Symantec – Page 2 – Paul's Tech Talk

Alarming results are coming from the Conflicker Worm

PaulJanuary 22, 2009

[ad#digg-right]Today I’ve been doing research because I surprised how many people have searched for the Conflicker Worm/Virus and I wanted to point just how bad this is getting. I was looking on Twitter about this some more and here is what I found out:

Over a million conflicker hosts: Are you responsible for any of them? (http: //tinyurl.com/awpeep

[Via twitter Hevnsnt]

Now I went there and he seemed to of added “)” to the URL so I took that out and here’s the URL to check this out. I went there and saw all these IP(Internet Protocols) and it claims that it is over a MILLION. I don’t know if it is true because I stopped the list of IP’s due to the size of list.

I also wanted to talk about the rate at which people are finding this site due to the conflicker virus/worm infecting their systems. As you can see it is steadily increasing as more and more people are trying to find out how to get rid of this very pesky infestation. See below for some good resources to get this annoyance.

I went back to twitter and some other places to find out what people are saying about this virus and I found this interesting comment:

Conflicker Virus has locked out my work account again…. slightly upsetting it keeps trying to break my account password

[via Twitter twitpaul]

[ad#ad2-right]According to one blog post, they seem to think this is a test worm trying the waters out to see how well it works. I tend to agree with this blog post because of the unlikely hood of just infecting systems for fun. I also think they are going to use this worm/virus for a Botnet. There have been several post about this being a possible Botnet setup. Acording to Computeworld, They claim this is building a Botnet and I tend to wonder if this was a bad deployment or if they are just reading to start this up after so many computers are infected.

I don’t know what to call the Conflicker a Virus or a Worm. So I’ve decided to just use both. I’ve been telling people to patch there system as soon as possible. I’d also tell people that you need a good AV and a Good Firewall. Although this sometimes won’t prevent you from getting a virus you will undoubtedly need to disable Auto run. Here are some good resources to better help you get this virus off your system:

F-secure Downadup Removal Tool

Symantec 32.Downadup Removal Tool

Bit Defender Removal Tool

Malware Resource

As you can see there are several different options to help remove this virus and I thought I would list them here. I have heard how hard this virus is to remove and I want to help people remove this virus. Some other things to consider is disabling your restore points before you remove the worm, or it will just come back.

Removing Win32/Bagle.HE worm

PaulDecember 15, 200815 Replies

Here is another virus that seems to be spreading lately. From the looks of it, it sees to be another email worm. Here is what eset says:

Aliases

Email-Worm.Win32.Bagle.gt (Kaspersky), W32/Bagle.gen (McAfee), Trojan.Tooso!gen (Symantec)

[ad#ad2-right]Win32/Bagle.HE is a worm that spreads via e-mail. The size of its executable is 40565 B .

When executed the worm copies itself in the following locations:

Documents and Settings\All Users\Application Data\hidn\
hldrrr.exe

Documents and Settings\All Users\Application Data\hidn\
hidn2.exe

In order to be executed on every system start, the worm sets the following Registry entry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drv_st_key

[ad#ad2-left]It seems to have a manual removal process, Unless you pay for the other software but according to the 411 on PC Security:

Win32/Bagle.HE worm is a “threat” that appears in security scans by fake antispyware WinDefender 2008.

The danger of Win32/Bagle.HE worm is supposed to scare you into wasting $49.95 on WinDefender 2008.

Unless you like getting ripped off, don’t download the software the Win32/Bagle.HE worm popup links to. You’re not really infected with Win32/Bagle.HE worm — you’re infected with scamware that you need to remove.

I’ll show you how to get rid of Win32/Bagle.HE worm and WinDefender 2008, for free.

[via 411 on PC Security]

According to this site you can remove it by doing some steps. I think Kaspersky has an easier way to remove it and it looks like most anti-virus software will remove this. You need to remember that only you can prevent this from the future. You should also update your windows update and make sure your system is up to date.

Figuring out the Email-Worm Win32.Zafi.b

PaulDecember 13, 2008

This is another just I just saw on the web and wanted to talk about what this little Worm does and what it’s known Aliases:

Email-Worm.Win32.Zafi.b (Kaspersky Lab) is also known as: I-Worm.Zafi.b (Kaspersky Lab), W32/Zafi.b@MM (McAfee), W32.Erkez.B@mm (Symantec), Win32.Hazafi.30720 (Doctor Web), W32/Zafi-B (Sophos), Win32/Zafi.B@mm (RAV), PE_ZAFI.B (Trend Micro), Worm/Zafi.B (H+BEDV), W32/Zafi.B@mm (FRISK), Win32:Zafi-B (ALWIL), I-Worm/Zafi.B (Grisoft), Win32.Zafi.B@mm (SOFTWIN), Worm.Zafi.B (ClamAV), W32/Zafi.B.worm (Panda), Win32/Zafi.B (Eset)

[ad#ad2-left]This worm spreads via the Internet as an attachment to infected messages, and also via local and file-sharing networks.
It is written in Assembler, and packed using FSG. It is 12800 bytes in packed form, and 33292 in unpacked form.

This Worm seems to be running through email and file sharing sites, One thing it tries to do is stop the process and deletes:
fvprotect.exe
winlogon.exe
jammer2nd.exe
services.exe

It attempts to detect antivirus program files on the computer and overwrite them with a copy of itself.

[ad#ad2-right]It also attempts to conduct DoS attacks on the following sites:

www.2f.hu
www.parlament.hu
www.virusbuster.hu
www.virushirado.hu

This seems to be a very big virus and can be removed with the use of Kapersky Virus removal tool for free for this type of virus. In order to prevent this virus in the future the user has to remember about not getting opening unknown documents or emails and not running any unkown program from an unknown file sharing. Also remember you need to have an anti-virus and also a firewall to protect yourself in the future.

trojan.zlob removal tricks!!

PaulDecember 6, 2008

[ad#ad2-right]

Aliases:
Trojan-Downloader.Win32.Zlob.qyl (Kaspersky)
Trojan-Downloader.Win32.Zlob.qzs (Kaspersky)
Trojan-Downloader.Win32.Zlob.qzn (Kaspersky)
Trojan.Zlob.CPP (BitDefender)
Puper (McAfee)
SystemDefender (Symantec)

Trojan:Win32/Zlob.G is a component of Win32/Zlob that downloads rogue security programs, adware, and additional Win32/Zlob components.

[Via Windows Live OneCare]

[ad#ad2-left]This one just popped up today on my radar it seems to be a very low threat on everyone’s radar according to my sources say “Trojan.Zlob.G is a Trojan horse that may download and execute remote files and redirect the Internet Explorer home page and search page.” So to remove this little Trojan you would want to download one an Anti-virus and firewall. Once you install the software the program should fix the problem for you. This one seems to be really easy to fix. So Please read my post on how to better protect your self if you want to prevent this in the future.

Spying on Spyware.ISpynow!!

PaulNovember 29, 2008

[ad#digg-right]This is another Virus that is going around and thought I’d tell you about it:

Spyware.ISpyNow monitors files, network traffic, and keystrokes. This Spyware gives the person who installed it a Web-based interface with summaries of logged information on the host computer.

[Via Symantec]

[ad#ad2-left]Now this one isn’t to hard to figure out what happened. You have to manually install it on your system to get infected. Symantec has a great way on uninstalling this annoyance. I also suggest checking out my other program list just in case you don’t want to buy Symantec Anti-Virus programs. Some other things to check out is:

Avg detected Trojan Horse Generic 12.htc? – This has a great article on how to use HiJackthis program and how to make sure you no longer have the virus.

Some Important programs to prevent yourself from having viruses and Malware!! — This article gives you some other programs to use other than Symantec. You have a wide variety of choices on Anti-virus programs and Firewall Choices. You also have some choices on Spyware removal programs.

This is just the beginning in getting your system clean. You have to keep all you programs up to date and one way I do that is with Appsnap. This little program keeps you programs up to date from Virus to Firewall. I hope this helps people prevent and control spyware.