1. Win32/PSW.OnLineGames
This is a family of Trojans with keylogging and (sometimes) rootkit capabilities which
gather information relating to online games and credentials for participating.
Characteristically, the information is sent to a remote intruder’s PC.
What does this mean for the End User?
This represents a return to the top spot for this class of threat, which has been at number
one or number two (alternating with INF/Autorun) for many months now.
However, it’s also important that participants in MMORPGs (Massively Multi-player
Online Role Playing Games) like Lineage and World of Warcraft, as well as “metaverses”
like Second Life, continue to be aware of the range of other threats ranged against them.
We are not just referring here to harassment nuisances like griefing and pointless quasiviral
attacks like grey goo, but phishing and other scams that can result in financial loss
in the real world.
2. INF/Autorun
This detection label is used to describe a variety of malware using the file autorun.inf as a
way of compromising a PC. This file contains information on programs meant to run
automatically when removable media (often USB flash drives and similar devices) are
accessed by a Windows PC user.
What does this mean for the End User?
Removable devices are useful and very popular: of course, malware authors are well
aware of this, as INF/Autorun’s persistent appearances at number one or number two in
these statistics clearly indicate. Here’s why popularity is sometimes a problem.
The default Autorun setting in Windows will automatically run a program listed in the
autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always
the program’s primary distribution mechanism, malware authors are always ready to
build in a little extra “value” by including an additional infection technique.
While using this mechanism can make it easy to spot for a scanner that uses this
heuristic, it’s better, to disable the Autorun function by default, rather than to rely on antivirus to detect it in every case. Microsoft Security Advisory (967940) “Update for Windows Autorun”, published February 24, 2009, is a further attempt by Microsoft to address the issue
(http://www.microsoft.com/technet/security/advisory/967940.mspx): see also
http://support.microsoft.com/kb/967715.
3. Win32/Conficker.AA
Win32/Conficker.AA is a worm that spreads via shared folders and on removable media.
It connects to remote machines in attempt to exploit the Server Service vulnerability.
What does this mean for the End User?
Make sure your anti-virus has effective detection for Conficker variants. It is important to ensure that your systems are updated with the Microsoft patch, which has been
available since the end of October, so as to avoid other threats using the same
vulnerability. Information on the vulnerability itself is available
http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx.
Note that Conficker uses the autorun facility misused by members of the INF/Autorun
family.
4. Win32/Conficker.A
The Win32/Conflicker threat is a network worm that propagates by exploiting a recent
vulnerability in the Windows operating system. The vulnerability is present in the RPC
sub system and can be remotely exploited by an attacker. The attacker can perform his
attack without valid user credentials.
Win32/Conflicker loads a DLL through the svchost process. This threat contacts web
servers with pre-computed domain names to download additional malicious
components.
What does this mean for the End User?
It is important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available at http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx.
There is an exhaustive analysis available at http://mtc.sri.com/conficker.
5. Win32/TrojanDownloader.Swizzor.NBF
The Win32/TrojanDownloader.Swizzor malware family is commonly used to download
and install other malicious components on an infected computer. The Swizzor malware has been seen installing multiple adware components on infected hosts. Some variants of the Swizzor family will not execute on systems using the Russian language
What does this mean for the End User?
There is often no clear distinction between out and out malware and other nuisances such as adware, and malware is frequently used to promote advertising. Whereas virus authors used to do what they did without commercial gain, whether from misguidance, mischief or malice, contemporary malware authors are more often driven by profit.
6. WMA/TrojanDownloader.GetCodec
Win32/GetCodec.A is a type of malware that modifies media files. This Trojan converts all
audio files found on a computer to the WMA format and adds a field to the header that
includes a URL pointing the user to a new codec, claiming that the codec has to be
downloaded so that the media file can be read. WMA/TrojanDownloader.GetCodec.Gen
is a downloader closely related to Wimad.N which facilitates infection by GetCodec
variants like Win32/GetCodec.A.
What does this mean for the End User?
Passing off a malicious file as a new video codec is a long-standing social engineering
technique exploited by many malware authors and distributors. The victim is tricked into
running malicious code he believes will do something useful or interesting. While there’s
no simple, universal test to indicate whether what appears to be a new codec is a
genuine enhancement or a Trojan horse of some sort, I would encourage you to be
cautious and skeptical: about any unsolicited invitation to download a new utility. Even if
the utility seems to come from a trusted site, it pays to verify as best you can that it’s genuine.
7. Win32/Adware.TencentAd
The Win32/Adware.TencentAd threat family is used to display advertisements on
infected computers.
This Adware seems to be targeting computers in Asia and is often installed by drive-by
download attacks.
What does this mean for the End User?
The proportion of drive-by downloads to user-launched infections is probably
overestimated. Social engineering, by which the victim is tricked into executing
malware, is successful time and time again. By contrast, malware that relies on
vulnerabilities in the system to infect without the victim’s intervention tends to decline
in effectiveness as more potential victims learn to patch vulnerable systems, and the
number of exploitable vulnerabilities is finite. Good patch management (by individuals
as well as businesses) lessens the risk further.
8. Win32/Toolbar.MywebSearch
This is a Potentially Unwanted Application (PUA). In this case, it’s a toolbar which
includes a search function that directs searches through MyWebSearch.com.
What does this mean for the End User?
Anti-malware companies are sometimes reluctant to flag PUAs as out-and-out malware,
and PUA detection is often an option rather than a scanner default, because some
adware and spyware can be considered legitimate, especially if it mentions (even in the
small print of its EULA or End User Licensing Agreement) the behavior that makes it
potentially unwanted. It always pays to read the small print.
9. Win32/Adware.Virtumonde
This detection represents a family of Trojan applications used to deliver advertisements
to users’ PCs. Among other actions, Virtumonde may open multiple windows while
running, which contain unwanted advertising material, and it can be very difficult to
automate removal completely. Adware is still a big profit generator for malware
distributors.
What does this mean for the End User?
Virtumonde has become a particularly difficult problem for vendors and customers alike,
far more than its classification as “adware” might suggest.
Tags: spyware, virus, malware, threats, exploits, windows, critical updates, patches