Spyware, Viruses, & Security forum

General discussion

VIRUS ALERTS - January 24, 2008

by Marianna Schmudlach / January 23, 2008 2:15 PM PST
Troj/BhoDro-Fam
by Marianna Schmudlach / January 23, 2008 2:16 PM PST

Name: Troj/BhoDro-Fam
Type: Trojan

Affected operating systems: Windows

Side effects:
Downloads code from the internet
Installs itself in the Registry
Monitors browser activity
Installs a browser helper object

Protection available since: 24 January 2008

http://www.sophos.com/security/analyses/trojbhodrofam.html

Troj/Zlob-AHS
by Marianna Schmudlach / January 23, 2008 2:18 PM PST

Troj/Rootkit-BV
by Marianna Schmudlach / January 23, 2008 2:19 PM PST

Troj/Agent-GNJ
by Marianna Schmudlach / January 23, 2008 2:20 PM PST

Name: Troj/Agent-GNJ
Type: Trojan

Affected operating systems: Windows

Side effects:
Downloads code from the internet
Installs itself in the Registry

Aliases: TrojanDownloader:Win32/Worbom.A

Protection available since: 24 January 2008

http://www.sophos.com/security/analyses/trojagentgnj.html

Troj/Dropper-TI
by Marianna Schmudlach / January 24, 2008 12:02 AM PST

W32/Sdbot-DJV
by Marianna Schmudlach / January 24, 2008 12:04 AM PST

JS/Dloadr-BHJ
by Marianna Schmudlach / January 24, 2008 12:05 AM PST

BetterInternet-Installer
by Marianna Schmudlach / January 24, 2008 12:06 AM PST

Troj/Agent-GNL
by Marianna Schmudlach / January 24, 2008 12:07 AM PST

Troj/Agent-GNM
by Marianna Schmudlach / January 24, 2008 12:09 AM PST

JS/Dloadr-BHW
by Marianna Schmudlach / January 24, 2008 12:10 AM PST

Mobile worm infects Nokia phones
by Marianna Schmudlach / January 24, 2008 12:55 AM PST

Report of 24.01.2008

Antivirus vendor Fortinet has issued an alert about a new mobile phone worm that spreads through MMS messages. The Beselo.A virus can only infect mobiles that run the Symbian S60 operating system, which includes many recent Nokia phones. It continues to spread from the infected mobiles by attempting to send itself as an installation file (SIS) to all of the contacts in the phone's address book. According to the alert, it then appears as Beauty.jpg, Sex.mp3 or Love.rm. Because Symbian identifies files based on their content and not their file extension, the installation dialogue starts once the file is opened. However, the victim has to confirm several times before the actual malware functions are executed.

http://www.heise-security.co.uk/news/102327

Free virus scanner for Macs: ClamXav 1.1
by Marianna Schmudlach / January 24, 2008 12:58 AM PST

Whether with useless anti-spyware or Trojans in video codecs on pornographic sites, criminal gangs on the internet are now attacking Mac users too. Some renowned antivirus software makers do of course have products for the Mac OS X in their portfolio, but these cost a fair bit. ClamXav, which has now appeared in version 1.1, provides a user interface for the free, open-source virus scanner ClamAV, which also accompanies it in an updated version.



ClamXav is aimed at users who don't want to mess about with ClamAV on the command line and who are unwilling to pay for an anti-virus product. The program also includes a background process called Sentry that can monitor specific folders and automatically check all files arriving in them. In the change log, the developers list many cosmetic changes to the software in its current version. They provide archives for Mac OS 10.5, 10.4 and 10.3. The new version already has a link on the web site, but clicking it results in an error message from the server. The developers say this may be a bandwidth problem with the provider.

http://www.heise-security.co.uk/news/102377

Symbian Malware Gives Love (and Beauty, and Sex) a Bad Name
by Marianna Schmudlach / January 24, 2008 1:02 AM PST

January 24th, 2008 by Dianne Lagrimas
A new Symbian malware detected by Trend Micro as SYMBOS_BESELO.A attempts to spread what appears to be the good stuff via Bluetooth and Multimedia Messaging Service (MMS) messages. Disguised as a picture or a multimedia file, it uses any of the following file names to spread to other mobile phones:

beauty.jpg
love.rm
sex.mp3

Notice the file extensions? Do not be deceived because in reality, these are .SIS files, the typical installer files used in mobile technology. Aside from using enticing file names, the disguised file extensions help in effecting its successful installation.

http://blog.trendmicro.com/

Namedropping MSN Worm Also a Polyglot
by Marianna Schmudlach / January 24, 2008 1:03 AM PST

A new worm detected as WORM_IRCBOT.SN is currently making its rounds via MSN Messenger. In some instances, it drops popular social networking sites' names MySpace and Facebook as it spreads itself. It sends any of the following messages together with a link where the picture referred to in the messages can be "viewed" by its recipients:

can i throw this picture of you and me on myspace?
Wanna see my pictures before i send em to facebook?
can I throw this picture of us on my facebook.. please?
I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
do I look dumb in this picture? I want to put it on myspace.
do you think I look ugly in this pic? its one of my new ones too Sad
hey i found your picture on hotornot.com! I swear its you!
OMG, i found ur pic on cuteornot.com! im not kidding either!!!
jesus this person really looks like you!
This picture isnt you? right? lol

More: http://blog.trendmicro.com/

W32.Korron.A
by Marianna Schmudlach / January 24, 2008 1:05 AM PST

Discovered: January 24, 2008

Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

W32.Korron.A is a worm that spreads through removable drives and lowers security settings.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-012415-0905-99

W32.Uporesc
by Marianna Schmudlach / January 24, 2008 1:07 AM PST

W32/IRCBot-ZY
by Marianna Schmudlach / January 24, 2008 1:50 AM PST

Mal/Behav-187
by Marianna Schmudlach / January 24, 2008 1:52 AM PST

W32/Bckdr-QLH
by Marianna Schmudlach / January 24, 2008 1:53 AM PST

Troj/Vipdata-A
by Marianna Schmudlach / January 24, 2008 1:54 AM PST

Troj/MVMBind-A
by Marianna Schmudlach / January 24, 2008 1:55 AM PST

JS/Dload-AU
by Marianna Schmudlach / January 24, 2008 1:56 AM PST

Troj/Ovdoz-A
by Marianna Schmudlach / January 24, 2008 5:06 AM PST

Troj/Banker-EKN
by Marianna Schmudlach / January 24, 2008 5:07 AM PST

Symb/Beselo-A
by Marianna Schmudlach / January 24, 2008 5:09 AM PST

Troj/Dropper-TJ
by Marianna Schmudlach / January 24, 2008 5:10 AM PST

Symb/Beselo-B
by Marianna Schmudlach / January 24, 2008 5:11 AM PST

New generation of Commwarrior
by Marianna Schmudlach / January 24, 2008 5:27 AM PST

24 January 2008

Just to prove it is not about to retire any time soon, another Commwarrior variant has struck again. In fact, two new variants have been received (detection for which has been added as Symb/Beselo-A and Symb/Beselo-B) - both of which are reported to be in the wild [1].

Like previous members of the Commwarrior family, these new Beselo variants use Bluetooth and MMS functionality for spreading. Initial analysis also suggests the worm attempts to copy itself to flash memory cards inserted into the device. The worms run on Symbian S60-enabled devices (including Nokia 6600, 6630, 6680, 7610, N70 and N72 phones).

A slight twist in these variants is the use of misleading file extensions - Beselo sends itself out as a SIS file in messages using file extensions such as .jpg, .mp3 and .rm. Despite the fact that the Symbian OS correctly identifies the file type by its content (therefore alerting the user with an installation prompt), some users have clearly been fooled by the use of harmless file extensions.

Once installed, Beselo creates the following files:

c:\system\data\[random_chars].exe
c:\system\data\[random_chars].dat
c:\system\data\[random_chars].ini

Beselo sends itself to numbers obtained from the device phone book, and also to numbers it generates itself. Sent MMS messages have the following characteristics:

More: http://www.sophos.com/security/blog/2008/01/1013.html
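
Added example (not part of the quoted Sophos, Trend Micro or heise reports): a Python check that a mail or MMS gateway could run to apply the content-over-extension identification those reports describe, flagging an attachment named like a picture or audio file whose header is a Symbian SIS installer. The UID constants are assumed from the file(1) magic database, and the function names and sample headers are constructed for illustration.

```python
import struct

# UID values for Symbian installation files as listed in the file(1) magic
# database (an assumption of this example; they do not appear on the page).
LEGACY_SIS_UID3 = 0x10000419   # pre-9.x SIS: third little-endian UID, offset 8
LEGACY_SIS_UID2 = {0x1000006D: "EPOC release 3/4/5", 0x10003A12: "EPOC release 6"}
SISX_UID1 = 0x10201A7A         # Symbian OS 9.x SIS: first UID, offset 0

# Extensions that claim passive media content, including those Beselo used.
MEDIA_EXTENSIONS = {"jpg", "jpeg", "mp3", "rm", "gif", "png", "3gp"}


def sis_kind(data):
    """Describe the installer format if the bytes start like a SIS file, else None."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == SISX_UID1:
        return "SIS (Symbian OS 9.x)"
    if len(data) >= 12:
        _uid1, uid2, uid3 = struct.unpack_from("<III", data, 0)
        if uid3 == LEGACY_SIS_UID3:
            return "SIS (%s)" % LEGACY_SIS_UID2.get(uid2, "unknown release")
    return None


def check_attachment(filename, data):
    """Flag attachments whose name claims media but whose content is an installer."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sis_kind(data)
    if kind is None:
        return {"file": filename, "verdict": "ok", "content": None}
    verdict = "disguised-installer" if ext in MEDIA_EXTENSIONS else "installer"
    return {"file": filename, "verdict": verdict, "content": kind}


# Constructed sample headers (not real malware): UID1, UID2, UID3, then padding.
legacy_header = struct.pack("<III", 0x0A0B0C0D, 0x10003A12, 0x10000419) + b"\x00" * 8
sisx_header = struct.pack("<I", SISX_UID1) + b"\x00" * 12
jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8

if __name__ == "__main__":
    samples = [("Beauty.jpg", legacy_header), ("holiday.jpg", jpeg_header),
               ("Love.rm", sisx_header), ("game.sis", legacy_header)]
    for name, blob in samples:
        print(check_attachment(name, blob))
```
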

Best (not to) Buy infected picture frames
by Marianna Schmudlach / January 24, 2008 5:29 AM PST

24 January 2008

We had a couple of queries about the interesting story published yesterday by MSNBC.

It seems that many people, while buying digital picture frames as Christmas presents to their friends and family, bought more than they were hoping for. The stock of electronic retailer Best Buy allegedly contained a significant number of Insignia's digital photo frames (model number NS-DPF10A) infected by a virus. The virus attempted to infect the user's computer when the frame was connected to the computer for transferring photos to the frame.

Insignia has confirmed that some of the frames indeed contained a virus. At the moment, it is not known to us which virus infected the frames, but we will try to get a sample and make sure we detect it. Since not all frames contain the virus, we will not be able to simply buy a frame, as was the case with some previous malware (for example Sony's DRM rootkit).

Most digital photo frames have a USB interface which allows them to appear as removable drives in Windows and to store data, similar to any other USB removable media. In the past we have been writing about viruses affecting USB media and this digital photo frame infection is not much different.

More: http://www.sophos.com/security/blog/2008/01/1012.html
