Antivirus companies warn users about the dangerous payload of the Grew/Nyxem/Blackmal worm. On February 3, 2006 and on the 3rd month thereafter, or 30 minutes after the computer has been restarted, it is scheduled to delete and overwrite common document files (.DOC, .XLS, .PPT, .ZIP and others) with the string “DATA Error [47 0F 94 93 F4 K5]”.

Also, it disables the mouse and the keyboard, deletes files and registry entries of antivirus products, and closes AV windows so that users can’t use them.

Trend Micro’s description for this worm is here.

Best bet: update your AV product then perform a full scan on all of your hard drives. Back up your important or sensitive documents.

Thanks to Rocky for pointing another desperate attempt to steal Yahoo! login credentials. This link is sent via Yahoo! Messenger. Here’s how the page looks like:

(Click the image to enlarge)

Take note of the URL and the usual Yahoo! Geocities ads at the right.

When a user enters his credentials and clicks on Sign In, the trouble begins. The user is directed at another page of similar nature, only that the pictures are different.

Same link, different page. When you try logging in again, you are directed to an login error message page.

So what happens to the data entered? Now, when you click on Sign In for the first time, Internet Explorer’s status bar displays this:

It is sent to a CGI script! Uh oh. The URL of the CGI script is not apparent when you view the HTML source, since the link was encoded using HTML hexadecimal notation. We can suppose that the CGI script is a mailing script, where it sends the stolen info to an email address which was encoded in the HTML form using the tag. In this image, I highlighted the relevant info that made me arrive at the supposition made earlier.

In the form tag, there is an ACTION attribute, and it is set to a long series of characters in HTML hexadecimal notation. It points to the link you saw in the status bar image. There are four INPUT tags of type HIDDEN – that means these form objects are not visible to the user. Take note of the one whose value is set to a certain email address.

The link was spread via Yahoo! Messenger. Maybe it was a social engineering technique – one user enticing another to send the link. Maybe it was a malware that was somehow capable of interfacing with YM. Checking on the address bar of the browser is no guarantee. There are very good phishing sites that are able to interpose a window so that the true URL is hidden.

Good thing Yahoo! Geocities is ad-supported.

Be careful, again.

In a blog, a group of hackers known as “Bantown” has hacked “900,000 LJ accounts” to demonstrate that LiveJournal (LJ) is susceptible to cross-site scripting (XSS) through JavaScript. As an LJ user, this is troubling. While LJ claims that these holes were plugged, Bantown claims there are several holes still unplugged.

One of LJ’s solution is to use a new user subdomain.

LJ users: either have a backup blog (try Blogspot, or WordPress.com) or back up your entries. As on how to back up your entries: frankly, the only way I know is copy-paste. Also, Multiply has a feature where you can import your LJ blog to your Multiply blog (if you have an account).

The blog entry is here. Said link is also quoted at the LJ Infosec community.

Trying out the LiveJournal Crossposter plugin.

View the cross-post here.

What would you do if you find yourself having bought a new cellphone that was the first and the last in line?

Introducing the Nokia 7710:
Continue reading →

Some people just love stealing Yahoo! accounts. Continue reading →