PWS-LegMir.gen.k.dll password stealer virus
Wednesday, February 27, 2008
Overview -
PWS-LegMir.gen.k.dll is dropped by PWS-LegMir.gen.k. It steals passwords for multiple games. It may also detect and terminate antivirus applications.
Characteristics -
PWS-LegMir.gen.k.dll is dropped by PWS-LegMir.gen.k. It steals passwords for multiple games. It may also detect and terminate antivirus applications.
The following antivirus applications are detected and terminated:
* KAV (Kaspersky)
* RAV (Rising)
* AVP (Kaspersky)
* KAVSVC (Kaspersky)
Symptoms -
Unexpected termination of previously mentioned antivirus applications.
Method of Infection -
PWS-LegMir.gen.k.dll is dropped by PWS-LegMir.gen.k.
Removal -
AVERT recommends always using the latest DATs and engine. This threat will be cleaned with that combination.
WORM_NUWAR.AR Malware Email Virus
Thursday, February 14, 2008

For a comprehensive one-glance view of this malware's behavior, refer to the Behavior Diagram shown below.
Malware Overview
This worm arrives as an attachment to email messages spammed by another malware or a malicious user.
It drops files detected by Trend Micro as TROJ_PEACOMM.BK.
It propagates by sending email messages containing a link, which redirects users to a malicious Web site where a copy of itself can be downloaded.
W32/Nujama.worm!p2p Peer To Peer Worm Virus.Win32.VB.cy W32.Nujama W32/Nujama-A
Tuesday, February 12, 2008
Overview -
W32/Nujama.worm!p2p is a worm which can propagate through network shares, removable drives and peer to peer applications.
Aliases
* Virus.Win32.VB.cy
* W32.Nujama
* W32/Nujama-A
Characteristics -
W32/Nujama.worm!p2p is a worm which can propagate through network shares, removable drives and peer to peer applications.
* Upon execution, it creates copies of itself in the Windows system directory:
%Windir%\system32\SystemMonitor.exe
%Windir%\system32\ptsnoop.exe
%Windir%\system32\InfoVersion.exe
%Windir%\system32\commpu.exe
%Windir%\system32\call of duty.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
* Creates the following registry value so that it runs at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sysmon: "%Windir%\system32\SystemMonitor.exe"
* Modifies the following registry value so that a user cannot view hidden files and file extensions:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = "1"
* Drops the following files:
%Windir%\Web\Desktop.ini
%Windir%\Web\Folder.htt
%Windir%\system\oeminfo.ini
* Copies itself into the root folder of all drives (including removable drives and network drives) with the filename Datos de %Computer_Name%.exe
* Copies itself to all the subfolders of these drives with filename as %sub_folder%.exe
(For instance, it copies itself as WINDOWS.exe in the folder c:\WINDOWS and copies itself as system.exe into the folder c:\WINDOWS\system)
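A file-system triage check for the naming scheme described in the list above, written for this page as an added example (it is not code from the original write-up or from any vendor). It walks a drive root and flags the two copy patterns the description gives (Datos de <hostname>.exe in the root, and <folder>.exe inside each folder) plus the five drop names under system32. The constructed sample tree, the hostname LAB-PC and all function names are assumptions.

```python
import os
import tempfile

# Drop names the write-up lists for %Windir%\system32. Names alone are weak
# evidence; a real triage would also hash-compare anything that matches.
SYSTEM32_DROPS = {
    "systemmonitor.exe", "ptsnoop.exe", "infoversion.exe",
    "commpu.exe", "call of duty.exe",
}


def suspicious_files(drive_root, computer_name, windir=None):
    """Return paths (relative to drive_root) matching the worm's naming scheme.

    Checks, straight from the description:
      * '<drive_root>/Datos de <computer_name>.exe'
      * in every subfolder F, a file named '<F>.exe' (e.g. WINDOWS/WINDOWS.exe)
      * the five drop names in <windir>/system32, if windir is given
    """
    drive_root = os.path.abspath(drive_root)
    hits = set()

    root_copy = os.path.join(drive_root, f"Datos de {computer_name}.exe")
    if os.path.isfile(root_copy):
        hits.add(root_copy)

    for dirpath, _dirnames, filenames in os.walk(drive_root):
        if dirpath == drive_root:
            continue  # the root has no folder name to mirror
        wanted = f"{os.path.basename(dirpath)}.exe".lower()
        for name in filenames:
            if name.lower() == wanted:
                hits.add(os.path.join(dirpath, name))

    if windir:
        sys32 = os.path.join(windir, "system32")
        if os.path.isdir(sys32):
            for name in os.listdir(sys32):
                if name.lower() in SYSTEM32_DROPS:
                    hits.add(os.path.join(sys32, name))

    return sorted(os.path.relpath(p, drive_root) for p in hits)


def build_sample_tree():
    """Constructed fixture (not a real infection): a fake drive holding the
    worm's copies plus two benign files that must not be flagged."""
    root = tempfile.mkdtemp(prefix="nujama_demo_")
    layout = [
        "Datos de LAB-PC.exe",                                   # root copy
        os.path.join("WINDOWS", "WINDOWS.exe"),                  # <folder>.exe
        os.path.join("WINDOWS", "system", "system.exe"),         # <folder>.exe
        os.path.join("WINDOWS", "system32", "SystemMonitor.exe"),  # drop name
        os.path.join("WINDOWS", "system32", "notepad.exe"),      # benign
        os.path.join("docs", "report.exe"),                      # benign
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ placeholder")  # content is irrelevant to the check
    return root


def demo():
    root = build_sample_tree()
    return suspicious_files(root, "LAB-PC", windir=os.path.join(root, "WINDOWS"))


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

On a live machine you would pass each drive root (C:\, every removable and mapped drive) and the real %Windir%, then confirm any hit by hash before deleting, since ptsnoop.exe in particular is a name a legitimate driver component has also used.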
Symptoms -
* created registry key as described above
* created files as described above
Method of Infection -
The worm may propagate via Peer-to-Peer Networks, network shares and removable drives.
Removal -
JS/Exploit-YahooGrid datagrid.dll mediagridax.dll buffer overflow vulnerability
Tuesday, February 5, 2008
Overview -
JS/Exploit-YahooGrid is a generic detection for YMPDataGrid (datagrid.dll) and YMGMediaGridAx (mediagridax.dll) ActiveX controls buffer overflow vulnerability in Yahoo! Music Jukebox and Yahoo! Messenger.
The buffer overflow is triggered by supplying an overly long string to the AddImage, AddButton or AddBitmap methods. A malicious user could exploit this vulnerability to achieve remote code execution.
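A static heuristic in the spirit of the generic detection described above, added here as an example (it is not McAfee's signature and not code from the page): it scans script text for calls to the three sink methods and estimates, from literals, unescape(...) and new Array(n).join(s) idioms and simple variable bindings, how long each string argument can be. The 1024-character threshold, the two constructed script samples and all function names are assumptions; no claim is made that this matches the DAT's own logic, and it flags patterns only, so a hit here no more proves that exploit code ran than the detection itself does.

```python
import re

# The three ActiveX methods the write-up names as the overflow sinks.
SINKS = ("AddImage", "AddButton", "AddBitmap")

# Assumed threshold for this demo, not a figure from the advisory: no
# caption or image path is this long, so bigger arguments deserve a look.
LONG_ARG = 1024

IDENT = re.compile(r"[A-Za-z_$][\w$]*")
NUMBER = re.compile(r"0x[0-9A-Fa-f]+|\d+")
STRING_LIT = re.compile(r"""(["'])((?:[^"'\\]|\\.)*)\1""", re.S)
ARRAY_JOIN = re.compile(
    r"""new\s+Array\s*\(\s*(0x[0-9A-Fa-f]+|\d+)\s*\)\s*\.\s*join\s*\((["'])((?:[^"'\\]|\\.)*)\2\)""",
    re.S)
UNESCAPE = re.compile(r"""unescape\s*\((["'])((?:[^"'\\]|\\.)*)\1\)""", re.S)
ESCAPE_SEQ = re.compile(r"%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}")
ASSIGN = re.compile(r"""(?:\bvar\s+)?([A-Za-z_$][\w$]*)\s*=\s*([^;=]+);""")
CALL = re.compile(r"""\.\s*(%s)\s*\((.*?)\)\s*;""" % "|".join(SINKS), re.S)


def js_int(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def split_args(args):
    """Split a JS argument list on top-level commas (quotes/parens respected)."""
    out, cur, depth, quote = [], [], 0, None
    for ch in args:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    out.append("".join(cur).strip())
    return out


def estimate_length(expr, env, depth=0):
    """Best-effort static length of a JS string expression; None if unknown.
    Understands string literals, numbers (length 0: not a string),
    unescape(...), new Array(n).join(s), and variables bound to any of those."""
    expr = expr.strip()
    if depth > 8:
        return None
    if NUMBER.fullmatch(expr):
        return 0
    m = STRING_LIT.fullmatch(expr)
    if m:
        return len(m.group(2))
    m = ARRAY_JOIN.fullmatch(expr)
    if m:
        return max(js_int(m.group(1)) - 1, 0) * len(m.group(3))
    m = UNESCAPE.fullmatch(expr)
    if m:
        # each %uXXXX / %XX decodes to a single JS character
        return len(ESCAPE_SEQ.sub("x", m.group(2)))
    if IDENT.fullmatch(expr) and expr in env:
        return estimate_length(env[expr], env, depth + 1)
    return None


def scan_script(src):
    """Report (method, largest known argument length, verdict) per sink call."""
    env = dict(ASSIGN.findall(src))          # last assignment to a name wins
    findings = []
    for m in CALL.finditer(src):
        method, args = m.group(1), m.group(2)
        sizes = [estimate_length(a, env) for a in split_args(args)]
        known = [s for s in sizes if s is not None]
        biggest = max(known) if known else None
        if biggest is not None and biggest >= LONG_ARG:
            verdict = "exploit-like"
        elif None in sizes:
            verdict = "unresolved"   # built in a loop or from data we cannot see
        else:
            verdict = "benign-size"
        findings.append((method, biggest, verdict))
    return findings


# Constructed samples for the demo; neither is real exploit code.
BENIGN_SCRIPT = """
var g = document.getElementById("grid");
g.AddImage("logo.gif", 0);
"""

EXPLOIT_LIKE_SCRIPT = """
var pad = new Array(4096).join("A");
var obj = document.getElementById("ymp");
obj.AddButton(pad, 1);
obj.AddBitmap(unescape("%u4141%u4141"));
"""

if __name__ == "__main__":
    print(scan_script(BENIGN_SCRIPT))
    print(scan_script(EXPLOIT_LIKE_SCRIPT))
```

The "unresolved" verdict matters in practice: exploit pages usually grow the buffer in a loop or decode it at run time, which a static pass cannot size, so an unresolved sink call on a page that also instantiates the control is itself worth escalating rather than discarding.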
Symptoms -
This detection is sufficiently generic, such that it can cover a number of threats that contain the exploit code. Therefore, it is not possible to describe specific symptoms or details about system changes that can occur from this threat. However, simply seeing this detection does not mean that any exploit code was run at all as such exploit code could only run on a vulnerable system.
Additionally some exploits simply cause Internet Explorer to crash and nothing more.
Method of Infection -
This threat could be delivered via an email message, IM or an infectious web page.
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
W32/Tufik virus which infects .exe files
Overview -
W32/Tufik is a virus which infects .exe files. It downloads files from a malicious URL.
Characteristics -
W32/Tufik is a virus which infects .exe files.
Upon execution, it copies itself to %WinDir%\alg.exe and then exits.
It creates the process alg.exe.
It connects to a remote URL to download updated variants of itself and additional malware. The downloaded file is saved as %WinDir%\svchost.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
It creates the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\lsass="%WinDir%\alg.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\svchost="%WinDir%\svchost.exe"
The virus infects .exe files by prepending itself to them.
It can propagate via network shares or removable drives by infecting the .exe files in the shared folders or on the removable drives.
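A small carving routine for the prepending infection described above, added as an example (it is not AVERT's cleaning code and is not taken from the page). A prepender writes its own body first and the untouched host program after it, so the infected file carries two MZ/PE headers; the routine finds every MZ header whose e_lfanew points at a PE signature and treats the second one as the start of the original host. The two constructed stand-in "PE" blobs and the function names are assumptions; no real executables or Tufik samples are used.

```python
import struct

PE_SIG = b"PE\0\0"


def find_pe_headers(data):
    """Return offsets of every plausible PE image start in data: an 'MZ'
    whose e_lfanew (the DWORD at +0x3C) points at a 'PE\\0\\0' signature."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if (e_lfanew >= 0x40 and sig_at + 4 <= len(data)
                    and data[sig_at:sig_at + 4] == PE_SIG):
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def split_prepended(data):
    """Treat data as <virus body><original host>: the first PE header is the
    virus, the second is the host. Returns (virus, host), or None when the
    file does not look prepended (fewer than two headers, or no header at 0)."""
    heads = find_pe_headers(data)
    if len(heads) < 2 or heads[0] != 0:
        return None
    return data[:heads[1]], data[heads[1]:]


def make_fake_pe(tag, size, e_lfanew=0x80):
    """Constructed stand-in for a PE file (not a real executable): an MZ stub,
    e_lfanew at +0x3C, the PE signature at e_lfanew, a marker tag, zero padding."""
    hdr = bytearray(b"MZ") + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += b"\0" * (e_lfanew - len(hdr)) + PE_SIG + tag
    if len(hdr) > size:
        raise ValueError("size too small for header and tag")
    return bytes(hdr) + b"\0" * (size - len(hdr))


def demo():
    """Build an 'infected' blob the way a prepender would and carve it apart."""
    virus = make_fake_pe(b"TUFIK-BODY", 0x200)
    host = make_fake_pe(b"HOST-PROGRAM", 0x300)
    infected = virus + host
    carved = split_prepended(infected)
    return {
        "headers": find_pe_headers(infected),
        "virus_isolated": carved is not None and carved[0] == virus,
        "host_recovered": carved is not None and carved[1] == host,
        "clean_file_untouched": split_prepended(host) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats before using this on a real file. A legitimate host can itself embed a PE image (an installer payload, a resource), so "second header" is a heuristic: validate that the carved host parses as a complete image and, where possible, compare its hash against a known-good copy. And carving restores one file only; the alg.exe and svchost.exe copies and the two Run values listed above still have to be removed.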
Symptoms -
-registry keys added by the virus as described above
-processes created by the virus as described above
Method of Infection -
W32/Tufik is a virus that infects PE files and spreads via floppy drives, other removable devices and network shares. It can also be downloaded by another malware or variant.