Spyware, Viruses, & Security forum

General discussion

VIRUS \ Spyware ALERTS - April 14, 2008

by Marianna Schmudlach / April 13, 2008 3:04 PM PDT
Troj/Zlob-AKC
by Marianna Schmudlach / April 13, 2008 3:05 PM PDT
Troj/Zlob-AKB
by Marianna Schmudlach / April 13, 2008 3:06 PM PDT
Troj/PWS-AQX
by Marianna Schmudlach / April 13, 2008 3:07 PM PDT
Troj/LdPinc-B
by Marianna Schmudlach / April 13, 2008 3:08 PM PDT
JS/Dloadr-BKO
by Marianna Schmudlach / April 13, 2008 3:10 PM PDT
Trojan-Downloader.Win32.Zlob.arm.
by Marianna Schmudlach / April 13, 2008 3:16 PM PDT

Security Watch: Codecs of Corruption
Fake Codecs

The people at Sunbelt Software have been arguing for some time that an increasing amount of malware, and subsequently bots out on the Internet, comes from fake codec software. In April they talked about Vcodec, which claims to be "a multimedia compressor/ decompressor which registers into the Windows collection of multimedia drivers and integrates with any application using Direct Show and Microsoft Video for Windows," but in fact is used to install spyware on your computer. Kaspersky AntiVirus detects it as Trojan-Downloader.Win32.Zlob.arm.

http://www.pcmag.com/article2/0,2704,2046053,00.asp

Also:

Google Groups continues to be inundated with malware-pushing porn

As we've seen before, this continues to be a problem on Google Groups: Fake posts pushing porn that pushes malware (fake codecs).

A simple search of Google Groups using the search term "porn" shows just an extraordinary number of these sites (you can try it if you like, but realize the risk).

For example, here is a search looking for posts with the keywords "porn video" in the last month, showing 256,000 hits (warning: graphic content):

More: http://sunbeltblog.blogspot.com/index.html

Troj/Zlob-AKD
by Marianna Schmudlach / April 14, 2008 12:44 AM PDT
Troj/DwnLdr-HCG
by Marianna Schmudlach / April 14, 2008 12:45 AM PDT
Troj/BKDoor-K
by Marianna Schmudlach / April 14, 2008 12:47 AM PDT
W32/IRCBot-ABK
by Marianna Schmudlach / April 14, 2008 12:48 AM PDT
Troj/Drop-P
by Marianna Schmudlach / April 14, 2008 12:49 AM PDT
Troj/Bckdr-QMZ
by Marianna Schmudlach / April 14, 2008 12:50 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Bckdr-QMZ is a Trojan for the Windows platform.

When Troj/Bckdr-QMZ is installed the following files are created:

<Program Files>\Internet Explorer\dnsw\lexplore.exe, which is detected as Mal/Heuri-E.
<Program Files>\Internet Explorer\dnsw\r_s.exe, which is also detected as Troj/Bckdr-QMZ.
<Program Files>\Internet Explorer\dnsw\zlib.dll, which is a clean file and can be safely removed.
<Program Files>\Messenger\msmsngr.exe, which is detected as Mal/Behav-034.
<System>\zlib.dll, which is a clean file and can be safely removed.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbckdrqmz.html?_log_from=rss

Troj/Melko-A
by Marianna Schmudlach / April 14, 2008 12:52 AM PDT
Troj/Drop-ZLB
by Marianna Schmudlach / April 14, 2008 12:53 AM PDT
Troj/Banhost-L
by Marianna Schmudlach / April 14, 2008 12:54 AM PDT
Mal/ObfJS-AD
by Marianna Schmudlach / April 14, 2008 12:55 AM PDT
Mal/Bifrose-J
by Marianna Schmudlach / April 14, 2008 2:27 AM PDT
Mal/EncPk-DF
by Marianna Schmudlach / April 14, 2008 2:29 AM PDT
W32/Rbot-GWT
by Marianna Schmudlach / April 14, 2008 8:57 AM PDT

Aliases W32.Spybot.Worm
Backdoor.Win32.Rbot.gen

Category Viruses and Spyware

Type Worm

W32/Rbot-GWT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-GWT spreads
- to computers vulnerable to common exploits, including: SRVSVC (MS06-040), WKS (MS03-049), MSSQL (MS02-039), PNP (MS05-039), ASN.1 (MS04-007), Realcast, RealVNC (CVE-2006-2369) and Symantec (SYM06-010)
- to network shares protected by weak passwords

When first run W32/Rbot-GWT copies itself to <System>\msnupdate.exe.

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgwt.html?_log_from=rss

W32/Autorun-DC
by Marianna Schmudlach / April 14, 2008 8:58 AM PDT

Aliases WORM_TIHS.A

Category Viruses and Spyware

Type Worm

W32/Autorun-DC is a worm for the Windows platform.

W32/Autorun-DC spreads to other network computers.

When first run W32/Autorun-DC copies itself to:

<Startup>\Empty.pif
<Windows>\Web\printers\prtwebvw.exe
<Windows>\addins\services.exe
<Windows>\java\classes\lsass.exe
<Windows>\mui\smss.exe

and creates the following files:

<Windows>\Autorun.inf
<Windows>\SoftWareProtector\Error_out.pr

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorundc.html?_log_from=rss

W32/Autorun-DA
by Marianna Schmudlach / April 14, 2008 9:00 AM PDT
Troj/Pushdo-Gen
by Marianna Schmudlach / April 14, 2008 9:01 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Pushdo-Gen is a family of Trojans for the Windows platform.

When members of Troj/Pushdo-Gen are installed they drop and run a further file in memory, usually detected as Troj/Pushu-Gen or Mal/Basine-C. This may then drop further files, including some of the following:

<Windows>\system32\drivers\ip6fw.sys
<Windows>\system32\drivers\netdtect.sys
<System>\drivers\runtime.sys
<System>\drivers\secdrv.sys

These files are used to provide stealthing for the Trojan.

The dropped file in memory will also often attempt to inject further code into Internet Explorer.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpushdogen.html?_log_from=rss
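As an added example (not from this thread, from Sophos, or from CNET), a small Python checker for the dropped-file paths quoted in the Troj/Bckdr-QMZ, W32/Autorun-DC and Troj/Pushdo-Gen posts above: it resolves the <Windows>, <System>, <Program Files> and <Startup> placeholders used in those write-ups to real directories and reports which indicator paths are present on the host. The indicator list, the placeholder-to-directory mapping and the injectable `exists` predicate are my assumptions.

```python
import os

# Dropped-file paths quoted from the Sophos write-ups in this thread (constructed list).
# services.exe, lsass.exe and smss.exe are legitimate process names, so the directory is
# the indicator; Pushdo drivers sharing a name with real Windows drivers are left out.
INDICATORS = {
    "Troj/Bckdr-QMZ": [
        r"<Program Files>\Internet Explorer\dnsw\lexplore.exe",
        r"<Program Files>\Internet Explorer\dnsw\r_s.exe",
        r"<Program Files>\Messenger\msmsngr.exe",
    ],
    "W32/Autorun-DC": [
        r"<Startup>\Empty.pif",
        r"<Windows>\Web\printers\prtwebvw.exe",
        r"<Windows>\addins\services.exe",
        r"<Windows>\java\classes\lsass.exe",
        r"<Windows>\mui\smss.exe",
    ],
    "Troj/Pushdo-Gen": [
        r"<System>\drivers\runtime.sys",
        r"<Windows>\system32\drivers\netdtect.sys",
    ],
}

def default_roots() -> dict:
    """Map Sophos placeholders to host directories (assumed Windows; fallbacks allow a dry run)."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    appdata = os.environ.get("APPDATA", r"C:\Users\user\AppData\Roaming")
    return {
        "<Windows>": windir,
        "<System>": windir + r"\system32",
        "<Program Files>": os.environ.get("ProgramFiles", r"C:\Program Files"),
        "<Startup>": appdata + r"\Microsoft\Windows\Start Menu\Programs\Startup",
    }

def expand(indicator: str, roots: dict) -> str:
    """Replace the leading <Placeholder> with its concrete directory."""
    for key, root in roots.items():
        if indicator.startswith(key):
            return root + indicator[len(key):]
    raise ValueError(f"unknown placeholder in {indicator!r}")

def scan(roots: dict, exists=os.path.exists) -> dict:
    """Return {family: [paths present]}; a hit is a lead for the AV scanner, not proof."""
    hits = {}
    for family, paths in INDICATORS.items():
        found = [p for p in (expand(i, roots) for i in paths) if exists(p)]
        if found:
            hits[family] = found
    return hits
```

Run `scan(default_roots())` on the host; an empty result means none of the quoted paths exist, while any hit should be handed to the vendor detection named in the post rather than treated as a verdict on its own.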

Adware.PlayMp3z.A
by Marianna Schmudlach / April 14, 2008 9:05 AM PDT

SYMPTOMS:

This adware usually disguises itself as a "codec" for viewing or listening to media files. It states that without this product the user can't access the wanted file. A sample of this kind of spreading strategy is explained here: http://www.bitdefender.ro/VIRUS-1000277-ro--Trojan.Downloader.WMA.Wimad.N.html

A window pops up while the user tries to access a certain kind of exploited media file with the title "Play Free MP3s". It has a checkbox to validate the user's acceptance of the product's EULA to a company named "Media Holding Enterprises". The user has the predefined choice (the checkbox is already checked) to install another adware: Adware.Mirar.


http://www.bitdefender.com/VIRUS-1000279-en--Adware.PlayMp3z.A.html

A Federal Subpoena or Just Some More Spam & Malware?
by Marianna Schmudlach / April 14, 2008 9:09 AM PDT

Published: 2008-04-14,
Last Updated: 2008-04-14 18:13:43 UTC
by John Bambenek (Version: 1)

We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via e-mail ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem: it's totally bogus. It's a typical "click-the-link-for-malware" spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his e-mail directly. It's very highly targeted that way.

Second, the United States Federal Courts do not "serve" formal process over email. While there is an Electronic Case Management System, initial contact for a subpoena, lawsuit or other process is done the old fashioned way... someone serving you the old fashioned way. Presumably, if you did already get served you would have a lawyer handling the case for you. In that instance, the *lawyer*, not you, would be getting electronic notices from the court **after service has been handled**.

http://isc.sans.org/diary.html?storyid=4289
