VIRUS \ Spyware ALERTS - April 13, 2008

by Marianna Schmudlach / April 12, 2008 3:07 PM PDT
Troj/Delf-FAH
by Marianna Schmudlach / April 12, 2008 3:08 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/Delf-FAH is an information stealing Trojan for the Windows platform.

When run, Troj/Delf-FAH creates the file <System>\IRAT.mvb. This file is also detected as Troj/Delf-FAH.

Troj/Delf-FAH registers itself as a system service with the name of "IRAT", the display name of "IRAT" and a startup type of automatic. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRAT\

Troj/Delf-FAH also creates registry entries under:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
krnlsrvc
49 52 41 54 00


http://www.sophos.com/security/analyses/viruses-and-spyware/trojdelffah.html

Troj/Agent-GVY
by Marianna Schmudlach / April 12, 2008 3:09 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-GVY is a Trojan for the Windows platform.

When run, Troj/Agent-GVY copies itself to <System>\dmhfk.exe and sets the following registry entries under:

HKCU\Software\Microsoft\Windows\CurrentVersion\_r
kfhmd

HKCU\Software\Microsoft\Windows\CurrentVersion
dmhfk.exe

Troj/Agent-GVY also registers itself as a system service with the display name of "Windows Management Service" and a startup type of automatic. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows Management Service\


http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgvy.html

Troj/Agent-GWA
by Marianna Schmudlach / April 13, 2008 2:52 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-GWA is a Trojan for the Windows platform.

Troj/Agent-GWA includes functionality to download, install and run new software.

Troj/Agent-GWA attempts to download files to:

<Temp>\Plus.exe
<Temp>\flash.exe
<System>\doit.exe

When first run, doit.exe creates the file <System>\native.exe, which it adds to the following registry entry to run at startup:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
BootExecute


http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgwa.html?_log_from=rss
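As an added check, not part of this thread or of the Sophos write-ups, the read-only PowerShell script below looks for the persistence artifacts the three Sophos alerts above describe: the "IRAT" service, its LEGACY_IRAT key and the "krnlsrvc" SvcHost group of Troj/Delf-FAH; the HKCU values and "Windows Management Service" service of Troj/Agent-GVY; and the BootExecute entry and dropped files of Troj/Agent-GWA. It assumes <System> expands to %SystemRoot%\System32 and <Temp> to the current user's %TEMP%, reads only the current user's HKCU hive, and reports rather than removes anything.

```powershell
# Added example, not code from the CNET thread or from Sophos. Checks a Windows host
# for the persistence artifacts named in the Troj/Delf-FAH, Troj/Agent-GVY and
# Troj/Agent-GWA alerts. Read-only; run from an elevated PowerShell prompt.

# Assumptions: <System> = %SystemRoot%\System32, <Temp> = this user's %TEMP%.
$System = Join-Path $env:SystemRoot 'System32'
$Indicators = @{
    # Automatic-start services the two Trojans register (name or display name)
    ServiceNames    = @('IRAT', 'Windows Management Service')
    # Enum\Root key the alert lists for the IRAT service
    LegacyKey       = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRAT'
    # svchost group value created by Troj/Delf-FAH; its data 49 52 41 54 00 is "IRAT" + NUL
    SvcHostGroup    = 'krnlsrvc'
    # Values Troj/Agent-GVY writes under the current user's hive
    UserValues      = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\_r'; Name = 'kfhmd' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion';    Name = 'dmhfk.exe' }
    )
    # Files the three alerts say are created or downloaded
    Files           = @(
        (Join-Path $System 'IRAT.mvb'), (Join-Path $System 'dmhfk.exe'),
        (Join-Path $System 'doit.exe'),  (Join-Path $System 'native.exe'),
        (Join-Path $env:TEMP 'Plus.exe'), (Join-Path $env:TEMP 'flash.exe')
    )
}

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Services: Win32_Service lists registered services even when they are stopped.
foreach ($name in $Indicators.ServiceNames) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name' OR DisplayName='$name'" -ErrorAction SilentlyContinue
    foreach ($s in @($svc)) {
        $Findings.Add("Service '$($s.Name)' (display '$($s.DisplayName)', start=$($s.StartMode)) runs: $($s.PathName)")
    }
}
# The LEGACY_* key can outlive the Services entry, so check it separately.
if (Test-Path -LiteralPath $Indicators.LegacyKey -ErrorAction SilentlyContinue) {
    $Findings.Add("Legacy device key present: $($Indicators.LegacyKey)")
}

# 2. svchost group: a group name nobody recognises under SvcHost is a strong signal.
$svcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$grp = Get-ItemProperty -Path $svcHostKey -Name $Indicators.SvcHostGroup -ErrorAction SilentlyContinue
if ($grp) {
    $Findings.Add("SvcHost group '$($Indicators.SvcHostGroup)' lists: $(@($grp.($Indicators.SvcHostGroup)) -join ', ')")
}

# 3. Per-user registry values written by Troj/Agent-GVY (current user's hive only).
foreach ($v in $Indicators.UserValues) {
    $hit = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($hit) { $Findings.Add("Value '$($v.Name)' under $($v.Key) = $($hit.($v.Name))") }
}

# 4. BootExecute: the stock value is 'autocheck autochk *'; anything else (native.exe in
#    the Troj/Agent-GWA case) runs before the rest of the system starts and deserves a look.
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name BootExecute -ErrorAction SilentlyContinue
if ($sm) {
    foreach ($entry in @($sm.BootExecute)) {
        if ($entry -and $entry -notmatch '^autocheck autochk') {
            $Findings.Add("Non-default BootExecute entry: '$entry'")
        }
    }
}

# 5. Dropped or downloaded files.
foreach ($f in $Indicators.Files) {
    if (Test-Path -LiteralPath $f) { $Findings.Add("File present: $f") }
}

if ($Findings.Count -eq 0) {
    Write-Output 'None of the indicators from the 13 April 2008 alerts were found.'
} else {
    Write-Output "Found $($Findings.Count) indicator(s):"
    $Findings | ForEach-Object { Write-Output " - $_" }
}
```

Two caveats when using it: file and value names in these families change from sample to sample, so an empty result only rules out these exact variants, and the HKCU checks cover the logged-on user only; other users' hives would have to be loaded separately. The BootExecute and SvcHost checks are the durable part, since any unexpected entry there is worth investigating whatever it is called.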

Troj/Agent-GWB
by Marianna Schmudlach / April 13, 2008 2:54 AM PDT
Panda Security's weekly report on viruses and intruders
by Marianna Schmudlach / April 13, 2008 4:34 AM PDT

Virus Alerts, by Panda Security (http://www.pandasecurity.com)


27.19% of computers with a security solution installed scanned last week were infected. In the case of computers with no protection, this figure rises up to 39.17%.

According to data gathered by PandaLabs, NaviPromo was the most active malicious code this week followed by the Virtumonde spyware and the OnlineAddon adware.

TotalScan Top 10

1 Adware/NaviPromo
2 Spyware/Virtumonde
3 Adware/OnlineAddon
4 Adware/SecurityError
5 Adware/VideoAddon
6 Adware/Lop
7 Adware/Gator
8 Adware/SaveNow
9 Adware/PurityScan
10 W32/Bagle.HX.worm

Of all the new malicious codes that appeared this week, PandaLabs looks at the Banker.KWA Trojan and the Nuwar.ST worm.

Banker.KWA acts as a memory-resident backdoor and spreads through several Internet services. To trick users, it reaches computers with the icon of a .PDF document. Once run, it gives users the option to download a PDF file dealing with a complaint against a mobile phone company.

However, what the Trojan actually does is steal confidential data like passwords, certifications, etc. from the computer and send it to web pages it changes at random.

Also, the Trojan disables certain security services that may be running on the computer. To perform all these actions, Banker.KWA downloads a series of files to the system and creates various entries in the Windows registry.

Nuwar.ST is a new variant of the prolific Nuwar family of worms. Like its predecessors, Nuwar.ST uses infected computers to send out spam. As a result, it seriously slows down the computer's Internet connection.

This new Nuwar worm spreads by using YouTube videos as bait. To watch the video, target users are prompted to download a codec which actually contains the worm.

Also, Nuwar.ST uses a rootkit to hide its presence on the computer.

"It seems that this worm's creators have chosen the perfect bait to make it appear in blogs or forums, as these usually include YouTube videos. Funny enough, this worm's authors have called the fake codec StormCodec. This is quite meaningful, as the Nuwar family of worms is also known as Storm", explains Luis Corrons, Technical Director of PandaLabs.

Troj/PDFex-G
by Marianna Schmudlach / April 13, 2008 6:06 AM PDT
Troj/Dloadr-BKN
by Marianna Schmudlach / April 13, 2008 6:07 AM PDT
Fotomoto
by Marianna Schmudlach / April 13, 2008 9:25 AM PDT