-12 Finally, after almost a year of struggling, a removal tool had to be supplied by the creator of the msnfunmaker virus. You can get the removal tool here
02-12 Firefox 1.5 was released yesterday, go get it here or get Firefox with the Google toolbar integrated
29-11 Virus warning! A virus, Mitglieder.GB, is spreading fast, very fast. Panda issued a code Orange warning. The virus is sent as a mail attachment in a .zip file. It shows this image when it's run:

The virus attempts to download a file from one of the following addresses:
Infection:
Mitglieder.GB creates the file ANTI_TROJ.EXE or HLOADER_EXE.EXE in the Windows system directory. This file is a copy of the Trojan.
Mitglieder.GB creates the following entries in the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  anti_troj = %sysdir%\anti_troj.exe or "auto__hloader__key"="%WINDIR%\system32\hloader_exe.exe"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  anti_troj = %sysdir%\anti_troj.exe or "auto__hloader__key"="%WINDIR%\system32\hloader_exe.exe"
where %sysdir% is the Windows system directory.
By creating these entries, Mitglieder.GB ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\FirstRRRun
It creates this entry as an infection mark, in order to check if Mitglieder.GB has previously affected the computer.
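To check a machine for the registry entries described above without touching the live registry, here is an added example (not from the original post or from Panda's write-up) that scans a registry export in regedit's .reg text format for the two Run values and the FirstRRRun infection mark. The export text is constructed.

```python
# Added example (not part of the original post or of Panda's write-up): scan a
# registry export in regedit's .reg text format for the Run entries and the
# infection-mark key that Mitglieder.GB is reported to create. The export
# below is constructed; nothing here touches a live registry.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
RUN_VALUES = {"anti_troj", "auto__hloader__key"}
MARKER_KEY = r"hkey_current_user\software\firstrrrun"

def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key path: {value name: data}}; key paths are lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            # .reg files escape backslashes in string data as \\; undo that
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_mitglieder(text: str) -> list:
    """Return one finding string per Mitglieder.GB indicator present in the export."""
    findings = []
    for key, values in parse_reg(text).items():
        if key in RUN_KEYS:
            for name, data in values.items():
                if name.lower() in RUN_VALUES:
                    findings.append(f"{key}: {name} = {data}")
        if key == MARKER_KEY:
            findings.append(f"infection mark present: {key}")
    return findings

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"auto__hloader__key"="C:\\WINDOWS\\system32\\hloader_exe.exe"

[HKEY_CURRENT_USER\Software\FirstRRRun]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"anti_troj"="C:\\WINDOWS\\system32\\anti_troj.exe"
"""

if __name__ == "__main__":
    for finding in find_mitglieder(SAMPLE_REG):
        print(finding)
```

A clean export produces an empty list; each hit names the key, the value and the path it points at.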
Spreading:
Mitglieder.GB has been massively sent in an email message with the following characteristics:
- Subject: it can be any of the following, among others: Roberte, Sydney, Rebecka, Daniel
- Message: it can be any of the following, among others: FOTO-2, FOTO-4, VIP-foto, Foto land
- Attached files: a file with a random name and a ZIP extension.
To remove the virus go here
Source: Panda, F-Prot
23-11 Sober.X update. The virus is no longer detected as W32/Sober-Gen but is named Sober.X. To remove the virus, update your virus scanner, boot into safe mode and let the scanner scan all your drives/files. To manually remove the virus or read more info go here
22-11 Virus warning! A variant of the Sober virus is spreading extremely quickly. The steep rise in virus traffic was reported today by Sophos: 61% of all infection reports at Sophos today were related to this virus. "The new version of the Sober worm arrives as an email attachment, with the following message body:
Dear Sir/Madam,
We have logged your IP-address on more than 30 illegal Websites.
Important: Please answer our questions! The list of questions are attached.
Yours faithfully,
Steven Allison
Federal Bureau of Investigation-FBI-
935 Pennsylvania Avenue, NW , Room 3220
Washington , DC 20535
Phone: (202) 324-30000
(Sometimes the emails claim to come from the same investigator, but at the CIA.)
If the attached file is run, the worm scans the user's hard drive for other email addresses, in its search for other computers to infect." Source: Sophos and the FBI
When you receive the above email, or a similar email, DON'T open the attachment; delete the mail and forget about it. When you've been infected, or think you are, go here or use the removal tool
20-11 Some little info for you surfers out there. In my logs a lot of visitors appear using a browser with a hotbar. This is precisely what this site is about: removing that junk. I'll give a few examples of those browser IDs.
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar
- etc.
Below is your browser identification. If any of those 'strange' bars show up, it's a good idea to go to the 'help, I think I'm infected' section.
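For anyone who wants to do the same check on their own server logs, here is an added example (not code from the original post) that pulls the user-agent out of Apache "combined"-format access-log lines (an assumed format) and counts the toolbar markers listed above. The log lines are constructed.

```python
# Added example (not from the original post): pick the user-agent out of
# web-server access-log lines (Apache "combined" format, assumed here) and
# flag the toolbar markers the post lists. The log lines are constructed.
import re

TOOLBAR_MARKERS = ("FunWebProducts", "Hotbar")

# In the combined format the user-agent is the last quoted field on the line.
UA_RE = re.compile(r'"([^"]*)"\s*$')

def user_agent(line: str) -> str:
    m = UA_RE.search(line)
    return m.group(1) if m else ""

def flag_toolbars(lines):
    """Return (hits, counts): hits is a list of (client ip, marker, user-agent)
    and counts maps each marker to the number of lines carrying it."""
    hits, counts = [], {m: 0 for m in TOOLBAR_MARKERS}
    for line in lines:
        ua = user_agent(line)
        for marker in TOOLBAR_MARKERS:
            if marker.lower() in ua.lower():
                hits.append((line.split(" ", 1)[0], marker, ua))
                counts[marker] += 1
    return hits, counts

SAMPLE_LOG = [  # constructed; client addresses are documentation ranges
    '192.0.2.10 - - [20/Nov/2005:10:01:02 +0100] "GET / HTTP/1.1" 200 5123 '
    '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts)"',
    '192.0.2.11 - - [20/Nov/2005:10:02:15 +0100] "GET /forum/ HTTP/1.1" 200 8201 '
    '"-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20051111 Firefox/1.5"',
    '198.51.100.7 - - [20/Nov/2005:10:03:40 +0100] "GET /help/ HTTP/1.1" 200 3310 '
    '"http://example.test/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar)"',
]

if __name__ == "__main__":
    hits, counts = flag_toolbars(SAMPLE_LOG)
    for ip, marker, ua in hits:
        print(f"{ip}\t{marker}\t{ua}")
    print(counts)
```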
13-11 Due to a server crash a few hours ago, most of the forum topics posted after yesterday afternoon were lost. I'll try to restore everything as well as possible.
The site is up and running. Some parts are still under construction, and the site as a whole will continuously be under construction since new viruses and new software appear regularly. For more news see the forum. You can join the forum and post a comment on my update posts in the 'news' section. There you can check the box next to 'notify me when a reply is posted' and you'll get a mail when there's news.
If you have any info you think belongs on this site (a personal review of a program, virus information, surfing tips), or have additions, found dead links, etc., please contact the webmaster.