#1
WARNING!
Following the remote wipe attack on some Samsung Mobile devices via a USSD code embedded in URL links with the “tel” prefix, QR codes and NFC-enabled cards, a new vulnerability in Android OS could affect millions of users. The new USSD attack can change a SIM PIN and brute force a PUK lock, rendering the card unusable.
--> IObit Europe Team --> IObit Malware Fighter Team
#2
WARNING
A trojan on Facebook. The trojan sends a message in the name of a friend on Facebook, and the friend has sent nothing and knows nothing about it. The message on Facebook is as follows: ahaahahahahhahaahhhhahhaahhaahaaaaaahaaahhahaahhha aaaahahaaahaaaaaahhaaha www.mediafire . com /? 9ff5r1p6cwt4ksi Please do not click, and delete immediately.
--> IObit Europe Team --> IObit Malware Fighter Team --> IObit Europe LAB Team
#3
In October 2012, we saw a new QUERVAR variant with a new structure, different from the previously detected variants but with the same infection routines. These included infecting .EXE and Microsoft Excel and Word files and then renaming them with a .SCR extension. However, the newer variants came with a new payload: downloading ransomware and ZACCESS variants.
The new QUERVAR variants are detected as PE_QUERVAR.E-O. PE_QUERVAR.E-O accesses the following malicious files below to download ransomware variants detected as TROJ_RANSOM.CMY and HTML_RANSOM.CMY, and the ZACCESS variant TROJ_SIREFEF.SZP.
http://{BLOCKED}ewidea1.ru/1.php?000102E0&pin=16FB2534B0B2D6E3
http://www.{BLOCKED}coservisi.com/test/php/way.php?000076A8&pin=16FB2534B0B2D6E3
http://{BLOCKED}y90.com/c/osnovnoj2.exe?00022F68 – detected as TROJ_RANSOM.CMY
http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/get.php?id=2 – detected as HTML_RANSOM.CMY
http://{BLOCKED}lhgkjl.un {BLOCKED}ilesexchnges.su/landings/first/US/NL_files/buttons.css
http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/jquery.min.js
http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/FBI.png
http://{BLOCKED}lhgkjl.{BLOCKED}ilesexchnges.su/landings/first/US/NL_files/keyboard.js
http://{BLOCKED}lil.ru/33797470/2a06754.50664748/3052832ace10d474336096b36fbd49f05f190.exe?{random characters} – detected as TROJ_SIREFEF.SZP
IObit IMF and IObit ASC Ultimate users need not worry as they are protected via the Browser Guard and Network Guard. In particular, file reputation services block and delete related malicious files, while the web reputation services block access to the sites where PE_QUERVAR.E-O downloads its malicious payload.
--> IObit Europe LAB Team --> IObit Malware Fighter Team --> IObit Europe Team
#4
NEWS
Without verifying its legitimacy, users who may be anticipating a WebEx conference are at risk of downloading variants of a notorious info stealing malware. Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC). The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious ...
--> IObit Europe LABS Team --> IObit Malware Fighter Team
#5
News
We’re currently investigating several file infectors that have affected several countries, particularly Australia. Identified as: PE_XPAJ.C, PE_XPAJ.C-1, PE_XPAJ.C-2, and PE_XPAJ.C-O. Based on our initial analysis, these PE_XPAJ variants connect to the following C&C servers to send and receive information:
The infected file (detected as PE_XPAJ variants) is capable of downloading its mother file and loading it to the memory. As such, the copy of the mother file can be found in Windows folder using random file name and extension. ...
--> IMF/ASCU Team --> IObit Europe LABS (Laboratory) Team --> IObit Europe Team
#6
FACEBOOK SECURITY ALERT....
If you get a chat from a friend and it reads.... hey, go to album67 dot com and search for "YOURNAME HERE" then click on the first photo.. I bet you didn't remember that, eh?
1. DO NOT GO TO THE LINK, YOU WILL BE INFECTED
2. Tell your friend his/her computer is infected and must be cleaned right away
3. Change your FB password if you suspect you are infected right away.... bad guys have full account access to your profile now
4. Get Advanced System Care w/ AntiVirus...
5. Virus scan your entire system
6. Run Deep Care - repair
7. Reboot
8. During the next 24/48 hrs keep in touch w/ friends on FB make sure they no longer are getting these messages from you
if problems persist contact a professional technician
--> IMF/ASCU Team
#7
Virus and Trojan Information
W32/Mydoom.o@MM!CB4BF14684BD Trojan Low 25.10.2012
Ransom!gw!95169F0738CA Trojan Low 25.10.2012
Generic.gl!B73D3212DF6E Trojan Low 25.10.2012
W32/Expiro.gen.n!DB6957E1F258 Virus Low 25.10.2012
PWS-OnlineGames.a.dr!CA6559944F9F Trojan Low 25.10.2012 (Trojan/Password Stealer) !
Generic.dx!8BD479BD2D18 Trojan Low 25.10.2012
#8
Malware Information
PWS-Banker!56D48148ADF2 / Trojan / 27.10.2012 Trojan / Password Stealer
--> cheers . . .
#9
Quote:
Hi martino... what else do you wish to be read??? You do understand that this is a restricted section of the forum dedicated to cleansing of machines so there are very few that can post here. So a suggestion here to read more would mean that you are providing additional information to be read. The title of your post is: Quote:
The information provided in the body of your post does not reveal the source of the information, nor the usefulness (how is a member or visitor to apply this information or test its validity??), thus the value of the post is severely diminished!! Posts even in this section, as it is public, should be clear in their applicability and context to solving a particular issue. Perhaps you should become familiar with the Iobit forums more?
Sincerely, -Mel
Live long and prosper!
__________________
Last edited by Melvin_Deal : Oct. 27th, 2012 at 01:08.
#10
Tunneling
Tunneling is a virus technique designed to prevent anti-virus applications from working correctly. Anti-virus programs work by intercepting the operating system before it can execute a virus. Tunneling viruses try to intercept the actions before the anti-virus software can detect the malicious code. New anti-virus programs can recognize many viruses with tunneling behavior.
cheers