Kittycard.exe is now of one the filename use by this Storm Worm. Email received today: The new filename is Kittycard.exe: Half of malware scanners via VirusTotal.com will detect it while half did not: For you… to read: The Storm Worm: http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html Just How Bad Is the Storm Worm: http://blog.washingtonpost.com/securityfix/2007/10/the_storm_worm_maelstrom_or_te.html My previous blog entries on Kitty (Storm Worm) : 2 more Kitty, Kitty Detection Improving, Norton blocked Kitty, Kitty Kitty
Symantec wrote: the PDF file will download ldr.exe file F-Secure reports: The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more components. So I grab both .exe files (ms2.exe and ldr.exe) and uploaded it to Virustotal.com. The AVs should protect and detect users from it if it failed to detect and block the malicious PDF file. Scan results: Only 50% of malware scanners will detect the ms2.exe as malicious. 71.88% of malware scanners will detect the ldr.exe as malicious. Screenshots of the result at http://www.dozleng.com/updates/index.php?showtopic=16119
If you haven’t update your Adobe Reader to v8.1.1, you better to do it NOW. The vulnerability is being exploited now and yup, it’s in the wild because I received copies already. Screenshots at http://www.dozleng.com/updates/index.php?showtopic=16119 Adobe fixed the security issue by releasing v8.1.1. See their advisory here and please update NOW. Microsoft updated their security advisory on the above due to increased of threat level. Read the write-up of Symantec on what they detected and blocked in the email I received : Bloodhound.Exploit.163 – Bloodhound.Exploit.163 is a heuristic detection for PDF files attempting to exploit the Adobe Acrobat Mailto Unspecified … Continue reading In the wild: Malicious PDF files; Which AV will detect it?
This is not new since this is ‘common’ issue with redirection and being use by spammer but geez, can’t this company do something to stop the redirection to succeed? Same SPAM emails received today: That’s AOL, Yahoo and Google. Guys, you should do something to kill this “False redirection” and it will sure help in killing one method of spammers is using. I know we can disable the automatic redirection in the browser but that will kill the features that many are using. Example: 1. Search function in the browser 2. Downloading a file that is redirected by good … Continue reading Spammer’s trick: Redirection. Can’t Google, Yahoo and AOL kill the false one?
I received similar email last week where 15 out of 32 malware scanners will detect or trigger an alert if found or being downloaded in the system. Today, I got 2 more kitty greetings. Result is 10 out of 32 scanners will detect or trigger an alert: Preview of emails: Whenever I send file to VirusTotal.com I always let them distribute the sample to AV companies so they can add it to their detection. Let’s hope those will be detected soon as it is out-there. Users need to make sure they are patched, they have the security tool configured … Continue reading 2 more kitty (storm worm) gone undetected by many scanner
Symantec and Websense have warned Skype users of a new worm that spreads itself via Skype text messages. Dubbed Chatosky by Symantec, the cycle starts with a Skype user receiving a message offering a file called sp.exe. According to Websense’s preliminary analysis, when that file is run it installs a password-stealing Trojan and propagates itself via Skype. The malware also tries to connect to a now-disabled remote server to collect additional code. Websense says the original infections appear to be in the Asia Pacific region, especially Korea. CA’s, Sophos’ and McAfee’s security sites had no information about this worm at … Continue reading Skype Worm Breaks Out in APAC
Date: December 15, 2006 Severity: High Systems Affected:Symantec AntiVirus 10.0.x for Windows (all versions)Symantec AntiVirus 10.1.x for Windows (all versions)Symantec Client Security 3.0.x for Windows (all versions)Symantec Client Security 3.1.x for Windows (all versions) Overview:The eEye Research honeypot network has recently detected a new worm that is actively exploiting a remote Symantec vulnerability originally discovered by eEye Research on May 24, 2006 and patched by Symantec on June 12, 2006. This vulnerability has been publicly exploited as early as November 30, but this is the first example of a worm leveraging this vulnerability for self-propagation. Generally, patch processes are not … Continue reading Worm Alert: Big Yellow; Worm hits computers via Symantec Corp.’s antivirus program
Rustock, also known as “Spambot”, is a family of back door programs with advanced user and kernel mode rootkit capabilities. Rustock has constantly been in development since around November, 2005. Rustock is a tough threat to combat because of its approach of combining multiple evasion techniques to remain undetected by commonly used rootkit detectors, such as Rootkit Revealer, IceSword, and BlackLight. To obtain a “deep dive” on how Rustock works and why it is currently able to defeat so many security vendors, please visit Symantec’s Handling Today’s Tough Security Threats Web site. Once on the site, please look for the … Continue reading Rustock: Deep Dive
Websense Security Labs has received reports that a variant of Google phishing attacks are increasing in sophistication. Details at http://www.websense.com/securitylabs/alerts/alert.php?AlertID=545
One earlier and now there’s 2nd … it’s at Daniweb‘s forum (Thanks to Microsoft MVP Robear Dyer for the link). The bad file is faking Microsoft’s Windows Genuine Advantage Notification and Validation Tools. As you can see on earlier (the first report).. there is a service name called “Windows Genuine Advantage Validation Notification” and the offending filename is wgavn.exe. Again, there is no Windows services for the legitimate Windows Genuine Advantage (WGA) tool by Microsoft. Also, the names of the legitimate tools are: Windows Genuine Advantage Validation Tool Windows Genuine Advantage Notification Tool Note that the Validation Tool don’t have Notification … Continue reading Argh! 2nd instance of fake Windows Genuine Advantage Notification