For the week of 23 Jun 2011
Threat 1: Plankton malware invades Android Market
Threat Name:
Andr/Plankton-A
Users at Risk:
Android users
Also Known As:
Microsoft Trojan:AndroidOS/Plankton.A
Symantec Android.Tonclank
About:
Andr/Plankton-A is a backdoor Trojan that targets Android devices.
This Trojan is known to be distributed by a number of apps posted to Google’s Android Market, mostly targeting popular game series such as Angry Birds.
The Trojan consists of an application carrying the embedded malicious code, named com.crazya~.ang~.bir~.rio~.unl~.apk or similar, and a JAR file of custom code that the Trojan loads once the application is launched.
Once installed, the Trojan gives the intruder unauthorized remote access by running a backdoor service that responds to commands from a remote server. This allows the intruder to access the user's sensitive data on the compromised device.
Threat 2: Windows worm spreads on IM
Threat Name:
W32/Tupym-C
Users at Risk:
Windows users
Also Known As:
Avira TR/Crypt.CFI.Gen
AVP Worm.Win32.AutoRun.fnc
K7 EmailWorm ( 0008b4a71 )
McAfee W32/Yahlover.worm.gen.c
Microsoft Worm:Win32/Tupym.A
Symantec W32.SillyFDC
About:
W32/Tupym-C is a worm for the Windows platform that spreads by sending itself through instant messages and email messages.
W32/Tupym-C copies itself to the following locations:
<WINDOWS>\system3_.exe
<SYSTEM>\system3_.exe
The worm also drops the following file:
<SYSTEM>\autorun.ini (detected as W32/AutoRun-AOA)
W32/Tupym-C attempts to disable security tools and other tools such as Task Manager and Regedit by setting the following registry entries (value name = data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x00000001
W32/Tupym-C sets the following registry entry to run at system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messenger = <SYSTEM>\system3_.exe
The worm also sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = Explorer.exe system3_.exe
W32/Tupym-C also edits browser settings for Internet Explorer:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = http://www.mydreamworld.50webs.com
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = http://www.mydreamworld.50webs.com
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = http://www.mydreamworld.50webs.com
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = http://www.mydreamworld.50webs.com
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = http://www.mydreamworld.50webs.com
Threat 3: Trojan in delivery spam downloads scareware
Threat Name:
Troj/Agent-SCI
Users at Risk:
Windows users
Also Known As:
AVP Trojan-Downloader.Win32.Agent.guod
About:
Troj/Agent-SCI is a generic malware downloader for the Windows platform. This Trojan has been seen in spam messages claiming to be a notification of a returned parcel or of an error in the delivery details. The message contains a zip file called Postal_Label_<random>.zip.
On first execution, Troj/Agent-SCI moves itself to "<StartMenu>\Programs\Startup\dxdiag.exe" so that it runs at Windows startup.
Troj/Agent-SCI will then use the generic Windows Host Process "<SystemRoot>\System32\svchost.exe" to execute its malicious code. By executing as "svchost.exe" it attempts to look like a legitimate Windows process.
Troj/Agent-SCI downloads various types of malware; in the cases observed it downloaded fake Windows security software (scareware).
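As an added, defender-side example (not part of the original report or of any vendor's tooling), the following PowerShell audit script checks a Windows host for the registry changes and dropped files attributed above to W32/Tupym-C and for the Startup-folder file used by Troj/Agent-SCI. It only reads; nothing is changed. It assumes the report's placeholders map as <WINDOWS> = $env:windir, <SYSTEM> = $env:windir\System32 and <StartMenu>\Programs\Startup = the current user's Startup folder, and it goes slightly beyond the list by checking all four Internet Explorer page values in both HKLM and HKCU rather than only the combinations the report names.

```powershell
# Added audit script (not from the original report): looks for the W32/Tupym-C
# and Troj/Agent-SCI indicators listed above. Run from an elevated PowerShell
# session so that HKLM and the System32 folder are readable. Read-only.

$findings = New-Object System.Collections.Generic.List[string]

function Test-RegValue {
    param([string]$Path, [string]$Name, [string]$Expected, [string]$Label)
    # Read one registry value; an absent key or value is not a finding.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $actual = [string]$item.$Name
    if ($actual -like $Expected) {
        $findings.Add("$Label : $Path\$Name = $actual")
    }
}

# 1. Policy values that disable Task Manager and Registry Editor (data 0x1).
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Test-RegValue -Path $pol -Name 'DisableTaskMgr'       -Expected '1' -Label 'Tool disabled'
Test-RegValue -Path $pol -Name 'DisableRegistryTools' -Expected '1' -Label 'Tool disabled'

# 2. Run key entry named "Yahoo Messenger" that launches system3_.exe at logon.
Test-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'Yahoo Messenger' -Expected '*system3_.exe*' -Label 'Run key persistence'

# 3. Winlogon Shell changed from "Explorer.exe" to also start system3_.exe.
Test-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -Name 'Shell' -Expected '*system3_.exe*' -Label 'Winlogon Shell hijack'

# 4. Internet Explorer home/search pages redirected to the reported domain
#    (checked in both hives, a superset of the entries in the report).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $ie = "$hive\SOFTWARE\Microsoft\Internet Explorer\Main"
    foreach ($name in 'Default_Page_URL', 'Default_Search_URL', 'Search Page', 'Start Page') {
        Test-RegValue -Path $ie -Name $name -Expected '*mydreamworld.50webs.com*' -Label 'IE page hijack'
    }
}

# 5. Dropped files: the two system3_.exe copies and autorun.ini from W32/Tupym-C,
#    and the dxdiag.exe that Troj/Agent-SCI places in the user's Startup folder.
#    Placeholder mapping (<WINDOWS>, <SYSTEM>, <StartMenu>) is an assumption.
$paths = @(
    (Join-Path $env:windir 'system3_.exe'),
    (Join-Path $env:windir 'System32\system3_.exe'),
    (Join-Path $env:windir 'System32\autorun.ini'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'dxdiag.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("File present : $p") }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings }
```

A real dxdiag.exe lives in System32, not in the Startup folder, and the Winlogon Shell value is normally just "Explorer.exe", so any hit from sections 3 or 5 deserves a look even on a machine where the Run key and IE values are clean. Because the worm also writes an autorun.ini, the same file check is worth repeating against removable drives that have been attached to the host.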