VIRUS \ Spyware ALERTS - January 16, 2009

by Marianna Schmudlach / January 15, 2009 10:39 AM PST

W32/Poebot-NC

Aliases: Net-Worm.Win32.Kolabc.ewm, Backdoor:Win32/Poebot.gen
Category: Viruses and Spyware
Type: Worm

W32/Poebot-NC spreads
- to computers vulnerable to common exploits, including: LSASS (MS04-011), SRVSVC (MS06-040), RPC-DCOM (MS04-012) and PNP (MS05-039)
- to network shares

W32/Poebot-NC copies itself to <System>\winamp.exe and creates the registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winamp Agent
<System>\winamp.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32poebotnc.html

Troj/Inject-DS
by Marianna Schmudlach / January 15, 2009 10:40 AM PST

Troj/Dloadr-CEX
by Marianna Schmudlach / January 15, 2009 10:41 AM PST

Troj/BHO-JF
by Marianna Schmudlach / January 15, 2009 10:42 AM PST

Troj/Bckdr-QRE
by Marianna Schmudlach / January 15, 2009 10:43 AM PST

Troj/Small-EJI
by Marianna Schmudlach / January 15, 2009 2:06 PM PST

Troj/FakeVir-JM
by Marianna Schmudlach / January 15, 2009 2:09 PM PST

Troj/Fakevir-JL
by Marianna Schmudlach / January 15, 2009 2:11 PM PST

Troj/Dwnldr-HNG
by Marianna Schmudlach / January 15, 2009 2:14 PM PST

Troj/Agent-IQH
by Marianna Schmudlach / January 15, 2009 2:16 PM PST

Troj/Agent-IQG
by Marianna Schmudlach / January 15, 2009 2:17 PM PST

Mal/EncPk-FO
by Marianna Schmudlach / January 15, 2009 2:18 PM PST

Trojan:W32/Vundo.HD
by Marianna Schmudlach / January 15, 2009 2:20 PM PST

Name: Trojan:W32/Vundo.HD
Detection Names: agent.bbko, zhelatin.ain
Aliases: dx trojan (McAfee), Fakeinit (Microsoft)

Type: Trojan
Category: Malware
Platform: W32

Summary
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.

http://www.f-secure.com/v-descs/trojan_w32_vundo_hd.shtml

Troj/SilBan-F
by Marianna Schmudlach / January 15, 2009 11:59 PM PST

Troj/PWS-AYE
by Marianna Schmudlach / January 16, 2009 12:00 AM PST

Troj/Mdrop-BXZ
by Marianna Schmudlach / January 16, 2009 12:01 AM PST

Troj/BHO-JG
by Marianna Schmudlach / January 16, 2009 12:02 AM PST

Troj/Rustock-A
by Marianna Schmudlach / January 16, 2009 12:03 AM PST

Aliases: Win32/Rustock.NEL, Rootkit.Win32.KernelBot.ac
Category: Viruses and Spyware
Type: Trojan

Troj/Rustock-A is a Trojan for the Windows platform.

Troj/Rustock-A includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Rustock-A is installed it creates the file <Windows>\widuxngq.sys.

The file widuxngq.sys is detected as Mal/Generic-A.

The file widuxngq.sys is registered as a new system driver service named "widuxngq". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\widuxngq

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrustocka.html

Troj/PhishKit-A
by Marianna Schmudlach / January 16, 2009 12:04 AM PST

Troj/Agent-IQI
by Marianna Schmudlach / January 16, 2009 12:05 AM PST

Mal/FakeAV-N
by Marianna Schmudlach / January 16, 2009 12:06 AM PST

Mal/EncPk-FY
by Marianna Schmudlach / January 16, 2009 12:08 AM PST

Mal/EncPk-FU
by Marianna Schmudlach / January 16, 2009 12:08 AM PST

Next-gen botnet armies fill spam void
by Marianna Schmudlach / January 16, 2009 12:34 AM PST

Out with the old, in with the new

By Dan Goodin in San Francisco

The demise late last year of four of the world's biggest spam botnets was good news for anyone with an email inbox, as spam levels were cut in half - almost overnight. But the vacuum has created opportunities for a new breed of bots, some of which could be much tougher to bring down, several security experts are warning.

New botnets with names like Waledac and Xarvester are filling the void left by the dismantling of Storm and the impairment of Bobax, Rustock, and Srizbi, these researchers say. The new breed of botnets - massive networks of infected Windows machines that spammers use to blast out billions of junk messages - sport some new designs that may make them more immune to current take-down tactics.

Waledac is a good example. It appears to be a complete revision of Storm that includes the same state-of-the-art peer-to-peer technology and fast-flux hosting found in its predecessor, according to researcher Joe Stewart of Atlanta-based security provider SecureWorks. But it differs from Storm in one significant way: weak encryption protocols, which proved to be an Achilles heel that led to its downfall, have been completely revamped.

More: http://www.theregister.co.uk/2009/01/14/botnets_of_2009/

Calculating the Size of the Downadup Outbreak
by Marianna Schmudlach / January 16, 2009 12:36 AM PST

Friday, January 16, 2009

The number of Downadup infections is skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing.

We've received a number of queries on just how exactly we're producing our estimates.

More: http://www.f-secure.com/weblog/

Trojan:JS/Agent.JP
by Marianna Schmudlach / January 16, 2009 12:47 AM PST

Name: Trojan:JS/Agent.JP
Detection Names: WORM:VBS/Autorun.Bl

Type: Trojan
Category: Malware
Platform: JS

Summary
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.

More: http://www.f-secure.com/v-descs/trojan_js_agent_jp.shtml

TROJ_KILLAV.KAX
by Marianna Schmudlach / January 16, 2009 12:52 AM PST

Malware type: Trojan

Malware Overview

This Trojan may be downloaded from remote sites by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

Upon execution, it drops copies of itself. It creates registry entries to enable its automatic execution at every system startup. It modifies registry entries to hide files with both System and Read-only attributes. It creates registry key(s)/entry(ies) as part of its installation routine.

It connects to a Web site to download a text file. The said text file contains a link to a malicious Web site that downloads and executes a file that Trend Micro detects as TROJ_DLOADER.VKH. As a result, malicious routines of the downloaded files are exhibited on the affected system. It also creates mutex(es) to ensure that only one instance of itself is running in memory.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FKILLAV%2EKAX

TROJ_BANKER.GDK
by Marianna Schmudlach / January 16, 2009 12:53 AM PST

Malware type: Trojan

Malware Overview

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops several files on the affected system, including a copy of itself. It also modifies the Windows registry so that it will run at every system startup.

It monitors the Internet Explorer activities of the affected system, specifically the address and title bars. It recreates a legitimate Web site with a spoofed login page if a user visits banking sites.

The said routine tricks the user into giving out sensitive account-related information. This Trojan logs keystrokes entered by the user in the user name and password fields of the spoofed login page.

It sends any stolen data to a specified e-mail address using its own Simple Mail Transfer Protocol (SMTP) engine.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FBANKER%2EGDK

W32/Socks-C
by Marianna Schmudlach / January 16, 2009 1:29 AM PST

Category: Viruses and Spyware
Type: Worm

W32/Socks-C allows a remote intruder to gain access and control over the computer.

W32/Socks-C includes functionality to access the internet and communicate with a remote server via HTTP.

When W32/Socks-C is installed the following files are created:

<User>\cftmon.exe
<User>\ftp33.dll
<System>\drivers\spools.exe
<System>\ftp33.dll

The files <System>\ftp33.dll and <User>\ftp33.dll are detected as Troj/Drop-O.

The following registry entries are created to run cftmon.exe and spools.exe on startup:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32socksc.html
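The Poebot-NC, Rustock-A and Socks-C write-ups above each name a registry persistence point (a Run value, a driver service) and the file it launches. As an added example, not part of the forum post or the vendor descriptions, this Python script parses `reg query <key> /s` style output and flags those artifacts; the sample output is constructed, and the indicator table uses only the key, value and file names quoted on this page.

```python
import re

# Constructed sample of `reg query <key> /s` output (made up for this example, not
# quoted from the page), with benign entries beside the artifacts described above.
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_SZ    C:\Windows\System32\SecurityHealthSystray.exe
    Winamp Agent    REG_SZ    C:\Windows\System32\winamp.exe
    ctfmon    REG_SZ    C:\Documents and Settings\user\cftmon.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\widuxngq
    ImagePath    REG_EXPAND_SZ    \??\C:\Windows\widuxngq.sys
"""

# (family, key suffix, value name or None for any, image file name) from the Sophos
# write-ups above; <System>/<Windows> vary per host, so only the file name is compared.
INDICATORS = [
    ("W32/Poebot-NC", r"\CurrentVersion\Run", "Winamp Agent", "winamp.exe"),
    ("Troj/Rustock-A", r"\Services\widuxngq", "ImagePath", "widuxngq.sys"),
    ("W32/Socks-C", r"\CurrentVersion\Run", None, "cftmon.exe"),
    ("W32/Socks-C", r"\CurrentVersion\Run", None, "spools.exe"),
]

# "    <value name>    REG_<type>    <data>" as printed by reg query
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Turn reg query output into (key, value_name, data) triples."""
    triples, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            triples.append((key, m.group(1), m.group(3).strip()))
    return triples


def image_name(data):
    """File name of a Run/ImagePath value, ignoring quotes and the \\??\\ prefix."""
    return data.strip().strip('"').replace("\\??\\", "").rsplit("\\", 1)[-1].lower()


def find_persistence(text):
    """Return (family, key, value_name, data) for every indicator that matches."""
    hits = []
    for key, name, data in parse_reg_query(text):
        for family, suffix, value_name, image in INDICATORS:
            key_ok = key.lower().endswith(suffix.lower())
            name_ok = value_name is None or name.lower() == value_name.lower()
            if key_ok and name_ok and image_name(data) == image:
                hits.append((family, key, name, data))
    return hits
```

Calling `find_persistence(SAMPLE_REG)` on the constructed output returns three hits, one per family; the benign SecurityHealth entry is left alone because both its value name and its file name differ from everything in the table.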

W32/Confick-D
by Marianna Schmudlach / January 16, 2009 1:30 AM PST

Category: Viruses and Spyware
Type: Worm
How it spreads: Removable storage devices, Network shares
Affected operating systems: Windows
Characteristics: Installs itself in the registry

W32/Confick-D spreads through Windows file shares protected with weak passwords, by copying itself to removable devices and by exploiting the MS08-067 Windows Server service vulnerability.

W32/Confick-D is a member of the Conficker family of worms. For a detailed description of the behavior of these worms please refer to the information for Mal/Conficker-A.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32confickd.html

W32/Confick-A
by Marianna Schmudlach / January 16, 2009 1:31 AM PST

Aliases: Worm:Win32/Conficker.A, W32/Conficker.worm, Trojan-Downloader.Win32.Agent.aqfw
Category: Viruses and Spyware
Type: Worm

W32/Confick-A is a worm which spreads by exploiting the MS08-067 Windows Server service vulnerability.

W32/Confick-A is a member of the Conficker family of worms. For a detailed description of the behavior of these worms please refer to the information for Mal/Conficker-A.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32conficka.html
