Spyware, Viruses, & Security forum


VIRUS \ SPYWARE ALERTS - July 31, 2009

by Marianna Schmudlach / July 30, 2009 11:30 PM PDT
Troj/Bckdr-QXH
by Marianna Schmudlach / July 30, 2009 11:31 PM PDT
Troj/Agent-KRX
by Marianna Schmudlach / July 30, 2009 11:31 PM PDT
Mal/BHO-S
by Marianna Schmudlach / July 30, 2009 11:32 PM PDT
Troj/PcClien-ND
by Marianna Schmudlach / July 30, 2009 11:33 PM PDT
Troj/Patcher-G
by Marianna Schmudlach / July 30, 2009 11:34 PM PDT
Troj/DwnLdr-HVA
by Marianna Schmudlach / July 30, 2009 11:34 PM PDT
Troj/Agent-KSB
by Marianna Schmudlach / July 30, 2009 11:35 PM PDT
Troj/Agent-KSA
by Marianna Schmudlach / July 30, 2009 11:36 PM PDT
Troj/AdClick-FS
by Marianna Schmudlach / July 30, 2009 11:37 PM PDT
Mal/ObfJS-CC
by Marianna Schmudlach / July 30, 2009 11:37 PM PDT
TROJ_DLOADR.AQJ.
by Marianna Schmudlach / July 30, 2009 11:39 PM PDT

Sly Spam Run Targets Hotmail Users

by JM Hipolito (Technical Communications)

Hotmail users need to be wary about a malicious spam run that specifically targets users of the said webmail.

Senior Security Analyst Rik Ferguson reports that the spam messages arrive with text indicating that they have file attachments that are image files in the JPEG format. In truth, however, the file names of the attachments are actually links that connect to shortened URLs, which in turn connect to malicious URLs.

Connecting to the malicious URLs, which are now blocked, leads to the download of the malicious file fotos.com, which is now detected as TROJ_DLOADR.AQJ. The said file, in turn, downloads a wide variety of information-stealing malware. The malicious URLs and files are all blocked through the Trend Micro Smart Protection Network.

Quite noteworthy is the fact that the links were crafted to, at first glance, look very similar to how file attachments are displayed in most emails. An envelope-shaped icon is even seen at the side of each of the links, which is typical for file attachments.

However, there are also noticeable differences between such spam email and a legitimate email message, which users must watch out for should they receive a suspicious email message.

More: http://blog.trendmicro.com/
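The post describes links whose visible text looks like a JPEG attachment while the href goes to a URL shortener. The following is an added example (not from the post or from Trend Micro) of a mail-filter check for that pattern; the shortener host list and the sample message body are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser

# Shortener hosts to treat as suspicious (assumed list for this example).
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd", "goo.gl", "ow.ly"}
IMAGE_NAME = re.compile(r"\.(jpe?g|png|gif|bmp)$", re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of an absolute URL, lower-cased; '' if the URL has none."""
    m = re.match(r"^[a-z][a-z0-9+.\-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def fake_attachment_links(html_body):
    """Hrefs whose link text reads like an image file name but whose target
    is a URL shortener: the attachment look-alike pattern from the post."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [href for href, text in collector.links
            if IMAGE_NAME.search(text) and host_of(href) in SHORTENERS]

# Constructed sample message body (not a real spam sample).
SAMPLE_BODY = """<p>Here are the photos from the weekend!</p>
<a href="http://bit.ly/abc123"><img src="cid:envelope.gif"> fotos1.jpg</a><br>
<a href="http://tinyurl.com/xyz"><img src="cid:envelope.gif"> fotos2.JPG</a><br>
<a href="http://www.example.com/album">view the album</a>"""
```

Running `fake_attachment_links(SAMPLE_BODY)` flags the two shortener links and leaves the ordinary album link alone.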

SnadBoy
by Marianna Schmudlach / July 30, 2009 11:41 PM PDT

Aliases

* PWCrack-SnadBoy
* PSWTool.Win32.SnadBoy.2011

Category

* Adware or PUA

Type

* Unspecified PUA


Affected operating systems: Windows

SnadBoy is a hack tool for the Windows platform.

When SnadBoy is installed it creates the following files and folders:

<PROGRAM FILES>\SnadBoy's Revelation v2\RevelationHelper.dll
<PROGRAM FILES>\SnadBoy's Revelation v2\Revelation.exe
<PROGRAM FILES>\SnadBoy's Revelation v2\INSTALL.LOG

C:\Documents and Settings\All Users\Start Menu\Programs\SnadBoy's Revelation v2\Revelation.lnk

The following registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SnadBoy's Revelation v2

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\SnadBoy's Revelation v2

HKCU\Software\SnadBoy Software\Revelation

http://www.sophos.com/security/analyses/adware-and-puas/snadboy.html

BlogChina
by Marianna Schmudlach / July 30, 2009 11:42 PM PDT
HotActionDating Dialler
by Marianna Schmudlach / July 30, 2009 11:42 PM PDT
Ilomo
by Marianna Schmudlach / July 30, 2009 11:44 PM PDT

Type
Trojan
SubType
Win32

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted, or may use other tools to assist in spreading. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics

--Update on July 31, 2009--

The new variant is found downloading components that steal credential information, including components that monitor online banking in order to steal bank account information. It also downloads a password recovery program to retrieve passwords from a number of applications.

More: http://vil.nai.com/vil/content/v_138472.htm

W32/Rustock.gen.a
by Marianna Schmudlach / July 30, 2009 11:45 PM PDT
Adware-Addestination.dll!ff22af2354f3
by Marianna Schmudlach / July 30, 2009 11:46 PM PDT

Type
Program
SubType
Adware
Discovery Date
07/31/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Avert

Generic PUP.x!c!b073ad79e820
by Marianna Schmudlach / July 30, 2009 11:47 PM PDT

Type
Program
SubType
-
Discovery Date
07/31/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Avert

W32/Daum-A
by Marianna Schmudlach / July 31, 2009 12:31 AM PDT
W32/Autorun-ANH
by Marianna Schmudlach / July 31, 2009 12:32 AM PDT
Troj/PWS-BCJ
by Marianna Schmudlach / July 31, 2009 12:33 AM PDT
Troj/Mdrop-CEL
by Marianna Schmudlach / July 31, 2009 12:34 AM PDT
Troj/Dropr-BJ
by Marianna Schmudlach / July 31, 2009 12:34 AM PDT
Troj/Agent-KSC
by Marianna Schmudlach / July 31, 2009 12:35 AM PDT
Troj/Agent-KRZ
by Marianna Schmudlach / July 31, 2009 12:36 AM PDT
Mal/BKitDrp-A
by Marianna Schmudlach / July 31, 2009 12:37 AM PDT
- Panda Security's weekly report on viruses and intruders -
by Marianna Schmudlach / July 31, 2009 3:34 AM PDT

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week's PandaLabs report looks at the Koobface.EA worm, designed to
spread using Facebook, the Pidief.A Trojan, which takes advantage of an
Adobe vulnerability to infect users, and P2Pworm.BJ, a worm designed to
steal the information entered on online forms.

To spread via Facebook, the Koobface.EA worm publishes a video on the
infected users' Facebook page, for all their friends and contacts to see
it. On trying to watch the video, users are redirected to a page similar
to YouTube's.

Then, they are asked to download an Adobe Flash version necessary to
watch the video. This file is actually a copy of the worm.

To make the attack even more dangerous, the worm downloads another
malicious code to the infected computer: the AntiSpyware Pro 2009 fake
antivirus. This malicious adware simulates a fake system scan detecting
dozens of actually non-existing malware strains. Then, it offers users
the option to eliminate them using a paid version of the fake antivirus.
As you can see, the objective is to get financial returns from this
malicious code.

You can find images of the infection process here:
http://www.flickr.com/photos/panda_security/tags/koobfaceea/

The Pidief.A Trojan uses the Adobe CVE-2009-1862 vulnerability to infect
users. The exploit takes advantage of a known vulnerability when trying
to open a PDF document with an embedded flash object.

The Acrobat file viewer has a feature to run flash objects included in
.PDF files. Thanks to the authplay.dll library, the file reader can open
the flash viewer and display the content. In this case, the information
sent to the viewer includes the instruction to download a malware file
(Trj/Pidief.A). Then, no flash object is displayed to the user.

Pidief.A can be used by its creator to download more malware to the
affected computer, or to gain total or partial control of the infected
system.

P2Pworm.BJ is a worm designed to steal the information entered on online
forms through the Internet Explorer and Firefox browsers.

The worm uses the following means to spread:

- Peer-to-peer (P2P) file sharing programs: It creates copies of itself
in the shared directories of several programs (Ares, BearShare, Emule,
Imesh and Shareaza).

The users of these programs can access the shared directories remotely
and download some of the files belonging to P2Pworm.BJ to their
computers.

- Removable drives: It copies itself to the RECYCLER folder of removable
drives. Also, it creates an AUTORUN.INF file on these drives to run
every time they are accessed.

- MSN Messenger: It sends messages with a copy of itself to the user's
contacts connected at the time of the infection.

More information about these and other malicious codes is available in
the Panda Security Encyclopedia
(http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/)
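The report says P2Pworm.BJ copies itself into the RECYCLER folder of removable drives and drops an AUTORUN.INF that runs it on access. The following is an added example (not from the report or from Panda Security) that parses an AUTORUN.INF and flags launch keys pointing into RECYCLER or at an executable, which is what a removable-media check would look for; the sample files, paths and SID are constructed for the example.

```python
import os
import re

# Keys whose value Windows AutoPlay/Explorer can execute: open, shellexecute,
# and shell\<verb>\command (the rest of the section only sets icons, labels etc).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js)(\s|$)", re.IGNORECASE)

def parse_autorun(text):
    """Key/value pairs of the [autorun] section of an AUTORUN.INF.
    Section and key names are matched case-insensitively; others are ignored."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_findings(text):
    """Launch keys that point into a RECYCLER folder or at an executable,
    i.e. the removable-drive pattern described in the report above."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not LAUNCH_KEY.match(key):
            continue
        if "recycler" in value.lower() or EXECUTABLE_EXT.search(value):
            findings.append(f"{key} runs {value}")
    return findings

def scan_drive_root(root):
    """Findings for the AUTORUN.INF at a drive root (e.g. 'E:\\'); [] if none."""
    path = os.path.join(root, "AUTORUN.INF")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="latin-1", errors="replace") as fh:
        return autorun_findings(fh.read())

# Constructed sample in the style of a removable-drive worm (made-up SID/path).
WORM_STYLE = r"""[AutoRun]
open=RECYCLER\S-1-5-21-0-0-0-1000\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=RECYCLER\S-1-5-21-0-0-0-1000\update.exe
"""
# Constructed benign sample: only a custom icon and volume label.
BENIGN = r"""[autorun]
icon=drive.ico
label=Holiday Photos
"""
```

`autorun_findings(WORM_STYLE)` reports both launch keys while `BENIGN` produces nothing, so the check does not fire on drives that merely set an icon.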
