Phishing - Spyware Style!
Tuesday, November 11th, 2008We are seeing more locally installed phishing pages from the fake presidential e-mails. Always remember - check the site BEFORE entering your user information!
Archive for November, 2008
Spam : Scandal: Obama Resignation Letter
Tuesday, November 11th, 2008The political onslaught continues. We are seeing lots of users in our diagnostic systems infected with the payload from these threats.
McCain Lawyer Impeach Obama!
McCain has reached an agreement with the Obama lawyers that makes Obama resignation effective November 11.
Barack Obama can lost President’s Chair.
McCain video report 10 November:
Clicking the link to view the story yields a news looking site where you are required to install the latest “Adobe Flash Player” to watch the movie - of course this leads to the infection.
Registry Modifications
HKCR\CLSID\{32C620D6-CC10-4e6a-9715-BACACD5B0E61}
InprocServer32#sxmg4.dll
ProgID#MS
TypeLib#{C8691316-2034-4350-9A66-6AE2FD9EE257}
HKCR\CLSID\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
InProcServer32#sxmg4.dll
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PSYCHE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PSYCHEENQUEUE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#WebProxy
HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc
HKLM\SYSTEM\CurrentControlSet\Services\new_drv
HKLM\SYSTEM\CurrentControlSet\Services\psyche
HKLM\SYSTEM\CurrentControlSet\Services\PsycheEnqueue
File System Additions
%SYSTEMROOT%\system32\adult.txt [MD5:204481C0F1DF8BFB088549A9853E9A2C]
%SYSTEMROOT%\system32\CbEvtSvc.exe [MD5:BC86CD17838D88329CD44115C7546B1A]
%SYSTEMROOT%\system32\finance.txt [MD5:72504008E24620145E6139396C3FF2DA]
%SYSTEMROOT%\system32\lt.res [MD5:22AFC809719809C75A7C024878857B30]
%SYSTEMROOT%\system32\other.txt [MD5:62F6BE80059453CC5315AFCD3050E7F2]
%SYSTEMROOT%\system32\pharma.txt [MD5:4919CBEBB282FA70CB5D87CD8879CE7F]
%SYSTEMROOT%\system32\sft.res [MD5:D56D080C00DFA0E49411559F020AD7A5]
%SYSTEMROOT%\system32\sxmg4.dll [MD5:D6FDC0F17947E9D78E9AEA2DBC3C9E81]
Click here to download SUPERAntiSpyware to Remove this infection.
Threat Update : FakeAlert-IEBT/IEBR
Tuesday, November 11th, 2008Toolbar Registry Entry
HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR
{8710DF42-3171-4A3B-9079-3F7D7101552B}
Associated File Item(s)
C:\PROGRAM FILES\APPLICATIONS\IEBR.DLL
%PROGRAMFILES%\APPLICATIONS\IEBR.DLL
C:\PROGRAM FILES\APPLICATIONS\IEBT.DLL
%PROGRAMFILES\APPLICATIONS\IEBT.DLL
Click here to download SUPERAntiSpyware and remove this threat
Spam : Barack Obama Sex Scandal
Monday, November 10th, 2008We are seeing an lots more Barack Obama E-Mails. Clicking the links in these will of course lead to an infection. Do not unzip the attachement!
Sample Barack Obama Sex Scandal E-Mail :
Barak Obama p0rn video, file attached, watch him
Registry Modifications
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vbagz.sys
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VBAGZ
HKLM\SYSTEM\CurrentControlSet\Services\vbagz
Click here to download SUPERAntiSpyware to Remove this infection.
New Rogue : SecureFileShredder
Sunday, November 9th, 2008SecureFileShredder is yet another new/updated rogue - we have updated our definitions to detect and remove all traces of this rogue. Being distributed through the spam and keygen sites.
SecureFileShredder WebSite - DO NOT INSTALL
SecureFileShredder Application
Associated File Items
%PROGRAMFILES%\SecureFileShredder
%PROGRAMFILES%\SecureFileShredder\ExpBtn.dll [MD5:4C0AE76052D36C303885D97AE7680259]
%PROGRAMFILES%\SecureFileShredder\ExtSFS.dll [MD5:C2288C9B4997CA684F4522AF3A1E1FF2]
%PROGRAMFILES%\SecureFileShredder\FileMonitor.exe [MD5:B796AB758734A939F9C2DDA213084BB6]
%PROGRAMFILES%\SecureFileShredder\FileShredder.exe [MD5:DED319AE57BDCFCD7D6CCE1A33B464C7]
%PROGRAMFILES%\SecureFileShredder\FileShredder.ico [MD5:7B99696CD8DD31397357DF4316B4CC09]
%PROGRAMFILES%\SecureFileShredder\FileShredder.xml [MD5:30D357DE962073755FF0479D5A37308F]
%PROGRAMFILES%\SecureFileShredder\FShellEx.dll [MD5:6835BEB60D6B6C01531018ECFFA2BB53]
%PROGRAMFILES%\SecureFileShredder\new.log
%PROGRAMFILES%\SecureFileShredder\SafeOper.dll [MD5:995A614F222C05177B3780B096BDD035]
%PROGRAMFILES%\SecureFileShredder\securefileshredder.url [MD5:212D424A9FC6327535042D5AB7622C13]
%PROGRAMFILES%\SecureFileShredder\unins000.dat [MD5:6D251102555331BC23FA9145E097EAD2]
%PROGRAMFILES%\SecureFileShredder\unins000.exe [MD5:8807C751A835B77C3759997B78613C88]
Click here to download SUPERAntiSpyware to Remove SecureFileShredder
New Rogue : UltraAntiVirus2009
Wednesday, November 5th, 2008UltraAntiVirus2009 is another new/updated rogue - we have updated our definitions to detect and remove all traces of this rogue. Being distributed through the “Recovery KEYS to your account” spam being distributed today.
Associated Files and Folders
%PROGRAMFILES%\UltraAV
%PROGRAMFILES%\UltraAV\UltraAV.cpl
%PROGRAMFILES%\UltraAV\UltraAV.exe
%PROGRAMFILES%\UltraAV\UltraAV.ooo
%PROGRAMFILES%\UltraAV\UltraAV0.dat
%PROGRAMFILES%\UltraAV\UltraAV1.dat
%PROGRAMFILES%\UltraAV\Uninstall.exe
Installer Application
Release_UNREG.exe
Click here to download SUPERAntiSpyware to Remove UltraAntiVirus2009
Warning Spam : Barack Obama Infection E-Mails
Wednesday, November 5th, 2008We are seeing an lots of Barack Obama E-Mails. Clicking the links in these will of course lead to an infection. Always pay attention to what you are opening!
Sample Barack Obama E-Mail :
Spam Barack Obama E-Mail Text
Barack Obama Elected 44th President of United States
Barack Obama, unknown to most Americans just four years ago, will become the 44th president and the first African-American president of the United States.
Watch His amazing speech at November 5!
Proceed to the election results news page>>
2008 American Government Official Website
This site delivers information about current U.S. Foreign policy and about American life and culture.
Threat Update : VirusResponseLab 2009
Tuesday, November 4th, 2008Browser Helper Object Registry Entry
WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS
{2B394226-862F-4AA4-AA53-988E24F50841}
Associated File Item(s)
C:\PROGRAM FILES\VIRSLAB\VIRSLABWARNING.DLL
MD5 Hash
09B1278D292C797963A5901FAF075C82
Threat Update : Zlob/FakeAlert
Tuesday, November 4th, 2008Shared Task Scheduler Registry Entry
\WINDOWS\CURRENTVERSION\EXPLORER\SHAREDTASKSCHEDULER
{D54F12F7-4D76-4C39-A096-E51EF5D33F2B}
Associated File Item(s)
C:\WINDOWS\SYSTEM32\QFRMWMQ
MD5 Hash
E53F06C8E8C072213E98238C3B03DB1D
Click here to download SUPERAntiSpyware and remove this threat
Threat Update : New FakeAlert
Monday, November 3rd, 2008Browser Helper Object Registry Entry
{BC354443-937D-498B-A792-B6E388CDFCE6}
Associated File Item(s)
c:\windows\system32\LOIFSA.DLL
Click here to download SUPERAntiSpyware and remove this threat