VIRUS \ Spyware ALERTS - December 5, 2008

by Marianna Schmudlach / December 4, 2008 1:14 PM PST

Troj/Tiotua-AB

Category Viruses and Spyware

Type Trojan

Troj/Tiotua-AB is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Tiotua-AB includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Tiotua-AB is installed the following files are created:

<Program Files>\Microsoft Services\MSservice.exe - detected as Troj/Tiotua-AB
<Program Files>\Microsoft Services\logs.txt - clean text file
<Program Files>\Microsoft Services\search.txt - clean text file

http://www.sophos.com/security/analyses/viruses-and-spyware/trojtiotuaab.html?_log_from=rss

Troj/Dloadr-CCD
by Marianna Schmudlach / December 4, 2008 1:15 PM PST

W32/Sohana-BM
by Marianna Schmudlach / December 4, 2008 2:59 PM PST

W32/Looked-Y
by Marianna Schmudlach / December 4, 2008 3:00 PM PST

W32/Autorun-RQ
by Marianna Schmudlach / December 4, 2008 3:01 PM PST

Troj/VBMDAC-A
by Marianna Schmudlach / December 4, 2008 3:02 PM PST

Troj/Fakevir-HY
by Marianna Schmudlach / December 4, 2008 3:03 PM PST

Troj/FakeVir-HX
by Marianna Schmudlach / December 4, 2008 3:04 PM PST

Category Viruses and Spyware

Type Trojan

Troj/FakeVir-HX is a Trojan for the Windows platform.

When run Troj/FakeVir-HX attempts to silently insert a customised username of "TsTest" with a password of "123" into the list of Administrators in an attempt to allow subsequent access to the infected computer using administrator privileges.

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
TsTest
0

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
fAllowToGetHelp
0

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
fDenyTSConnections
0


http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirhx.html?_log_from=rss
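
A defender-side check for the three registry values listed in the Troj/FakeVir-HX post above, added here as an example (it is not part of the original post or of the Sophos analysis). It parses the text of a `reg export` file and also lists any other account hidden through the same `UserList` key; the sample export and the `HelpDesk` account name are constructed.

```python
import re

# Keys as written in a `reg export` file (HKLM is spelled out in exports).
USERLIST = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Winlogon\SpecialAccounts\UserList")
TERMSRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
# (key, value name, data) exactly as listed in the Troj/FakeVir-HX post.
INDICATORS = [(USERLIST, "TsTest", 0),
              (TERMSRV, "fAllowToGetHelp", 0),
              (TERMSRV, "fDenyTSConnections", 0)]
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(.+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_dwords(text):
    """Parse .reg text into {key: {name: int}}, lowercased; DWORD values only."""
    hive, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = hive.setdefault(key.group(1).lower(), {})
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            current[val.group(1).lower()] = int(val.group(2), 16)
    return hive

def check_fakevir_hx(text):
    """Return (names of matched indicators, other hidden accounts)."""
    hive = parse_reg_dwords(text)
    matched = [name for key, name, data in INDICATORS
               if hive.get(key.lower(), {}).get(name.lower()) == data]
    # Data 0 under UserList hides an account from the logon screen, so report
    # every such account, not only the name this Trojan uses.
    hidden = sorted(n for n, v in hive.get(USERLIST.lower(), {}).items()
                    if v == 0 and n != "tstest")
    return matched, hidden

# Constructed sample export; "HelpDesk" is a made-up account name.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"TsTest"=dword:00000000
"HelpDesk"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fAllowToGetHelp"=dword:00000001
"fDenyTSConnections"=dword:00000000
'''
print(check_fakevir_hx(SAMPLE))
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text in. `fDenyTSConnections` set to 0 is also the normal state on any host with Remote Desktop enabled, so the `TsTest` entry carries most of the weight.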

Troj/DwnLdr-HLO
by Marianna Schmudlach / December 4, 2008 3:06 PM PST

Troj/Agent-IKK
by Marianna Schmudlach / December 4, 2008 3:07 PM PST

Troj/Agent-IKJ
by Marianna Schmudlach / December 4, 2008 3:08 PM PST

Cain n Abel Installer
by Marianna Schmudlach / December 4, 2008 3:09 PM PST

Cain n Abel
by Marianna Schmudlach / December 4, 2008 3:10 PM PST

Troj/PDFJs-H
by Marianna Schmudlach / December 5, 2008 12:13 AM PST

Troj/Bifrose-WP
by Marianna Schmudlach / December 5, 2008 12:14 AM PST

W32/Azero-A
by Marianna Schmudlach / December 5, 2008 12:15 AM PST

W32/AutoRun-RS
by Marianna Schmudlach / December 5, 2008 12:16 AM PST

Category Viruses and Spyware

Type Worm

W32/AutoRun-RS is a worm for the Windows platform.

When run W32/AutoRun-RS copies itself to:
<Windows>\data.exe
<System>\data.exe
<System>\test.exe

and creates the file <System>\dotnetfx.dll - detected as W32/AutoRun-RS

W32/AutoRun-RS sets the following registry entries:

HKLM\SOFTWARE\Microsoft\DotNetRecovery
(default)
A

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.Net Recovery
rundll32.exe dotnetfx.dll,repair

W32/AutoRun-RS spreads via removable shared drives by copying itself to <Root>\1864.exe and creating the file <Root>\autorun.inf (detected as W32/AutoRun-RS).

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunrs.html?_log_from=rss

W32/AutoRun-RR
by Marianna Schmudlach / December 5, 2008 12:17 AM PST

Category Viruses and Spyware

Type Worm

W32/AutoRun-RR is a worm for the Windows platform.

When run W32/AutoRun-RR copies itself to <System>\myrvc.exe and creates the files:
<System>\SysResources.dat - can be deleted
<System>\dotnetfx.dll - also detected as W32/AutoRun-RR

W32/AutoRun-RR spreads via removable shared drives (like USB keys) by copying itself as <Root>\Softwares.exe and creating the file <Root>\autorun.inf (detected as Mal/AutoInf-A).

The following registry entries are set:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunrr.html?_log_from=rss

Troj/PWS-AWO
by Marianna Schmudlach / December 5, 2008 12:18 AM PST

Troj/DwnLdr-HLP
by Marianna Schmudlach / December 5, 2008 12:19 AM PST

Troj/Dloadr-CCE
by Marianna Schmudlach / December 5, 2008 12:20 AM PST

Troj/BHO-IT
by Marianna Schmudlach / December 5, 2008 12:21 AM PST

Mal/TinyDL-W
by Marianna Schmudlach / December 5, 2008 12:22 AM PST

Creating MS08-067 Exploits
by Marianna Schmudlach / December 5, 2008 1:25 AM PST

Friday, December 5, 2008

We are seeing fair amounts of infections using the MS08-067 vulnerability.

Most of these belong to a worm family that goes by the names Downadup, Conficker, or Kido.

We have also discovered several Chinese tools that are being used by the underground to create files that exploit this vulnerability.

Below you'll see some screenshots of such tools.

More: http://www.f-secure.com/weblog/

2009 could be banner year for malware
by Marianna Schmudlach / December 5, 2008 1:36 AM PST

Attacks will only get worse, claims MessageLabs

Written by Shaun Nichols in San Francisco

vnunet.com, 05 Dec 2008

Malware volumes exploded in 2008 and could herald an even worse 2009, according to security experts.

MessageLabs said in its Annual Security Report that a number of new cyber-crime trends had taken shape, among them more targeted attacks and a greater focus on web services and social networks.

Among the major trends was a surge in web-based attacks. Reports of sites being used to spread malware jumped by 83 per cent over the year, a figure largely attributed to an increase in SQL injection attacks over the summer.

More: http://www.vnunet.com/vnunet/news/2232033/2009-banner-malware

W32/Azero-A
by Marianna Schmudlach / December 5, 2008 1:38 AM PST

W32/AutoRun-RS
by Marianna Schmudlach / December 5, 2008 1:39 AM PST

Category Viruses and Spyware

Type Worm

W32/AutoRun-RS is a worm for the Windows platform.

When run W32/AutoRun-RS copies itself to:
<Windows>\data.exe
<System>\data.exe
<System>\test.exe

and creates the file <System>\dotnetfx.dll - detected as W32/AutoRun-RS

W32/AutoRun-RS sets the following registry entries:

HKLM\SOFTWARE\Microsoft\DotNetRecovery
(default)
A

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.Net Recovery
rundll32.exe dotnetfx.dll,repair

W32/AutoRun-RS spreads via removable shared drives by copying itself to <Root>\1864.exe and creating the file <Root>\autorun.inf (detected as W32/AutoRun-RS).

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunrs.html?_log_from=rss

W32/AutoRun-RR
by Marianna Schmudlach / December 5, 2008 1:40 AM PST

Troj/PWS-AWO
by Marianna Schmudlach / December 5, 2008 1:41 AM PST

Troj/DwnLdr-HLP
by Marianna Schmudlach / December 5, 2008 1:42 AM PST

Troj/Dloadr-CCE
by Marianna Schmudlach / December 5, 2008 1:43 AM PST