General discussion

VIRUS \ Spyware ALERTS - April 12, 2008

Discussion is locked
Follow
Reply to: VIRUS \ Spyware ALERTS - April 12, 2008
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: VIRUS \ Spyware ALERTS - April 12, 2008
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Comments
- Collapse -
Troj/DorfHtml-C
- Collapse -
Troj/Poison-U
- Collapse -
Troj/Agent-GVW
- Collapse -
Mal/Behav-218
- Collapse -
Trojan.Busdest
- Collapse -
Troj/Maldoc or Exp/1Table.

OLE2 a popular malware delivery mechanism?

12 April 2008

OLE2 (Object Linking and Embedding v2) is a Microsoft container file format which can hold objects of various types in a similar fashion to that files on in a file system. Due to the complex nature of this document format many vulnerabilities in software which opens these files have been found (see CVE-2007-0913, CVE-2007-0870) and are being used by malware authors.

In recent weeks I?ve noticed an increase of exploited Word, Excel and Powerpoint files being dealt with by SophosLabs and decided to graph the results. The graph indicates the number of unique samples of OLE2 files being detected by either the Troj/Maldoc or Exp/1Table.

More: http://www.sophos.com/security/blog/2008/04/1300.html

- Collapse -
Troj/Banld-C
- Collapse -
Troj/IRCBot-ABJ

Category Viruses and Spyware

Type Trojan

Troj/IRCBot-ABJ is a Trojan with IRC backdoor functionality for the Windows platform.

Troj/IRCBot-ABJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run Troj/IRCBot-ABJ copies itself to <System>\msmsgs.exe.

The following registry entries are created to run Troj/IRCBot-ABJ on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Oftice
<System>\msmsgs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Oftice
<System>\msmsgs.exe

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojircbotabj.html

- Collapse -
Troj/Agent-GVX

CNET Forums