Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Agent-LWH

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Dloadr-CXH

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/Dloadr-CXH is a Trojan for the Windows platform.

Troj/Dloadr-CXH includes functionality to:

- run automatically
- access the internet and communicate with a remote server via HTTP

Troj/Dloadr-CXH communicates via HTTP with the following locations:

yourgunparts . com

When Troj/Dloadr-CXH is installed the following files are created:

<System>\ntos.exe
<System>\wsnpoem\audio.dll
<System>\wsnpoem\video.dll

The following registry entry is created to run ntos.exe on startup:

HK_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\userinit
<System>\ntos.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrcxh.html?_log_from=rss

Troj/FakeAV-AJM

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Iframe-DG

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Proxy-JP

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Poison-BR

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Mal/TDSSPk-B

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Agent-LVZ

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/PWS-BFW

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Rootkit-HH

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/FakeAV-AJJ

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


Troj/FakeAV-AJJ is a Trojan for the Windows platform.

Troj/FakeAV-AJJ includes functionality to:

- run automatically
- copy itself to the <System> folder
- access the internet and communicate with a remote server via HTTP

Troj/FakeAV-AJJ communicates via HTTP with the following locations:

downloadavr12 . com
testavrdown . com

When Troj/FakeAV-AJJ is installed the following files are created:

<System>\41.exe
<System>\AVR10.exe
<System>\critical_warning.html
<System>\winhelper86.dll
<System>\winlogon86.exe
<System>\winupdate86.exe

The following registry entry is created to run winupdate86.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winupdate86.exe
HKCU\Software

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoSetActiveDesktop
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoChangingWallpaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoSetActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavajj.html?_log_from=rss

Troj/FakeAV-AJI

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


Troj/FakeAV-AJI is a Trojan for the Windows platform.

Troj/FakeAV-AJI includes functionality to:

- run automatically
- steal confidential information
- access the internet and communicate with a remote server via HTTP

Troj/FakeAV-AJI communicates via HTTP with the following locations:

advancedvirusremover-2010 . com

When Troj/FakeAV-AJI is installed the following files are created:

<User>\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
<Desktop>\Advanced Virus Remover.lnk
<Start Menu>\Advanced Virus Remover.lnk
<Program Files>\AdvancedVirusRemover\AVR.exe

The following registry entry is created to run AVR.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Advanced Virus Remover
<Program Files>\AdvancedVirusRemover\AVR.exe

Registry entries are created under:

HKCU\Software\AVR

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavaji.html?_log_from=rss

Troj/FakeAV-AJH

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/FakeAV-AJH is a Trojan for the Windows platform.

Troj/FakeAV-AJH includes functionality to:

- run automatically
- create batch scripts
- access the internet and communicate with a remote server via HTTP

Troj/FakeAV-AJH communicates via HTTP with the following locations:

theprotectionlawyers . com


When Troj/FakeAV-AJH is installed the following files are created:

<Desktop>\Security Tool.lnk
<User>\Application Data\83399840\83399840.exe
<Start Menu\Programs>\Security Tool.lnk

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Connections
SavedLegacySettings

Registry entries are created under:

HKLM\SOFTWARE\83399840
HKLM\SOFTWARE

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavajh.html?_log_from=rss

Troj/FakeAV-AJG

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/FakeAV-AJF

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/FakeAle-RD

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/FakeAle-RD is a Trojan for the Windows platform.

Troj/FakeAle-RD includes functionality to:

- run automatically
- steal confidential information
- access the internet and communicate with a remote server via HTTP

Troj/FakeAle-RD disables the System Restore and Windows Update services from the registry.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealerd.html?_log_from=rss

Troj/Dloadr-CXG

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Dloadr-CXF

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Proxy-JO

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


Troj/Proxy-JO is a Trojan for the Windows platform.

The following registry entry is created to run Troj/Proxy-JO on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft Windows Updat
<Windows>\fonts\svchost.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
http=localhost:8872

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
1

http://www.sophos.com/security/analyses/viruses-and-spyware/trojproxyjo.html?_log_from=rss

Troj/FakeAV-AJK

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/DwnLdr-HYN

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Troj/Aspdoor-C

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Mal/Voterai-A

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Malicious Behavior


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


Mal/Voterai-A detects a family of worms for the Windows platform.

Mal/Voterai-A spreads by copying itself to removable storage devices.

When first run Mal/Voterai-A copies itself to:

<System>\drivers\<random name>.exe

and creates a clean image file on the Desktop which it displays.

Mal/Voterai-A creates the following registry entry to start itself automatically:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random filename>.exe
<System>\drivers\<random filename>.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/malvoteraia.html?_log_from=rss

Mal/FakeAV-BV

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

SpectorSoft

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Adware or PUA

Type

* System Monitor


Affected operating systems: Windows
Characteristics

* Installs itself in the registry
* Monitors browser activity


SpectorSoft is a potentially unwanted application.

SpectorSoft monitors user activities such as emails, chats, web sites visited and keystrokes typed.

http://www.sophos.com/security/analyses/adware-and-puas/spectorsoft.html

Cain n Abel Installer

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Cain n Abel

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

W32/Autorun.worm.zs!2978F27B3DAC

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Type
Virus
SubType
Worm

Overview -

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

Worm.AutoRun is a network-aware worm that attempts to replicate across the existing network
Characteristics -

File Information :

o MD5 - 2978F27B3DAC6DC534DAC4A980C85C92
o SHA - 12F4474251F2F0EB5489E41F95A91A55D73B4802
o File Size - 6,115,666 bytes

Aliases :

o Microsoft - Worm:Win32/Neeris.AV
o NOD32 - Win32/AutoRun.IRCBot.AU
o Ikarus - Backdoor.Win32.IRCBot
o Kaspersky - Backdoor.Win32.IRCBot.jgd

Characteristics:

Upon execution, the following registry changes happened to the system

The following registry Keys have been added :

o HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\sysdrv32
o HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\sysdrv32\Security
o HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\sysdrv32\Enum

The worm registers the run entry to run the process after reboot.

o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ilasss" = "%Windir%\system\lsass.exe"

The worm registers a service with the following properties.

More: http://vil.nai.com/vil/content/v_153838.htm

W32/Cindy-B

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Worm


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


W32/Cindy-B is a worm for the Windows platform.

When W32/Cindy-B is run the following files are created:

<System>\SVCHOST.exe
<System>\Windows\System.exe
<Root>\Gambar\PicCindy.jpg .exe

The following registry entries are created to run W32/Cindy-B on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows SVCHOST
<System>\SVCHOST.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows System
<System>\Windows\System.exe

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
0x00000001



http://www.sophos.com/security/analyses/viruses-and-spyware/w32cindyb.html?_log_from=rss

Troj/VB-EKZ

In reply to: VIRUS \ SPYWARE ALERTS - December 1, 2009

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/VB-EKZ is a Trojan for the Windows platform.

Troj/VB-EKZ includes functionality to:

- run automatically
- steal confidential information
- access the internet and communicate with a remote server via HTTP

Troj/VB-EKZ communicates via HTTP with the following locations:

google . com . br

When Troj/VB-EKZ is installed it creates the file <Windows>\KB70CC13.log.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbekz.html?_log_from=rss
