Spyware, Viruses, & Security forum

VIRUS \Spyware ALERTS - February 28, 2008

by Marianna Schmudlach / February 27, 2008 2:03 PM PST

W32/Looked-EE

Reported:
2008-02-28

Description:
W32/Looked-EE is a prepending virus and network worm for the Windows platform. W32/Looked-EE spreads by infecting Windows executable files on the local computer and on shared network drives.

http://www.sophos.com/security/analyses/w32lookedee.html

Troj/Dwnle-Gen
by Marianna Schmudlach / February 27, 2008 2:04 PM PST
Troj/Agent-GQR
by Marianna Schmudlach / February 27, 2008 2:06 PM PST
PWS-LegMir.gen.k.dll
by Marianna Schmudlach / February 27, 2008 2:07 PM PST

Reported:
2008-02-28

Description:
PWS-LegMir.gen.k.dll is dropped by PWS-LegMir.gen.k. It steals passwords from multiple games. It may also detect and terminate antivirus applications.

http://vil.nai.com/vil/content/v_144073.htm

Avert Labs Threat Advisory: Spy-Agent.cf
by Marianna Schmudlach / February 27, 2008 2:42 PM PST

Advisory
This is an Advisory for Spy-Agent.cf.

Justification
McAfee Avert Labs has seen multiple large spam runs of Spy-Agent.cf.

Read About It
The VIL entry for Spy-Agent.cf is currently being updated and can be found at http://vil.nai.com/vil/content/v_142478.htm

Detection
Spy-Agent.cf is proactively detected as New Malware.J if the McAfee Anti-virus products have Heuristic scanning enabled.

Troj/OnLineG-AO
by Marianna Schmudlach / February 27, 2008 11:52 PM PST
Troj/Enfal-C
by Marianna Schmudlach / February 27, 2008 11:53 PM PST
Troj/MalDoc-D
by Marianna Schmudlach / February 27, 2008 11:55 PM PST
Troj/Riler-AB
by Marianna Schmudlach / February 27, 2008 11:56 PM PST
Troj/MalDoc-E
by Marianna Schmudlach / February 27, 2008 11:57 PM PST
W32/SillyFDC-BZ
by Marianna Schmudlach / February 27, 2008 11:58 PM PST
Troj/Jetdrop-B
by Marianna Schmudlach / February 28, 2008 12:00 AM PST
Troj/BHO-EX
by Marianna Schmudlach / February 28, 2008 12:01 AM PST
WinCE/Infojack
by Marianna Schmudlach / February 28, 2008 12:02 AM PST

Reported:
2008-02-28

Description:
WinCE/InfoJack is malware that steals information on the device and sends it to a web site. It also disables a security setting, allowing unsigned applications to be installed without a warning. Aliases: WinCE/Infomeiti (Symantec)

http://vil.nai.com/vil/content/v_144191.htm

Troj/Proxy-IG
by Marianna Schmudlach / February 28, 2008 12:03 AM PST
Mal/PHPShell-A
by Marianna Schmudlach / February 28, 2008 12:05 AM PST
Mal/Behav-196
by Marianna Schmudlach / February 28, 2008 12:06 AM PST
JS/Dload-BP
by Marianna Schmudlach / February 28, 2008 12:07 AM PST
JS/Psyme-HO
by Marianna Schmudlach / February 28, 2008 12:09 AM PST
Trojan-Downloader:W32/Injecter.GX
by Marianna Schmudlach / February 28, 2008 12:11 AM PST
Backdoor:W32/PoisonIvy
by Marianna Schmudlach / February 28, 2008 12:13 AM PST
Linux, FreeBSD and Mac (!) bot
by Marianna Schmudlach / February 28, 2008 12:56 AM PST

Published: 2008-02-28,
Last Updated: 2008-02-28 09:31:30 UTC
by Bojan Zdrnja (Version: 1)
Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc).

After initial analysis I found out that it's nothing special: just a port of a well known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though, since it compiles out of the box on FreeBSD and Linux anyway.

The bot did all the standard stuff: it had a couple of "owners" defined, comments in Portuguese, and connected to Undernet, the IRC network that a lot of attackers like.

More: http://isc.sans.org/

Adware.XPantivirus.A
by Marianna Schmudlach / February 28, 2008 12:58 AM PST

Discovered: 2008 Feb 28

SYMPTOMS:

An application that pretends to scan your computer for viruses. The name of the window is "XP Antivirus" followed by its version.

An icon in the taskbar to the "XP Antivirus" application.

TECHNICAL DESCRIPTION:

This application is a standard rogue antivirus.

http://www.bitdefender.com/VIRUS-1000255-en--Adware.XPantivirus.A.html

Trojan.FakeAlert.PP
by Marianna Schmudlach / February 28, 2008 1:00 AM PST

Discovered: 2008 Feb 28

TECHNICAL DESCRIPTION:

This malware warns you about fake infections in your computer and requests a scan with the rogue antivirus "XP Antivirus". You can see the description of that unwanted program here: http://www.bitdefender.com/VIRUS-1000255-en--Adware.XPantivirus.A.html

Then it downloads an installer from the product's website (http://xpantivirus.com).
It installs the fake antivirus product in your system with the following path: "%program files%\XPAntivirus\xpa.exe"

http://www.bitdefender.com/VIRUS-1000257-en--Trojan.FakeAlert.PP.html

W32/Sdbot-DKB
by Marianna Schmudlach / February 28, 2008 1:27 AM PST
Troj/DwnLdr-HBL
by Marianna Schmudlach / February 28, 2008 1:58 AM PST
Mal/EncPk-CP
by Marianna Schmudlach / February 28, 2008 1:59 AM PST
Mal/Behav-199
by Marianna Schmudlach / February 28, 2008 2:01 AM PST
Malware removes rival rootkits
by Marianna Schmudlach / February 28, 2008 3:40 AM PST

By John Leyden

28 Feb 2008

Worm wars get stealthy

Miscreants have created a strain of malware capable of removing rootkits from compromised PCs, only to install almost undetectable backdoor code of its own.

The Pandex Trojan stops previously installed rootkits from working by removing their hooks into system calls. Pandex then installs its own rootkit component, detected by Trend Micro as Pushu-AC.

Rootkits are a type of malware that hide their presence on infected PCs, making them more dangerous than typical viruses. By operating below the level of traditional malware scanning tools, rootkits are able to carry out covert functions, for example keystroke-logging, without detection.

More: http://www.channelregister.co.uk/2008/02/28/rootkit_wars/

Arsenal Fan Site Compromised, Serves Malware
by Marianna Schmudlach / February 28, 2008 3:45 AM PST

February 28th, 2008 by Jovi Umawing
Sports fan sites being compromised by malicious authors is not unheard of. We've seen it happen to a Jets fan site in early January this year, and we're seeing it again in another fan site, this time of Arsenal, a popular English soccer team.

The compromised Web site in this case is Onlinegooner.com, which was reported by ScanSafe OI to be "maliciously active." STAT confirmed that the fan site had been injected with malicious code, which led to the download of malware from the following IP addresses:

61(dot)19(dot)246(dot)58
202(dot)83(dot)212(dot)250
89(dot)107(dot)104(dot)30
It was observed that the aforementioned addresses were hosted from several parts of the globe, like Thailand, Hong Kong, and Russia. The downloaded malware was found to contain rootkit, keylogging, backdoor, ARP poisoning, and DNS spoofing capabilities, all of which are, admittedly, pretty sophisticated features for a malware.

More: http://blog.trendmicro.com/

Troj/Agent-GQS
by Marianna Schmudlach / February 28, 2008 4:37 AM PST