Threat Spotlight

For the week of 08 Feb 2010
Threat 1

Almost a year later, Conficker still lurking

Threat Name:

Malware: Mal/Conficker-A

Users at Risk:

Windows users

Further Reading:

Listen to Paul Ducklin, Head of Technology for Asia Pacific, discuss the true threat from 2009's widespread Conficker virus with Patrick Gray, host of the ITRadio programme 'Risky Business'.


00:10:29 - 10 Feb 2009

Download the podcast

Conficker under the microscope

Paul Ducklin, Head of Technology for Asia Pacific, discusses the true threat from 2009's widespread Conficker virus - which spread via a variety of techniques including USB sticks - with Patrick Gray, host of the ITRadio programme 'Risky Business'.

Removal Instructions:

Our Conficker removal tool can clean Conficker if it is present on your machine.

About:

Conficker is alive and well. Approximately 6 million hosts on the internet are still infected with variants A and B, and another 250,000 with variant C. Conficker-A exploits a buffer overflow flaw in the Windows Server service (MS08-067) and infects your computer to join a botnet. Conficker-B adds the ability to spread via USB devices on computers with AutoPlay enabled and by guessing passwords on network shares.

After a successful exploit, Conficker-A consults a geographic IP database to check whether your computer is located in Ukraine; if it is, Conficker-A does not infect you. That database now points to the University of Bonn and always answers "Ukraine" for the location. This has greatly reduced Conficker-A's ability to spread, but it does not help clean up the machines that are already infected, nor does it stop them from trying to infect new hosts.

To date, Conficker's controllers remain a mystery. It is a large botnet by any measure, yet it has only been used for limited distribution of spam and malware. At one point it was distributing the Waledac Trojan, which has a history both of sending spam and of being a general-purpose botnet in its own right.

Threat 2

E-mail threat turns your computer into a spam machine

Threat Name:

Trojan: Troj/BredoZp-X

Users at Risk:

Windows users

Removal Instructions:

Please follow these instructions on how to remove Trojans.

About:

BredoZp-X was the most prominent attachment seen in emails this week at SophosLabs. Like the previously covered BredoZp-L, it depends on social engineering to deliver its payload: the emails try to trick you into running the attachment by presenting it as a photo.

Like other Bredo Trojans, it turns your computer into a spamming machine.

Threat 3

Anti-virus scanner? Nope, it's a Trojan

Threat Name:

Trojan: Troj/Agent-MJJ

Users at Risk:

Windows users

Removal Instructions:

Please follow these instructions on how to remove Trojans.

About:

Troj/Agent-MJJ is a fake anti-virus Trojan for the Windows platform. It runs automatically, accesses the internet and communicates with a remote server via HTTP.

Troj/Agent-MJJ runs only on machines with an active internet connection and is protected with rogue packers to evade anti-virus detection. Besides running itself, the malware also starts a <System>\regsvr32.exe process.

When run, Troj/Agent-MJJ displays a fake anti-virus scan window titled 'AntiVirus Soft' and reports bogus threats on the system.

Once installed, Troj/Agent-MJJ attempts to kill anti-virus processes that are used for malware analysis and cleanup.

The Trojan installs using randomly generated file names such as bsvtrb.exe, odjqsftav.exe and oulxfa.exe.

In order to run automatically after a reboot, the following autostart registry entries are added:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random value>
<User>\Local Settings\Application Data\<random value>\<Filename>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random value>
<User>\Local Settings\Application Data\<random name>\<Filename>

Like other fake anti-virus Trojans we have seen, this variant adds itself to a startup key associated with the currently logged-in user. This appears to be a method to evade protections provided by Windows User Account Control (UAC).
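As an added example (not part of the Sophos spotlight, and not Sophos's own tooling), the Python script below scans a .reg export of the two Run keys listed above for entries that match this persistence pattern: an executable dropped in a randomly named folder under the user's local application data, registered under a randomly named value. The sample export, the value names and paths, and the "random-looking name" heuristic are constructed for illustration; the script also accepts the Vista-and-later AppData\Local location, which goes beyond the XP-era Local Settings\Application Data path the page shows and is an assumption on my part.

```python
"""Flag Run-key autostart entries that look like the Troj/Agent-MJJ
persistence pattern described above. Reads a .reg export (text), so it
can be run offline on any platform against an export taken from a host."""
import re
from dataclasses import dataclass

# The two autostart keys named on the page; compared case-insensitively.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# Per-user local app data: the XP path shown on the page, plus the Vista+
# equivalent (assumption: the same drop location is used on newer Windows).
LOCAL_APPDATA_RE = re.compile(
    r"\\(?:Local Settings\\Application Data|AppData\\Local)\\(?P<dir>[^\\]+)\\(?P<file>[^\\]+)$",
    re.IGNORECASE,
)
# Heuristic (assumption): the page's sample names are short runs of lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,12}$")


@dataclass
class Finding:
    hive_key: str
    value_name: str
    exe_path: str
    reasons: list


def _unescape(s: str) -> str:
    # .reg exports double backslashes and escape embedded quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _exe_path(command: str) -> str:
    """Pull the program path out of a Run-value command line."""
    m = re.match(r'^"([^"]+)"', command)          # quoted path, possibly followed by args
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)  # unquoted path with spaces
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else command


def find_suspicious_run_entries(reg_text: str) -> list:
    """Return a Finding for every Run value whose target sits in per-user local app data."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not vm or current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        name = _unescape(vm.group("name"))
        path = _exe_path(_unescape(vm.group("data")))
        loc = LOCAL_APPDATA_RE.search(path)
        if not loc:
            continue  # only the per-user local app data drop pattern is of interest here
        reasons = ["autostart executable under per-user local application data"]
        stem = loc.group("file").rsplit(".", 1)[0]
        if RANDOM_NAME_RE.match(loc.group("dir")) and RANDOM_NAME_RE.match(stem):
            reasons.append("random-looking directory and file name")
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking value name")
        findings.append(Finding(current_key, name, path, reasons))
    return findings


# Constructed .reg export: two benign entries and two that follow the page's pattern.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SyncTool"="\"C:\\Program Files\\Example Corp\\synctool.exe\" /background"
"xkqwvtr"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\xkqwvtr\\bsvtrb.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"dhfjsla"="C:\\Users\\alice\\AppData\\Local\\dhfjsla\\oulxfa.exe"
'''

if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_REG):
        print(f"{f.hive_key}\\{f.value_name} -> {f.exe_path}: {'; '.join(f.reasons)}")
```

On a real host the input would be the output of `reg export` for each of the two keys; the path rule is the reliable signal, while the name heuristic only adds confidence, so anything it flags still needs a look at the file itself (signature, hash, creation time) before cleanup.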

Troj/Agent-MJJ contacts the following sites, which are also used to sell the associated fake anti-virus:

live-soft.net/
livesoftcore.com/

In addition to the standard detection provided for Troj/Agent-MJJ, the proactive HIPS technology in Sophos Endpoint Security can prevent this malware from installing and running. HIPS/ProcMod-004 is triggered when this malware attempts to run.