Greetz to Panda AV team that had just made it’s ninth version of it’s (their) comand Line AV.

This new engine incorporates interesting features over previous versions specially focused on detecting and deactivating active rootkits and improved heuristic detection of new and unknown malware:

* Engine version 1.5.1 integration.
* Reboot driver. Disinfection during reboot of active rootkits. Needs to run with admin priviledge.
* Integration of Heuristic engine 7.0.7 with improved performance. Defaults to medium sensitivity.
* Suspicious detection counter in both console and logs.
* Digitally signed executables.
* New log in CSV format (pavcl.log).

The new log format is as follows:
[Date];[Complete_path];[File_name_in_compressed];[Malware_name];[Detection_ID];[Action_taken];
[Sub_action];[Additional_information];[Status_ok_or_error];

Be sure to download the signature file available from their blog for testing purposes which is NOT updated on a regular basis. For production and critical scanning systems make sure to contact Panda for a regular signature feed.

Download the new PAVCL 9.5.1.00 here.

Return codes are available for integrations of PAVCL with automated scanning systems. PAVCL returns a numeric value of 4 bytes to indicate the type of program exit, the type of operation performed and the number of malware detected. For more info on this contact me.

This version is compatible with Windows 2000, 2003, XP (32 and 64 bits) and Vista (32 and 64 bits).

Here are the half or more of the bulletins updates for MS (Sorry for not posting this ones, I forgot).

February MS Bulletins:

This month Microsoft has released 11 security bulletins (from MS08-03 to MS08-013). Six of them are rated as critical and five are Important. We recommend you to update your systems ASAP, as most of the vulnerabilities allow remote code execution.

These bulletins updates the following software: LSASS, DirectShow, Internet Explorer, Macrovision Driver, JScript, VBscript, Office Suite, Media File Formats, Message Queuing Service.

April MS Bulletins

Five critical and three important updates have been released (from MS08-018 to MS08-025). It’s time to start updating your system if you haven’t done it yet.

Critical updates affect these components: Microsoft Project, GDI, VBScript and JScript scripting engines, updated ActiveX Kill Bits and Internet Explorer. On the other hand, DNS Client, Windows Kernel and MIcrosoft Visio are patched with important updates.

Most of them allow remote code execution, so don’t forget to update your system asap.
You can find more information about the security bulletins by clicking the following link: MS08-April

July MS Bulletins

As always, every 2nd Tuesday of the month Microsoft publishes his security bulletins. This month only 4 have been published and all of them rated as important.

Below you can see a description of the bulletins released in July.

Microsoft Security Bulletin MS08-040

Microsoft Security Bulletin MS08-038

Microsoft Security Bulletin MS08-037

Microsoft Security Bulletin MS08-039

May MS Bulletins

Four new security bulletins have been published (from MS08-026 to MS08-029) as part of the usual launch of Microsoft updates.

It’s pretty clear that Beijing’s Olympic Games are a good chance for cybercrooks to infect users using the Games as a social engineering tool.

The Games had started some days ago, and we have just seen a new malware, Bck/PcClient.HV, that seems to be a PowerPoint about the Games, but it installs in the infected computers the files PcCortr.dll and 81.dll, that lower the system security level, enabling the file wuauct.exe copied by the malware in the system folder to remotely connect to a Chinese IP to send information about the infected computer.

To avoid any suspect, it shows 12 slides about the real Beijing Olympic Stadium:

Angelina naked!!!…. Angelina Jolie porno Video Free!!!…. Angelina Jolie And Madonna Compete For Adoption Of Jamie Lynn Spears Baby!!!!! Angelina Jolie And The *** Lover.-.. Angelina.. Angelinaaa….. Angelinaaaaaaaaaaaaaaaaaa!!!!!!!

You can also find messages with other fake news about any topic, but mainly about celebrities like Rihana, Pamela, Britney Spears,Obama, Bush but among them the most used is Angelina Jolie.

However, we have recently received another kind of spam. But I was surprised not to see Angelina Jolie neither Britney nor obama.. instead, I saw that it was a fake email coming from an airline company which attached had a flight electronic ticket…

This eletronic ticket is in fact a Banker Trojan,Trj/Sinowal.VQK, which is designed to steal confidential data…

Once again the Stormworm as in many other special dates reaches our mailboxes in order to infect our computers with malware. 

This time it is related to a very special day in the United States:

Independence Day firework broke all records

Amazing Independence Day show

Celebrating the Glory of our Nation

Celebrating 4th of July

Super 4th!

Etc…

This is what we will view in the web after clicking the link included in these emails: 

Evidently, as in many other occasions, it is not an embedded video, so while we are seeing this website, our browser will be trying to install W32/Nurech.BG.worm in our computer.

The cases we have seen up to now follow the same pattern, the links point to different websites whose IPs are located in the United States and a malicious file will be downloaded “http://xxx.xxx.xxx.xxx/fireworks.exe ”.

These last days, several false email messages in circulation which seemed to come from the UPS company. However, they are not related to with this company at all.

The aim of these emails is not to inform us of the impossibility to deliver a postal package, but to entice us to open the attached file to infect our computers (detected as Trj/Agent.JEN).

This malware is copied in the system, replacing the Windows Userinit.exe (this file is the one which runs explorer.exe, the interface of the system and other important processes), copying the legitimate file as userini.exe, so that the computer can work properly.

Additionally, it establishes a connection with a Russian domain, which has been used on some occassions by banker Trojans. From this domain it will redirect the request to a German domain in order to download a rootkit and a rogue antivirus, detected as Rootkit/Agent.JEP and Adware/AntivirusXP2008 respectively.

The following graph represents the evolution of this malware with regard to the samples received during the last days. Before being included in our signature file, it was already detected by our TruPrevent Technologies as a suspicious file.

Trj/Agent.JEN
MD5: 6B4EF50E3E21205685CEA919EBF93476

Rootkit/Agent.JEP
MD5: C65EBF59203CE3F05861398CC41A976A

Adware/AntivirusXP2008
MD5: EF6FFCC71B81B53328B63985B20C3871

We have already observed that malware creators use any event, “true or fake” news as a social engineering technique to deceive users and install malware in their systems. One of the latest tricks we have seen is the use of one detail mentioned in one of the Simpsons episode, more specifically in Season 14 / 14-8 / EABF03 / The Dad Who Knew Too Little.

In this episode, Homer Simpson reveals that his email address is “chunkylover53@aol.com”, and just as matter of interest, this address was actually registered by one of its producers, answering users as if he were Homer himself. For this reason, it is no wonder that many fans have added this address as a contact in their email service.

However, it seems that there are certain AOL accounts that are passing themselves off as the identity of Chunkylover53, in order to deceive users and make them follow a link to infect their computers with a malicious code which is being distributed with the following message via the instant messaging program AIM:

The malware has been detected as Bck/Turkojan.I, as it is a variant created with the Constructor/Turkojan mentioned previously in this post.

Sorry for long time no posting and approving your comments but I were in other things… This post is about a vgideo I made in another account of youtube, the video was called “Registry Deleting” about deleting all the registry entries I could in Windows Microsoft (C). I were afraid that the thing that happened to the virtual PC “Test PC” happened to my, Mark’s computer… So When I just deleted the half of the registry entries you could see some lags in the video just that I was cutting the video for checking the registry of Mark’s Computer (An old friend). You can check the video on http://www.youtube.com/watch?v=x9nWxsJTv8w. Don’t try that at your home computer thatv was released on a test pc… After that I deleted other registry entries I could and… I Deleted AUTOEXEC.bat and I Turned off the computer with The Virtual PC Option, not the Windows, because I also Deketed Rundll32.dll and .exe and I could press the start button nor volume… Well When I just Started it again this happened:

It is surprising how fast the cyber-crooks take advantage of any eye-catching news to distribute malware. Less than two days after the tragic event that took place in Tokyo “Tomohiro Kato - Akihabara Killer”, we detected an email that used this news as a bait to deceive users.

The email seemed to come from an address belonging to the RPP news (Radio Programas del Perú) in order to pass itself as a trustworthy source. However, you can check in the following URL, which makes reference to the official news published by RPP, that it is totally different to the news included in the malicious email message, where after a brief description of the event, users are enticed to download and see a video regarding this news. However, what they actually download and install in the system is the Trojan QHost.IH.

This malware is designed to modify the hosts file by adding four fake websites of a certain banking entity. This way, if users visit any of the websites included in the hosts file, they will not be redirected to the original one but to another imitating the original website.

Yeah it sounds familiar doesn’t it? Trojan, the answer is trojan. Read the information below…

Everybody knows that nowadays it is very easy to create malicious programs or new variants of malware generally with the help of programs like virus constructors, which are publicly released by real experts in creating malware.

As Panda mentioned in a previously published post, these “beginners” in creating malware use different antivirus scanners with which they test their creations until they are undetectable. 

In this case, one of these tools is Constructor/Turkojan, which offers new different functionalities with each version, currently the v4.0. Among the options offered, the following are included:

Remote Desktop / Webcam Streaming / Audio Streaming / Remote passwords / MSN Sniffer / Remote Shell / Advanced File Manager / Online & Offline keylogger / Information about remote computer / Etc

You may be wondering which benefits the author gains with this tool.  Obviously, there is a financial reason behind this. Almost all users who design this type of tools offer versions with different services, which include customized support depending on the sum of money paid.

This is a clear example that shows that cybercrooks are more are more professional and that there is a real organized business which looks for the profitability of their creations.

-Information by ma friends of Panda and obiously me =).

Well yeah, I have the trojan in my Test PC Currently running and I’m writting this in my Test PC. It seems very good unless the 4.0 free version seems to be in turkish only and it sucks, I’m currently putting the link for trojan in the MOD page only for Admins & Mods, when I get full version I’m gonna update post putting the link of trojan free version and full version in MOD Page. If I don’t find full version I’m gonna still put the free version trojan here so don’t fuck off xD.