Overview
W32/Winemmem is a file infecting virus with backdoor functionality.
Aliases
- W32.Winemmem!Inf (Symantec)
Characteristics
W32/Winemmem infects packages, installers and self-extracting archives, i.e. files that carry extra data after the last section (the so-called "overlay"). It rewrites the code section of the original application: a block of random size, starting at the beginning of the code section at the original entry point (OEP), is relocated to the end of the file, which increases the size of the overlay. The virus does not create new sections and does not modify the PE header. To gain control when an infected file is run, it overwrites the original code at the entry point.
On execution, the virus hooks the following APIs of the current process:
CreateFileA
ExitProcess
ExitWindowsEx
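The following Python script is an added example and is not part of this description or of any vendor tooling. It reads the PE fields the description refers to (section table, entry point RVA, overlay) and compares a suspect file against a known-clean copy of the same program the way a responder would triage it: a Winemmem-style infection leaves the section layout and entry point RVA unchanged, replaces the bytes at the entry point, and grows the overlay. The minimal PE32 builder and the byte strings fed to it are constructed for the demonstration; they are not real programs or actual Winemmem samples.

```python
import struct

FILE_ALIGN = 0x200  # file alignment used by the constructed sample


def build_sample_pe(code: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (one .text section, entry point at its
    start, optional overlay after the last section). Demonstration data only,
    not a real program and not an actual Winemmem sample."""
    raw_size = (len(code) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, 1 section
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, raw_size, 0, 0,
                      0x1000, 0x1000, 0x2000, 0x400000).ljust(224, b"\0")  # EP RVA 0x1000
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                       FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(FILE_ALIGN, b"\0")
    return headers + code.ljust(raw_size, b"\0") + overlay


def parse_pe(data: bytes) -> dict:
    """Read the section table, entry point RVA and overlay size of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr})
    # The overlay is everything past the highest raw end of any section.
    end_of_image = max((s["raw_ptr"] + s["raw_size"] for s in sections),
                       default=sec_off + 40 * nsec)
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])),
                         None)
    return {"sections": sections, "entry_rva": entry_rva, "entry_section": entry_section,
            "overlay_offset": end_of_image, "overlay_size": max(0, len(data) - end_of_image)}


def entry_bytes(data: bytes, n: int = 16) -> bytes:
    """First n raw bytes at the entry point (empty if the EP maps to no section)."""
    info = parse_pe(data)
    for s in info["sections"]:
        if s["name"] == info["entry_section"]:
            off = s["raw_ptr"] + (info["entry_rva"] - s["va"])
            return data[off:off + n]
    return b""


def compare_to_clean(clean: bytes, suspect: bytes) -> dict:
    """Compare a suspect file with a known-clean copy of the same program.
    The pattern described for W32/Winemmem: identical section layout and
    entry point RVA, different code at the entry point, larger overlay."""
    def layout(info):
        return [(x["va"], x["raw_ptr"], x["raw_size"]) for x in info["sections"]]
    c, s = parse_pe(clean), parse_pe(suspect)
    return {
        "same_section_layout": layout(c) == layout(s),
        "same_entry_rva": c["entry_rva"] == s["entry_rva"],
        "entry_code_changed": entry_bytes(clean) != entry_bytes(suspect),
        "overlay_growth": s["overlay_size"] - c["overlay_size"],
    }


def winemmem_like(clean: bytes, suspect: bytes) -> bool:
    d = compare_to_clean(clean, suspect)
    return (d["same_section_layout"] and d["same_entry_rva"]
            and d["entry_code_changed"] and d["overlay_growth"] > 0)


if __name__ == "__main__":
    # Constructed inputs: an installer-like file with a 100-byte overlay and a
    # copy whose entry-point code was replaced and whose overlay grew by 700 bytes.
    clean = build_sample_pe(b"\x55\x8b\xec" + b"\x90" * 13 + b"\xc3", overlay=b"A" * 100)
    infected = build_sample_pe(b"\xe9" + b"\0" * 16, overlay=b"A" * 100 + b"B" * 700)
    print(parse_pe(infected)["overlay_size"], compare_to_clean(clean, infected))
```

Run it against a real suspect and a pristine copy of the same installer (from the vendor download or a clean backup) by replacing the constructed inputs with the two files' contents. Without a clean reference, the script still reports the overlay size and entry section, which is enough to spot an overlay that is larger than the installer's own packed payload should account for.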
---- Update on April 7, 2009 ----
Once an infected file is run, the virus hooks the CreateFileA() API. When the hook gives it control, W32/Winemmem searches the Program Files folder for Windows PE executables. For each EXE found it parses the import table for the system dynamic link libraries (DLLs) that the executable imports. It then copies such a DLL into the folder that contains the EXE and infects the copy by modifying the code at its entry point and appending the virus body to the end of the last section. Because Windows resolves an executable's imports from the application's own directory before the system directory, the planted copy is loaded instead of the genuine DLL, so the malicious code runs every time one of these EXE files is started.
The virus also hooks the send() API of WS2_32.dll and performs its malicious activity the first time an infected application calls it. It may infect files on removable drives, searching the entire drive for suitable executables, or download and execute remote files from [REMOVED].c0m.st.
We also detect the infected copies of these system libraries as W32/Winemmem.
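The DLL-planting behaviour above leaves a simple filesystem artefact: a file next to an EXE that carries the name of a system DLL but does not match the copy in the system directory. The Python script below is an added example, not vendor code, that sweeps an application tree for exactly that. The directory layout it builds with tempfile (a fake System32 holding version.dll, one application folder with an identical copy, one with a modified copy) is constructed for the demonstration; the file contents are placeholder bytes, not real binaries.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def system_dll_hashes(system_dir: str) -> dict:
    """Lower-cased DLL name -> SHA-256 of the copy in the system directory."""
    return {n.lower(): sha256_file(os.path.join(system_dir, n))
            for n in os.listdir(system_dir) if n.lower().endswith(".dll")}


def find_planted_dlls(app_root: str, system_dir: str) -> list:
    """Walk application folders; in every folder that holds an EXE, report DLLs
    that share a name with a system DLL but differ from the system copy. Such a
    file is loaded in place of the genuine DLL because the application directory
    is searched before the system directory when an EXE's imports are resolved."""
    reference = system_dll_hashes(system_dir)
    findings = []
    for dirpath, _, files in os.walk(app_root):
        if not any(f.lower().endswith(".exe") for f in files):
            continue
        for f in files:
            key = f.lower()
            if key in reference:
                local = sha256_file(os.path.join(dirpath, f))
                if local != reference[key]:
                    findings.append({"path": os.path.join(dirpath, f),
                                     "system_sha256": reference[key],
                                     "local_sha256": local})
    return findings


def build_sample_tree() -> str:
    """Constructed directory layout for the demonstration (not real binaries):
    a fake System32 with version.dll, one app that ships an identical copy of
    it, and one app whose copy has extra bytes appended, as a planted and
    infected DLL copy would."""
    root = tempfile.mkdtemp(prefix="winemmem_demo_")
    sysdir = os.path.join(root, "System32")
    clean_app = os.path.join(root, "Program Files", "CleanApp")
    bad_app = os.path.join(root, "Program Files", "PlantedApp")
    genuine = b"MZ" + b"\0" * 62 + b"genuine version.dll image"
    files = {
        os.path.join(sysdir, "version.dll"): genuine,
        os.path.join(clean_app, "clean.exe"): b"MZ clean",
        os.path.join(clean_app, "version.dll"): genuine,                   # identical copy: not flagged
        os.path.join(bad_app, "target.exe"): b"MZ target",
        os.path.join(bad_app, "VERSION.DLL"): genuine + b"<appended body>",  # modified copy: flagged
    }
    for path, content in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


def demo() -> list:
    """Build the constructed tree and scan it; returns the list of findings."""
    root = build_sample_tree()
    return find_planted_dlls(os.path.join(root, "Program Files"),
                             os.path.join(root, "System32"))


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], "local", hit["local_sha256"][:16], "system", hit["system_sha256"][:16])
```

On a real host call find_planted_dlls with the Program Files directories and the matching system directory (System32 for 64-bit executables, SysWOW64 for 32-bit ones). Two caveats: an identical copy is deliberately not flagged, since some applications legitimately ship redistributable DLLs, so a planted but not yet modified copy would be missed; and DLLs listed under the KnownDLLs registry key are always loaded from the system directory regardless of what sits beside the EXE, so a hit on one of those names is suspicious but would not have been loaded.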
Symptoms
Modified executable files (an increase in the size of EXE files).
Method of Infection
W32/Winemmem is a file-infecting virus. Infection starts with manual execution of an infected binary. Executables on network shares may also be infected if they are accessed from the compromised machine.