W32/MsnPhoto.A.worm

We have found a new piece of malware that spreads through instant messaging to deceive users. It arrives as an .exe file disguised as a .jpg. If you open it, your computer is infected and your MSN contacts receive a few messages together with a file called "fotos_posse.zip".


Here is a picture of what the messages look like. For those of you who don't know Spanish, the translation is "Hello", "I hope you like the photographs", followed by the attachment.



It has been quite active, as you can see in the following graph of the messages received in our lab over the last 72 hours.
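As an added example (not code from the original post, nor from the lab that wrote it), this is the kind of check a mail or IM gateway could apply to an attachment like the one described above: it flags a file whose name carries an image extension in front of an executable one ("fotos.jpg.exe"), or whose contents start with the Windows PE "MZ" header while its extension claims it is a picture, and it looks inside ZIP attachments member by member. The sample attachment bytes, member names and extension lists are constructed here and are not taken from the real worm.

```python
import io
import zipfile

# Extension lists and magic values chosen for this example; not from the original post.
PE_MAGIC = b"MZ"
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
MAX_ENTRY_BYTES = 16 * 1024 * 1024  # refuse to unpack larger archive members


def split_ext(name):
    """Return (stem, ext) for the base name; ext is lower-cased and includes the dot."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem, dot, ext = base.rpartition(".")
    return (stem, "." + ext) if dot else (base, "")


def inspect_file(name, data):
    """List the reasons one file looks like an executable posing as a picture."""
    findings = []
    stem, ext = split_ext(name)
    if ext in EXEC_EXTS:
        findings.append(f"{name}: executable extension {ext}")
        # "fotos.jpg.exe": an image extension hidden in front of the real one
        _, inner_ext = split_ext(stem)
        if inner_ext in IMAGE_EXTS:
            findings.append(f"{name}: image extension {inner_ext} hidden before {ext}")
    elif data.startswith(PE_MAGIC):
        # The name does not say executable, but the bytes say Windows PE
        findings.append(f"{name}: PE header (MZ) but extension {ext or '(none)'} is not executable")
    return findings


def inspect_attachment(name, data):
    """Inspect a plain file, or every member of a ZIP such as fotos_posse.zip."""
    if not data.startswith(ZIP_MAGIC):
        return inspect_file(name, data)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_ENTRY_BYTES:
                findings.append(f"{name}/{info.filename}: member too large to inspect")
                continue
            with archive.open(info) as member:
                head = member.read(8)  # the magic check only needs the first bytes
            findings.extend(f"{name}/{f}" for f in inspect_file(info.filename, head))
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, content in entries.items():
            archive.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins for the worm's attachment; not the real file.
FAKE_PE = PE_MAGIC + b"\x90" * 62
REAL_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SUSPICIOUS_ZIP = build_zip({"fotos/fotos.jpg.exe": FAKE_PE})
BENIGN_ZIP = build_zip({"fotos/playa.jpg": REAL_JPEG})

if __name__ == "__main__":
    for label, blob in (("fotos_posse.zip", SUSPICIOUS_ZIP), ("vacaciones.zip", BENIGN_ZIP)):
        print(label, "->", inspect_attachment(label, blob) or "no findings")
```

Only the first bytes of each archive member are read, so a large or deliberately padded member cannot be used to exhaust the gateway; the size limit stops members that report an oversized uncompressed length before any extraction.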




Posted under Malware Alerts

This post was written by Sergio Piñeiro on May 21, 2007


Zunker that installs another Bot


One of the active servers of the Zunker bot we mentioned yesterday installs a second bot.



Although the first Zunker we talked about was configured to only affect computers with German IPs, this one only affects computers with Russian IPs:









This Zunker installs another bot, which we detect as Bck/Barracuda.A. This bot allows DDoS attacks to be launched and turns affected computers into proxies.


The following image is displayed when we log in to the control panel:






In this screenshot, we can see that there are 14,788 bots, 647 of which were connected at that moment.


There are also 3,866 proxies, 171 of which were connected at that moment.


For example, 12,133 bots have been assigned to the attack with ID 661700916; this attack started on 14 May and would end three days later, on 17 May.




In the screenshot below, we can see how the data to launch DDoS attacks is entered:





By selecting this option, we can see the proxies:



Posted under Malware Alerts

This post was written by Vicente Martinez on May 17, 2007


More Zunkers!!!

By analyzing the pattern of the binary file installed by Zunker and comparing it against our sample collection, we have come across 32 similar files.





On the left is the graphical representation of the binary file belonging to the first Zunker we came across; on the right, the graphical representation of the new similar files we have found.







As you can see, they are alike. If we compare these graphs with those belonging to other malware, such as Gaobot.AAF, they turn out to be very different.
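As an added example, not code from the original post or from the lab's own tooling, the following script shows one simple way to do the kind of comparison described above: each file is reduced to its byte-value histogram (the "graphical representation"), histograms are compared by cosine similarity, and files above a threshold are grouped with the reference. The byte strings standing in for the Zunker binary, its two variants and the unrelated family are constructed for this example; the similarity threshold of 0.9 is an assumption, not a value from the post.

```python
import math
from collections import Counter


def byte_histogram(data):
    """Relative frequency of each byte value: a 256-entry vector that sums to 1."""
    counts = Counter(data)
    total = len(data) or 1
    return [counts.get(value, 0) / total for value in range(256)]


def cosine_similarity(a, b):
    """Cosine of the angle between two histograms; 1.0 means identical shape."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def find_similar(reference, samples, threshold=0.9):
    """Names of the samples whose byte distribution matches the reference at least `threshold`."""
    ref = byte_histogram(reference)
    return sorted(
        name for name, data in samples.items()
        if cosine_similarity(ref, byte_histogram(data)) >= threshold
    )


def render_histogram(data, width=40, top=6):
    """Text bar chart of the most frequent byte values, a stand-in for the post's graphs."""
    hist = byte_histogram(data)
    peak = max(hist) or 1.0
    lines = []
    for value in sorted(range(256), key=lambda v: hist[v], reverse=True)[:top]:
        bar = "#" * int(round(hist[value] / peak * width))
        lines.append(f"0x{value:02x} {hist[value]:6.3f} {bar}")
    return "\n".join(lines)


# Constructed byte strings standing in for the Zunker binary and the files compared
# against it; they are not real samples, the x86-looking bytes are only a pattern.
ZUNKER_LIKE = b"\x8b\x45\xfc\x89\x04\x24\xe8" * 300 + b"\x00" * 300
SAMPLES = {
    "variant_a": b"\x90" * 100 + ZUNKER_LIKE[100:],   # first 100 bytes patched
    "variant_b": ZUNKER_LIKE + b"\xcc" * 200,         # padding appended at the end
    "other_family": b"\x41\x42\x43" * 500 + b"\x00" * 50,
}

if __name__ == "__main__":
    print(render_histogram(ZUNKER_LIKE))
    ref = byte_histogram(ZUNKER_LIKE)
    for name, data in SAMPLES.items():
        print(f"{name:14s} similarity {cosine_similarity(ref, byte_histogram(data)):.3f}")
    print("similar to reference:", find_similar(ZUNKER_LIKE, SAMPLES))
```

A histogram ignores byte order, so it groups files that share a compiler, packer or code base even when a few bytes (a server address, a build number) differ, which is what makes it useful for spotting repacked variants; the flip side is that two unrelated files compressed with the same packer can also look alike, so a match here is a lead for manual analysis rather than a verdict.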




Analyzing the similar files, we have come across 18 different servers where they were installed:



- 6 of them are active at the present moment.
- 4 of them contain files belonging to Zunker but do not seem to be working.
- 8 of them are inactive.




Among the servers that are active, different versions of the bot can be found:


- ZUnker 1.4.4-1b
- ZUnker 1.4.4-1b-10003
- ZUnker 1.4.4b
- ZUnker 1.4.5b

Posted under Malware Alerts

This post was written by Vicente Martinez on May 16, 2007
