Archive for August, 2008

Just Beware!

Posted in Virus info on August 31, 2008 by msbasic

Just writing up the most actively exploited vulnerabilities of the year, each paired with the exploit detection name it maps to…

MS03-011: Exploit/ByteVerify
MS04-013: Exploit/Mhtredir.gen
MS06-001: Exploit/Metafile and Exploit/WMF
MS05-002: Exploit/LoadImage
MS04-013: Exploit/Codebase.X (Similar ones Codebase and Codebase.gen)
MS06-055: Exploit/VML.A

Panda AV Command Line 9.5.1

Posted in Uncategorized on August 13, 2008 by msbasic

Greetz to the Panda AV team, who have just released the ninth version of their command-line AV.

This new engine incorporates interesting features over previous versions, especially focused on detecting and deactivating active rootkits and on improved heuristic detection of new and unknown malware:

* Engine version 1.5.1 integration.
* Reboot driver. Disinfection of active rootkits during reboot. Needs to run with admin privileges.
* Integration of Heuristic engine 7.0.7 with improved performance. Defaults to medium sensitivity.
* Suspicious detection counter in both console and logs.
* Digitally signed executables.
* New log in CSV format (pavcl.log).

The new log format is as follows:
[Date];[Complete_path];[File_name_in_compressed];[Malware_name];[Detection_ID];[Action_taken];[Sub_action];[Additional_information];[Status_ok_or_error];
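As an added example (not part of the original post and not Panda's own tooling), here is a small Python parser for that log layout. The field order is taken from the format above; the sample lines, detection IDs and the action/status words (Disinfected, Quarantined, OK, ERROR) are constructed for the demo, since the post does not list PAVCL's actual vocabulary. The parser copes with the trailing ';' that ends every record, then summarises detections per malware name and per action and pulls out the records whose status is not OK, which is what an automated scanning pipeline would want to alert on.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Field order as quoted in the post; every record ends with a trailing ';'.
FIELDS = (
    "date", "path", "name_in_archive", "malware_name", "detection_id",
    "action", "sub_action", "additional_info", "status",
)


@dataclass(frozen=True)
class LogEntry:
    date: str
    path: str
    name_in_archive: str   # empty unless the hit was inside an archive
    malware_name: str
    detection_id: str
    action: str
    sub_action: str
    additional_info: str
    status: str

    @property
    def in_archive(self) -> bool:
        return bool(self.name_in_archive)

    @property
    def ok(self) -> bool:
        return self.status.upper() == "OK"


def parse_pavcl_log(text: str) -> List[LogEntry]:
    """Parse pavcl.log text (semicolon-separated, trailing separator) into entries."""
    entries: List[LogEntry] = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), 1):
        if not any(field.strip() for field in row):
            continue  # blank line
        # The trailing ';' makes csv emit one extra empty column; drop it.
        if len(row) == len(FIELDS) + 1 and row[-1] == "":
            row = row[:-1]
        if len(row) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        entries.append(LogEntry(*(field.strip() for field in row)))
    return entries


def summarize(entries: List[LogEntry]) -> Tuple[Counter, Counter, List[LogEntry]]:
    """Detections per malware name, actions taken, and records that did not end OK."""
    by_malware = Counter(e.malware_name for e in entries if e.malware_name)
    by_action = Counter(e.action for e in entries)
    failed = [e for e in entries if not e.ok]
    return by_malware, by_action, failed


# Constructed sample log: paths, IDs and action/status words are made up for the demo.
SAMPLE_LOG = """\
2008-08-13 10:02:11;C:\\Temp\\invoice.zip;invoice.exe;Trj/Agent.JEN;12345;Disinfected;Deleted;;OK;
2008-08-13 10:02:12;C:\\Windows\\System32\\userinit.exe;;Trj/Agent.JEN;12345;Disinfected;Deleted;File in use;ERROR;
2008-08-13 10:02:15;C:\\Users\\mark\\Desktop\\ticket.exe;;Trj/Sinowal.VQK;23456;Quarantined;;;OK;

2008-08-13 10:02:20;C:\\Users\\mark\\Downloads\\fireworks.exe;;Suspicious file;;Reported;;Heuristic medium;OK;
"""

if __name__ == "__main__":
    entries = parse_pavcl_log(SAMPLE_LOG)
    by_malware, by_action, failed = summarize(entries)
    print("detections:", dict(by_malware))
    print("actions:", dict(by_action))
    for e in failed:
        print(f"NOT OK: {e.path} ({e.malware_name}) -> {e.action}/{e.sub_action}: {e.additional_info}")
```

The strict field-count check is deliberate: a scanner log that silently drops or gains a column is a sign that the format changed under you, and it is better to fail the integration loudly than to mis-attribute a detection to the wrong file.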

Note that the signature file available from their blog is for testing purposes only and is NOT updated on a regular basis. For production and critical scanning systems, make sure to contact Panda for a regular signature feed.

Download the new PAVCL 9.5.1.00 here.

Return codes are available for integrating PAVCL with automated scanning systems. PAVCL returns a 4-byte numeric value that encodes the type of program exit, the type of operation performed and the number of malware items detected. For more info on this, contact me.

This version is compatible with Windows 2000, 2003, XP (32- and 64-bit) and Vista (32- and 64-bit).

Microsoft Updates for half year…

Posted in Information on August 13, 2008 by msbasic

Here are half or more of the MS bulletin updates (sorry for not posting these ones, I forgot).

February MS Bulletins:

This month Microsoft has released 11 security bulletins (from MS08-003 to MS08-013). Six of them are rated as critical and five as important. We recommend you update your systems ASAP, as most of the vulnerabilities allow remote code execution.

These bulletins update the following software: Active Directory, Windows TCP/IP, Internet Information Services, the WebDAV Mini-Redirector, OLE Automation, Word, Internet Explorer, the Works file converters, Publisher and the Office suite.

Microsoft Security Bulletin Summary for February 2008

April MS Bulletins

Five critical and three important updates have been released (from MS08-018 to MS08-025). It's time to start updating your systems if you haven't done so yet.

Critical updates affect these components: Microsoft Project, GDI, the VBScript and JScript scripting engines, updated ActiveX kill bits and Internet Explorer. On the other hand, DNS Client, the Windows kernel and Microsoft Visio are patched with important updates.

Most of them allow remote code execution, so don't forget to update your systems ASAP.
You can find more information about the security bulletins by clicking the following link: MS08-April

Microsoft Security Bulletin Summary for April 2008

July MS Bulletins

As always, on the second Tuesday of the month Microsoft publishes its security bulletins. This month only 4 have been published, all of them rated as important.

Below you can see a description of the bulletins released in July.

Microsoft Security Bulletin MS08-037

Microsoft Security Bulletin MS08-038

Microsoft Security Bulletin MS08-039

Microsoft Security Bulletin MS08-040

May MS Bulletins

Four new security bulletins have been published (from MS08-026 to MS08-029) as part of the usual launch of Microsoft updates.

We recommend you update your systems as soon as possible, as according to Microsoft’s classification three of the bulletins are rated as “critical”, while the last one is rated as “moderate”.

You can find more information about the security bulletins by clicking the following links: 

MS08-026: An update for Microsoft Word which solves two vulnerabilities that could allow remote code execution if a user opens a specially crafted Word file.

MS08-027: An update for Microsoft Publisher which solves a vulnerability that could be exploited in order to execute arbitrary code if a user opens a malicious Publisher file.

MS08-028: An update to solve a remote code execution vulnerability in Microsoft Jet Database Engine.

MS08-029: A security update that addresses two vulnerabilities in the Microsoft Malware Protection Engine, which could allow a remote attacker to cause a denial of service if a specially crafted file is scanned.

March MS Bulletins

As usual, every second Tuesday Microsoft publishes security updates for its products. On 11 March, Microsoft published four updates (from MS08-014 to MS08-017), all of them rated as critical and all affecting the Microsoft Office suite.

We recommend you update your systems as soon as possible, as all of these flaws could allow remote code execution.

You can find more information about the security bulletins by clicking the following links:

MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution.

MS08-015: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution.

MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution.

MS08-017: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution.

August MS Bulletins

Eleven new security bulletins have been published (from MS08-041 to MS08-051) as part of the usual launch of Microsoft updates.

We recommend you update your systems as soon as possible, as according to Microsoft’s classification six of the bulletins are rated as “critical”, while the others are rated as “important”.

You can find more information about the security bulletins by clicking the following links:

  • MS08-041 – Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access.
  • MS08-042 – Vulnerability in Microsoft Word.
  • MS08-043 – Vulnerabilities in Microsoft Excel.
  • MS08-044 – Vulnerabilities in Microsoft Office Filters.
  • MS08-045 – Cumulative Security Update for Internet Explorer.
  • MS08-046 – Vulnerability in Microsoft Windows Image Color Management System.
  • MS08-047 – Vulnerability in IPsec Policy Processing.
  • MS08-048 – Security Update for Outlook Express and Windows Mail.
  • MS08-049 – Vulnerabilities in Event System.
  • MS08-050 – Vulnerability in Windows Messenger.
  • MS08-051 – Vulnerabilities in Microsoft PowerPoint.

Posted in Virus info on August 12, 2008 by msbasic

It’s pretty clear that the Beijing Olympic Games are a good chance for cybercrooks to infect users, using the Games as a social engineering lure.

The Games started some days ago, and we have just seen a new piece of malware, Bck/PcClient.HV, that poses as a PowerPoint presentation about the Games. It installs the files PcCortr.dll and 81.dll on the infected computer; these lower the system’s security level, enabling wuauct.exe, a file the malware copies into the system folder, to connect remotely to a Chinese IP and send information about the infected computer.

To avoid raising suspicion, it shows 12 slides about the real Beijing Olympic Stadium:

Some Fun…?

Posted in Virus info on August 12, 2008 by msbasic

Angelina naked!!!…. Angelina Jolie porno Video Free!!!…. Angelina Jolie And Madonna Compete For Adoption Of Jamie Lynn Spears Baby!!!!! Angelina Jolie And The *** Lover.-.. Angelina.. Angelinaaa….. Angelinaaaaaaaaaaaaaaaaaa!!!!!!!

You can also find messages with other fake news about any topic, but mainly about celebrities like Rihanna, Pamela, Britney Spears, Obama and Bush; the most used among them is Angelina Jolie.

However, we have recently received another kind of spam. I was surprised to see neither Angelina Jolie nor Britney nor Obama; instead, it was a fake email that appeared to come from an airline company, with an electronic flight ticket attached…

This electronic ticket is in fact a banker Trojan, Trj/Sinowal.VQK, designed to steal confidential data…

Independence Day Worm (from a month ago)

Posted in Virus info on August 12, 2008 by msbasic

Once again the Storm worm, as on so many other special dates, reaches our mailboxes in order to infect our computers with malware.

This time it is related to a very special day in the United States:

Independence Day firework broke all records

Amazing Independence Day show

Celebrating the Glory of our Nation

Celebrating 4th of July

Super 4th!

Etc…

This is what we see in the browser after clicking the link included in these emails:

WWW

Evidently, as on many other occasions, it is not an embedded video: while we are looking at this website, our browser is being pushed to install W32/Nurech.BG.worm on our computer.

The cases we have seen up to now follow the same pattern: the links point to different websites whose IPs are located in the United States, and a malicious file is downloaded from “http://xxx.xxx.xxx.xxx/fireworks.exe”.

IPs
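As an added example that is not from the original post, here is the pattern just described turned into detection logic in Python: it pulls URLs out of a message body and flags those whose host is a bare IP literal and whose path ends in an executable, which is exactly the “http://xxx.xxx.xxx.xxx/fireworks.exe” shape of this campaign. It generalises a little beyond the post, to other executable extensions and to URLs carrying a port or a query string. The sample message is constructed; the 192.0.2.x and 198.51.100.x addresses are documentation ranges, not the real hosts behind the campaign.

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple
from urllib.parse import urlsplit

# Anything that starts like a URL; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Extensions a mail link should never hand you directly (generalised beyond .exe).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


class Finding(NamedTuple):
    url: str
    reasons: Tuple[str, ...]


def is_ip_literal(host: str) -> bool:
    """True for hosts like 192.0.2.10 (or an IPv6 literal); False for DNS names."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_url(url: str) -> List[str]:
    """Return the reasons a URL matches the Storm-style lure pattern (empty if none)."""
    parts = urlsplit(url)
    reasons: List[str] = []
    # hostname strips any :port, so "198.51.100.7:8080" is still recognised.
    if is_ip_literal(parts.hostname or ""):
        reasons.append("host is a bare IP literal")
    # path excludes the query string, so "fireworks.exe?ref=x" still matches.
    if parts.path.lower().endswith(EXECUTABLE_EXT):
        reasons.append("direct download of an executable")
    return reasons


def suspicious_urls(text: str) -> List[Finding]:
    """Extract URLs from a message body and keep those matching at least one reason."""
    findings: List[Finding] = []
    seen = set()
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)\"'")
        if url in seen:
            continue
        seen.add(url)
        reasons = inspect_url(url)
        if reasons:
            findings.append(Finding(url, tuple(reasons)))
    return findings


# Constructed lure message; addresses are from documentation ranges, not the campaign.
SAMPLE_MAIL = """\
Subject: Amazing Independence Day show

Celebrating the Glory of our Nation - watch the video:
http://192.0.2.10/fireworks.exe

Our site: https://www.example.com/fireworks.html
Mirror: http://198.51.100.7:8080/fireworks.exe?ref=july4
"""

if __name__ == "__main__":
    for finding in suspicious_urls(SAMPLE_MAIL):
        print(finding.url, "->", "; ".join(finding.reasons))
```

Both reasons together are the high-confidence signal; a bare-IP host alone is common on internal links and an .exe download from a named host alone is how plenty of legitimate software ships, so a mail gateway rule would normally weight the combination rather than either half.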

Fake UPS Mail

Posted in Uncategorized on August 12, 2008 by msbasic

Over the last few days, several fake email messages have been circulating that appear to come from the UPS company. However, they are not related to this company at all.

The aim of these emails is not to inform us that a package could not be delivered, but to entice us to open the attached file and infect our computers (detected as Trj/Agent.JEN).

This malware copies itself into the system, replacing the Windows userinit.exe (the file that launches explorer.exe, the system’s shell, and other important processes) and keeping a copy of the legitimate file as userini.exe so that the computer keeps working properly.

Additionally, it establishes a connection with a Russian domain that has been used on some occasions by banker Trojans. From this domain the request is redirected to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively.

The following graph represents the evolution of this malware in terms of the samples received during the last few days. Before being included in our signature file, it was already detected by our TruPrevent Technologies as a suspicious file.

Trj/Agent.JEN
MD5: 6B4EF50E3E21205685CEA919EBF93476

Rootkit/Agent.JEP
MD5: C65EBF59203CE3F05861398CC41A976A

Adware/AntivirusXP2008
MD5: EF6FFCC71B81B53328B63985B20C3871
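As an added example that is not part of the original post or of Panda’s tooling, the Python script below turns the indicators above into a simple host sweep: it hashes every file under a directory and matches the digests against the three MD5s listed, and it checks a System32 directory for the userinit.exe swap (a stray userini.exe, or a userinit.exe whose hash is on the list). The demo fixture is constructed: a made-up byte string stands in for the sample and its hash is added to a copy of the table at run time, since real samples cannot ship on the page. A hash match only catches these exact files; a repacked variant gets a new MD5, so on a live Windows host you would also verify the Authenticode signature of userinit.exe rather than rely on hashes alone.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# MD5s exactly as listed in the post (lower-cased), mapped to the Panda detection name.
KNOWN_MD5: Dict[str, str] = {
    "6b4ef50e3e21205685cea919ebf93476": "Trj/Agent.JEN",
    "c65ebf59203ce3f05861398cc41a976a": "Rootkit/Agent.JEP",
    "ef6ffcc71b81b53328b63985b20c3871": "Adware/AntivirusXP2008",
}


def md5_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through MD5 so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root: Path, known: Dict[str, str] = KNOWN_MD5) -> List[Tuple[str, str, str]]:
    """Hash every regular file under root; return (path, detection name, md5) for matches."""
    hits: List[Tuple[str, str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            digest = md5_of_file(path)
        except OSError:
            continue  # locked or unreadable file; a real sweep would log this
        name = known.get(digest)
        if name:
            hits.append((str(path), name, digest))
    return hits


def userinit_indicators(system32: Path, known: Dict[str, str] = KNOWN_MD5) -> List[str]:
    """Check a System32 directory for the userinit.exe replacement the post describes."""
    sysdir = Path(system32)
    findings: List[str] = []
    if (sysdir / "userini.exe").is_file():
        findings.append("userini.exe present: likely the renamed legitimate userinit.exe")
    userinit = sysdir / "userinit.exe"
    if not userinit.is_file():
        findings.append("userinit.exe missing")
    else:
        name = known.get(md5_of_file(userinit))
        if name:
            findings.append(f"userinit.exe hash matches {name}")
    return findings


def run_demo() -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Build a constructed fixture in a temp dir and run both checks over it.

    The 'infected' file is a made-up byte string, not malware; its MD5 is added to
    a copy of the IOC table so the sweep has something to match."""
    sample = b"constructed stand-in for Trj/Agent.JEN, not a real sample"
    known = dict(KNOWN_MD5)
    known[hashlib.md5(sample).hexdigest()] = "Demo/Constructed"
    with tempfile.TemporaryDirectory() as root:
        sys32 = Path(root) / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "userinit.exe").write_bytes(sample)            # trojan in userinit's place
        (sys32 / "userini.exe").write_bytes(b"the real userinit, renamed")
        (Path(root) / "report.txt").write_bytes(b"benign file, should not match")
        hits = sweep(Path(root), known)
        indicators = userinit_indicators(sys32, known)
    return hits, indicators


if __name__ == "__main__":
    hits, indicators = run_demo()
    for path, name, digest in hits:
        print(f"MATCH {name} {digest} {path}")
    for line in indicators:
        print("INDICATOR", line)
```

On a real host, point sweep() at the drive root (or at %SystemRoot% and the user profiles to keep it quick) and userinit_indicators() at %SystemRoot%\System32; the userini.exe check is the cheap one and is what you would turn into a scheduled job, since it does not depend on the sample hash at all.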

The Secret Simpsons Chapter…

Posted in Virus info on August 12, 2008 by msbasic

We have already observed that malware creators use any event or piece of news, true or fake, as a social engineering technique to deceive users and install malware on their systems. One of the latest tricks we have seen is the use of a detail mentioned in one of the Simpsons episodes, more specifically Season 14 / 14-8 / EABF03 / The Dad Who Knew Too Little.

In this episode, Homer Simpson reveals that his email address is “chunkylover53@aol.com”, and, as a matter of interest, this address was actually registered by one of the show’s producers, who answered users as if he were Homer himself. For this reason, it is no wonder that many fans have added this address as a contact in their email service.

However, it seems that certain AOL accounts are passing themselves off as Chunkylover53 in order to deceive users and make them follow a link that infects their computers with malicious code. It is being distributed via the AIM instant messaging program with the following message:

The malware has been detected as Bck/Turkojan.I, as it is a variant created with the Constructor/Turkojan mentioned previously.

Windows Registry Deleting =)

Posted in Broadcast & Videos on August 12, 2008 by msbasic

Sorry for the long time without posting and approving your comments, but I was busy with other things… This post is about a video I made on another YouTube account. The video was called “Registry Deleting” and was about deleting all the registry entries I could in Microsoft Windows (C). I was afraid that what happened to the virtual PC “Test PC” would happen to my, Mark’s, computer… So when I had deleted half of the registry entries you can see some lag in the video; that is just where I was cutting the video to check the registry of Mark’s computer (an old friend). You can check the video at http://www.youtube.com/watch?v=x9nWxsJTv8w. Don’t try that on your home computer; that was done on a test PC… After that I deleted the other registry entries I could and… I deleted AUTOEXEC.bat and I turned off the computer with the Virtual PC option, not the Windows one, because I had also deleted Rundll32.dll and .exe and I could not press the start button or the volume… Well, when I started it up again, this happened: