Wednesday, June 30, 2004

Hungarian virus author sentenced Posted by Mikko @ 20:04 GMT

A Hungarian teenagers has been senteced today to two years probation for writing the Magold virus. The virus writer said he just wanted to prove himself after failing four subjects in hight school, reports the hungarian daily N�pszabads�g.

This virus was fairly widespread in central europe in the summer of 2003. The virus has various spreading mechanisms, one of which is sending itself in email attachments, claiming to be a screen saver showing pictures of the Hungarian Maya Gold porn star.

For more information, see the article in The Register.


Yet another virus writer caught Posted by Mikko @ 08:07 GMT

I think we've seen more virus writers caught during year 2004 than during last five years combined.

A new arrest was announced today: the Finnish Central Criminal Police is pressing charges against a Finnish man in his twenties. The man, who lives in the city of Tampere, is accused of writing and distributing the VBS/Lasku virus in the end of January 2004.

VBS/Lasku is an unremarkable virus which keeps crashing when it tries to spread. The virus displays a quote taken from Tolkien's "Lord of The Rings" and deletes data.


VBS/Lasku tries to replicate by sending email messages written in Finnish - which is quite rare.


Friday, June 25, 2004

Microsoft update on the Scob (aka Download.Ject) case Posted by Katrin @ 12:04 GMT

Microsoft published an update on the Scob (aka Download.Ject) case.


IIS Hacks? Posted by Katrin @ 00:56 GMT

We are investigating a case called "RFI - Russian IIS Hacks?" by

Some of the files at the hacked sites have been modified - a trojan downloader known as Scob has been appended to end of the files, causing Internet Explorer to execute it.

There are number of other files one of which is a new variant of Padodor.W.


Thursday, June 24, 2004

Yet another Korgo/Padobot worm variant found Posted by Alexey @ 10:55 GMT

We have received another new Korgo (aka Padobot) variant: Korgo.U. It is very similar to previous variants discovered during the last few days. Detection is already available.

Wednesday, June 23, 2004

Beastie Boys CD installs software? Posted by Katrin @ 14:13 GMT

According to The Register the Beastie Boys CD called "To the Five Boroughs" installs a software without user's permission. If this is true, the software could be a trojan. We haven't seen a sample of the installer yet so we can not confirm.

According to other source, news service, the suspicions have been denied by the music company.


Several new Korgo/Padobot variants appeared lately Posted by Alexey @ 08:55 GMT

There appeared 5 new Korgo/Padobot variants lately. At least two of them caused infections of numerous of computers in several companies. These variants are Korgo.P and Korgo.Q. They are detected since 17th and 21st of June respectively. Also there appeared 3 more Korgo/Padobot variants since 21st of June. These variants are detected as Worm.Win32.Padobot.i, Worm.Win32.Padobot.j and Worm.Win32.Padobot.k.

Thursday, June 17, 2004

New variant of Korgo was found Posted by Sami @ 17:55 GMT

A new variant of Korgo has been found. While we have not received any direct reports of it from the field, an update 2004-06-17_03 with detection has been released earlier today.

Wednesday, June 16, 2004

Two variants of Cabir sent to AV companies Posted by Jarno @ 10:10 GMT

Today we received another variant of Cabir trough sample exhange from other vendor.
It seems that Cabir author has sent different versions of the worm to different AV vendors.

We have named this new variant as Cabir.B, even as it may have been sent before the sample
that we call Cabir.A. Cabir.B seems to be functionally identical to Cabir.A except that it shows
different text on activation.

We have tested the Cabir worms on all Symbian Series 60 devices that we have got access to,
it seems to be able to infect any Series 60 device we have tested it on, regardless of the manufacturer.

Neither of the variants have been found in the wild so far.

A description of Cabir.B


Tuesday, June 15, 2004

More on Cabir.A worm Posted by Katrin @ 14:17 GMT

In response to the numerous requests, we have decided to publish a picture showing the disinfection of Cabir.A with F-Secure Anti-Virus for Symbian:

Security question


Cabir.A Pictures Posted by Jusu @ 12:59 GMT

Cabir.A infection on a mobile phone will display the following screens.

Please note that Caribe worm can reach only mobile phones that support bluetooth, have bluetooth switched on, and are in discoverable mode.

When user clicks on the caribe.sis in phone messaging inbox the phone will display a warning dialog

Security question

If user clicks yes the phone will ask normal installation question

Installation question

If user clicks yes the Cabir worm will activate and show a dialog that contains the name that virus author wants to give to the worm and the authors initialias and group initial 29A



Cabir detection for F-Secure Anti-Virus for Symbian Series 60 Posted by Sami @ 10:10 GMT

Cabir detection for F-Secure Anti-Virus for Symbian Series 60 has been published at 08:55 GMT on June 15th, 2004 in database build number 7.

Cabir - the worm for mobile phones Posted by Katrin @ 09:27 GMT

Cabir is a worm that runs under Symbian operating system. The worm is able to replicate from one device to another using Bluetooth.

Cabir is still under analysis. We will post more information shortly.


Sunday, June 13, 2004

Posted by Katrin @ 19:05 GMT

We upgraded Zafi.B to Radar level 2 due to increased number of infections. Zafi.B reached the top position in our virus statistics during the weekend.

The worm sends emails in many different languages with variable content and .pif attachment. It disables different security applications and tools.


Saturday, June 12, 2004

Virus Description Database: online for 10 years Posted by Mikko @ 11:20 GMT

Ten years ago, to the date, we set up a new service to our web site. We decided it would be cool to have an online database of virus descriptions so that anybody could browse them over the internet. Back then, this was a brand new idea, and such service did not exist anywhere. So we launched our Online Virus Description Database on 13th of June, 1994.

Quickly it became one of the most visited services on our site - and now, ten years later, it still is. Even the original address still works: (although we've changed the company name from Data Fellows to F-Secure since)...

Back then, the web looked a bit different. Here's a screenshot of the service as it looked like 10 years ago (screenshot from Lynx, the text-based browser):


Although this was the first ever online virus description database, offline versions had existed long before. Our original database was based on the descriptions written by Fridrik Skulason of the F-PROT fame, starting somewhere around 1989 or 1990. Other products had virus descriptions too. Dr. Solomon's Anti-Virus Toolkit product box even came with a separate book of descriptions, and some antivirus programs, such as Central Point Antivirus (CPAV) had a built-in hypertext database (some of you might remember that CPAV was the basis of Microsoft Antivirus v1.0, which was discontinued few years later).

There was even a DOS-based shareware hypertext application called VSUM, made by Patricia Hoffman. Haven't seen that for a while, though.

Anyway, this is what the front page of our site looked like 10 years ago:


You can find more info on ancient web history from our Webtennial pages.


Friday, June 11, 2004

Sober.H mass-mails political statements Posted by Katrin @ 18:22 GMT

We got a new Sober variant this evening - Sober.H. This Sober is not a worm but a spamming trojan. Instead of spreading its code, Sober.H mass-mails political statements, apparently trying to affect the EU parliament elections which are currently underway in most European countries".

Sober.H trojan is responsible for the spam that flooded Germany and other European countries since yesterday


Zafi.B worm uses more languages Posted by Katrin @ 11:22 GMT

A new variant of Zafi worm is spreading. While the original Zafi.A uses only Hungarian, the new Zafi.B speaks more languages such as English, Italian, Spanish, Russian, Swedish etc.


What could be the price of an infection? Posted by Katrin @ 10:41 GMT

What could be the price of an infection? Just few dollars or few million dollars?

Read more from The Inquirer.


Wednesday, June 9, 2004

Trojans, Logins, Banks Posted by Katrin @ 11:29 GMT

Spying against on-line bank users is becoming popular. Recently the Padodor backdoor collected information about certain banks. Montp trojan is even more powerful using a large list of banks and utilizing stealth techniques.

Monday, June 7, 2004

Yet another trojan exploiting... Posted by Katrin @ 12:47 GMT

One more trojan that uses object data exploit has been spammed. The set of the malware components are detected as: Zerolin, and Daemonize.t.


Thursday, June 3, 2004

The full picture on Korgo, Padobot and Padodor Posted by Mikko @ 17:48 GMT

Ok, the situation with Korgo is a bit confusing, let me try to explain what's going on.

- Most variants of Korgo are spreading worldwide. The numbers are not big when compared to outbreaks like Sasser, but it's definitely out there.

- Korgo does include a backdoor

- But Korgo does not include a keylogger, nor any code to steal banking info etc.

- It seems that the Hangup Team (virus group behind the worm) is actively installing a backdoor with password stealing capabilities known as Padodor to the infected computers. This is done via the backdoor left by Korgo.

- Padodor collects anything typed to any web forms, and specifically logs bank logins for users of some international banks

This gets pretty confusing, as "Padobot" (not Padodor) is one of the aliases of the Korgo worm.

So, not all machines infected by Korgo have the Padodor backdoor, and the Padodor backdoor can be found from machines which are not infected by Korgo. But they are both written by the same virus group.


Wednesday, June 2, 2004

More Korgo variants found Posted by Katrin @ 13:33 GMT

Last few days more new Korgo variants were found. We are now up to Korgo.G.