(C)onficker Working Group

Conficker, also known as Downup, Downandup, Conflicker, and Kido, is a computer worm that surfaced on November 21st, 2008 as Conficker.A and targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta. The latest variant (Conficker.C) will begin checking for a payload to download on March 31st, 2009. The Conficker.A and Conficker.B variants continue to check for payloads, each using its own distinct domain generation algorithm.

Windows 95 Virus “Boza” Announced

It would appear that an Australian “hacker” may have created the first computer virus specifically targeted at Microsoft’s Windows 95, according to British researchers. The virus can corrupt executable programs and potentially spread to other computers. It is allegedly the first virus written specifically for Windows 95.

Although the virus doesn’t appear to be well written, “Boza will go down in history,” according to the Associated Press (AP) and British anti-virus specialist Paul Ducklin. Analysts have named the virus “Boza” after a Bulgarian liquor “so powerful that just looking at it will give you a headache,” Ducklin said. Fortunately for Windows 95 users, the virus also does not appear particularly contagious if proper precautions are taken. The risk lies in the sharing of software programs, which is already illegal (and certainly unwise) in most countries. To infect another user’s machine, that user would have to be given an infected program and then run it. The program could then infect that host machine and begin to replicate.

Ducklin said Boza is not generally being distributed on networks or among users’ personal computers. So far, it appears to be circulating mainly among anti-virus researchers. Software has reportedly already been developed to destroy it. Computer analysts do not know who made the virus, although there may be a clue in one of the messages that Boza can display on computer screens: “VLAD Australia does it again with the world’s first Win95 virus.” VLAD is thought by anti-virus analysts to be a Bulgarian-based international group of virus writers who have previously developed several insidious and destructive pieces of computer code.

Anti-virus investigators say that they are concerned that Microsoft released Windows 95 in August without any sort of anti-virus program that could detect and kill 32-bit viruses. Boza is allegedly written specifically to corrupt 32-bit programs, like those of Windows 95. According to other press reports, Microsoft already had to fight an unconfirmed, but widely distributed, report that at least one version of Windows 95 came with a virus already on the installation diskettes. ERRI again reminds computer users to practice “safe computing”: back up frequently, don’t share copyrighted programs, and run a competent anti-virus program on a constant basis.

(c) EmergencyNet News Service, 1996, All applicable rights reserved.

more about oneha|f

come and join if you are a person interested in malware research, love systems programming, bang your head against asm instructions, and anything else related to the depths of systems programming …

malware research is an interesting area … we will learn about extreme programming concepts, nice techniques, and go in depth on computer networks and the computer itself …

the main reason for creating this group is to unite people in this arena … please, no spammers, no script kiddies, no junkies … you can only join through people who are already in the group …

the group is highly moderated … the reason is … we don’t want to allow someone to come and sniff our messages, ask for tutorials, or look for exploit code … please don’t bug us … we are already busy! …

you can reach this group at http://groups.google.com/group/onehalf

and the web blog is at http://oneh.wordpress.com

VXers slap copyright notices on malware

Malware authors have lifted a page from the legit software industry’s rule book and are slapping copyright notices on their Trojans.

One Russian-based outfit has claimed violations of its “licensing agreement” by its underworld customers will result in samples of the knock-off code being sent to anti-virus firms.

The sanction was spotted in the help files of a malware package called Zeus, detected by security firm Symantec as “Infostealer Banker-C”. Zeus is offered for sale on the digital underground, and its creators want to protect their revenue stream by making the creation of knock-offs less lucrative.

The copyright notice, a reflection of a lack of trust between virus creators and their customers, is designed to prevent the malware from being freely distributed after its initial purchase. There’s no restriction on the number of machines miscreants might use the original malware to infect.

Virus writers are essentially relying on security firms to help them get around the problem that miscreants who buy their code to steal online banking credentials have few scruples about ripping it off and selling it on.

In a blog posting, Symantec security researchers have posted screen shots illustrating the “licensing agreement” for Infostealer Banker-C.

The terms of this licensing agreement demand that clients promise not to distribute the code to others, and that they pay a fee for any update to the product that doesn’t involve a bug fix. Reverse engineering of the malware code is also verboten.

“These are typical restrictions that could be applied to any software product, legitimate or not,” writes Symantec researcher Liam O’Murchu, adding that the most noteworthy section deals with sanctions for producing knock-off code (translation below).

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.

Despite the warning, copies of the malware were traded freely on the digital underground days after its release, Symantec reports. “It just goes to show you just can’t trust anyone in the underground these days,” O’Murchu notes.