VIRUS ALERTS - May 7, 2007

by Marianna Schmudlach / May 6, 2007 11:47 PM PDT

W32/Rbot-GOT

Alert ID : FrSIRT/ALRT-2007-03119
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

W32/Rbot-GOT is a worm with IRC backdoor functionality for the Windows platform.

References

http://www.sophos.com/virusinfo/analyses/w32rbotgot.html

Credits

Reported by Sophos

Troj/BagleDl-CP
by Marianna Schmudlach / May 6, 2007 11:49 PM PDT
Troj/VB-DUF
by Marianna Schmudlach / May 6, 2007 11:50 PM PDT
Troj/Singu-AV
by Marianna Schmudlach / May 6, 2007 11:51 PM PDT

Alert ID : FrSIRT/ALRT-2007-03116
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

Troj/Singu-AV is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

References

http://www.sophos.com/virusinfo/analyses/trojsinguav.html

Credits

Reported by Sophos

Troj/Dloadr-AYB
by Marianna Schmudlach / May 6, 2007 11:52 PM PDT
Troj/Keygen-BH
by Marianna Schmudlach / May 6, 2007 11:53 PM PDT

Alert ID : FrSIRT/ALRT-2007-03114
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

Troj/Keygen-BH is a Trojan for the Windows platform. Troj/Keygen-BH is used to generate registration keys for Ethno World 3.

References

http://www.sophos.com/virusinfo/analyses/trojkeygenbh.html

Credits

Reported by Sophos

Troj/Hupigo-CIR
by Marianna Schmudlach / May 6, 2007 11:54 PM PDT

Alert ID : FrSIRT/ALRT-2007-03112
Aliases : Backdoor.Win32.Hupigon.cir
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

Troj/Hupigo-CIR is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

References

http://www.sophos.com/virusinfo/analyses/trojhupigocir.html

Credits

Reported by Sophos

Troj/Zlob-ACI
by Marianna Schmudlach / May 6, 2007 11:56 PM PDT

Type Trojan

Troj/Zlob-ACI is a downloader Trojan for the Windows platform.

Troj/Zlob-ACI may attempt to masquerade as an installer for a video codec "Video AX Object".

When run, Troj/Zlob-ACI may create registry entries under:
HKCU\Software\Protection Tools\

Protection available since 7 May 2007

http://www.sophos.com/security/analyses/trojzlobaci.html

MadCodeHook!mem
by Marianna Schmudlach / May 6, 2007 11:57 PM PDT

Alert ID : FrSIRT/ALRT-2007-03111
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

This is a heuristic detection of code hooks created by a package called MadCodeHook. This package can be used for hooking various user mode APIs. McAfee Avert Labs has observed that the APIs provided by this package are in some cases also used to hide malware.

References

http://vil.nai.com/vil/content/v_142162.htm

Credits

Reported by McAfee

WORM_SDBOT.EPZ
by Marianna Schmudlach / May 6, 2007 11:58 PM PDT

Alert ID : FrSIRT/ALRT-2007-03110
Aliases : N/A
Size : 1388544 bytes (compressed) and 3227648 bytes (uncompressed)
Rated as : Low Risk
Release Date : 2007-05-07


Description

This worm arrives on a system as a dropped or downloaded file of other malware. It can also arrive as a file downloaded by unsuspecting users when visiting malicious Web sites.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.EPZ

Credits

Reported by Trend Micro

W32.Rahiwi.A
by Marianna Schmudlach / May 6, 2007 11:59 PM PDT
More IE7 Beta spam/malware
by Marianna Schmudlach / May 7, 2007 1:14 AM PDT

Published: 2007-05-07, Last Updated: 2007-05-07 15:01:20 UTC
by Johannes Ullrich (Version: 1)

A new wave of "Internet Explorer 7.0 Beta" spam is currently being reported. All link to an "update.exe" file, which is hosted on various URLs. The e-mail message is adopting spam methods by "hiding" the image link among chunks of text copied from web sites.

Characteristics:
From: admin@microsoft.com
Subject: Internet Explorer 7.0 Beta

URLs we have seen so far (but there are likely many more):

It doesn't look like a feasible idea to block all these sites. However, you probably should filter e-mail from 'admin@microsoft.com' (that particular "From" address has been used in the past).

update.exe itself is a downloader which will install a second stage binary upon execution.

http://isc.sans.org/
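A message-filtering check in the spirit of the diary's advice, added here as an example and not part of the ISC post or the forum thread: it flags the recommended From address and, more generally, any message whose claimed microsoft.com sender links to an executable hosted on some other domain. Both sample messages are constructed and the hostname is a placeholder; `assess_message` and `BLOCKED_SENDERS` are names assumed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; the host is a placeholder, not a real site.
SAMPLE_LURE = """From: admin@microsoft.com
Subject: Internet Explorer 7.0 Beta
Content-Type: text/plain

Get the new Internet Explorer 7.0 Beta: http://placeholder-host.example/images/update.exe
The quick brown fox jumps over the lazy dog (filler text copied from unrelated web pages).
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """From: newsletter@example.org
Subject: Weekly digest
Content-Type: text/plain

Read this week's articles at http://www.example.org/digest/2007-05-07
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
BLOCKED_SENDERS = {"admin@microsoft.com"}        # the From address the diary recommends filtering

def assess_message(raw, spoofed_domains=("microsoft.com",)):
    """Return the reasons a message matches the IE7 Beta lure pattern; [] means no match."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")  # text/plain only
    reasons = []
    if sender in BLOCKED_SENDERS:
        reasons.append(f"sender {sender} is on the block list")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # The campaign's tell: a claimed microsoft.com sender linking to an .exe on unrelated hosts.
        if parsed.path.lower().endswith(".exe") and sender_domain in spoofed_domains \
                and not (host == sender_domain or host.endswith("." + sender_domain)):
            reasons.append(f"executable {parsed.path.rsplit('/', 1)[-1]} hosted off-domain at {host}")
    return reasons

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN)):
        print(label, assess_message(raw) or "no match")
```

The From header is trivially forged, so the off-domain executable link is the more durable signal; pair it with SPF or DKIM results on the real gateway rather than relying on the address alone.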

W32/WBoy
by Marianna Schmudlach / May 7, 2007 1:18 AM PDT

First Report: 2007-05-07 15:32
Last Update: 2007-05-07 16:07

Aliases: I-Worm/Luder
TR/Luder.Patched.84
Trojan.Mnless.ktj
Trojan.Starter.171
W32.Whybo
W32.Whybo!inf
W32/Agent.33!tr
W32/WBoy
Win32.KLdown.b
Win32.Luder.Gen
Win32/Agent.AMB
Win32/Luder.Gen
Win32:Small-EVF
Worm.Win32.Small.r
Worm/Generic.AYY

W32/WBoy is basically an internet worm, but as a side effect it modifies 32-bit PE files with a pointer to a malicious file.

Detection was added to cover protection against 32-bit PE files using variable names such as, but not limited to, rhbbt.exe, sxjxt.exe and svchost.exe, and having a file size of 10.473 bytes decimal. The files are internally compressed with the FSG packer.

Upon execution it runs silently; no GUI message boxes appear. It immediately removes itself from the location it was initially run from. It copies itself to numerous files; in testing it copied itself to over 30 files with random filenames but byte-identical content.

It not only copies itself to numerous files, it also tries to modify 32-bit PE executable files with a pointer to a malicious file. It does not include its full viral code in target files; it only adds a small routine that points to a malicious file, so when a target file gets executed, the worm is executed as well. The added routine is very small: about 100 - 110 bytes decimal get changed. It simply changes the EP (entry point) so the virus gets executed right away. The actual bytes point to a malicious file such as a copy of the dropped worm c:\winnt\system32\drivers\mikgi.exe (10.473 bytes). With such minimal changes to a file, the file size of infected files usually stays the same, as there is usually some empty space in areas like the text section due to file alignment. Modified files are already detected fine with released dat-5024.

Additionally it drops 2 other files:

RS.bat (105 bytes), already detected with dat-5024 as Bat/Sdbot trojan
WUAUSERV.dll (9.216 bytes), an innocent file

http://vil.nai.com/vil/content/v_142031.htm
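A defender-side triage check suggested by the description above, added here as an example and not part of the McAfee write-up or the forum post: it parses the PE section table and reports where AddressOfEntryPoint lands, flagging an entry point that sits in a section's file-alignment slack (the "empty space" the write-up mentions), in a non-executable section, or outside every section. The PE image it inspects is constructed in memory (headers only) so the script runs offline; `build_pe`, `classify_entry_point` and the section layout are assumptions of this example.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics flag
SECTION_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(entry_point, sections):
    """Constructed header-only PE32 image for testing (no real code, not a runnable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)              # AddressOfEntryPoint (RVA)
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def read_headers(data):
    """Return (AddressOfEntryPoint, [section header tuples]) from a PE file image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    first = opt + size_opt
    return entry_point, [struct.unpack_from(SECTION_FMT, data, first + 40 * i) for i in range(nsec)]

def classify_entry_point(data):
    """'ok', 'slack' (EP in file-alignment padding), 'non_executable' or 'outside' (no section)."""
    entry_point, sections = read_headers(data)
    for name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars in sections:
        if va <= entry_point < va + max(vsize, rawsize):
            if not chars & IMAGE_SCN_MEM_EXECUTE:
                return "non_executable"
            if entry_point >= va + vsize:   # past the code the linker emitted: alignment slack
                return "slack"
            return "ok"
    return "outside"

# Constructed layout: .text holds 0x400 bytes of code but occupies 0x600 bytes on disk.
TEXT = (b".text", 0x400, 0x1000, 0x600, 0x400, 0x60000020)   # CODE | EXECUTE | READ
DATA = (b".data", 0x100, 0x2000, 0x200, 0xA00, 0xC0000040)   # INITIALIZED_DATA | READ | WRITE

if __name__ == "__main__":
    for label, ep in (("clean", 0x1000), ("EP moved into .text slack", 0x1500),
                      ("EP moved into .data", 0x2010), ("EP outside all sections", 0x9000)):
        print(f"{label}: {classify_entry_point(build_pe(ep, [TEXT, DATA]))}")
```

Legitimate packers and some linkers also place entry points oddly, so treat anything other than "ok" as a triage signal to compare against a known-good copy, not as a verdict on its own.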

Troj/WLHack-C
by Marianna Schmudlach / May 7, 2007 3:48 AM PDT

Alert ID : FrSIRT/ALRT-2007-03127
Aliases : Trojan.Win32.Patched.q - Win32/Agent.NHJ
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

Troj/WLHack-C is a Trojan for the Windows platform.

References

http://www.sophos.com/virusinfo/analyses/trojwlhackc.html

Credits

Reported by Sophos

Troj/DwnLdr-GUG
by Marianna Schmudlach / May 7, 2007 3:49 AM PDT

Alert ID : FrSIRT/ALRT-2007-03126
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

Troj/DwnLdr-GUG is a downloader Trojan for the Windows platform. Troj/DwnLdr-GUG includes functionality to terminate security and anti-virus related processes.

References

http://www.sophos.com/virusinfo/analyses/trojdwnldrgug.html

Credits

Reported by Sophos

VBS/Solow-F
by Marianna Schmudlach / May 7, 2007 3:50 AM PDT
Troj/SpyAgent-B
by Marianna Schmudlach / May 7, 2007 3:52 AM PDT

Alert ID : FrSIRT/ALRT-2007-03124
Aliases : Spy-Agent.bv
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

Troj/SpyAgent-B is a component of a multi-component Trojan for the Windows platform.

References

http://www.sophos.com/virusinfo/analyses/trojspyagentb.html

Credits

Reported by Sophos

Troj/Bckdr-QIC
by Marianna Schmudlach / May 7, 2007 3:53 AM PDT
Mal/Behav-053
by Marianna Schmudlach / May 7, 2007 3:54 AM PDT

Alert ID : FrSIRT/ALRT-2007-03122
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2007-05-07


Description

Mal/Behav-053 is a malware family for the Windows platform. Members of Mal/Behav-053 are typically worms with backdoor functionality, but the family may also include Trojan components.

References

http://www.sophos.com/virusinfo/analyses/malbehav053.html

Credits

Reported by Sophos

Infostealer.Multigame
by Marianna Schmudlach / May 7, 2007 3:55 AM PDT
Trojan.Mailbot
by Marianna Schmudlach / May 7, 2007 9:52 AM PDT