Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week's PandaLabs report looks at the Nabload.DLU Trojan, the Renus2008 adware and the MSNworm.FZ worm.

Nabload.DLU passes itself off as a funny video to trick users while downloading another malicious code to the target computer in order to steal online banking details. The process is as follows:

The Trojan reaches the targeted computer as a greetings video. When the user opens the file, the Trojan loads a funny video from the Internet, while simultaneously downloading another malicious code: Banker.LRX. This malware is designed to steal login credentials for several online banking entities.

You can watch a video showing what the targeted user would see while being infected: http://www.youtube.com/watch?v=OaQhFhVX6yI

Nabload.DLU also modifies the Windows Registry in order to activate every time the user restarts the computer. This way, it ensures it is always active on the system.

Renus2008 is a fake antivirus type of adware. Once run, it shows a screen simulating a computer scan. The malicious code gives the possibility of performing a quick or an in-depth scan of the computer. Also, users can configure different aspects of the fake antivirus as if it was a real one (see image here: )


Once the fake scan finishes, a warning message is displayed indicating that some infected files have been found on the system. However, these files do not exist.

Users are offered the option to disinfect their computers through the "Remove Viruses" button on the scan screen. If they do so, a window is displayed inviting them to register and buy the paid version of the fake antivirus (see image here: )

"If the user buys the paid version, they are paying for a product that actually does nothing and which, in some cases can't even be downloaded", explains Luis Corrons, Technical Director of PandaLabs. "This is one more example of how cyber-crooks try to trick users in order to get their money".

MSNworm.FZ is a worm that spreads by using the instant messaging program MSN Messenger. It attaches itself to messages passing itself off as a picture file, and sends itself to the victim's contact list.

To trick users, once run it shows an error message indicating that the "picture can not be displayed".

The worm also modifies the Microsoft Internet Explorer home page and creates a key in the Windows Registry to ensure it is run every time the session is started.

More information about these and other malware is available in the Panda Security Encyclopedia
(http://www.pandasecurity.com/homeusers/security-info)

You can receive the Panda Security news automatically by adding this URL (http://feeds2.feedburner.com/pandasecurity) to your feed reader.

Finally, follow Panda Security's activity online on FriendFeed (http://friendfeed.com/pandasecurity), and the PandaLabs blog (www.pandalabs.com)

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

Bankolimb.BX is a Trojan that monitors users' surfing habits and is activated when online banking pages are accessed, to steal passwords, credit card details, PINs, etc. It also steals passwords from the browser auto-fill service and from the Windows cache.

To do so, the malicious code registers as a BHO (Browser Helper Object). It is also designed to open a backdoor on the computer and connect to remote servers.

WinWebSecurity2008 is a fake antivirus type of adware. On running on the computer, it simulates the downloading of a security tool. Once on the computer, it pretends to scan the system, finding dozens of infections. It then offers the option of eliminating the supposed malware.

If users accept, the malicious code informs them they are not registered and redirects them to a Web page, in which they have to pay a sum of money to disinfect the computer.

In reality, none of this is true, as the infections detected and the security tool are fake.

The aim of this malicious code is to convince users they are infected and get them to buy the tool promoted by the adware, in short, the creators are out to profit financially.

You can find images of the product here:

BitTera.C is a malicious tool that is able to create hundreds of malicious codes and does not require programming knowledge.

BitTera.C allows malware creators to customize features: type, effects, encryption, polymorphism, etc. Among other malicious actions, it allows cyber-crooks to:

- Disable system features including the Registry, the Task
Manager, system recovery, security programs, the firewall, automatic updates, Messenger
- Hide the Start button, the system clock, desktop icons, etc.
- Close Internet Explorer every 10 seconds
- Switch the computer off every 5 minutes
- Format hard disks.

All these actions are available from a console by simply selecting the corresponding checkbox. For more information, go to the PandaLabs blog http://pandalabs.pandasecurity.com/archive/_2200_Constructing_2200_-bad-things_2E002E002E00_again.aspx

More information about these threats here:
http://www.pandasecurity.com/spain/homeusers/security-info/latest-threats/?sitepanda=particulares

You can receive the Panda Security news automatically by adding this URL
(http://feeds.feedburner.com/PandaSecurity) to your feed reader.

For up-to-date information about computer security, go to the Panda Security Twitter (http://twitter.com/Panda_Security) and the PandaLabs
blog (www.pandalabs.com)

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week's PandaLabs report provides information about the Bancos.TZ and SpyForms.BZ Trojans, and the p2pworm.AF worm.

Once run on computers, Bancos.TZ, displays an Internet Explorer window with special promotions from the Vodafone mobile phone company (see image here: http://www.flickr.com/photos/panda_security/3370049540/)
while it downloads malware from a URL. This malware steals users' bank details when they log on to the website of some specific banks. This information is later sent to the malware creator via email.

The Trojan also accesses the targeted users' Microsoft Outlook and MSN
contact list and sends them an email to infect them.

SpyForms.BZ is designed to steal instant messaging and email account
information. It also steals information sent through different
protocols:

* HTTP
* FTP
* POP3.
* IMAP
* ICQ

Finally, it steals information entered by users in online forms. All
this data is sent to the malware creator by connecting to a specific Web
page.

The p2pworm.AF changes the extension of files such as Explorer.exe,
Hh.exe and Regedit.exe to .hid. It also copies itself to the Windows
folder with the .exe extension.

To spread, it creates several copies of a malicious file in the
system32\hidrofobus folder with names of various games and programs. Then, it shares the file through the kazaa P2P file-sharing application to infect other users.

More information about these and other malware is available in the Panda Security Encyclopedia
(http://www.pandasecurity.com/homeusers/security-info)

You can receive the Panda Security news automatically by adding this URL (http://feeds2.feedburner.com/pandasecurity) to your feed reader.

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week's PandaLabs report provides information about a new variant of the dangerous Conficker worm, the MalwareDefender 2009 adware and the BadGorve.H Trojan.

The new variant of the Conficker worm (Conficker.D) that has appeared this week connects to numerous servers to update. Like other variants in this family, this worm uses the MS08-067 Microsoft Windows vulnerability to spread. Apart from allowing the worm to enter the computer, this vulnerability lets the attacker take several actions on the infected computer, even allowing control of the computer. This worm also spreads through USB devices, such as memory sticks and MP3 players.

This worm updates every day and downloads new versions of itself onto
the infected computer from Web pages that constantly change their URL to make it more difficult to block.

The Malwaredefender 2009 adware on the other hand, is a fake antivirus. On reaching computers, this adware, like most of its kind, simulates a malware scan to pass itself off as an antivirus. During the scan it supposedly detects several examples of (non-existent) malware in order to worry users (image: http://www.flickr.com/photos/panda_security/3348889715/).

It then invites them to buy the pay version of the fake antivirus to
eliminate the malware it claims to have detected, opening a registration
window (image: http://www.flickr.com/photos/panda_security/3348889711/).


On registering, users are redirected to a Web page to download the
Premium version of the fake antivirus: (image of the store here:
http://www.flickr.com/photos/panda_security/3348889717/)

Finally, the BadGorve.H Trojan is designed to eliminate files with
certain extensions (JPG and WMV among others) from specific directories on the infected computer, causing a significant loss of user
information.

More information about these and other malware is available in the Panda Security Encyclopedia
(http://www.pandasecurity.com/homeusers/security-info) and the PandaLabs blog (www.pandalabs.com)

You can receive the Panda Security news automatically by adding this URL (http://feeds2.feedburner.com/panda_security) to your feed reader.

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week's PandaLabs report looks at the Bancolimb.CH and Whizz.A
Trojans and the AntiSpyware3000 fake antivirus.

Bankolimb.CH is designed to obtain confidential user information such as passwords and user names. It also drops other malware on the infected computer. To do this, it adds itself to the list of programs allowed by the Microsoft Windows firewall. Then, it connects to a URL to download the Agent.KKI Trojan. This malware is created to take other malicious actions on the computer.

Whizz.A is a Trojan designed to hinder the computer's performance. It
shows a window with the title "System Error" and the message "Hallo du
Nase dein Pc ist schrott". Next, the computer starts beeping. Also, the
cursor moves on its own uncontrollably and the computer slows down
considerably. Finally, the Trojan covers the screen progressively with
red shading.

"This is a malicious code very similar to those that were in fashion
some years ago. It basically aims at disrupting the computer's
performance, something rather uncommon in recent times, as today's
cyber-crooks look for silent threats to profit financially through
password theft, etc.", explains Luis Corrons, Technical Director of
PandaLabs.

Finally, AntiSpyware3000 is an adware aimed at selling users a fake
antivirus. It is actually an update of another fake antivirus detected
as Antivirus XP Pro. Like all fake antiviruses, AntiSpyware3000 installs
on the computer trying to pass itself off as a security solution. Then,
it starts a spoof scan of the system, making the user believe it is
actually finding viruses on the computer, which is completely untrue. It
then offers users the option to eliminate the malware by buying a pay
version of the fake antivirus.

All these steps are shown in the images below:

Icon: http://www.flickr.com/photos/panda_security/3331976649/
False scan: http://www.flickr.com/photos/panda_security/3331976659/
Results: http://www.flickr.com/photos/panda_security/3331976655/
Store: http://www.flickr.com/photos/panda_security/3331976663/

"As we have already said, today's malware creators aim to profit from
their creations. Fake antiviruses are a clear example of this, as they
basically trick users into buying an antivirus to remove some
non-existent threats", explains Luis Corrons.

In this case, it is worth noticing the flaws found in the malicious
code's design, as for example, the fact that it classifies a threat as
critical and shortly after it reports it as easy-to-fix, as you can see
in this image: http://www.flickr.com/photos/panda_security/3331976651/

More information about these and other malware is available in the Panda Security Encyclopedia
(http://www.pandasecurity.com/homeusers/security-info)

You can receive the Panda Security news automatically by adding this URL (http://feeds2.feedburner.com/panda_security) to your feed reader.