Spyware, Viruses, & Security forum


VIRUS \ SPYWARE ALERTS - August 21, 2009

by Marianna Schmudlach / August 20, 2009 11:50 PM PDT
Troj/Agent-KXF
by Marianna Schmudlach / August 20, 2009 11:51 PM PDT
Troj/Agent-KXG
by Marianna Schmudlach / August 20, 2009 11:51 PM PDT
Troj/Atraps-D
by Marianna Schmudlach / August 20, 2009 11:52 PM PDT
Troj/Banker-ETV
by Marianna Schmudlach / August 20, 2009 11:53 PM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Characteristics

* Drops more malware
* Installs itself in the registry


Troj/Banker-ETV is a Trojan for the Windows platform.

When run, Troj/Banker-ETV copies itself to <System>\avg.exe and sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(default)
<System>\avg.exe

Troj/Banker-ETV also creates the file <System>DNT.SYS - detected as Mal/Generic-A.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbankeretv.html?_log_from=rss

Troj/Bifrose-YH
by Marianna Schmudlach / August 20, 2009 11:54 PM PDT
Troj/Drop-DH
by Marianna Schmudlach / August 20, 2009 11:54 PM PDT
Troj/ExpJs-C
by Marianna Schmudlach / August 20, 2009 11:55 PM PDT
Troj/Inject-IS
by Marianna Schmudlach / August 20, 2009 11:56 PM PDT
Troj/Zapchas-EM
by Marianna Schmudlach / August 20, 2009 11:56 PM PDT
Troj/VB-CYJ
by Marianna Schmudlach / August 20, 2009 11:57 PM PDT

Aliases

* Win32/VB.EL worm
* Worm.Win32.VB.el
* W32/Backdoor.VXI

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


Troj/VB-CYJ is a Trojan for the Windows platform.

When first run, Troj/VB-CYJ copies itself to \sal.xls.exe and creates the following files:

\autorun.inf
<Windows>\ufdata2000.log

The following registry entries are set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer
msfir80.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.2
msime80.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0

http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbcyj.html?_log_from=rss

Troj/Rootkit-GS
by Marianna Schmudlach / August 20, 2009 11:58 PM PDT
Troj/Lydra-AF
by Marianna Schmudlach / August 20, 2009 11:59 PM PDT
Troj/FakeAV-YD
by Marianna Schmudlach / August 21, 2009 12:00 AM PDT
Troj/Agent-KXC
by Marianna Schmudlach / August 21, 2009 12:01 AM PDT
Troj/Agent-KXB
by Marianna Schmudlach / August 21, 2009 12:02 AM PDT
Troj/Agent-KXA
by Marianna Schmudlach / August 21, 2009 12:02 AM PDT
OSX/Jahlav-C
by Marianna Schmudlach / August 21, 2009 12:03 AM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Macintosh

OSX/Jahlav-C is a Trojan created for the Mac OS X operating system. OSX/Jahlav-C is used to deliver malicious code to the infected computer. The initial installer is distributed as a missing Video ActiveX Object, as described on the SophosLabs blog.

OSX/Jahlav-C creates a malicious shell script file named AdobeFlash in the /Library/Internet Plug-Ins folder and sets it to run periodically. The script contains another shell script in an encoded format which in turn contains a Perl script with the main malicious payload.

The Perl script uses HTTP to communicate with a remote website and download code supplied by the attacker.

http://www.sophos.com/security/analyses/viruses-and-spyware/osxjahlavc.html?_log_from=rss

Mal/VBInject-B
by Marianna Schmudlach / August 21, 2009 12:04 AM PDT
Mal/Dorf-A
by Marianna Schmudlach / August 21, 2009 12:05 AM PDT
Trojan.Fakeavalert for Windows and as OSX.RSPlug.A for Mac OS
by Marianna Schmudlach / August 21, 2009 12:07 AM PDT

Trojan.Fakeavalert for Windows and as OSX.RSPlug.A for Mac OS.

Free Online Movie Blogs Serving up Trojan for Windows and Mac

We have recently observed that attackers are actively exploiting new movie releases to distribute malware. The general practice is to host a blog on a (relatively) reputable site, which in actual fact redirects users to a malicious website hosting malware.

The movie "Obsessed" was released in April 2009 and in order to watch it online for free, users might search for a phrase that includes keywords such as movie, free, video, online, watch, etc., along with the movie's name, of course. So, a search phrase such as "obsessed movie online free full video" would yield results similar to the following:

More: http://www.symantec.com/connect/blogs/free-online-movie-blogs-serving-trojan-windows-and-mac

W32.Induc.A!dr
by Marianna Schmudlach / August 21, 2009 12:08 AM PDT
TROJ_DLOADR.ZZD
by Marianna Schmudlach / August 21, 2009 12:22 AM PDT

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Description:

This Trojan has received attention from independent media sources and/or other security firms.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview

This Trojan may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web site(s).

It accesses a certain website to download an RSS feed. It saves the downloaded file in the current user's Temporary folder using a certain file name. However, the said site is currently inaccessible. The downloaded file may contain links where this Trojan downloads other files.

It then creates a registry entry to enable the automatic execution of one of the downloaded files. It also attempts to access another website to check for updates for the said RSS feed.

It attempts to download a file from a certain website. As a result, routines of the downloaded file are also exhibited on the affected system.

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FDLOADR%2EZZD

PE_INDUC.A
by Marianna Schmudlach / August 21, 2009 12:23 AM PDT

Malware type: File infector

Aliases: No Alias Found

In the wild: Yes

Malware Overview

This file infector may arrive in a system as a compromised file compiled using an infected Borland Delphi Compiler.

Upon execution, it checks the Delphi Installation on the system by checking the existence of a certain registry key. It also gets information on the location of the Delphi installation folder from the said registry key. It then searches for a certain file which it modifies by appending its codes.

Using the Delphi compiler, it compiles a new copy of a certain file using the file modified earlier. The new compiled file is detected by Trend Micro as TROJ_INDUC.AA.

Once infected, all files compiled or linked using the compromised Delphi compiler will be infected.

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FINDUC%2EA

Adware-Cinmus.gen.l!4a223fb74638
by Marianna Schmudlach / August 21, 2009 12:25 AM PDT

Type: Program
SubType: Adware
Discovery Date: 08/21/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Avert

CasOnline!219cde45e458
by Marianna Schmudlach / August 21, 2009 12:25 AM PDT

Type: Program
SubType: -
Discovery Date: 08/21/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File Property       Property Value
FileName            Unavailable
McAfee Artemis      Artemis!219cde45e458
McAfee Detection    CasOnline
Length              280,816 bytes
CRC                 0CF991D0
MD5                 219cde45e4587e20578b5376df1fce06
SHA1                EF4EF64EF5835FF229C7959EF0286E9EB5C871BD

Other Common Detection Aliases

Company Name        Detection Name
clamav              Adware.Casino-29

Avert

ASKToolbar.dll!9f74744064ef
by Marianna Schmudlach / August 21, 2009 12:26 AM PDT

Type: Program
SubType: Tool
Discovery Date: 08/21/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File Property       Property Value
FileName            i4j_extf_8_5p83tu.exe
McAfee Artemis      Artemis!9f74744064ef
McAfee Detection    ASKToolbar.dll
Length              552,960 bytes
CRC                 2C445006
MD5                 9F74744064EF1DB660639944170FA383
SHA1                7E5778DFD1D34D1C41E2F1593DD1ED5CB5F77F2D

Other Common Detection Aliases

Company Name        Detection Name
Eset                Win32/AdInstaller (application) (variant)
FortiNet            Misc/ASKToolbar
F-Prot              W32/Mywebsearch.A.gen!Eldorado
Kaspersky           not-a-virus:WebToolbar.Win32.MyWebSearch.dm

Avert

Virus Alerts [Panda Security's weekly report on viruses and intruders - 08/21/09]
by Marianna Schmudlach / August 21, 2009 2:57 AM PDT

Virus Alerts [Panda Security's weekly report on viruses and intruders - 08/21/09]

- Panda Security's weekly report on viruses and intruders -

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week's PandaLabs report looks at Total Security 2009, yet another
example of the many fake antiviruses in circulation.

This type of malware passes itself off as legitimate software
applications in order to steal users' money by tricking them into
believing that they will eliminate threats that actually do not exist.
For more information about this type of malicious program, read "The
Business of Rogueware", a report on fake antiviruses written by Luis
Corrons and Sean-Paul Correll, PandaLabs researchers. This report is
available at:
http://www.pandasecurity.com/img/enc/El%20Negocio%20de%20los%20falsos%20antivirus.pdf

Once installed on the target computer (see photo on Flickr:
http://www.flickr.com/photos/panda_security/3836404446/), Total Security
displays a warning indicating that the computer is at risk (see photo on
Flickr: http://www.flickr.com/photos/panda_security/3835613711/). Then,
it simulates a system scan (see photo on Flickr:
http://www.flickr.com/photos/panda_security/3836404512/), reporting a
series of infections in order to scare users into buying the antivirus
solution (see photo on Flickr:
http://www.flickr.com/photos/panda_security/3835613765/). On finishing
the scan, Total Security displays a screen offering a solution to the
user's problem (see photo on Flickr:
http://www.flickr.com/photos/panda_security/3835613789/). The solution
consists of activating the fake antivirus (see photo on Flickr:
http://www.flickr.com/photos/panda_security/3835613811/). However, to
activate the product, users must pay a fee to the anti-malware vendor
(see photo on Flickr:
http://www.flickr.com/photos/panda_security/3835613871/). After this,
users receive a code they must enter in the program (see photo on
Flickr: http://www.flickr.com/photos/panda_security/3836404630/). Once
they do this, the malicious application stops displaying warnings about
threats. This aims to make users believe they have actually bought an
antivirus product, whereas, in reality, no infection has been removed
and users are not protected against threats.

Total Security installs on computers just as if it were a legitimate
security solution. It creates a shortcut in the desktop (see photo on
Flickr: http://www.flickr.com/photos/panda_security/3835613913/),
another one in the program directory of the Start menu (see photo on
Flickr: http://www.flickr.com/photos/panda_security/3835613929/), and a
third one in the Add or Remove Programs section (see photo on Flickr:
http://www.flickr.com/photos/panda_security/3835613965/).

This malware can reach users in a variety of ways: through links in spam
messages, downloaded from a malicious Web page, etc. Once run, the
program launches the installation process.


More information about these and other malicious codes is available in
the Panda Security Encyclopedia
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/.

W32/Autorun-APK
by Marianna Schmudlach / August 21, 2009 2:58 AM PDT
W32/Autorun-APJ
by Marianna Schmudlach / August 21, 2009 2:59 AM PDT

Category

* Viruses and Spyware

Type

* Worm


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


W32/Autorun-APJ is a worm for the Windows platform.

W32/Autorun-APJ includes functionality to access the internet and communicate with a remote server via HTTP.

W32/Autorun-APJ spreads by copying itself to the root folder of all mounted drives.
When first run, W32/Autorun-APJ copies itself to:

<System>\system3_.exe
<Windows>\system3_.exe

and creates the file <System>\autorun.ini.

The file autorun.ini is detected as W32/AutoRun-AOA.

The following registry entry is created to run system3_.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\system3_.exe

The following registry entry is changed to run system3_.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe system3_.exe

W32/Autorun-APJ changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunapj.html?_log_from=rss
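As an added example (not from the Sophos write-ups or this thread), the following Python script parses a `reg export` text dump and flags the registry changes the W32/Autorun-APJ and Troj/VB-CYJ posts above describe: a Winlogon Shell value that chains a second program after Explorer, the DisableTaskMgr / DisableRegistryTools / NofolderOptions policies, the SHOWALL CheckedValue forced to 0, and Run entries launching the file names those posts list. The sample export (and its benign OneDrive entry) is constructed for the demonstration.

```python
import re

# Constructed "reg export" excerpt: the values the Sophos write-ups above list, plus a benign Run entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe system3_.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\Windows\\System32\\system3_.exe"
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
# Lower-cased key -> [(value name, predicate that is true when the value is tampered)].
CHECKS = {
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon":
        [("Shell", lambda v: str(v).strip().lower() != "explorer.exe")],
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\system":
        [("DisableTaskMgr", lambda v: v == 1), ("DisableRegistryTools", lambda v: v == 1)],
    r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer":
        [("NofolderOptions", lambda v: v == 1)],
    r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall":
        [("CheckedValue", lambda v: v == 0)],
}
RUN_NAMES = {"system3_.exe", "avg.exe", "msfir80.exe", "msime80.exe"}  # Run-key file names on this page

def parse_reg_export(text):  # -> {key (lower-cased): {value name: value}}; dwords as ints
    entries, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)):  # "@=" is the (default) value
            name, raw = m.group(1) or "(default)", m.group(2)
            if raw.startswith("dword:"):
                entries.setdefault(key, {})[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                entries.setdefault(key, {})[name] = raw[1:-1].replace("\\\\", "\\")
    return entries

def find_persistence_indicators(entries):  # -> list of human-readable findings
    findings = [f"{name}={entries[key][name]!r} under {key}"
                for key, checks in CHECKS.items() for name, tampered in checks
                if name in entries.get(key, {}) and tampered(entries[key][name])]
    for key, values in entries.items():
        for name, cmd in values.items():
            if key.endswith(r"\currentversion\run") and str(cmd).lower().rsplit("\\", 1)[-1] in RUN_NAMES:
                findings.append(f"Run entry {name!r} launches {cmd}")
    return findings
```

On a live machine the same functions can be fed the output of `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon out.reg` and the other keys, one file at a time.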

Troj/Inject-IT
by Marianna Schmudlach / August 21, 2009 3:00 AM PDT