McAfee AVERT Stinger 2.5.9

Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.
This version of Stinger includes detection for all known variants of the following threats, as of November 22, 2005:

BackDoor-AQJ
BackDoor-ALI
BackDoor-CEB
BackDoor-JZ
Bat/Mumu.worm
Downloader-DN.a
Exploit-DcomRpc
Exploit-LSASS
Exploit-MS04-011
HideWindow
IPCScan
IRC/Flood.ap.dr
IRC/Flood.bi.dr
IRC/Flood.cd
NTServiceLoader
ProcKill
PWS-Narod
PWS-Sincom.dll
W32/Anig.worm
W32/Bagle@MM
W32/Blaster.worm (Lovsan)
W32/Bropia.worm
W32/Bugbear@MM
W32/Deborm.worm.gen
W32/Doomjuice.worm
W32/Dumaru
W32/Elkern.cav
W32/Fizzer.gen@MM
W32/FunLove
W32/IRCbot.worm
W32/Klez
W32/Korgo.worm
W32/Lirva
W32/Lovgate
W32/Mimail
W32/MoFei.worm
W32/Mumu.b.worm
W32/MyDoom
W32/Nachi.worm
W32/Netsky
W32/Nimda
W32/Pate
W32/Polybot
W32/Sasser.worm
W32/Sdbot.worm.gen
W32/SirCam@MM
W32/Sober
W32/Sobig
W32/SQLSlammer.worm
W32/Swen@MM
W32/Yaha@MM
W32/Zafi
W32/Zindos.worm
W32/Zotob.worm


http://vil.nai.com/vil/stinger/

Windows AntiSpyware 1.0.701 now available

We have just released a beta refresh for Windows AntiSpyware (build 1.0.701) onto the download center. This build extends the Windows AntiSpyware (Beta) expiration date to July 31, 2006.


http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&DisplayLang=en


We will be turning on the software update notification early next week, but you can download the latest beta refresh manually at:
http://www.microsoft.com/antispyware

For more information, please monitor the Microsoft anti-malware blog at
http://blogs.technet.com/antimalware

Thanks.


Mike Chan [MSFT]
Technical Product Manager (Windows Defender)
Microsoft Corporation

Sony rootkit signatures now available

According to Microsoft’s Anti-Malware team, definitions 5777 will detect WinNT/F4IRootkit (that’s their name for the rootkit that has been shipped as part of the “Sony’s XCP software”). The Malicious Software Removal Tool will have the detection for this rootkit too, and it will be released as scheduled – 2nd Tuesday next month. Read more below:
http://blogs.technet.com/antimalware/archive/2005/11/17/414741.aspx


More here: Sony XCP Rootkit – Key Info & list of 52 CDs


Courtesy MVP Harry Waldron:
One of my friends in the security field shared an excellent summary of the failed attempt by Sony BMG to better protect their music from Copyright violations. As an ethical individual, I respect the intellectual property rights of those in the music industry. The approach Sony used created harm and potential security issues for innocent loyal customers, who purchased their CDs in good faith.

The rootkit may have appeared to be a good technical solution on the drawing board for better protecting digital rights. However, they didn’t exercise risk management and plan well for things that could go wrong, including opening up the customer’s PC to emerging security risks based on new malware that takes advantage of the rootkit architecture.

The following provides an update for this issue with several related links:
Quote:
Sony/BMG has just recalled 52 music CDs, all of which came with software which will install “rootkit” spyware programs on your Windows computer. If you have any of these CDs and have played them on your Windows PCs, your computers may be infected with some truly nasty software. This problem does NOT affect Macs or Linux computers and may not have affected you if you run a secure Windows setup. More than 500,000 computers are known to be infected worldwide.

List of 52 infected Sony CDs being recalled
http://cp.sonybmg.com/xcp/english/titles.html

More on Sony’s recall notice to replace these CDs at no charge to the owner
http://www.usatoday.com/tech/news/computersecurity/2005-11-14-sony-cds_x.htm

The Sony/BMG website has an uninstall program that is supposed to clean up the infection. HOWEVER, as of today, their uninstall program leaves your computer MORE VULNERABLE than before! Check with your anti-virus vendor to see if your AV can clean up this problem.

Microsoft is upgrading their Malicious Software Removal Tool, which is updated once a month. It will soon be updated to remove the XCP modifications that Sony/BMG put on your computer, but it’s not available currently. More information can be found at these sites:

Sony BMG’s copy-protection problems grow
http://securityfocus.com/news/11357

Mark’s Sysinternals Blog Victory!
http://www.sysinternals.com/blog/2005/11/victory.html

Sony’s DRM Rootkit: The Real Story
http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html

Secunia Advisory
http://secunia.com/advisories/17408/

US CERT Advisory
http://www.us-cert.gov/current/current_activity.html#xcpdrm
http://www.kb.cert.org/vuls/id/312073

Security issues may surface using Sony’s XCP uninstall tools
http://secunia.com/advisories/17610/
http://www.frsirt.com/english/advisories/2005/2454
http://www.freedom-to-tinker.com/?p=927

Security issues may surface using Sony’s uninstall for SunnComm MediaMax (another DRM)
http://secunia.com/advisories/17639/
http://www.frsirt.com/english/advisories/2005/2493
http://www.freedom-to-tinker.com/?p=931

Rootkits could mean a complete rebuild for your PC
http://insight.zdnet.co.uk/0,39020415,39237277-4,00.htm
Quote:

How do we remove rootkits? — There is only one guaranteed way to remove a rootkit. You destroy the system and then rebuild it. There is no other way to reliably remove a rootkit — no other way whatsoever. You can’t delete the file or even reinstall the operating system over the top of the existing OS — which is a horrible practice anyway. It is super important to nuke the system because a rootkit’s primary function is stealth — what is it hiding? Do you know? Usually not. How can you reliably know what it was hiding, what it was compromising or what it was removing?

Key Advice for now: Please do not play CDs using your PC until this issue is fully addressed (or if you do play CDs not on the list, still be vigilant and cautious). It could require rebuilding your PC.

Ideas for Infected Users: If you are currently infected with the XCP software, some standalone tools and removers are available. Do not try to remove this manually unless you have complete directions and you are highly skilled as a computer technician. Your CD-ROM or PC may no longer work properly if you fail to remove the rootkit properly. I believe further “help is on the way” and infected users might be better served to wait a little while longer until better tools are published.