In April 2008, Following Security Alerts were given by CERT-IN:

 

Issue Date Security Alert Description

8 April, 2008

BANCORKUT WORM

Bancorkut is a mass mailing worm. It spreads when a user clicks upon the malicious link embedded within the email message body. The worm collects the confidential information such as username and passwords from the infected system and some websites to send the collected information to a remote server under attacker's control. These credentials are further used for performing illegal banking activities.

Typical e-mail contents are as follows :
From: Orkut Seu Profile foi Denunciado
Subject: empty
Body:
Motivo: Você está infectado(a) por algum Malware/Vírus.
Seu perfil está enviando mensagens ilí [REMOVED] rá apagado.
Orkut.com (c) 2008 - Google.com.br e seus fornecedores.
Todos os direitos reservados.

Upon execution, the Worm :
* Searches for email addresses in files with the following extensions:
.dbx, .wab, .mbx, .eml
* Attempts to steal email addresses from the contact list in MSN Messenger.
* Attempts to steal email addresses from the user account of the following social networking Web site:
www DOT orkut DOT com
* It also attempts to steal user passwords from the following Web site: www DOT terra DOT com
* Sends the gathered information to the following locations:
            [http://]maejoana DOT byethost13 DOT com
* It may then download files from the following locations on to the compromised computer: [http://]feliznatal DOT rbcmail DOT ru
* Downloads potentially malicious files from the following locations on to the compromised computer:
1) [http://]74 DOT 254 DOT 144 DOT 200
2) [http://]www DOt ecologia-domestica DOT org
3) [http://]outthegarage DOT com
4) http://]www DOT baixa DOT la

15 April, 2008

GOLDUN TROJAN

An information stealing Trojan called Goldun is spreading via email. It comes as an email attachment or as a malicious link inside the email body which pretends to appear from E-Gold online bank or from Yahoo Shopping. The “subject line” of the email entices users to open the attachment or visit the malicious link and install the Trojan on their system. Upon successful installation the Trojan opens a backdoor and steals confidential information such as usernames and passwords for financial accounts from the infected system and sends this information to the remote server which is under the control of the attacker. These stolen credentials are used for performing illegal online banking activities. Further the Trojan downloads additional malware onto the infected system. It has been observed that variants of this Trojan are spreading widely. The Trojan variant contains a hidden process that steals personal information for financial accounts. It then sends this data to a remote server located at some location.

Typical e-mail contents are as follows:
From: E-gold "IPod For Your" [email protected]
Subject: Attention! E-gold service pack MS Windows/Critical Error Track your order
Body:
Dear User,
Please read the following message carefully.
We notify that your order was approved and shipped to you via FedEx 2Day.
Service, track 792531968828.
The amount of $479.95 USD was recieved from your e-gold account.The details of transaction and specification of chosen product we send you in self-extracting compressed-zip file.
Read it carefully to make sure that there's no mistakes in characteristics of chosen product.
We appreciate your choice!

According to the rules, refund must be based on your original method of payment.
Any requests to refund using e-gold are not accepted, if the payment method was credit card.
IPod For Your, Yahoo Shopping.
Attachment: setup.zip (contains the file setup.exe)
MsWindowsUpdate.rar (contains the file
MsWindowsUpdate.exe)
OrderInfo69.exe

Upon execution, the Trojan variant :
* Monitors access to website “ www DOT e -gold DOT com “ and steals user's authentication information and adds the following strings in the address bar:
1) e-gold.com/acct/acct.asp
2) e-gold.com/acct/accountinfo.asp
3) e-gold.com/acct/login.html
* Attempts to contact the following URLs to download further malware.
1) http://udachufund.net/[Removed]/javascript/vlsi.jpg
2) http://awstats/icon/[Removed]/next.php

25 April, 2008 VUNDO TROJAN It is dropped by some dropper as a DLL component on user's system. It installs itself as browser helper object (BHO) and gets injected into Explorer DOT exe . After successful installation it generates popup ads for rogue antispyware installation on the infected system which may appear as visible or hidden window. The Trojan further downloads and executes malicious files by contacting malicious domain www DOT virtumonde DOT com . It also opens a backdoor on the infected system and listens to remote attacker commands.
Upon execution, the Trojan:
*
Copies itself to the Windows system folder using a random filename generated from random alphabetical characters.
* Drops several non-malicious data files to the Windows system folder. These file names will be the reverse order of the dropped DLL file name and have one of the following extensions:
.ini, .bak1, .bak2, .ini2, .tmp
*
The above said executable files are randomly generated by joining some of the following strings and appending .exe to the end:
abr, ac, acc, ad, anti, ap, as, av, bak, bas, bin, c, cab, cat, cmd, com,cr, db, disk, dll, dns, doc, dos, drv, dvd, eula, exp, fax, font, ftp,hard, iis, img, inet, info, ip, java, kb, key, lib, log, main, mc, mfc, mp3, ms, msvc, net, nut, odbc, ole, pc, play, ps, ras, reg, run, s, srv,svc, svr, sys, api, task, tcp, un, url, util, vb, vga, vss, w, wave, web,win, wms, xml
*
Stores a list of URLs in the file which, when visited, there will be no popups. This list contains popular search engines and domain names of ad servers, such as:
1)
yahoo.com
2) search.ebay.com
3) web.ask.com
4) www2.yesadvertising.com
5) banners.pennyweb.com
6) ads2.revenue.net,

 

SOLUTIONS:

 

Sl. No. Security Alert Countermeasures / Solutions

1

BANCORKUT WORM

Advice to users:
* Do not click upon the links provided in untrusted email messages.
* Block access to the malicious domains mentioned above at gateway.
* Search for the malicious files and processes created/initiated by Bancorkut Worm and delete the same.
* Search for the registry entries, made by the Bancorkut Worm as mentioned and delete the same.
* Enforce password policy to make it difficult to crack password files on compromised computers
* Keep up-to-date patches and fixes on the operating system and application software.
* Keep up-to-date Antivirus and Antispyware signatures.

2

GOLDUN TROJAN

Advice to users:
* Do not click upon the links provided in untrusted email messages.
* Block access to the malicious domains mentioned above at gateway.
* Search for the malicious files and processes created/initiated by Goldun Trojan and delete the same.
* Search for the registry entries, made by the Goldun Trojan as mentioned and delete the same.
* Keep up-to-date patches and fixes on the operating system and application software.
* Keep up-to-date Antivirus and Antispyware signatures.

3 VUNDO TROJAN
Advice to users:
* Search for the malicious files and processes created/initiated by the Trojan and delete the same.
* Search for the registry entries mentioned above made by the Trojan and delete the same.
* Remain cautious while visiting trusted / untrusted websites.
* Exercise caution while opening e-mail attachments received from unknown sources.
* Block access to the malicious domain mentioned above at gateway.
* Keep up-to-date patches and fixes on the operating system and application software.
*
Keep up-to-date Antivirus and Antispyware signatures.
References:
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Vundo.K
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan:Win32/Vundo.gen!D