VIRUS \ SPYWARE ALERTS - August 5, 2009

by Marianna Schmudlach / August 4, 2009 11:42 PM PDT
Troj/MalDoc-U
by Marianna Schmudlach / August 4, 2009 11:43 PM PDT
Troj/Inject-IM
by Marianna Schmudlach / August 4, 2009 11:43 PM PDT
Troj/FakeAv-WU
by Marianna Schmudlach / August 4, 2009 11:44 PM PDT
W32/Autorun-ANO
by Marianna Schmudlach / August 4, 2009 11:45 PM PDT

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices

Affected operating systems: Windows
Characteristics

* Installs itself in the registry


W32/Autorun-ANO is a worm for the Windows platform.

When W32/Autorun-ANO is installed it creates the file <System>\windotnetsrv.exe.

The following registry entry is created to run windotnetsrv.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windll
<System>\windotnetsrv.exe

W32/Autorun-ANO copies itself to removable storage devices as FunnyVid.exe.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunano.html?_log_from=rss

W32/AutoIt-FO
by Marianna Schmudlach / August 4, 2009 11:46 PM PDT
Troj/Renos-DG
by Marianna Schmudlach / August 4, 2009 11:46 PM PDT
Troj/Midgare-E
by Marianna Schmudlach / August 4, 2009 11:48 PM PDT
Troj/Agent-KSV
by Marianna Schmudlach / August 4, 2009 11:48 PM PDT
Mal/ObfJS-CD
by Marianna Schmudlach / August 4, 2009 11:49 PM PDT
W32/Autorun-ANM
by Marianna Schmudlach / August 4, 2009 11:50 PM PDT
Troj/FakeAle-PC
by Marianna Schmudlach / August 4, 2009 11:51 PM PDT
Troj/VB-EGC
by Marianna Schmudlach / August 4, 2009 11:52 PM PDT
Troj/Dloadr-CRB
by Marianna Schmudlach / August 5, 2009 1:26 AM PDT
Troj/Dloadr-CRA
by Marianna Schmudlach / August 5, 2009 1:27 AM PDT
Troj/Dloadr-CQZ
by Marianna Schmudlach / August 5, 2009 1:27 AM PDT

Aliases

* Artemis!366244768496 trojan
* VirTool:Win32/Injector.gen!AC
* Backdoor-EBM trojan

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/Dloadr-CQZ is a downloader Trojan for the Windows platform.

When first run the following files are created:

<System>\sdra64.exe
<System>\stu2.exe
<System>\lowsec\user.ds.lll
<System>\lowsec\local.ds
<Current Folder>\dump1.dmp

The following registry entry is changed to run sdra64.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\sdra64.exe,

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0x00000000

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrcqz.html?_log_from=rss

Troj/Artemis-A
by Marianna Schmudlach / August 5, 2009 1:28 AM PDT
Troj/Agent-KSW
by Marianna Schmudlach / August 5, 2009 1:29 AM PDT
Troj/Agent-KRI
by Marianna Schmudlach / August 5, 2009 1:30 AM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/Agent-KRI is a Trojan for the Windows platform.

When first run Troj/Agent-KRI copies itself to <Program Files>\Bifrost\server.exe.

The following registry entry is created to run server.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath
<Program Files>\Bifrost\server.exe s

Registry entries are created under:

HKCU\Software\Bifrost

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentkri.html?_log_from=rss

Xema
by Marianna Schmudlach / August 5, 2009 1:31 AM PDT
Rugo
by Marianna Schmudlach / August 5, 2009 1:31 AM PDT
HTML_REDIR.ECT
by Marianna Schmudlach / August 5, 2009 1:33 AM PDT

Malware type: Html

Aliases: No Alias Found

In the wild: Yes

Details:

This is the Trend Micro detection for HTML pages and compromised Web sites that contain malicious scripts.

It may be downloaded from the following remote site(s):

* {BLOCKED}sts.freewebhostx.com/corazon-aquino-died.html
* {BLOCKED}nger.0adz.com/corazon-aquino-dies.html
* {BLOCKED}-1.0adz.com/corazon-aquino-died.html

It may be downloaded unknowingly by a user when visiting malicious Web site(s).

Once an unsuspecting user visits an affected webpage, this malicious HTML file attempts to access the following websites to download other malicious files:

* {BLOCKED}eams.cn/go.php?id=2022&key=4c69e59ac&p=1
* {BLOCKED}manager.cn/go.php?id=2022&key=4c69e59ac&p=1
* {BLOCKED}rno.ru/admin/red/av.php

The downloaded files are detected by Trend Micro as TROJ_FAKEALRT.FK. As a result, routines of the downloaded files are also exhibited on the affected system. However, the said sites are currently inaccessible.

This malicious HTML file runs on Windows 98, ME, NT, 2000, XP, Server 2003.

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_REDIR.ECT&VSect=T


Troj/FakeAle-OZ
by Marianna Schmudlach / August 5, 2009 1:35 AM PDT

Malware from Rapidshare links

Malware coming in the form of e-mails is not unusual these days.

However, malware links from blogs:


Its name, PC****ct.exe, seems to suggest to people that those links provide some kind of anti-virus software. However, the URLs lead you to an executable that then downloads various malicious files.

Sophos detects this file as Troj/FakeAle-OZ. This malware attempts to download from certain sites which seem to have been taken down (access to which is already blocked by Sophos's web appliance).

Besides blogs, the malicious links also spread by e-mail.

More: http://www.sophos.com/blogs/sophoslabs/

Troj/xDrop-A
by Marianna Schmudlach / August 5, 2009 1:35 AM PDT

Flash in the Formula!

Well, the malware authors have discovered yet another vehicle for delivering and triggering their dual-actioned Adobe Flash vulnerability (which I talked about at a recent conference), this time in Microsoft Excel (expect to see them in PowerPoint and Word as well!).

The style of attack was recently outlined by Pob here, where two specifically crafted Flash objects in a PDF document work together to exploit the vulnerability. It was only a matter of time before the AVs caught up and started blocking suspicious PDFs, and so the game has moved on to finding other compound files capable of embedding and invoking Flash objects. Microsoft's OLE2 compound document format is well suited to this scenario and is being actively exploited, as the sample submissions indicate.

The submitted sample (detected as Troj/xDrop-A) already raises suspicion by being some 215k in size yet, when opened in Excel, appearing somewhat empty.

More: http://www.sophos.com/blogs/sophoslabs/

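The Sophos post above says the Flash objects now travel inside an OLE2 compound document that looks empty when opened. Triage of such a file does not need Excel: every SWF starts with a fixed 8-byte header (an FWS or CWS signature, a version byte and a little-endian uncompressed length), so a byte-level scan for plausible headers finds embedded Flash whatever the carrier. The scanner below is an added example, not Sophos code and not from the original post; it runs on a constructed blob that carries the real compound-file magic, a decoy signature inside text, and one uncompressed plus one zlib-compressed minimal SWF. The function names, the `make_sample` blob and the version bound of 40 are this example's own assumptions.

```python
"""Find embedded SWF (Flash) headers in an arbitrary file, e.g. an OLE2 compound
document such as the Excel sample described above. Added example; not Sophos code."""
import struct
import zlib

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file binary (CFB) signature
MAX_SWF_VERSION = 40  # assumed sanity bound; real SWF version bytes are small integers


def is_ole2(data):
    """True if data starts with the OLE2/CFB magic (Excel .xls, Word .doc, PowerPoint .ppt)."""
    return data[:8] == OLE2_MAGIC


def find_swf(data):
    """Return every FWS/CWS signature in data with its 8-byte header decoded and a
    plausibility flag: version within bounds, declared uncompressed length sane
    and, for CWS, a zlib stream that actually inflates after the header."""
    hits = []
    for sig in (b"FWS", b"CWS"):
        pos = data.find(sig)
        while pos != -1:
            hit = {"offset": pos, "signature": sig, "version": None, "length": None, "plausible": False}
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                hit["version"], hit["length"] = version, length
                ok = 1 <= version <= MAX_SWF_VERSION and length > 8
                if sig == b"FWS":
                    ok = ok and length <= len(data) - pos          # body must fit in the file
                else:
                    try:
                        body = zlib.decompressobj().decompress(data[pos + 8:])
                        ok = ok and 0 < len(body) <= length - 8    # inflated body fits declared size
                    except zlib.error:
                        ok = False
                hit["plausible"] = ok
            hits.append(hit)
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def make_sample():
    """Constructed test blob: CFB magic, zero fill, a decoy 'FWS' inside text, then a
    minimal uncompressed SWF and the same movie zlib-compressed. Not a real workbook."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + b"\x00\x00"  # RECT, frame rate 12.0, 1 frame, End tag
    fws = b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b"NEWS FWS" + b"\xff" * 5 + b" text"
    return OLE2_MAGIC + b"\x00" * 504 + decoy + b"\x00" * 64 + fws + b"\x00" * 64 + cws


def triage(data):
    """Summary a scanner would log: carrier type and the plausible SWF offsets."""
    swfs = [h for h in find_swf(data) if h["plausible"]]
    return {"ole2": is_ole2(data), "swf_offsets": [h["offset"] for h in swfs],
            "suspicious": is_ole2(data) and bool(swfs)}


if __name__ == "__main__":
    sample = make_sample()
    for h in find_swf(sample):
        print(h)
    print(triage(sample))
```

The decoy shows why the plausibility checks matter: the three letters FWS occur in ordinary text, so a raw signature match alone would flag clean documents, while a version byte outside the sane range or a declared length larger than the remaining file rules those out. A CWS hit is only accepted when the bytes after the header really inflate, which is a stronger check than looking for the zlib 0x78 marker byte. Against a real Office file the scan also finds Flash that sits inside a stream split across sectors only if the SWF header lands in one contiguous run; a full CFB stream reassembly is the natural next step but is outside this snippet.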
W32/AutoIt-FP
by Marianna Schmudlach / August 5, 2009 4:29 AM PDT
Troj/Pasur-A
by Marianna Schmudlach / August 5, 2009 4:30 AM PDT
Troj/Bumat-A
by Marianna Schmudlach / August 5, 2009 4:31 AM PDT
Troj/Bredolab-E
by Marianna Schmudlach / August 5, 2009 4:31 AM PDT
Troj/Backdr-AL
by Marianna Schmudlach / August 5, 2009 4:32 AM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


Troj/Backdr-AL is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Backdr-AL includes functionality to access the internet and communicate with a remote server via HTTP.

The following registry entry is created to run Troj/Backdr-AL on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bar
<pathname of the Trojan executable>

Registry entries are created under:

HKLM\SOFTWARE\RelatedPageInstall

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbackdral.html?_log_from=rss

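The four Sophos write-ups quoted in full in this thread (W32/Autorun-ANO, Troj/Dloadr-CQZ, Troj/Agent-KRI and Troj/Backdr-AL) each persist through a different registry location: a value under the Run key, an extra entry appended to the Winlogon Userinit list, and an Active Setup StubPath. The audit below is an added example, not Sophos or CNET code: it parses a regedit export and flags those patterns. It runs over a constructed .reg sample in which the value names, file names and the Active Setup GUID come from the write-ups above, while the drive paths, the target of the "Bar" value and the benign ctfmon and Shell entries are assumed for illustration; the function names and the user-writable directory list are likewise this example's own.

```python
"""Audit a regedit (.reg) export for the autostart locations the write-ups above
use: Run values, the Winlogon Userinit/Shell values and Active Setup StubPath
entries. Added example; not Sophos tooling."""
import re

# Constructed sample export. Value names, file names and the Active Setup GUID
# come from the Sophos descriptions on this page; the drive paths, the target of
# "Bar" and the benign ctfmon/Shell entries are assumed for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windll"="C:\\WINDOWS\\system32\\windotnetsrv.exe"
"Bar"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\bar.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836}]
"StubPath"="C:\\Program Files\\Bifrost\\server.exe s"
"""

# File-name indicators taken from the write-ups above (lower-case substrings).
IOC_SUBSTRINGS = ("windotnetsrv.exe", "sdra64.exe", "\\bifrost\\server.exe")
# Directories an unprivileged user can write to; autostarts there deserve a look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")

KEY_RE = re.compile(r'^\[(.+)\]$')
# Only REG_SZ values ("name"="data"); hex:/dword: values are not needed here.
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    r"""Undo regedit's \\ and \" escaping."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def exe_name(cmd):
    """Lower-case base name of the executable in a command line, arguments ignored."""
    if not cmd.strip():
        return ""
    m = re.match(r'\s*"?(.*?\.exe)', cmd, re.IGNORECASE)
    path = m.group(1) if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def classify(cmd):
    """Severity for one autostart command line: IOC hit, user-writable path, or plain info."""
    low = cmd.lower()
    if any(ioc in low for ioc in IOC_SUBSTRINGS):
        return "high"
    if any(d in low for d in USER_WRITABLE):
        return "review"
    return "info"


def audit(reg_text):
    """Return a list of findings, each {severity, rule, key, value, data}."""
    findings = []

    def add(severity, rule, key, name, data):
        findings.append({"severity": severity, "rule": rule, "key": key, "value": name, "data": data})

    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if k.endswith("\\winlogon") and n == "userinit":
                # A clean Userinit is exactly one entry: userinit.exe in the system dir.
                parts = [p.strip() for p in data.split(",") if p.strip()]
                if not parts or exe_name(parts[0]) != "userinit.exe":
                    add("high", "userinit-replaced", key, name, data)
                for extra in parts[1:]:
                    add("high", "userinit-extra", key, name, extra)
            elif k.endswith("\\winlogon") and n == "shell":
                if exe_name(data) != "explorer.exe":
                    add("high", "shell-replaced", key, name, data)
            elif "\\currentversion\\run" in k:  # Run, RunOnce, RunServices
                add(classify(data), "run-key", key, name, data)
            elif "\\active setup\\installed components\\" in k and n == "stubpath":
                # Legitimate Active Setup stubs exist, so a non-IOC entry is only "review".
                add("high" if classify(data) == "high" else "review", "active-setup", key, name, data)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REG):
        print(f"[{f['severity']:<6}] {f['rule']:<18} {f['value']} = {f['data']}")
```

To run this against a real machine, export the three keys with `reg export` (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`), read the file as UTF-16 (regedit writes exports with a UTF-16 BOM) and pass the text to `audit()`. The three locations differ in how much they can be judged structurally: a legitimate Userinit value holds exactly one entry, so anything after the first comma is suspect whatever it is called, whereas Run and Active Setup entries are used by ordinary software and need the file-name indicators or the user-writable-path heuristic to rank them. The name "windll" or "Bar" on its own proves nothing, which is why the sample's "Bar" entry only comes out as "review".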
Troj/Agent-KRJ
by Marianna Schmudlach / August 5, 2009 4:33 AM PDT
Mal/Scribble-B
by Marianna Schmudlach / August 5, 2009 4:34 AM PDT