Virus masquerading as Kav av

Discussion in 'malware problems & news' started by Tinribs, Aug 22, 2002.

  1. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    *It seems I have posted this in the wrong forum, if someone could do the honours! :oops: *

    Kaspersky Labs warns computer users of a massive mailing of the
    Trojan-style malicious program, TrojanDownloader.Win32.Apher. Presently
    there have already been several registered reports of infection.

    The Trojan is sent out by an anonymous evildoer using an anonymous
    e-mail address from a public access e-mail service. The messages
    themselves have a spoofed address showing the sender as
    info@microsoft.com. The infected message has the following attributes:

    ________________________________

    From: info@microsoft.com
    Subject: Protect Your NetWare with Kaspersky Anti-Virus
    Attachment: AAprices.exe

    Kaspersky Labs, an international data-security software developer,
    announces the official release of Kaspersky Anti-Virus 4.0. "We are
    pleased to present the latest version of our anti-virus product. The
    unique technology, updated design, and perfected administering system
    integrated into Kaspersky Anti-Virus 4.0 is the result of many years of
    work dedicated to improving the ease of working with the program and
    increasing computer defense reliability," said Natalya Kaspersky,
    Kaspersky Labs CEO. The new Kaspersky Anti-Virus version (Personal Pro,
    Personal, Lite) fully supports the Microsoft Windows XP operating
    system. Amongst this version's latest innovations are: a complete user
    interface upgrade corresponding to Tree Chart technology; perfected
    system installation that allows for saving the configuration of
    previously installed versions, and a quarantine feature for isolating
    infected and suspicious objects; expanded treatment of infected archived
    files; an added function for the treatment of Microsoft Outlook Express
    and objects upon system start up and also a memory scanning of active
    applications; and simplified operating features for disk recovery.

    Best regards,
    If you have any questions
    please call
    +1(866) 7280-290
    ____________________________________

    If the attached file is accidentally opened "Apher" automatically
    initiates a connection with a remote web site. From this site a utility
    enabling the control of the virus "Backdoor.Death.25" is loaded on the
    infected machine. In turn, this program permits the evildoer to
    clandestinely manage an infected computer, to view and send out
    confidential information, and create, copy and delete files in addition
    to much more.
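    As an added example (not from the thread, Kaspersky or Sophos), a Python triage check for the two indicators the alert gives for this mailing: a From header whose domain does not match the envelope sender, and an executable attachment. The sample message is constructed; its Return-Path, the .invalid domains and the body are placeholders, while From, Subject and the attachment name follow the alert.

```python
from email import message_from_string
from email.utils import parseaddr

# Executable attachment types worth holding when they arrive unsolicited;
# the Apher mailing described in the alert used AAprices.exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}

def sender_domain(header_value):
    """Return the lowercase domain of an address header ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def triage(raw):
    """Return the reasons a message should be held; [] means no hit."""
    msg = message_from_string(raw)
    reasons = []
    from_dom = sender_domain(msg.get("From"))
    path_dom = sender_domain(msg.get("Return-Path"))
    # The alert says the From: showed info@microsoft.com while the mail was
    # sent through a public web-mail service; on the wire that is a mismatch
    # between the From header domain and the envelope sender domain.
    if from_dom and path_dom and from_dom != path_dom:
        reasons.append(f"From domain {from_dom} != envelope domain {path_dom}")
    for part in msg.walk():
        name = part.get_filename()
        if name and any(name.lower().endswith(e) for e in EXECUTABLE_EXTS):
            reasons.append(f"executable attachment {name}")
    return reasons

# Constructed sample, not a captured message: From, Subject and attachment
# name follow the alert; Return-Path, .invalid domains and body are placeholders.
SAMPLE = """\
Return-Path: <someone@webmail.example.invalid>
From: info@microsoft.com
Subject: Protect Your NetWare with Kaspersky Anti-Virus
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="AAprices.exe"
Content-Disposition: attachment; filename="AAprices.exe"

TVo=
--b1--
"""

if __name__ == "__main__":
    for reason in triage(SAMPLE):
        print("HOLD:", reason)
```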
     
  2. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    ;) Hi Tinribs! Kaspersky should maybe take a look at their recently "fired" list. Looks like someone is out for revenge?

    This might be a job for Mike Lin's Startup Monitor!
     
  3. FanJ

    FanJ Guest

    Troj/Apher-A

    Name: Troj/Apher-A
    Type: Trojan
    Date: 22 August 2002


    At the time of writing Sophos has received just one report of
    this Trojan from the wild.

    Note: This IDE includes detection for Troj/Apher-A and
    Troj/Death-25-J.

    Description
    Troj/Apher-A is a Trojan which will download and install Troj/Death-25-J.

    Troj/Death-25-J is a backdoor Trojan. When run the Trojan will copy itself to C:\windows\system\vbwinsok.exe and set the following registry keys to point to this file:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vbwinsok.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vbwinsok.exe

    More information about Troj/Apher-A can be found at
    http://www.sophos.com/virusinfo/analyses/trojaphera.html
     