ThreatFire Research Blog

Blog from the threat research team at Threatfire about computer security.

Recent Posts Tagged With 'worm'

  • Brontok Enjoys Sunny Climates as a Worm without a Head

    Posted on Wednesday September 9th, 2009 at 13:52 in worm, cybercrime

    Some hugely prevalent, worming families just won't wither away and disappear. They top vendors' prevalence lists for years on end, even as the malcode fails to serve its original purpose. As the ThreatFire community grows its presence in Mexico and B...

  • No Microsoft FTP Module 0day, but Spybot/Kolab Exploits

    Posted on Tuesday September 1st, 2009 at 15:38 in worm, exploit, 0day

    We've been waiting for some stats to come rolling in, but we haven't seen a hint of a 0day worm or any attacks for that matter on the current Microsoft Ftp module 0day. Instead of the Ftp 0day showing global activity, Spybot/Kolab is attempting to ri...

  • Waledac birdie_a.exe, birdie_b.exe, corvus_b.exe, william_a.exe Mixed in with FakeAv Download Scheme

    Posted on Monday August 24th, 2009 at 16:09 in worm, undetected malware, waledac

    We may be seeing the stirrings of yet another Waledac distribution. Servers at 95.211.8.215 and 95.211.8.161 have been serving up a number of unusually named files since the 20th that appear to maintain not only the common Waledac unpacking stub, but...

  • Tertwit? or Twitter Tweet Links Redirect to Koobface

    Posted on Friday August 7th, 2009 at 16:09 in trojan, worm, bot, social engineering, koobface

    koob-Face or ter-Twit? The ongoing abuse of twitter feeds by malware distributors continues to net more social networking victims. As always, be wary of any executable you are prompted to download and execute. Currently, evil tweets for "My home vide...

  • Undetected Autorun/Injector Variant on the Loose

    Posted on Tuesday June 2nd, 2009 at 16:20 in worm, autorun, rogueware, fakealert

    A new variant of an Autorun worm is on the loose, probably created by another childish and angry ex-lover. The little multithreaded beast injects into windows explorer, and attempts to communicate with one of several Irc servers at June.IRCdevils.ne...

  • Windows Security Center and Virus (I-Worm.Trojan.b)

    Posted on Tuesday May 12th, 2009 at 13:52 in worm, social engineering, rogueware, fakealert, im worm

    What is a virus i-worm trojan anyways? Well, it's not a legitimate detection with a valid CARO name, it's gibberish to lead a user to "Click 'Ok' to Install System Security Antivirus", either on XP: Or with a more sleek look on Vista: The distributors ...

  • Bruce Schneier on Conficker

    Posted on Monday April 27th, 2009 at 17:02 in Common Sense, worm, autorun

    At the RSA Conference in San Francisco, Bruce Schneier opined on the media sensation that Conficker became. According to Iain Thompson, Schneier said that "it was a classic example of how the mainstream news media misunderstood the threat from malwar...

  • A Quiet Morning

    Posted on Tuesday March 31st, 2009 at 20:45 in worm

    What has been described as a day of epic struggle appears to be starting quietly, with Conficker day setting in for China and S. Korea, two of the nations maintaining reportedly high Conficker infection volumes (the worm has spread to potentially a f...

  • Ridiculous Autorun Worm Names

    Posted on Tuesday January 20th, 2009 at 19:18 in worm

    Oh brother, you hate to write about it. A worm is spreading fairly high in prevalence this week and last. Sometimes, it is not because of foolish curiosity -- the worm is spreading over removable drives like Usb sticks, otherwise known as an "Autor...

  • Microsoft Patch Tuesday 009

    Posted on Tuesday January 13th, 2009 at 12:57 in worm, bot, vulnerability, software release

    We've been anxiously awaiting that first patch of the year, and here we have it: "Vulnerabilities in SMB Could Allow Remote Code Execution". The excitement for this one could be either downplayed or up-played. The MS09-001 patch replaces the patchwork ...

  • Card.exe is not Brought to you by 123Christmas-Greetings!

    Posted on Tuesday January 6th, 2009 at 14:31 in spam, adware, worm, exploit, storm

    Unfortunately, a handful of legitimate online greeting card sites continue to be spoofed as parts of the ongoing successful Waledac threat. While it is similar to the Storm threat, the shameless ripoff of multiple greeting card sites is even more bla...

  • Koobface Notes -- flash_update.exe, bolivar29.exe, tinyproxy.exe

    Posted on Tuesday December 9th, 2008 at 19:34 in adware, trojan, worm, undetected malware

    Earlier last week, we first posted our usual warning about the spike in Koobface threats that our ThreatFire users were being protected against on their systems. That post set off some interest in the worm again. The last spike in the worm coincided ...

  • Koobface Anti-Emulation Time Lock Trick

    Posted on Monday December 8th, 2008 at 13:55 in worm, reversing, evasion technique, undetected malware

    Koobface contains a lot of interesting tricks, components, and schemes to write about. In the interest of keeping this post somewhat brief, we'll focus on an anti-emulation technique that may be keeping the AV detection rates low for repacked and red...

  • Koobface flash_udpate.exe Around the World

    Posted on Friday December 5th, 2008 at 19:46 in worm, social engineering, dropper

    We are analyzing the binaries and koobface processes and will provide detailed technical information later -- this one performs lots of process, system admin, file create/delete activity, and each one has a tricky anti-emulation trick that we'll desc...

  • Koobface on the Loose as "flash_update.exe"

    Posted on Wednesday December 3rd, 2008 at 11:31 in worm, social engineering

    "Koobface". Like "Facebook", only sort of backwards. Clever. Social networking worms like the Koobface family are a reality, and their prevalence shows on our threatfire community. Users of facebook need to be aware that links appearing on friends' fa...

  • USB Worms and Government Policy

    Posted on Thursday November 20th, 2008 at 16:42 in worm, disclosure, password stealing, undetected malware

    When federal government systems are hit with malware, the incidents often receive no public reporting. However, the slew of infections from removable drive based worms has become so bad on the U.S. Dept of Defense's infrastructure that they've banne...

  • Yahlover Interrupts Software Evolution

    Posted on Monday October 6th, 2008 at 23:36 in fun, worm, virus bulletin, antimalware solutions

    A variation on an old IM-Worm is making the rounds in Thailand and Vietnam. It just may be interrupting your Virus Bulletin reading -- the papers were good this year. The worm is another AutoIt script compiled as "ssvichosst.exe" designed to interact ...

  • Facebook, Open These Images Scheme -- dvc-foto010.jpeg_www.facebook.com

    Posted on Wednesday September 24th, 2008 at 12:26 in worm, rootkit, social engineering, embedded trojan

    No, it is not a link, it is a file that does not have photos that you are interested in, and will not direct you to jpegs you are interested in on the facebook site. Also making the rounds is "newestpicture0021.jpeg-www.imageshack.com", and other "im...

  • New Undetected Worm

    Posted on Tuesday July 1st, 2008 at 12:01 in worm, rootkit, social engineering, undetected malware

    We're seeing a new version of the worms that we previously posted info about. Some slight changes in the newest version: circulating with the name "newphoto011.jpeg-www.myspace.com", which I'm sure will change soon enough. This time, it hides a new pr...

  • Removal Tool? No.

    Posted on Monday June 23rd, 2008 at 19:09 in worm, bot, rat, dropper, undetected malware, chasenet, swerat, bifrost

    A little-detected "tool" is downloading and executing bots. A version of "driveguard.exe", with promises of cleaning up your system from infections and keeping it clean, is worming its way onto machines and downloading strains of Poison Ivy as "WinSe...

  • MSN IM Worm

    Posted on Wednesday June 4th, 2008 at 12:46 in worm, bot, social engineering, dropper

    Another MSN IM-worm is making the rounds, in an effort to create yet another IRC-based botnet. Almost all of the activity that we are seeing is coming from our user community in Italy, Spain, Argentina and Peru. A message will arrive, asking "Is this ...

  • Chartreuse pill

    Posted on Tuesday January 15th, 2008 at 16:28 in worm, virus bulletin, evasion technique

    Ok, we're running out of little pill colors to match up with Matrix analogies. But simply put, the red pill and the subsequent blue pill work attempted to achieve the goal of detecting and abusing virtual machines. Maybe chartreuse isn't what we're lo...

  • Storm's premature invitation

    Posted on Tuesday January 15th, 2008 at 13:05 in worm, storm, bot

    Some things arrive way too early. This time, it's the Storm worm. The Storm gang is starting early on the Valentine's day theme, and we are receiving emails from these affectionate souls, trying to deliver "withlove.exe", and other malicious vday them...

  • Help.exe still not much of a helper

    Posted on Tuesday January 8th, 2008 at 18:46 in worm, reversing, dropper, password stealing, evasion technique

    One of the highest hitting worms that ThreatFire encountered over the past week is a worm designed to target online game player logins by dropping a password stealer and rootkit components on infected systems. We previously blogged about the help.exe...