Friday, May 23, 2008

Will summer break bring the normal malware influx?

Summer break is just around the corner and I started to ask myself if we would notice the normal influx of malware we used to see from students out on break in the not too distant past.

With large crime-ware groups operating most of the malware we see and hear about daily, it seems like we forgot about the so called “script kiddies” who used to bring so much burden to the anti-malware world at this time of year.

Last summer it seems like the script kiddies had dropped off the face of the planet, but maybe they were just over shadowed by all the hype and media attention that the RBN and Storm were drawing last year. I personally think that this was the case, they weren’t gone we just didn’t hear anything about them because they weren’t the huge impact they had been in the past. With thousands of new malwares being seen daily would the few extra hundred a week (or month) be really that noticeable in the overall picture.

I guess only time will tell, but look out for new malware to come out this summer!

Sunday, May 11, 2008

Mass File Injection - Redirecting to DNSChanger Download

Mike from's team has discovered a mass file injection attack going around injecting the 2 urls below into sites running any version of phpbb forum software


The 2 urls point to a javascript redirect script that automatically redirect visitors to a fake codec download site. These fake codecs are known as DNSChanger. Anyone running phpbb should check out their servers.

At the time of this writing over 400,000 hits are shown in Google when you search for the urls.

If anyone has any information as to how the scripts are being injected or which exploit is being used please contact me at dnelson(shift+2)
Antivirus Version Last Update Result
AntiVir 2008.05.11 DR/Dldr.DNSChanger.Gen
AVG 2008.05.11 DNSChanger.AE
ClamAV 0.92.1 2008.05.11 Trojan.Dropper-6806
F-Secure 6.70.13260.0 2008.05.12
Ikarus T3. 2008.05.12
Kaspersky 2008.05.12
Norman 5.80.02 2008.05.09 Vundo.gen171.dropper
Prevx1 V2 2008.05.12 Cloaked Malware
Sophos 4.29.0 2008.05.11 Troj/Zlobar-Fam
TheHacker 2008.05.11 Trojan/DNSChanger.chg
Webwasher-Gateway 6.6.2 2008.05.11

Sunday, May 4, 2008

New Storm Moving In – Presumably for Mother’s Day

One of our researchers at has found indications of a new storm worm variant moving in.

At the time of this posting we have not had any reports of spam from the botnet using the 3 domains that were found in the research, but the files are definitely there and the domains are fast fluxing as per the normal method. We can only presume they are gearing up for a mother’s day storm campaign to raise their numbers.

The three domains we have found to this point are: (visit at your own risk), and

The file load.exe on execution copies itself to %windir%\libor.exe and drops the standard peers.ini as gogora.config. Libor.exe is then added to the run key in the registry to allow execution every reboot.

So not to add to the problem I personally only ran the exe with an internet connection for about 1 minute and it contacted ~1700 other infected boxes. Other research done by members of indicates approximately 100,000 or more which are still infected (number was taken by methods other than running the file).

This proves contrary to’s article that Microsoft had killed the storm worm.

The article had already been strongly disputed by researchers.

Storm worm is alive and well, it may be smaller then when it first came onto the scene, but it seems when their numbers dwindle they come back with another holiday targeted mail campaign and boost the numbers back up. The storm group isn’t going anywhere as far as I can tell.

Jeremy over at has posted some more info here.

Monday, February 25, 2008

postcard.gif.exe - 63e8fe1363431d2e56f38141a35278d3

* name: postcard.gif.exe
* size: 878374
* md5.: 63e8fe1363431d2e56f38141a35278d3

AntiVir found [HIDDENEXT/Worm.Gen]
Authentium 4.93.8/20080226 found [could be infected with an unknown virus]
Avast 4.7.1098.0/20080225 found [IRC:Zapchast-D]
AVG found [IRC/BackDoor.Flood]
BitDefender 7.2/20080226 found [Backdoor.Zapchast.Z]
ClamAV 0.92.1/20080226 found [Trojan.IRCBot-96]
DrWeb found [Win32.Parite.2]
eSafe found [Win32.IRC.Zapchast]
Ewido 4.0/20080225 found [Backdoor.Zapchast.z]
F-Prot found [W32/Heuristic-300!Eldorado]
F-Secure 6.70.13260.0/20080226 found [Backdoor.IRC.Zapchast]
Fortinet found [REG/Zapchast.4D53!tr.bdr]
Ikarus T3.1.1.20/20080226 found [Backdoor.IRC.Zapchast]
Kaspersky found [Backdoor.IRC.Zapchast]
McAfee 5237/20080225 found [IRC/Generic Flooder]
Microsoft 1.3204/20080226 found [Backdoor:IRC/Zapchast.AN]
NOD32v2 2901/20080225 found [IRC/Zapchast.Z]
Norman 5.80.02/20080225 found [Pinfi.A.dropper]
Rising found [Win32.Parite.b]
Sophos 4.27.0/20080226 found [Mal/Zapchas-C]
Sunbelt 3.0.893.0/20080223 found [Trojan.Zapchas.F]
Symantec 10/20080226 found [IRC Trojan]
TheHacker found [Adware/2Search]
VBA32 found [Trojan.IRC.Zapchast.H]
VirusBuster 4.3.26:9/20080225 found [IRC.Zapchast.AQ]
Webwasher-Gateway 6.6.2/20080225 found [Virus.HIDDENEXT/Worm.Gen]

ekvgsnw.dll - 39bfebf001bfdd44830076e378958c4a

* name: ekvgsnw.dll
* size: 84451
* md5.: 39bfebf001bfdd44830076e378958c4a

AntiVir found [ADSPY/AdSpy.Gen]
AVG found [Downloader.Zlob.SE]
Microsoft 1.3204/20080226 found [Adware:Win32/Vapsup]
Prevx1 V2/20080226 found [KAVKOP:Trojan-A]
Sophos 4.27.0/20080226 found [Mal/Zlob-I]
Webwasher-Gateway 6.6.2/20080225 found [Ad-Spyware.AdSpy.Gen]

dgtxrdfrmw.dll - 9432a1b6b11bf5247291e68763b25938

* name: dgtxrdfrmw.dll
* size: 108190
* md5.: 9432a1b6b11bf5247291e68763b25938

AVG found [Downloader.Zlob.AAQ]
Microsoft 1.3204/20080226 found [Trojan:Win32/Zlob.ZWY]
Prevx1 V2/20080226 found [Downloader.Zlob]
VBA32 found [suspected of Downloader.Zlob.8]

bxlrvps.dll - 8120d45ce090c65fd864ac8f48cf87cf

* name: bxlrvps.dll
* size: 108451
* md5.: 8120d45ce090c65fd864ac8f48cf87cf

AntiVir found [ADSPY/Agent.PB]
Avast 4.7.1098.0/20080225 found [Win32:Agent-LTS]
AVG found [Downloader.Zlob.AAS]
Prevx1 V2/20080226 found [Generic.Malware]
VBA32 found [suspected of Downloader.Zlob.5]
Webwasher-Gateway 6.6.2/20080225 found [Ad-Spyware.Agent.PB]