For the week of
04 Jan 2010
Threat 1: Stubborn Internet Explorer toolbar hard to remove
Threat Name:
Potentially unwanted application: Widgi Toolbar
Users at Risk:
Internet Explorer users on Windows
Removal Instructions:
If you've received an alert for a blocked PUA or adware and decide that the application is not suitable for your workplace, then follow the instructions for removing PUAs.
About:
Widgi Toolbar is a browser helper object bundled with some freeware applications. It registers itself as a toolbar named WidgiToolbarIE.
The freeware installer may present the Widgi Toolbar as optional, but the option to decline the toolbar may be convoluted or hidden.
Widgi Toolbar creates the following registry keys:
HKCR\CLSID\C089D5FC-CFE2-4BCD-A522-2981448227CE
HKLM\Software\Microsoft\Internet Explorer\Toolbar\C089D5FC-CFE2-4BCD-A522-2981448227CE
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\C089D5FC-CFE2-4BCD-A522-2981448227CE
Widgi Toolbar redirects 404 (page not found) and DNS error pages to another website. It also resets the browser's default search page.
Threat 2: Christmas card email attachment really a malware attack
Threat Name:
Trojan: Troj/CryptBx-ZP
Users at Risk:
Windows users
Also Known As:
- Kaspersky: Trojan.Win32.Buzus.cvcz
- McAfee: Generic.dx!kxt
- Microsoft: Worm:Win32/Prolaco.gen!C
- Trend Micro: WORM_PROLACO.AQP
About:
Troj/CryptBx-ZP is one of many pieces of malware that use fake greetings to spread during the holidays. Attackers attach the malware to a fake Christmas card greeting email. The file attached to the email, named Christmas Card.zip, contains malware detected by Sophos as Mal/CryptBox-A. When users extract the attachment and click on the fake Christmas card executable, the malware runs in the background.
Threat 3: Fake browser plug-in exploits holiday cheer
Threat Name:
Trojan: Troj/Dropr-CL
Users at Risk:
Windows users
Also Known As:
- Kaspersky: Trojan-Downloader.Win32.Piker.bcd
- Microsoft: Trojan:Win32/Oficla.E
- Trend Micro: TROJ_PIKER.BX
About:
Troj/Dropr-CL is another piece of malware exploiting the friendly spirit of the holidays. This threat is delivered by an infected website that offers a fake browser plug-in.
When run, Troj/Dropr-CL creates the following file:
%SystemRoot%\system32\fimp.elo (detected as Mal/Sasfis-D)
and adjusts the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value "Shell"
The Trojan adds "rundll32.exe fimp.elo pufxcp" to this value, so the malware is started every time Windows restarts.
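Both Threat 1 (the Widgi Toolbar BHO and toolbar registrations) and Threat 3 (the tampered Winlogon "Shell" value) leave traces in the registry that an administrator can check offline from a .reg export. The following script is an added example, not code from the original report or from Sophos; the .reg text it parses is a constructed sample, and the key path checks and the CLSID constant are assumptions based on the keys listed above.

```python
import re

# Constructed .reg export (not from the original page) containing the Widgi
# Toolbar registrations from Threat 1 and the modified Shell value from Threat 3.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C089D5FC-CFE2-4BCD-A522-2981448227CE}]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{C089D5FC-CFE2-4BCD-A522-2981448227CE}"="WidgiToolbarIE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe rundll32.exe fimp.elo pufxcp"
'''

# CLSID quoted in the Widgi Toolbar entry above.
WIDGI_CLSID = "C089D5FC-CFE2-4BCD-A522-2981448227CE"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def find_widgi(keys, clsid=WIDGI_CLSID):
    """Return the CLSID, Toolbar and BHO key paths that mention the given CLSID."""
    hits = []
    for path, values in keys.items():
        upper = path.upper()
        if not any(t in upper for t in ("BROWSER HELPER OBJECTS", "\\TOOLBAR", "\\CLSID")):
            continue
        # The CLSID may be the subkey name itself (BHO, CLSID) or a value name (Toolbar).
        if clsid in upper or any(clsid in name.upper() for name in values):
            hits.append(path)
    return hits


def winlogon_shell_extras(keys):
    """Return anything in the Winlogon Shell value besides explorer.exe (normally empty)."""
    for path, values in keys.items():
        if path.upper().endswith("\\WINLOGON") and "Shell" in values:
            tokens = re.split(r"[\s,]+", values["Shell"].strip())
            return [t for t in tokens if t.lower() != "explorer.exe"]
    return []
```

Run against a real export (`reg export HKLM\SOFTWARE out.reg` on the machine under review) a non-empty result from either function is worth investigating.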