VIRUS \ SPYWARE ALERTS - July 8, 2009

by Marianna Schmudlach / July 8, 2009 12:06 AM PDT
Troj/Delarm-F
by Marianna Schmudlach / July 8, 2009 12:07 AM PDT
Mal/Xpaj-A
by Marianna Schmudlach / July 8, 2009 12:08 AM PDT
W32/Autorun-ALD
by Marianna Schmudlach / July 8, 2009 12:09 AM PDT
Troj/SWFDlr-O
by Marianna Schmudlach / July 8, 2009 12:10 AM PDT
Troj/FakeAle-OJ
by Marianna Schmudlach / July 8, 2009 12:10 AM PDT
Troj/Dropr-BH
by Marianna Schmudlach / July 8, 2009 12:11 AM PDT
Troj/Agent-KLG
by Marianna Schmudlach / July 8, 2009 12:12 AM PDT
JS/Agent-KLE
by Marianna Schmudlach / July 8, 2009 12:13 AM PDT
JS/Agent-KLD
by Marianna Schmudlach / July 8, 2009 12:13 AM PDT
Suspicious.S.MLApp
by Marianna Schmudlach / July 8, 2009 12:21 AM PDT

Discovered: July 7, 2009
Updated: July 7, 2009 9:23:29 PM
Type: Misleading Application
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Suspicious.S.MLApp is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-070721-0807-99

Trojan-Downloader:W32/Mebroot.gen!B
by Marianna Schmudlach / July 8, 2009 12:24 AM PDT

Name: Trojan-Downloader:W32/Mebroot.gen!B
Category: Malware
Type: Trojan-Downloader
Platform: W32

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Additional Details
Trojan-Downloader:W32/Mebroot.gen!B is a Generic Detection that identifies the downloader program responsible for fetching the Mebroot installer.

The downloader is known to be distributed to users via a malicious website (drive-by download) or via an exploit.

When active, the downloader downloads an encrypted file on port 443 or 80 from:

* http://bcoxgcgxes.com (encrypted file)

where (encrypted file) is a defined string. This string is unique in every sample.

Once downloaded, the encrypted file is first saved in allocated memory, where it is decrypted, then saved to a file in a temporary folder. The file is then executed.

The encrypted file is encrypted with an RC2 encryption algorithm. The Cipher Hash that is used in the decryption is based on a defined string that is also unique in every sample.

http://www.f-secure.com/v-descs/trojan-downloader_w32_mebroot_gen!b.shtml

Activity Monitor
by Marianna Schmudlach / July 8, 2009 12:26 AM PDT

Category: Adware or PUA
Type: System Monitor
Affected operating systems: Windows

"Activity Monitor" is a system monitoring application from www.softactivity.com.

The default installation location is:

<Program Files>\SoftActivity

The following files and folders will also be typically created:

<Start Menu\Programs>\Activity Monitor
<Start Menu\Programs>\Activity Monitor\Activity Monitor.lnk
<Start Menu\Programs>\Activity Monitor\Activity Monitor Help.lnk
<Start Menu\Programs>\Activity Monitor\Activity Monitor website.lnk
<Start Menu\Programs>\Activity Monitor\Purchase Activity Monitor.lnk
<Start Menu\Programs>\Activity Monitor\Uninstall Activity Monitor.lnk
<Start Menu\Programs>\Activity Monitor\SoftActivity Log Viewer.lnk
<Desktop>\Activity Monitor.lnk
<User>\Application Data\Softativity
<User>\Application Data\Softativity\alist.dat

Registry entries are created under:

HKCR\SoftActivity Log
HKCR\.salog
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{142E758E-2AC3-443A-A549-7E6A036285A2}_is1
HKCU\Software\Softactivity
HKCU\Toolbars state\BCGPBaseControlBar-157
HKCU\Toolbars state\BCGPControlBar-157

Activity Monitor provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "Activity Monitor 4.4".

http://www.sophos.com/security/analyses/adware-and-puas/activitymonitor.html

CasOnline!5c5a907e332c
by Marianna Schmudlach / July 8, 2009 12:32 AM PDT

Type: Program
SubType: -
Discovery Date: 07/08/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

System Changes

These are general defaults for typical path variables (although they may differ, these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files were analyzed:

* %USERPROFILE%\local settings\temp\5c5a907e332cd4bfeb00dbf47c31a1f1.exe

http://vil.nai.com/vil/content/v_175413.htm

Adware-TryMedia!b4abfb6c52a1
by Marianna Schmudlach / July 8, 2009 12:33 AM PDT

Type: Program
SubType: Adware
Discovery Date: 07/08/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

System Changes

These are general defaults for typical path variables (although they may differ, these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files were analyzed:

* %USERPROFILE%\local settings\temp\b4abfb6c52a168a1d00feef03e47384d.exe

http://vil.nai.com/vil/content/v_175377.htm

Trojan.Dozer
by Marianna Schmudlach / July 8, 2009 2:23 AM PDT

Discovered: July 8, 2009
Updated: July 8, 2009 3:05:27 PM
Type: Trojan
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Trojan.Dozer is a Trojan horse that performs distributed denial of service (DDoS) attacks.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-070814-5311-99

Troj/Inject-ID
by Marianna Schmudlach / July 8, 2009 2:28 AM PDT
Troj/Iframe-CJ
by Marianna Schmudlach / July 8, 2009 2:29 AM PDT
Troj/Dloadr-CPR
by Marianna Schmudlach / July 8, 2009 2:30 AM PDT
Troj/BankPh-Gen
by Marianna Schmudlach / July 8, 2009 2:30 AM PDT
Troj/Badsrc-F
by Marianna Schmudlach / July 8, 2009 2:31 AM PDT
Troj/Agent-KLK
by Marianna Schmudlach / July 8, 2009 2:32 AM PDT
Troj/Agent-KLJ
by Marianna Schmudlach / July 8, 2009 2:33 AM PDT
Troj/Agent-KLI
by Marianna Schmudlach / July 8, 2009 2:33 AM PDT
Troj/Agent-KLH
by Marianna Schmudlach / July 8, 2009 2:35 AM PDT
Troj/Dloadr-CPM
by Marianna Schmudlach / July 8, 2009 5:53 AM PDT
Troj/Agent-KLQ
by Marianna Schmudlach / July 8, 2009 6:02 AM PDT
Troj/Agent-KLP
by Marianna Schmudlach / July 8, 2009 6:03 AM PDT
Troj/Agent-KLN
by Marianna Schmudlach / July 8, 2009 6:04 AM PDT
Troj/Agent-KLM
by Marianna Schmudlach / July 8, 2009 6:05 AM PDT
Troj/Agent-KLL
by Marianna Schmudlach / July 8, 2009 6:05 AM PDT