C.I.S.R.T.

IM-Worm.Win32.Zeroll.a

Tue, 24 Aug 2010 01:27:03 +0000

Kaspersky reported a new IM-Worm "IM-Worm.Win32.Zeroll.a" was spreading in Latin America.

According to Kaspersky's description:

Quotation

On Aug 21, we (Kaspersky Lab) detected a new instant messenger worm that spreads through almost all well-known IM programs, including Skype, GTalk, Yahoo Messenger and Live MSN Messenger. The name of the threat is “IM-Worm.Win32.Zeroll.a”

It “speaks” 13 different languages (including Spanish and Portuguese) according to the local language of the infected Windows computer. There are some characteristics that show the worm originated Mexico. It is written in VB and the C&C is located on an IRC channel (an old botnet technique recycled by the Mexican coders).

So all the IM users should be careful of this worm.

Tags - im-worm.win32.zeroll.a

First iPhone Worm Ikee

Mon, 09 Nov 2009 00:43:26 +0000

There are lots of reports about first iPhone worm "Ikee" today.

F-Secure: First iPhone worm found

Sophos: First iPhone worm spreading in the wild

ISC: iPhone worm in the wild

Tags - ikee , iphone

Renren.com XSS Worm

Tue, 25 Aug 2009 01:44:19 +0000

I noticed Sophos and ISC reported a Chinese social web site - renren.com(aka xiaonei.com), was attacked by a flash XSS worm.

If you can read Chinese, you may read more details written by KnownSec Team here.

Tags - renren , xiaonei , xss

Really No Storm Codec on Your PC?

Wed, 09 Apr 2008 12:13:44 +0000

Zhelatin gang has updated its tactic again today. We've received its new spams. In the latest spams, a malicious domain "supeas.com" was contained. Besides spams, we also found this malicious domain was posted on lots of blogs.

Two files, "StormCodec.exe" and "StormCodec8.exe", will be downloaded. Kaspersky detects them as Email-Worm.Win32.Zhelatin.wt.

Here is the screenshot of this malicious site:
............

Tags - email-worm.zhelatin , stormcodec.exe , stormcodec8.exe , zhelatin.wt

Storm Worm, Blogspot.com

Mon, 07 Apr 2008 11:41:22 +0000

Storm Worm changed its tactic again. It began using Blog tactic now.

We received its latest spams which contained the links that point to Blogspot.com.

Here is the sample of spams body:

............

Tags - email-worm.zhelatin , withlove.exe , love.exe , zhelatin.ww

April Fools Day, Storm Worm Comes Back

Tue, 01 Apr 2008 11:00:43 +0000

Today is the April Fool's Day. More friends like joking on this day. The Storm Worm gang also like this day, and they come back after being inactive for a long time.

The new spams began being spread earlier today. We've received lots of spams in our mailbox. The subject lines are as the following:

April Fools' Day
Happy All Fools!
Doh! April's Fool.
I am a Fool for your Love
Gotcha! All Fool!
Happy April Fool's Day.

............

Tags - funny.exe , kickme.exe , foolsday.exe , email-worm.zhelatin , foolday , email-worm.win32.zhelatin.wt

Storm Worm Began Reactive

Mon, 03 Mar 2008 12:19:03 +0000

The last time Storm Worm active was Valentine Day.

Today, we monitored the Storm Worm gang began reactive. The file "postcard.exe" or "e-card.exe" will be downloaded automatically in a few seconds after users visit these websites.

The spams are like the following:
............

Tags - email-worm.zhelatin , postcard.exe , e-card.exe , zhelatin.vg

Valentine.exe, Zhelatin New Filename

Tue, 12 Feb 2008 09:44:40 +0000

Zhelatin gang began acitve again with new pictures and titles of its malicious websites.

When the users visit these websites, the file "valentine.exe" will be downloaded automatically after five seconds.

The following are the pictures on these malicious websites:
............

Tags - valentine.exe , email-worm.zhelatin

Beselo, New Symbian Worm in the Wild

Tue, 22 Jan 2008 12:41:10 +0000

F-Secure has reported a new symbian worm -- SymbOS/Beselo in the wild.

It affects S60 2nd Edition phones.

F-Secure said:

Quotation

The SymbOS/Beselo family of worms is very similar to Commwarrior. In fact at first we actually misidentified Beselo.A as Commwarrior.Y. Like Commwarrior, Beselo worms spread via MMS and Bluetooth using social engineering to trick users into installing an incoming SIS application installation file.

We also found the similar cases in China via Search Engine: Google and Baidu. The users received one of the following files via MMS:
............

Tags - symbos/beselo , beauty.jpg , love.rm , sex.mp3 , symbian , symbos/beselo.b

Storm Worm with Love Theme

Wed, 16 Jan 2008 07:49:53 +0000

New variant of Storm Worm began active now. The latest theme is about Love. The filenames are "withlove.exe" and "with_love.exe" this time, and the files on these websites are changing every 15-30 minutes, so keep being careful please.

The subjectlines may be as the following:

A Dream is a Wish
A Kiss So Gentle
For You....My Love
Love Is...
Memories of You
Our Love Will Last

The screenshot of spams:
............

Tags - withlove.exe , with love.exe , email-worm.zhelatin