Blog Archives

Soccer Trojan from South Africa

Home Grown Malware?

Satellite image of South Africa (image from Wikipedia)

It looks like the Trojan tvwjfm.exe (it goes under several other names too – list of known names and further information) may have originated from South Africa; at least the first reported infections came from this locale.

This is a change from the norm, in which the largest share of new malware hails from Asia, although a tie-in to that region cannot be excluded.

This Trojan has not had a big impact; outbreaks so far seem limited, possibly because it is deliberately targeted at specific users. The small number of reported instances should not be taken to mean this Trojan is not dangerous – it is.

The file is unusually large for a Trojan because it bundles a package of other files. When run it behaves like an application installer, and even if the install is cancelled it silently installs other malware without the PC user's knowledge.

Soccer Trojan

I have decided to unofficially name this Trojan (as yet it has no official name) the Soccer Trojan. It presents itself with an icon of a soccer ball superimposed on a PC display, similar to the image on the left, which is clearly an attempt to entice followers of the game to run the file.

Hopefully the Soccer Trojan will remain obscure and not spread. Vigilance is required at this early stage to interdict the malware before it gets the opportunity to ‘go viral’ and escape into the wild.

Trojan Generic24 Family

Article about Trojan Horse Generic24.cgol

The previous article posted on this blog about Generic24 Trojans elicited a lot of interest. Even more interest was shown in my removal tips for the Generic24.cgol variant, posted on my website.

I thought now would be a good time to post an update. The .cgol variety seems to have died down somewhat, but it seems a new version is detected every day. Recent references I found include:

  • trojan generic 24 cjgk (also generic24.cjgk) (20 Sept 2011)
  • trojan Generic24.BRQA 
  • trojan Generic24.BRQD
  • trojan Generic24.BRQF etc (Full list at AVG)
  • Trojan Horse generic24.TSU (21 Sept 2011)
  • trojan Generic24.BUOM
  • Generic24.BVUA (22 Sept 2011)
  • trojan generic24 pnt (12 Sept 2011)
  • GENERIC 24.CPQJ (23 Sept 2011)
  • trojan-generic24-aawj (12 Sept 2011)
  • Trojan horse Generic24.CAVY (21 Sept 2011)
  • Generic24.BIVS (2 Sep 2011)
  • Generic24.FLZ (05 Oct 2011)
  • Trojan horse Generic24.PYB (01 Oct 2011)
  • Generic24.ATJW (03 Sept 2011)
  • Trojan horse Generic 24.WMQ (24 Sept 2011)

The list goes on; these are from recent forums and other articles found via a search engine, all from September this year.

There are literally thousands of similar trojans carrying a ‘Generic’ detection name. Note that ‘Generic24’ is AVG's label for a batch of generic detection signatures rather than the name of a single malware family, so two samples sharing the prefix are not necessarily related.

One common factor is that they are generally considered hacking malware, opening a backdoor for other malware that captures personal information from the user of the infected PC.

Again I stress the importance of early intervention should one of these trojans infect your PC.

The removal tips at the above web address can be used to fix most early infections by looking for registry (HKEY) references similar to those given for Firefox.

Apple Mac Not Immune to Malware

Apple Macs do get Malware

How often do we still hear Mac users blithely proclaim that they have no need for anti-virus software because Macs don’t get viruses? Well, Mac users, those days are gone for good, if they ever existed at all.

The fact that what some regard as the world’s first virus found in the wild, “Elk Cloner” (1982), was written for the Apple II seems to have slipped people’s minds.

The Unix underpinnings of the Mac operating system perhaps make it harder for malicious persons to write viruses and trojans for Macs. Also, in the old days Mac users were a very small group, mainly professionals in the print and graphics industries, not a big enough target for virus writers to spend their time on.

Mac users have been complacent, secure in the expectation that their systems are safe. At one time I was one of them; I used Macs for years with no AV software installed.

Recent Mac Viruses

Only a few months ago the MacDefender Trojan horse was happily infecting Macs around the world, and just today an article from Sophos Naked Security highlights another Mac trojan, OSX/Revir-B.

These Mac Trojans are not however the end of the story. Consider all the file sharing between Mac and Windows users in the commercial world.

Macs can pass on Windows Malware

How often are files transferred from Mac to Windows platforms? How often are vulnerable removable drives used to transfer those files?

Here is an example:
User A prepares work on a Mac. User A has no anti-virus software because Macs are immune! Unknown to user A, a visit to a website has left a Windows virus or trojan embedded in a Word or Excel file. User A sends the file to user B, a Windows user. User B’s PC gets infected!

Or another example:
User A gets an e-mail containing malware and forwards it to User B. Once again, User B’s PC gets infected.
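A check User A could run before forwarding a Word or Excel file in the first scenario above is to look for VBA macro indicators in the container. The following is an added example, not code from the original post: it inspects Office Open XML packages for a vbaProject.bin part (and the matching content type) and legacy OLE2 files for the UTF-16 storage names Word and Excel use for VBA. The sample documents it builds are constructed in memory and contain no real macro code; the marker lists are assumptions a practitioner would extend.

```python
"""Check an Office document for VBA macro indicators before forwarding it."""
import io
import zipfile

# Office Open XML containers (.docm/.xlsm/.pptm, or a renamed .docx) store
# VBA in a vbaProject.bin part under the application folder.
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OOXML_MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

# Legacy OLE2 (.doc/.xls) files begin with this signature and keep VBA in
# storages whose names appear in the directory as UTF-16LE strings.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_MACRO_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le"))


def macro_indicators(data):
    """Return a list of indicator strings found in the file bytes.

    An empty list means these checks found nothing; it does not prove the
    file is harmless (exploit documents need no macros at all)."""
    found = []
    if data[:8] == OLE_MAGIC:
        for marker in OLE_MACRO_MARKERS:
            if marker in data:
                found.append("ole:" + marker.decode("utf-16-le"))
    elif data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                for part in OOXML_MACRO_PARTS:
                    if part in names:
                        found.append("ooxml:" + part)
                if "[Content_Types].xml" in names:
                    if OOXML_MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                        found.append("ooxml:content-type vbaProject")
        except zipfile.BadZipFile:
            found.append("unreadable zip container")
    return found


def build_constructed_docx(with_macro):
    """Build a minimal OOXML package in memory (constructed sample)."""
    content_types = (
        b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Default Extension="xml" ContentType="application/xml"/>'
    )
    if with_macro:
        content_types += (b'<Override PartName="/word/vbaProject.bin" '
                          b'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def build_constructed_ole():
    """Bytes that look like an OLE2 file carrying a VBA project storage name."""
    return OLE_MAGIC + b"\x00" * 24 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 8


if __name__ == "__main__":
    for label, blob in (("docx", build_constructed_docx(False)),
                        ("docm", build_constructed_docx(True)),
                        ("doc", build_constructed_ole())):
        print(label, macro_indicators(blob) or "no macro indicators")
```

The check is deliberately conservative: it reports what it finds and says nothing about intent, and a clean result only means no VBA container was seen. Run it on the real file with `macro_indicators(open(path, "rb").read())`; anything it flags should be opened with macros disabled, or not at all.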

Mac Users, break the malware chain, get your Macs protected. The days of Mac immunity to malware are gone for ever.

Trojan Horse Generic24

Trojan Generic24 Information

This is a new virus in the wild. Trojan Horse Generic24.cgol is so new that it has not yet been given a common name. Generic24.cgol has already been seen in several versions; the Trend Micro Threat Library and the AVG virus library have as yet no information on this version.

Generic24 is extremely dangerous.

At the time of writing this article (20 Sept 2011), and the one for Graphicline, no known anti-virus application is able to detect the initial infection by Generic24.cgol.

It is only discovered by heuristic scanning, after it has infected the user’s PC. AVG was unable to fully remove the virus; some components had to be removed manually.

An article on PC1News identifies the virus as an internet redirect virus that spreads fake AV software with a single click. However, I consider this information unreliable, contending there is more to the virus than just this. It definitely downloads other malware, including MsSQL database blockers and password blockers. I have not seen any other references to this version spreading fake AV.

The virus, Generic24.cgol, infected my Firefox browser and installed itself in the program folder, in the Documents/Application Settings folders and in the Windows registry.
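The removal tips referred to above work by looking for registry (HKEY) autorun references, and the infection described here lived in the program folder, the profile folders and the registry. The following is an added example of how to triage those references offline, not code from the original post or from the removal tips: it parses a `.reg` export of the Run/RunOnce keys and flags any entry whose command refers to a profile or temp location. The sample export, the key list and the path indicators are assumptions constructed for the example.

```python
"""Triage a .reg export of autorun keys for entries launched from profile paths."""
import re

# A .reg export writes REG_SZ values as  "Name"="data"  with backslashes and
# quotes escaped as \\ and \".  Other value types (dword:, hex:) are skipped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')

# Only keys whose leaf is Run or RunOnce are examined (assumed key set).
AUTORUN_LEAVES = ("\\run", "\\runonce")

# Profile and temp locations that legitimate installers rarely use for
# autoruns.  Assumed indicators; tune for your environment.
SUSPECT_PATH_PARTS = (
    "\\application data\\",
    "\\appdata\\",
    "\\local settings\\",
    "\\temp\\",
    "\\my documents\\",
)

# Constructed sample export; the Dc3.exe entry stands in for the kind of
# dropped file the post describes and is not a real indicator.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Documents and Settings\\user\\Application Data\\svc\\Dc3.exe\" /s"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
'''


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return a list of (key, value_name, data) for every REG_SZ value."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def command_path(command):
    """Best-effort extraction of the executable path from an autorun command."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?:\s|$)', cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def find_suspicious_autoruns(text):
    """Return autorun entries whose command references a profile/temp path."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith(AUTORUN_LEAVES):
            continue
        lowered = data.lower()
        if any(part in lowered for part in SUSPECT_PATH_PARTS):
            hits.append({"key": key, "name": name,
                         "path": command_path(data), "command": data})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_autoruns(SAMPLE_EXPORT):
        print(hit["key"], hit["name"], "->", hit["path"])
```

To use it on a real machine, export the keys with `reg export` (which writes UTF-16LE with a byte-order mark, so read the file with `encoding="utf-16"`) and pass the text to `find_suspicious_autoruns`. The path heuristic will not flag an entry that points into Program Files, which is one of the places the infection described here installed itself, so entries there still need to be compared against the software you know you installed.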

Sources for this Trojan

The Generic24 trojan may infect your PC via an e-mail containing a link to a website from which the trojan downloads, or by clicking on a link to a website.

It is possible Generic24 is sent deliberately by malicious persons via e-mail, and may carry an e-mail worm component. There is too little definitive information available at present to do anything but advise extreme caution.

Generic24 Removal

For removal information please refer to graphicline.co.za (removing-trojan-generic24cgol).

IMPORTANT – CHANGE ALL ONLINE PASSWORDS (from a machine you know to be clean; a keystroke logger still present on the infected PC would capture the new ones)

Completely remove trojan

Generic24 Trojans are typically hacking related.

The trojan, or at least this version, poses an active security risk. It may automatically download other malware, including files masquerading as Dc#.exe (# = various numbers) as well as a Linux/Unix database-blocking virus.
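Files named on the Dc#.exe pattern are easy to hunt for across the folders where this infection dropped its components. The following is an added example, not code from the original post: it walks the given roots, matches the name pattern case-insensitively, and records the size and SHA-256 of each hit so the files can be compared across machines or submitted to an AV vendor. The directory tree it builds is constructed for the example and holds placeholder bytes, not malware.

```python
"""Locate Dc#.exe-style files under a set of roots and hash them for triage."""
import hashlib
import os
import re
import tempfile

# "Dc" followed by one or more digits and the .exe extension, any case.
DC_NAME_RE = re.compile(r'^dc\d+\.exe$', re.I)


def sha256_of(path):
    """Stream the file through SHA-256 so large droppers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dc_executables(roots):
    """Walk each root; return sorted [(path, size, sha256)] for matching files."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if DC_NAME_RE.match(name):
                    full = os.path.join(dirpath, name)
                    hits.append((full, os.path.getsize(full), sha256_of(full)))
    return sorted(hits)


def build_constructed_tree():
    """Create a throwaway tree with two matching and two non-matching files.

    Constructed sample: the contents are placeholder bytes, not real binaries."""
    base = tempfile.mkdtemp(prefix="dc_triage_")
    layout = {
        os.path.join("Application Data", "svc", "Dc3.exe"): b"MZ-constructed-1",
        os.path.join("Local Settings", "Temp", "dc12.EXE"): b"MZ-constructed-2",
        os.path.join("Program Files", "App", "DcPlus.exe"): b"not-a-match",
        os.path.join("Program Files", "App", "Dc3.dll"): b"not-a-match",
    }
    for rel, body in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    for path, size, digest in find_dc_executables([build_constructed_tree()]):
        print(f"{digest}  {size:>8}  {path}")
```

A name match is a lead, not proof: legitimate software can use similar names, so the hash is what you compare against other infected machines or send to the vendor, and the file should be copied for analysis rather than executed.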

Generic24.cgol may include a keystroke logger, and it definitely tries to actively prevent password changes.

One significant result of the infection was my website graphicline.co.za becoming corrupted. As a normal procedure after any keystroke logger or spyware problem, I change any recently used passwords. When I changed the passwords for my website login I was still unaware that the anti-virus scans had not fully removed the infection, and after logging out of the site I was unable to log back in again. (More on this.) Eventually, after several failed log-in attempts, the entire CMS website crashed…

NOTE: graphicline.co.za has been completely restored (database, CMS and all active files) from a known-clean backup stored remotely; lost content has been replaced manually, and the site is safe to visit.

AVG Anti Virus almost useless

AVG Antivirus Review

It may seem late to write a review of an application (AVG 2011) whose 2012 version is already available. One thing is certain: I will not be purchasing AVG 2012…

I have used AVG 2011 since December 2010. It is fair to say I am not impressed. In less than a month, 127 viruses and 3 trojan horses slipped through the app’s internet security features, one of which was serious.

So what use are the various built-in utilities: Online Shield, Link Scanner, Anti-Spyware, and then there’s another utility called Resident Shield…? None of these is worth having. Sorry, I forgot: Online Shield did detect one instance of malware (another trojan horse) and stopped it before it installed itself! Not bad, 1 out of 130, less than 1% effective…

Of note, only one of these bugs was new; the rest date back to 2005/6, if not earlier.

Before I continue, I must give the application one very big plus.

A Big Plus for AVG 2011 AV Scanner

After reading the following comments one might find it strange that I have something good to say about the application – I do:
It found the worst virus I have come across since MS Blaster: Trojan Generic24.cgol. No, it did not stop the virus getting in (none of the AV apps appear to be doing so at the moment), but it FOUND IT when a full scan was performed, which, from research conducted over the past several days, many of the competitors’ apps are not doing. It also removed the basic virus file, even if the residual and secondary infections needed manual removal; that is unfortunately often the case with the Trojan Generic24 family of viruses.

Credit is given where due!

However, in general

AVG 2011 has been a waste of money

I can accept a free application missing some bugs, or even a commercial release failing to stop a new virus or other malware, at least until the manufacturer catches up and provides the updates.

However, when I pay for a product that claims to have more than 100 million satisfied users, I expect it to work, reliably…
