W32.Scrapkut
February 29, 2008 - The worm arrives as a comment, commonly called a "scrap", in the Orkut user's scrapbook.
The worm uses a Greasemonkey script to send a scrap to all contacts in the user's address book. The scrap contains a YouTube-like image that redirects the browser to the following URL:
[http://]instantflashx.zip.net/watch[REMOVED]
The above site prompts the user to download Macromedia Flash Player in order to play the video. However, the link is actually pointing to the following URL, which is a copy of the worm:
[http://]installgetflash.blogcindario.com/ficheros/flashx_play[REMOVED]
When downloaded and executed, it displays a message box in Portuguese stating that the plugin has been successfully installed.
The worm also downloads potentially malicious files from the following URLs:
* [http://]avdetectordok.ifastnet.com/vaiprim[REMOVED]
* [http://]pluginforweb22.ifastnet.com/auook[REMOVED]
* [http://]youprincipalpug.ifastnet.com/gamesys[REMOVED]
Note: It saves them as the following files:
* %Windir%\windosremote.exe
* %Windir%\logservicess.exe
* %Windir%\win32chekupdate.exe
Next, the worm executes a batch file that attempts to end antivirus-related processes.
It then executes the file %Windir%\win32chekupdate.exe that downloads files from the following URLs:
* [http://]plugddownload.ifastnet.com/PP.[REMOVED]
* [http://]plugddownload.ifastnet.com/system32/Partiz[REMOVED]
* [http://]plugddownload.ifastnet.com/drivers/Partiz[REMOVED]
* [http://]plugddownload.ifastnet.com/addre[REMOVED]
Note: It saves them as the following files:
* %Windir%\PP.reg
* %System%\Partizan.exe
* %System%\drivers\Partizan.sys
* %Windir%\addreg.exe
It also connects to the following URL, which appears to be a counter that monitors the number of infections:
[http://]www.csiclasnwebgamer.com/contad[REMOVED]
The worm then modifies the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\"BootExecute" = "autocheck autochk *" "Partizan" (a multi-string value: the worm appends "Partizan" to the default "autocheck autochk *" so its driver is started by the Session Manager at boot)
The worm also creates the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Partizan\"Group" = "Boot But Extender"
It then creates a service with the following characteristics so that it runs when Windows starts:
Image Path: %System%\drivers\Partizan.sys
Display Name: Partizan
Startup Type: Automatic
The worm injects code into the Internet Explorer process.
The worm spreads by sending scraps to all contacts when the user logs in to Orkut from the compromised computer.
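As an added triage helper (not code from the original write-up), the following decodes a REG_MULTI_SZ "BootExecute" value like the one above and checks a collected file listing against the dropped-file paths listed earlier. The sample registry bytes and file list are constructed, and the `%Windir%`/`%System%` expansion assumes a default `C:\WINDOWS` install.

```python
from __future__ import annotations

# Stock BootExecute on a clean Windows install; anything else is an extra entry.
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

# Files the write-up says the worm drops (environment variables left unexpanded).
DROPPED_FILES = [
    r"%Windir%\windosremote.exe",
    r"%Windir%\logservicess.exe",
    r"%Windir%\win32chekupdate.exe",
    r"%Windir%\PP.reg",
    r"%System%\Partizan.exe",
    r"%System%\drivers\Partizan.sys",
    r"%Windir%\addreg.exe",
]

def parse_multi_sz(raw: bytes) -> list[str]:
    """Decode REG_MULTI_SZ bytes: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def encode_multi_sz(entries: list[str]) -> bytes:
    """Inverse of parse_multi_sz; used here only to build the constructed sample."""
    return ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")

def boot_execute_extras(raw: bytes) -> list[str]:
    """Entries in BootExecute beyond the stock autochk line (e.g. 'Partizan')."""
    return [e for e in parse_multi_sz(raw) if e not in DEFAULT_BOOT_EXECUTE]

def expand(path: str, windir: str = r"C:\WINDOWS") -> str:
    """Expand %Windir%/%System% for a default install (assumption) and normalise case."""
    return path.replace("%Windir%", windir).replace("%System%", windir + r"\system32").lower()

def matching_files(present: list[str], windir: str = r"C:\WINDOWS") -> list[str]:
    """Which of the listed dropped files appear in a collected directory listing."""
    seen = {p.lower() for p in present}
    return [f for f in DROPPED_FILES if expand(f, windir) in seen]

# Constructed sample: the BootExecute value as the write-up describes it, and a file list.
SAMPLE_BOOT_EXECUTE = encode_multi_sz(["autocheck autochk *", "Partizan"])
SAMPLE_FILES = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\win32chekupdate.exe",
                r"C:\WINDOWS\system32\drivers\Partizan.sys"]

if __name__ == "__main__":
    print("BootExecute extras:", boot_execute_extras(SAMPLE_BOOT_EXECUTE))
    print("Dropped files present:", matching_files(SAMPLE_FILES))
```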
W32.Scrapkut
Discovered: February 28, 2008
Updated: February 29, 2008 4:26:42 AM
Type: Worm
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
W32.Scrapkut is a worm that spreads through the Orkut network and downloads files from remote locations.