Tag Archives: Panda Labs

PandaLabs Trojan Warning – FakeWindows.A, and UrlDistract.A

Courtesy of Panda Security: This week’s PandaLabs report looks at two new Trojans, FakeWindows.A and UrlDistract.A, that try to trick users in order to steal their data.

FakeWindows.A is a Trojan that resembles a Windows XP activation process.


This malware can reach computers through email, or can be downloaded from a malicious Web page.

It tries to make users believe that the operating system is requesting their data in order to activate their account.


In addition to personal data, the Trojan also requests bank details. Once these are entered, the program displays an error screen indicating that it was impossible to connect to the server. Consequently, in addition to facilitating data theft, users’ computers are blocked.

The UrlDistract.A Trojan reaches computers through emails carrying an attachment whose icon resembles a video. When run, the Trojan silently steals users’ information while distracting them by opening a YouTube video called “Little Superstar”, in which an actor dances to the music.


The Trojan then connects to an address in Atlanta and sends all the data stolen from the computer.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Panda Security – Auto Industry Top Spam Target

Many of us tend to think of spam as an “oh, well” problem. But is it? Not if you’re part of the auto industry!

According to a study just released by Panda Security, only 0.11 percent of mail received by businesses in the auto industry is legitimate, and the other industries near the top of the ranking don’t fare much better.

If you think spam is relatively harmless, read the following report and then consider the enormous waste of resources involved in spam distribution, and the risks to your Internet safety.

Courtesy of Panda Security:

Panda Security, the Cloud Security Company, today revealed the results of its three-month long study from July to September 2009 on the prevalence of spam across a range of industries.

Investigating 11 sectors, including automotive, insurance, banking, tourism, construction, food and others, Panda analyzed the email traffic generated by 867 companies in 22 countries throughout the U.S. and Europe and found that the automotive industry is the top recipient of spam and email-borne malware. In total, more than 503 million messages were analyzed.


The overall aim of the study was to compare the prevalence of spam and malware across different business sectors. Following automotive, the electronics sector and government institutions rounded out the top three recipients of spam and email-borne malware with ratios of 99.89, 99.78 and 99.60 percent, respectively.

This ratio represents the percentage of spam or malicious messages in relation to all email received. Consequently, this means that just 0.11 percent of mail received by businesses in the motor industry is legitimate (similarly 0.22 percent in the electronics sector, and 0.40 percent in government institutions).

Interestingly, the banking sector, predicted by many to be a prime target, featured near the bottom of the ranking with a ratio of 92.48 percent. The education and tourism sectors close the ranking with figures of 87.98 and 87.22 percent.

There was, however, no considerable difference in the subject fields of the spam received across the various sectors. The majority, more than 68 percent, were related to pharmaceutical products. This was followed by advertisements for replica products with 18 percent, and messages with sexually explicit content at 11 percent.

Banker Trojans were responsible for approximately 70 percent of all malware detections. These were followed by adware/spyware at 22 percent, with the remainder accounted for by viruses, worms, etc.

According to Luis Corrons, Technical Director of PandaLabs, “We were curious to see if spam and email-borne malware affected all companies equally, or whether there were factors that influenced the likelihood of them being targeted. We were surprised to find significant differences – up to 12 percent – in the ratio of junk mail received between different business sectors.”

To help businesses be better prepared for the threat of malware and prevalent spam, Panda Security has launched an education and training campaign called ‘Time For Your Business’. This site helps businesses identify their current security issues and asks questions so they can customize solutions best suited to their needs.


SafeFighter Fake Antivirus – PandaLabs Takes a Look

Courtesy of Panda Security.

PandaLabs’ report this week focuses on two Trojans, and a new fake antivirus.

SafeFighter is a new fake antivirus.


Like other malware of this kind, it tries to fool users by displaying false infections, remote connections and vulnerabilities that do not exist. If users fall for the trap, they are directed to a screen where their credit card details are requested to carry out the transaction. This way, as well as obtaining money for a service that will never be provided, cyber-crooks steal users’ credit card details.

Removal help for this nasty is further on in this article.

Spammer.ANT is a Trojan that passes itself off as a Microsoft program.

Once run, it copies itself to the system and loads itself to memory under the name reader_s.exe. It then carries out remote connections and spams users, trying to get them to believe the messages received are from an online store.


The spam message carries a compressed attachment containing an executable called open.exe. When opened, AntivirusPro2010 is installed on the computer (a fake security solution we have discussed in the past).

The other Trojan in this report is Sinowal.WOE.

It reaches computers through email, and passes itself off as a Microsoft Word document. Once installed, it collects as much information as it can from the infected user.

Additionally, when the user opens the browser, the Trojan connects to a server where Sinowal.WOE stores the victim’s information, and downloads the AntivirusPro2010 fake security solution.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

SafeFighter and AntivirusPro 2010 Removal:

If you have become infected by AntivirusPro 2010, SafeFighter, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools and the competency to determine whether the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and the advice you will need to attempt removal.

Click here to download free SUPERAntiSpyware to remove AntiVirusPro 2010.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on that offers substantial protection against such sites.

Do not click on unsolicited invitations to download software of any kind.


AntivirusPro 2010 – PandaLabs Takes a Look

Courtesy of Panda Security.

PandaLabs’ report this week focuses on two banker Trojans and a fake antivirus.

This week, Panda Security takes a look at AntivirusPro 2010. Once a computer is infected with this malware, a warning appears informing the user that the computer is infected.


Soon after, a false scan is run.


The scan results claim that the PC is full of malware, and frequent pop-ups are displayed. This fake antivirus tries to get users to register and pay for what it claims is an ‘antivirus service’.


Since this antivirus is a fake antivirus, users end up paying for a product that does not exist, as well as revealing their bank details to cyber-crooks.

Removal help for this nasty is further on in this article.

Trj/Nabload.DNU is a banker Trojan designed to download several Trojans that steal the bank details entered by users on their systems. When the file is run, an image is displayed on the screen, so users do not see the malware being downloaded.


While a video related to the image is displayed on the screen, the Trojan attempts to download the other banker malware from a URL.

The banker Trojan Trj/SilentBanker.D modifies users’ bank transfer details so that cyber-crooks receive the transfer instead of the intended recipient.

When run, it deletes itself, so that the system appears unmodified. It displays no messages or infection warnings on the computer. Once the computer is infected, it uses several Windows APIs to fulfil its designed purpose.

While the Trojan intercepts bank transfers and modifies the details, users are shown a fake Web page that resembles the original, displaying the details they entered. On confirming the operation, users are unwittingly sending the money to the cyber-crook’s account.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

AntivirusPro 2010 Removal:

If you have become infected by AntivirusPro 2010, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.


Alpha Antivirus – PandaLabs Takes a Look

Courtesy of Panda Security.

PandaLabs’ report this week focuses on a worm, a fake antivirus, a Trojan and a traditional virus.

The new fake antivirus we are looking at this week is called Alpha Antivirus. Like many of its kind, it tries to fool users by displaying fake infections, false remote connections, or non-existent vulnerabilities.

It then encourages users to buy a fake security suite. Since this antivirus is a fake antivirus, users end up paying for a product that does not exist, as well as revealing their bank details to cyber-crooks.


Removal help for this nasty is further on in this article.

JokR.A is a script worm that leaves a visible sign of infection for users to see. To spread, it copies itself under the name Th3_jOkEr.vbs, together with a hidden autorun.inf file, to all drives and to the Windows folder.

This way, it runs whenever users access these drives. It also copies itself to removable drives to increase its chances of propagation. The malware makes a series of registry entries to ensure it runs on every system start-up, displaying the following warning: “Thanks for your participation”, “My virus is now on your computer, so thank you for your the participation with your friends 🙂 !)”.

It also inserts the following text in the Internet Explorer header: “Hacked By Yassine [Th3_jOkEr] …:::… Fuck You …:::…” The change is hard to see in the screenshot, but the IE header has been modified.


Finally, we want to mention a Trojan and a virus associated with an email with the subject Convocatoria en la Audiencia (Summons to the Central Criminal Court). The message carries an attachment that looks like a PDF file but in reality has the “scr” extension.

On opening the file that supposedly contains the summons, users are taken to the official website of the Spanish National Police, while a second connection is made to a page from which the Banker.LYI Trojan and the Induc.A virus are downloaded and installed.

Banker.LYI is a banker Trojan that targets a specific Spanish bank. This Trojan steals the bank details entered by users, and uses the Outlook address book to redistribute the same message among all the infected user’s contacts.

Induc.A is a virus written in Delphi. The first thing the virus does is search the computer for installed versions of the Borland Delphi compiler (4, 5, 6 or 7). If it finds one, the virus inserts code so that every file compiled with those versions is infected.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

Alpha Antivirus Removal:

If you have become infected by Alpha Antivirus, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.


Windows Police Pro – PandaLabs Takes a Look

Courtesy of Panda Security.

This week’s PandaLabs report looks at a worm, a program for creating Trojans, and a new fake antivirus.

Windows Police Pro is a new example of rogueware.


As is typical of these fake antivirus programs, it tries to convince users that their systems are infected, being hacked, or contain vulnerabilities. Users who fall for the ruse are taken to a screen in which they are asked to enter their credit card details. This way, in addition to paying for a disinfection they will never receive, they have also handed over confidential information to cyber-crooks.

Removal help for this nasty is further on in this article.

Vobfus.A is a worm that spreads through USB drives and shared folders. The first action it takes when run is to make a series of copies of itself in several directories and connect to certain Japanese Web pages, from which it downloads files related to adware.

When a USB device is connected, the worm creates a series of shortcuts through which the infected file – which is hidden – is run. It also creates an autorun file on the USB drive in order to spread. One interesting thing about this malicious code is that it makes certain modifications to the registry, installing language packs that allow the operating system to recognize Chinese and Japanese characters.

Thanks to this, the worm can redirect the Internet browser to pages in Chinese, interpreting them and downloading files. It also creates a key in the registry to ensure it is run every time the system is started up.
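Added example (not Panda’s or this blog’s code) covering the autorun.inf propagation trick shared by JokR.A above and Vobfus.A here: it parses an autorun.inf, checks what it launches against a listing of the drive root, and scores the findings from a defender’s side. Th3_jOkEr.vbs and the hidden autorun.inf come from the report; the weights, the threshold and file names such as hidden_payload.exe are assumptions, and every sample is constructed.

```python
"""Autorun.inf triage for the removable-drive propagation described above: a worm
dropping a script such as Th3_jOkEr.vbs beside a hidden autorun.inf (JokR.A), or an
autorun file plus shortcuts to a hidden executable (Vobfus.A). Added example; the
autorun.inf contents and drive listings below are constructed, not captured."""
import ntpath
import re
from dataclasses import dataclass, field

# Extensions a legitimate installer autorun has no reason to auto-launch.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".pif", ".scr"}
# Script hosts that, when named in autorun.inf, point at an interpreted payload.
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "cmd", "powershell"}


@dataclass
class Triage:
    score: int = 0
    findings: list = field(default_factory=list)

    def add(self, weight, text):
        self.score += weight
        self.findings.append(text)

    @property
    def suspicious(self):
        # One script launch (3) is enough; a hidden autorun.inf alone (2) is not.
        return self.score >= 3


def parse_autorun(text):
    """Tolerant [autorun] section parser; returns {lowercased key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Unique tokens from every open=, shellexecute= and shell\\<verb>\\command= line."""
    tokens = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            # Split like cmd.exe: quoted spans stay whole, the quotes are dropped.
            tokens += [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]
    return list(dict.fromkeys(tokens))


def triage(autorun_text, root_listing):
    """root_listing maps each drive-root filename to its hidden attribute (bool)."""
    listing = {name.lower(): hidden for name, hidden in root_listing.items()}
    result = Triage()
    entries = parse_autorun(autorun_text)
    if not entries:
        return result
    if listing.get("autorun.inf"):
        result.add(2, "autorun.inf itself carries the hidden attribute")
    for token in launch_targets(entries):
        name = ntpath.basename(token).lower()
        stem, ext = ntpath.splitext(name)
        if ext in SCRIPT_EXTS:
            result.add(3, f"auto-launch of script file {name}")
        if stem in SCRIPT_HOSTS:
            result.add(2, f"script host {name} invoked from autorun.inf")
        if listing.get(name):
            result.add(2, f"launch target {name} is a hidden file in the drive root")
    if "shell" in entries:
        result.add(1, "default double-click verb redirected by a shell= key")
    if "open folder" in entries.get("action", "").lower():
        result.add(2, "AutoPlay label imitates 'Open folder to view files'")
    hidden_exec = [n for n, h in listing.items() if h and ntpath.splitext(n)[1] in SCRIPT_EXTS | {".exe"}]
    shortcuts = [n for n in listing if n.endswith(".lnk")]
    if hidden_exec and shortcuts:
        result.add(2, f"{len(shortcuts)} shortcut(s) beside hidden executable(s) {hidden_exec}")
    return result


# Constructed samples, not captured from real infections.
JOKR_LIKE = """[autorun]
open=wscript.exe Th3_jOkEr.vbs
shell\\open\\command=wscript.exe Th3_jOkEr.vbs
shell=open
action=Open folder to view files
"""
JOKR_ROOT = {"autorun.inf": True, "Th3_jOkEr.vbs": True, "Report.doc": False}
VOBFUS_LIKE = "[autorun]\nopen=hidden_payload.exe\n"  # placeholder payload name
VOBFUS_ROOT = {"autorun.inf": True, "hidden_payload.exe": True, "Documents.lnk": False, "Photos.lnk": False}
BENIGN = "[AutoRun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Product Installer\n"
BENIGN_ROOT = {"autorun.inf": False, "setup.exe": False}

if __name__ == "__main__":
    for label, inf, root in (("JokR-like", JOKR_LIKE, JOKR_ROOT), ("Vobfus-like", VOBFUS_LIKE, VOBFUS_ROOT),
                             ("benign installer", BENIGN, BENIGN_ROOT)):
        t = triage(inf, root)
        print(f"{label}: score={t.score} suspicious={t.suspicious} findings={t.findings}")
```

The benign installer sample scores zero, so the heuristics only fire on the combination of script launch, hidden files and shortcut decoys that the two worms rely on.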

KeyLogger.FT is a program for building keylogger Trojans.


These programs capture keystrokes and then send the information to an email account, with details about where the information has been entered. The Trojan builder lets users include features such as automatic activation on system restarts, or uninstallation on a certain date. It also includes the option to disable the Task Manager on the infected PC, or close it as soon as it is opened.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

Windows Police Pro Removal:

If you have become infected by WinPolicePro, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.


Personal Guard 2009 – PandaLabs Takes a Look

Courtesy of Panda Security.

This week’s PandaLabs report looks at a rogue antivirus, a backdoor Trojan and a program for creating Trojans.

Personal Guard 2009 is a new sample of the infamous rogue antivirus programs. On reaching computers, it runs a spoof hard disk scan.


These malicious codes typically display fake infections when running the scan, but Personal Guard 2009 does not show any infections during the first scan. Instead, the file stays resident on the hard disk and later displays pop-ups in the toolbar warning about possible malicious items. During the second scan it shows fake viruses.

From then on it follows the standard procedure: tempting users into buying a fake security program in order to profit directly, as well as stealing any data entered by the user.

WinVNC.A is a backdoor Trojan distributed via email. It uses the subject of swine flu as a lure, talking about a potential conspiracy of pharmaceutical laboratories and tricking users into opening a supposed PowerPoint presentation (“POS.exe”) where “the big secret” is revealed.

On running the attached file, the Trojan is downloaded to the computer without the user’s knowledge, while the presentation is displayed. This malicious code is especially designed to steal confidential information from the user and send it to its creator.

Finally, PassThief.A is a program designed to create password-stealing Trojans.


The information stolen by the Trojan is sent to an email account specified by the program user. The directory where the Trojan will be installed can be selected, as can whether it should run during the first or fourth operating system restart.

The Trojan will have the same icon as the Task Manager and will function on WIN9x/WINME, as it steals the passwords stored in those operating systems’ pwl files. These pwl files contain passwords for accessing protected resources, session logon, dial-up network access, etc.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

If you become infected by Personal Guard 2009, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.


Panda Security – RegistryDoktor2009 and Proof Defender2009 Warning!

Courtesy of Panda Security.

This week’s PandaLabs report looks at a banker Trojan, and two new examples of fake antivirus programs.

Banbra.GJT is a new variant of the well-known Banbra family of Trojans. This Trojan is designed to steal users’ banking details. Once the file is run, an error message is displayed; the Trojan, however, proceeds with the infection process and displays a video on the screen.


Meanwhile, a Trojan called Banbra.DQQ is downloaded in the background. This Trojan steals users’ credentials when they connect to bank websites.

Scareware:

RegistryDoktor2009 is the first of the two fake antiviruses that we will cover today.


Like all malicious programs of this kind, RegistryDoktor2009 tries to trick users by showing a series of false infection warnings. Then, it prompts them to buy “security” software to resolve these infections.

In reality, however, users will be paying for a fake product that does nothing. So, besides losing their money, they will be unprotected and utterly vulnerable to any threat.

Finally, Proof Defender2009 works very similarly to RegistryDoktor2009.


It tries to trick users into believing they are infected and offers them fake security software. In this case, users can choose to pay with their credit cards or with a PayPal account. The result is the same as in the previous case, but in this case the malware can also steal the credit card data entered by the targeted user.

More information about these and other malicious codes is available in the Panda Security Encyclopedia.

You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

If you become infected by this, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and the advice you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix, available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.

Additional precautions you can take to protect your computer system:

When surfing the web: Stop. Think. Click

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer

Install a personal firewall on the computer

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure the anti-virus software scans all email attachments
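The "disable hidden filename extensions" item above deserves a concrete illustration, because it is the setting that makes a double-extension lure work. The following Python is an added example, not part of the original post or of Panda's material: it models what Explorer shows with extension hiding on and flags names such as video.avi.exe. The file names and extension sets are constructed and deliberately short.

```python
"""Show why hidden file extensions help attachment lures.

Added example for this post, not the original author's code. With Explorer's
'Hide extensions for known file types' enabled (the Windows default), a file
named holiday_video.avi.exe is listed as holiday_video.avi, and malware
commonly pairs such a name with a video or document icon. The sample names
and the extension sets below are constructed; the sets are not exhaustive.
"""

# Extensions Windows treats as programs or scripts (assumption: a short list;
# a mail filter would keep a far longer one).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Decoy extensions a lure puts in front of the real one.
DECOY_EXT = {"avi", "mpg", "wmv", "jpg", "gif", "pdf", "doc", "txt", "zip"}


def explorer_display_name(filename, hide_known=True):
    """Name as Explorer lists it; with hiding on, a registered extension is dropped."""
    if not hide_known:
        return filename
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXT | DECOY_EXT:
        return base
    return filename


def is_double_extension_lure(filename):
    """True for names like photo.jpg.exe: a decoy extension hiding an executable one."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DECOY_EXT


def screen_attachments(names):
    """Return the attachments that should be refused before anyone double-clicks."""
    return [n for n in names if is_double_extension_lure(n)]


if __name__ == "__main__":
    for n in ("holiday_video.avi.exe", "invoice.pdf", "photo.jpg.scr"):
        print("%-24s shown as %-18s lure=%s"
              % (n, explorer_display_name(n), is_double_extension_lure(n)))
```

To turn hiding off on the machine itself, clear "Hide extensions for known file types" under Folder Options > View, which sets HideFileExt to 0 under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced; the check above is what a mail gateway or a cautious user does before that setting ever matters.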

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Filed under Don't Get Scammed, Don't Get Hacked, Malware Advisories, Online Safety, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, Scareware Removal Tips, Spyware - Adware Protection, System Security, Windows Tips and Tools

SmartVirusEliminator – Panda Security Takes a Look

Courtesy of Panda Security.

This week’s PandaLabs report looks at the SmartVirusEliminator adware, and the MSNWorm.GU worm.

The SmartVirusEliminator adware displays the following window while being downloaded.

image

Then, once it is downloaded and installed, it opens a window similar to the Windows security window.

image

This adware tries to pass itself off as a legitimate antivirus. To do so, it scans the computer and displays fake warnings to convince users they are infected. To disinfect the computer from the threats “detected” by the fake antivirus, users must purchase it by providing their bank details, which is the malware’s ultimate objective.

image

The MSNWorm.GU worm uses the popular MSN Messenger application to spread. It infects systems silently, with no visible symptoms other than a characteristic icon.

image

The MSNWorm.GU worm modifies the Windows registry so that it is launched at every system start-up, then stays memory resident. It also copies itself to C:\WINDOWS\system32\wupdate.exe.

While users chat through an instant messaging application (e.g. MSN Messenger), they receive a message from one of their contacts (which doesn’t raise suspicion), with a link to download a file. If the user clicks the link, the worm installs on the system and the infection begins.

First, the worm connects to a server to check whether an updated version of itself is available; if so, it downloads it, otherwise it makes a copy of itself in the system path.

It then creates several registry entries pointing to this copy (or to the updated version). One of them ensures the worm is launched at every system start-up.

The worm has bot features: it opens a connection to its creator and waits for commands. Finally, the file stays memory resident, waiting for a new instant-messaging session through which to spread.

image
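The persistence described above (a copy under system32 plus a registry entry that runs it at start-up) is what a responder hunts for. The Python below is an added example, not PandaLabs' or the original author's code: it parses a `reg export` of the standard Run keys and flags entries worth a look. The report does not say which key the worm writes, so the check covers HKLM and HKCU Run; the .reg text, the system32 allowlist and the "Windows Update" value name are constructed for illustration.

```python
r"""Triage Windows Run-key entries from a `reg export` file.

Added example for this post; it is not PandaLabs' or the original author's
code. The report says MSNWorm.GU copies itself to
C:\WINDOWS\system32\wupdate.exe and adds a registry entry so it starts with
Windows, but does not name the key, so this checks the standard Run keys.
The .reg text and the allowlist below are constructed for illustration.
"""
import re

# Constructed sample in the format `reg export` writes (it writes UTF-16;
# assume the file has already been decoded to str). The "Windows Update"
# entry mimics the worm's wupdate.exe copy; the others stand in for normal
# software and for a second suspicious autostart from a temp directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"Windows Update"="C:\\WINDOWS\\system32\\wupdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="\"C:\\Documents and Settings\\bob\\Local Settings\\Temp\\svc.exe\" -s"
'''

# Assumption: an allowlist of system32 binaries confirmed on a clean reference
# machine. Anything else auto-starting from system32 gets reviewed by hand;
# wupdate.exe is not a Windows component.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}

# Directories from which legitimate software rarely registers persistence.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
UNESCAPE_RE = re.compile(r'\\(["\\])')  # .reg escapes \ and " with a backslash


def parse_reg(text):
    """Yield (key, value_name, command) for each string value in the export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), UNESCAPE_RE.sub(r'\1', m.group(2))


def image_path(command):
    """Executable referenced by a Run value.

    Quoted commands are unambiguous. For unquoted commands Windows tries each
    space-separated prefix in turn, so take everything up to the first .exe.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r'(.+?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ')[0]


def triage(text):
    """Return (value_name, path, reason) for autostart entries worth a look."""
    findings = []
    for _key, name, command in parse_reg(text):
        path = image_path(command)
        low = path.lower()
        base = low.rsplit('\\', 1)[-1]
        if '\\system32\\' in low and base not in KNOWN_SYSTEM32:
            findings.append((name, path, 'unexpected binary in system32'))
        elif any(d in low for d in SUSPECT_DIRS):
            findings.append((name, path, 'autostart from user-writable directory'))
    return findings


if __name__ == '__main__':
    for name, path, reason in triage(SAMPLE_REG):
        print('%-16s %-60s %s' % (name, path, reason))
```

Run against the sample it reports the wupdate.exe entry and the temp-directory one and stays quiet on the vendor sound driver and ctfmon.exe. The allowlist is the weak point: build it from a known-clean machine of the same Windows build, and treat a file that merely borrows a Microsoft-sounding name (as wupdate.exe does) as suspect until its hash is checked.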

More information about these and other malicious codes is available in the Panda Security Encyclopedia.

You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.


Filed under bots, Browser add-ons, Don't Get Scammed, Don't Get Hacked, Firefox Add-ons, Freeware, Internet Explorer Add-ons, Internet Security Alerts, Malware Advisories, Panda Security, PandaLabs, Rogue Software, scareware, Spyware - Adware Protection, trojans, Virus Repair Tools, Viruses, Windows Tips and Tools

SaveSoldier Fake Antivirus – Panda Security Takes a Look

Courtesy of Panda Security.

This week’s PandaLabs report discusses the SaveSoldier fake antivirus and the Ramson.G worm.

The first malware we’re looking at this week is another example of malicious programs that pass themselves off as legitimate software applications in order to steal users’ money by tricking them into believing that they will eliminate (non-existent) threats.

This fake antivirus is designed to collect personal and bank details provided by users when they buy it. This malware scans the system searching for infected software –

image

and displays an interface which resembles the interface of a typical antivirus program –

image

It then asks users to buy and install certain software to resolve problems caused by the malicious software supposedly detected on the computer.

When the fake antivirus ‘detects’ infected files, it prompts the user to enter a code they will receive when they buy the antivirus pack.

image

To do so, users are redirected to a page where they can purchase the software using a credit card.

image

It also displays several warnings informing about malware problems, registry errors, etc.

The second example of malware in this report is the Ramson.G worm, which appears on screen with the icon of an ordinary executable file and repeatedly launches the Windows taskkill utility, passing it a series of commands, to terminate processes.

When the computer is restarted, a message in Russian is displayed

image

and a code to access the system is requested. Once the code is entered, it displays another message and restarts the system.

image

It spreads through mapped, shared and removable drives, dropping an autorun.inf configuration file on each so that the malware executes automatically from those drives.
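The autorun.inf mechanism above is simple enough to check by hand on any drive a responder picks up. The Python below is an added example, not PandaLabs' or the original author's code: it parses the [autorun] section and lists every key through which the file can launch a program. Both .inf texts are constructed; the benign one is what a vendor CD typically carries, the other follows the pattern worms use.

```python
r"""Flag an autorun.inf that would auto-execute a program from a drive.

Added example for this post; not PandaLabs' or the original author's code.
The report says Ramson.G spreads through mapped, shared and removable drives
by dropping an autorun.inf that makes it self-execute; the two .inf texts
below are constructed to show a benign file next to one of that kind.
"""
import re

# Constructed: a vendor CD's autorun.inf that only sets an icon and a label.
BENIGN_INF = r"""[autorun]
icon=setup.exe,0
label=Photos 2009
"""

# Constructed: the pattern worms use. The autorun action, the ShellExecute
# action and the context-menu verbs (open, explore) are all pointed at the
# dropped file, and the icon and label are borrowed from the shell so the
# drive looks normal. INI parsing is case-insensitive, so mixed case changes
# nothing.
MALICIOUS_INF = r"""[AutoRun]
; harmless-looking comment
open=RECYCLER\svc.exe
ShellExecute=RECYCLER\svc.exe
shell\open\command=RECYCLER\svc.exe
shell\explore\command=RECYCLER\svc.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
"""

LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased.

    Only that section is considered; blank lines and ';' comments are skipped
    and section and key names are compared case-insensitively.
    """
    section = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launched_programs(text):
    """(trigger, program) pairs for every way this file can run code."""
    hits = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS:
            hits.append((key, value))
        else:
            m = VERB_COMMAND_RE.match(key)
            if m:
                hits.append(("shell\\%s\\command" % m.group(1), value))
    return hits


def is_dangerous(text):
    """True if opening or double-clicking the drive would execute something."""
    return bool(launched_programs(text))


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("malicious", MALICIOUS_INF)):
        print(name, launched_programs(inf))
```

The benign file yields nothing; the worm-style file yields four launch paths, all pointing at the same dropped executable, which is the tell. Checking the file is no substitute for turning the feature off: setting NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun for every drive type, so an autorun.inf on a mapped or removable drive is never honoured in the first place.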

More information about these and other malicious codes is available in the Panda Security Encyclopedia.

You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.


Filed under Don't Get Scammed, Don't Get Hacked, Interconnectivity, Internet Safety, Internet Security Alerts, Malware Advisories, Online Safety, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, scareware, Scareware Removal Tips, System Security, Windows Tips and Tools