06/26/2012

Backdoor.Zemra

Type:  Trojan
Discovered:  26.06.2012
Updated:  26.06.2012
Affected systems:  Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
AV Vendor:  Symantec

Description:

When the Trojan is executed, it creates the following files:
  • %UserProfile%\Application Data\wscntfy.exe
  • %Program Files%\Common Files\lsmass.exe

Next, it deletes the following files:
  • %Windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.212.730029
  • %Windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.740.735006
  • %Windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.740.734996
  • %Windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.212.729999
  • %UserProfile%\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.212.730149
  • %UserProfile%\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.740.735197

The Trojan then modifies the following file:
%System%\wbem\Logs\FrameWork.log

Next, the Trojan creates the following registry entries so that it executes whenever Windows starts:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Windows-Network Component" = "%Program Files%\Common Files\lsmass.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows-Audio Driver" = "%UserProfile%\Application Data\wscntfy.exe"

It then creates the following registry entry to add itself to the list of applications authorized by the Windows firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\"%UserProfile%\Application Data\wscntfy.exe" = "%UserProfile%\Application Data\wscntfy.exe:*:Enabled:Windows-Audio Driver"

It also creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"EnableBalloonTips" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSID}\"IsInstalled" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CLSID}\"StubPath" = "%UserProfile%\Application Data\wscntfy.exe -r"

The Trojan creates the following mutex to ensure that only one copy of itself executes:
Global\CLR_RESERVED_MUTEX_NAME

Next, the Trojan sends system information to a remote location, including:
  • Computer name
  • Language
  • OS version

It then opens a back door on TCP port 7710 to receive commands from the following remote command-and-control (C&C) server:
[http://]zemra-panel.ru/gate[REMOVED]

The Trojan then downloads files onto the compromised computer and saves them to the following locations:
  • %UserProfile%\Application Data\Microsoft\CryptnetUrlCache\MetaData\[THREAT FILE NAME]
  • %UserProfile%\Application Data\Microsoft\CryptnetUrlCache\Content\[THREAT FILE NAME]
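The indicators above can be turned into a host check. The PowerShell script below is an added example, not Symantec's or this page's own code; it assumes %UserProfile%\Application Data corresponds to $env:APPDATA and %Program Files%\Common Files to $env:CommonProgramFiles, and it only reports findings, it removes nothing.

```powershell
# Added example (not from the page or Symantec): report Backdoor.Zemra indicators on this host.
# Assumes %UserProfile%\Application Data = $env:APPDATA, %Program Files%\Common Files = $env:CommonProgramFiles.
$findings = @()

# Dropped files
foreach ($f in @((Join-Path $env:APPDATA 'wscntfy.exe'), (Join-Path $env:CommonProgramFiles 'lsmass.exe'))) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# Autostart values (key -> value name) the Trojan writes
$runValues = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run' = 'Windows-Network Component'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                   = 'Windows-Audio Driver'
}
foreach ($key in $runValues.Keys) {
    $name = $runValues[$key]
    $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($v) { $findings += "autostart '$name' = '$($v.$name)' in $key" }
}

# Firewall exception keyed on the dropped file, and UAC switched off (EnableLUA = 0)
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like '*\wscntfy.exe') { $findings += "firewall-authorized app: $($p.Name) = $($p.Value)" }
    }
}
$lua = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system' -Name EnableLUA -ErrorAction SilentlyContinue
if ($lua -and $lua.EnableLUA -eq 0) { $findings += 'EnableLUA = 0 (UAC disabled)' }

# Active Setup StubPath pointing at the dropped file; the {CLSID} is not known, so every component is scanned
foreach ($c in (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' -ErrorAction SilentlyContinue)) {
    $stub = (Get-ItemProperty -Path $c.PSPath -Name StubPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -like '*wscntfy.exe*') { $findings += "Active Setup StubPath '$stub' in $($c.PSChildName)" }
}

# Single-instance mutex named in the write-up
$m = $null
if ([System.Threading.Mutex]::TryOpenExisting('Global\CLR_RESERVED_MUTEX_NAME', [ref]$m)) {
    $findings += 'mutex Global\CLR_RESERVED_MUTEX_NAME is held'
    $m.Dispose()
}

if ($findings.Count -eq 0) { 'No Backdoor.Zemra indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM policy and firewall keys are readable; a hit on any one indicator is reason to pull the host for a full examination, since the Trojan also disables UAC and opens TCP port 7710.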
