Virus News

Trojan Download Biggest Threat

2009-04-15T17:15:56Z

Not the much publicised Conficker, nor the Easter Twitter Worm were affecting Irish computers most, but a Trojan!

ESET's ThreatSense.Net® statistical system, which analyses the global trends of virus infections, reported that while on a global scale Conficker was the most prevalent recent infection, with it being detected on nearly one in ten computers (especially rampant in Russia and Ukraine where it was detected in almost one in three computers), in Ireland it is a Trojan, officially labelled WMA/TrojanDownloader.GetCodec that is doing most of the infecting. Latest figures show that in Ireland it featured in approximately 6.5% of all virus detections (while globally it ranked fifth on ESET's threat list with 1.45% of detections).

Worms Infect Twitter

2009-04-13T09:36:28Z

This weekend has seen the popular social media site Twitter infected by several worms. Fortunately the technical team at Twitter were on the ball, were able to stop these attacks from progressing too far and have now plugged the vulnerabilities that these attacks exploited.

Both attacks used a technique known as “cross site scripting” (XSS). The perpetrators of the worms discovered that you could put Javascript code into the “Bio” section of a Twitter account. Anyone then visiting the home page of that account would activate the Javascript which would, in turn, infect the visitors account. Thus the worm was able to spread from one account to another.

Conficker Still Active

2009-04-11T17:14:52Z

The Conficker.C worm became active on April 7th – a week after the expected date for activity. Trend Micro report that at that time it downloaded an update that has changed its behaviour somewhat.

The new variant, Conficker.E (sometimes known as WORM_DOWNAD.E), now has a stop date or May 3rd encoded into it. However the likelihood is that even if the worm itself stops functioning on May 3rd any backdoor that exists as a result of the worm will be left open.

The worm has also been contacting known Waledac worm domains and downloading files from these. Downloads from these servers frequently result in spamming attacks or rogue spyware and virus alerts. The latter may be the real intention of Conficker as it gives cyber-criminals an avenue to monetize the worm’s deployment.

Latest AIB Phishing Attacks

2009-04-09T17:53:55Z

This week as seen two more phishing attacks against AIB customers.

The first was titled "Important Security Alert" and contained the following text:

Your access to Online Services has been suspended. Due to a miss-match access code between your Security information. To enable you continue accessing your online account it will only take you few minutes to verify your Identity. Follow the reference below and you will be guided to where you can gain an instant verification process.

which was followed by the link (DON'T click the link). The interesting thing about this link is that it's on a legitimate (supposedly) radio station website http://www.lemammouthbleu.com Well the site was up when I tried a couple of days ago; but it now "down for maintenance". Were they hacked?

Phish 2 this week was another "You have 1 New Security Notification!" type with just an instruction to log in and the link. I've had two of these this week with the link pointing to different dummy domains.

Just to reiterate the message: don't act on any emails that purport to come from your (or anybody's) bank.

ESET Top Performer Again!

2009-04-06T17:39:49Z

Virus Bulletin introduced its first VB100 award in 1998, and conducts several comparatives every year, rotating its platforms between Linux, Windows, Windows servers and Novell Netware. In order to display the VB100 logo, an antivirus product must meet two criteria:

Virus Status

2009-02-24T13:24:44Z

Here's the current virus activity status supplied to us by ESET. If you think your computer has a virus then don't delay give us a call now on 023 88 39496.

Conficker April Fools Joke?

2009-04-01T18:28:15Z

Despite the apparent lack of activity from the Conficker worm today, the 1st of April, this threat is definitely not an April Fools joke.

The worm has in its body an embedded command to trigger its activity on April 1st. This command has thus been activated, prompting the worm to start communication with a randomly-generated number of domains out of the estimated daily total of 50,000 where the worm checks for instructions.

New DHCP Server Malware

2009-03-18T23:23:15Z

The SANS Internet Storm Centre has reported a new version of the Flush.M DHCP server malware that first surfaced last December (2008). Whilst this won’t affect home users (unless you’re running a separate DHCP server) businesses may be at risk. The ISC state:

Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address.

More Phishing

2009-03-16T19:04:45Z

More phishing attempts in the news today. Firstly the Revenue Commissioners have issues the following warning about a phishing email that's asking for personal information:

The Revenue Commissioners have today (16/03/09) warned of the existence of a fraudulent email purporting to come from Revenue seeking personal information from taxpayers in connection with a tax refund. The email asks the recipient to submit personal details including date of birth and debit/credit card details. This email did not issue from Revenue.

Conficker.C Coming 1st April

2009-03-16T08:38:25Z

A new variant of the Conficker worm, named Conficker.C, is set to become active on the 1st April according to CA. This evolution of the worm has been stripped of a lot of it's replication tools; but these have been replaced by stronger capabilities for disabling anti-virus products and restricting access to websites related to virus removal as well as disabling Windows Security Centre and Windows Defender.