VIRUS \ Spyware ALERTS - October 17, 2008

by Marianna Schmudlach / October 16, 2008 12:27 PM PDT
Troj/Agent-HXV
by Marianna Schmudlach / October 16, 2008 12:28 PM PDT

Troj/PWS-AUK
by Marianna Schmudlach / October 16, 2008 12:29 PM PDT

Troj/PWS-AUL
by Marianna Schmudlach / October 16, 2008 12:29 PM PDT

W32/AutoRun-MB
by Marianna Schmudlach / October 16, 2008 12:31 PM PDT

W32/HostInf-A
by Marianna Schmudlach / October 16, 2008 2:53 PM PDT

Category Viruses and Spyware

Type Worm

W32/HostInf-A is a worm with IRC backdoor functionality for the Windows platform.

W32/HostInf-A modifies the infected computer's hosts file.

W32/HostInf-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run, W32/HostInf-A copies itself to <System>\<temp name>.exe.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32hostinfa.html?_log_from=rss
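The advisory above says only that the worm "modifies the hosts file". The script below is an added example (my own PowerShell, not Sophos code and not from this thread) that reads the local hosts file and lists every mapping that is not one of the stock localhost lines, which is how such a modification shows up on a host. The function name and the two default entries are my assumptions; the path is the standard Windows location.

```powershell
# Added example, not part of the Sophos write-up: list hosts-file entries that are
# not the stock localhost mappings. A HostInf-style change (and the common trick of
# pointing security-vendor domains at a loopback address) shows up as extra lines.
# Read-only; runs in Windows PowerShell 5.1 or PowerShell 7 without elevation.

function Get-NonDefaultHostsEntry {
    param(
        # Standard Windows location; override only for an offline copy of the file.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    # Assumption: a clean hosts file contains nothing but comments and, on older
    # builds, these two mappings.
    $defaultEntries = @('127.0.0.1 localhost', '::1 localhost')

    Get-Content -Path $Path -ErrorAction Stop | ForEach-Object {
        $raw  = $_
        $line = ($raw -replace '#.*$', '').Trim()   # drop comments and whitespace
        if ($line -eq '') { return }                 # 'return' skips this line only
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }          # malformed line: no hostname
        $address = $fields[0]
        # Loopback or unroutable targets mean the name is being blocked;
        # anything else means its traffic is being redirected elsewhere.
        if ($address -match '^(127\.|0\.0\.0\.0$|::1$)') { $effect = 'blocked' }
        else                                            { $effect = 'redirected' }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($defaultEntries -notcontains "$address $name") {
                [pscustomobject]@{
                    Address  = $address
                    HostName = $name
                    Effect   = $effect
                    RawLine  = $raw
                }
            }
        }
    }
}

Get-NonDefaultHostsEntry | Format-Table -AutoSize
```

Any output at all on a machine that has not been deliberately configured with custom hosts entries is worth explaining; a row whose HostName is a security vendor or update domain and whose Effect is "blocked" is the classic sign of malware protecting itself.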

Troj/RootKit-DY
by Marianna Schmudlach / October 16, 2008 2:54 PM PDT

Troj/Agent-HXX
by Marianna Schmudlach / October 16, 2008 2:56 PM PDT

Troj/Agent-HXW
by Marianna Schmudlach / October 16, 2008 2:57 PM PDT

PlayMp3
by Marianna Schmudlach / October 16, 2008 2:58 PM PDT

Troj/Agent-HXY
by Marianna Schmudlach / October 17, 2008 12:41 AM PDT

JS/Psyme-KH
by Marianna Schmudlach / October 17, 2008 12:42 AM PDT

Troj/Zlob-APJ
by Marianna Schmudlach / October 17, 2008 12:43 AM PDT

Troj/Keygen-CN
by Marianna Schmudlach / October 17, 2008 12:44 AM PDT

Troj/IFrame-BH
by Marianna Schmudlach / October 17, 2008 12:45 AM PDT

Troj/FakeVir-GM
by Marianna Schmudlach / October 17, 2008 12:46 AM PDT

Troj/DwnLdr-HJI
by Marianna Schmudlach / October 17, 2008 12:47 AM PDT

Troj/Agent-HXZ
by Marianna Schmudlach / October 17, 2008 12:48 AM PDT

JS/Dload-DZ
by Marianna Schmudlach / October 17, 2008 12:49 AM PDT

CouponBar
by Marianna Schmudlach / October 17, 2008 12:59 AM PDT

Category Adware or PUA

Type Unspecified PUA

App/CoupBar-A is a potentially unwanted application.

When the application is installed, the following files are created:

<Windows>\CBBasis.xml
<Windows>\CBVersion.txt
<Windows>\CouponBarIE.dll
<Windows>\cpbrkpie.ocx
<Windows>\UccSpecB.sys

The files CouponBarIE.dll and cpbrkpie.ocx are registered as COM objects, creating registry entries under:

http://www.sophos.com/security/analyses/adware-and-puas/couponbar.html?_log_from=rss

AntivirusPlasma
by Marianna Schmudlach / October 17, 2008 1:48 AM PDT

Worm:W32/AutoRun.NOI
by Marianna Schmudlach / October 17, 2008 1:55 AM PDT

Name: Worm:W32/AutoRun.NOI
Detection Names: Worm.Win32.AutoRun.noi

Aliases:
W32/Autorun-jl (Sophos)
Generic.dx trojan (McAfee)
WORM_AUTORUN.RC (Trend Micro)
W32.SillyFDC (Symantec)
Worm:Win32/Emold.C (Microsoft)

Type: Worm
Category: Malware

Summary
AutoRun worm.

Additional Details
Worm.Win32.AutoRun.noi creates a copy of itself as the following:

C:\Program Files\Microsoft Common\wuauclt.exe

It creates the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = "%ProgramFiles%\Microsoft Common\wuauclt.exe"

Note: The key is created for automatic execution when explorer.exe is launched.

http://www.f-secure.com/v-descs/worm_w32_autorun_noi.shtml

Troj/JSRedir-D
by Marianna Schmudlach / October 17, 2008 1:56 AM PDT

Troj/JSAdCli-D
by Marianna Schmudlach / October 17, 2008 1:57 AM PDT

Troj/FakeVir-GL
by Marianna Schmudlach / October 17, 2008 1:58 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeVir-GL is a Trojan for the Windows platform.

Troj/FakeVir-GL creates the files:

<Windows>\brastk.exe - detected as Troj/FakeVir-GL
<Windows>\karna.dat - detected as Mal/EncPk-BB
<System>\beep.sys - detected as Mal/FakeAle-C

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
karna.da

HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions
yes

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
brastk
<Windows>\brastk.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirgl.html?_log_from=rss
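The AutoRun.NOI write-up above relies on an Image File Execution Options "Debugger" value for explorer.exe, and the FakeVir-GL write-up on AppInit_DLLs plus a Run key. The script below is an added example (my own PowerShell, not F-Secure, Sophos or CNET code) that audits all three locations read-only and marks the findings a responder would look at first. The function names and the "suspicious" heuristic are my assumptions; the registry paths are the standard ones named in the advisories.

```powershell
# Added example, not part of the F-Secure or Sophos write-ups: read-only audit of the
# three persistence mechanisms those advisories name. Run from a Windows PowerShell
# prompt; elevation is not required for reading, but some IFEO subkeys may be hidden
# from a standard user and are then skipped silently.

function Get-IfeoDebugger {
    # A 'Debugger' value under Image File Execution Options\<program> makes Windows
    # start that value instead of <program>. AutoRun.NOI plants one for explorer.exe.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $value = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($value) {
            [pscustomobject]@{ Mechanism = 'IFEO Debugger'; Target = $_.PSChildName; Value = $value }
        }
    }
}

function Get-AppInitDll {
    # AppInit_DLLs is loaded into every process that maps user32.dll. FakeVir-GL
    # points it at its karna.dat payload. Empty is the expected state.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.AppInit_DLLs) {
        [pscustomobject]@{ Mechanism = 'AppInit_DLLs'; Target = 'all GUI processes'; Value = $props.AppInit_DLLs }
    }
}

function Get-RunKeyEntry {
    # Run keys are legitimate autostart locations, so every entry is listed and the
    # reviewer decides. FakeVir-GL registers 'brastk' -> <Windows>\brastk.exe here.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping members; skip them.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Mechanism = 'Run key'; Target = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

function Get-PersistenceFinding {
    $all = @(Get-IfeoDebugger) + @(Get-AppInitDll) + @(Get-RunKeyEntry)
    foreach ($f in $all) {
        # Heuristic, not a verdict (my assumption): anything in IFEO or AppInit_DLLs is
        # unusual on an end-user machine; a Run entry is flagged when its image sits in
        # a temp/profile folder or in the fake 'Microsoft Common' directory the
        # AutoRun.NOI sample uses. brastk.exe under <Windows> passes this test, which
        # is why the full Run list is still printed below rather than filtered.
        $suspicious = (($f.Mechanism -ne 'Run key') -or ($f.Value -match '\\(Temp|AppData|Microsoft Common)\\'))
        $f | Add-Member -NotePropertyName Suspicious -NotePropertyValue $suspicious -PassThru
    }
}

Get-PersistenceFinding | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Reading the output: an IFEO Debugger on a shell or system binary such as explorer.exe is almost never legitimate outside a developer's machine, and a non-empty AppInit_DLLs value should name a DLL you can account for. For Run entries, compare each Value against the file on disk (publisher signature, location, creation time) before deciding.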

Troj/FakeAV-EV
by Marianna Schmudlach / October 17, 2008 1:59 AM PDT

Troj/FakeAv-EU
by Marianna Schmudlach / October 17, 2008 2:00 AM PDT

Troj/Dloadr-BVY
by Marianna Schmudlach / October 17, 2008 2:01 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Dloadr-BVY is a Trojan for the Windows platform.

Troj/Dloadr-BVY includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Dloadr-BVY is installed it creates the file <Temp>\wewt0.bat.

Registry entries are created under:

HKCU\Software\Applications
HKCR\multimediaControls.chl\CLSID

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbvy.html?_log_from=rss

Troj/Dloadr-BVX
by Marianna Schmudlach / October 17, 2008 2:02 AM PDT

Troj/Banker-ENU
by Marianna Schmudlach / October 17, 2008 2:03 AM PDT

Troj/JSRedir-C + Mal/EncPk-CZ.
by Marianna Schmudlach / October 17, 2008 2:06 AM PDT

Crafty little redirect

17 October 2008

As discussed previously, redirection - the ability to guide/control user traffic - plays a critical role in today's malware [1]. In this post I will describe a crafty way of redirecting users from a web page. Not new by any means, but seen again recently in the distribution of fake alert malware.

Our favourite-fake-alert-attackers have uploaded a whole series of malicious web pages packed with enticing keywords intended to catch user traffic. Numerous domains have been used, including some that were hosted on AOL servers [2]. Many of the pages follow standard templates, so are visually very similar:

More: http://www.sophos.com/security/blog/2008/10/1865.html
