Posted by cotojo on May 9, 2008
Half a million computers have been infected with the Downloader-UA.h trojan since the beginning of May, which has prompted McAfee to declare it the most significant malware threat since 2005. Other anti-virus vendors have also confirmed it as a security risk.
It consists of a malicious MPEG or MP3 file which has been propagated through P2P networking sites and has inflicted major damage.
It uses different file sizes, different languages and different formats to fool individuals into running the software, and any attempt to play the file will result in ads being served to the infected computer.
File sizes vary, as do the file names. Here are some sample file names:
preview-t-3545425-changing times earth wind .mp3
preview-t-3545425-girls aloud st trinnians.mp3
preview-t-3545425-heartbroken fast t2 ft jodie.mp3
t-3545425-dx vs randi orton 2007.mpg
t-3545425-para sayo freestyle.mp3
t-3545425-peanut butter jelly amende.mp3
t-3545425-stare at sun thrice.mp3
Any user attempting to load one of these MP3 and MPG files will not get the music or video they were hoping for, but will instead be directed to download a file named PLAY_MP3.exe.
If users agree to download and run PLAY_MP3.exe, an End User License Agreement (EULA) is displayed. Users accepting the terms of the EULA will have ‘FBrowsingAdvisor’ and ‘SurfingEnhancer’ installed, as well as PlayMP3.exe, which is a browser control.
Download and install these two free programs:
Ad-Aware 2008 7.1.0.4 beta
a-squared Free
Turn off System Restore - right-click My Computer and select Properties, click the System Restore tab and tick the checkbox ‘Turn off System Restore on all drives’.
Reboot into Safe Mode - keep tapping the F8 key, use the up and down arrows to highlight Safe Mode, then press ‘Enter’.
Run the two applications as well as any other anti-spyware, anti-trojan or anti-virus software you may have.
Empty the virus vaults and recycle bin. Restart in normal mode. Turn System Restore back on.



© Free PC Security 2008
Posted in Downloader-UA.h trojan, Free Tools, Security, trojans | 2 Comments »
Posted by cotojo on March 17, 2008
There are many malicious fake anti-malware applications.
Frequently this rogue software uses intentional false positives to convince the user that their system has been compromised and then demands money to remove these false threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue program.
It also leads to annoying popups reminding the user that their system has been compromised or the registry has ‘x’ number of problems even after removing the program.
To remove the remaining files download Malwarebytes’ Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Once installation is complete, ensure a checkmark is placed next to the following:
Update Malwarebytes’ Anti-Malware
Launch Malwarebytes’ Anti-Malware
Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. The rogue applications should now be gone.
I would also recommend using a registry cleaner and CCleaner to optimise your system, along with an anti-spyware application.
Posted in Free Tools, HowTo, Malicious Anti-malware Applications, trojans | 3 Comments »
Posted by cotojo on March 10, 2008
Details have been released of a new Trojan called Orkut.AT. At present this uses the Orkut social network to spread.
This is how it appears:
Initially, a profile appears in the user’s scrapbook which contains an image from a YouTube video of Giselle, a contestant in the Brazilian edition of the Big Brother reality TV show. This is the bait to entice users to click the link.
Once clicked, a message is displayed informing the user that the video cannot be played as it is missing a codec, and a link is provided to download the correct codec.
If users try to download the codec they will be downloading the Orkut.AT trojan to their computer, and, very cleverly, the trojan then redirects users to a web page where they will find the video.
Social networks are used by millions of people globally and they create their own communities online which is why the cyber-crooks are now turning their attention to them to spread their malicious programs. For them it is an easy way to reach millions of people in a very short time period.
All computer users should ensure that they have up to date anti-virus and all patches installed.
As a precaution, do NOT click any links received through social networks, even though they might seem to come from reliable sources. Play safe and type them directly into the browser’s address bar.
Related posts:
Trojan and Worm remover
WinPatrol Freeware
LinkscannerLite
Posted in Security, Social Networks Targeted With Trojan, trojans | 4 Comments »
Posted by cotojo on August 6, 2007
From: BlueMountain.Com ufp@btconnect.com
Subject: You’ve received a postcard from a School mate!
Hi. School mate has sent you a postcard.
See your card as often as you wish during the next 15 days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your
card’s direct www address below while you are connected to the Internet:
http://67.167.155.14/?e3ca036e47840d8e117868911e6c3
Or copy and paste it into your browser’s “Location” box (where Internet
addresses go).
We hope you enjoy your awesome card.
Wishing you the best,
Webmaster,
BlueMountain.Com
At present there are millions of these being mass mailed on a daily basis, from ‘schoolmates’, ‘friends’, ‘family members’, ‘your mate’ and many more.
Ensure that your Anti-Virus is up to date, and all system security patches have been downloaded.
NO Greeting Card company will ever ask you to DOWNLOAD anything, ecards are viewed online through a link in an email, but the links contained in these ‘cards’ prompt you to download.
In this particular case, if you click the link you are PROMPTED to DOWNLOAD or informed that your DOWNLOAD will start shortly.
It is important that you just delete these mails; many contain a Trojan script, but they will not zero your drive or boot sector as the rumours are saying.
As with all emails, if you don’t know the sender DELETE it.
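A small check for the warning signs in a mail like the one above (an added example, not part of the original post): the sender's display name claims BlueMountain.Com while the address is at btconnect.com, the card is "from" a generic relationship rather than a named person, and the link points at a raw IP address. The sample message is constructed from the text quoted above; the list of generic sender words, the 5-part domain regex and the check logic are my own assumptions.

```python
import re
from email import policy
from email.parser import Parser
from urllib.parse import urlparse

# Constructed sample, assembled from the message quoted in the post above.
SAMPLE_MAIL = """\
From: "BlueMountain.Com" <ufp@btconnect.com>
Subject: You've received a postcard from a School mate!

Hi. School mate has sent you a postcard.
See your card as often as you wish during the next 15 days.
If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:
http://67.167.155.14/?e3ca036e47840d8e117868911e6c3
Or copy and paste it into your browser's "Location" box.
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.(?:com|net|org|co\.uk))", re.I)
# Relationship words the post lists as typical fake "senders" (assumed list).
GENERIC_SENDERS = {"school mate", "schoolmate", "friend", "family member",
                   "your mate", "classmate", "neighbour", "colleague"}

def ecard_red_flags(raw):
    """Return the reasons a greeting-card mail looks fraudulent (empty list = none found)."""
    msg = Parser(policy=policy.default).parsestr(raw)
    flags = []
    sender = msg["From"].addresses[0]
    # 1. Display name impersonates a brand, but the address belongs to another domain.
    claimed = DOMAIN_RE.search(sender.display_name)
    if claimed and claimed.group(1).lower() != sender.domain.lower():
        flags.append("brand/domain mismatch: %s vs %s" % (claimed.group(1), sender.domain))
    # 2. The card is "from" a generic relationship rather than a named person.
    subject = (msg["Subject"] or "").lower()
    if any(re.search(r"from an? %s\b" % re.escape(g), subject) for g in GENERIC_SENDERS):
        flags.append("generic sender in subject")
    # 3. The card link points at a bare IP address, or at a host outside the claimed brand.
    for url in URL_RE.findall(msg.get_content()):
        host = urlparse(url).hostname or ""
        if IPV4_RE.match(host):
            flags.append("link to raw IP address: " + host)
        elif claimed and not host.lower().endswith(claimed.group(1).lower()):
            flags.append("link host %s does not belong to %s" % (host, claimed.group(1)))
    return flags
```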
Related post:
eCard Virus / Postcard Alert
How to ruin your PC
Fighting off Viruses



Posted in Greeting Cards, PC Security, trojans | 9 Comments »
Posted by cotojo on August 2, 2007
What is a rootkit?
A rootkit is not an exploit — it’s the code or program an attacker leaves behind after a successful exploit. The rootkit then allows the hacker to hide his or her activity on a computer, and it permits access to the computer in the future. To accomplish its goal, a rootkit will modify the execution flow of the operating system or manipulate the data set that the operating system relies on.
Windows operating systems support programs or processes running in two different modes: user mode and kernel mode. Traditional Windows rootkits such as SubSeven and NetBus operate in user mode.
Also known as backdoors or Trojans, user-mode rootkits run as a separate application or within an existing application. They have the same level of system privileges as any other application running on the compromised machine. Since these rootkits operate in user mode, applications such as antivirus scanners can detect the rootkit’s existence if they have a signature file.
A kernel-mode rootkit is remarkably different — and much more powerful and elusive. Kernel-mode rootkits have total control over the operating system and can corrupt the entire system.
By design, kernel-mode rootkits control the operating system’s Application Program Interface (API). The rootkit sits between the operating system and the user programs, choosing what those programs can see and do.
In addition, it uses this position to hide itself from detection. If an application such as an antivirus scanner tries to list the contents of a directory containing the rootkit’s files, the rootkit will suppress the filename from the list. It can also hide or control any process on the rooted system.
Rootkit detection
Methods to detect rootkits fall into two categories: Signature-based and heuristic/behavior-based detection.
Signature-based detection: As its name implies, this method scans the file system for a sequence of bytes that comprise a “fingerprint” that’s unique to a particular rootkit. However, the rootkit’s tendency to hide files by interrupting the execution path of the detection software can limit the success of signature-based detection.
Heuristic/behavioral-based detection: This method works by identifying deviations from normal operating system patterns or behaviors. For example, this method could detect a rootkit by determining that a system with a 200-GB hard drive that reports 160 GB of files has only 15 GB of free space available.
Rootkits are hard to detect, but there are programs that can help, including a free one from Grisoft which I have covered in another post.
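The free-space discrepancy heuristic above, worked through as an added example (not from the original post or from any product it mentions): tally the files an ordinary directory walk can see and compare that with what the filesystem reports as used. The 5% tolerance and the helper names are assumptions.

```python
import os
import shutil
import stat

GB = 10**9

def sum_visible_files(root):
    """Bytes allocated to the files an ordinary directory walk can see.

    Hard links count once (keyed by device/inode), symlinks are skipped, and
    allocated blocks are used where the platform reports them so sparse files
    do not inflate the total. Unreadable directories are silently skipped."""
    seen, total = set(), 0
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode) or (st.st_dev, st.st_ino) in seen:
                continue
            seen.add((st.st_dev, st.st_ino))
            blocks = getattr(st, "st_blocks", None)
            total += blocks * 512 if blocks is not None else st.st_size
    return total

def unaccounted_space(total, used_by_files, free):
    """Return (gap_bytes, gap_fraction): used space that no visible file explains.

    Some gap is normal: filesystem metadata, reserved blocks, and files the
    scanning account cannot read all contribute, hence the tolerance below."""
    gap = total - free - used_by_files
    return gap, (gap / total if total else 0.0)

def hidden_space_suspected(total, used_by_files, free, tolerance=0.05):
    """True when the unexplained fraction exceeds the tolerance (assumed 5%)."""
    return unaccounted_space(total, used_by_files, free)[1] > tolerance

def check_volume(root, tolerance=0.05):
    """Compare the OS-reported usage of the volume holding root with a file tally."""
    usage = shutil.disk_usage(root)
    return hidden_space_suspected(usage.total, sum_visible_files(root), usage.free, tolerance)

if __name__ == "__main__":
    import sys
    print(check_volume(sys.argv[1] if len(sys.argv) > 1 else os.getcwd()))
```

Both the walk and disk_usage go through the operating system's API, so a kernel-mode rootkit that filters directory listings can lie to both; the comparison is most trustworthy when the tally is taken from a clean boot or with the disk mounted on another system.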
Posted in PC Security, Rootkits, trojans | 1 Comment »