Update: Sobig’s 9/11

By | November 24, 2011
Here’s some more evidence that the Sobig worms may be part of something more sinister: Central Command, a provider of PC anti-virus software and services, says the worm’s latest incarnation, Sobig.F, “is estimated to have infected millions of systems worldwide and may draw on them to be part of a cyber army focusing a digital assault against major online services”.
 
Here’s how it may work: when particular conditions are met, Worm/Sobig.F will attempt to download additional components of the attacker’s choice. The pre-configured conditions include checking whether the current day is Friday or Sunday and the time is between 19:00 (7PM) and 22:00 (10PM) UTC. When they are met, the worm attempts to retrieve further instructions, which may include downloading and executing a backdoor program. A backdoor can give someone with malicious intent full control of the infected computer.
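Because the worm tests UTC rather than the local clock, anyone planning to watch outbound traffic during those windows has to translate them first (a Friday-evening window in UTC is already Saturday morning in much of Asia). The following is an added example, not Central Command’s code or anything from the original post, that does that translation. The schedule is the one given above; treating it as the half-open window [19:00, 22:00), the function names and the sample dates are my assumptions.

```python
"""When does a Sobig.F-style time-gated trigger fire, in my own time zone?

Added illustration, not code from the page or from Central Command. The
schedule (Friday or Sunday, 19:00-22:00 UTC) is the one the article gives;
treating it as the half-open window [19:00, 22:00) and the function names
are my assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

TRIGGER_WEEKDAYS = {4, 6}      # datetime.weekday(): Monday is 0, so Friday 4, Sunday 6
WINDOW_START_HOUR = 19         # 19:00 UTC, inclusive
WINDOW_HOURS = 3               # closes 22:00 UTC, exclusive (assumption)


def _as_utc(when: datetime | str) -> datetime:
    """The worm tests UTC, so convert first. ISO-8601 strings are accepted;
    a naive value is taken to be UTC already."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)


def in_trigger_window(when: datetime | str) -> bool:
    """True if the instant falls inside the activation window. Note that a
    local Saturday 00:30 in UTC+3 is still Friday 21:30 UTC and qualifies."""
    utc = _as_utc(when)
    return (utc.weekday() in TRIGGER_WEEKDAYS
            and WINDOW_START_HOUR <= utc.hour < WINDOW_START_HOUR + WINDOW_HOURS)


def next_windows(start: datetime | str, count: int,
                 local_utc_offset_hours: int) -> list[tuple[datetime, datetime]]:
    """The next `count` (open, close) pairs at or after `start`, rendered in a
    fixed local offset so a responder can schedule egress monitoring. A window
    that is already open at `start` is included."""
    local_tz = timezone(timedelta(hours=local_utc_offset_hours))
    start_utc = _as_utc(start)
    cursor = start_utc.replace(hour=WINDOW_START_HOUR, minute=0,
                               second=0, microsecond=0)
    windows: list[tuple[datetime, datetime]] = []
    while len(windows) < count:
        close = cursor + timedelta(hours=WINDOW_HOURS)
        if cursor.weekday() in TRIGGER_WEEKDAYS and close > start_utc:
            windows.append((cursor.astimezone(local_tz), close.astimezone(local_tz)))
        cursor += timedelta(days=1)
    return windows


if __name__ == "__main__":
    # Windows after Sobig.F's first sighting (18 Aug 2003), shown for UTC+8.
    for opens, closes in next_windows("2003-08-18T12:00:00+00:00", 4, 8):
        print(opens.strftime("%a %Y-%m-%d %H:%M"), "to", closes.strftime("%H:%M"), "local")
```

Run it as-is to list the first four windows after 18 August 2003 in UTC+8; the point to notice is that they print as Saturday and Monday mornings, not Friday and Sunday evenings.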
 
“The virus author(s) of Sobig have developed a predictable pattern of releasing new variants soon after the current version de-activates itself,” said Steven Sundermeier, VP Products and Services at Central Command, Inc. “If the past repeats itself we could be looking at a newly constructed creation shortly after September 10th. A potential risk is that the massive army created by Worm/Sobig.F could be used to launch an all out attack on large Internet infrastructures, for example, by means of a Distributed Denial of Service attack (DDoS).”
 
This may not happen, just as the LovSan worm’s planned attack on Microsoft didn’t. But to be safe, check that you’ve not got the Sobig worm aboard and, if you have, remove it.

Update: Microsoft May Stop Footing Pussies

By | November 24, 2011
Security Wire Digest, published by Information Security Magazine, reports that Microsoft may stop pussyfooting around on updates to its Windows operating system. In the wake of the worm that ripped through networks worldwide by exploiting a vulnerability for which a patch had been released more than three weeks before, the company is considering several plans to beef up security in its products, including automatically installing patches on PCs.
 
 
Privacy advocates will have a problem with this, but it’s logical. Most folk don’t update properly, or even know they’re supposed to, although I wonder whether it may leave Microsoft vulnerable legally. It’s tantamount to saying ‘what we’re selling you isn’t safe unless you let us keep patching it.’

News: Another Reason To Dump MSN Messenger?

By | November 24, 2011
 Microsoft look like they’re going their own way again. An article by IDG says it’s making changes to its MSN instant messaging (IM) service that will lock out users of third-party software that uses the service as well as users of older versions of Microsoft’s own Messenger client.
 
 
Users have to upgrade to the latest versions of MSN or Windows Messenger by Oct. 15 or they will no longer be able to log on, Microsoft spokesman Sean Sundwall said. This will lock out, at least for a while, users of IM software such as Trillian, Imici and Odigo that allow users to consolidate multiple IM accounts in one client.

Update: Manually Extracting Worms

By | November 24, 2011
 Here are some tips for manually removing the Sobig.F worm, from Global Hauri, which sells something called a ViRobot Expert to filter unwanted emails caused by this virus (sorry, I haven’t tidied up the somewhat eccentric language):
 
 
To repair the virus, install anti-virus software and update to the latest definitions. Once the anti-virus update is complete, scan the whole HDD to remove the Sobig.F virus. It is possible to remove the virus manually by searching for it on the system. Here are the steps to get rid of the critical file called “winppr32.exe” from infected systems:
 
1.  Unplug your computer from the network.
2.  Boot the computer, then hit the F8 function key (above the numeric keys) until the options appear, and choose ‘Safe Mode’.
3.  Wait until the boot process has completed in ‘Safe Mode’.
4.  Open Task Manager by pressing three keys simultaneously (Ctrl+Alt+Del) and select the ‘Processes’ tab.
5.  Find and highlight ‘winppr32.exe’ in the Processes tab.
6.  To kill ‘winppr32.exe’, click the ‘End Process’ button at the bottom of the Processes tab window.
7.  Go to ‘Start’ at the lower-left corner of the Windows screen and select ‘Search’. (It looks slightly different between OS versions: NT, Win2000 and XP.) Choose ‘All files and folders’, type ‘winppr32.exe’, and search the entire hard disk drive. (If you have more than one hard disk drive, select all of them.)
8.  Delete every ‘winppr32.exe’ from the search window.
9.  Reboot in normal mode and plug back into the network. (It will not reboot itself once all ‘msblast.exe’ files have been deleted.)
10. Install anti-virus software and update to the latest anti-virus definitions.
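As an added example (not Global Hauri’s tool and not code from the original post), the Python script below automates steps 4 to 8 of the procedure above on a current Windows machine: end the process, search every drive letter rather than just C:, and, instead of deleting outright, hash each copy and move it into a quarantine directory so a sample survives for analysis. It is dry-run by default. The file name winppr32.exe is the one given in the steps; the quarantine location, the function names and the scratch tree that demo() builds are my assumptions, and demo() runs on a constructed directory, not a real infection.

```python
"""Automating the manual Sobig.F clean-up: kill, find on every drive, quarantine.

Added example, not Global Hauri's tool. The artifact name winppr32.exe comes
from the vendor's steps; the quarantine path, function names and demo() tree
are assumptions. Dry-run by default; pass --apply to actually act.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import string
import subprocess
import sys
import tempfile
from pathlib import Path

ARTIFACT = "winppr32.exe"          # matched case-insensitively


def kill_process(name: str = ARTIFACT) -> bool:
    """Steps 4-6: end the running process. Uses taskkill, so Windows only;
    returns True only if taskkill reported success."""
    if sys.platform != "win32":
        return False
    res = subprocess.run(["taskkill", "/F", "/IM", name],
                         capture_output=True, text=True)
    return res.returncode == 0


def fixed_drives() -> list[Path]:
    """Step 7: every drive letter that exists, not just C:."""
    if sys.platform != "win32":
        return [Path("/")]
    return [Path(f"{d}:\\") for d in string.ascii_uppercase
            if Path(f"{d}:\\").exists()]


def find_artifacts(roots, name: str = ARTIFACT) -> list[Path]:
    """Step 7: walk each root and collect every file with exactly that name."""
    hits: list[Path] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            hits.extend(Path(dirpath) / f for f in files if f.lower() == name)
    return hits


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: Path, qdir: Path, digest: str) -> Path:
    """Step 8, but keep evidence: move the copy into qdir under a name that
    no longer ends in .exe, so it cannot be launched by accident."""
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / f"{path.name}.{digest[:12]}.quarantined"
    shutil.move(str(path), str(dest))
    return dest


def clean(roots, qdir: Path, dry_run: bool = True) -> list[dict]:
    """Hash every copy; quarantine it unless dry_run. Returns a report."""
    report = []
    for p in find_artifacts(roots):
        entry = {"path": str(p), "sha256": sha256_of(p)}
        if not dry_run:
            entry["quarantined_to"] = str(quarantine(p, qdir, entry["sha256"]))
        report.append(entry)
    return report


def demo() -> dict:
    """Walkthrough on a constructed scratch tree (no real malware involved):
    one planted copy, two decoys, a dry run, then a real run."""
    base = Path(tempfile.mkdtemp(prefix="sobig_demo_"))
    (base / "WINDOWS").mkdir()
    planted = base / "WINDOWS" / "WINPPR32.EXE"
    planted.write_bytes(b"MZ-placeholder-not-a-worm")      # constructed content
    (base / "WINDOWS" / "winppr32.exe.txt").write_text("decoy, must not match")
    (base / "readme.txt").write_text("decoy, must not match")
    dry = clean([base], base / "quarantine", dry_run=True)
    kept = planted.exists()
    real = clean([base], base / "quarantine", dry_run=False)
    dest = Path(real[0]["quarantined_to"])
    return {
        "found": len(dry),
        "dry_run_kept_file": kept,
        "removed": not planted.exists(),
        "same_bytes_in_quarantine": dest.read_bytes() == b"MZ-placeholder-not-a-worm",
        "quarantine_is_not_exe": dest.suffix != ".exe",
        "sha256": real[0]["sha256"],
    }


if __name__ == "__main__":
    apply = "--apply" in sys.argv
    if apply:
        print("taskkill succeeded:", kill_process())
    for entry in clean(fixed_drives(), Path.home() / "sobig_quarantine", dry_run=not apply):
        print(entry)
```

Run it from Safe Mode with the network cable out, as the vendor’s steps say; the dry run shows what would be touched, and `--apply` kills the process and quarantines the copies. The hashes in the report are what you would submit to your anti-virus vendor.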

News: Sobig Is, Well, So Big

By | November 24, 2011
MessageLabs, the email security company, says it intercepted over one million copies of Sobig.F, a variant of an earlier virus that did the rounds some time back, in the first 24 hours after it was first detected on 18th August. This makes Sobig.F the fastest-growing virus ever, surpassing the infamous LoveBug and Kournikova viruses.
 
Sobig is a mass-emailing virus that can spoof the sender’s address, fooling the user into believing the email is from a legitimate source and opening it. The email often carries the header “Subject: Re:details” and the text “Please see the attached file for details”. The attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_all.pif, application.pif, document_9446.pif.
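Those three visible traits (the subject, the lure sentence and a .pif attachment) are enough for a simple gateway rule. The following is an added example, not MessageLabs’ filter and not code from the original post: it parses a message with Python’s standard email library and reports which indicators are present. The subject, body phrase and attachment names are the ones listed above; the function names and the two sample messages are constructed for this illustration, and the sender addresses in them are arbitrary because, as noted, the worm spoofs them.

```python
"""Flagging Sobig.F-style mail by its visible indicators.

Added example, not MessageLabs' filter. The subject line, body phrase and
attachment names are those given in the article; the function names and the
two sample messages are constructed for this illustration.
"""
from __future__ import annotations

import email
from email import policy

SOBIG_SUBJECT = "re:details"           # compared with all whitespace removed
SOBIG_BODY_PHRASE = "please see the attached file for details"
SOBIG_ATTACHMENTS = {
    "your_document.pif", "details.pif", "your_details.pif", "thank_you.pif",
    "movie0045.pif", "document_all.pif", "application.pif", "document_9446.pif",
}


def sobig_indicators(raw: bytes) -> list[str]:
    """Return the indicators present in one RFC 822 message, in a fixed order:
    subject, body text, then one entry per suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []

    subject = str(msg["subject"] or "")
    if "".join(subject.lower().split()) == SOBIG_SUBJECT:
        hits.append("subject")

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and SOBIG_BODY_PHRASE in body.get_content().lower():
        hits.append("body-text")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_ATTACHMENTS:
            hits.append(f"known-attachment:{name}")
        elif name.endswith(".pif"):                 # unknown name, same trick
            hits.append(f"pif-attachment:{name}")
    return hits


def is_sobig_like(raw: bytes) -> bool:
    """Lure text alone is weak; an executable .pif attachment plus either the
    subject or the body phrase is the combination the article describes."""
    hits = sobig_indicators(raw)
    has_pif = any(h.startswith(("known-attachment:", "pif-attachment:")) for h in hits)
    return has_pif and ("subject" in hits or "body-text" in hits)


# Constructed sample messages (not real captures). The From: address is
# arbitrary: the worm spoofs it, so it tells you nothing.
SOBIG_SAMPLE = b"""\
From: "Someone You Know" <someone@example.com>
To: victim@example.net
Subject: Re:details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

BENIGN_SAMPLE = b"""\
From: colleague@example.com
To: victim@example.net
Subject: Lunch?
Content-Type: text/plain; charset="us-ascii"

Noon at the usual place, details to follow.
"""

if __name__ == "__main__":
    for label, sample in (("sobig", SOBIG_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_sobig_like(sample), sobig_indicators(sample))
```

The attachment check deliberately fires on any .pif file, not only the listed names, because the serial pattern described below means the next variant will change the names before it changes the trick.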
 
Once the virus has got onto your machine, it connects to a website and downloads a backdoor Trojan, leaving your computer open to hackers or other viruses. The virus is set to deactivate on September 10th. It is spreading at such a rate that it is expected to stay at high-level status for the short term.
 
The scary bit: it seems to be a serial virus. Alex Shipp, Senior Anti Virus Technologist at MessageLabs, says:
“The virus writer’s use of an inbuilt expiry date on Sobig indicates that he is committed to inventing new and improved versions. Each variant released so far has exceeded the previous one in growth.”