Lavasoft Research Blog

0143.0010 is now available, new definition file for Ad-Aware 2008.

0143.0009 is now available, new definition file for Ad-Aware 2008.

0143.0008 is now available, new definition file for Ad-Aware 2008.

0143.0007 is now available, new definition file for Ad-Aware 2008.

Microsoft to release out of band update

Microsoft is releasing another “out of band” update tomorrow. It fixes a recently discovered 0-day vulnerability in Internet Explorer 7 that is actively being exploited in the wild.

More information about the vulnerability can be found at http://www.microsoft.com/technet/security/advisory/961051.mspx

Information about the out of band update can be found at http://www.microsoft.com/technet/security/Bulletin/ms08-dec.mspx

Get your updates!!

0143.0006 is now available, new definition file for Ad-Aware 2008.

Protect your privacy with new targets for December 2008 (0139.0000-0143.0005)

New Rogue: Antivirus Plus

Recently we came across this rogue, Antivirus Plus. What makes this one different from others is that it is distributed directly as a fake video codec: the fake alert step that usually sits in between has been removed, so the user is taken straight from the “codec” download to the rogue installer.

fake codec install

0143.0005 is now available, new definition file for Ad-Aware 2008.

0143.0004 is now available, new definition file for Ad-Aware 2008.

New Rogue - AntivirusTrigger

AntivirusTrigger is a new rogue anti-spyware application and a clone of VirusTrigger. It gives exaggerated threat reports on the compromised computer, then asks the user to purchase a registered version to remove the reported threats.

AntiVirusTrigger's GUI

Scam Alert: UPS Delivery Failure

Have you made any recent purchases to be delivered by the postal service? With the holiday season upon us, chances are good that you have. If so, there’s a common spam scam that may try to catch you off guard in order to infect your system with malware. Here’s an example of a subject line and e-mail message to be on the lookout for this holiday shopping season, and beyond:

Subject: [NO-REPLY] UPS Tracking Number 21263130

Unfortunately we were not able to deliver postal package you sent on Sept the 18 in time because the recipient’s address is not correct.

Please print out the invoice copy attached and collect the package at our office

Your UPS

The e-mail appears to come from ‘United Postal Service’ or ‘Post Office’, and the subject of the message usually quotes a bogus UPS tracking number. The message carries a zipped attachment that purports to be an invoice document from UPS and invites the recipient to open the attached document and print it out. When you unzip the attached file, it unpacks the file UPS_letter.doc.exe, or something similar.

This malware uses a very simple, yet effective, technique to look like a legitimate file. It masquerades as a Word document by using the two tricks shown in the image below:

1. A ‘Word’ icon is used.
2. The file has, or appears to have, the extension for Word documents, ‘.doc’.

For all intents and purposes, the file looks like a regular Word document, so the unsuspecting victim double-clicks on it, and that is when the malware actually runs. Lavasoft researchers have typically categorized these files as “Win32.Worm.Autorun”.

The file itself is not really a Word document, but a Windows executable file, or program. The malware author is banking on the fact that the user’s operating system is configured to hide extensions for known file types, which is the Windows default. With that setting on, the final extension of a file name (.exe, .pdf, .doc and so on) is not shown. Crucially, only the last extension is hidden: in this case the real extension is ‘.exe’, a ‘known file type’, so Windows drops it and the victim sees the file name ‘UPS_letter.doc’, with the decoy ‘.doc’ still visible.

However, if you uncheck ‘Hide extensions for known file types’, the ‘.exe’ part becomes visible, proving that the file is not a Word document but a Windows executable file - see the image to the left.
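As an added example (not part of the original post, and not Lavasoft’s code), the following Python models the double-extension trick described above. It builds a constructed zip attachment in memory, shows what Explorer would display for each member with and without ‘Hide extensions for known file types’, and flags any member whose real extension is executable but whose displayed name ends in a document extension. The extension sets, the sample file names and the two-byte payload stub are assumptions made for illustration, not data from the real campaign.

```python
import io
import zipfile

# Constructed subset of the "known file types" whose extension Explorer hides by default.
KNOWN_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".doc", ".pdf", ".txt", ".zip"}
# Extensions that run as a program when double-clicked (illustrative list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a victim is meant to believe they are opening (illustrative list).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".xls", ".rtf"}

MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def split_name(filename):
    """Split like Explorer does: only the final suffix counts as the extension."""
    base = filename.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    if dot <= 0:
        return base, ""
    return base[:dot], base[dot:].lower()


def displayed_name(filename, hide_known=True):
    """Name Explorer shows, with or without 'Hide extensions for known file types'."""
    stem, ext = split_name(filename)
    if hide_known and ext in KNOWN_EXTENSIONS:
        return stem          # the last extension disappears; any earlier '.doc' stays
    return stem + ext


def is_disguised_executable(filename, head):
    """True when the real extension is executable, the content starts with MZ,
    and the name shown with hidden extensions still ends in a document extension."""
    _, real_ext = split_name(filename)
    _, shown_ext = split_name(displayed_name(filename, hide_known=True))
    return (real_ext in EXECUTABLE_EXTENSIONS
            and head.startswith(MZ_MAGIC)
            and shown_ext in DOCUMENT_EXTENSIONS)


def scan_zip_attachment(data):
    """Inspect a zipped e-mail attachment (bytes); return (real name, shown name, verdict) per member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            _, real_ext = split_name(info.filename)
            if is_disguised_executable(info.filename, head):
                verdict = "disguised executable"
            elif real_ext in EXECUTABLE_EXTENSIONS or head.startswith(MZ_MAGIC):
                verdict = "executable"
            else:
                verdict = "ok"
            findings.append((info.filename, displayed_name(info.filename), verdict))
    return findings


def build_sample_attachment():
    """Constructed stand-in for the scam's attachment: the payload is only a DOS-header stub, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_letter.doc.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please print the invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for real, shown, verdict in scan_zip_attachment(build_sample_attachment()):
        print(f"{shown:<20} (actually {real}): {verdict}")
```

The check deliberately combines three signals (real extension, MZ magic, and what the victim would see) so that a plain `invoice.exe` is still reported as an executable, but only a name that looks like a document under the default Explorer setting is reported as disguised; the same pair of functions also reproduces the page’s point that unchecking the hide option restores the full `UPS_letter.doc.exe`.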

Configure Windows to show extensions for known file types, and gain the upper hand over these types of scams, by following these steps:

1. Open Windows Explorer
2. Click on the ‘Tools’ menu item
3. Click on ‘Folder Options’ item
4. Click on ‘View’
5. Uncheck ‘Hide extensions for known file types’