Threat Spotlight for the week ending November 13, 2009
- Malicious email attachment hides spying malware
- Application modifies your default search engine
- Password-stealing worm targets online gamers
Malicious email attachment hides spying malware
Trojan: Troj/Zbot-JS
| Also known as: | |
| Who is at risk?: | Windows users |
| How to get rid of it: | If you've received an alert for a virus or spyware, then follow the instructions for removing the Trojan. |
About this threat:
Troj/Zbot-JS is a member of the Zbot family of malware, also known as Zeus. It is aggressively spammed out in multiple campaigns with various social engineering lures.
The spammers behind this scheme use fake password reset emails such as:
Subject: Myspace Password Reset Confirmation
Because of the measures taken to provide safety to our clients, your
password has been changed. You can find your new password in attached
document.
The spammers also employ fake delivery notices, similar to those seen recently in fake anti-virus scams:
Thank you for setting the order No.8794354
Thank you for ordering at our online store. Your order: Sony VAIO
VPC-X11Z1E/X, was sent at your address. The tracking number of your
postal parcel is indicated in the document attached to this letter.
Please, print out the postal label for receiving the parcel.
In both cases, the file attached to the email message is a zip file that contains a malicious program.
When run, Troj/Zbot-JS copies itself to the Windows system directory as sdra64.exe. It changes a registry entry to make sure the file is run when Windows starts:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Usually this registry data is set to C:\WINDOWS\system32\userinit.exe, but now the Trojan will add its own name, changing the data to:
C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\sdra64.exe
When active, Troj/Zbot-JS opens a random high-numbered TCP port for listening. Members of the Zbot malware family typically allow a remote attacker to take control of a computer and subsequently spy on its activity. Zbot Trojans are often associated with online banking theft.
Users of the HIPS runtime behavior analysis features of Sophos Endpoint Security have additional protection against Troj/Zbot-JS. When this Trojan attempts to install itself, it triggers the HIPS rule HIPS/FileMod-001.
Application modifies your default search engine
Potentially Unwanted Application: Make The Web Better
| Also known as: | |
| How to get rid of it: | Please follow these instructions on how to remove Potentially Unwanted Applications (PUAs). |
About this threat:
Make The Web Better is a potentially unwanted application (PUA) from Fast Browser Search.
This application creates an icon in the system tray, which allows the user to change search settings. It gives the option to make Fast Browser Search the default search engine or to switch to another search provider.
Make The Web Better may update itself from: http://updater.fastbrowsersearch.com/.
In order to create the system tray icon and change the user's default settings, this application makes a number of changes to the user's registry.
First, upon installation, the application creates the file <Root>\mtwb.dat.
It then changes search settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}\
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\
The PUA also sets the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}\DisplayName
Fast Browser Search
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}\URL
http://fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c=web&s=DSP&v=9
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\Tabs
http://www.fastbrowsersearch.com/new-tab/?v=9&tid=0
Additionally, it creates these registry entries:
HKCU\Software\FBSearch\ProgramPath
c:\
HKCU\Software\FBSearch\Disable
0x00000000
Password-stealing worm targets online gamers
Worm: W32/Taterf-C
| Also known as: | |
| Who is at risk?: | Windows users |
| How to get rid of it: | If you believe you've been infected, then follow these instructions for removing the worm. |
About this threat:
W32/Taterf-C is a password-stealing worm that targets online game players. When installed, W32/Taterf-C runs automatically, copies itself to the <WINDOWS>\system32 folder and creates further files there. From that point it can steal confidential information and disable other software—including anti-virus, firewall and security-related applications.
W32/Taterf-C spreads by copying itself to mapped and removable drives and creating an autorun.inf file, which will cause Windows to run the copy of the worm automatically when a user accesses the drive.
Upon installation, the worm creates these files:
<System>\dllcache\cdaudio.sys
<System>\nmdfgds0.dll
<System>\olhrwef.exe
W32/Taterf-C also creates this registry entry to run olhrwef.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
cdoosoft
<System>\olhrwef.exe
This worm also attempts to download and install additional malware from ngjk34.net.
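The three write-ups above each leave a registry footprint: Zbot appends sdra64.exe to the Winlogon Userinit value, Taterf adds a cdoosoft entry under the Run key, and Make The Web Better rewrites the Internet Explorer SearchScopes URL. The following script is an added example (not Sophos code) that parses a Windows .reg export and flags those indicators; the .reg text, the search-engine allowlist and the key constants are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse
# Constructed .reg export (not a real capture) containing the three write-ups' registry changes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\WINDOWS\\system32\\sdra64.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdoosoft"="C:\\WINDOWS\\system32\\olhrwef.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{19F2B849-4ADE-4d4b-85F9-C31C643DBDE9}]
"DisplayName"="Fast Browser Search"
"URL"="http://fastbrowsersearch.com/results/results.aspx?q={searchTerms}&c=web&s=DSP&v=9"
"""
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SCOPES = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"      # the only value Userinit should hold
KNOWN_BAD_EXES = {"sdra64.exe", "olhrwef.exe"}           # file names from the write-ups
SEARCH_ALLOWLIST = {"www.bing.com", "www.google.com"}    # assumed site policy, adjust to taste


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files double every backslash; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def userinit_extras(data):
    """Everything in the Userinit value besides the stock userinit.exe (Zbot appends sdra64.exe)."""
    parts = [p.strip() for p in data.split(",") if p.strip()]
    return [p for p in parts if p.lower() != STOCK_USERINIT]


def find_indicators(keys):
    """Return (rule, detail) pairs for every indicator present in the parsed export."""
    hits = [("Userinit", x) for x in userinit_extras(keys.get(WINLOGON, {}).get("Userinit", ""))]
    for name, target in keys.get(RUN_KEY, {}).items():  # Taterf's cdoosoft entry
        if target.rsplit("\\", 1)[-1].lower() in KNOWN_BAD_EXES:
            hits.append(("Run", f"{name} -> {target}"))
    for path, values in keys.items():  # Make The Web Better's search scope
        host = urlparse(values.get("URL", "")).hostname
        if path.startswith(SCOPES) and host and host not in SEARCH_ALLOWLIST:
            hits.append(("SearchScope", f"{values.get('DisplayName', '?')} -> {host}"))
    return hits
```

Run `find_indicators(parse_reg(open("export.reg").read()))` against an export taken with `reg export` to triage a suspect machine; the Userinit check fires on any extra entry, not only the Zbot file name.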