Rogue Fake Codecs on the Rise

Panda Labs has been talking about Adware/VideoPlay and they are seeing a lot of variants on this.   They even play a game, find the difference in the installation screen:

Now as you can see this look to be the same agreement in all those difference installation.  Some things to consider Never install any software from a website that you don’t know Nothing about about.

Panda Labs also talks about these new variants in regards to what they do:

This file spreads by making copies of itself in the removable drives and it also creates an autorun.inf in order to be run when they are accessed. This file collects the data stored in the browsers, such as cookies, passwords, profiles, email accounts, etc, and connects to a remote address to send the information.
[Via Panda Labs Blog]

[ad#ad2-right]As you can see this makes you have very little security with your system.  I talk about Identity theft, and why you should always worry about your identity.   This however will make your passwords less secure and maybe even compromise you system to the point of having a data breach.   You need to be careful when you come by this, some fake codecs have been know to be scareware.  In which, the fake codecs installs a Trojan to tell you have a virus and try to make you buy a fake program to get rid of the Virus.  In one of my recent posts about Codecs and Facebook, I talked about the K-Lite Mega Codec Pack and how that will prevent you from installing these sociable links from friends and family.  The nice thing about this pack is it install all the really good codecs that you might come across on the web.  If you have this installed and there’s a website that says you need a special codec, you’d know that it is either a fake codec or the author who made the video doesn’t standardize.   In which case you will be more willing to leave that site without installing that codec.

If you follow these steps and also consider installing an Anti-virus and Firewall, you will be in a much better shape then when you first started out. Remember only you can prevent from getting a virus. You should also consider doing the registry edit that will prevent Autorun. As you can tell these new variants also are spread through USB and other removable media. This is the other way these programs are using to infect other systems.

You won’t make money from W32:Sality.ao

People should be cautious of the making money because there is a variant out there trying to leverage the users into thinking they can make money.

McAfee Says “W32/Sality.ao is a parasitic virus that infects Win32 PE executable files. It infects files (*.exe and *.scr files) on the local, network and removable drives by overwriting code in the entry point of the original file and saving the overwritten code in its virus body. It then appends the virus body to the host file.”

Aliases for this Virus is:

  • Virus.Win32.Sality.y (Ikarus)

  • W32/Sality.AE (Norman)

  • W32/Sality.AH (Panda)

  • W32/Sality.AK (F-Prot)

  • Win32.KUKU.a (Rising)

  • Win32/Sality.AA (VET)

These links should help people understand it it.   You can visit my Malware Resources to help remove this virus.  Something to consider before removing this is to disable your restore points.

Remember there’s no easy to make money, the only real way is to work hard.  According to my research the Anti-virus companies have ways to remove this virus and as long as you update your database.

Internet Security Companies Warn about Patch Tuesday and Valentines Day.

With Tomorrow being released some very highly rated Remote Code Execution to become Zero day in very short time. Some researchers are speculating about more viruses will be released in conjunction to Valentines day. According to this one post it will be likely to be E-cards being sent to try to lure you into downloading Malware.
[ad#ad2-right]

Various security vendors, including CA Inc, MX Logic Inc., Trend Micro Inc., and Panda Security, have issued alerts about new Valentine’s Day-themed spam campaigns that try to dupe users into installing the Waledec bot.

Researchers note that many websites which are affiliated to Waledac e-card scam have been recently updated with content based on the Valentine’s Day theme.

Web sites distribute Trojan files which are commonly named love.exe; onlyyou.exe; you.exe; youandme.exe; and meandyou.exe and the list is not exhaustive.
[Via Express Buzz]

So which ones will likely be the exploits they will use? I have a few theories on that and One of them is the INTERNET EXPLORER vulnerability that will be patched and will try to get you to launch the link and will most likely try to launch it in Internet explorer, That would be my guess.    It seems to be Internet Explorer 7 and Below which will be patched so if you want to try out the IE 8 Beta,  You should be safe on that.  Although the best bet is to prevent users from clicking links in emails and also warning them not to open any attachments they are not expecting.    I’d also have the AutoPatcher ready to install the lastest patches for this Tuesday and schedule a time this week to update all the possible systems involved with the Databases.  Although this isn’t one that tries to steal your data it is however a chance the writers to look at what you have and you know how that can be call a data breach.   So if your the IT for the department I’d suggest sending out warnings so they can keep from being caught with their pants down.   I’d also suggest having Anti-Virus and free Firewall installed on all the major systems and it wouldn’t hurt to have the installed on minor systems if at all possible.

Valentine’s Day Brings More Malware!

Panda Labs talks about this new technique where it tries to install W32/Waledac.C.worm under the thought of someone special. It sends out email to people hoping to click links such as:

    [ad#ad2-right]

  • hxxp://goodnewsreview.com
  • hxxp://worldnewseye.com
  • hxxp://www.spacemynews.com
  • hxxp://www.worldnewsdot.com
  • hxxp://www.worldtracknews.com
  • hxxp://www.wapcitynews.com
  • hxxp://linkworldnews.com
  • hxxp://goodnewsdigital.com
  • hxxp://waleprojekt.com
  • hxxp://expowale.com
  • hxxp://topwale.com
  • hxxp://waleonline.com
  • hxxp://goodnewsdigital.com
  • hxxp://wapcitynews.com
  • hxxp://bestgoodnews.com
  • hxxp://spacemynews.com
  • hxxp://linkworldnews.com

Once your at the site,  clicking on the hearts you would then download an file that is the worm!!  SO here are some things to remember.

If you don’t know the person, then it’s probably spam.   If you know the person you need to ask them before you run the program.   You also need to scan any downloads before you run them.  Go to my Malware Page and get a free Anti-virus and Firewall.  For the likely possibility this worm seems to search the computer and harvest email addresses, you should also warn the person who email you the link to let them know that they are infected.

Blasting the Downadup.b/Conflicker back to the Stone-age!

It has been talked about the last few days where there is a worm hitting the computers who haven’t done the Microsoft Update MS08-067 which was release out of cycle and still have some systems has not been patched.  It has also been reported that it is spreading around the internet really quickly.   According to Computer World:

[ad#ad2-right]The worm, which was first reported by Panda and other security companies on Dec. 31, 2008, exploits a vulnerability in the Windows Server service that’s part of all currently supported versions of Microsoft’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.


[via Computer World]

It seems Microsoft has scolded people who haven’t patched for the October emergency update. Accusing users of playing “Russian Roulette”  and scolding them for not promptly updating their system to remove the vulnerability.

Symantec Blogged about this security of this program and how it was a variant of Downadup.b.  It also talks about how they are seeing an even more increase on this worm that was supposed to be patched by people who use Windows 2000 Server.

[ad#ad2-left]F-secure did a post about Downadup/Conflicker and how they took an Preemptive domain block list for this worm.   They have also seen an increase in this worm and they are trying to prevent this worm from gaining ground.   Talking about this being a network worm, in more ways then one.  Some have even seen it being sent through USB drives.   If you have a system you want to protect you should stop autorun.

Here are some links to better help you get this worm off your system:

In order to remove this worm, you must do a complete system scan with any of the free virus scanning programs.  You’ll need to update your virus database before you do the scan.  You may even want to try the free virus scanners tha are online to get rid of this worm.   These should help you get rid of this worm, but you must remember to install the update or you will get the worm again.  The MS08-067 Patch should be installed as soon as possible you can find the patch here.