Virus / Worm Warning

[Chil C]

All,
Hopefully you all know that I don't forward Hoax threats, and only inform people if I genuinely believe they are legit warnings.
Therefore, just to advise you that I picked this up from the computer press today.

Please ensure your AntiVirus and Internet Protections Systems are up to date.

Destructive worm activates on Friday

Kiss goodbye to Word, Excel and PowerPoint files
Iain Thomson, vnunet.com 30 Jan 2006

Antivirus firms are warning of a destructive Windows worm that will begin wiping files on infected PCs this Friday. 'Nyxem.e' has been spreading via infected emails and network shares.

On the third of each month the worm will activate 30 minutes after the computer is booted up and overwrite all files with the extensions DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP. Corrupted files contain the text 'DATA Error [47 0F 94 93 F4 F5]'.

The emails containing the malware use a variety of social engineering hooks to get the recipient to activate the worm, predominantly of a sexual nature.

Email headers include 'School girl fantasies gone bad' and 'Fwd: Crazy illegal Sex!', while the attachment, a 95KB PE EXE file written in Visual Basic, is usually labelled 'photo.pif' or 'word_document.uu'.

"This worm is not new but it continues to spread and has a damaging payload. We want to urge all computer users to update their antivirus protection before the first trigger date on 3 February," said David Emm, senior technology consultant at Kaspersky Labs UK.

Nyxem.e also tries to deactivate antivirus software and can disable the mouse and keyboard of infected machines to make it harder to delete.

The worm was first discovered on 16 January and has been variously named Blackworm, MyWife, Kama Sutra, Grew and CME-24.

[Danmum]

Thanks for the warning Chil, some serious checking of virus protection going on (obviously by DrT, not by me)

[MrsB]

I'm ultra-impressed because Chil C was ahead of Volvo IT in warning of this - a similar email came through this afternoon at work.  It mentioned Malware - I have no idea what that is, unless it's a modern variant of Tupperware.

[Chil C]

It is also in the Sun newspaper today, may also come under the name of Karma Sutra (what ever that is!!!)

[MrsB]

It is also in the Sun newspaper today, may also come under the name of Karma Sutra (what ever that is!!!)

I know what the Kama Sutra is, but what's the Sun newspaper??

[DrT]

I know what the Kama Sutra is, but what's the Sun newspaper??

its a dirtier version of the Karma Sutra!

I assume that this worm will only work if you have been silly enough to run one of the attachments that come with the email?

[Scooby Doo]

yep - I think that is correct!

It mentioned Malware - I have no idea what that is, unless it's a modern variant of Tupperware.

Thats the stuff - gotta be carefull of this Malware - you think you have just purchased a set of 600 nesting plastic boxes, you leave it in a cubroad, and before you know it the plastic boxed have mutated into a computer eating device - scary stuff!!

But seriously, Malware is malicious Software that is set to deliberately carry out the malicious / harmful intent of an attaker when run!

[MrsB]

Did this much-publicised virus/worm do any damage?  Or were people well enough informed?  I haven't heard any press reports about it.

[Scooby Doo]

Did this much-publicised virus/worm do any damage? Or were people well enough informed? I haven't heard any press reports about it.

I have not heard anything about it either! Ahh well, better safe than sorry!

[scout taxi]

On Wednesday of this week, on signing onto the internet, AOL put a header to all it's users, warning of this Friday 3rd virus. AOL are really quick at passing on this type of information.

[Chil C]

I also issued the warning on Mondayy!

2 days before AOL and The Sun !!

Am I good or what !

Am I in with the In Crowd !

[owain]

wtg Chil, well top

[Chil C]

A new one for anyone using AOL Messengerm, just to forewarn you!

Worm poses as Windows Genuine Advantage
Cuebot-K IM worm turns on unwary Microsoft users

Robert Jaques, vnunet.com 04 Jul 2006

IT security experts have warned of a worm that purports to be Microsoft's Windows Genuine Advantage (WGA) anti-piracy tool.

WGA has recently been branded as 'spyware' in that it collects unnecessary hardware and software data from users' PCs.

The Cuebot-K worm spreads via AOL Instant Messenger, registering itself as a new system driver service called 'wgavn'. It carries the display name 'Windows Genuine Advantage Validation Notification', and runs automatically during system startup.

Users who view the list of services are told that removing or stopping the service will result in 'system instability'.

Once in place the worm disables the Windows firewall, and opens a backdoor to infected computers which allows hackers to gain remote access, spy on users, and potentially launch distributed denial-of-service attacks.

"People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions," said Graham Cluley, senior technology consultant at Sophos.

"Technical Windows users would not be surprised to see WGA in their list of services, and may not realise that the worm is using that name as a cloak to hide the fact that it has infected the PC.

"If users heed the false warning about removing the program, and leave it running, they will present a backdoor to hackers that could allow them to gain control over the computer."

[Chil C]

While looking for something else, I found the following file lurking on my pc - rk.exe

Having done some investigation, I found several reports, but they all seemed to say the same thing! example follows below.

The most annoying thing is that I have running on my PC Windows Defender, Norton Antivirus & Worm, and NoAdware, but none of these have picked this up!

Have now had to buy anotehr piece of sotware that has done so, and removed this from my machine!

Pain in the neck!

****

Summary
     
NetSetter (MarketScore) is a proxy service which claims to increase the speed of your internet connection. It runs at startup to ensure all your web connections are routed through NetSetter's proxies. (You will not observe any significant speedup from using the service.)

Netsetter has changed its name to Marketscore and is no longer operating under or using the name Netsetter.

Alias
     Netsetter (previous name), ossproxy (program name), MarketScore (current name)
       ·
Category
     Trackware :  Any software which, subsequent to user permission being granted, uses a machine's internet connection to silently transmit personally identifiable information.

Adware:  Software that displays pop-up/pop-under advertisements when the primary user interface is not visible, or which do not appear to be associated with the product.

Variants
       MarketScore/Netsetter ·   MarketScore/NS ·   MarketScore/OS ·   MarketScore.com ·
 
Group
     Marketscore Inc
Vendor
     
    * MarketScore official distribution site
    * ComScore sell the information to other companies

Others By This Group
     Marketscore(Netsetter)· Marketscore Internet Accelerator·

Date of Origin
     Variants from January, 2004 to June, 2005
 
Distribution
     In the past PestPatrol observed MarketScore being installed through ActiveX at MarketScore's site, promoted by MarketScore affiliates. More recently though, Marketscore.com is the primary distribution mechanism and user must go through a lengthy setup process to retrieve MarketScore software.
 
Privacy Issues
     Yes. Every web connection you make, including 'secure' connections, goes through the proxies and is logged and analysed on behalf of MarketScore's customer companies.

Security Issues
     Unconfirmed. There is a 'required update' feature, but it is unknown whether this happens without consent from the user.

Stability Issues
     Won't work if you have to use a different proxy. Will kill your internet connection if you try to delete the csloa.dll component manually.

[Chil C]

and another ....

Email worm offers unhappy new year
Postcard attachment poses as a message from friends

An email worm that masquerades as a new year greeting to catch out workers returning to work is spreading quickly.

Messages containing files named 'postcard.exe' and 'postcard.zip' actually hide a mass-mailing worm called Dref-V, antivirus companies have warned.

"This started spreading on 30 December and accounted for a whopping 93.7 per cent of all infected email in the last two days of the year," Graham Cluley, senior technology consultant at Sophos, told vnunet.com. 

"The danger is that people returning to work today may be opening their email and launching attachments without taking proper care over their security."

The attachment affects Windows computers by downloading malicious software from the internet and turning off security software such as antivirus products.

Dref-V then looks for open mail proxies to send further spam emails and infect other computers.

However, Cluley said that the good news is that most antivirus products have been updated, although he warned that there might be a few companies which have been too laid back and are at risk today.