News Archives

Kaspersky Lab, a leading developer of secure content management systems, reports detection of Virus.Win32.Induc.a, a virus that spreads via CodeGear Delphi, an integrated software development environment. Protection from the latest threat is already available in all Kaspersky Lab products. Virus.Win32.Induc.a takes advantage of the two-step mechanism used in the Delphi environment to create executable files. The source code is first compiled to produce intermediate .dcu (Delphi compiled unit) files, which are then linked to create Windows executables.

The new virus activates when an infected application is launched. It then checks whether Delphi development environment versions 4.0, 5.0, 6.0 or 7.0 are installed on the computer. If the software is detected, Virus.Win32.Induc.a compiles the Delphi source file Sysconst.pas, producing a modified version of the compiled file Sysconst.dcu.

Practically all Delphi projects include the clause “uses SysConst”, which means that infecting this one system module infects every application under development. In other words, the modified SysConst.dcu file causes all subsequent programs built in the infected environment to contain the code of the new virus. The modified .pas file is no longer required and is deleted.
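A build-environment integrity check for the mechanism described above, added here as an example and not code from Kaspersky or the page: it baselines the compiled units in a Delphi Lib directory (an assumed location; the demo uses a constructed temporary directory) and reports any unit whose hash has changed, plus any stray .pas source dropped beside the units.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the trusted Delphi Lib directory holds only vendor .dcu files.
# Induc-style tampering replaces SysConst.dcu there, so a hash change on a
# vendor unit is a build-toolchain compromise signal, not a routine edit.

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(lib_dir: Path) -> dict:
    """Record a hash for every compiled unit in a known-clean Lib directory."""
    return {p.name.lower(): hash_file(p) for p in lib_dir.glob("*.dcu")}

def verify(lib_dir: Path, base: dict) -> list:
    """Return (finding, file) pairs: changed/added/missing units, source in Lib."""
    findings = []
    current = {p.name.lower(): hash_file(p) for p in lib_dir.glob("*.dcu")}
    for name, digest in current.items():
        if name not in base:
            findings.append(("unexpected_unit", name))
        elif base[name] != digest:
            findings.append(("modified_unit", name))
    for name in base:
        if name not in current:
            findings.append(("missing_unit", name))
    # A .pas file next to the compiled units is abnormal for a vendor Lib
    # directory; the virus writes one there before compiling it.
    for p in lib_dir.glob("*.pas"):
        findings.append(("source_in_lib", p.name.lower()))
    return findings

def demo() -> list:
    """Constructed scenario: clean baseline, then SysConst.dcu is replaced."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d)
        (lib / "SysConst.dcu").write_bytes(b"clean compiled unit")
        (lib / "SysUtils.dcu").write_bytes(b"another clean unit")
        base = baseline(lib)
        (lib / "SysConst.dcu").write_bytes(b"compiled unit with extra init code")
        (lib / "Sysconst.pas").write_text("unit SysConst; end.")
        return verify(lib, base)
```

In practice the baseline is taken right after a clean install and checked before each build, so an altered unit is caught before it is linked into shipped executables.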

The virus is not currently a threat – there is no destructive behavior apart from infection. It is most probably intended for demonstration and testing of a new infection routine. The absence of a destructive payload, the infection of several versions of the popular instant messaging client QIP and the usual practice of publishing .dcu files by developers has already led to Virus.Win32.Induc.a becoming widespread throughout the world. It is very likely that in future it will be picked up and tweaked by cybercriminals to make it more destructive. Kaspersky Lab solutions successfully detect Virus.Win32.Induc.a and treat both compiled Delphi files and Windows executables.

FIXES:

1. A problem with system instability after a long period of program operation has been fixed.
2. An error causing a BSOD while updating the emulator driver has been fixed.
3. A pop-up message in the URL checking module has been fixed (Spanish version).
4. A problem with pausing the scan task while third-party programs are running in full-screen mode has been fixed.
5. A problem with the update task freezing at system startup has been fixed.
6. A vulnerability that allowed computer protection to be disabled using an external script has been eliminated.
7. A driver crash occurring in rare cases while processing a write operation has been fixed.
8. A crash while processing data that does not comply with the Mail.Ru Agent protocol has been fixed.

If you do not have the software, please visit our eStore.

Kaspersky AV 6.0 for Linux file server starts beta test

Kaspersky Lab, a leading producer of secure content management solutions, announces the beta-version release of Kaspersky Anti-Virus for Linux File Server 6.0.

Malicious programs are capable of passing through Linux file servers before targeting other components of a heterogeneous network including workstations running Microsoft Windows. Although they may be renowned for their reliability, Linux operating systems still require protection. Every year, there is an increase in the amount of malware being developed for Linux systems.

Kaspersky Anti-Virus for Linux File Server 6.0 is a solution offering antivirus protection to the vast majority of Linux file servers. It supersedes two earlier products – Kaspersky Anti-Virus for Linux File Server 5.7 and Kaspersky Anti-Virus for Samba Server 5.5, combining their functionalities with a number of new capabilities.

The architecture of Kaspersky Anti-Virus for Linux File Server 6.0 provides multi-layered protection for file systems in Linux/heterogeneous networks, functioning simultaneously on the entire file system level and on the Samba server level.

The product offers a substantially wider set of management solutions. Kaspersky Web Management Console, the new web-based interface, provides full-scale management capabilities available from any computer via a web browser. The final release of the product will support all centralized management services via Kaspersky Administration Kit.

Kaspersky Anti-Virus for Linux File Server 6.0 supports all modern 32-bit and 64-bit distributions of Linux-family operating systems, including Red Hat, Fedora, SUSE, openSUSE, Debian GNU/Linux, and Ubuntu. Another improvement on the previous product versions is the added support of Novell Open Enterprise Server 2 and Novell NSS, making it easier for Novell NetWare users to migrate to the new operating system.

Kaspersky Lab invites all Linux file server users to participate in the beta testing of Kaspersky Anti-Virus for Linux File Server 6.0. The company’s developers are interested in receiving constructive feedback about all aspects of the product, especially the new features. All users are welcome to send their feedback to linuxfs@kaspersky.com. Please ensure that any feedback addresses both the product and Kaspersky Web Management Console.

Kaspersky roots out MBR rootkit

Kaspersky Lab, a leading developer of secure content management solutions, has implemented detection and treatment for a new variant of a unique MBR rootkit.

The new variant of Sinowal, a malicious program that is capable of hiding its presence in the system by infecting the Master Boot Record (MBR) on the hard drive, was detected by the company’s experts at the end of March 2009.

Throughout 2008, Kaspersky Lab’s analysts provided detailed reports about other variants of this rootkit: in the first quarterly report on malware evolution (http://www.viruslist.com/en/analysis?pubid=204792002) and in the article “Bootkit: the challenge of 2008” (http://www.viruslist.com/en/analysis?pubid=204792044).

However, the new variant has come as a surprise for researchers. Unlike earlier versions, the new modification, Backdoor.Win32.Sinowal, penetrates much deeper into the system to avoid being detected. The stealth method used in this variant hooks device objects at the operating system’s lowest level. This is the first time cybercriminals have used such sophisticated technologies.

This explains why no antivirus products could treat computers infected with the new Sinowal modification or even detect it when it first appeared. Once the bootkit penetrates the system, it conceals the payload’s activities, which are designed to steal user data and various account details.

According to Kaspersky Lab’s experts, over the last month the bootkit has been actively spreading from a number of malicious sites running the Neosploit exploit kit. In particular, it can penetrate a system via a vulnerability in Adobe Acrobat Reader that allows a malicious PDF file to be downloaded without the user’s knowledge.

Implementing detection and treatment for the bootkit, which is still spreading throughout the Internet, is the most difficult task that antivirus specialists have faced for a number of years. Kaspersky Lab was one of the first major antivirus vendors to incorporate both detection and successful treatment for the new Sinowal modification in its personal antivirus solutions.

To check whether the bootkit has infected a computer, users must update their antivirus databases and perform a complete system scan. If the bootkit is detected, the computer will need to be rebooted during the treatment process.

Kaspersky Lab specialists also recommend that users install all the necessary patches to close vulnerabilities in Acrobat Reader (http://www.adobe.com/support/security/bulletins/apsb09-04.html) and in any browsers that they use.

Kaspersky co-founder wins Russian ICT prize

Eugene Kaspersky, the co-founder and CEO of IT security firm Kaspersky Lab, has won the State Prize of the Russian Federation for Science and Technology, the company announced Thursday.

The award will be presented in the Kremlin on 12 June, 2009 by President Dmitry Medvedev.

The State Prize for Science and Technology is conferred annually to Russian citizens by the President of the Russian Federation for outstanding work, discoveries and achievements that enrich both Russian and world science and that make significant contributions to the advancement of science and technology.

The Russian Federation State Prize is the highest Russian award conferred to individuals for services to society and the state. Laureates receive prize money, a diploma and a medal with an accompanying certificate.

“I would like to express my deepest gratitude to President Dmitry Medvedev for the great honor he has bestowed upon me, and to the team that has supported me over the 20 years I have devoted to IT security research. I am convinced that Russian science has enormous potential and is capable of making a huge impact on the world’s hi-tech markets. I hope that the example set by our company will encourage the many talented researchers capable of contributing to Russia’s scientific renown and help cultivate a thriving hi-tech industry in the country,” says Eugene Kaspersky, CEO of Kaspersky Lab.

Eugene Kaspersky graduated from the Institute of Cryptography, Telecommunications and Computer Science. He began studying computer viruses in 1989 after the Cascade virus was detected on his computer. From 1991 to 1997 Eugene worked at the KAMI Information Technologies Center where he developed the AVP antivirus project with a group of associates (AVP was renamed Kaspersky Anti-Virus in November 2000). Eugene Kaspersky co-founded Kaspersky Lab in 1997, and in 2007 Eugene was named CEO of Kaspersky Lab.

Today, Eugene Kaspersky is one of the world’s leading antivirus experts, with 20 years of experience in the field of information security. He regularly speaks at seminars and conferences all over the world, and is the author of a number of articles and reviews covering topics related to computer virology.

Today, Kaspersky Lab is among the top five vendors of information security solutions in the world. The company’s products and technologies are used by over 250 million people worldwide. The Kaspersky Lab group of companies is headquartered in Moscow, has five regional divisions and numerous local offices throughout the world.

Kaspersky Lab detects new version of Conficker worm

Kaspersky Lab, a leading developer of secure content management solutions, announces that a new version of the malicious program Kido (aka Conficker and Downadup) has been detected.

Kaspersky said computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P on April 8-9, telling infected machines to download new malicious files.

The latest Conficker variant differs significantly from previous variants: the malware is now once again a worm. Initial analyses suggest it has date-limited functionality until May 3, 2009.

In addition to downloading updates for itself, Conficker also downloads two new files to infected machines. One is a rogue antivirus application (detected as FraudTool.Win32.SpywareProtect2009.s) that is being spread from sites located in Ukraine. Once activated, the program offers to delete “detected viruses” for a charge of $49.95.

The second file that Conficker downloads to infected systems is Email-Worm.Win32.Iksmas.atz. This email worm is also known as Waledac, and is able to steal data and send spam. When this malicious program was first detected in January 2009, many IT experts noted the similarity between Conficker and Iksmas. The Conficker epidemic was mirrored by an email epidemic of a similar scale caused by Iksmas.

“Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received commands to send out spam mailings. In just 12 hours, one bot alone sent out 42,298 spam messages,” Aleks Gostev, head of Kaspersky Lab’s Global Research and Analysis Team, said in comments about the current situation.

“Virtually every email contained a unique domain. This was obviously done to prevent anti-spam filters from detecting the mass mailings using methods that analyze the frequency with which a specific domain is used. Overall, we detected the use of 40,542 third-level domains and 33 second-level domains. Virtually all of these sites are located in China and are registered in the names of various people, most probably invented.

“A simple calculation shows that one Iksmas bot sends out around 80,000 emails in 24 hours. Assuming that there are 5 million infected machines out there, the botnet could send out about 400 billion spam messages over a 24-hour period!”
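The evasion described in the quote above, that each message carries a unique third-level host so per-domain frequency counters never trip, can be countered by collapsing hosts to their registrable domain before counting. The following is an added example with constructed sample URLs, not code from Kaspersky or the page; it assumes plain two-label registrable domains.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: six messages, each linking to a distinct third-level
# host, but only two second-level domains behind them (the Iksmas pattern).
SAMPLE_URLS = [
    "http://a1x.example-one.cn/promo",
    "http://b7q.example-one.cn/promo",
    "http://c3z.example-one.cn/promo",
    "http://d9k.example-two.cn/promo",
    "http://e2m.example-two.cn/promo",
    "http://f5p.example-two.cn/promo",
]

def collapse(host: str, levels: int) -> str:
    """Keep only the last `levels` labels of a host (2 = second-level domain).
    Assumes a two-label registrable domain; suffixes such as co.uk would need
    a public-suffix list, which is out of scope here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-levels:])

def domain_frequency(urls, levels=None) -> Counter:
    """Count full hosts (levels=None) or collapsed domains across the URLs."""
    counts = Counter()
    for url in urls:
        host = urlparse(url).hostname
        if not host:
            continue
        key = host.lower() if levels is None else collapse(host, levels)
        counts[key] += 1
    return counts

def bulk_domains(urls, threshold: int, levels=None) -> list:
    """Domains seen at least `threshold` times, sorted for stable output."""
    freq = domain_frequency(urls, levels)
    return sorted(d for d, n in freq.items() if n >= threshold)
```

Counting full host names never exceeds one hit per domain, so a threshold of three flags nothing; counting by second-level domain flags both parents.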

Kaspersky Lab is currently carrying out a detailed analysis of the new Kido variant. The company’s experts are working on a new version of the KKiller utility, taking into account the specific functionality of the latest version of the worm.

Users of Kaspersky Lab products have no cause for concern – the new version of the Kido worm (Net-Worm.Win32.Kido.js) has been detected heuristically from the outset (as HEUR:Worm.Win32.Generic), as has the variant of Iksmas that it downloads.