Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - December 4, 2008

by Marianna Schmudlach / December 3, 2008 10:08 AM PST
Troj/Zbot-BF
by Marianna Schmudlach / December 3, 2008 10:09 AM PST
Troj/Mdrop-BXH
by Marianna Schmudlach / December 3, 2008 10:10 AM PST
Troj/Dloadr-CBX
by Marianna Schmudlach / December 3, 2008 10:11 AM PST
Troj/Bckdr-QQQ
by Marianna Schmudlach / December 3, 2008 10:12 AM PST
Mal/EncPk-FL
by Marianna Schmudlach / December 3, 2008 10:13 AM PST
MyCentria Installer
by Marianna Schmudlach / December 3, 2008 10:15 AM PST
Trojan-Downloader:W32/Agent.IDO
by Marianna Schmudlach / December 3, 2008 10:17 AM PST

Name : Trojan-Downloader:W32/Agent.IDO
Type: Trojan-Downloader
Category: Malware

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Additional Details
The trojan-downloader Agent.IDO drops the following files onto the system:

%windir%\system32\win.exe
%ProgramFiles%\Microsoft Commom\svchost.exe

The svchost.exe file is detected as Trojan-Downloader:W32/Agent.IDP.

More: http://www.f-secure.com/v-descs/trojan-downloader_w32_agent_ido.shtml

Troj/Dloadr-CBZ
by Marianna Schmudlach / December 3, 2008 1:38 PM PST
Troj/Dloadr-CBY
by Marianna Schmudlach / December 3, 2008 1:39 PM PST
Troj/Agent-IKF
by Marianna Schmudlach / December 3, 2008 1:40 PM PST
BKDR_AGENT.CAZZ
by Marianna Schmudlach / December 3, 2008 1:42 PM PST

Malware type: Backdoor

This backdoor arrives on a system as a file dropped or downloaded by other malware. When executed, it drops a copy of itself onto the affected system and injects threads into all running processes to stay memory-resident.

It makes multiple changes to the Windows Registry; one of these allows it to run at every system startup.

This backdoor is used by other malware for its rootkit functionalities. It hides files, processes, and/or registry entries.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FAGENT%2ECAZZ

Bloodhound.PDF.2
by Marianna Schmudlach / December 3, 2008 1:44 PM PST
Troj/DwnLdr-HLL
by Marianna Schmudlach / December 3, 2008 2:28 PM PST

Category Viruses and Spyware

Type Trojan

Troj/DwnLdr-HLL is a Trojan for the Windows platform.

When run Troj/DwnLdr-HLL creates the files:
<System>\jdk-1_5_0_19-windows-i391-pp\jav.bat - can be safely deleted
<System>\jdk-1_5_0_19-windows-i391-pp\dc.class - detected as Troj/DwnLdr-HLL
<System>\jdk-1_5_0_19-windows-i391-pp\js.exe - detected as Troj/DwnLdr-HLL

Troj/DwnLdr-HLL sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Java VM v6.91
(blank)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Java VM v6.91
<System>\jdk-1_5_0_19-windows-i391-pp\\jav.bat

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Java VM v6.91
(blank)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Java VM v6.91
<System>\jdk-1_5_0_19-windows-i391-pp\\jav.bat

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhll.html?_log_from=rss

Troj/Banker-EOT
by Marianna Schmudlach / December 3, 2008 2:29 PM PST
Troj/Drop-BN
by Marianna Schmudlach / December 3, 2008 11:51 PM PST
Troj/Tometa-L
by Marianna Schmudlach / December 3, 2008 11:52 PM PST

Category Viruses and Spyware

Type Trojan

Troj/Tometa-L is a Trojan for the Windows platform.

When first run Troj/Tometa-L copies itself to <User>\Application Data\Microsoft\Windows\winlogon.exe.

The following registry entry is created to run Troj/Tometa-L on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows logon process
<User>\Application Data\Microsoft\Windows\winlogon.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojtometal.html?_log_from=rss

Troj/Ezio-H
by Marianna Schmudlach / December 3, 2008 11:53 PM PST

Category Viruses and Spyware

Type Trojan

Troj/Ezio-H is a Trojan for the Windows platform.

Troj/Ezio-H runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run Troj/Ezio-H copies itself to <System>\wopooe.exe.

The following registry entries are created to run wopooe.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SyteUpdtes
wopooe.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
SyteUpdtes
wopooe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SyteUpdtes
wopooe.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
SyteUpdtes
wopooe.exe

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojezioh.html?_log_from=rss
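As an added example (not code from the forum or from the Sophos write-ups), the Run-key persistence listed above for Troj/DwnLdr-HLL, Troj/Tometa-L and Troj/Ezio-H can be checked against a `reg export` of the Run keys; the sample export, the benign `Updater` value and the paths that `<System>` resolves to are constructed for the demonstration.

```python
import re

# Persistence indicators transcribed from the Sophos write-ups quoted above (Troj/DwnLdr-HLL,
# Troj/Tometa-L, Troj/Ezio-H): (key as Sophos abbreviates it, value name, value data).
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_IOCS = [
    (RUN_HKCU, "Java VM v6.91", r"<System>\jdk-1_5_0_19-windows-i391-pp\jav.bat"),
    (RUN_HKCU, "Microsoft Windows logon process", r"<User>\Application Data\Microsoft\Windows\winlogon.exe"),
    (RUN_HKCU, "SyteUpdtes", "wopooe.exe"),
    (RUN_HKLM, "SyteUpdtes", "wopooe.exe"),
]
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

def parse_reg_export(text):
    """Parse `reg export` text into {key: {name: data}}; .reg doubles backslashes, undo that."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                   # "[HKEY_...\...]" starts a new key
            key = m.group(1).lower()
            entries.setdefault(key, {})
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line)   # "name"="string data"
        if m and key is not None:
            entries[key][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return entries

def match_persistence(export_text, iocs=PERSISTENCE_IOCS):
    """One hit per IOC whose value name sits under the expected key:
    (full key, value name, observed data, whether the file name in the data matches too)."""
    found, hits = parse_reg_export(export_text), []
    for short_key, name, data in iocs:
        hive, _, rest = short_key.partition("\\")
        full_key = (HIVES[hive] + "\\" + rest).lower()
        observed = found.get(full_key, {}).get(name.lower())
        if observed is not None:
            same_file = observed.rsplit("\\", 1)[-1].lower() == data.rsplit("\\", 1)[-1].lower()
            hits.append((full_key, name, observed, same_file))
    return hits

# Constructed sample export (not from a real machine): one benign value plus two planted indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"Java VM v6.91"="C:\\Windows\\system32\\jdk-1_5_0_19-windows-i391-pp\\jav.bat"
"SyteUpdtes"="wopooe.exe"
"""
```

On a machine under investigation, `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` produces the input (repeat for the HKLM key and the RunOnce/RunServices keys named above); the exported file is UTF-16, so read it with `encoding="utf-16"` before passing it to `match_persistence`.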

Troj/Ezio-G
by Marianna Schmudlach / December 3, 2008 11:54 PM PST
Trojan.PWS.ChromeInject
by Marianna Schmudlach / December 4, 2008 12:39 AM PST
W32.Lopown!inf
by Marianna Schmudlach / December 4, 2008 12:45 AM PST
Backdoor:W32/TDSS
by Marianna Schmudlach / December 4, 2008 12:46 AM PST

Name : Backdoor:W32/TDSS
Type: Backdoor
Category: Malware

Summary
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.

Details

File System Changes
Creates these files:

%Temp%\TDSS%randchar1%.tmp
%Temp%\TDSS%randchar2%.tmp

Process Changes
Creates these mutexes:

\TdlStartMutex

More: http://www.f-secure.com/v-descs/backdoor_w32_tdss.shtml

Backdoor:W32/SdBot.CNJ
by Marianna Schmudlach / December 4, 2008 12:47 AM PST

Name : Backdoor:W32/SdBot.CNJ
Detection Names : Backdoor:W32/SdBot.CNJ
Backdoor:W32/SdBot.CNJ
Trojan.Win32.Agent.asdj

Aliases : W32.Ackantta@mm (Symantec)
W32/Autorun-RI (Sophos)
W32/Xirtem@MM (McAfee)
VirTool:Win32/CeeInject.gen!K (Microsoft)

Type: Backdoor
Category: Malware

Summary
Backdoor:W32/SdBot.CNJ is a piece of malicious software that tries to disable various firewalls and antivirus programs, steal passwords from the infected machine and spread through removable media devices.

More: http://www.f-secure.com/v-descs/backdoor_w32_sdbot_cnj.shtml

Trojan:W32/Krap.B
by Marianna Schmudlach / December 4, 2008 12:48 AM PST

Name : Trojan:W32/Krap.B
Detection Names : Packed.Win32.Krap.b

Type: Trojan
Category: Malware

Summary
This detection is of "packed" software. Packers are used to compress files and to disguise the malicious contents.

More: http://www.f-secure.com/v-descs/trojan_w32_krap_b.shtml

Infostealer.Vipect
by Marianna Schmudlach / December 4, 2008 12:50 AM PST
PrivacyCommander
by Marianna Schmudlach / December 4, 2008 12:51 AM PST
Coders Cheat with Ease in Online Contests
by Marianna Schmudlach / December 4, 2008 12:56 AM PST

December 4, 2008

There are few human instincts that are less powerful than winning. With that, however, comes the unfortunate problem of cheating. In the real world, cheating usually has a fairly direct consequence that makes you not want to do it again. Out in the online world, however, things are just a bit different.

Consider, for example, eBay. The number-one online auction site recently started a promotion called Holiday Doorbusters where people could buy certain items, from sports cars to mini-saunas, for the low, low price of one dollar. Sounds like a good idea, right? Unfortunately, things didn't work quite as planned.

The promotion's catch was that the first user to find and bid on certain items wins. However, it didn't take long before clever coders created scripts that could find and buy the steeply discounted items before humans could. It reached the point where some items were bought before anyone actually saw the items.

More: http://blog.trendmicro.com/

OSX_JAHLAV.A
by Marianna Schmudlach / December 4, 2008 12:57 AM PST

December 4, 2008

Apple's suggestion to Mac users to install antivirus programs on their systems has been creating buzz in the online community. This is despite the fact that Apple initially pushed the same notion six years ago, and also echoed the same concern last year.

The matter surprised those who've heard of such news just recently, especially since Apple claims in their advertisements that Mac users should not worry about malicious software. Some users dismissed the announcement as admittance by Apple that Mac is also susceptible to malware attacks. The issue grew further after the antivirus suggestion post was deleted from the Apple website.

Though Apple's motives for their actions are still unclear, one thing certain

More: http://blog.trendmicro.com/

Booby-trapped emails fly back into fashion
by Marianna Schmudlach / December 4, 2008 1:00 AM PST

Trojan assault wave takes many guises

By John Leyden

4th December 2008

Malicious email attachments disguised as airline ticket receipts are being spammed across the internet as part of a new attack. The assault is the latest in a series of booby-trapped email attachments, which have seemingly become fashionable among VXers again, after many months of playing second-fiddle to website attacks.

The mendacious "ticket receipt" messages have a .zip file attached to them which, if opened on an unprotected Windows PC, results in infection by a Trojan horse, dubbed Invo-Zip by anti-virus firm Sophos. The body text of the poison pill email claims to contain a receipt for travel tickets supposedly costing hundreds of dollars and booked through one of a number of well-known airlines.

Brands aped in the attacks include Virgin America, American Airlines, Continental Airlines and US Airways.

More: http://www.theregister.co.uk/2008/12/04/zip_malware_attacks/

ChromeInject-A - Firefox plug-in Trojan harvests logins
by Marianna Schmudlach / December 4, 2008 1:01 AM PST

Spy on the wire

By John Leyden

4th December 2008

Virus writers have latched onto the popularity of Firefox with a new variant on the established practice of stealing online banking passwords.

A password pinching Trojan that poses as a Firefox Plugin is doing the rounds, Romanian security firm BitDefender warns. ChromeInject-A is typically downloaded onto Windows PCs already compromised by other strains of malware.

Once installed, the Trojan sits in Firefox's Plugin folder, activating every time the popular browser is started. The backdoor code looks for data exchanged between a compromised machine and a list of pre-programmed banking sites in Europe, Australia and the US.

Harvested login credentials are captured and subsequently posted to a server located in Russia.

More: http://www.theregister.co.uk/2008/12/04/firefox_plug_in_trojan/

Bot-wielding hackers crash eBay holiday giveaway
by Marianna Schmudlach / December 4, 2008 1:03 AM PST

eBay cares not

By Dan Goodin in San Francisco

4th December 2008

eBay users are howling in protest after discovering hackers are using automated scripts to win hundreds of steeply discounted auctions as part of a holiday season contest designed to draw visitors to the site.

Auctions for pricey items including a Green Life electric scooter and an Oscar de la Renta evening gown, which had been marked down to just $1, were scooped up even as the counter for their pages registered 0000 visitors. The Grinch stealing this year's Christmas booty were bot-armed hackers who were able to sniff out the promo pages before they went live to the public.

"This should have been advertised as a programming contest because those are the only people who can win," one eBay user complained to MSNBC's Red Tape Chronicles, which reported the story. "eBay can stop this if they want to by requiring a verification screen or something, they just don't care."

More: http://www.theregister.co.uk/2008/12/04/ebay_xmas_giveaway_hacked/
