Threat Spotlight

For the week of 28 Dec 2009

Threat 1

Malicious iPhone worm targets jail-broken phones

Threat Name:

Worm: iPh/Duh-A

Users at Risk:

Jail-broken iPhone users who have not changed the default root password ('alpine')

Also Known As:

  • Kaspersky: Net-Worm.IphoneOS.Ike.b
  • Microsoft: Worm:iPhoneOS/Ikee.B
  • Trend Micro: OSX_IKEE.A

Removal Instructions:

Because iPh/Duh-A can download further code and commands from its controller, there is no way to know everything it has done to an infected phone. Users are recommended to restore their iPhones from the last known-clean backup, or to upgrade to the latest Apple firmware. In addition, please follow these instructions for removing worms.

About:

iPh/Duh-A is a multi-component worm that targets jail-broken iPhones (iPhones modified to run code not officially approved by Apple). It spreads over SSH, logging in to other jail-broken phones as root with the default password 'alpine'.

This worm can:

  • Communicate with a remote server (IP 92.61.38.16)
  • Download and install additional applications and malware

The worm changes any password on the iPhone that is still set to 'alpine' to 'ohshit', so that nothing else can log in with the default credentials; an owner who never changed the password is locked out of SSH as well.

iPh/Duh-A uses files with the following names:

  • duh
  • sshd
  • cydia.tgz
  • inst
  • syslog
  • rel

The worm also installs or modifies the following launchd configuration files (property lists), which start its components automatically:

  • com.apple.ksyslog.plist
  • com.apple.period.plist

It also installs several legitimate, non-malicious packages that it uses as tooling:

  • curl
  • adv-cmds
  • sqlite
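
As an added example (not part of the Sophos advisory), the checks below audit a jail-broken phone for the two things this worm depends on: accounts that still carry the factory password, and the presence of the worm's launchd property lists. It assumes that stock iPhone OS ships root and mobile with the crypt(3) hash of 'alpine', '/smx7MYTQIi2M', in /etc/master.passwd, and that the plists live in /System/Library/LaunchDaemons; the input data is constructed.

```python
"""Audit a jail-broken iPhone for what iPh/Duh-A needs: accounts still using
the factory password, and the worm's launchd property lists.

Added example, not Sophos code.  Assumptions not taken from the advisory:
  - stock iPhone OS ships root and mobile with the crypt(3) hash of 'alpine',
    which is '/smx7MYTQIi2M' in /etc/master.passwd;
  - the worm's plists live in /System/Library/LaunchDaemons.
"""

FACTORY_HASH = "/smx7MYTQIi2M"      # crypt(3) of 'alpine' (assumed stock value)
WORM_PLISTS = {"com.apple.ksyslog.plist", "com.apple.period.plist"}  # from the advisory
LAUNCH_DAEMONS = "/System/Library/LaunchDaemons"                      # assumed path


def accounts_with_factory_password(master_passwd: str) -> list:
    """Return, in file order, the user names whose hash is still the factory
    value.  Comment lines and lines without a hash field are skipped.  A hash
    that merely differs is not proof of safety: the worm itself rewrites
    'alpine' to 'ohshit'."""
    hits = []
    for line in master_passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == FACTORY_HASH:
            hits.append(fields[0])
    return hits


def worm_plists_present(listing) -> list:
    """Return the worm's launchd plist names found in a directory listing."""
    return sorted(WORM_PLISTS & set(listing))


def audit(master_passwd: str, listing) -> list:
    """Combine both checks into human-readable findings (empty = nothing found)."""
    findings = []
    for user in accounts_with_factory_password(master_passwd):
        findings.append(f"account '{user}' still has the factory password 'alpine'; "
                        f"iPh/Duh-A logs in over SSH with it")
    for plist in worm_plists_present(listing):
        findings.append(f"worm launchd file present: {LAUNCH_DAEMONS}/{plist}")
    return findings


# Constructed sample input modelled on a stock jail-broken phone.
SAMPLE_MASTER_PASSWD = (
    "##\n"
    "# User Database\n"
    "##\n"
    "root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh\n"
    "daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false\n"
)
SAMPLE_LISTING = ["com.apple.SpringBoard.plist", "com.apple.period.plist",
                  "com.apple.syslogd.plist"]

if __name__ == "__main__":
    # On a phone: open("/etc/master.passwd").read() and os.listdir(LAUNCH_DAEMONS)
    for finding in audit(SAMPLE_MASTER_PASSWD, SAMPLE_LISTING):
        print("FINDING:", finding)
```

On a real device the same functions would be fed the contents of /etc/master.passwd and a listing of the LaunchDaemons directory. Note the caveat in the docstring: because the worm itself replaces 'alpine' with 'ohshit', a non-default root password is not by itself evidence of a clean phone, which is why the plist check is paired with it.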

Threat 2

Unpatched Adobe Reader users vulnerable to Trojan attack

Threat Name:

Trojan: Troj/PDFJs-DS

Users at Risk:

Windows users running unpatched versions of Adobe Reader or Adobe Acrobat

Also Known As:

  • Avira: EXP/Pidief.xam
  • Kaspersky: Exploit.Win32.Pidief.cln
  • McAfee: Exploit-PDF-w
  • Microsoft: Exploit:Win32/Pidief.AM

Removal Instructions:

If you believe you've been infected, follow these instructions on how to remove Trojans.

About:

Troj/PDFJs-DS is a malicious PDF file that exploits two vulnerabilities in Adobe Reader: CVE-2009-3459, a heap-based buffer overflow, and the stack overflow in the Collab.getIcon JavaScript function (CVE-2009-0927). It is the first example of a malicious file using CVE-2009-3459 seen by SophosLabs.

When opened in a vulnerable reader, Troj/PDFJs-DS installs files detected by Sophos as Mal/Generic-A and Troj/Protux-Gen.

Adobe has since released updates for Adobe Reader and Adobe Acrobat that fix both vulnerabilities. Users are advised to update as soon as possible.
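
A static triage check for the exploit pattern described above, added here as an example and not Sophos code: it inflates FlateDecode streams, undoes the #xx escaping PDF allows in names, and reports JavaScript and Collab.getIcon indicators by location. The sample PDFs are constructed inline and contain only the function name, not exploit code; the indicator list is an illustrative starting point, not a signature set.

```python
"""Static triage of a PDF for the JavaScript-borne exploit pattern Troj/PDFJs-DS
uses.  Added example, not Sophos code.  The sample PDFs are constructed and the
indicator table is an assumption chosen for illustration."""
import re
import zlib

# Indicator substrings, checked after name de-obfuscation, and what each suggests.
INDICATORS = {
    b"/OpenAction": "an action runs automatically when the file is opened",
    b"/JavaScript": "JavaScript action dictionary",
    b"/JS": "inline or referenced JavaScript code",
    b"Collab.getIcon": "call into Collab.getIcon, the Reader function this Trojan attacks",
    b"unescape(": "unescape()-built string, typical of shellcode or heap-spray staging",
}

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Stream bodies; the lookbehind keeps 'endstream' from being taken as a new opener.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def unescape_pdf_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript,
    a common trick for hiding action names from naive string scanners."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield (offset, body) for each stream, inflating FlateDecode data where it
    decompresses; anything zlib rejects (images, plain text) is yielded raw.
    A compressed body that happened to contain b'\\nendstream' would be cut short."""
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            yield m.start(1), zlib.decompress(raw)
        except zlib.error:
            yield m.start(1), raw


def scan_pdf(data: bytes) -> list:
    """Return sorted (location, indicator, meaning) tuples for the whole file
    and for every inflated stream body."""
    views = [("file", unescape_pdf_names(data))]
    views += [(f"stream@{off}", unescape_pdf_names(body))
              for off, body in inflate_streams(data)]
    findings = set()
    for where, view in views:
        for needle, meaning in INDICATORS.items():
            if needle in view:
                findings.add((where, needle.decode(), meaning))
    return sorted(findings)


def build_sample_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF: /OpenAction -> JavaScript action whose code is a
    Flate-compressed stream, with the action name hex-escaped.  Not an exploit."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Constructed samples: one with the Collab.getIcon pattern, one with harmless JS.
SAMPLE_PDF = build_sample_pdf(b"var sled = unescape('%u9090%u9090'); Collab.getIcon(sled);")
BENIGN_JS_PDF = build_sample_pdf(b"app.alert('hello');")

if __name__ == "__main__":
    for where, needle, meaning in scan_pdf(SAMPLE_PDF):
        print(f"{where:12} {needle:16} {meaning}")
```

The scan reports where each indicator was seen, so a hit for Collab.getIcon inside a compressed stream while the top-level dictionaries show only an escaped /JavaScript name is exactly the shape a naive grep over the raw file would miss. Real samples may also use other filters (ASCIIHexDecode, LZWDecode) or split the JavaScript across objects, so treat a clean result as "nothing found by this check", not as a verdict.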

Threat 3

Facebook Fan Check virus scare leads to malware

Threat Name:

Malware: Troj/FakeAV-ZT

Users at Risk:

Windows users searching for information on a Facebook virus hoax

Also Known As:

  • Kaspersky: Trojan-Downloader.Win32.FraudLoad.wqwz
  • Avira: TR/Dldr.FraudLoad.wqwz
  • McAfee: Generic FakeAlert!ci trojan
  • Microsoft: Trojan:Win32/FakeXPA

Further Reading:

Graham Cluley's blog: Facebook Fan Check virus scare leads to malware

Removal Instructions:

Please follow these instructions on how to remove Trojans.

About:

Troj/FakeAV-ZT is a fake anti-virus installer written in Delphi and packed with a polymorphic packer that includes anti-emulator and anti-VM techniques. It is distributed through malicious websites pushed into search-engine results for phrases such as “Facebook Fan Check virus”, that is, searches driven by false rumours that the popular Facebook application “Fan Check” contained a virus. The malicious websites returned for these searches carry Mal/FakeAvJs-A, a malicious script which in turn delivers the Trojan.

Once active, Troj/FakeAV-ZT contacts Microsoft.com to confirm that it has a working Internet connection and then attempts to contact sites in China and the Netherlands. The Trojan also creates a registry key whose name is a random 32-character hexadecimal string:

HKLM\SOFTWARE\<32 char hexadecimal random key>
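
An added hunting check (not from the advisory) for that registry artefact: it flags immediate subkeys of HKLM\SOFTWARE whose names are exactly 32 hexadecimal characters, which is how the Trojan's random key differs from the braced, dashed GUID-style names legitimate software uses. The subkey listing below is constructed; on Windows the helper enumerates the live hive.

```python
"""Hunt for the registry key Troj/FakeAV-ZT creates: a subkey of HKLM\\SOFTWARE
whose name is a random 32-character hexadecimal string.  Added example, not
Sophos code.  SAMPLE_SUBKEYS is a constructed listing."""
import re
import sys

# Exactly 32 hex digits and nothing else.  GUID-style names such as
# {CE9C8E5B-...} contain braces and dashes and therefore do not match.
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def suspicious_subkeys(names) -> list:
    """Return the subkey names matching the 32-hex-character pattern, in order."""
    return [n for n in names if HEX32.fullmatch(n)]


def software_subkeys() -> list:
    """Enumerate the immediate subkeys of HKLM\\SOFTWARE on Windows.  Returns an
    empty list elsewhere so the module still imports for offline use.  The
    KEY_WOW64_64KEY flag makes a 32-bit Python see the native (not redirected)
    view on 64-bit Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE", 0, access) as key:
        count = winreg.QueryInfoKey(key)[0]          # (subkeys, values, mtime)
        for i in range(count):
            names.append(winreg.EnumKey(key, i))
    return names


# Constructed sample listing: a few ordinary vendor keys, a GUID-shaped key,
# one 32-hex-character key of the kind the Trojan creates, and a short hex name.
SAMPLE_SUBKEYS = [
    "Classes", "Clients", "Microsoft", "ODBC", "Policies",
    "{CE9C8E5B-6B1F-4DD8-B4CE-E6A9A4A2B9F9}",
    "3f2a9c1d8e7b6a5f4c3d2e1f0a9b8c7d",
    "deadbeef",
]

if __name__ == "__main__":
    listing = software_subkeys() or SAMPLE_SUBKEYS
    for name in suspicious_subkeys(listing):
        print(r"suspicious: HKLM\SOFTWARE\%s" % name)
```

Some legitimate installers also create hex-named keys, so a hit is a lead to inspect (values, timestamps, the process that owns them) rather than a conviction; the point is that the pattern is cheap to sweep across a fleet when the exact key name is random and cannot be listed in advance.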

The Trojan then prevents the following security and analysis tools from running, identifying them by executable name (so a renamed copy of a tool will typically still run):

  • procexp
  • procmon
  • regmon
  • filemon
  • tcpview
  • unlocker
  • wireshark
  • vbox
  • httpanalyzer
  • hijackthis
  • ollydbg

Troj/FakeAV-ZT also collects information about the infected computer, including the system BIOS details, the Windows version and registered licence information, and CPU details.

The code of this Trojan is similar to that of another fake anti-virus product, known as "Personal Anti Virus," detected by Sophos as Troj/PAV-Gen.