Posts Tagged ‘malware’

Not Guilty

Tuesday, 13 January 2009

Spybot-Search&Destroy produced a false positive yester-day. It notified me that KHALMNPR.EXE was a Trojan horse program. In fact, KHALMNPR.EXE is a basically benign program from Logitech.

The Spybot-S&D folk know about this problem, but are not planning to effect a correction until Wednesday. If you've already let Spybot-S&D effect the ostensible repair, you should be able to reverse that using Spybot-S&D; you can also reïnstall the Logitech software.

Another Horse Arrives

Friday, 8 August 2008

I have received another, different CNN spoof e.mail, this one ostensibly from CNN Alerts <ontlook_1970@brace4u.com> with subject CNN Alerts: My Custom Alert, [screen capture of spoof e.mail] now with a link to http://missglobe-albania.com/cnnplus.html (go there only at your own risk). The page again tries to get the visitor to download and install the malware adobe_flash.exe. See my earlier entry CNN Trojan Horse Attack for some discussion of this malware.

CNN Trojan Horse Attack

Thursday, 7 August 2008

I received an interesting piece of malevolent e.mail to-day.

It represents itself as coming from "Daily Top 10" <Aleksandra-namgof@asntechnologies.com> which isn't very slick, but the subject is given as CNN.com Daily Top 10, and the body looks very authentic: [capture of CNN spoof e.mail] Some of the links were indeed to servers at cnn.com, but the video links were to http://97folders.org/news (proceed there only at your own risk). When I looked at that site, it attempted to persuade Windows users to download and install a program named adobe_flash.exe, which contains trojan malware that AVG identifies as I-Worm/Nuwar.V.

(Now, someone might expect users to know, from the site-name of 97folders.org, that this wasn't a legitimate CNN site, but the fact is that I've more than once been sent by a legitimate — if none-the-less goddamn'd stupid — organization to a site with an odd name. So I won't much blame anyone who trusts this site.)
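The check that would have caught this message is a mechanical one: pull every link out of the HTML body and compare its host against the domain the mail claims to come from. The script below is an added example, not code from the original post; the mail body it scans is constructed for the demonstration, and the two non-CNN hosts in it are the ones named above.

```powershell
# Added example, not code from the original post: list every link in an HTML
# e-mail body and flag those whose host is not the domain the message claims
# to come from. $sampleBody is constructed for the demo; the two non-CNN hosts
# are the ones the post names.
function Get-LinkVerdicts {
    param(
        [Parameter(Mandatory)] [string] $Html,
        [Parameter(Mandatory)] [string] $ClaimedDomain
    )
    # Naive href extraction: enough for a mail body, not a general HTML parser.
    $pattern = 'href\s*=\s*["'']([^"'']+)["'']'
    foreach ($m in [regex]::Matches($Html, $pattern)) {
        $raw = $m.Groups[1].Value
        $uri = $null
        if (-not [System.Uri]::TryCreate($raw, [System.UriKind]::Absolute, [ref] $uri)) {
            # Relative or malformed link: report it rather than silently skip it.
            [pscustomobject]@{ Link = $raw; LinkHost = ''; Verdict = 'unparseable' }
            continue
        }
        $linkHost = $uri.Host.ToLowerInvariant()
        # Accept the claimed domain and its subdomains only. The suffix test is
        # anchored at a dot, so "cnn.com.example" or "notcnn.com" does not pass.
        $trusted = ($linkHost -eq $ClaimedDomain) -or $linkHost.EndsWith('.' + $ClaimedDomain)
        $verdict = if ($trusted) { 'claimed domain' } else { 'OTHER HOST' }
        [pscustomobject]@{ Link = $raw; LinkHost = $linkHost; Verdict = $verdict }
    }
}

$sampleBody = @'
<html><body>
<a href="http://www.cnn.com/">CNN.com</a>
<a href="http://www.cnn.com/video/">Video</a>
<a href="http://97folders.org/news">Watch the video</a>
<a href='http://missglobe-albania.com/cnnplus.html'>CNN Plus</a>
<a href="http://cnn.com.example/">Unsubscribe</a>
</body></html>
'@

Get-LinkVerdicts -Html $sampleBody -ClaimedDomain 'cnn.com' | Format-Table -AutoSize
```

The last sample link shows why the domain comparison is anchored at a dot: "cnn.com.example" begins with the trusted name but is a different host. A mixture of genuine and foreign hosts in one message, as in the mail described above, is exactly the pattern this makes visible.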

When run on a Windows system, this malware adds CbEvtSvc.exe to the System folder (typically \WINDOWS\system32\). If you know a system on which this file has been installed, delete it. A file of this name is not part of an original installation, so if you find one then it is probably an artefact of an infection.

The trojan horse will also make a number of modifications to the Windows registry. If you know how to edit the registry, then delete keys containing either the string CbEvtSvc or LEGACY_CBEVTSVC.

According to McAfee, if the code has been resident for about 30 minutes or more, then it will have attempted to download further malware.
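The clean-up described above, as an added example that is not code from the original post: it looks for the dropped file, a service by that name, and registry keys containing CbEvtSvc (which, matched case-insensitively, also covers LEGACY_CBEVTSVC), reports what it finds, and deletes only when run with -Remove. The hives it searches are my assumption about where such keys would live; the post says only "keys containing the string". Run it from an elevated PowerShell prompt; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not code from the original post: look for the artefacts the
# post names (the dropped CbEvtSvc.exe and registry keys containing CbEvtSvc
# or LEGACY_CBEVTSVC), report them, and delete them only when -Remove is given.
# Run from an elevated PowerShell prompt; Get-FileHash needs PowerShell 4+.
param([switch] $Remove)

$indicatorFile = Join-Path $env:SystemRoot 'system32\CbEvtSvc.exe'
# -match is case-insensitive, so one pattern covers both names from the post.
$indicatorPattern = 'CbEvtSvc'
# Assumption: these hives are where a service entry and its LEGACY_* device
# node would live; the post itself only says "keys containing the string".
$hivesToSearch = @('HKLM:\SYSTEM\CurrentControlSet', 'HKLM:\SOFTWARE')

$findings = @()

if (Test-Path -LiteralPath $indicatorFile) {
    $hash = (Get-FileHash -LiteralPath $indicatorFile -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Kind = 'file'; Path = $indicatorFile; Note = "SHA256 $hash" }
}

# A running service by that name must be stopped before the file can be removed.
foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
    if ($svc.Name -match $indicatorPattern) {
        $findings += [pscustomobject]@{ Kind = 'service'; Path = $svc.Name; Note = "$($svc.Status)" }
    }
}

foreach ($hive in $hivesToSearch) {
    # Some Enum subkeys deny access even to administrators; skip those quietly.
    $hits = @(Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $indicatorPattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'registry'; Path = $_.Name; Note = '' } })
    if ($hits.Count -gt 0) { $findings += $hits }
}

if ($findings.Count -eq 0) {
    Write-Output 'No CbEvtSvc artefacts found.'
    return
}
$findings | Format-Table -AutoSize

if ($Remove) {
    # Stop services first, then remove the file, then the registry keys.
    foreach ($f in $findings | Where-Object Kind -eq 'service') {
        Stop-Service -Name $f.Path -Force -ErrorAction SilentlyContinue
    }
    foreach ($f in $findings | Where-Object Kind -eq 'file') {
        Remove-Item -LiteralPath $f.Path -Force
    }
    foreach ($f in $findings | Where-Object Kind -eq 'registry') {
        # $f.Path is "HKEY_LOCAL_MACHINE\..." so the Registry:: provider prefix works.
        Remove-Item -LiteralPath "Registry::$($f.Path)" -Recurse -Force -ErrorAction Continue
    }
}
```

Two caveats. LEGACY_* keys sit under HKLM\SYSTEM\CurrentControlSet\Enum\Root, whose ACLs deny even administrators; if Remove-Item reports access denied there, run the script as SYSTEM (for instance via psexec -s) or take ownership of the key first. And, given the McAfee note above, a clean result from this script only says the original dropper's artefacts are gone, not that whatever it fetched in its first half hour has been found.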