NEWS FROM THE LAB - February 2005


Monday, February 28, 2005

Case Send-Safe Posted by Mikko @ 16:25 GMT

There are some interesting developments going on with the Send-Safe spamming tool. Together with tools like "Mailerboy" and "Darkmailer", Send-Safe is one of the most popular tools used by spammers to send spam. Send-Safe even includes a built-in support for sending the spam via home machines infected with viruses like Mydoom, Bagle and Sobig.Whois info of

Various antispam organizations and authorities have tried to fight the company behind Send-Safe with little results. The company is run by Mr. Ruslan Ibragimov, operating just outside downtown Moscow.

Especially our friends at Spamhaus have aggressively tried getting the website shut down. Suprisingly, the site has apparently been hosted by MCI Worldcom - one of the largest service providers in the world.

But now something is finally happening, as the website has disappeared.

Previously, used to look like this:

What used to look like.

This morning it looked like this:

What looks like now.

And in fact, after that Tripod has taken the redirect site offline totally (kudos for them).

We've run into Send-Safe various times before - for example, in last October in our weblog posting about who wrote Sobig.

To illustrate how professional these tools really are, here's a screenshot of Send-Safe in action. Especially notice the text in the bottom about using "527 proxies" to send spam. These are the infected zombie home computers being used without the owner of the computer having the slightest clue his machine is sending out viagra spam.

Screenshot of Send-Safe
One last thing: Send-Safe has a feature to "call home" with an encrypted SSL connection every time it starts up; this checks that the user has a valid (and expensive!) license before allowing spamming. When we heard the website was down, we were hopeful it would also break this function, effectively shutting down all copies of the tool.

Unfortunately, this is not the case. The program calls home by making a https connection to, which belongs to a netblock owned by Race Telecom Ltd near Ural, and which is still fully operational.
Fake SSL certificate used for the SSL connection of Send-Safe


Friday, February 25, 2005

W32/Mytob.A - a mix of Mydoom and a Bot Posted by Katrin @ 23:22 GMT

We've got a new worm that is based on Mydoom but also contains Bot functionality. We are calling it W32/Mytob.A.

Wednesday, February 23, 2005

FBI is investigating the source of fake e-mails Posted by Alexey @ 11:49 GMT

FBI has issued a press-release that warns people about fake e-mails coming from addresses. The recently discovered Sober.K worm appears to be the source of these e-mails. Here's an example of a fake e-mail sent by Sober.K worm:

Dear Sir/Madam,

we have logged your IP-address on more than 40 illegal Websites.

Important: Please answer our questions!
The list of questions are attached.

Yours faithfully,
M. John Stellford

++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ Washington, DC 20535
++-++ (202) 324-3000


Tuesday, February 22, 2005

Shadowcrew carding site operational again Posted by Jarno @ 10:19 GMT

In November 2004 we covered the case when carding site got taken down by US secret service, in the Operation Firewall. The operation resulted in 28 arrests and closing down, and

Now it seems that they or someone who is emulating them is back at operation at We hope that this site will also be closed in near future.


Monday, February 21, 2005

More cabir sightings Posted by Jarno @ 13:19 GMT


It seems that even slow worm as Cabir will spread given time, and lack of protection in target systems.

Today we got a E-Mail from reader in South Africa, who said that he has received Cabir file on his phone.

Which brings to another interesting point. Lately there have been couple rather well written articles. Which make the point how user has to answer
yes several times to get infected by Cabir after it has arrived on the phone, and thus it is impossible to get infected by accident, and Cabir and other mobile viruses being just hype.

And while I do agree with every technical point that this and other articles make, I do have to say that their authors assume quite a lot of knowledge and care from average phone user. People have been told not to click unknown attachments in E-Mail for past 5 years, and still E-Mail worms are one of the most common malware type on PC systems. So it would be unrealistic to assume that average phone users would be any more cautious.

As they say, curiosity killed the cat.

So now we have 14 countries with Cabir sightings:

 1. Philippines
 2. Singapore
 3. UAE
 4. China
 5. India
 6. Finland
 7. Vietnam
 8. Turkey
 9. Russia
10. UK
11. Italy
12. USA
13. South Africa
14. Australia


Paris Hilton's phone hacked Posted by Gergo @ 11:00 GMT

Paris Hilton

A list of celebrity phone numbers and email addresses appeared on the Internet after Paris Hilton's Sidekick phone's information was stolen - most likely from the web back end. The intruders stole Paris' Sidekick Address Book, Notes and some personal photos. Many of the phone numbers has been verified and found to be valid, until the owners change them, at least. On the list, among others, there is Christina Aguilera, Eminem, Lindsay Lohan and Vin Diesel.

Not much is known about the hack though. The site where the information was posted originally had the following note:

"The previous information was obtained using social engineering tactics."

This only serves as another reminder for people to use difficult enough passwords everywhere and no, pet names are not difficult enough...


Sober.K and another new Mydoom Posted by Katrin @ 05:26 GMT

This Monday morning starts with a new Sober.K and yet another new Mydoom. We are publishing update to detect Sober.K. The new Mydoom is detected with the current updates as Mydoom.M.


Sunday, February 20, 2005

Sunday's My Doom Posted by Katrin @ 12:48 GMT

We just got another new Mydoom variant. It is similar to the previous three variants: Mydoom.BB also Mydoom.BC and Mydoom.BD.

This new variant is detected with the updates published on Ferbruary 17th, 2005.


Saturday, February 19, 2005

Status update on the new Mydoom.BC and Mydoom.BD Posted by Katrin @ 09:31 GMT

We are seeing more, but not too many reports of the two new Mydoom variants found yesterday - currently just 2.7% of all the reports.


Fresh portion of Mydooms Posted by Ceco @ 00:22 GMT

Two new Mydooms have been spotted. There aren't many reports of the worms for now. The two are very closely related to the Radar Level 2 Mydoom.BB.

The new variants are Mydoom.BC and Mydoom.BD.

In addition, we've added detection for an earlier variant. This variant is detcted under the name


Friday, February 18, 2005

Study Finds Windows More Secure Than Linux Posted by Mikko @ 07:10 GMT

An interesting study was presented at the RSA Conference this week.

Richard Ford. Photo (c) M Hypponen 1999Two researchers compared Windows Server 2003 and Red Hat Enterprise Server 3. Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued.

Windows setup: risk window of 30 days
Red Hat setup: risk window of 71 days

The study was done by Richard Ford, a professor at the Florida Institute of Technology and Herbert Thompson, director of security research at Security Innovation Inc.

"That's a very surprising statistic, and I must say the first time I saw this statistic I thought you messed with my database", commented Dr. Ford.

So it's time to upgrade to a Mac.


Thursday, February 17, 2005

Gentlemen, start your engines: Your Lexus is safe from Cabir Posted by Jusu @ 11:29 GMT

We received an official reply from Lexus to our query about the case of Cabir worm possibly infecting cars. The reply based Lexus' immunity to Cabir on two points (quote):

Lexus LS470 dash - image Copyright (c) Autoreview1) Navigation systems in Lexus and Toyota vehicles do utilize an embedded operating system (OS) and some degree of random access memory (RAM) that is used to store several types of information such as recent destinations, names and attributes of saved destinations, and a telephone directory among other items. The operating system itself is proprietary, however, not Symbian as these reports have alleged.

2) Although the Bluetooth interface does support the Object Push Protocol for transferring the phone book from a Bluetooth cell phone to the navigation system, this is an operator controlled event and the data cannot be exported (or transmitted) from the navigation unit.

When contemplating this answer with our mobile researchers one issue came up:
Since the Bluetooth interface supports Object Push Protocol it could be possible that when Cabir is looking for a target it might try to send itself to the Lexus navigation system (which as said before is immune to the worm) and this could cause an error message on the system, but not more than that. Before we can afford a Lexus to try this on we'll just have to speculate however.


Plug for a good book Posted by Mikko @ 09:06 GMT

Peter Szor has just published a book titled The Art of Computer Virus Research and Defense.

Peter Szor presenting a paper for Data Fellows Oy in Virus Bulletin 1998 in M´┐ŻnichThis is a very good and very thorough book (744 pages!). I had a chance to proofread the book for Peter during the writing process, and I can tell you that this is the complete reference guide to all aspects of computer virus research. It's well written, entertaining, very technical and even controversial at places. It is the best book on viruses I've seen.

From the back cover: "Szor presents the state-of-the-art in both malware and protection, providing the full technical detail that professionals need to handle increasingly complex attacks. He also offers the most thorough and practical primer on virus analysis ever published—addressing everything from creating your own personal laboratory to automating the analysis process."

We've known Peter for years (he used to work for us in the 1990s), and he's one of the best virus researchers in the world. We recommend his book for everybody interested in viruses.


Mydoom.BB upgraded to level 2 Posted by Katrin @ 08:41 GMT

We are upgrading Mydoom.BB worm to Radar level 2 because of increased number of submissions.

This variant is binary patched Mydoom.M. As its predecessor, it uses uses Google, Yahoo, Altavista and Lycos to collect email addresses.


Another Mydoom Posted by Mikko @ 04:53 GMT

Another new Mydoom is going around. We haven't received many reports about this...but then again, our antivirus detected this one as an earlier variant with no need to update.

So right now we're detecting this one as Email-Worm.Win32.Mydoom.m while others use names such as W32/, W32/MyDoom-O, W32.Mydoom.AX@mm, Mydoom.AU, WORM_MYDOOM.BB. Oh well.

This variant installs a spammer proxy trojan detected as Backdoor.Win32.Surila.o. It downloads it from This site is being misused by the virus writers without the site owners permission.


Wednesday, February 16, 2005

T-Mobile hacker pleads guilty Posted by Mikko @ 04:31 GMT

Nicholas Lee Jacobsen, 22, pleaded guilty this morning in Los Angeles. This is the guy who hacked T-Mobile Sidekick systems, among others.

Jacobsen faces a maximum possible sentence of five years imprisonment and a $250,000 fine. Sentencing is set for May 16, 2005.

More info at Lawfuel.


Tuesday, February 15, 2005

Jigsaw Piece - 469 Posted by Mikko @ 10:21 GMT


Monday, February 14, 2005

Cabir found in-the-wild in USA Posted by Mikko @ 15:19 GMT

Well, it had to happen sooner or later. We've just heard about the first in-the-wild sighting of Cabir in USA. This was in California.

This is not going to be the end of the world; the common Cabir variants have been proved to be very slow in spreading in-the-wild. Also, Symbian-based phones probably aren't as common in USA as elsewhere yet (then again, Symbian has over 80% global market share in the operating systems of new phone shipments).

According to our notes, the list of countries Cabir has been spotted in so far looks like this:

 1. Philippines
 2. Singapore
 3. UAE
 4. China
 5. India
 6. Finland
 7. Vietnam
 8. Turkey
 9. Russia
10. UK
11. Italy
12. USA

Cool worldmap

There are more. Let us know of if you've seen Cabir in your country.

PS. We've been getting several reports of Cabir from downtown Moscow. Apparently it's fairly common to get a Cabir file offer if you walk around with your bluetooth enabled. We haven't been able to confirm which variant of Cabir this is.

PS2. The 3GSM World Congress 2005 started today in Cannes. This is the biggest conference on mobile issues, and mobile phone security is expected to be one of the hottest topics this year.
3GSM, visit F-Secure on Stand G44h, Hall 2


Sunday, February 13, 2005

War of the Worlds Posted by Mikko @ 15:46 GMT

We got a note from one of our readers about a web defacement which is more interesting than the average web graffiti. Mainly because this one hits a really high-profile web site; the official home page of one of the biggest movies of the year: War of the Worlds by Steven Spielberg and Tom Cruise.

Here's a screenshot of before and after. The defacement is done by the usual suspects: another Brazilian defacement group.

War of the Worlds

This site is run by Paramount Pictures on Apache/PHP in Internap address space.

Thanks to Grelmar for the heads-up.


Friday, February 11, 2005

VB99% Posted by Mikko @ 18:25 GMT

F-Secure Anti-Virus 5.43 has been awarded the VB 100% award in the February 2005 edition of the Virus Bulletin magazine.

There were technical problems during the testing, so the print edition of the Virus Bulletin magazine actually lists us as failing the test...which it didn't. One antivirus vendor from UK (which we shall not name here but it's Sophos) even put out a press release in the meanwhile stressing how we failed in the test. But we didn't, ha-ha!

Virus Bulletin tested 28 different anti-virus products for their detection rates against in-the-wild viruses. We have long and proven track record of receiving VB 100% awards on different platforms. So there.


Speaking about security holes... Posted by Mikko @ 06:48 GMT

Our product development group has put out a bulletin regarding a security hole affecting several of our antivirus products.

We urge all affected users to apply the patch, before some clown virus-writer tries to exploit it. This hole is related to a bug in our routine that unpacks ARJ archive files. The bug would allow an attacker to execute code when his ARJ file is scanned.

Also, thanks to ISS X-Force for the professional way they handled this issue with us.

Output of ARJ.EXE from 1991


Thursday, February 10, 2005

Exploit code for MS05-009 vulnerability on the loose Posted by Sami @ 08:06 GMT

The exploit code has been released for the MS05-009 vulnerability. The vulnerability is exploitable via Portable Network Graphics (PNG) images.

According to Microsoft, this vulnerability affects Microsoft's MSN Messenger, Windows Messenger and Windows Media Player: a hostile PNG image can be used to execute arbitary code on the vulnerable system.

Previosly GIF and JPEG processing among others on various platforms have had similar vulnerabilities.

Since the fix is available, it is time to apply some patches right now.


Tuesday, February 8, 2005

And the security update day arrives Posted by Ero @ 19:33 GMT

Today, as the tradition goes, Microsoft released new security updates.

MS05-005 affects Office XP, Microsoft Project, Visio and different versions of Microsoft Works and it is rated as Critical.

MS05-006 affects SharePoint Team Services and is rated as Moderate.

The following affect mostly different versions of the Windows Operating System.

Rated as Important are MS05-004, MS05-007, MS05-008

And as Critical MS05-009, MS05-010, MS05-011, MS05-012, MS05-013, MS05-014, MS05-015.


Monday, February 7, 2005 compromised Posted by Sami @ 13:46 GMT

phpBB's web site got compromised, and it is currently unavailable. phpBB is a popular web based discussion system.

According to the statement on their front page at the moment, the intrusion has nothing to do with the phpBB software itself. Instead there is an unconfirmed report that compromise may have been done using a security vulnerability in Awstats instead.


Commercial Pocket PC software wiping PDA if you use pirated serial code Posted by Jarno @ 10:29 GMT

It seems that bad ideas with copy protection and dealing with pirates are repeating themselves.

In August 2000 a Palm developer who created Liberty game boy emulator for Palm devices, created a Liberty trojan that pretended to crack for of his software, but actually deletes all files on the device and reboots.

About a week ago a Pocket PC developer who created Pocket Mechanic utility for pocket PC, created update of his software (version 1.50) that deletes all files on the device if user is using one specific pirated serial number. Which means that if user is using such number and upgrades to version 1.50 or downloads 1.50 and enters pirated serial code, he will lose all data.

The current version 1.51 does not contain the trojan functionality anymore.

While pirating software is illegal, so is creating trojans that check whether user has pirated version and damaging that users files. It is sad to see the same bad idea repeating time after time.

I as one who is working in software company, can well understand the frustration one feels when products of ones hard work is illegally copied. But using illegal ways of combating against that is not an answer either.

And to those who use pirated serial numbers, your typical Pocket PC software costs 15 USD, if you like
the software, why don't you just buy it, and save all the trouble.


Sunday, February 6, 2005

List of new virus descriptions as an RSS feed Posted by Mikko @ 12:25 GMT

Descs RSS shown in Sharpreader
We've received some questions on whether it would be possible to receive the list of our new virus descriptions as an RSS feed.

Well, turns out we've had this available for quite some time already, but I guess we've never really officially announced it.

So: our new virus descriptions are available as an RSS feed here:


Friday, February 4, 2005

Bobic.B making the rounds Posted by Ero @ 20:31 GMT

A variant of Bobic, detected as Net-Worm.Win32.Bobic.b has been found. The worm will use messages with subjects such as:

"Saddam Hussein - Attempted Escape, Shot dead", "Attached some pics that i found",
"Osama Bin Laden Captured.", "Attached some pics that i found", "Testing", "Secret!", "Remember this?", "Long time! Check this out!",
"I was going through my album, and look what I found..", "Check this out :-)"


Thursday, February 3, 2005

Bropia spreading in the wild Posted by Mikko @ 19:46 GMT

The Bropia worm has been making lots of news lately. But we didn't get too many real reports about it.

However, it is out there. We just got a call from Costa Rica from a company which reported a large-scale infection.

Since this worm spreads over MSN Instant Messenger, it can spread fairly fast in an environment where MSN chat is used. Do note this is not an automatic network worm; it still needs the recipients to accept the incoming file and run it.

The worm will display an image of a grilled chicken on infected computers:

Looks delicious

More info from the virus description.


Locknut.A and Cabir.B Posted by Jarno @ 08:05 GMT


There has been some questions whether the Cabir.B that is included in some Locknut.A samples would be able to spread and carry the Locknut.A into other phones. Thus allowing Locknut.A to piggyback with Cabir.B.

The answer is no.

The Cabir.B included in the Locknut.A samples is harmless as the Locknut kills all applications on the infected phone, including Cabir.B that is installed from the same SIS file.

Even if Locknut.B is disinfected the Cabir.B still wont start, as it is installed into wrong directory in the infected phone.

If user starts Cabir.B manually, after disinfecting locknut, the Cabir.B will spread as pure Cabir.B and will not transfer Locknut.A into other devices.

So the Cabir.B that is installed with Locknut.A is harmless and unless user intentionally runs it after disinfecting Locknut, will not be able to spread.


Tuesday, February 1, 2005

Disinfection tool for SymbOS/Locknut.A (Gavno.A and Gavno.B) published Posted by Jarno @ 11:16 GMT

We just published a detection and disinfection tool for Symbian trojan Locknut.A, which some AV companies call Gavno.A and Gavno.B. The whole case is rather interesting for completely different reasons than it being dangerous trojan.

Locknut.A is a Symbian SIS file trojan, that replaces critical system binary, causing the phone to lock down so that no applications can be used. This locking is quite similar to the one caused by Skulls variants, but more complete.

Locknut.A is also claimed to prevent user from calling with the phone, but we could not observe such behavior. All the phones we infected with Locknut.A were able to call just fine, all smartphone
features were disabled, but calling works fine.

Agreed upon name by the AV community for this trojan is Locknut.A not Gavno. The original name given by the AV company, that discovered it, is the original name given by the author of the Virus so, which we don't use by policy. Also the word Gavno is rather vulgar term for feces in Russian and also close to that in Bulgarian.

Also there is only one Locknut variant, there are several samples, so some AV companies call them A and B variant. But the variants are functionally identical, the only difference is that some samples contain Cabir.B added into the installation package, but this does not constitute as a new variant.

We have created a disinfection tool that can unlock phone infected by Locknut.A so that the
phone can be disinfected with help of another phone.

F-Locknut tool is able to disinfect phone even if the Locknut has locked the phone completely. The disinfection is done by installing the F-Locknut into a memory card with a clean phone. And then inserting the card with F-Locknut into infected phone and booting, during boot up the F-Locknut frees the critical system files so that use can access menu again and install an Anti-Virus for full disinfection.