Posts tagged ‘Infections’

Worm instead of Avira Keygen

Over the last weekend a package appeared on a popular BitTorrent site that allegedly contains Avira AntiVir Premium and a so-called keygen. A keygen is a small program that calculates a licence number for a commercial software product, free of charge.

When the supposed keygen is started, it does not provide the user with a serial number but infects the system instead. It drops three files on the hard disk:
- %AllUsersProfile%\Local Settings\Application Data\scvhost.exe
- C:\Sys.exe
- C:\autorun.inf

The dropped scvhost.exe (the name mimics the legitimate svchost.exe) is also added to the Run registry keys so that it is executed after every reboot. The autorun.inf and Sys.exe are not only created on the system hard disk but also on all removable drives. This seems to be the spreading mechanism of the worm.

If you take a closer look at the malware, one thing surely catches attention. At the end you find the string “VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1”. This indicates that the Vaqxination toolkit was used. The construction kit has some features that are interesting for cybercriminals:

Fig. 2: The Malware Toolkit used to create the worm.

Further features of the toolkit, according to its author's advertisement:
- Vista UAC bypass
- Run-as-admin bypass
- Fully stealth
- “Legit” Windows process
- Stronger output encryption
- Price: only 15 US-$ for the toolkit.

That string seems to be the configuration the malware author chose in the construction kit: each name=1 pair switches on one of the kit's features. The features seem to work as described; for example, the malware evades the Anubis sandbox system:

Fig. 1: The autorun-worm uses some anti-sandboxing tricks.
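Builder configurations like the one quoted above are worth extracting automatically, because the same kit produces many samples that differ only in these flags. The following is an added example (not code from the original post or from the toolkit); it locates the “VaQxiNe-” marker in a binary, walks the concatenated name=value pairs until they stop, and sorts the enabled flags into anti-analysis checks and everything else. The grouping of flag names into analysis tools is an assumption drawn from the names themselves, and the sample blob is constructed for the example.

```python
import re

MARKER = b"VaQxiNe-"

# Flags that name analysis tools or sandboxes. This grouping is an assumption
# based on the flag names; the toolkit's own semantics are not documented here.
ANALYSIS_TOOL_FLAGS = {"sandboxie", "zonealarm", "wireshark", "anubis",
                       "virtualpc", "keyscrambler"}

_KV = re.compile(rb"([a-z]+)=(\d+)")


def extract_config(blob):
    """Return the builder config of a Vaqxination sample as {flag: int}.

    The key=value pairs are concatenated without separators, so we walk the
    regex matches and stop at the first gap, which marks the end of the
    config string. Returns None when the marker is absent.
    """
    pos = blob.find(MARKER)
    if pos < 0:
        return None
    cfg = {}
    cursor = pos + len(MARKER)
    for m in _KV.finditer(blob, cursor):
        if m.start() != cursor:          # a gap: we have left the config string
            break
        cfg[m.group(1).decode()] = int(m.group(2))
        cursor = m.end()
    return cfg


def summarize(cfg):
    """Split the enabled flags into anti-analysis checks versus other features."""
    enabled = {name for name, value in cfg.items() if value}
    return {
        "anti_analysis": sorted(enabled & ANALYSIS_TOOL_FLAGS),
        "other": sorted(enabled - ANALYSIS_TOOL_FLAGS),
    }


# Constructed sample: a few padding bytes around the string quoted in the post.
SAMPLE = (b"\x00MZ\x90\x00" + b"\x41" * 16
          + b"VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1"
          + b"wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1"
          + b"\x00\x00PE\x00")

if __name__ == "__main__":
    cfg = extract_config(SAMPLE)
    print(cfg)
    print(summarize(cfg))
```

Running the script over a real sample (read the file in binary mode and pass the bytes to extract_config) gives a quick triage of which evasion checks the author switched on before spending time in a sandbox that the sample is configured to detect.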

Malware built with the Vaqxination construction kit currently steals passwords from Firefox and Steam and also logs all keystrokes. The log files are sent to an e-mail account the author chooses before building the malware.

Avira detects the bogus key generator as Worm/Autorun.sxa with VDF version 7.01.06.18. For malware authors, keygens have been a simple way to infect user PCs for a long time. If an antivirus solution warns about malware within such a keygen, this is nearly always a correct detection; the probability of a false positive is extremely low. The websites where such keygens are usually offered also often try to infect PCs via drive-by downloads. So be very careful when searching for software like this!

Dirk Knop
Technical Editor


Security Holes and Updates

There is a severe security hole in Microsoft's Internet Information Services (IIS) versions 5 and 6, and “0-day” exploit code is publicly available on the net. The flaw is in the FTP component. Microsoft therefore recommends as a workaround to disable (anonymous) FTP on IIS, or to withdraw from anonymous users the right to create directories. A security advisory was already available, but its link currently leads to a Bing search page; at least the advisory can still be viewed there as a “cached page”.

Opera released the final version 10 of its web browser. It fixes some security issues and brings new and improved features, which are listed in the changelog.

The OpenOffice.org developers released OpenOffice.org 3.1.1 (changelog). This version fixes a security flaw in Word document processing that can lead to system compromise. Users of OpenOffice.org should download the new version and update immediately.

Dirk Knop
Technical Editor

W32/Induc.A Removal Tool

Last week a virus that infects Delphi development environments, and through them every program compiled with the infected environment, was detected and got some media attention: infected programs were distributed on cover-mount CDs and DVDs of computer magazines and via download portals.

Our developers created a special version of the Avira Removal Tool that is capable of detecting and deleting infected programs. You can download the English version here and the German version here!

Dirk Knop
Technical Editor

Security flaw in Adobe PDF/Flash

There are security flaws in Adobe Reader and Acrobat and in Adobe Flash Player that are currently being actively exploited on the net. The company has published a security advisory announcing that it is investigating the problem and plans an update for 30 July.

Avira antivirus solutions already detect the malicious PDF files as EXP/Pidief.TH, and the malware dropped by those documents as TR/Drop.Wmach and TR/Spy.WMach respectively. Nevertheless, it is a good idea to take additional security measures until Adobe provides an update.

Adobe recommends deleting or renaming the file authplay.dll that ships with Reader and Acrobat (it is the component that renders Flash content embedded in PDF files, so PDFs with Flash content will stop working until the update). Also, enabling Data Execution Prevention (DEP) and activating User Account Control (UAC) on Windows Vista mitigate the risk, according to Adobe.

Another option is to use a different PDF reader and to disable the Adobe PDF and Flash plug-ins in the web browser via its add-ons manager. The NoScript extension for Firefox also helps to prevent Flash applications from running in the browser; drive-by downloads via malicious Flash applications embedded in web sites may well turn up soon.

Dirk Knop
Technical Editor

Microsoft warns of critical Internet Explorer/DirectShow flaw

In a security advisory published yesterday, Microsoft warns of a critical error in an ActiveX component for Internet Explorer. This DirectShow component provides video playback, recording and capture capabilities. Because of the error, attackers can inject malicious software (well, malware, let's call it by its name!) into the computer without any user intervention, just by visiting a hacked website. We detect the exploiting JavaScript as “HTML/Shellcode.Gen”.

Microsoft also reports that this vulnerability is already being exploited on the Internet. There is no patch to close the security hole yet. However, the company provides a knowledge base article with a “Fix it for me” workaround. This installer can be distributed in company networks as well as on home computers; it sets the kill bit for the faulty component so that Internet Explorer no longer executes it. Make sure to run it if you use any flavour of Windows XP or Windows Server 2003!

Dirk Knop
Technical Editor

Microsoft warns of critical DirectX flaw

Microsoft issued a warning about a security vulnerability in DirectX that is reportedly being actively exploited. The vulnerable code in the affected component, quartz.dll, was removed in Windows Vista and Windows Server 2008 (and also in Windows 7), so Windows 2000, XP and Server 2003 are the vulnerable systems. On those operating systems, a user just needs to open a manipulated QuickTime file to infect her computer, independent of the browser or software used.

From Microsofts Security Response Center: “The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.”

The company offers a solution in a knowledge base article. Users can apply a fix by clicking the “Fix it” link in that article with Internet Explorer, although at the time of writing the fix is obviously undergoing maintenance. Microsoft writes that it wants to ship a patch as soon as it is production stable. It is unclear whether this means an out-of-band update or whether the patch will be ready for the June Black Tuesday.

Dirk Knop
Technical Editor

File Patcher W32/Tobin

While refining and improving our detection of the W32/Tobin file patcher malware we analysed its “infection” algorithm more closely. Upon execution, it drops a DLL (usually “nikitob.dll”) and modifies executable files on the system so that they load the dropped DLL when they are started. So far nothing new or unusual.

Fig. 1: The new import table

W32/Tobin appends a new section named “.lenna” to the end of the PE file. This section holds an import table; the Windows loader walks the import table at load time, maps every DLL it names and resolves the imported functions before the program starts. The new import table references the dropped DLL “nikitob.dll” in addition to the program's original imports. At the same time, the import entry of the data directory in the PE header is modified to point to the newly appended import table. If the executable has a bound import table, W32/Tobin “removes” it by setting the RVA and size of its data directory entry to 0.

Fig. 2: Original data directory address

Fig. 3: Patched data directory address

The dropped DLL “nikitob.dll” exports just one function, “NikitaTob”. When called, it shows a message box with the text “NikitaTob”. The actual virus code is executed automatically when the DLL is loaded, i.e. from its DllMain entry point, so the exported function never needs to be called.

Fig. 4: The malware dll exports just one function

Among other things, the import address table is rebuilt so that the patched executable still works. In our analysis we didn't find any further malicious routines in the malware.

Fig. 5: W32/Tobin just shows a message

In one of the W32/Tobin samples we found the reference “C:\NIKITA\Soft\black_soft\29a\nikitob\Release\nikitob.pdb”. A short search in our archives turned up an old magazine of the VX group 29A. The issue from January 2005 contains proof-of-concept code that infects files in exactly the W32/Tobin way; there the new section is called “.senna” and the message box shows the text “PayLoad”. It looks like some malware writers used the proof-of-concept virus to learn new techniques.

Removing this kind of malware from an infected system isn't as simple as it may look at first glance. Simply deleting the dropped DLL doesn't work: the infected executables now depend on the DLL and won't start any more; most likely the whole system wouldn't boot. Since W32/Tobin stores the address of the original import table at the end of the executable, it is possible to restore that value and disinfect the system gracefully.
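The tell-tale signs described above (an import directory that points into an appended last section, an import descriptor naming the dropped DLL, and a zeroed bound-import entry) can be checked with a small PE walker. The following is an added example, not Avira's detection code and not taken from the post: it parses the PE headers and import directory with nothing but the standard library, reports which section hosts the import directory, and lists the DLLs and functions it names. build_sample constructs a hypothetical, non-runnable PE32 image laid out the way the post describes a patched file (a “.lenna” section holding a new import table that references nikitob.dll next to the original KERNEL32 import), so the check can be exercised offline; the layout, RVAs and function names in that sample are assumptions for the example.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11
SECTION_HDR = "<8sIIIIIIHHI"                      # IMAGE_SECTION_HEADER (40 bytes)


def _sections(data, pe):
    """Section table as (name, va, vsize, raw_ptr, raw_size) tuples."""
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        out.append((name, va, vsize, raw_ptr, raw_size))
    return out


def _host(secs, rva):
    """The section whose virtual range covers rva."""
    for s in secs:
        if s[1] <= rva < s[1] + max(s[2], s[4]):
            return s
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def _rva_to_offset(secs, rva):
    s = _host(secs, rva)
    return s[3] + (rva - s[1])


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def analyze(data):
    """Report where the import directory lives and which DLLs/functions it names."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    pe32plus = magic == 0x20B
    dd = opt + (112 if pe32plus else 96)            # first data directory entry
    imp_rva, _ = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    bound = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
    secs = _sections(data, pe)
    tsize, tfmt, ord_flag = (8, "<Q", 1 << 63) if pe32plus else (4, "<I", 1 << 31)
    imports, off = {}, _rva_to_offset(secs, imp_rva)
    while True:                                      # walk IMAGE_IMPORT_DESCRIPTORs
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and ft == 0:
            break                                    # all-zero terminator
        funcs, thunk = [], _rva_to_offset(secs, oft or ft)   # INT, or IAT if no INT
        while True:
            entry, = struct.unpack_from(tfmt, data, thunk)
            if entry == 0:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & ord_flag
                         else _cstr(data, _rva_to_offset(secs, entry) + 2))  # skip hint
            thunk += tsize
        imports[_cstr(data, _rva_to_offset(secs, name_rva))] = funcs
        off += 20
    host = _host(secs, imp_rva)
    return {
        "import_section": host[0],
        "import_dir_in_last_section": host is secs[-1],
        "bound_import_zeroed": bound == (0, 0),
        "imports": imports,
        "tobin_like": host[0] == ".lenna" or "nikitob.dll" in {d.lower() for d in imports},
    }


def build_sample():
    """Constructed PE32 image with a Tobin-style appended '.lenna' import section.

    Hypothetical layout for this example only: empty .text at RVA 0x1000 and the
    import table at RVA 0x2000; the image is not meant to be executed."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x58
    struct.pack_into("<HBBIIIIIIIII", hdr, opt, 0x10B, 0, 0, 0x200, 0x200, 0,
                     0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<HHHHHHIIIIHHIIIIII", hdr, opt + 40, 5, 0, 0, 0, 5, 0, 0,
                     0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    # Import entry redirected into .lenna; the bound-import entry stays 0/0.
    struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x2000, 60)
    sect = opt + 0xE0
    struct.pack_into(SECTION_HDR, hdr, sect, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, hdr, sect + 40, b".lenna", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    lenna = bytearray(0x200)
    struct.pack_into("<IIIII", lenna, 0x00, 0x2040, 0, 0, 0x2060, 0x2050)  # nikitob.dll (injected)
    struct.pack_into("<IIIII", lenna, 0x14, 0x2048, 0, 0, 0x2070, 0x2058)  # KERNEL32.dll (original)
    struct.pack_into("<IIII", lenna, 0x40, 0x2080, 0, 0x2090, 0)           # import name tables
    struct.pack_into("<IIII", lenna, 0x50, 0x2080, 0, 0x2090, 0)           # import address tables
    lenna[0x60:0x6C] = b"nikitob.dll\0"
    lenna[0x70:0x7D] = b"KERNEL32.dll\0"
    lenna[0x80:0x8C] = b"\0\0NikitaTob\0"                                  # hint + name
    lenna[0x90:0x9E] = b"\0\0ExitProcess\0"
    return bytes(hdr) + bytes(0x200) + bytes(lenna)


if __name__ == "__main__":
    print(analyze(build_sample()))
```

An import directory in the last section is not proof of infection on its own (some packers and linkers place it there), which is why the report also names the DLLs; in a Tobin case the injected nikitob.dll import is the decisive signal, and the original import directory address stored at the end of the file is what a repair routine would restore before dropping the “.lenna” section.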

Dirk Knop
Technical Editor

What to do against Psyb0t

Some hype has built up around the malware known as Psyb0t. It is unusual in that it doesn't infect Windows machines but MIPS-based Internet routers and DSL modems, which are very widespread. (This is only half of the story: there is also a Windows malware floating around that starts by infecting the Internet gateway; that malware is detected and removed by Avira AntiVir, though.)

In our analysis we found plenty of interesting strings in the Psyb0t variant 2.9L.

Fig. 1: Disassembled Psyb0t and its function graph.

This malware is quite sophisticated and has a whole lot of functions a bot master may need. Psyb0t connects to an IRC server and can be controlled from there.

It tries to exploit weak passwords on devices reachable via the Internet and contains an extensive list of default passwords and some often-used passwords, too. It also attacks SQL servers and software like phpMyAdmin. So it doesn't only infect Netcomm DSL modems, as has sometimes been reported in the media, but can break into plenty of other MIPS-based devices from other brands as well, even OpenWRT installations if they run insecure service versions.

How can you tell if your router is infected? There is no easy way. But the malware adds a firewall rule that blocks incoming telnet connections (iptables -A INPUT -p tcp --dport 23 -j DROP). So if a telnet daemon is running on your router and you can't reach it any more, that is a bad sign.

How do you get rid of an infection? Connect to your Internet gateway via a wired network. Fetch the latest firmware version from a different network, e.g. at a neighbour's or a friend's place. Then you usually have to hard-reset the Internet gateway: most devices reset their settings to the defaults when you hold the reset button for 10 seconds, then pull the power plug and reinsert it.

After that, first change the default password to a good, strong one; you know the drill: lower- and upper-case letters, special characters and digits in as random a fashion as possible. Then upgrade the firmware to the most recent version. Only then start configuring your Internet gateway again.

Dirk Knop
Technical Editor

Markus Hinderhofer
R&D Engine Team

Beyond the final frontier

Malware made its way into space! The International Space Station (ISS) has to fight a trojan on some of its computers. Fortunately, no vital systems are affected; it remains unclear though how the malware got into space. Rumour has it that an astronaut may have carried the virus on a USB stick or a memory card. It is also unknown which nation the astronaut comes from.

Even though there is no direct Internet connection on the ISS, the trojan tries to steal gaming passwords. It is already nearly a year old. Avira detects it generically as a member of the Vundo family of trojans, TR/Vundo.Gen. Even the free Avira AntiVir Personal would have kept the ISS clean of that malware! It seems it is time to think about further security mechanisms in space.

Dirk Knop
Technical Editor