General discussion

VIRUS \ Spyware ALERTS - April 13, 2008

Discussion is locked
Reply to: VIRUS \ Spyware ALERTS - April 13, 2008
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: VIRUS \ Spyware ALERTS - April 13, 2008
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -

Category Viruses and Spyware

Type Trojan

Troj/Delf-FAH is an information stealing Trojan for the Windows platform.

When run Troj/Delf-FAH creates the file <System>\IRAT.mvb. This file is also detected as Troj/Delf-FAH.

Troj/Delf-FAH registers itself as a system service with the name of "IRAT" with the displayname of "IRAT" and a startup type of automatic. Registry entries are created under:


Troj/Delf-FAH also creates registry entries under:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
49 52 41 54 00

- Collapse -

Category Viruses and Spyware

Type Trojan

Troj/Agent-GVY is a Trojan for the Windows platform.

When run Troj/Agent-GVY copies itself to <System>\dmhfk.exe and sets the following registry entries under:



Troj/Agent-GVY also registers itself as a system service with the display name of "Windows Management Service" and a startup type of automatic. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows Management Service\

- Collapse -

Category Viruses and Spyware

Type Trojan

Troj/Agent-GWA is a Trojan for the Windows platform.

Troj/Agent-GWA includes functionality to download, install and run new software.

Troj/Agent-GWA attempts to download files to:


When first run doit.exe creates the file <System>\native.exe which it adds to the following registry entry to run at startup:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

- Collapse -
- Collapse -
Panda Security's weekly report on viruses and intruders

Virus Alerts, by Panda Security (

27.19% of computers with a security solution
installed scanned last week were infected. In the case of computers with no protection, this figure rises up to 39.17%.

According to data gathered by PandaLabs, NaviPromo was the most active
malicious code this week followed by the Virtumonde spyware and the
OnlineAddon adware.

TotalScan Top 10

1 Adware/NaviPromo
2 Spyware/Virtumonde
3 Adware/OnlineAddon
4 Adware/SecurityError
5 Adware/VideoAddon
6 Adware/Lop
7 Adware/Gator
8 Adware/SaveNow
9 Adware/PurityScan
10 W32/Bagle.HX.worm

Of all the new malicious codes appeared this week, PandaLabs looks at
the Banker.KWA Trojan and the Nuwar.ST worm.

Banker.KWA acts a memory-resident backdoor and spreads through several
Internet services. To trick users, it reaches computers with the icon of a .PDF document. Once run, it gives users the option to download a PDF file dealing with a complaint against a mobile phone company.

However, what the Trojan actually does is steal confidential data like
passwords, certifications, etc. from the computer and send it to web
pages it changes at random.

Also, the Trojan disables certain security services that may be running on the computer. To perform all these actions, Banker.KWA downloads a series of files to the system and creates various entries in the Windows registry.

Nuwar.ST is a new variant of the prolific Nuwar family of worms. Like
its predecessors, Nuwar.ST uses infected computers to send out spam. As a result, it seriously slow downs the computer's Internet connection.

This new Nuwar worm spreads by using YouTube videos as bait. To watch
the video, target users are prompted to download a codec which actually contains the worm.

Also, Nuwar.ST uses a rootkit to hide its presence on the computer.

"It seems that this worm's creators have chosen the perfect bait to make it appear in blogs or forums, as these usually include YouTube videos.
Funny enough, this worm's authors have called the fake codec StormCodec.
This is quite meaningful, as the Nuwar family of worms is also known as Storm", explains Luis Corrons, Technical Director of PandaLabs.

- Collapse -
- Collapse -
- Collapse -

CNET Forums