Thursday, October 19, 2006

Troj/Lineag-E

Troj/Lineag-E is a password stealing Trojan for the Windows platform.
Side effects:
* Steals information
* Uses its own emailing engine
* Records keystrokes
* Installs itself in the Registry
* Leaves non-infected files on computer

Protection is available since 19 October 2006 09:33:58 (GMT).


Troj/Haxdoor-DI

Troj/Haxdoor-DI is a backdoor Trojan for the Windows platform.

Troj/Haxdoor-DI includes functionality to:

- hide its files, processes and registry entries
- inject its code into other processes

Sophos's anti-virus products include Behavioral Genotype™ Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against Troj/Haxdoor-DI (detected as Mal/Packer) since version 4.10.

Protection (Sophos) is available since 19 October 2006 12:15:10 (GMT).


Sunday, October 15, 2006

Troj/Nebuler-K

By Sophos:

Troj/Nebuler-K is a Trojan for the Windows platform.

Troj/Nebuler-K gathers details relating to dialup services and sends collected information to a remote site via HTTP. The Trojan may inject code into other processes in an attempt to remain hidden.

When Troj/Nebuler-K is installed the following files are created:

\win32.dll

Where are random letters.

The following registry entries are created to run code exported by win32.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win32
    DllName = win32.dll
    Impersonate = 0
    Startup = EvtStartup

Registry entries are created under:

HKCR\MezziaCodec.Chl\CLSID\
HKLM\SOFTWARE\Microsoft\MSSMGR\
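The Winlogon\Notify mechanism above is a persistence point worth auditing on its own: any subkey there names a DLL that Winlogon loads at startup and calls at the export named by Startup/Logon/Logoff. The following is an added example, not part of the Sophos description, showing one way to audit that key offline from a .reg export. It parses REG_SZ, DWORD and hex(2) (REG_EXPAND_SZ) values, handles the backslash line continuations regedit writes, and flags any Notify package whose DllName is not in a known-good baseline. The sample export is constructed (the "qzxwin32" subkey mirrors the pattern described above and is not a real artifact), and the baseline list is an assumption: build your own from a known-clean image of the same Windows version.

```python
import re

# Constructed sample of a regedit export (not a real capture). Two entries
# look like stock Windows Notify packages; the third mirrors the pattern in
# the description above: random-letter subkey, DllName "<letters>win32.dll",
# Impersonate=0 and a Startup export, so the DLL runs at boot.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"DllName"="sclgntfy.dll"
"Logoff"="WLEventLogoff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qzxwin32]
"DllName"="qzxwin32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
'''

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
              r"\Winlogon\Notify" + "\\")

# Assumed baseline of DLLs that stock Windows XP Notify packages point at.
# Illustrative only: derive the real list from a clean reference machine.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}


def _join_continuations(text):
    """Regedit wraps long hex values with a trailing backslash; re-join them."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
        else:
            out.append(pending + line)
            pending = ""
    return out


def _decode_value(raw):
    """Decode the three value encodings this example supports."""
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):                            # REG_DWORD
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex\(2\):(.*)$", raw)                    # REG_EXPAND_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw                                              # unsupported: keep raw


def parse_reg(text):
    """Return {key path: {value name: decoded data}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        keys[current][name.strip().strip('"')] = _decode_value(raw.strip())
    return keys


def audit_notify_packages(keys, known=KNOWN_NOTIFY_DLLS):
    """Flag Winlogon\\Notify subkeys whose DllName is outside the baseline."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_KEY.lower()):
            continue
        dll = str(values.get("DllName", "")).lower()
        if dll in known:
            continue
        findings.append({
            "subkey": key[len(NOTIFY_KEY):],
            "dll": dll,
            "startup": values.get("Startup"),   # export Winlogon calls at boot
            "impersonate": values.get("Impersonate"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_notify_packages(parse_reg(SAMPLE_REG)):
        print("suspicious Notify package:", f)
```

Run it against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` taken from the host under review; anything reported should be cross-checked against the DLL on disk (path, signature, hash) rather than trusted from the registry alone.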

Sophos Anti-Virus protection is available since: 15 October 2006 14:16:45 (GMT)


Redbrowser.A on Java!

First J2ME trojan found.
Redbrowser.A (Trojan-SMS.J2ME.RedBrowser.a) is a J2ME-based Java MIDlet that sends SMS messages to a specific number.

Redbrowser pretends to be a WAP browser that offers free WAP browsing, claiming to use free SMS messages to carry the WAP page contents. What Redbrowser actually does is send SMS messages to one specific number, which may cause financial losses to the user.

Redbrowser's claim to send free SMS messages as part of its normal operation is there to trick the user into granting the application permission to use the Java SMS capabilities, on phones that ask the user before an application may send SMS messages. This claim of a free service is a form of social engineering.

The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan to Russian-speaking countries.

F-Secure Mobile Anti-Virus can detect and delete the Redbrowser.A trojan. It can also be removed by uninstalling it with the Symbian application manager.

F-Secure Corporation
