worm


Categories: Safety Tips, Best Software, Product News, Adware and Spyware Software, worm, spyware remove, trojan, Malware Descriptions
12 Jun 2007 02:32 pm

Aliases:
Trojan-Clicker.Win32.Bitdefener (Kaspersky Lab) is also known as: TrojanClicker.Win32.Bitdefener (Kaspersky Lab), Crackerbox (McAfee), Trojan Horse (Symantec), Trojan.CrackBox.109 (Doctor Web), Troj/Crackerb (Sophos), Trojan:Win32/Fender (RAV), TROJ_FENDER.A (Trend Micro), TR/Bitdefener (H+BEDV), Win32:Trojan-gen. (ALWIL), Trojan Horse (Panda), Win32/TrojanClicker.Bitdefener (Eset)

Description added    Feb 16 2007
Behavior                 TrojanClicker

Technical details:
This Trojan opens a number of web links without the user's knowledge or consent (a "clicker": its purpose is to generate traffic or hits for the sites it requests). It is a Windows PE EXE file, 40,960 bytes in size, written in Visual Basic.

Payload:
Once launched, the Trojan periodically opens the following links without the user's knowledge or consent (parts of the URLs are masked in the original description):

http://www.mp3.com/****seuq
http://artists.mp3s.com/artist_stats/239/****seuq.html
http://artists.mp3s.com/artist_calendar/239/23****.html
http://play.mp3.com/cgi-bin/play/play.cgi/****

Removal instructions:
If your computer does not have an up-to-date antivirus, or has no antivirus solution at all, follow the instructions below to delete the malicious program:
1. Use Task Manager to terminate the Trojan process.
2. Delete the original Trojan file (its location depends on how the program originally reached the victim machine).
3. Update your antivirus databases and perform a full scan of the computer (the original post recommends a new version of Panda Internet Security 2007).
 

Categories: Security, worm, spyware remove, trojan, antispyware, antivirus, Malware Descriptions
24 Oct 2006 07:43 am

Aliases:
Trojan-Proxy.Win32.Bobax.a (Kaspersky Lab) is also known as: TrojanProxy.Win32.Bobax.a (Kaspersky Lab), Exploit-DcomRpc.gen (McAfee), W32.Bobax.B (Symantec), Win32.HLLW.Mixer (Doctor Web), W32/Bobax-A (Sophos), Win32/Bobax.A.worm (RAV), WORM_BOBAX.GEN (Trend Micro), Worm/Bobax.A (Grisoft), Win32.HLLW.Bobax.A (SOFTWIN), Win32/Bobax.A (Eset)
==============================================

Description added    May 17 2004
Behavior                 TrojanProxy
==============================================

Technical details:

This Trojan program turns the infected machine into a proxy server that its operators can use to relay traffic (for example, the mass mailings listed under Payload below).

Bobax propagates, on command from its operators, by exploiting a vulnerability in the Microsoft LSASS service.

The Trojan is written in Microsoft Visual C++, and the body is encrypted. It runs under Windows, and is 20480 bytes in size.

Installation
When loading, Bobax decrypts its body and saves it as a .dll file in the temporary directory under the random name ~xxxx.tmp, where xxxx is a random hexadecimal number.

This .dll file is the main Trojan component; it is packed using UPX, and is 17920 bytes in size.

When the .dll file is loaded, the executable component copies itself to the Windows system directory under a randomly generated file name.

It creates the mutex 00:24:03:54A9D in memory to flag its presence on the system (a second copy that finds the mutex already present will not install again), and registers itself for auto-start under the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"[Random key name]" = "[Path to executable file]"
The key (value) name is a random number in hexadecimal format, so there is no fixed name to search for; the indicators are the random hex name, the executable it points at in the system directory, and the ~xxxx.tmp DLL in the temporary directory.
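The description above gives three host-based indicators that a responder can encode into a check: an auto-run value whose name is a bare hexadecimal number, pointing at an executable in the Windows system directory, plus a ~xxxx.tmp DLL in the temporary directory. The following Python is an added example written for this page, not code from Kaspersky or the original post; it runs the heuristics over constructed sample data so it works offline, and the optional live reader uses the winreg module only on Windows. The Run key and the system directory path are assumptions (the description names only RunServices), and a hex value name is only a hint, not proof of infection.

```python
import re
import sys
from typing import Dict, List

# Patterns taken from the description: the auto-run value name is a random
# hexadecimal number, and the dropped DLL is "~xxxx.tmp" with xxxx hex.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]+$")
TEMP_DLL = re.compile(r"^~[0-9A-Fa-f]{4}\.tmp$", re.IGNORECASE)

# RunServices is the key named in the description; Run is an assumption
# (a variant could persist there instead).
AUTORUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample data (not from a real infection): one Bobax-style entry
# and one legitimate-looking entry, plus temp files including an Office-style
# "~DFxxxx.tmp" lock file that must NOT match the 4-hex-digit pattern.
SAMPLE_RUNSERVICES = {
    "1A2B3C4D": r"C:\WINDOWS\system32\qvhjrk.exe",
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
}
SAMPLE_TEMP_FILES = ["~DF3A1B.tmp", "~2F1C.tmp", "readme.txt"]


def suspicious_autorun(entries: Dict[str, str],
                       system_dir: str = r"C:\WINDOWS\system32") -> List[str]:
    """Return value names that are bare hex numbers and whose data is an
    .exe in the Windows system directory (system_dir is an assumption)."""
    hits = []
    for name, path in entries.items():
        path_dir, _, fname = path.rpartition("\\")
        if (HEX_NAME.match(name)
                and path_dir.lower() == system_dir.lower()
                and fname.lower().endswith(".exe")):
            hits.append(name)
    return hits


def suspicious_temp_files(names: List[str]) -> List[str]:
    """Return names matching the ~xxxx.tmp pattern (exactly four hex digits)."""
    return [n for n in names if TEMP_DLL.match(n)]


def read_autorun_values(subkey: str) -> Dict[str, str]:
    """Live collection on Windows only; returns {} elsewhere or if the key
    is missing, so the heuristics above can still be exercised offline."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard library module
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                values[name] = str(data)
                i += 1
    except OSError:
        pass  # key absent (RunServices does not exist on NT-based Windows)
    return values


if __name__ == "__main__":
    print("autorun hits (sample):", suspicious_autorun(SAMPLE_RUNSERVICES))
    print("temp hits (sample):   ", suspicious_temp_files(SAMPLE_TEMP_FILES))
    for k in AUTORUN_KEYS:
        live = read_autorun_values(k)
        if live:
            print(k, "->", suspicious_autorun(live))
```

A hit from either function is a reason to look at the file (size, packer, export table) before deleting it, not a verdict: legitimate software occasionally uses numeric value names, and the 4-digit ~xxxx.tmp pattern is deliberately narrower than Windows' own ~DFxxxx.tmp lock files so that it does not flag them.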

Payload
The Trojan receives commands from web servers controlled by its operators, which make it possible for:

the current version of the Trojan to be updated
programs to be downloaded to the victim machine, and then executed
the Trojan to propagate using a vulnerability in Microsoft LSASS
mass mailings to be carried out from the victim machine
the author of the program to get information about the victim machine


Categories: worm
18 Aug 2006 07:59 am

Symantec on Wednesday patched a vulnerability in its Veritas NetBackup PureDisk application that, left unfixed, could let attackers worm their way into systems and gain control over the machines. The bug, which Danish vulnerability tracker Secunia rated "moderately critical," was found during an internal security code review, Symantec said in an alert posted on its support site. Although NetBackup PureDisk's management console is by default accessible only over an SSL connection, SSL protects only the transport, not the login: an unauthorized user could bypass the authentication scheme and elevate their access rights to take complete control of the server. Symantec issued an update dubbed "Maintenance Pack 1" to fix the flaw.
