Threat Category: Windows malware | Page 30

Solving the virus naming mess – not an easy task

Inside Nyxem.e’s 100K+ body there is a dreaded block of 32 bytes. On the 3rd of every month, exactly 30 minutes after the infected system is started, Nyxem.e will use this block.

We’ve got another version of GPCode. We’re currently looking at the encryption algorithms, and we’ll get back to you with the full story in the near future.

We’re seeing Bagle deployments on a number of websites, usually a sign of increased Bagle activity to follow

We’ve just issued an alert for Nyxem.e, due to the number of reports we’ve been receiving for the past few days but also because of its destructive payload which activates on 3rd of every month.

I recently came across an interesting IRCBot which KAV detects as Backdoor.Win32.IRCBot.lo. When I took a closer look at it, I found out that it’s quite an advanced bot with a lot of features.

It’s two years to the day that the antivirus industry first encountered Bagle – Email-Worm.Win32.Bagle.a.

Sober.y will attempt to update itself tonight from a predefined set of websites in Germany and Austria.

It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted.

Another case of infected storage media

Between yesterday evening and this morning, we intercepted 12 programs created by the authors of Bagle: 5 Trojan downloaders and 7 worms.

Yes another modification. This time, not surprisingly, it’s Trojan-Downloader.Win32.Bagle.f

Sober.y, which is currently the most popular variant, started spreading actively on Monday, November 21.

For the last 24 hours or so we’ve seen a number of new Email-Worm.Win32.Sober variants, some of which we have got an alert out for.

Jerusalem caused the first major computer virus epidemic – it infected enterprises, government offices and academic institutions around the world.

Reports

Kaspersky experts analyze the ToddyCat APT attacks targeting corporate email. We examine the new version of TomBerBil, the TCSectorCopy and XstReader tools, and methods for stealing access tokens from Outlook.

Kaspersky GReAT experts dive deep into the BlueNoroff APT’s GhostCall and GhostHire campaigns. Extensive research detailing multiple malware chains targeting macOS, including a stealer suite, fake Zoom and Microsoft Teams clients and ChatGPT-enhanced images.

Kaspersky researchers discovered previously unidentified commercial Dante spyware developed by Memento Labs (formerly Hacking Team) and linked it to the ForumTroll APT attacks.

Kaspersky GReAT experts describe the latest Mysterious Elephant APT activity. The threat actor exfiltrates data related to WhatsApp and employs tools such as BabShell and MemLoader HidenDesk.

Windows malware

CME – the good and the not-so-good

Nyxem.e’s dreaded 32 bytes

New GPCode

An increase in the Bagle activity

Watch out for Nyxem.e

IM-Bot?

Bagle’s birthday

A Sober night

More on WMF exploitation

Get infected in a flash?

No rest for the Bagles – or for the virus analysts

And another Bagle

Sober.y increased activity

Sober steals your passwords

Once upon a time

Reports

ToddyCat: your hidden email assistant. Part 1

Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

Mem3nt0 mori – The Hacking Team is back!

Mysterious Elephant: a growing threat

Subscribe to our weekly e-mails