Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - December 12, 2008

by Marianna Schmudlach / December 11, 2008 12:23 PM PST
Troj/Agent-GHL
by Marianna Schmudlach / December 11, 2008 12:24 PM PST
Troj/Agent-GHE
by Marianna Schmudlach / December 11, 2008 12:25 PM PST
Mal/TDSS-A
by Marianna Schmudlach / December 11, 2008 12:26 PM PST
Mal/EncPk-GJ
by Marianna Schmudlach / December 11, 2008 12:27 PM PST
Mal/Behav-114
by Marianna Schmudlach / December 11, 2008 12:28 PM PST
Troj/PWS-ASO
by Marianna Schmudlach / December 11, 2008 12:50 PM PST
Troj/Inject-CF
by Marianna Schmudlach / December 11, 2008 12:51 PM PST
Troj/DwnLdr-HFF
by Marianna Schmudlach / December 11, 2008 12:52 PM PST

Category Viruses and Spyware

Type Trojan

Troj/DwnLdr-HFF is a downloader Trojan for the Windows platform.

When run, Troj/DwnLdr-HFF copies itself to <System>\Ahead\nero.exe and sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion
  inf = <System>\Ahead\

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Nero
  StubPath = <System>\Ahead\nero.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhff.html?_log_from=rss
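An added detection check, not part of the Sophos write-up or this post, for the Active Setup persistence described above: it parses a constructed .reg export and flags any Installed Components key that carries a StubPath but is not GUID-named, which is the pattern the Nero key shows. The sample data, GUID and paths are placeholders, and the non-GUID rule is a triage heuristic rather than a signature.

```python
import re

# Constructed sample of a Windows .reg export (not real data from the page):
# one GUID-named Active Setup component and one mirroring the "Nero" key
# described for Troj/DwnLdr-HFF. The GUID and paths are placeholders.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\WINDOWS\\system32\\example_setup.exe /user"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Nero]
"StubPath"="C:\\WINDOWS\\system32\\Ahead\\nero.exe"
"""

ACTIVE_SETUP = r"\Microsoft\Active Setup\Installed Components"
# Legitimate Active Setup components are registered under a CLSID-style GUID;
# a plain product name such as "Nero" is the heuristic trigger here.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg-style export text."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            # .reg files escape backslashes as "\\"; unescape for comparison.
            entries[current][name] = data.strip('"').replace("\\\\", "\\")
    return entries


def suspicious_active_setup(entries):
    """List (component, stub_path) for StubPath values under non-GUID keys."""
    hits = []
    for key, values in entries.items():
        if ACTIVE_SETUP.lower() not in key.lower() or "StubPath" not in values:
            continue
        component = key.rsplit("\\", 1)[-1]
        if not GUID_RE.match(component):
            hits.append((component, values["StubPath"]))
    return hits


if __name__ == "__main__":
    for component, stub in suspicious_active_setup(parse_reg(SAMPLE_REG)):
        print(f"non-GUID Active Setup component {component!r} runs {stub}")
```

On a live system the same check applies to the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"`, and any hit should be compared against the <System>\Ahead\ path the write-up names.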

Troj/Agent-GHW
by Marianna Schmudlach / December 11, 2008 12:53 PM PST
Troj/AdClick-EV
by Marianna Schmudlach / December 11, 2008 12:54 PM PST
Vapsup
by Marianna Schmudlach / December 11, 2008 12:55 PM PST
Mysidesearch Search Enhancer
by Marianna Schmudlach / December 11, 2008 12:56 PM PST
CmdAsp
by Marianna Schmudlach / December 11, 2008 12:57 PM PST
Troj/PWS-ASP
by Marianna Schmudlach / December 12, 2008 12:38 AM PST
Troj/DwnLdr-HIR
by Marianna Schmudlach / December 12, 2008 12:38 AM PST
Troj/DwnLdr-HFR
by Marianna Schmudlach / December 12, 2008 12:40 AM PST
Troj/Agent-GKZ
by Marianna Schmudlach / December 12, 2008 12:41 AM PST
Troj/Fakevir-ID
by Marianna Schmudlach / December 12, 2008 12:42 AM PST
Troj/Bckdr-QIY
by Marianna Schmudlach / December 12, 2008 12:43 AM PST
Troj/Agent-GMX
by Marianna Schmudlach / December 12, 2008 12:44 AM PST
Troj/Agent-GJP
by Marianna Schmudlach / December 12, 2008 12:45 AM PST
Mal/Iframe-G
by Marianna Schmudlach / December 12, 2008 12:46 AM PST
Exp/Datbi-A
by Marianna Schmudlach / December 12, 2008 12:47 AM PST
Adware.MyCentria
by Marianna Schmudlach / December 12, 2008 1:08 AM PST
Worm:W32/AutoRun.DMO
by Marianna Schmudlach / December 12, 2008 1:11 AM PST

Name: Worm:W32/AutoRun.DMO
Aliases: W32.Dutan.A (Symantec), Worm:Win32/Dutan.A (Microsoft)

Size: 548864
Type: Worm
Category: Malware
Platform: W32
Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.

http://www.f-secure.com/v-descs/worm_w32_autorun_dmo.shtml

JS_AGENT.CSZZ
by Marianna Schmudlach / December 12, 2008 1:14 AM PST

Malware type: JavaScript

Malware Overview

This malicious JavaScript may be hosted on a Web site and run when a user accesses the said Web site. It may currently be found at the Web site http://{BLOCKED}look.tw.

It takes advantage of an undetermined vulnerability in patched versions of Internet Explorer 7 (7.0.5730.13). Once it successfully exploits the vulnerability, it accesses a specific Web site to download possibly malicious files. However, the said site is currently inaccessible.

The vulnerable browser may also crash when accessing a site that contains the malicious JavaScript code.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FAGENT%2ECSZZ

TROJ_MCWORDP.A
by Marianna Schmudlach / December 12, 2008 1:15 AM PST

Malware type: Trojan

Malware Overview

This Trojan may be dropped or downloaded by other malware.

It arrives as a specially crafted .DOC, .WRI, or .RTF file that exploits a known vulnerability in Microsoft WordPad. This vulnerability may cause the said application to crash and may also allow a remote malicious user to take control over an affected system when a user views the said file.

More details on the said vulnerability can be found here:

Microsoft Security Advisory (960906) - Vulnerability in WordPad Text Converter Could Allow Remote Code Execution

Once successfully exploited, it drops a malicious file on the affected system, which is detected as BKDR_AGENT.VBI. As a result, malicious routines of the dropped file are exhibited on the affected system.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMCWORDP%2EA

Win32/ChromeInject.A
by Marianna Schmudlach / December 12, 2008 1:32 AM PST

Date Published: 12 Dec 2008

Last Updated: 12 Dec 2008

Type: Trojan

Category: Win32

Also known as: TrojanSpy:Win32/Agent (MS OneCare)


Description
Win32/ChromeInject.A is a trojan that runs as a Mozilla Firefox plugin, and attempts to steal sensitive information by monitoring visited URLs.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76479

Virus Alerts [Panda Security's weekly report on viruses and intruders - 12/12/08]
by Marianna Schmudlach / December 12, 2008 3:59 AM PST

- Panda Security's weekly report on viruses and intruders -

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week's PandaLabs report looks at the BankerFox banker Trojan, the
Azero.B virus and the P2PShared.U worm, distributed through a fake
McDonald's email message.

Banker.LAX is designed to steal bank details. To do this, it drops a
library on targeted computers passing itself off as a legitimate Firefox
plug-in. Then, if the user accesses the website of their bank, the
malicious code will capture all the information entered. The malware
creator will then use this information to empty the users' accounts.
This malware can steal passwords from more than one hundred banking
institutions.

"Oddly enough, this Trojan affects Firefox only, whereas cyber-criminals
usually exploit Internet Explorer", says Luis Corrons, technical
director of PandaLabs. "The reason for this is the increasing number of
people who are using this Internet browser. As always, cyber-crooks
target the most popular tools to affect as many users as possible. It
is very likely that we will see more attacks like this in the future."

Azero.B is a virus designed to infect executable files by inserting
malicious code at the beginning of their code. Also, it replaces the
computer wallpaper with an image with the following text: "Hello
Administrator! If you have seen me you are same as a Fool guy".

See an image of this wallpaper here:
http://www.flickr.com/photos/panda_security/3101557477/

Also this week PandaLabs has discovered a fake email message that
pretends to be a special Christmas promotion from McDonald's but really
is a bait to spread the P2PShared.U worm.

The message subject is "Mcdonalds wishes you Merry Christmas!" and the
text body reads as follows:

"McDonald's is proud to present our latest discount menu. Simply print
the coupon from this Email and head to your local McDonald's for FREE
giveaways and AWESOME savings."

For more information about this malicious code, go to
http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9476

Finally, PandaLabs has reported a new variant of the Boface worm,
Boface.J, which uses Facebook to spread. More information in the
PandaLabs blog:
http://pandalabs.pandasecurity.com/archive/My-friend-was-a-worm.aspx

Troj/CracSr-Gen
by Marianna Schmudlach / December 12, 2008 4:01 AM PST
