Kama Sutra Worm Set to Explode Make Sure You Are Clean

As I mentioned earlier this week the Kama Sutra worm is set to explode and by the most conservative estimates 300 - 400,000 users worldwide are going to lose all their documents ands important data. Approximately 30 minutes after starting the machine the worm will begin to overwrite existing document, PowerPoint, access, jpg, and other file types.

Microsoft has updated http://safety.live.com to detect and remove this worm, so take a moment and scan your system to make sure you are clean. If you prefer to download a tool to remove this virus then grab the symantec one from this website:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html

Ultimately even if you know beyond a shadow of a doubt you are clear of this worm you should back your document files, and archives up just to be sure. If something happens these files will be corrupted beyond recovery and that could cause many problems for both business and personal computer users. So take a moment update your anti-virus scan your computer, or use the free tools above in any case it is better to be safe then sorry.

Kamasutra Worm Manual Removal

To remove kamsutra worm/nyxem manually:

Using my SSQKit kill the following processes (double click each to autofind and add to the delete queue)

movies.exe
new winzip file.exe
rundll16.exe
scanregw.exe
update.exe
winzip.exe
winzip_tmp.exe
zipped files.exe
[randomname].exe 'This will be a randomly named exe ie. waflksdfsdj.exe

Next copy the following and paste in notepad and save as killkw.reg

REGEDIT 4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScanRegistry]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\096EFC40-6ABF-11CF-850C-08002B30345D]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\190B7910-992A-11CF-8AFA-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\2C49F800-C2DD-11CF-9AD6-0080C7E7B78D]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\4250E830-6AC2-11CF-8ADB-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\4D553650-6ABE-11CF-8ADB-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\556C75F1-EFBC-11CF-B9F3-00A0247033C4]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\57CBF9E0-6AA7-11CF-8ADB-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\5F54E750-CE26-11CF-8E43-00A0C911005A]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\6FB38640-6AC7-11CF-8ADB-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\72E67120-5959-11CF-91F6-C2863C385E30]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\78E1BDD1-9941-11CF-9756-00AA00C00908]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\7C35CA30-D112-11CF-8E72-00A0C90F26F8]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\899B3E80-6AC6-11CF-8ADB-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\9E799BF1-8817-11CF-958F-0020AFC28C3B]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\B1EFCCF0-6AC1-11CF-8ADB-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\BC96F860-9928-11CF-8AFA-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\DC4D7920-6AC8-11CF-8ADB-00AA00C00905]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\E32E2733-1BC5-11D0-B8C3-00A0C90DCA10]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses\F4FC596D-DFFE-11CF-9551-00AA00A3DC45]

Finally using the ssqkit find and delete the following files from the

%systemroot%\system32 folder on most systems it will be c:\windows\system32\

movies.exe, new winzip file.exe, scanregw.exe, update.exe, winzip.exe, winzip_tmp.exe, zipped files.exe, [randomname].exe, sample.zip

Next using ssqkit delete from the %systemroot% folder on most systems it will be c:\windows\

rundll16.exe

After you are all done restart your computer and once satisfied delete the backed up files from c:\killit

Kamsutra BlackWorm Nyxem First Reports of Damage

F-Secure is reporting the first cases of damage to files and lost data due to the Kamsutra BlackWorm Nyxem virus as I reported yesterday if you are infected and don't clean your system you will lose files. Since the the worm is triggered by the internal clock on the computer this could happen at any time if you don't have your clock set correctly. F-Secure is offering a free removal tool to allow users to remove the virus from an infected system independant of any anti-virus or security suites which may have been compromised. So do yourself a favor download and run their tool it won't hurt anything and it is better to be safe then sorry.

Removal tool
Required virus definitions for the tool

F-Secure : News from the Lab

February 3rd is Almost Here - Scan your computer now!!

If you haven't yet please take a moment and scan your machine to make sure you are clean of the nasty kama sutra worm aka the blackworm I wrote about earlier. February 3rd is the day this nasty will attempt to overwrite documents and files of pdf, xls, doc, and etc.. given that the value of most computing systems is in the data they hold this makes it paramount that we as users take this threat seriously. So if you haven't already go update your anti virus software and scan your computer for viruses and then to be doubly sure head over to:

http://houcall.trendmicro.com

Or

http://safety.live.com/site/en-US/default.htm

Run the online scan just to make sure you security software was not compromised as this software while remaining does disable and compromise certian key elements of commercial anti-virus and security products.

http://isc.sans.org/diary.php?storyid=1067

Manual Removal for the Technically Inclined

http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm

Kama Sutra Goes WMD

Be careful when covertly checking those naughty spam mails one might really bite you.  A new worm that exploits human behavior to open emails carrying the promise of the obscene or titillating (depending on your point of view) and will if executed corrupt files of the .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, or .dmp type with the garbage data on the third day of the month.

While viruses destroying files is nothing new, what is scary is the way it does it. Rather than simply deleting the file which could allow for recovery the Kama Sutra worm writes over the files to make them unrecoverable. This could affect business and individuals dramatically should they not have backups. So what should you do?

First off be aware, the virus arrives in the form of an e-mail porn with a subject line of "Arab sex," "give me a kiss," "Hot Movie," and "F***** Kama Sutra pics." Once executed the worm attempts to delete various anti-virus and firewalls software and then spread through mass-mailing and local and network folder shares. So if you are running a computer on a network and have your firewall disabled, enable it, and should you see any free porn in the in-box delete it.

Symantec Antivirus Vulnerable When Scanning RAR Files

Owners of Norton and Symantec products excluding Symantec Corporate versions 8 & 9, Symantec Client Security, Enterprise Firewall, Clientless VPN Gateway 4400 series, Firewall/VPN Appliance, and Gateway Security 300/400 series are vulnerable when decompressing RAR Files.

Due to the way these products decompress RAR files a user's system could be controlled remotely through a worm or virus hidden within a RAR file. A RAR file is an archive much like a zip file in that the data is compressed thereby making it easier for large amounts of and is popular on P2P networks and Usenets due to the way it can broken into multiple parts and reassembled.

According to Symantec there are no documented viruses or worms exploiting this but given the popularity of the Anti-virus platform and RAR files it is only a matter of time. The default configuration of Symantec Anti-Virus is to scan all incoming email makes it likely that this vulnerability could be exploited without any action from the user. Therefore until a solution is released it is advisable that users of these products do not scan RAR files delete the attachment if you are not sure of the user but do not scan the file. If you are unsure how to do this please ping me on yahoo or send me an Email and I will be happy to help unfortunately due to the number of affected products I can not post walk-throughs for each.

Affected Products

Product	Version
Norton AntiVirus for Microsoft Exchange	2.18
Symantec Mail Security for Microsoft Exchange	4.0
	4.5
	4.6.3
Symantec AntiVirus/Filtering for Domino NT	3.1
Symantec Mail Security for Domino NT	4.0
	4.1.4
Symantec AntiVirus/Filtering for Domino Ports	3.0.11
Symantec AntiVirus Scan Engine	4.1.8
	4.3.12
Symantec AntiVirus for MS ISA	4.3.12
Symantec AntiVirus for MS Sharepoint	4.3.12
Symantec AntiVirus for Messaging	4.3.12
Symantec AntiVirus for NAS	4.3.12
Symantec AntiVirus Scan Engine for NetApp Filer	4.0
	4.3
Symantec AntiVirus Scan Engine for NetApp NetCache	4.0
	4.3
Symantec AntiVirus Scan Engine for Bluecoat	4.0
	4.3
Symantec AntiVirus for Clearswift	4.3.12
Symantec AntiVirus Scan Engine for Caching	4.3.12
Symantec AntiVirus for SMTP	3.1
	4.1.9
Symantec Client Security	3.x
Symantec Web Security	3.0.1
Symantec BrightMail AntiSpam	5.5
	4.0
Symantec Gateway Security 5000 Series	3.0
Symantec Gateway Security 5400 Series	2.0
Symantec Gateway Security	1.0
Symantec Norton Anti-virus for Macintosh Corporate Edition	9.0
Symantec Mail Security for Microsoft Exchange	5.0
	4.6
	4.5
	4.0
Symantec AntiSpam for SMTP	3.1
Symantec AntiVirus/Filtering for Domino NT	3.1
Symantec Mail Security for Domino	4.0
	4.1
Symantec AntiVirus/Filtering for Domino Ports	3.0
Symantec Scan Engine	5.0.1 and earlier
Symantec AntiVirus Scan Engine	4.3
Symantec AntiVirus Scan Engine for ISA	4.3.X
Symantec AntiVirus Scan Engine for Netapp Filer	4.3.X
Symantec AntiVirus Scan Engine for Netapp NetCache	4.3.X
Symantec AntiVirus for Caching	4.3.12 and earlier
Symantec AntiVirus for Clearswift	4.3.12 and earlier
Symantec AntiVirus Scan Engine for Microsoft Portal Server	4.3.X
Symantec AntiVirus Scan Engine for Bluecoat	4.3.X
Symantec AntiVirus Scan Engine for Filers	4.3.X
SharePoint Portal Server 2003
Symantec AntiVirus for SMTP	3.1
	4
Symantec Mail Security for SMTP	4.0
	4.1
Symantec Web Security	3.01x
Symantec BrightMail AntiSpam	6.0
	4.0
	5.5
Symantec AntiVirus Corporate Edition	10
Symantec Norton AntiVirus	7.6
Symantec I-Gear
Symantec AntiVirus for HandHelds - Corporate Edition
Symantec Client Security for Nokia

Consumer Products

Product	Version
Symantec Norton Anti-virus	2006
	2005
	2004
Symantec Norton Internet Security Professional	2006
	2005
	2004
Symantec Norton System Works	2006
	2005
	2004
Norton Personal Firewall	2006
	2005
	2004
Symantec Norton Anti-virus for Macintosh	9.x
Symantec Norton Internet Security for Macintosh	3.x
Symantec Norton System Works for Macintosh	3.x
Symantec Norton Anti-virus for Macintosh	7.x
Symantec Norton Anti-virus for Macintosh	8.x
Symantec Norton Internet Security for Macintosh	2.x
Symantec Norton System Works for Macintosh	7.0
Symantec Norton Anti-virus for Macintosh	9.x
Symantec Norton Internet Security for Macintosh	3.x
Symantec Norton System Works for Macintosh	3.x
Symantec AntiVirus for Handhelds	All

Link: SecurityFocus.

Link: Symantec Advisory

Santa Worm Brings Rootkits not Gifts this Holiday Season

Imlogic.com is reporting a new worm outbreak call IM.GiftCom.All that effects users of AIM, ICQ, MSN, and Yahoo Messenger clients. The worm spreads by broadcasting an Internet address to IM users the address maybe something like http://www.santas.com/gift.com when a user clicks it they are instead of visiting a website downloading a .com file which is a dos or command prompt executable containing a root-kit.

The root-kit hides itself from detection and deletion while monitoring the users activities via a key-logger . In addition to tracking user activities and monitoring the registry and Internet Explorer the IM.GiftCom.All also makes several attempts to connect various servers on the Internet and spread to other users in the infected users IM address book.

Prevention steps include upgrading your Instant Messenger client software to the latest version. Installing a firewall that includes content filtering and blocking the .com file extension or enabling content filtering in your Internet Messaging software.

First MSDTC exploiting Malware hits the net

FPROT posted in their blog earlier today that two attempts to exploit the Microsoft Windows Distributed Transaction Coordinator (MSDTC) have hit the nets these attempts are called Dasher.A and Dasher.B. Both attempts have been thus far unsuccessful. FPROT cites weak coding and server problems for the central distribution server as the primary reasons why this Malware has failed to spread. This could be the precursor to another Internet worm that effects a large number of systems simply because they are not patched. The only saving grace is that many systems will not have this service enabled and thereby are not vulnerable by default. Microsoft has issued a patch to fix this issue with all effected systems and is urging users to update as soon as possible. Bottom line if you are running Windows 2000 this primarily effects you as this service is enabled by default on Windows 2000 systems running SP 0 - 4, if you are not running Windows 2000 you should still patch because this could be a good exploit for a blended threat.

Link: F-Secure : News from the Lab.

Fake Notice from McAfee tries to trick you into downloading a virus

FPROT is reporting that they have seen an increase in emails warning of a fake virus called "Kongo31.XRW" and urges the email reader to click a link to update their McAfee virus definitions.

When they click the link they are redirected to a site called McAfee-Center which is not affiliated with McAfee. The site then attempts to download a file called ak26xrw-patch-installer-win32.exe is itself a virus.

If you are prompted by an email to follow a link to update your virus definitions don't do it. Instead either go through the program to update or barring that go to the website by typing it in the address bar.

To perform an update of McAfee from within the program follow the instructions below:

1.       First Double-click the  icon by your system clock in the lower right corner of your screen.

When the McAfee SecurityCenter window appears.

2.       Click Updates.

When the McAfee Security Center Updates window appears

.     3.       Click the Check Now button.

4.       If there are no updates then you will be notified simply click Ok you don't need to go any further.

5.       If an update is available, click the Next button to download it and then follow the Wizard after your done you may need to restart but you will be up to date.

Link: F-Secure : News from the Lab.