Panda AV Command Line 9.5.1

Greetz to Panda AV team that had just made it’s ninth version of it’s (their) comand Line AV.

This new engine incorporates interesting features over previous versions specially focused on detecting and deactivating active rootkits and improved heuristic detection of new and unknown malware:

* Engine version 1.5.1 integration.
* Reboot driver. Disinfection during reboot of active rootkits. Needs to run with admin priviledge.
* Integration of Heuristic engine 7.0.7 with improved performance. Defaults to medium sensitivity.
* Suspicious detection counter in both console and logs.
* Digitally signed executables.
* New log in CSV format (pavcl.log).

The new log format is as follows:
[Date];[Complete_path];[File_name_in_compressed];[Malware_name];[Detection_ID];[Action_taken];
[Sub_action];[Additional_information];[Status_ok_or_error];

Be sure to download the signature file available from their blog for testing purposes which is NOT updated on a regular basis. For production and critical scanning systems make sure to contact Panda for a regular signature feed.

Download the new PAVCL 9.5.1.00 here.

Return codes are available for integrations of PAVCL with automated scanning systems. PAVCL returns a numeric value of 4 bytes to indicate the type of program exit, the type of operation performed and the number of malware detected. For more info on this contact me.

This version is compatible with Windows 2000, 2003, XP (32 and 64 bits) and Vista (32 and 64 bits).

Fake UPS Mail

These last days, several false email messages in circulation which seemed to come from the UPS company. However, they are not related to with this company at all.

The aim of these emails is not to inform us of the impossibility to deliver a postal package, but to entice us to open the attached file to infect our computers (detected as Trj/Agent.JEN).

This malware is copied in the system, replacing the Windows Userinit.exe (this file is the one which runs explorer.exe, the interface of the system and other important processes), copying the legitimate file as userini.exe, so that the computer can work properly.

Additionally, it establishes a connection with a Russian domain, which has been used on some occassions by banker Trojans. From this domain it will redirect the request to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively.

The following graph represents the evolution of this malware with regard to the samples received during the last days. Before being included in our signature file, it was already detected by our TruPrevent Technologies as a suspicious file.

Trj/Agent.JEN
MD5: 6B4EF50E3E21205685CEA919EBF93476

Rootkit/Agent.JEP
MD5: C65EBF59203CE3F05861398CC41A976A

Adware/AntivirusXP2008
MD5: EF6FFCC71B81B53328B63985B20C3871

Akihabara distributing malware too?

It is surprising how fast the cyber-crooks take advantage of any eye-catching news to distribute malware. Less than two days after the tragic event that took place in Tokyo “Tomohiro Kato - Akihabara Killer”, we detected an email that used this news as a bait to deceive users.

The email seemed to come from an address belonging to the RPP news (Radio Programas del Perú) in order to pass itself as a trustworthy source. However, you can check in the following URL, which makes reference to the official news published by RPP, that it is totally different to the news included in the malicious email message, where after a brief description of the event, users are enticed to download and see a video regarding this news. However, what they actually download and install in the system is the Trojan QHost.IH.

This malware is designed to modify the hosts file by adding four fake websites of a certain banking entity. This way, if users visit any of the websites included in the hosts file, they will not be redirected to the original one but to another imitating the original website.