Virulent Bagle.AG Virus Wreaks Havoc
After a couple of months of rather mild threats and updates, this week has been a busy one. Topping the list is Microsoft's Patch Tuesday (released last week), and the Redmond-based company didn't disappoint, releasing seven new updates. The list includes patches for a newly discovered vulnerability in the Windows Shell that could allow attackers to take control of Windows systems. See our Windows Security Updates section for more info.
A scary new phishing attack method was reported over the weekend, and the financial institutions are more to blame than your browser. An eWeek story reports that many bank, government, and other "secure" web sites provide an open door for phishers and hackers to inject script code that can capture your information. The real kicker is that it works across multiple browsers! See our Windows security update section for more info.
Phishing e-mails are still on the rise. One new HTML-based e-mail we saw was allegedly from US Bank. Like many phishing messages, the e-mail claims to be announcing new security measures, and encourages the victim to click on the link to update their information. While more savvy users will hover the mouse cursor over a link to display the true URL in the status bar, this phish contains script code to display a bogus address. The link itself actually takes you to the phisher's IP-only web site, but looks like it's going to US Bank. When in doubt, check the source (right-click, select View Source).
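The US Bank phish above combines two tricks: an href that points at a bare IP address while the visible link text names the bank, and a mouseover handler that writes a bogus URL into the status bar. The following checker, added here as an illustration and not part of the original newsletter, pulls every anchor out of an HTML message and flags exactly those patterns. The sample message is constructed for the example (192.0.2.10 is a documentation address, and the handler text is made up); it is not the real phish.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the phish described above: the
# visible text and the spoofed status bar say usbank.com, the href does not.
SAMPLE_HTML = """
<html><body>
<p>Please visit
<a href="http://192.0.2.10/update/"
   onmouseover="window.status='https://www.usbank.com/secure'; return true;"
   onmouseout="window.status=''; return true;">https://www.usbank.com/secure</a>
to update your information.</p>
<p>Read our <a href="https://www.usbank.com/privacy">privacy policy</a>.</p>
</body></html>
"""

IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)
# Event handlers that can fire while the pointer is over a link.
HOVER_HANDLERS = ("onmouseover", "onmouseenter", "onfocus")


class LinkCollector(HTMLParser):
    """Collect each <a> tag's attributes and its visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"attrs": dict(attrs), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def analyze_links(html):
    """Return a list of suspicious links, each with the reasons it was flagged."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        attrs = link["attrs"]
        href = attrs.get("href") or ""
        text = link["text"].strip()
        host = (urlparse(href).hostname or "").lower()
        reasons = []

        # 1. Real destination is a bare IP address rather than a named host.
        if IP_LITERAL.match(host):
            reasons.append("href points at a bare IP address")

        # 2. The link text shows a URL whose host differs from the real destination.
        shown = URL_IN_TEXT.search(text)
        if shown:
            shown_host = (urlparse(shown.group(0)).hostname or "").lower()
            if shown_host != host:
                reasons.append(
                    f"visible URL host {shown_host!r} differs from href host {host!r}")

        # 3. A hover handler rewrites the status bar, hiding the true URL.
        for name in HOVER_HANDLERS:
            handler = attrs.get(name) or ""
            if "window.status" in handler or re.search(r"\bstatus\s*=", handler):
                reasons.append(f"{name} handler rewrites the status bar")

        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_HTML):
        print(f["href"], "<-", f["text"])
        for r in f["reasons"]:
            print("   *", r)
```

Modern browsers no longer let script overwrite the status bar, but the host mismatch between link text and href is still the most reliable signal in mail filtering, so the check keeps all three tests independent rather than relying on any one of them.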
Keeping safe online is a constant issue, and PC Magazine is addressing the issue of home and office computer safety. Check out Keep Your Office Safe, Keep Your PC Safe, and Keep Your Kids Safe for product reviews, tips and advice.
Another OS platform milestone was marked this week for viruses. WinCE.Dust, also known as WinCE.Duts.A, WinCE/Duts.1520 and Dtus, is the first reported Windows CE or PocketPC infector. According to an analysis by BitDefender, the virus asks the user if it can continue, and if allowed will attempt to append itself to uninfected PE (Portable Executable) files in the root folder on the victim's ARM processor based Pocket PC or SmartPhone. According to F-Secure, the virus only attacks .EXE files greater than 4k in size. The virus was reportedly sent as a proof of concept to antivirus vendors, and is not in the wild.
The Bagle virus, which first appeared in February 2004, has been kicking up again with a new prolific version. Bagle.AF or Beagle.AB (depending on which AV vendor detects it) was first seen late last week. On Monday July 19th, a new variant, Bagle.AG (or Beagle.AG) really started hitting, gaining a level 3 (out of 5) severity rating from Symantec, and a Severe/Epidemic rating from Panda Software. See our Top Threat for more information on this new Bagle.
Top Threat: W32/Bagle.AG-mm
Executive Summary
Name: W32/Bagle.AG-mm
Affects: Windows XP/2000/9x/Me/NT
What it does: Bagle.AG is similar to the earlier Bagle.AD, spreading through e-mail and p2p file sharing programs. When it infects, it installs a back door and attempts to connect with a script at a remote website. Bagle.AG attempts to stop antivirus and security software from running by removing their startup entries from the registry and terminating their processes. It harvests e-mail addresses from the victim's hard drives, and sends out infected e-mail using its own SMTP engine. Bagle.AG also uses multipurpose mutexes to block Netsky infections, and removes Netsky related files and registry entries.
How to prevent it: Use an updated antivirus product, with e-mail and on-access scanning set to all files and archives. Do not open attachments from anyone you're not expecting. Use a personal firewall and block ports 1080 and 1040. If you use peer-to-peer file sharing services such as Kazaa, scan every file you receive before opening. Do not download files as listed below.
Infection removal: The easiest way to remove Bagle is using an online scanner, or installed antivirus. If you don't have an antivirus product, you can use these free scanners: Trend Micro's free online scanner, Housecall, McAfee's Stinger tool, or use Symantec's removal tool.
Fact file
Type of virus: Windows 32 executable
Aliases: W32/bagle.ai@mm [McAfee], Worm.bagle.AH [Trend Micro]
Main Executable file: winxp.exe (not related to any Windows XP files)
Executable size: varies
Date Discovered: July 18, 2004
Systems affected: Windows XP/2000/9x/Me/NT
Systems not affected: DOS, Windows 3.x, Linux, Mac, OS/2, Unix
Ports affected: 1080 (TCP), 1040 (UDP), possibly random ports.
Subject: varies
Message: varies
Attachment: varies, can be executable, or password protected zip file.
Details
The most common way to catch Bagle.AG is through an infected e-mail message (Figure 1). The worm uses a subject of Re_, with random message bodies, attachment names and extensions selected from the lists below. The "from" address is spoofed from a pool of harvested e-mail addresses. Bagle.AG scans the victim's hard drive for files with specific extensions and collects e-mail addresses which are used as both Sender and Recipient on outgoing mail. Like previous Bagles, it uses its own SMTP engine to send copies of itself to the collected addresses. It avoids e-mail addresses with certain strings, such as "Messagelab" or "Microsoft".
According to Trend Micro, Bagle.AG may use password protected zip files, in which case the subject, message, and attachments are different.
Unlike Bagle.AD, Bagle.AG does not display any messages when it starts. When Bagle infects, it attempts to remove registry entries related to arch-rival Netsky. It installs a mutex on the victim's system to prevent the worm from running more than one copy. The mutexes are actually the same as some that the Netsky worm varieties use, so they also prevent a Netsky infection. The virus attempts to terminate processes from common security and antivirus programs, and also removes values from the following Windows Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bagle.AG creates a series of files in the Windows System folder, including:
winxp.exe
winxp.exeopen
winxp.exeopenopen
winxp.exeopenopenopen
winxp.exeopenopenopenopen
Bagle.AG adds the following Registry key and value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "reg_key" = "%System%\winxp.exe"
This allows Bagle.AG to start automatically when the victim's PC boots. Reports differ on the details, but the worm then opens a backdoor on TCP port 1080 and reports system information back to the virus author via a PHP script.
In addition to spreading by e-mail, Bagle.AG seeds peer-to-peer file sharing folders with attractive but infected files. Bagle.AG scans the user's local drives looking for any folder with the string "Shar", such as "Kazaa Shared" (see list below), and copies a number of bait files. Each is an executable copy of the worm. On some machines, this can add up to many files, which can make cleaning tedious.
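The details above give a defender three host-side indicators: the "reg_key" autorun value launching winxp.exe from a Run key, the winxp.exe/winxp.exeopen... file series in the System folder (plus executables dropped into any folder whose name contains "Shar"), and listeners on 1080/TCP and 1040/UDP. The script below is an added example, not code from the newsletter or from any antivirus vendor, that checks an exported registry fragment, a file listing and a socket inventory against those indicators. The .reg text, file paths, the bait file name setup_constructed.exe and the port list are all constructed sample data; the parser handles only the subset of .reg syntax that sample uses, and the "shar" folder test is a heuristic that will also match unrelated folder names.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the write-up: autorun keys, dropped file names, backdoor ports.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
DROPPED_NAME = re.compile(r"^winxp\.exe(?:open)*$", re.I)  # winxp.exe, winxp.exeopen, ...
BACKDOOR_PORTS = {("tcp", 1080), ("udp", 1040)}

# Constructed sample data for this example (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reg_key"="C:\\WINDOWS\\system32\\winxp.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antivirus"="C:\\Program Files\\AV\\avguard.exe"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\winxp.exe",
    r"C:\WINDOWS\system32\winxp.exeopen",
    r"C:\WINDOWS\system32\winxp.exeopenopen",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Program Files\Kazaa\My Shared Folder\setup_constructed.exe",  # made-up bait name
    r"C:\Program Files\Kazaa\My Shared Folder\readme.txt",
]
SAMPLE_LISTENERS = [("tcp", 135), ("tcp", 1080), ("udp", 137), ("udp", 1040)]


def parse_reg_export(text):
    """Parse [key] headers and "name"="value" lines of a .reg export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]*)"="(.*)"$', line)
            if m:
                # .reg exports escape backslashes inside string data as \\
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_run_keys(reg):
    """Return (key, value name, data) for any Run entry that launches winxp.exe."""
    hits = []
    for key, values in reg.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if PureWindowsPath(data.strip('"')).name.lower() == "winxp.exe":
                hits.append((key, name, data))
    return hits


def check_files(paths):
    """Flag the winxp.exe* series in the System folder and .exe files in 'Shar*' folders."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if DROPPED_NAME.match(wp.name) and wp.parent.name.lower() in ("system32", "system"):
            hits.append((p, "worm file in System folder"))
        elif "shar" in str(wp.parent).lower() and wp.suffix.lower() == ".exe":
            # Heuristic: the worm seeds any folder whose name contains "Shar".
            hits.append((p, "executable in a shared (P2P) folder; scan before use"))
    return hits


def check_ports(listeners):
    """listeners: (proto, port) pairs as a netstat-style inventory reports them."""
    return sorted(set(listeners) & BACKDOOR_PORTS)


def scan(reg_text, paths, listeners):
    """Run all three checks and return a summary dict."""
    return {
        "run_keys": check_run_keys(parse_reg_export(reg_text)),
        "files": check_files(paths),
        "ports": check_ports(listeners),
    }


if __name__ == "__main__":
    for section, hits in scan(SAMPLE_REG, SAMPLE_FILES, SAMPLE_LISTENERS).items():
        print(section)
        for h in hits:
            print("  ", h)
```

On a live Windows host the three inputs would come from `reg export`, a walk of the system drive and a listener inventory; the logic itself stays the same, which is why each check takes plain data rather than touching the registry or the network directly.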
Removing Bagle.AG manually