
Tuesday, May 19, 2009

k4l0n62.sys.vbs (autorun/VBS) virus (a.k.a W32.SillyDC, W32.SillyFDC by Symantec)

1. Introduction

This virus goes by various monikers. It is recognisable by the Indonesian text "wahai anak2 ..." appearing in the Internet Explorer window title, as shown in the sample screenshot below:

The following procedure describes how we cleaned up the effects of this virus. Our PCs are installed with Symantec Anti-Virus Corporate Edition (SAVCE), which detected and removed the virus files but did not revert the Internet Explorer window title to its default. This procedure may not apply in all circumstances; check with your anti-virus solution provider.

Useful Ref: http://virscan.org/report/0f14e9dd1094b56b076606eed159362c.html

2. Registry entries affected

Windows Registry key for the IE window title:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title = Wahai anak2 Triakti... Belajarlah yang rajin. Jangan ngebokep mulu...

In some cases, there was also an entry in the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The value was named Ageia and pointed to recycle.vbs in C:\Windows\System32, but recycle.vbs had already been removed by SAVCE.

3. Key files dropped by virus

k4l0n62.sys.vbs (can be deposited anywhere in user's folders)
recycle.vbs (normally found in C:\Windows\System32)

4. Actions taken

a. Booted up and scanned the PC with Avira, Avast and Spybot S&D from UBCD v3.50.
In some instances, trojans were reported in the Temporary Internet Files and removed by Avira. None reported k4l0n62.sys.vbs or its alias.

b. In some instances, k4l0n62.sys.vbs files were found on the PC but with ZERO bytes.
Booted up the PC normally, updated the virus signatures of Symantec AV Corporate Edition, and ran a full scan. No virus was reported.

c. Reviewed Threat History in SAVCE. Found several reports of W32.SillyDC & W32.SillyFDC infections from external drives & C: that were cleaned.

d. Configured Scheduled Full Scan in SAVCE to take place at 12pm daily.

e. Verified that the Windows Registry is configured to disable Autorun as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf - default value set to @SYS:DoesNotExist

f. Deleted the Window Title value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main so that IE displays its default title.

g. Searched the PC and ensured that k4l0n62.sys.vbs and recycle.vbs are no longer present.

h. Scanned external drives with SAVCE to ensure that W32.SillyDC/FDC and other malware are not present.
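The checks in steps e to g can be scripted so that several PCs are checked the same way. The following PowerShell script is an added example written for this page, not part of the original post or of any Symantec tool. It looks for the three leftovers described above (the hijacked IE window title value, a Run entry named Ageia or pointing at a .vbs file, and the two dropped script files, including zero-byte copies) and, with the invented -Remediate switch, removes only the Window Title value. It assumes PowerShell 2.0 or later and an administrator session.

```powershell
# Added example, not from the original post. Reports the registry and file
# leftovers of the k4l0n62.sys.vbs / recycle.vbs infection described above.
# Assumptions: PowerShell 2.0+, run as administrator; -Remediate and
# -SearchRoots are parameters invented for this example.
param(
    [switch]$Remediate,                                        # remove the IE title value if found
    [string[]]$SearchRoots = @("C:\Windows\System32", $env:USERPROFILE)
)

$findings = @()

# 1. Hijacked Internet Explorer window title (per-user value)
$ieMain = "HKCU:\Software\Microsoft\Internet Explorer\Main"
$title = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue)."Window Title"
if ($title) {
    $findings += "IE Window Title is set to: '$title'"
    if ($Remediate) {
        Remove-ItemProperty -Path $ieMain -Name "Window Title"
        Write-Host "Removed the Window Title value; IE will show its default title."
    }
}

# 2. Persistence through the machine-wide Run key (the post saw a value named Ageia)
$runKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq "Ageia" -or ($p.Value -is [string] -and $p.Value -match "\.vbs")) {
            $findings += "Run entry '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# 3. Dropped script files; -Force also shows hidden files, and zero-byte
#    leftovers (which scanners ignore) are reported with their size
$dropped = @("k4l0n62.sys.vbs", "recycle.vbs")
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    $hits = Get-ChildItem -Path $root -Recurse -Force -Include $dropped -ErrorAction SilentlyContinue
    foreach ($f in $hits) {
        $findings += "File: $($f.FullName) ($($f.Length) bytes)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No indicators found."
} else {
    Write-Host "Indicators found:"
    foreach ($line in $findings) { Write-Host "  $line" }
}
```

The script deliberately only reports the Run entry and the files rather than deleting them, so that a match on a .vbs path in the Run key (which could be a legitimate logon script) is reviewed by a person before anything is removed.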

Saturday, March 14, 2009

Check out that TinyURL before clicking on it

While URL shortening services take away the need to post an ultra-long URL link, they also create a security blind spot: you don't know where the shortened URL will lead.

Thankfully, TinyURL, the default URL shortening service used on Twitter, can be configured to show you what lies behind a TinyURL link before you are directed to the actual URL. Here's how:

1. Go to www.tinyurl.com.
2. Click Preview Feature.
3. Click "Click here to enable previews" as shown below.


Now when you click on a TinyURL link, you will be shown a preview similar to the following:

You can then decide whether it's safe to go to the actual URL.
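The preview feature works because the shortener answers a request for a short link with an HTTP redirect to the real destination. The same check can be done from the command line without opening a browser. The PowerShell function below is an added example written for this page, not code from TinyURL or from the original post; its name, Resolve-ShortUrl, is invented. It needs network access, and it assumes the shortener responds with a 3xx redirect carrying a Location header (TinyURL does).

```powershell
# Added example, not from the original post. Shows where a shortened link
# points without visiting the destination: a HEAD request with automatic
# redirects switched off stops at the first hop and returns its Location.
# Assumption: the shortener answers with a 3xx redirect; needs network access.
function Resolve-ShortUrl {
    param([Parameter(Mandatory = $true)][string]$Url)

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = "HEAD"
    $request.AllowAutoRedirect = $false   # do not follow to the target site
    $request.Timeout = 10000              # milliseconds

    try {
        $response = $request.GetResponse()
        try {
            $status   = [int]$response.StatusCode
            $location = $response.Headers["Location"]
        } finally {
            $response.Close()
        }
    } catch [System.Net.WebException] {
        return "Request failed: $($_.Exception.Message)"
    }

    if ($status -ge 300 -and $status -lt 400 -and $location) {
        return $location                  # the real destination, not yet visited
    }
    return "No redirect (HTTP $status); the link may be a direct page"
}

# Usage, with a placeholder id rather than a real link:
#   Resolve-ShortUrl "http://tinyurl.com/EXAMPLE-ID"
```

Only the first hop is shown; if the destination itself redirects again, run the function on the returned URL. A Location pointing at a bare IP address or at a domain that has nothing to do with the sender is a reason not to click.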

Have fun :)

Thomas

Monday, January 26, 2009

Countering Downadup/Conficker worm

Much has been written about the spread of the Downadup worm (aka Conficker), which reached epidemic status in mere weeks. It is estimated that 9 million PCs may have been infected by this fast-spreading worm as of last week. It uses 3 different distribution channels:

  1. It infects Windows 2000/XP/Vista PCs not patched with Microsoft security update KB958644, which was released in October last year.
  2. It tries to crack a PC's administrator password using brute force attacks; once that is done, it exploits the PC to infect it and spread the worm further.
  3. It tries to infect PCs via the Autorun feature in Windows when removable storage devices such as USB drives and cameras are plugged into a PC. Autorun is a feature in Windows which automatically loads a specified program when the storage device is opened via Windows Explorer.
Computerworld has written a comprehensive FAQ in the link above. Read it to be on the same page as security vendors in terms of what is understood about this worm. It must be mentioned that researchers are still learning about this worm and what damage it intends to inflict once infected PCs receive instructions from control servers.

In the mean time, what should you do?

  1. Ensure your PC is patched with KB958644. If not, you are encouraged to patch it and also run the January 2009 edition of Microsoft's Malicious Software Removal Tool.
  2. Change your administrator password to something a lot more complex.
  3. Disable the Autorun feature in Windows. The proper way to do this has been documented by US-CERT in this technote. In a nutshell, do this:

a. Click on this link, select Download, and save the file as "autorun.reg" in a folder of your choice. This creates a registry document for importing into your Windows registry. The registry file contains the following text (the key name and its default value are on separate lines):

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

b. Import this registry file into your Windows registry as follows:

i. Log in as the administrator of your PC. This will not work with Power User or plain User accounts.

ii. Navigate to the folder where the autorun.reg file created above resides.

iii. Double-click the file to import it into the Windows registry.

Note: if you are not logged in as administrator, you may still import the file into your registry as follows if you are using Windows XP or 2000. Vista users can only import it by logging in as the PC's administrator and using the procedure above, as the import requires an elevation of privileges.

- Click Start - Run

- Type cmd and click OK to open a command prompt

- Type runas /user:<your admin user> "regedit /s <folder where autorun is saved>\autorun.reg" and press ENTER.

Replace the values in <> with those applicable to your PC, e.g. runas /user:myadmin "regedit /s c:\data\autorun.reg"
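The same Autorun.inf mapping that the .reg file above creates can be written and verified directly, which is handy when checking more than one PC and avoids the problem of a silently failed import. The script below is an added example written for this page, not from US-CERT, Microsoft or the original post. It assumes PowerShell 2.0 or later (Get-HotFix is not available in 1.0), an administrator session, and that KB958644 shows up in the installed update list under that id; the function name Set-AutorunInfMapping is invented.

```powershell
# Added example, not from the original post. Applies the US-CERT Autorun.inf
# IniFileMapping setting (the same value the autorun.reg file sets), reads it
# back, and checks whether the KB958644 update is installed.
# Assumptions: PowerShell 2.0+ (for Get-HotFix), administrator session;
# Set-AutorunInfMapping is a function name invented for this example.
function Set-AutorunInfMapping {
    $key      = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
    $expected = "@SYS:DoesNotExist"

    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null           # key does not exist by default
    }
    # The key's default value appears as "(default)" in the registry provider
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue)."(default)"
    if ($current -ne $expected) {
        Set-ItemProperty -Path $key -Name "(default)" -Value $expected
        Write-Host "Autorun.inf mapping set to $expected"
    } else {
        Write-Host "Autorun.inf mapping already set"
    }
    # Read back rather than trusting the write; $true only if the value stuck
    return ((Get-ItemProperty -Path $key)."(default)" -eq $expected)
}

# Writing under HKLM needs administrator rights (see the runas note above)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "Run this from an administrator session."
    exit 1
}

if (Set-AutorunInfMapping) {
    Write-Host "Autorun disabled: Autorun.inf files are mapped to a non-existent section."
} else {
    Write-Warning "Autorun.inf mapping could not be verified."
}

# The first distribution channel above is the unpatched MS08-067 hole; confirm the fix is present
$fix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
if ($fix) {
    Write-Host "KB958644 is installed (on $($fix.InstalledOn))."
} else {
    Write-Warning "KB958644 NOT found; install it before anything else."
}
```

Reading the value back matters: the runas variant of the import above runs regedit with /s (silent), so a failed import produces no error message, and a verification step is the only way to know the mapping is really in place.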

May God bless you.

Thursday, May 22, 2008

Antivirus on the go - ClamWin on CD

I have been searching for a neat CD-based antivirus scanner that's easy to carry around to scan and clean infected PCs. Came across ClamWin (v0.93 as of this post) which seems to fit my needs. Creating a portable CD for ClamWin is easy; using it is not so straightforward.

1. Refer to http://www.clamwin.com/content/view/118/89/ for instructions on creating the CD. You may use the manual method or the pre-built files from Portableapps.com. For Portableapps, refer to http://portableapps.com/support/clamwin_portable#cd

2. Both the manual method and the pre-built files from portableapps.com prompt for the virus definitions database upon starting. It appears that copying the files to CD somehow alters the File Locations in the preferences.

3. To use ClamWin, when you are prompted that the virus definitions database is not found and asked whether you want to download it, select No. Then go to Tools-Preferences-File Locations and set all locations to the drive letter of the CD-ROM drive.

For ClamWinPortable, the locations are:
D:\ClamWinPortable\App\clamwin\bin for the first 2 locations, and D:\ClamWinPortable\Data\db for the virus definition location.

For the manual method, the locations are:
D:\ClamWin\bin for the first 2 locations, and
D:\ClamWin\db for the virus definition location.

Note: If you are prompted that ClamAV is not configured and asked whether you want to configure it, select Yes. Then fill in the file locations above, and also the locations for the Reports (use the default shown in the prompt).
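Because the problem is only that the stored File Locations no longer match the CD's drive letter, the GUI can be bypassed altogether by calling the scanner with an explicit database path. The script below is an added example written for this page, not part of ClamWin or of the original post. It assumes the manual-method layout from step 3 (<cd>\ClamWin\bin and <cd>\ClamWin\db), that the bin folder contains ClamAV's clamscan.exe, and that the CD is the first CD-ROM drive found; the $layout variable is this example's own.

```powershell
# Added example, not from ClamWin or the original post. Runs the scanner on
# the CD with the signature database given explicitly, so the broken
# File Locations preference and the download prompt never come into play.
# Assumptions: manual-method layout (<cd>\ClamWin\bin, <cd>\ClamWin\db) and
# clamscan.exe in the bin folder; for ClamWinPortable adjust $layout to
# ClamWinPortable\App\clamwin\bin\clamscan.exe and ClamWinPortable\Data\db.
param(
    [string]$Target  = "C:\",
    [string]$LogFile = (Join-Path $env:TEMP "clamwin-cd-scan.log")
)

# Locate the CD-ROM drive (DriveType 5) instead of hard-coding D:
$cd = Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 5" | Select-Object -First 1
if (-not $cd) { Write-Error "No CD-ROM drive found"; exit 1 }

$layout = @{
    Scanner  = Join-Path $cd.DeviceID "ClamWin\bin\clamscan.exe"
    Database = Join-Path $cd.DeviceID "ClamWin\db"
}
foreach ($path in $layout.Values) {
    if (-not (Test-Path $path)) { Write-Error "Missing on CD: $path"; exit 1 }
}

# --database: use the signatures on the CD   --recursive: walk the target
# --infected: list only hits                  --log: keep a report off the CD
& $layout.Scanner "--database=$($layout.Database)" "--recursive" "--infected" "--log=$LogFile" $Target

$code = $LASTEXITCODE          # clamscan exit codes: 0 clean, 1 infected, 2 error
switch ($code) {
    0       { Write-Host "Scan finished: no infected files. Log: $LogFile" }
    1       { Write-Warning "Scan finished: infected files found, see $LogFile" }
    default { Write-Warning "clamscan returned error code $code, see $LogFile" }
}
exit $code
```

The log goes to the local temp folder because the CD is read-only; the same holds for the signatures, which is why this approach can only scan with the definitions that were burned, a point worth remembering when the CD is a few weeks old.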

Wednesday, January 11, 2006

The other vulnerability besides WMF

Be sure to patch a critical vulnerability as outlined in Microsoft Security Bulletin MS06-002. In layman's terms, this vulnerability allows programs and commands to be run on your PC if you happen to visit a website designed to exploit it or if you open a specially crafted email.

As highlighted before in an earlier post, be sure not to log in as Administrator in your day-to-day use of the PC. This will limit the maximum damage that can be inflicted by such vulnerabilities.

Category: c4e1_scty

Friday, January 06, 2006

Latest: Microsoft patch for WMF image vulnerability just released

Check out the patch from Microsoft for the vulnerability I wrote about in a previous post. If you have de-registered Shimgvw.dll, be sure to re-register it as described in the same post above before you apply the update.

For those who are keen to know what this vulnerability is all about, check out this interview with Ilfak Guilfanov, one of the first to come up with a fix for this vulnerability. I am not endorsing this fix as it lacks support from Microsoft, but the interview sheds light on how the vulnerability can be exploited as well as touches on Data Execution Prevention, which is another layer of protection that can be enabled on XP with SP2.

Category: c4e1_scty

Wednesday, January 04, 2006

Watch out for Microsoft WMF Patch

Hold your breath...Microsoft is finally issuing a patch for the WMF vulnerability which I wrote about here. According to just-updated Microsoft Security Advisory, the patch will be released on Tuesday, January 10, 2006.

If you have not turned on Automatic Updates on your Win XP/2000, please do so. Many exploits of this vulnerability have surfaced in the wild.

PS. For those who have followed the suggestion from Microsoft to de-register Shimgvw.dll, remember to re-register it before applying the patch. The procedure to re-register is as follows:

Click Start, click Run, type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

Category: c4e1_scty

Saturday, December 31, 2005

Beware of Windows Metafile exploit (WMF)

A recently discovered vulnerability in the Windows Metafile (WMF) data format is increasingly being exploited to target unsuspecting users. An article in eWeek warns of adware makers exploiting banner ads to download adware onto PCs visiting sites that show these banners.

For the layman, what this means is that you should:
  • Avoid opening, viewing or saving file attachments (received via email, Instant Messaging, or from the Web) ending with WMF, JPG, TIF, PNG, etc. WMF files named with other extensions can just as well deliver malicious code which can in turn execute commands on your workstation. In general, avoid clicking on unsolicited and untrusted links.
  • Avoid browsing unknown, new, or untrusted websites, as a web page loaded with a specially crafted WMF file can exploit this vulnerability as well.
  • It has been reported that this affects Internet Explorer as well as Firefox, and Windows machines with the latest security updates.
  • Don't rely solely on updated signatures from anti-virus software providers, as this vulnerability can be exploited by malicious code faster than AV providers can update signatures to identify and block it.

For technical details on this vulnerability, please refer to this note from SecurityFocus.
Microsoft has issued an advisory, but apart from informing you, no patch or solution is provided. IMHO, a solution will have to come in the form of a security update for IE and Windows to block this exploit.

category:c4e1_scty

Thursday, December 22, 2005

Maximum Internet Safety with Microsoft Internet Explorer

With all the online threats such as viruses, spyware, adware and phishing scams lurking somewhere on the internet, you want to steer clear of them as much as you can. What can you do to ensure a safe and worry-free internet surfing experience? Here are some tips to keep you safe if you are using Microsoft Internet Explorer (v6 or later) like me.

1. Ensure that your IE is updated with all critical and important security patches. If you are using Microsoft Windows XP or 2000, ensure that Automatic Updates under Control Panel is set to Automatic (Recommended) and not turned off. To verify that you have the latest patches installed, go to Add or Remove Programs under Control Panel, ensure the Show Updates box is checked, then compare the most recently installed patches with those on Microsoft's current Security Bulletin at http://www.microsoft.com/technet/security/current.aspx

2. Set maximum security on the Restricted Sites zone in IE (the easiest way to do this is to click Tools-Internet Options-Security-Restricted Sites-Custom Level-Reset to High, then disable everything except the Pop-up blocker and set Software Channel Permissions to High Safety) and add restricted sites to it. You can add a huge pool of restricted sites to IE via SpyAD. Or, if you prefer to review the restricted sites and customize them before adding them to IE, you can use the freeware ZonedOut to import sites from http://www.mvps.org/winhelp2002/hosts.htm. If you would like a ready-made text list based on the list at MVPS.org for importing into ZonedOut, get it here.

3. For the Internet zone, use Custom Level, reset to High, then set Scripting - Active Scripting AND Scripting of Java Applets to Prompt if desired.

4. Ensure that you have resident anti-virus and anti-spyware scanning in place. If you are a Home User looking for a free anti-virus and anti-spyware solution, I use AVG Anti-virus (get it here http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5) and Microsoft Anti-Spyware (beta) (get it from www.microsoft.com). Aside from resident scanning, ensure that you schedule a complete system scan at least once a week.

5. Ensure that you have firewall software for your internet connection. If you are a Home User looking for a free software firewall, I use ZoneAlarm (get it here http://download.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_61_737_000_en.exe). I set most programs to prompt for access to the internet, including Outlook Express. If you are new to this software, you can drop me a note, and I will answer you as soon as I can.

6. If you prefer to use Windows Firewall, then ensure that you turn it on from Control Panel, and be selective about what exceptions you allow. A firewall is useless if it permits all kinds of access from the Internet.

7. Ensure that you update all internet-based applications with the latest patches, such as Java Runtime Environment, Flash/Shockwave Players, all media players (Windows, Real, QuickTime). A good place to get news on security updates is Secunia Advisories at http://secunia.com/
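Tip 2 relies on tools such as SpyAD and ZonedOut to bulk-load domains into the Restricted Sites zone. What those tools do underneath is write to the ZoneMap section of the registry that IE reads, which can also be scripted. The PowerShell script below is an added example written for this page, not code from ZonedOut, SpyAD, MVPS or the original post. It reads a hosts-file style block list (the format the MVPS list uses), skips loopback entries, and adds each host to the Restricted Sites zone (zone 4) for the current user. It assumes IE 6 or later on XP/2000, and it splits host names into the last two labels plus a prefix, which is how IE's own dialog stores them; the sample lines are constructed and the function names are this example's own.

```powershell
# Added example, not from the original post or from ZonedOut/SpyAD. Imports a
# hosts-file style block list into IE's Restricted Sites zone by writing the
# ZoneMap entries IE reads. Assumptions: IE 6+, per-user (HKCU) change;
# sample lines below are constructed; function names are invented here.
param([string]$HostsFile)

# Zone numbers used by Internet Explorer: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
$RestrictedZone = 4
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

function Add-RestrictedSite {
    param([string]$HostName)
    $labels = $HostName -split "\."
    if ($labels.Count -gt 2) {
        # IE stores ads.example.com as Domains\example.com\ads. Taking the last
        # two labels is a simplification; it mis-splits suffixes such as co.uk.
        $domain = $labels[-2..-1] -join "."
        $prefix = $labels[0..($labels.Count - 3)] -join "."
        $key = Join-Path (Join-Path $zoneMap $domain) $prefix
    } else {
        $key = Join-Path $zoneMap $HostName
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # A value named "*" applies the zone to every scheme (http, https, ...)
    Set-ItemProperty -Path $key -Name "*" -Value $RestrictedZone -Type DWord
}

function Get-BlockedDomains {
    param([string[]]$Lines)
    $domains = @()
    foreach ($line in $Lines) {
        $line = ($line -split "#")[0].Trim()                  # strip comments
        if ($line -eq "") { continue }
        $parts = $line -split "\s+"                           # "<address> <host>"
        if ($parts.Count -lt 2) { continue }
        $name = $parts[1].ToLower()
        if ($name -eq "localhost" -or $name -match "^[\d.]+$") { continue }  # keep loopback out
        if ($domains -notcontains $name) { $domains += $name }
    }
    return $domains
}

if ($HostsFile) {
    $lines = Get-Content $HostsFile
} else {
    # Constructed sample in MVPS hosts-file format, for demonstration only
    $lines = @(
        "# sample block list (constructed)",
        "127.0.0.1 localhost",
        "0.0.0.0 ads.example.invalid   # comment after entry",
        "0.0.0.0 tracker.example.invalid",
        "0.0.0.0 ADS.EXAMPLE.INVALID"
    )
}

$domains = Get-BlockedDomains -Lines $lines
foreach ($d in $domains) { Add-RestrictedSite -HostName $d }
Write-Host "Added $($domains.Count) host(s) to Restricted Sites: $($domains -join ', ')"
```

With the constructed sample the script adds two hosts (the duplicate differing only in case is collapsed, and localhost is skipped). Review the list before importing it, as tip 2 suggests: anything placed in the Restricted Sites zone gets the settings from that zone, including disabled scripting, so a wrongly listed site will appear broken rather than blocked.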

category:c4e1_tips

Saturday, December 17, 2005

Best Home Computing Practices

Human beings are the weakest link in today's IT age. No matter how well-fortified your PC is, a leaked password or a thoughtless software installation can still do much harm. Hence, think about how you use your PC day to day. The following best practices can help you enjoy a better experience with your Windows-based PC.

  1. Be selective about what links you click on the web, in email, or those received via an Instant Messaging client (such as Yahoo!, MSN Chat and ICQ), even those from trusted sources. Some links are used by viruses or phishers to exploit security vulnerabilities and compromise your PC. When in doubt, always check with the senders about links received in emails or instant messaging chat sessions.
  2. Don't respond to every email or instant message requesting you to click on links to update profiles, especially user IDs and passwords. Update your profile directly on the organization's website if you must.
  3. Don't click on links without a domain name (e.g. http://203.xxx.xxx.xxx). These privately hosted servers may contain virus code waiting to be unleashed on unsuspecting visitors.
  4. Don't launch file attachments received in email or found on websites without first saving them to a folder and then scanning them with anti-virus and anti-spyware (updated with the latest engines and signatures). If any spyware or virus is found, delete the file and avoid opening it, ever.
  5. Be selective about what information you send over the web. Do not send private information over normal http connections. If you must transact or submit private information, use only sites that support SSL connections (the https protocol), and only do such business with reputable organizations. Check internet forums for scams related to any suspected organizations.
  6. Be selective about what software you install on your system. Shareware or freeware may come with adware, spyware or other malicious software. Check with other users in forums before installing any software. Make it a practice to create a System Restore point before installing any software (including drivers) or updating any Windows registry settings. You can do this from Programs-Accessories-System Tools-System Restore and select to create a restore point.
  7. Always use a Windows account that's below Administrator for day-to-day use, including internet surfing. Using an administrator account for all activities allows a virus or malicious code to wreak maximum havoc on your system. With a Power User or Limited User account, you are already limiting the potential damage caused by any malicious code.
  8. Finally, data backup is a good practice that's still relevant. I back up all my mails and critical data files to CD monthly. You may back up to thumb drives and have it scheduled automatically. You may also use free webmail services such as Gmail or Yahoo to store data files (recommended to be encrypted or ZIPped with a password before uploading; or avoid storing private and confidential data altogether). Or, if you are willing to pay, there are online storage services that you can subscribe to. No matter what, ensure that your PC's recovery CD is always within reach as the last resort of having to re-install a crashed PC.

category:c4e1_security, c4e1_tips