Spyware, Viruses, & Security forum


VIRUS \ Spyware ALERTS - February 10, 2009

by Marianna Schmudlach / February 9, 2009 10:17 AM PST
W32/Waled-AD
by Marianna Schmudlach / February 9, 2009 10:18 AM PST

Troj/Dloadr-CGM
by Marianna Schmudlach / February 9, 2009 10:20 AM PST

Troj/Dloadr-CGL
by Marianna Schmudlach / February 9, 2009 10:21 AM PST

Troj/Daonol-Fam
by Marianna Schmudlach / February 9, 2009 10:22 AM PST

Aliases: Rootkit.Win32.Agent.fwt, Trojan:Win32/Daonol.A, Trojan:Win32/Daonol.B

Category: Viruses and Spyware

Type: Trojan

Troj/Daonol-Fam is a family of Trojans for the Windows platform.

Members of Troj/Daonol-Fam typically copy themselves to the Root folder and create some of the following files:

<Root>\<random filename>.bat (clean batch file)
<System>\sysaudio.sys

The file sysaudio.sys is also a member of Troj/Daonol-Fam.

A registry entry is usually set similar to the following:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
aux
sysaudio.sys

Troj/Daonol-Fam attempts to redirect internet traffic from a number of websites.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdaonolfam.html?_log_from=rss

Troj/Bdoor-ARX
by Marianna Schmudlach / February 9, 2009 10:24 AM PST

Troj/Banker-EPF
by Marianna Schmudlach / February 9, 2009 10:25 AM PST

Troj/Agent-IVW
by Marianna Schmudlach / February 9, 2009 10:26 AM PST

Troj/Agent-IVV
by Marianna Schmudlach / February 9, 2009 10:27 AM PST

W32/Waled-AG
by Marianna Schmudlach / February 9, 2009 1:28 PM PST

W32/Waled-AF
by Marianna Schmudlach / February 9, 2009 1:30 PM PST

Troj/PSW-GH
by Marianna Schmudlach / February 9, 2009 1:31 PM PST

Category: Viruses and Spyware

Type: Trojan

Troj/PSW-GH is an information stealing Trojan for the Windows platform.

When run, Troj/PSW-GH copies itself to <System>\Msxmltrue.exe and sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B8A4FDE4-C54A-A729-CA24-7491D70DBF72}
StubPath
<System>\Msxmltrue.exe

Troj/PSW-GH then stores keystrokes and records them to the file <System>\Msxmltrue. This file can be deleted.


http://www.sophos.com/security/analyses/viruses-and-spyware/trojpswgh.html?_log_from=rss

Troj/Agent-IVX
by Marianna Schmudlach / February 9, 2009 1:32 PM PST

Category: Viruses and Spyware

Type: Trojan

Troj/Agent-IVX is a Trojan for the Windows platform.

When run, Troj/Agent-IVX creates the files:
<Windows>\svchost.exe - detected as Troj/Agent-IVX
<System>\explorer.exe - detected as Troj/Agent-IVX
<System>\iexplore.exe - detected as Troj/Agent-IVX
<System>\flash.exe - can be safely removed

Troj/Agent-IVX sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost
<Windows>\svchost.exe


http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentivx.html?_log_from=rss

Mal/Behav-227
by Marianna Schmudlach / February 9, 2009 1:34 PM PST

W32/Waled-AL
by Marianna Schmudlach / February 9, 2009 11:28 PM PST

W32/Waled-AK
by Marianna Schmudlach / February 9, 2009 11:29 PM PST

W32/Sohana-BU
by Marianna Schmudlach / February 9, 2009 11:30 PM PST

W32/AutoRun-XA
by Marianna Schmudlach / February 9, 2009 11:31 PM PST

Category: Viruses and Spyware

Type: Worm

W32/AutoRun-XA is a worm for the Windows platform.

When run, W32/AutoRun-XA copies itself to <System>\<original name of worm> and sets the following registry entries:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
open
<System>\<original name of worm>

W32/AutoRun-XA spreads via removable shared drives by copying itself as <Root>\HiBestfriendThisIsMyPictureWhenIwasOnthebeach.exe and creating the file <Root>\autorun.inf (also detected as W32/AutoRun-XA).

W32/AutoRun-XA also creates the files:
<Root>\HelloPhilippines.txt
<System>\HelloPhilippines.txt

These files are not malicious and can be safely removed.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunxa.html?_log_from=rss

Troj/PWS-AYD
by Marianna Schmudlach / February 9, 2009 11:32 PM PST

Troj/Dload-FE
by Marianna Schmudlach / February 9, 2009 11:33 PM PST

Troj/Bancos-BFF
by Marianna Schmudlach / February 9, 2009 11:34 PM PST

Troj/BHO-JV
by Marianna Schmudlach / February 9, 2009 11:55 PM PST

W32/AutoRun-WZ
by Marianna Schmudlach / February 9, 2009 11:57 PM PST

Category: Viruses and Spyware

Type: Worm

W32/AutoRun-WZ is a worm for the Windows platform.

When run, W32/AutoRun-WZ copies itself to <Windows>\agp6xdrv.exe and spreads via removable shared drives by copying itself to <Root>\naqcfgn.exe and creating the file <Root>\autorun.inf (also detected as W32/AutoRun-WZ).

The following registry entries are set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Policies\Microsoft\Windows\System
DisableCMD
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGPVideo16
<Windows>\agp6xdrv.exe


http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunwz.html

W32/Waled-AH
by Marianna Schmudlach / February 9, 2009 11:58 PM PST

W32/Waled-AI
by Marianna Schmudlach / February 9, 2009 11:59 PM PST

Troj/Ilomo-A
by Marianna Schmudlach / February 10, 2009 12:01 AM PST

Troj/HexZone-B
by Marianna Schmudlach / February 10, 2009 12:02 AM PST

Troj/Agent-IUA
by Marianna Schmudlach / February 10, 2009 12:03 AM PST

Aliases: Generic Dropper.cx, Win32/Agent.OVQ

Category: Viruses and Spyware

Type: Trojan

Troj/Agent-IUA is a Trojan for the Windows platform.

Troj/Agent-IUA includes functionality to access the internet and communicate with a remote server via HTTP.

The following registry entry is created to run Troj/Agent-IUA on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Cognac
<pathname of the Trojan executable>

Registry entries are created under:

HKCU\Software\Cognac

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentiua.html?_log_from=rss
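The registry locations quoted in the Troj/Daonol-Fam, Troj/PSW-GH, Troj/Agent-IVX, W32/AutoRun-WZ and Troj/Agent-IUA entries above come down to a handful of persistence and lock-out spots, so they are worth auditing together. The Python below is an added example, not code from this thread or from the Sophos write-ups: it parses a .reg export into a dictionary and lists every value found at those locations. The embedded sample export is constructed, with C:\Windows standing in for the <Windows> and <System> placeholders used in the alerts.

```python
WATCHED = {  # locations quoted in the alerts above: None = list every value, a set = only those names
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32": {"aux"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools", "DisableTaskMgr"},
    r"HKCU\Software\Policies\Microsoft\Windows\System": {"DisableCMD"},
}
ACTIVE_SETUP = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"

def parse_reg(text):
    """Parse a .reg export into {key: {name: data}}; handles string and dword data only."""
    out, key = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
            out.setdefault(key, {})
        elif key and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            if raw.startswith("dword:"):
                out[key][name] = int(raw[6:], 16)
            else:  # .reg files double the backslashes inside string data
                out[key][name] = raw.strip('"').replace("\\\\", "\\")
    return out

def flag_persistence(reg):
    """Return (key, name, data) for each value sitting at a location the alerts describe."""
    findings = []
    for key, values in reg.items():
        if key.startswith(ACTIVE_SETUP + "\\") and "StubPath" in values:
            findings.append((key, "StubPath", values["StubPath"]))  # Active Setup, as used by Troj/PSW-GH
        elif key in WATCHED:
            wanted = WATCHED[key]
            findings += [(key, n, d) for n, d in values.items() if wanted is None or n in wanted]
    return findings

# Constructed sample export (not captured from a real system); C:\Windows stands in for <Windows>.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGPVideo16"="C:\\Windows\\agp6xdrv.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B8A4FDE4-C54A-A729-CA24-7491D70DBF72}]
"StubPath"="C:\\Windows\\system32\\Msxmltrue.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="sysaudio.sys"
"""
```

A file written by reg export is typically UTF-16 encoded, so open it with that encoding before handing its text to parse_reg; a dword of 1 under the two Policies keys means Task Manager, the registry editor or the command prompt has been disabled for that user.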

New-age cyber-attack inflicts major damage with modest means
by Marianna Schmudlach / February 10, 2009 12:05 AM PST

Ladyboydolls.com and the new DDoS

By Dan Goodin in San Francisco
10th February 2009

A sustained cyber-attack against a handful of niche pornography sites has demonstrated a novel way to inflict major damage on hardened targets using a modest amount of data, a security researcher has warned.

The technique - which tricks the net's authoritative name servers into bombarding innocent victims with more data than they can handle - is growing increasingly common, and it's likely only a matter of time before commercial attack kits add it to their arsenal, said Don Jackson, a researcher with Atlanta-based security provider SecureWorks. He also warned there is no easy fix because any remedy will potentially require settings for millions of DNS, or domain-name system, servers to be individually changed.

More: http://www.theregister.co.uk/2009/02/10/new_dns_amplification_attacks/

Scribble In Your Files
by Marianna Schmudlach / February 10, 2009 12:13 AM PST

10 February 2009

We've been seeing a lot of activity from a new polymorphic mid-infecting virus, W32/Scribble-A. While this new family has quite a lot in common with members of the older Vetor and Virut families of viruses, the main code looks to have undergone a fairly major overhaul.

As well as being able to infect executable files such that the code changes each time (hence 'polymorphic'), and being able to infect the host file at arbitrary locations in its executable code instead of just targeting the entry-point (hence 'mid-infecting'), W32/Scribble-A can also modify htm, html, php and asp files, among others, inserting an iframe pointing to a malicious website. This is a trick we first saw used widely by the Fujacks family of viruses, and clearly the authors of W32/Scribble-A decided it was a good way to help them spread.

We detect files with these Scribble-injected iframes as Troj/Fujif-Gen, which includes disinfection. These iframes point to a page heavy with javascript obfuscation, detected as Mal/ObfJS-BP, which tries to exploit a variety of vulnerabilities (including a PDF exploit detected as Troj/PdfJS-U) to load an executable - detected as W32/Virut-Gen. So the new W32/Scribble-A is writing iframes which point to the older W32/Virut-Gen code.

More: http://www.sophos.com/security/blog/2009/02/3130.html

Win32/Waledac.AJ
by Marianna Schmudlach / February 10, 2009 12:16 AM PST

Date Published: 10 Feb 2009

Type: Trojan

Category: Win32

Description
Win32/Waledac.AJ is a trojan that can steal information such as email addresses from affected systems and upload it to remote websites. It may also download and execute additional malware. This trojan has been observed to arrive in Valentine's Day-themed spam emails.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77663
