How to delete the WORM_KOOBFACE.AZ Facebook worm

March 4th, 2009 Malware Removal Guide, Worms


Description:

WORM_KOOBFACE.AZ is a worm that targets social media sites. It does this by monitoring the cookies on your computer that contain login information for various social sites. When login information is found, it will log in to your account and start sending messages to your friends and contacts on the site. For example, if you use Facebook, it will log in to your account and send all your friends messages about a video they should see. These messages contain links to the infection that will in turn infect the person who visits the link.

The social sites that this infection monitors are:

  • facebook.com
  • hi5.com
  • friendster.com
  • myyearbook.com
  • myspace.com
  • bebo.com
  • tagged.com
  • netlog.com
  • fubar.com
  • livejournal.com

Once infected, the worm will create the file C:\Windows\freddy35.exe. This file is the main program that sends infected messages to your friends. It will then create the following registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysftray2" = "%WinDir%\freddy35.exe"

Manual Removal Instructions for WORM_KOOBFACE.AZ

End these processes if they exist:
Learn how to end processes

freddy35.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\freddy35.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysftray2"

How to remove olhrwef.exe or the W32/Autorun-AAG worm.

March 4th, 2009 Malware Removal Guide, Worms


Description:

The W32/Autorun-AAG worm is an infection that spreads through removable media devices such as flash drives, USB drives, and external hard drives. A user becomes infected when they insert an infected device into the computer. Once the device is inserted, your computer will autoplay the device and the infection will spread to your computer.

During the infection process a file called olhrwef.exe will be created in your C:\Windows folder. This file will automatically start when you log into Windows. It will also create the C:\Windows\System32\nmdfgds0.dll file and add an autorun.inf file to every removable device on your computer. It will then create the following registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cdoosoft" = "%System%\olhrwef.exe"

Manual Removal Instructions for W32/Autorun-AAG

End these processes if they exist:
Learn how to end processes

olhrwef.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\olhrwef.exe
C:\Windows\System32\nmdfgds0.dll
Autorun.inf from the root of all of your removable media devices

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"cdoosoft"

How to remove ANG AntiVirus 09 (Removal Instructions)

March 1st, 2009 Malware Removal Guide, Rogue Anti-Spyware

ANG Antivirus 09 is a rogue anti-spyware program from the same developers as Antivirus 2010. This program displays false positive scan results to trick you into purchasing the software. ANG Antivirus 09 also displays fake security alerts from your Windows taskbar and from within Internet Explorer to attempt to trick you into thinking you are infected.

How to remove the javale.exe or W32.Ackantta.B@mm infection

February 28th, 2009 Malware Removal Guide, Worms


Description:

The W32.Ackantta.B@mm worm is an infection that spreads by copying itself to removable drives and shared folders, and by mass-mailing all of the email contacts it can find on your computer. This infection is typically installed when a user opens the attachment of an email that this infection sent from another machine. The subject of these emails may be:

Job offer from Coca Cola!
Thank you for your application
You have got a new E-Card from your friend!
You have received A Hallmark E-Card!

The attachment names are:

copy of your CV.zip
e-card.zip
job-application-form.zip
postcard.zip

This attachment looks like a snowman:

[Image: the attachment's icon, which resembles a snowman]

If a user runs the attachment, it will open an image that looks like a Christmas postcard. It will then create the C:\Windows\System32\javale.exe and C:\Windows\System32\javame1.1.exe files. It will then create the following registry key to start itself automatically:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7" = "%System%\javale.exe"

The worm will also modify the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%System%\"javale.exe" = "%System%\javale.exe:*:Enabled:Explorer"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"javastation1.1" = "02"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"ultrasparc1.1" = "25"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "0x1"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "no"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" = ".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"

The worm then connects to the http://whatismyip.com/automation/n09230945.asp URL in order to determine its IP address. It will then connect to another URL to potentially download more malware such as Vundo.

Manual Removal Instructions for W32.Ackantta.B@mm

End these processes if they exist:
Learn how to end processes

javale.exe
javame1.1.exe


Delete these files if they exist:

Learn how to remove files

C:\Windows\System32\javale.exe
C:\Windows\System32\javame1.1.exe

Remove these Registry keys if they exist:
Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7"
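As an added example that is not part of these posts (the script is written here, not the blog's own), the following PowerShell snippet checks a machine for the indicators the three worm guides above list: the processes, the dropped files, the Run values, and the autorun.inf that W32/Autorun-AAG places on removable drives. It only reports what it finds and deletes nothing, so it is a read-only pre-check before following the manual steps; the cmdlets used are standard, and the grouping of indicators per threat is this example's own.

```powershell
# Added example, not from the original posts: read-only check for the indicators
# listed in the WORM_KOOBFACE.AZ, W32/Autorun-AAG and W32.Ackantta.B@mm guides.
# Run from an elevated PowerShell prompt so HKLM and %WinDir% are readable.

$indicators = @(
    @{ Name      = 'WORM_KOOBFACE.AZ'
       Processes = @('freddy35')
       Files     = @("$env:WinDir\freddy35.exe")
       RunValues = @('sysftray2') },
    @{ Name      = 'W32/Autorun-AAG'
       Processes = @('olhrwef')
       # The guide lists the file in C:\Windows, while its Run value points at
       # %System%; both locations are checked to cover either reading.
       Files     = @("$env:WinDir\olhrwef.exe",
                     "$env:WinDir\System32\olhrwef.exe",
                     "$env:WinDir\System32\nmdfgds0.dll")
       RunValues = @('cdoosoft') },
    @{ Name      = 'W32.Ackantta.B@mm'
       Processes = @('javale', 'javame1.1')
       Files     = @("$env:WinDir\System32\javale.exe",
                     "$env:WinDir\System32\javame1.1.exe")
       RunValues = @('SunJava Updater v7') }
)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

foreach ($ioc in $indicators) {
    # Running processes (Get-Process takes the image name without .exe).
    foreach ($p in $ioc.Processes) {
        if (Get-Process -Name $p -ErrorAction SilentlyContinue) {
            $findings += [pscustomobject]@{ Threat = $ioc.Name; Type = 'Process'; Item = "$p.exe" }
        }
    }
    # Dropped files.
    foreach ($f in $ioc.Files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Threat = $ioc.Name; Type = 'File'; Item = $f }
        }
    }
    # Autostart values under HKLM\...\Run.
    foreach ($v in $ioc.RunValues) {
        $val = Get-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue
        if ($val) {
            $findings += [pscustomobject]@{ Threat = $ioc.Name; Type = 'RunValue'; Item = "$v = $($val.$v)" }
        }
    }
}

# W32/Autorun-AAG drops autorun.inf in the root of every removable drive
# (Win32_LogicalDisk DriveType 2 = removable disk).
foreach ($drive in Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 }) {
    $inf = Join-Path ($drive.DeviceID + '\') 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $findings += [pscustomobject]@{ Threat = 'W32/Autorun-AAG'; Type = 'Autorun'; Item = $inf }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No listed indicators found.' }
```

A hit on any row points you at the matching section of the guide above (end the process first, then delete the file, then the Run value); an autorun.inf on a removable drive is worth inspecting rather than assuming it is malicious, since legitimate media can carry one too.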

How to remove Spyware Fighter (Uninstall Guide)

February 27th, 2009 Malware Removal Guide, Rogue Anti-Spyware

Spyware Fighter is a new rogue anti-spyware program from the same developers as Rapid Antivirus and originates from Russia. This program uses false positives, misleading advertisements, and fake alerts to scam you into purchasing its software. We advise you to stay away from Spyware Fighter and uninstall it immediately if you find it on your computer. Most of all, do not purchase the program, as it has no beneficial function.

We will update this guide when more information is available about this program.

How to remove VirusRemover2009 (Uninstall Guide)

February 27th, 2009 Malware Removal Guide, Rogue Anti-Spyware

VirusRemover2009 is a rogue anti-spyware program from the same developers as VirusRemover 2008. This version of VirusRemover contains additional files not contained in the original. It is unknown what these additional files do, but as the rest of the program is considered malware, they can't be good either. When running, this program will display false infections on your computer. These infections can't be removed unless you purchase the software.

How to uninstall a program from Windows

February 27th, 2009 Tutorial

To uninstall a program in Windows please perform the instructions for the particular version of Windows listed below.

How to uninstall a program in Windows XP

  1. Click on the Start button
  2. Select Control Panel
  3. Once in the Control Panel, click on the Add or Remove Programs control panel icon.
  4. A list of all the programs installed on your machine will appear. Click on the program you would like to remove and then click on the Remove button.
  5. The program will now begin to uninstall. Please follow the prompts to uninstall the program.
  6. When the program has finished uninstalling you can close the Control Panel window.

How to uninstall a program in Windows Vista & Windows 7

  1. Click on the Start button.
  2. Select Control Panel.
  3. Once in the Control Panel, under the Programs category, click on the Uninstall Program option.
  4. A list of all the programs installed on your computer will appear. Click on the program you wish to remove and then click on the Uninstall button on the menu bar above the list.
  5. The program will now begin to uninstall. Please follow the prompts to uninstall the program.
  6. When the program has finished uninstalling you can close the Control Panel window.

Your program will now be uninstalled.

How to remove OS Protection (Removal Instructions)

February 27th, 2009 Malware Removal Guide, Rogue Anti-Spyware

OS Protection is a rogue anti-spyware program that is the same as Spyware Protect 2009. This rogue uses false positives and Trojans to advertise itself. When running, it will also spam your desktop with fake warnings and alerts stating that you should purchase the program. As this program is considered malware, we suggest you remove it immediately. …

Microsoft has released their Malware Protection Center Beta

February 27th, 2009 information

Microsoft has released a beta version of their Microsoft Malware Protection Center. The beta center provides information on the latest updates for their malware removal technologies, a threat index, as well as new malware analysis that they perform. For anyone who wants to stay on top of what Microsoft's anti-malware team is up to, I suggest you visit and bookmark this site.

Microsoft Malware Protection Center

How to remove Anti-virus-1

February 18th, 2009 Malware Removal Guide, Rogue Anti-Spyware

Though I have not been posting to the blog as much as I would have liked to when I started it, I have been keeping track of what's been going on at some of the reputable security sites. This evening I ran across an interesting article at BleepingComputer about a new rogue named Anti-Virus-1. This particular rogue seems like a nasty one and uses some pretty tricky tactics to make you think it's legit. Definitely an interesting read:

How to remove Anti-virus-1 (Removal Guide)

and

Learning how to remove Anti-virus-1 teaches us some new tricks