Dangerous!

Lagu
03-24-2005, 02:03 PM
To all in this forum!

Keep an eye on this! :shockingzap:

"You can fool some of the people some of the time,
you can fool some of the people all the time,
but you can't fool all the people all the time".
Abraham Lincoln (United States, 1809-1865),
President of the United States of America

- Panda Software reports the emergence of pharming as a serious threat to users -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, March 23, 2005 - Panda Software is now warning of the emergence of a new, sophisticated and dangerous online fraud technique: pharming.

Pharming involves altering DNS (Domain Name System) addresses so that the web pages that a user visits are not the original ones, but others created specifically by cyber-crooks to collect confidential data, especially information related to online banking.

Pharming attacks can be carried out directly against the DNS server, in such a way that the change of address will affect all users accessing this server while they browse the Internet, or they can be carried out locally, i.e. in individual PCs. This second scenario is much more dangerous, not just because it is more effective, but because it is easier for attackers. They only need to take two actions: modify a small file, called hosts, which can be found in any computer running Windows and using Internet Explorer to access the Internet; and create a false web page. The hosts file stores a small table with the server names and IP addresses most commonly accessed by the user, so that it is not necessary to access the DNS server to convert Internet addresses (URLs) into IP addresses. If this file is overwritten, for example, with false addresses for online banking pages, whenever a user types the name of this bank in the browser he will access the page created by the hacker, which has exactly the same appearance as the genuine page. The unsuspecting victim could then enter confidential data unaware that it is really falling into the hands of the cyber-crook.

The hosts file can be edited directly by the hacker (by accessing remotely to the system) or using malicious code, normally Trojans such as some variants of the Bancos, Banker and Banbra families. Pharming attacks can also be perpetrated by exploiting any software vulnerability that gives access to the system files.

Panda Software is offering the following advice to users to help prevent them falling victim to pharming attacks:

- Use anti-malware software combining proactive and reactive detection systems: the simplest way of manipulating a computer so that it becomes the victim of a pharming attack is by using malicious code, generally Trojans. It is highly advisable to use proactive protection systems that can pre-empt threats and block them simply by analyzing their behavior.

- Install a personal firewall: this precaution will prevent a hacker from entering the computer through an unprotected communication port and modifying the system.

- Frequently update the software installed on the computer or have automatic update systems enabled to ensure there are no vulnerabilities that can be exploited in order to launch these kinds of attacks.

NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------

The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner: 1)Netsky.P; 2)StartPage.FH; 3)Mhtredir.gen; 4)Downloader.GK; 5)Shinwow.E

Lagu

meckano
03-24-2005, 02:45 PM
Good to see you back on line Lagu! :)

To fight the mentioned attack, for winXP users:
use MS's AntiSpyware Beta 1

Quote from its help:

What does this System Agent do?
The Windows Host File Agent monitors changes to your system hosts file. If a new entry is made, or an older entry is modified or deleted, an alert prompts you to confirm the change.

AMDave
03-24-2005, 02:52 PM
And a reminder for ZoneAlarm users
Firewall > Main > Advanced > Lock Hosts file

meckano
03-24-2005, 03:04 PM
Found a Swedish site about the MS AntiSpyware:
http://www.microsoft.com/sverige/security/protect/antispyware.asp

Lagu
03-24-2005, 05:18 PM
> And a reminder for ZoneAlarm users
> Firewall > Main > Advanced > Lock Hosts file

Thanks AMDave for this tip! I have now locked the host into my ZA
Lagu :)

Ototero
03-24-2005, 05:59 PM
Just locked mine too, thanks Lagu. :)

Empty_5oul
03-24-2005, 06:17 PM
Good information, well found Lagu. Nice to know about the security threats before they cripple your machine ;)

Lagu
03-24-2005, 06:22 PM
> Found a Swedish site about the MS AntiSpyware:
> http://www.microsoft.com/sverige/security/protect/antispyware.asp

Thanks Meckano for this link!
I have downloaded this software and let it run, but no spyware was found. I also have Ad-Aware, which I ran yesterday, and it found some spyware, which I removed.

Lagu :D

meckano
03-24-2005, 07:15 PM
As well as locking it, check it to see if there are any oddities.
Do a search on the C drive for Hosts; it is called hosts, mine has no extension. Found it in:
C:\WINDOWS\system32\drivers\etc (winXP)
I deleted any *.bak's that Spybot S&D created and ignored the one called *.sam.
Now the only non-comment line in that remaining file is:
127.0.0.1 localhost

Lagu
03-24-2005, 09:37 PM
> As well as locking it, check it to see if there are any oddities.
> Do a search on the C drive for Hosts; it is called hosts, mine has no extension. Found it in:
> C:\WINDOWS\system32\drivers\etc (winXP)
> I deleted any *.bak's that Spybot S&D created and ignored the one called *.sam.
> Now the only non-comment line in that remaining file is:
> 127.0.0.1 localhost

I have found by search:
wpa.bak (system32) 5 kb 17/3 2005
Ntmsdata.bak. (system 32) 108 kb 17/3 2005
imsins.bak (Windows) 5 kb 17/3 2005
personal_32_1053.dat.bak 147 kb (Windows\pchealt) 24/3 2005

Lagu

Empty_5oul
03-24-2005, 09:42 PM
I would say be careful what you delete in the Windows folders; check it is something you don't need, as you don't want to corrupt your version of XP.

Lagu
03-24-2005, 09:53 PM
> I would say be careful what you delete in the Windows folders; check it is something you don't need, as you don't want to corrupt your version of XP.

Yes, I will be safe. I haven't deleted any file.
I am waiting for Meckano to see what I have.
I have never before deleted a file from Win32, only files that were not removed when I uninstalled a program that no longer needed them.
Lagu

meckano
03-24-2005, 09:59 PM
Lagu, the file to search for is ......hosts.....
I don't know how you got wpa.bak
Sure you are in:
WINDOWS\system32\drivers\etc
?

Lagu
03-24-2005, 10:17 PM
> Lagu, the file to search for is ......hosts.....
> I don't know how you got wpa.bak
> Sure you are in:
> WINDOWS\system32\drivers\etc
> ?

Meckano!

I searched in WIN32.
Now I looked in windows\system32\drivers\etc.
In Swedish, "e.t.c." is like "etcetera", i.e. "and so on", so I was thinking that this folder would not have this name.
Hosts 1 KB file 4/8-2004
Imhost 4 KB SAM file 4/8-04
Protocol 7 KB 4/8-04
Service 7 KB 4/8-04
I couldn't see any .bak file
Lagu

meckano
03-24-2005, 10:25 PM
:)
now if you open that ....hosts.... file with notepad.exe
and, if it is like mine, there is only one line without an # sign, like:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy

some of my *.bak's had many lines for spybot, but this is how it looks now, and it is now read-only.

Add:
You don't have to delete anything. That is just what I did.

Lagu
03-24-2005, 10:40 PM
> :)
> now if you open that ....hosts.... file with notepad.exe
> and, if it is like mine, there is only one line without an # sign, like:
>
> # Copyright (c) 1993-1999 Microsoft Corp.
> #
> # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
> #
> # This file contains the mappings of IP addresses to host names. Each
> # entry should be kept on an individual line. The IP address should
> # be placed in the first column followed by the corresponding host name.
> # The IP address and the host name should be separated by at least one
> # space.
> #
> # Additionally, comments (such as these) may be inserted on individual
> # lines or following the machine name denoted by a '#' symbol.
> #
> # For example:
> #
> # 102.54.94.97 rhino.acme.com # source server
> # 38.25.63.10 x.acme.com # x client host
>
> 127.0.0.1 localhost
> # Start of entries inserted by Spybot - Search & Destroy
> # End of entries inserted by Spybot - Search & Destroy
>
> some of my *.bak's had many lines for Spybot, but this is how it looks now, and it is now read-only.
>
> Add:
> You don't have to delete anything. That is just what I did.

Yes, I have the same. Should I write the 2 lines as in this example, with this # sign at the beginning?

meckano
03-24-2005, 10:57 PM
This part?
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy

No, does not matter.
anything after # is not used.
# is a marker for notes.

Lagu
03-24-2005, 11:10 PM
> This part?
> # Start of entries inserted by Spybot - Search & Destroy
> # End of entries inserted by Spybot - Search & Destroy
>
> No, does not matter.
> anything after # is not used.
> # is a marker for notes.

It's done.
Lagu

Lagu
03-25-2005, 04:18 PM
Hi again!

Keep an eye on this! :shockingzap:

"Experience: that most brutal of teachers.
But you learn, my God do you learn."
C.S. Lewis (1898-1963), British author.

- Vulnerability in Java Web Start -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.es)

Madrid, March 24, 2005- Sun has reported a vulnerability in Java Web Start that could allow privilege elevation of a non-trusted application and indiscriminate permission to read, write and execute on the local system.

Java Web Start is a platform that allows developers to deploy complete applications to final users accessible from any browser.

By default Java applications run in a virtual environment, called "sandbox", to prevent security problems that indiscriminate access to system resources could imply. Read, write and command execution restrictions are imposed on a Java application to protect the system from possible attack.

The vulnerability detected allows files to be designed to bypass the "sandbox" restrictions and take control of the system. The problem affects Java Web Start distributed with J2SE from versions 1.4.2 to 1.4.2_06, for Windows, Solaris and Linux platforms.

To resolve the problem, users should update to J2SE version 1.4.2_07 or later, available from http://java.sun.com/j2se/1.4.2/download.html. As an additional preventive measure, until a vulnerable version is updated, we recommend disabling the execution of Java Web Start applications by removing support for JNLP files in browsers.

Lagu

meckano
03-25-2005, 04:33 PM
Thank you, doing update. :D

meckano
03-25-2005, 04:47 PM
Because time is sometimes a security related issue, I have changed to time zone -4 as I don't think there is daylight savings time taken into account, or something like that.

test.

Update:
Had no effect on front page times. :(
and is off by a few minutes. :(

meckano
03-25-2005, 05:00 PM
Java ver. ...._07 is still the latest,
Did get a runtime update via Control Panel | Java, updates.

Lagu
03-25-2005, 06:47 PM
Meckano!

How did you get an update through the Control Panel?
I don't understand it.
I have not found this update by searching for it.
Lagu :?

Empty_5oul
03-25-2005, 07:03 PM
Does anyone know if this also applies to IBM Java? That is what we all run for DHEP.

meckano
03-25-2005, 07:45 PM
I find it to be the worst web site on the internet that many places ask users to go for latest updates, programs...
I downloaded and installed this package, because I am slowly doing the java tutorial online.:
J2SE v 1.4.2_07 SDK with NetBeans 4.0 Bundle
- from here: http://java.sun.com/j2se/1.4.2/download.htm
-- which is newer than the 1.4.2_06, so all should be ok for me.

If you have the java virtual machine, which was only available during my Windows install; although maybe it is available through Add/Remove-programs(in control panel) | Add/Remove windows components. (i have not checked.)
- For that, I have no idea if there is an issue.

Lastly, in my control panel I have an icon called Java,
in there is a place to do an update, probably a different update to the 2 above, as I also have showing in Add/Remove programs,
along with Java 2 SDK, SE v. 1.4.2_07, which is part of the package I first mention above,
are 2 updates called:
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2

Edit:
although if you look on this page, which shows what is in the package I installed:
http://java.sun.com/j2se/
- it shows the same name as the 2 updates I have; So then, probably related to the package I installed.

Conclusion:
I did install Java Virtual Machine, aka JVM, and don't know if there is an issue with it or an update for it.
I installed a package with 3 things:
The 2 mentioned here, again: http://java.sun.com/j2se/
and the Beans, which are modules, so-to-speak, that java programs can use.
- and the first component on that link seems to have had 2 updates so far.

Edit 2:
I realized I had not mentioned the words Web Start; I believe it is part of the package that I installed. (So if you installed something for, like, DHEP, then you know you will need to have at least ....*_07)
Just the same, see my post below about testing JVM.

:)

meckano
03-25-2005, 07:46 PM
I would say yes, it probably affects you because I think you had to install something.

meckano
03-25-2005, 08:31 PM
I will add, that for those who do not have the JVM installed, and do want it, it is this
........Download J2SE SDK........
which is pushed at users, from here, again:
http://java.sun.com/j2se/1.4.2/download.html
- Titled: J2SE v 1.4.2_07 SDK includes the JVM technology
- Edit 4: Something new, go to 2nd test site below, there is an installation of the JVM only, or so it appears, if you do not have the latest, or any at all.

To test if you have the latest JVM installed:
http://java.com/en/download/help/testvm.xml
Edit 3:
Here is another test page, should say You have the latest, on right:
http://java.com/en/
- Working ok now on IE and Firefox, they must have been doing updates as only 1/2 the page was showing, when I had the problem with IE.

Edit:
AT THE TOP OF EVERY JAVA PAGE, YOU CAN CHOOSE ANOTHER LANGUAGE, Swedish IS THERE TOO. :D

Lagu
03-25-2005, 08:35 PM
Hallo!

I have checked Add/Remove but there isn't any Java. The Java I have was installed with Windows XP SP2. I have not downloaded any Java because F@H isn't in need of it. I don't know if I need to download the Java machine or if I am safe enough?

Lagu :?:

meckano
03-25-2005, 08:40 PM
Lagu, all you should need to do is the following:

To test if you have the latest JVM installed:
http://java.com/en/download/help/testvm.xml

Lagu
03-25-2005, 09:43 PM
This test will not work for me either. There is a window or a picture there that will not appear; it is blank.

Lagu

Empty_5oul
03-25-2005, 09:47 PM
Meckano, I don't know if you realise, but a lot of us ran a project called DHEP. This requires Java to run, so we all updated. Problems arose as we found various versions, some 1.4.2 as you say, but also 1.4.4 and also 1.4.6. Later, with Ototero's advice, some swapped to IBM Java as it was the quickest.

Just thought I would point out there are newer versions than the 1.4.2 that you provide links for in your post.

meckano
03-25-2005, 10:39 PM
Yes, my info is all Sun Java.
Do you have a link for IBM Java?
and links to the other versions of my Java?

vaughan
03-26-2005, 01:23 AM
IBM Java 1.4 is in our Downloads section

Lagu
03-27-2005, 03:48 PM
To All!

Keep an eye on this! :shockingzap:

"Be brief, for no discourse can please when too long".
Miguel de Cervantes (1547 - 1616); Spanish author & poet

- Weekly summary -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, March 26, 2005 - Over the last week, Oxygen3 24h-365d has covered the following news stories, summarized below, which can be read in full at: http://www.pandasoftware.com/about/press/oxygen3/oxygen.asp

- System downtime due to vulnerabilities will triple before 2008 (03/21/05).

According to Gartner, system downtime caused by software vulnerabilities will triple before 2008, if companies don't take proactive security steps. Companies that don't include security as a criterion when buying or developing software will witness downtime caused by security vulnerabilities increase from the 5 percent observed in 2004 to 15 percent in 2008.

- Drag and drop vulnerability in Thunderbird and Firefox. (03/25/05)

A vulnerability has been reported which affects both the Firefox browser and the Thunderbird mail client and which can be exploited by remote attackers to insert malware on a user's system. The problem is that images dragged and dropped from a web page to the desktop retain their name and extension. If the file has an executable extension, it could run instead of being opened by the corresponding multimedia application.

------------------------------------------------------------
To unsubscribe from Oxygen3 24h-365d, please visit:
http://www.pandasoftware.com/unsubscribe.asp

To contact with Panda Software, please visit:
http://www.pandasoftware.com/about/contact/

_____________________________________________________________

"Experience does not err, it is only your judgment that errs"
Leonardo da Vinci (1452 - 1519); Italian artist and inventor.

- Drag and drop vulnerability in Thunderbird and Firefox -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, March 25, 2005- A vulnerability has been reported which affects both the Firefox browser and the Thunderbird mail client and which can be exploited by remote attackers to insert malware on a user's system.

The problem is that images dragged and dropped from a web page to the desktop retain their name and extension. If the file has an executable extension, it could be run instead of being opened by the corresponding multimedia application.

To exploit this vulnerability, an attacker would need to construct a valid image file which at the same time was executable. In Windows, this can be done using a hybrid of a GIF image and a batch file. The attacker then needs to trick the user into the dragging the image onto the desktop and double-clicking on it.
_____________________________________________________________

- Weekly report on viruses and intruders -
Virus Alerts, by Panda Software (http://www.pandasoftware.es)

Madrid, March 25, 2005 - This week's report on viruses and intruders looks at two worms (Mydoom.BH and Crowt.B) and a Trojan, Downloader.BHV.

Mydoom.BH is an email worm which can also spread through the KaZaA P2P file sharing program. Once it has entered a computer and is run, it downloads a page from a website with code, which is saved to the Windows system directory as an executable file called TEMP1.EXE. It also displays a screen referring to an antivirus in order to distract users' attention.

To spread via email it sends itself to all contacts in the Outlook address book, using its own SMTP engine. The name that appears as the sender of the email is false and the message includes an attachment with malicious code.

In addition to using email, Mydoom.BH also creates a copy of itself in the shared KaZaA directory, which it obtains from the Windows registry. This copy has random file and extension names, selected from a list of names designed to attract KaZaA users.

Other users of this program could remotely access this shared directory, and voluntarily download to their computer files created by Mydoom.BH, thinking that they were actually interesting programs, etc. They would in fact, be downloading copies of the worm to their computers. When they run the downloaded file, these other computers would become infected by Mydoom.BH.

The second worm in this report, Crowt.B, has backdoor functionalities and sends itself by email using its own SMTP engine. It gets the addresses to which it sends itself from a list of contacts stored on the user's computer.

It allows remote commands to be executed on the compromised computer and information to be extracted from it. It also carries an additional danger, as it acts as a keylogger, recording keystrokes and stealing passwords entered. In order to conceal itself, Crowt.B, injects its code into other programs.

Finally, we will look at the Downloader.BHV Trojan. This malicious code downloads and installs adware programs on the infected computer.

Downloader.BHV needs the intervention of an attacker in order to propagate and cannot spread by itself automatically. Various propagation channels are used, including floppy disks, CDs, e-mail messages with attachments, Internet downloads, FTP file transfers, IRC channels, P2P file-sharing networks, etc.

When it is run, it downloads from a range of websites 5 executable files disguised as GIF files, which it runs on the infected system. To prevent detection, it uses some very basic techniques (some text strings are composed while the code is running).

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/

Security greetings from Lagu

Empty_5oul
03-27-2005, 06:11 PM
It's good, but remember the company sending this produces virus products and various protection, so they want to scare you into purchasing their newest, most advanced package.

meckano
03-27-2005, 06:23 PM
Agreed, Firefox ver. 1.0.1 fixed the drag and drop problem.

Lagu
03-27-2005, 06:29 PM
I never bought after such an alarm. I already have their product and it is enough. Perhaps other people will run to a reseller and upgrade or change antivirus. I think many in this forum are smart enough that they are not going to panic.

You can all swim calmly!
Lagu

Empty_5oul
03-27-2005, 06:59 PM
I guess you are right, Lagu.
Some people reading that would go and buy Panda's antivirus, though.

Lagu
04-06-2005, 02:52 PM
New security report.

Madrid, April 4 2005 - Security Tracker has reported, at http://www.securitytracker.com/id?1013616, a vulnerability discovered in Linux kernel futex functions that could allow local users to cause denial of service conditions.

The problem stems from the fact that certain functions of the Linux kernel futex search for environment data with "get_user()" calls while holding the "mmap_sem" function for reserving memory for reading. If the get_user() call fails while another thread is in "mmap", the system can block.

The functions affected are in the 'kernel/futex.c' in Linux version 2.6. This vulnerability could be used by a local user to crash the system.

The fix for this error is available on the "Linux Kernel Mailinglist" page at: http://lkml.org/lkml/2005/2/22/185.
_____________________________________________________________

Madrid, April 5, 2005 - A vulnerability has been detected in Mozilla Suite and Firefox that could be exploited by an attacker to access sensitive user data. The problem lies in the JavaScript engine of these applications and can be exploited to access parts of the content of the memory used by the browser, which could contain sensitive user data.

This vulnerability is confirmed in Mozilla 1.7.6 and Firefox 1.0.1 and 1.0.2, although other versions could also be affected.

Until a patch is released, a temporary solution is to disable the JavaScript support, although this preventive measure could affect the functioning of some web pages or may prevent them from being correctly displayed.

More information is available on the developer's website at https://bugzilla.mozilla.org/show_bug.cgi?id=288688 and on the following websites:
http://cubic.xfo.org.ru/index.cgi?read=53004
http://www.securitytracker.com/alerts/2005/Apr/1013635.html
http://secunia.com/advisories/14820/

Lagu

rrcrain
04-06-2005, 04:00 PM
Another way to block this is to disable LMHOSTS lookup. This method is simple, free and extremely effective. LMHOSTS is an ancient method that's seldom used today and, in my opinion, should not be enabled in the first place.

Lagu
04-12-2005, 10:21 PM
Hallo! Keep an eye on this! :shockingzap:


"Truth will rise above falsehood as oil above water."
Miguel de Cervantes Saavedra (1547-1616). Spanish writer.

- DNS Cache Poisoning Attacks -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, April 11, 2005 - "@RISK" (the SANS community's consensus bulletin) has reported a problem in the default configuration of the DNS server in Windows NT and Windows 2000 (prior to SP3). Other configurations are also reportedly vulnerable and being studied.

SANS Internet Storm Center (ISC) has been actively analyzing reports of large-scale DNS cache poisoning attacks. By carrying out this type of attack, the attacker can redirect traffic for legitimate domains (for example, windowsupdate.com) to an IP address controlled by the attacker. The attacks have been used to redirect popular domains belonging to certain financial, entertainment, travel, health and software companies to the attackers' servers in order to install malware on users systems.

Microsoft has published article KB241352, which describes how to configure a registry key on Windows 2000 (prior to SP3) and NT 4.0 (SP4 and later) to harden a DNS server's configuration. It is recommended to upgrade forwarding DNS servers running BIND to version 9.x. It is also recommended to upgrade to Windows 2000 (SP3 or later) or Windows 2003 for Windows DNS servers, as these versions offer protection against cache poisoning attacks in their default configuration.

More information at http://isc.sans.org/presentations/dnspoisoning.php and at http://support.microsoft.com/default.aspx?scid=kb;en-us;241352

------------------------------------------------------------

The 5 most frequently detected viruses by Panda ActiveScan, Panda Software's free online scanner:
1)Mhtredir.gen; 2)Shinwow.E; 3)Netsky.P; 4)Sdbot.ftp; 5)Downloader.WT.


Lagu
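The "protection against cache poisoning in the default configuration" mentioned in the alert above is a bailiwick rule: a resolver caches only those records whose owner name lies inside the zone it actually queried, so a reply from example.com's server cannot plant an address for windowsupdate.com (the example the alert gives) in the cache. The Python below is an added example written for this page, not code from Panda Software, SANS or Microsoft, and the "poisoned" response it filters is constructed, not captured traffic. On the Windows DNS server, KB241352 (linked above) enables the same behaviour through the SecureResponses registry value under the DNS service's Parameters key.

```python
"""Bailiwick check: drop DNS response records a resolver must not cache."""
from collections import namedtuple

# One resource record: owner name, type, rdata, and which response section
# it came from. The section is kept only to make the sample readable.
RR = namedtuple("RR", "name rtype rdata section")

# Constructed response to a query for www.example.com sent to a server
# authoritative for example.com. The three "additional" records for other
# names model a cache-poisoning attempt; none of this is captured traffic.
POISONED_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.80", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),  # legitimate glue
    RR("windowsupdate.com.", "A", "203.0.113.7", "additional"),
    RR("windowsupdate.com.", "NS", "ns.attacker.example.", "additional"),
    RR("notexample.com.", "A", "203.0.113.8", "additional"),
]


def normalize(name):
    """Lower-case and drop the trailing dot so 'Example.COM.' == 'example.com'."""
    return name.lower().rstrip(".")


def labels(name):
    """Split a normalized name into labels; the root zone has no labels."""
    n = normalize(name)
    return n.split(".") if n else []


def in_bailiwick(name, zone):
    """True if name is zone itself or below it, compared label by label.

    Comparing whole labels matters: 'notexample.com' shares the string
    suffix 'example.com' but is a different domain and must be rejected.
    The root zone ('' or '.') contains every name.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(zone, records):
    """Split a response into cacheable records and out-of-bailiwick ones."""
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_response("example.com", POISONED_RESPONSE)
    for rr in kept:
        print("cache:", rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("drop: ", rr.name, rr.rtype, rr.rdata, "(outside example.com)")
```

Run as a script, the glue record for ns1.example.com is kept because it is inside the zone that was asked, while both windowsupdate.com records and the notexample.com decoy are dropped. A resolver that instead trusted every additional record, as the old Windows default did, would have cached the attacker's address for windowsupdate.com.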

Lagu
04-24-2005, 08:10 AM
Perhaps you have noticed this?

"My desire has been to deliver over to the detestation
of mankind the false and foolish tales of the books of chivalry"
Miguel de Cervantes Saavedra (1547-1616), Spanish writer.

- Weekly summary -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, April 24, 2005 - This week's report on viruses and intruders includes several new threats that have emerged this week; two variants of the Mytob worm, a variant of the Mitglieder Trojan and a new version of the Bancos Trojan.

The new variants of Mytob -Mytob.BC and Mytob.BD- open backdoors in affected computers. This action allows the BC variant to connect to a web server and the BD variant to connect to an IRC server, where they wait for commands from a malicious user. What's more, they modify the system HOSTS file so that the user cannot access the websites of certain antivirus companies. These worms spread via email, across networks protected with weak passwords and by exploiting the LSASS vulnerability. They also download other malware, such as the Faribot.A worm.

The Bancos.FC Trojan has also appeared this week. This malicious code goes memory resident and has keylogger functions. Bancos.FC waits for a dialup modem connection to be established (it only affects this type of connection). When this happens, it checks if the websites visited coincide with the address of any of the banking entities included in its code. If it finds any matches, it collects the information entered through the keyboard and sends it to an Internet server. Bancos.FC cannot spread alone, it needs external intervention to do so.

Finally, Mitglieder.CG is a Trojan that aims to disable certain security tools (antivirus and firewalls), which could be installed on the computers it affects. To do this, it can delete files and Registry entries or end the processes running in memory. What's more, it modifies the system HOSTS file so that the user cannot access the websites of certain antivirus companies.

Mitglieder.CG seems to have been mass-mailed, either manually or through zombie computers, and tries to download other malware from different websites.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/


Lagu
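Two of the alerts in this thread describe the same file being abused in opposite directions: the pharming alert at the top of the thread has a bank's name pointed at an attacker's server, and the Mytob/Mitglieder report above has antivirus vendors' names pointed at the local host so their sites cannot be reached. Both leave traces that meckano's manual check (open hosts in Notepad, look for lines without a leading #) can find; the Python below is an added example, written for this page rather than taken from Panda Software or any forum member, that automates that check. The watchlist of domains and the hosts-file contents are constructed for the example; on a real machine the text would be read from C:\WINDOWS\system32\drivers\etc\hosts. Names mapped to 127.0.0.1 that are not on the watchlist, such as the Spybot immunization entries meckano describes, are deliberately treated as benign.

```python
"""Audit a Windows-style hosts file for pharming and vendor-blocking entries."""
import ipaddress

# Constructed watchlist (an assumption for this example): names an attacker
# would redirect to a fake site, or block so the victim cannot reach them.
WATCHLIST = {
    "bank.example",            # stand-in for an online-banking site
    "pandasoftware.com",
    "windowsupdate.com",
}

# Constructed hosts file: the Microsoft header, a Spybot-style block entry,
# and four lines an infection might add. Not a real observed sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1       www.ad-server.example   # benign block of an ad host
# End of entries inserted by Spybot - Search & Destroy
203.0.113.45    www.bank.example  bank.example   # constructed pharming entry
127.0.0.1       www.pandasoftware.com             # constructed vendor block
0.0.0.0         windowsupdate.com                 # constructed vendor block
192.0.2.10      intranet.example                  # constructed admin-style entry
"""


def parse_hosts(text):
    """Return (lineno, ip, hostname) for every mapping in hosts-file text.

    Handles whole-line and trailing '#' comments, blank lines, tabs and
    several hostnames on one line; hostnames are lower-cased.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue          # first field is not an address: nothing is mapped
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower().rstrip(".")))
    return entries


def on_watchlist(host, watchlist=WATCHLIST):
    """True if host equals or is a subdomain of a watchlisted domain.

    Label-aware on purpose: 'notbank.example' must not match 'bank.example'.
    """
    return any(host == d or host.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=WATCHLIST):
    """Classify every mapping; returns (lineno, kind, hostname, ip) tuples.

    kind is one of:
      'redirect' - watchlisted name sent to a routable address (pharming)
      'blocked'  - watchlisted name sent to loopback or 0.0.0.0 (AV blocking)
      'review'   - any other name sent somewhere other than the local host
    Non-watchlisted names mapped to the local host (localhost, ad blocks)
    are benign and produce no finding.
    """
    findings = []
    for lineno, ip, host in parse_hosts(text):
        local = ip.is_loopback or ip.is_unspecified
        watched = on_watchlist(host, watchlist)
        if watched and not local:
            findings.append((lineno, "redirect", host, str(ip)))
        elif watched and local:
            findings.append((lineno, "blocked", host, str(ip)))
        elif not local:
            findings.append((lineno, "review", host, str(ip)))
    return findings


if __name__ == "__main__":
    for lineno, kind, host, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:8} {host} -> {ip}")
```

Against the constructed sample the script reports two "redirect" findings for the bank names, two "blocked" findings for the vendor names, and one "review" entry for the intranet mapping; the localhost lines and the Spybot-style ad block produce nothing. To audit a real machine, replace SAMPLE_HOSTS with the contents of the hosts file read from disk, and extend WATCHLIST with the banks and update servers that matter to you.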

Lagu
04-28-2005, 06:22 PM
Hallo!

Read this!

- A Trojan threatens the confidential data of the clients
of thousands of banks worldwide -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

MADRID, April 28, 2005 - PandaLabs reports the appearance of the NL variant of the Bancos Trojan, programmed to intercept the confidential data of the clients of over 2,500 banking portals. Panda Software has already informed law enforcement authorities of the appearance of this malicious code.

This Trojan cannot spread by itself, but needs to be distributed manually by third-parties. Bancos.NL can therefore be distributed through traditional channels (floppy disks, CD-ROM), or email messages, Internet downloads, FTP transfers, P2P networks, etc.

In the event that a user executes the file containing Bancos.NL, the Trojan will be installed on the system under the name MSCVC.EXE. It then starts monitoring the user's Internet activity, waiting for a connection to be established with one of the 2,500 Internet addresses listed in its code. When this happens, it registers all the information about bank account numbers, credit cards, passwords or any other information entered by the user. This information is sent to an Internet server where it can be collected by cyber criminals.

"Although this malicious code does not have any technical characteristics that make it stand out from other Trojans programmed to steal banking details, its danger lies in the large number of users that could be affected by Bancos.NL. In fact, the addresses of the banking portals listed in the Trojan's code belong to financial entities in 120 countries worldwide. These countries include Germany and Switzerland with over 200 addresses each," explains Luis Corrons, director of PandaLabs.

To prevent Bancos.NL or any other malicious code entering computers, Panda Software advises users to take precautions and to update their antivirus software. Panda Software has made the corresponding updates available to its clients to detect and disinfect this new malicious code.

Panda Software's clients can already access the updates for installing the new TruPrevent(tm) Technologies along with their antivirus protection, providing a preventive layer of protection against new malware. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection.

In order to help as many users as possible scan and disinfect their computers, Panda Software offers Panda ActiveScan, free of charge, at http://www.pandasoftware.com. ActiveScan is also available to webmasters that want to include it on their websites. Those who would like to include it on their sites can request the HTML code from http://www.pandasoftware.com/partners/webmasters/

Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts just visit Panda Software's website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.

For further information about this and other malicious code, visit Panda Software's Virus Encyclopedia at http://www.pandasoftware.com/virus_info/encyclopedia/.

____________________________________________________________________________
"Without words, without writing and without books there would be no history,
there could be no concept of humanity"
Hermann Hesse (1877-1962), German-born Swiss writer

- Adobe ActiveX allows file discovery -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, April 27 2005 - A vulnerability has been reported within the Adobe Reader and Acrobat web control. This vulnerability means that, under certain circumstances, the Internet Explorer ActiveX control can make it possible to discover the existence of local files by monitoring the behavior of certain methods.

Adobe Reader contains a Safe for Scripting method with the definition of "VARIANT_BOOL LoadFile([in] BSTR FileName)". A malicious user could take advantage of this if they get their victim to access the website controlled by the attacker. On the website, the attacker can call the LoadFile method, passing in a local file name on their victim's computer. In this way the attacker would be able to determine whether a certain file was present on the victim's system.

Although it is not possible to get the contents of the file, this method can be useful to attackers to know the path or presence of certain files. Although this does not allow attackers to take complete control of the system, it can be used as part of more complex attacks.

Adobe has reported this situation at http://www.adobe.com/support/techdocs/331465.html and recommended updating to version 7.0.1 of the product.

NOTE: The address above may not show up on your screen as a single line. This would prevent you from using the link to access the web page. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------

The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner:
1)Netsky.P; 2)Mhtredir.gen; 3)Agent.PF; 4)Qhost.AF; 5)Downloader.CGD.

I have updated Adobe Reader to 7.0 plus a patch, so now I have version 7.1. This version is much faster to load than 6.01 and can handle 3D.
Lagu

Lagu
05-10-2005, 05:36 AM
Warnings

Read this

"There's no pleasure like meeting an old friend,
except, perhaps, making a new one."
Rudyard Kipling (1865-1936), British novelist.

- Two vulnerabilities discovered in Firefox -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 9, 2005 - According to the Secunia advisory SA15292 dated May 8, 2005, two vulnerabilities classified as extremely critical have been detected in the Firefox Internet browser.

These two flaws can be exploited to compromise the system through cross site scripting attacks. To do this, the onload() event can be exploited using a frame in a JavaScript page to access restricted elements, such as the history list. This can be exploited to run HTML and script code in the user's browser session.

The second vulnerability lies in the incorrect verification of the "IconURL" parameter in the "InstallTrigger.install()" function. It can be used to run arbitrary JavaScript code and elevate privileges in the affected system.

These vulnerabilities have been confirmed in version 1.0.3, but other versions, not yet confirmed, could be affected. More information is available on the Secunia website where the advisory is published, at http://secunia.com/advisories/15292/.

------------------------------------------------------------

The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner:
1)Sober.V; 2)Mhtredir.gen; 3)Netsky.P; 4)Shinwow.E; 5)Downloader.BSU.

Lagu

Ototero
05-10-2005, 12:02 PM
Thanks Lagu,

I'll be looking out for 1.0.4 then :mad:

vaughan
05-10-2005, 12:54 PM
And there I was thinking it was safer than Internet Explorer. Hey you guys! Stop using FireFox, then the hackers can leave it alone and I can have it all to myself.

Ototero
05-12-2005, 07:30 AM
Firefox news about 1.0.4 available here http://www.mozillazine.org/

Empty_5oul
05-12-2005, 08:50 AM
There are/will be vulnerabilities in all programs; it just depends which is the most common, which is where people will then find errors and exploit them.

Ototero
05-13-2005, 12:48 PM
1.0.4 is now available for download. See link above.

Lagu
05-17-2005, 10:04 PM
Linux kernel
:shockingzap:
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 17, 2005 - SecuriTeam has reported, at http://www.securiteam.com/unixfocus/5BP0G1FFPY.html, a vulnerability in the ELF binary format loader in Linux, which could be exploited to allow an attacker to gain root privileges and execute arbitrary code at kernel privilege level.

The versions of the Linux kernel that are vulnerable are:
- Linux kernel version 2.2 up to and including 2.2.27-rc2
- Linux kernel version 2.4 up to and including 2.4.31-pre1
- Linux kernel version 2.6 up to and including 2.6.12-rc4

Some of the binary format modules (like ELF) provide an additional function to the kernel layer core_dump() in order to call this function if a fault occurs (such as a memory access error) when executing the binary. The kernel will call the core_dump() function if the process's limit for the core file (RLIMIT_CORE) is sufficiently high and the process's binary format supports core dumping.

The vulnerable code lies in fs/binfmt_elf.c and could allow local users to gain root privileges. Code could be run at kernel privileges level, potentially breaking out of Linux virtual machines. The patch for avoiding this problem has already been released.


Lagu

Lagu
05-19-2005, 08:29 PM
Hello

- Remote denial of service in Yahoo! Messenger -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 19, 2005 - A vulnerability has been reported in Yahoo! Messenger that could lead to a denial of service, with remote attackers being able to disconnect users from Chat sessions. The advisory is available at http://www.securiteam.com/windowsntfocus/5HP0H20FPE.html.

The problem lies in the way that Yahoo! Messenger processes arguments in YMSGR: URL handler links. An attacker modifying the links with certain characters after the colon could create malformed packets to send to Yahoo! YMSG servers. When these packets are sent, Yahoo! will immediately disconnect users from the chat session.

The problem affects Yahoo! Messenger versions 5.0 and 6.0, and all details have been published along with proofs of concept with malicious URLs that could disconnect a user.

The recommended workaround is to eliminate the registry key "HKEY_CLASSES_ROOT\ymsgr\shell\open\command", the string "c:\progra~1\yahoo!\messenger\ypager.exe %1".


Lagu

Lagu
05-25-2005, 11:50 PM
Hello!

- A Trojan digitally encrypts files and asks for a ransom -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

MADRID, May 25, 2005 - PandaLabs has recently reported the appearance of a type of malware that encrypts files on the infected computer and then asks for a fee in order to release these files. This is a new type of behavior, rarely seen until now, and to which the FBI in the United States are now alert.

The malware in question, Trj.PGPCoder.A, is a Trojan, and as is usual in these cases, cannot propagate by itself. Once installed on a computer, it creates two registry keys: one to ensure it is run on every system startup, and the second to monitor the progress of the Trojan in the infected computer, counting the number of files that have been analyzed by the malicious code.

Once it has been run, the Trojan embarks on its mission, which is to encrypt, using a digital encryption key, all the files it finds on computer drives with extensions corresponding to those listed in its code. These extensions include DOC (Microsoft Word documents), HTML (web pages), JPG (images), XLS (Microsoft Excel spreadsheets), ZIP and RAR (two common compressed file formats).

The blackmail is completed with the Trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $200.

To prevent infection from Trj.PGPCoder.A or other malicious code, Panda Software advises all users to keep their antivirus software up-to-date. Panda Software has already made the corresponding updates to detect and eliminate this new malicious worm available to clients.

Panda Software's clients can already access the updates for installing the new TruPrevent(tm) Technologies along with their antivirus protection, providing a preventive layer of protection against new malware. For users with a different antivirus program installed, Panda TruPrevent(tm) Personal is the perfect solution, as it is both compatible with and complements these products, providing a second layer of preventive protection that acts while the new virus is still being studied and the corresponding update is incorporated into traditional antivirus programs, decreasing the risk of infection.

Lagu

Lagu
05-25-2005, 11:53 PM
"Just because something doesn't do what you planned
it to do doesn't mean it's useless".
Thomas Alva Edison (1847-1931), US inventor and physicist.

- Disclosure of sensitive information in Microsoft ASP.NET -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 24 2005 - A vulnerability has been reported (at http://www.securitytracker.com/alerts/2005/May/1013996.html) in Microsoft ASP.NET web services which could allow an attacker to obtain certain sensitive information about the server.

The problem occurs when there is a file error. At this moment, the FileStream method may return an error message containing the full path to the requested file, even if an absolute path was requested. If the ASP.NET application does not filter error messages, remote users could see the exact location of the file.

Another problem occurs with an SQL query error, in that the server may return an error message containing information about the database structure. Like the previous case, if the ASP.NET application does not filter the error message, the information may be disclosed to remote users.

Programmers are advised to follow secure programming practices and to implement exception handling mechanisms that properly catch and filter the error exceptions.

Microsoft has published a series of security considerations for ASP.NET applications at: http://msdn.microsoft.com/library/en-us/vbcon/html/vbtskdisplayingsafeerrormessages.asp


Lagu

Lagu
06-20-2005, 08:15 PM
Hello

Virus warnings!

"Recommend virtue to your children; it alone, not money,
can make them happy. I speak from experience."
Ludwig van Beethoven (1770-1827); German composer.

- Panda Software's weekly report on viruses and intruders -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

MADRID, June 19, 2005 - This week, Panda Software's report looks at three examples of malware, the Trojan Downloader.DCM, the backdoor Trojan Dumador.BC, and the hacking tool Looxee. What's more, it includes six new vulnerabilities in Microsoft Windows, classified as critical.

Downloader.DCM is a Trojan that downloads Dumador.BC and runs it. Like the majority of Trojans, it must be manually distributed. When it is installed on a computer, it uses a sophisticated technique to hide from any firewall that may be installed on the computer: it creates a remote run thread associated with the process explorer.exe, so that the firewall thinks that Explorer is accessing the Internet, when it is actually Downloader.DCM doing so. When it connects to the Internet, this thread deletes the downloader file and downloads and runs another file (the backdoor Trojan) from a specific website, pretending to be a temporary file.

Dumador.BC, the file downloaded by the downloader, is a backdoor Trojan that cannot spread by itself. Its function is to allow remote control of the affected computer by opening TCP ports in the computer and receiving remote run command requests. It also logs different user details and modifies the system hosts file to prevent the computer from accessing the websites belonging to antivirus companies.

Looxee is a hacking tool that monitors and logs different activities carried out by the user of the affected computer, such as the email messages sent and received, chats via instant messaging, websites visited and it even captures screenshots, among other actions. Curiously, it has a characteristic that warns the user, if a certain key word is entered. This tool is not dangerous as such, but can be used for malicious purposes.

What's more, a series of vulnerabilities have been reported and are detailed by Microsoft in the bulletins MS05-025, MS05-026, MS05-027, MS05-028, MS05-029 and MS05-030. These vulnerabilities affect various Microsoft applications and have been classified as critical. Therefore, it is advisable to apply the updates in order to keep your computer protected from malware that can exploit these vulnerabilities to get into your computer. The affected applications are Explorer, Windows, SMB (Service Message Block), Web Client Service, Outlook Web Access for Exchange Server 5.5 and Outlook Express.

To prevent this malware or any other malicious code from affecting your computer, Panda Software recommends keeping antivirus software up-to-date. Panda Software clients can already access the updates to detect and disinfect this malicious code.

For further information about these and other computer threats, visit Panda Software's Encyclopedia.

Lagu
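Both Mitglieder.CG (in the earlier weekly report) and Dumador.BC above rewrite the system HOSTS file so that antivirus vendors' sites no longer resolve, and the pharming technique at the top of this thread rewrites it so that a bank's name resolves to the attacker's server. The script below is an added example, not Panda Software's code: it audits a hosts file for entries naming domains that should never appear there. The watch list and the sample hosts content are constructed for the example; the "example-bank.com" domain is hypothetical.

```python
"""Audit a hosts file for tampering of the kind described in the bulletins above.

Added example, not code from Panda Software. Any entry for a watched domain
(security vendors, online banking) is reported: a loopback/unspecified address
means the site has been sinkholed (the Mitglieder.CG / Dumador.BC trick), any
other address means the name now points at a server the user did not choose
(local pharming). The watch list and sample file below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed watch list: security vendors plus a hypothetical bank domain.
WATCHED_SUFFIXES = (
    "pandasoftware.com",
    "activescan.com",
    "symantec.com",
    "windowsupdate.com",
    "example-bank.com",   # hypothetical online-banking domain
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def _is_watched(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a watched suffix."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text: str):
    """Yield (line_no, address, hostnames) for every active hosts entry.

    Comments (# ...) and blank lines are skipped. The address is returned
    unparsed so the caller can report malformed lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield line_no, parts[0], parts[1:]


def audit_hosts(text: str) -> list:
    """Return a Finding for each hosts entry that looks like tampering."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(line_no, addr, " ".join(names), "malformed address"))
            continue
        for name in names:
            if not _is_watched(name):
                continue   # ordinary entries (localhost, internal servers) are fine
            if ip.is_loopback or ip.is_unspecified:
                # Mitglieder.CG / Dumador.BC style: the site is made unreachable
                reason = "sinkholed to %s (blocks access to the site)" % addr
            else:
                # pharming style: the name is answered by a server the user did not choose
                reason = "redirected to %s (possible pharming)" % addr
            findings.append(Finding(line_no, addr, name, reason))
    return findings


def audit_hosts_file(path: str) -> list:
    """Convenience wrapper for a real file, e.g. the Windows path
    %SystemRoot%\\system32\\drivers\\etc\\hosts or /etc/hosts on Unix."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample hosts content mixing legitimate and tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.local
127.0.0.1       www.pandasoftware.com
127.0.0.1       activescan.com
10.0.0.66       www.example-bank.com
not-an-ip       www.symantec.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-24s %s" % (f.line_no, f.hostname, f.reason))
```

Run against the real hosts file with `audit_hosts_file(path)`; an empty result means no watched domain is overridden locally.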

Lagu
12-27-2005, 04:13 PM
- Orange Alert: Panda Software reports new Trojan that could steal online banking passwords of thousands of Spanish-speaking users -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

A new Trojan, Nabload.U, which is distributing itself through Messenger, appeared a few hours ago. This Trojan downloads another Trojan, called Banker.bsx, which is currently the number one detected piece of malware from Panda's ActiveScan. Its objective is to obtain the passwords of certain banks that it has stored in its code, primarily from Spanish-speaking users.

The most unusual aspect of this Trojan is its ability to capture the information without the use of a traditional key logger. The user will be unaware that this is occurring. Banks that use virtual keyboards to avoid keyloggers won't be protected from this Trojan.

Once the author has the keys, he can commit banking fraud with the accounts.

According to Luis Corrons, PandaLabs director: "This Trojan is an example of a hybrid virus that mixes different techniques. Once the user clicks on the URL, it is able to download a Trojan and use techniques similar to some spyware and phishing attacks. It is, without a doubt, a Trojan designed to steal data quickly, and without leaving any tracks."

Nabload.U uses social engineering techniques to get the user to click on the URL provided. The sentence is in Spanish: "ve esa vaina http://hometown.%eliminado%.au/miralafoto/foto.exe." It is disguised as a personal contact. When the user clicks on this URL, another Trojan, Banker.BSX, is downloaded. It also offers two other URLs, http://hometown.%eliminado%.au/arqarq/coco2006.jpg and http://hometown.%eliminado%.au/modnatal/coco2006.jpg, that download a configuration file. In this file, you can find, as well as other information, the e-mail address where the stolen data will be sent.

This Trojan opens up port 1106 on the computer and stays active. So, when the user tries to access one of the online bank addresses shown below, the Trojan will be able to capture what the user is doing on the screen, including the login and password typed by virtual keyboards to access the bank account. This Trojan only captures the information from the addresses below:

Once the Trojan has captured the information, it sends this data to an e-mail address. The author can change this e-mail address as desired.

To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.activescan.com. Webmasters who would like to include ActiveScan on their websites can get the HTML code, free from http://www.pandasoftware.com/partners/webmasters.

TruPrevent(tm) detection technologies detect and eliminate Banker.BSX with no need for previous updates, so computers with these technologies have been protected from the moment the Trojan Horse appeared.

For further information about Nabload.U and Banker.BSX, visit Panda Software's Encyclopedia:
http://www.pandasoftware.com/virus_info/encyclopedia/

Lagu

Lagu
12-27-2005, 04:51 PM
"There is no such thing on earth as an uninteresting subject;
the only thing that can exist is an uninterested person."
G. K. Chesterton (1874 - 1936); English author & mystery novelist.

- Vulnerability in Linux kernel -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 27 2005 - iDefense has announced a complete memory exhaustion vulnerability in versions 2.4 and 2.6 of the Linux kernel, which could allow denial of service attacks.

The flaw stems from a limitation in the design of the Linux kernel, and consists of a lack of resource checking during the buffering of data for transfer over a pair of sockets. An attacker could create a situation which, depending on the available system resources, can cause a 'kernel panic' due to memory resource exhaustion.

An attack can be launched by opening up a number of connected file descriptors or socket pairs and creating the largest possible kernel buffer for data transfer between the two sockets. By causing the process to enter a zombie state or closing the file descriptor while keeping a reference open, the data is kept in the kernel until the transfer can complete. If done repeatedly, system memory resources can be exhausted from the kernel.

To fully exploit this vulnerability, an attacker would need local access to the affected system.

------------------------------------------------------------

The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner: 1)Banker.BSX; 2)Nabload.U; 3)Sdbot.ftp; 4)Sober.AH; 5)Galapoper.IE.

Lagu

Lagu
12-29-2005, 04:33 PM
"Don't think of words when you stop but to see the picture better."
Jack Kerouac (1922-69); US writer.

- Windows MetaFile handling vulnerability -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, December 29 2005 - US-CERT has reported a security vulnerability in Windows that could allow arbitrary code to be run remotely. The security patch that fixes this vulnerability has not been made available yet, therefore the flaw continues to be exploited to affect systems.

The vulnerability stems from a buffer overflow in the library that handles WMF (Windows MetaFile) files, which is used, among other programs, by the Windows Picture and Fax Viewer. This weakness affects the following Windows platforms: 98, Millennium Edition (ME), 2000, XP and Server 2003, according to information published by Microsoft at http://www.microsoft.com/technet/security/advisory/912840.mspx

In order to exploit this security flaw, attackers are placing specially crafted WMF files in several web pages, so that, when users access them with Internet Explorer, malicious code is automatically run on their computers. If a different browser is used, users can be warned of a file download.

Until a security patch is made available to fix this vulnerability, users are advised not to access web pages they are invited to visit from untrusted sources (links in unsolicited emails, IRC channels, instant messaging, newsgroups, web forums, etc). It is also advisable to have a security solution installed like those offered by Panda Software, which can detect "Exploit/Metafile", malicious code specifically written to exploit this security flaw.

For more information about Panda Software solutions, go to:
http://www.pandasoftware.com

------------------------------------------------------------

The five viruses most frequently detected by Panda ActiveScan, free online antivirus from Panda Software: 1)Banker.BSX; 2)Sdbot.ftp; 3)Sober.AH; 4)Qhost.DS; 5)Netsky.P.

Lagu

Lagu
03-15-2006, 04:50 PM
Hi

- Buffer overflow due to incorrect update of KDE kpdf/xpdf -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, March 13, 2006 - A vulnerability has been reported in KDE kpdf/xpdf, the PDF viewer for Linux. This flaw could be used by a remote user to run arbitrary code on affected systems.

The problem, which affects kpdf, is based on the code of xpdf (which it shares with kpdf) and is due to an incorrect correction of a previously discovered vulnerability. A remote user could maliciously create a PDF file which, when loaded by the victim, would cause a buffer overflow and the consequent execution of code on the system with the same privileges as the victim.

Systems running KDE 3.3.2 with the patch for CVE-2005-3627 installed are affected. Updates for systems with KDE 3.4.x and later are not affected.

An update to avoid this problem has been published for KDE 3.3.2 and later versions, and is available at:
ftp://ftp.kde.org/pub/kde/security_patches/post-3.3.2-kdegraphics-CVE-2006-0746.diff

Take care
Lagu :)

Lagu
03-15-2006, 09:19 PM
Hi

Madrid, March 15 2006 - Microsoft has published two updates for its products. The first of these, according to "Microsoft Security Bulletin MS06-011", corrects an error through which an attacker could take control of the affected system. The attacker could install programs with serious consequences, or carry out any type of task without the owner of the system realizing.

The systems affected are Microsoft Windows XP Service Pack 1 and Microsoft Windows Server 2003 (including the version for Itanium systems). The updates to correct the error, along with further information, can be found at:
http://www.microsoft.com/technet/security/Bulletin/ms06-011.mspx.

The second update, in bulletin MS06-012, corrects an error similar to the previous one, as it can also allow an attacker to take control of the system, in this case if the user starts a session as the administrator.

According to this second bulletin, the affected systems are Office 2000 SP 3, Office XP SP 3, Office 2003 SP 1 or 2 and Microsoft Works Suites, from version 2000 to 2006. In addition, Office for Mac (versions X and 2004) is affected. Microsoft offers more information at:
http://www.microsoft.com/technet/security/Bulletin/ms06-012.mspx.

Take care
Lagu ;)