Malware / (download.ject)


JimmyZ1

Technical User
Mar 31, 2004
Can someone confirm the following news article? I can't find anything on it. It was forwarded from one boss to another till it made it to me, and I can't find anything, so I figured I'd ask you people.


-----------------------------------------------------------

Attack Pierces Fully Patched XP Machines
By Dennis Fisher
August 19, 2004
Security researchers have identified a new version of the Download.Ject attack that is now being used on the Internet and can compromise fully patched Windows XP machines.

The new version of the attack just appeared Thursday afternoon, and while details are still sketchy, experts say its main purpose is to install a back door on compromised PCs. Users victimized by the attack receive an e-mail or an instant message containing a link directing them to a malicious Web page.
The page is being hosted by a number of different sites, all of which share common "whois" information and appear to be deliberately serving the page, according to Thor Larholm, senior security researcher at PivX Solutions LLC, based in Newport Beach, Calif. The Trojan also will change the start page of the infected PC.

Once a user clicks on the link, the Web server attempts to download the back door. Larholm said a PC running a fully patched copy of Windows XP and Internet Explorer 6 will be compromised by the new version of Download.Ject, as will machines running older versions of Windows and IE.

But machines running SP2 (Service Pack 2) for XP are not vulnerable to the new attack. Larholm added that the vulnerabilities exploited in this attack have been known for some time.

"It doesn't use any unknown flaws," he said. "But it's not as automated as it could be. I think it's still evolving. But this clearly has a financial motivation behind it."

The original version of the attack surfaced in late June, and experts said the servers being used to compromise client machines had themselves been compromised and pressed into service.

This time around, the attackers have been able to place their code on a variety of servers, apparently with the owners' knowledge. Some of the sites serving the malicious code are porn sites, and others are advertising servers, Larholm said.

The earlier version of Download.Ject was used to monitor outgoing Web traffic to capture passwords and user IDs for online banking sites and other sensitive data.


Doh!!
 
Another article about this one at
I note in this story that the worm can only infect systems that are not up to date on crits, and it specifically states that those that "...have already installed the recently released Service Pack 2 for Windows XP or the patches contained in MS04-25 should be safe."

Avert rates the worm as "Low-Profiled" due to media attention, and refers to it as "StartPage-EU". There is an Extra.dat presently available to McAfee users on their site.

Content of article below.
______________
New Download.Ject worm variant appears
It infects vulnerable systems with a Trojan horse and keystroke logger


News Story by Jaikumar Vijayan

AUGUST 20, 2004 (IDG NEWS SERVICE) - Users who have not yet installed the three out-of-cycle patches contained in Microsoft Corp.'s July 30 security bulletin MS04-25 now have another reason to do so immediately.

A new version of a worm called Download.Ject takes advantage of one of the flaws fixed by the patches and has begun circulating online, according to Thor Larholm, a researcher at PivX Solutions Inc.

Like its predecessor, the new version of Download.Ject infects vulnerable systems with a Trojan horse and a keystroke logger. But unlike the original worm, which was designed to capture sensitive information such as credit card numbers and ATM codes from infected systems, the new worm generates pop-up advertisements to pornographic sites, Larholm said.

The worm also changes the Web home page and the Internet Explorer search pane on infected systems, Larholm said. A user's regular home page is replaced with a site called TargetSearch and several browser windows with adult advertisements and links to adult sites, a PivX advisory said.

"The worm is still using the same vulnerabilities and the same attack vectors" as its predecessor, Larholm said. Those who have already installed the recently released Service Pack 2 for Windows XP or the patches contained in MS04-25 should be safe.

A link to the Web site hosting the worm arrives as an instant message on AOL Instant Messenger or on ICQ from either a known or unknown source. The message contains a reference and a link to a personal home page. Users who click on the link are directed to a Web site that proceeds to infect their computers, Larholm said.

The worm is relatively easy to modify and may begin spreading via e-mail as well, he said.

PivX, which first discovered the new version yesterday, has informed the major antivirus vendors, which are working to update their virus signatures, Larholm said.

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran