Computer security news sources are announcing a relatively new trojan named Daonolfix, which spreads on forums, could potentially be devastating to a multitude of computers.

Daonolfix belongs to the Win32/Daonol of Infostealer.Daonol family of Trojans and spreads quickly through network and Internet. It is able to control network traffic, steal FTP credentials, prevent access to security Web sites, disable access to system programs and redirect Internet searches to websites which host other viruses from the affected computer.

Daonolfix hasn’t been as active as it is now for a while but has tried its recurrence which can slow network traffic and corrupt a user’s data throughout FTP Transmission. The Trojan is able to avoid the anti-virus software without being detected by copying itself. When the anti-virus software fails, Daonolfix attracts more malicious scripts and badware from the web, thus making the effected machine prone to other attacks.

Daonolfix saves to the “%System%\sqlsodbc.chm” file. The original “%System%\sqlsodbc.chm” file is overwritten. The Trojan may also try to download files on to the vulnerable computer. When executed, the Trojan copies itself as the particular file location: “%CurrentFolder%\[PARENT FOLDER]\[8 RANDOM CHARACTERS].[3 CHARACTERS]“. “[PARENT FOLDER]” denotes the folder one level higher in the file system tree. For instance, if the original threat executable is “%SystemDrive%\Documents” and “Settings\Administrator\[ORIGINAL FILE NAME].exe” it will copy itself to “%SystemDrive%\Documents and Settings\[8 RANDOM CHARACTERS].[3 CHARACTERS]“. The Trojan will try to delete itself if a URL that includes the DaonolFix string is accessed.

The Daonolfix trojan is found to be difficult to remove by anti-virus software as it recreates itself when deleted by standard anti-virus software. To prevent Daonolfix Trojan, users are recommended to use a firewall to prevent access or infiltration of their system.

Trojan.Ramvicrype has uncommon “Trojan behavior” because it encrypts data files on the compromised computer but does not ask the user to visit a Website to get the solution to decrypt the data. This particular Trojan renames the files with a new ‘vicrypt’ extension which is rather unheard of from other well-known Trojan parasites.

Trojan.Ramvicrype looks for links in the “Recent” folder in Windows and renames all the files in the particular folders that are pointed to by links and encrypts the head section of each file. This will in return lock the affected files. After that, Trojan.Ramvicrype shows the following security notification:

‘Vicrypt error! Please Restart Windows’.

Unlike other malicious software that we have seen in the past, Trojan.Ramvicrype doesn’t require purchase to get the parasite to decrypt the keys. Trojan.Ramvicrype assumes that the user of a vulnerable computer is going to look for information for helping them to unlock the files. The search usually leads to a deceitful company which provides a malware removal tool but requires a payment for obtaining the software program.

You may be asking, what happens after Trojan.Ramvicrype has infected a computer system and locked multiple files? If a file in the Windows system folder has been opened recently, then all the files in the system folder will be encrypted and the user may not be able to access the Internet to search for any tools, free or shareware versions.

The solution to this issue is utilizing a tool which can be used to fix this security issue instead of manual removal of each infected file. Users are strongly recommended to a reputable spyware removal tool to safely remove the Trojan.Ramvicrype parasite as to not cause any further damage to system files.

Zbot Trojan, or known as Zeus, has been around since the year 2006 where it was spread through spam messages that claimed to be a Microsoft Outlook critical update. A new study, taken place just recently of 10,000 computers infected with Zbot that had a majority running an up-to-date antivirus program, revealed that the antivirus programs only detected Zbot about 23 percent of the time.

In the study conducted by Trusteer, a security research firm, it was determined that no specific antivirus application had an advantage over one another in detecting and removing Zbot. Basically, Zbot is able to evade antivirus programs 77 percent of the time.

Security researchers believe that Zbot is able to go undetected because it uses a sophisticated morphing and rootkit method that allows it to penetrate deep into an operating system. It has been noted that we are seeing a rising number of parasites that use rootkit tactics to mask themselves or hide from security programs.

Although this study conducted does not verify that all parasites that use rootkit tactics will go undetected by security programs, it reemphasizes how hackers are developing more intelligent ways to spread infections.

Do you feel that hackers have an advantage over the makers of security programs such as antivirus applications?

Swine flu has gotten us all a little anxious. Maybe even a little paranoid. Was the man who sneezed next to me on the bus infected? Am I infected? I do feel a little head sore coming on. Regardless, Influenza H1N1 is not the life-threatening plague many might make it out to be.

The same, however, cannot be said for those malware authors out there now seeking to take advantage of the global panic surrounding this illness. These people are a different kind of plague, though, one that is more of an annoyance than life-threatening.

A recent scheme employed by these cybercriminals is the scenario they have managed to construct in their latest spam run. An email message typically informs you that the President of Peru, Alan Gabriel Ludwig García Pérez, and others who attended the delegation of UNASUR (Union of South American Nations) summit, have been infected with Swine flu.

And if this little morsel of information wasn’t juicy enough, the spam message continues by stating that the incident is being kept from the public. Is it a conspiracy? Well, that’s certainly worth further investigation. Peaking your curiosity is what these con-artists are aiming for, to such a degree that you might just leave common sense aside and click the malicious link provided in the email.

This link, purported to contain the audio news report regarding the incident, is nothing more than a one way ticket to opening and executable file – Alan.Gripe.Porcina.mp3.exe, one that has been detected and named TSPY_BANCOS.AEM. This is a Trojan known for gathering up personal and financial information from a system, and then sending this data to a remote server using HTTP POST.

So, while we are all a little uneasy about the Influenza H1N1 epidemic, we should never let our fear, or even our curiosity, get the better of us. Any email message you receive that comes from an unknown source should be deleted immediately, no matter how juicy the reports might be.

As with any new and promising technology, there comes the inevitable promise that it will become the target of malicious code authors. Such is the case with the transmission technology for delivery of voice communications over IP networks, such as the Internet or other packet-switched networks, more commonly known as Voice over IP (or VoIP).

With VoIP gaining more and more popularity, it should be no surprise that eventually there would be a malware targeting this impressive form of communication. In just this past week alone we have seen the arrival of a Trojan horse called Trojan.PeskySpy. This new trojan is specifically designed to target Skype VoIP communications.
How it works is that Trojan.PeskySpy will create an MP3 of a voice call and later transmit this from the infected computer, to an unauthorized user at a remote server. Mp3 files, as you already may know, are relatively small files. Not many computer users would notice the creation of one additional mp3 file. An explanation of what exactly is happening was offered by Symantec reading the following:

“What this threat is doing is actually grabbing the sound coming from the audio devices plugged into the computer. It does this by hooking various Windows API calls that are used in audio input and output. It then is able to intercept all audio data traveling between the Skype process and the underlying audio device. The extracted audio data is then saved to .mp3 files and stored on the computer.”

Researchers were quick to point out, however, that the existence of this new “wiretap Trojan” isn’t due to any problems with Skype itself. In this instance, Skype is a target mainly to due it’s popularity. It is one of the most used VoIP applications available. More than likely we will be seeing this kind of threat in the future, targeting other VoIP applications.

As alarming as this news might seem, security researchers continue to downplay the immediate danger. Some security research firms have commented on the situation to say that it doesn’t see this particular attack gaining much of a foothold in the real world, and Trojan.PeskySpy does not appear to contain any method by which it can spread from one computer to another.

What should be made aware is that, in the future, we will probably be seeing variations on this Trojan theme. Keeping this in mind, it is recommended that you simply continue to employ the same protection you have always used against malware. Namely, keeping all software applications up-to-date and utilizing either an antivirus or antispyware application to detect and remove threats such as Trojan.PeskySpy.

An email has been discovered that appears to have come from CNN News that seems to contain news about Israel’s bombardment of Gaza. Within the body of the email is supposed to be a link to a graphic video of Al Jazeera English Report related to the news. As you can probably guess, the link does not go to an actual video but goes to a phishing site that looks like a CNN web page. On the page is a “click to play” icon where an error message popups up if it is clicked on. The message asks that you “Please Download correct Flash Movie Player!”. As we know from old CNN.com malspam attacks, a message like this will result in the download of a fake Flash player file which contains malware. The file was identified as “Adobe_Player10.exe”.

The Adobe_Player10.exe file was detected by security researchers as TROJ_DLOADR.QK which is a Trojan that has the ability to connect to another URL which may be detected as TROJ_INJECT.ZZ.

The second trojan infection, TROJ_INJECT.ZZ, is an information stealer that may log keystrokes that launches a sniffer to gain your passwords that you may enter. In addition to the second Trojan, a rootkit was discovered to be dropped which is identified as TROJ_ROOTKIT.FX.

Security researchers are currently warning online users of this serious threat as they suspect thousands of these fake CNN News phishing emails have been sent out. Below are images from Trendmicro of the fake CNN News email messages and the phishing website.

Hackers do a good job with making phishing sites look like the real thing. Do you think the image above of the CNN.com/world web page would fool you? Would you think that it is a real CNN.com web page?

Reports have come in of some video links that could lead to malware by clicking a Google reader article link. From this link a computer user may be prompted with a video where if it is clicked to play takes you to a player on a non-Google page which is designed to spread malware. The whole process makes it look like Google is the culprit but it is not.

The attackers that set up this devious process have taken it upon themselves to create Google Reader accounts where they place links on the reader that take computer users to malicious web sites that spread malware. The malware was found to be a Trojan Downloader that includes Browser Helper Objects. This type of infection behaves like typical rogue anti-spyware programs where it prompts you with a fake notification that says you are infected with a virus or spyware.

What is done to resolve issues like this?

Once an exploit or malware infection has been discovered by a big company like Google you can be assured that it will be investigated further and possible resolved in a timely manner. A representative from Google reiterated this from the following statement: “Google works actively to detect and remove accounts that serve or link to malware. We’re investigating reports we’ve received on this issue and are committed to shutting down any accounts that violate our guidelines.”

Has this scenario ever happened to you? Does this sound familiar to other attacks that you have witness or read about over the internet?