Posted on 25 January 2009
What is Win32/FakeAlert.MX
Win32/FakeAlert.MX is a trojan that downloads and executes arbitrary files. It can block certain security websites and redirect user search queries to malware-related websites.
How Win32/FakeAlert.MX propagates
Win32/FakeAlert.MX checks whether the following Internet browser executables exist on the system, in order to customize replies received from the web servers:
It also monitors and may manipulate “GoogleDesktop.exe” results.
It checks for Internet connectivity by attempting to access www.microsoft.com. If unsuccessful, the trojan does not continue with its payload.
Win32/FakeAlert.MX is also known as:
Clbd LB (CA Anti-Spyware), TrojanDropper:Win32/Alureon.J (MS OneCare), Rootkit.Win32.Clbd.lb (Kaspersky), Backdoor.Tidserv (Symantec)
Posted on 25 January 2009
What is Win32/Malas.C
Win32/Malas.C is a network worm that propagates through mapped network drives and peer-to-peer networks.
How Win32/Malas.C propagates and spreads
Win32/Malas.C infects further computers in two ways.
Via Network Drives
The worm enumerates every logical drive on the system, including mapped network drives, and attempts to drop the following files on each one:
Via Peer-to-Peer Networks
To propagate via peer-to-peer (P2P) network shares, Win32/Malas.C searches for the following directories relating to popular P2P programs:
%Program Files%\Kazaa Lite\My Shared Folder\
%Program Files%\Kazaa\My Shared Folder\
%Program Files%\Icq\Shared Files\
%Program Files%\KMD\My Shared Folder\
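A host-hunting check for the behaviour above, added here as an example and not part of the original post: the script walks the four shared folders listed, under %Program Files%, hashes every file found and flags names that look like a dropped worm copy. The folder list comes from the post; the executable-extension and double-extension heuristics, the function names and the constructed demo files are assumptions for this example (the post does not name the files Malas.C drops).

```python
import hashlib
import os
import tempfile

# Shared folders named in the post, relative to %Program Files%.
P2P_SHARE_DIRS = [
    r"Kazaa Lite\My Shared Folder",
    r"Kazaa\My Shared Folder",
    r"Icq\Shared Files",
    r"KMD\My Shared Folder",
]

# Triage heuristic (an assumption for this example; the post does not list the
# file names Malas.C drops): executable extensions in a share deserve a look.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def file_sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def classify(name):
    """Return the reasons a file name looks like a dropped worm copy ([] if none)."""
    reasons = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
        # "song.mp3.exe" style lure: a media/document extension in front of an executable one
        if len(parts) > 2:
            reasons.append("double extension")
    return reasons


def scan_p2p_shares(program_files, share_dirs=P2P_SHARE_DIRS):
    """Walk each known shared folder under program_files and hash every file there."""
    findings = []
    for rel in share_dirs:
        folder = os.path.join(program_files, *rel.split("\\"))
        if not os.path.isdir(folder):
            continue
        for dirpath, _dirs, files in os.walk(folder):
            for name in files:
                full = os.path.join(dirpath, name)
                findings.append({
                    "path": full,
                    "size": os.path.getsize(full),
                    "sha256": file_sha256(full),
                    "reasons": classify(name),
                })
    return findings


def run_demo():
    """Build a throwaway %Program Files% tree with constructed files and scan it."""
    root = tempfile.mkdtemp(prefix="pf_")
    share = os.path.join(root, "Kazaa", "My Shared Folder")
    os.makedirs(share)
    with open(os.path.join(share, "hit_single.mp3.exe"), "wb") as f:
        f.write(b"MZ constructed sample, not a real binary")
    with open(os.path.join(share, "readme.txt"), "wb") as f:
        f.write(b"plain text")
    return scan_p2p_shares(root)


if __name__ == "__main__":
    pf = os.environ.get("ProgramFiles", r"C:\Program Files")
    for item in scan_p2p_shares(pf):
        flag = "SUSPECT" if item["reasons"] else "ok"
        print(f"{flag:7} {item['sha256'][:16]} {item['size']:>8} {item['path']} {item['reasons']}")
```

Run it on the affected host (or against a mounted image by passing that image's Program Files directory to scan_p2p_shares) and submit the hashes of anything flagged to your scanner; the hash list also gives you an indicator to sweep other hosts for.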
Win32/Malas.C is also known as:
W32/Bindo.worm (McAfee), INF/Malas.C, Worm:Win32/Malas.gen (MS OneCare), P2P-Worm.Win32.Malas.h (Kaspersky), WORM_MALAS.I (Trend), W32/Malas-B (Sophos), W32.SillyFDC (Symantec)
Posted on 24 January 2009
What is Win32/Fruspam.E
Win32/Fruspam.E is a mass-mailing worm that sends spam email through its own SMTP engine. It also tampers with web content on systems running IIS.
The worm tries to learn the public IP address of the affected system by sending an HTTP request to whatismyip.com. It then connects to whois.apnic.net to look up the registration details of that address, such as country, description and contact address.
Method of Distribution of Win32/Fruspam.E
Win32/Fruspam.E propagates in two ways.
Via Email: Win32/Fruspam.E spreads by email. It downloads images from two legitimate websites and uses them to build the spam message.
The worm scans the affected machine and harvests target email addresses from files on it. It passes these addresses to a remote SMTP server and attempts to use that server to send the spam. For each domain it wants to mail to, it performs a DNS MX (mail exchanger) query to find that domain's mail server; if the MX lookup fails, it tries to guess the mail server's name by several methods.
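MX lookups, and the whatismyip.com and whois.apnic.net lookups described earlier, are not unusual on their own, but a workstation doing MX queries for many domains in a few seconds is. The following Python is an added example, not anything from the original post: it parses a constructed DNS resolver log and flags clients that query MX records for many distinct domains inside a short window, with an allow-list for real mail servers, plus clients that resolve the two external-IP/whois hosts named above. The log format, thresholds, function names and sample lines are assumptions for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed resolver log lines for this example (not real traffic).
# Assumed format: "<date> <time> <client-ip> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2009-01-24 09:15:01 10.0.0.7 A www.example.com
2009-01-24 09:15:02 10.0.0.5 A whatismyip.com
2009-01-24 09:15:04 10.0.0.5 A whois.apnic.net
2009-01-24 09:15:10 10.0.0.5 MX alpha.example
2009-01-24 09:15:10 10.0.0.5 MX beta.example
2009-01-24 09:15:11 10.0.0.5 MX gamma.example
2009-01-24 09:15:11 10.0.0.5 MX delta.example
2009-01-24 09:15:12 10.0.0.5 MX epsilon.example
2009-01-24 09:15:12 10.0.0.5 MX alpha.example
2009-01-24 09:16:00 10.0.0.25 MX partner.example
2009-01-24 09:30:00 10.0.0.25 MX other.example
2009-01-24 09:40:00 10.0.0.25 MX third.example
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

# Hosts the post says the worm contacts to learn its own address and its registration.
EXTERNAL_IP_INDICATORS = ("whatismyip.com", "whois.apnic.net")


def parse_dns_log(text):
    """Return (timestamp, client, qtype, qname) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append((ts, m.group(2), m.group(3).upper(), m.group(4).lower().rstrip(".")))
    return records


def mx_fanout(records, window_seconds=60, threshold=5, known_mtas=()):
    """Clients that queried MX for >= threshold distinct domains within one window.

    Real mail servers do this all day, so list their addresses in known_mtas.
    Returns {client: peak number of distinct domains seen in any window}.
    """
    per_client = defaultdict(list)
    for ts, client, qtype, qname in records:
        if qtype == "MX" and client not in known_mtas:
            per_client[client].append((ts, qname))
    alerts = {}
    for client, events in per_client.items():
        events.sort()
        in_window = Counter()   # domain -> queries currently inside the sliding window
        left = 0
        peak = 0
        for ts, qname in events:
            in_window[qname] += 1
            # evict queries that fell out of the window ending at ts
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[client] = peak
    return alerts


def external_ip_lookups(records, indicators=EXTERNAL_IP_INDICATORS):
    """Clients that resolved any of the external-IP / whois hosts named in the post."""
    suffixes = tuple("." + i for i in indicators)
    return sorted({client for _ts, client, _qt, qname in records
                   if qname in indicators or qname.endswith(suffixes)})


def run_demo():
    records = parse_dns_log(SAMPLE_DNS_LOG)
    return {"mx_fanout": mx_fanout(records), "external_ip_lookups": external_ip_lookups(records)}


if __name__ == "__main__":
    print(run_demo())
```

On the constructed log only 10.0.0.5 trips both checks: it resolves the two lookup hosts and then asks for five different MX records within two seconds, while 10.0.0.25 spreads three MX queries over half an hour and stays under the default threshold. Tune window_seconds and threshold to your environment's baseline before acting on the alerts, and populate known_mtas from your mail infrastructure rather than leaving it empty.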
Via File Replacement: If the compromised system runs IIS (Internet Information Services), Win32/Fruspam.E attempts to modify or replace the legitimate page %Root%\inetpub\wwwroot\index.htm with its own .htm file.
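A file-integrity baseline of the web root is enough to notice the replacement just described. The Python below is an added example and not from the original post: it records the SHA-256 of every file under a web root as a JSON manifest, compares a later snapshot against that baseline, and reports modified, added and removed files. The manifest file name, the helper names and the constructed demo content are assumptions; on a real IIS host point it at %Root%\inetpub\wwwroot (the default below builds that path from %SystemDrive%).

```python
import hashlib
import json
import os
import sys
import tempfile

# Location named in the post; pass another path on the command line if IIS is elsewhere.
DEFAULT_WEBROOT = os.environ.get("SystemDrive", "C:") + r"\inetpub\wwwroot"


def file_sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def snapshot_webroot(root):
    """Map each file under root (relative path, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def compare_manifests(baseline, current):
    """Which files changed, appeared or vanished since the baseline was taken."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed web root: take a baseline, then mimic the index.htm swap the post describes."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    _write(root, "index.htm", b"<html><body>Welcome</body></html>")
    _write(root, "images/logo.gif", b"GIF89a constructed placeholder")
    baseline = snapshot_webroot(root)
    _write(root, "index.htm", b"<html><body>constructed stand-in for the worm's page</body></html>")
    _write(root, "promo.htm", b"<html>constructed extra file</html>")
    return compare_manifests(baseline, snapshot_webroot(root))


if __name__ == "__main__":
    webroot = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_WEBROOT
    manifest_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "wwwroot.baseline.json")
    if not os.path.exists(manifest_path):
        save_manifest(snapshot_webroot(webroot), manifest_path)
        print("baseline written to", manifest_path)
    else:
        report = compare_manifests(load_manifest(manifest_path), snapshot_webroot(webroot))
        print(json.dumps(report, indent=2))
```

The first run writes the baseline, every later run diffs against it; keep the manifest somewhere the web server's identity cannot write to, otherwise anything that can replace index.htm can also rewrite the baseline. Legitimate deployments will show up as modified files too, so re-baseline as part of the release process rather than on an alert.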