VIRUS \ Spyware ALERTS - January 2, 2009

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsaxi.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/Ezio-I is a Trojan for the Windows platform.

Troj/Ezio-I includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Ezio-I copies itself to:

<Application Data>\Microsoft\logman.exe
<Application Data>\Microsoft\mstsc.exe
<Windows>\ieudinit.exe
<System>\dllhst3g.exe

The following registry entry is created to run ieudinit.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
IEudinit
<Windows>\ieudinit.exe /waitservice

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Logman
<Application Data>\Microsoft\logman.exe /waitservice


http://www.sophos.com/security/analyses/viruses-and-spyware/trojezioi.html?_log_from=rss

Category Viruses and Spyware

Type Worm

W32/Waled-Gen is a worm for the Windows platform.

W32/Waled-Gen includes functionality to access the internet and communicate with a remote server via HTTP and send itself out using built-in SMTP client.


http://www.sophos.com/security/analyses/viruses-and-spyware/w32waledgen.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/Qhost-AC is a Trojan for the Windows platform.

When run Troj/Qhost-AC attempts to modify the HOSTS file to prevent access to P2P websites.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojqhostac.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpushdoab.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirja.html?_log_from=rss

Category Viruses and Spyware

Type Malicious Behavior

Mal/Conficker-A is a worm for the Windows platform.

Mal/Conficker-A spreads over the network by exploiting the MS08-067 Windows server service vulnerability.

Mal/Conficker-A will attempt to copy itself to the following location:

<System&gt<random letters>.dll

http://www.sophos.com/security/analyses/viruses-and-spyware/malconfickera.html?_log_from=rss

Panda Security's weekly report on viruses and intruders -

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week, the PandaLabs report looks at the backdoor Trojan Emogen.B,
the SystemSecurity adware and the Gafermus.A Trojan.

Emogen.B is a backdoor Trojan that connects to a server and lets
attackers take control of the targeted computer remotely. They will then
be able to monitor system activities and take actions such as
downloading malware, stealing user information, controlling the Command
Prompt window remotely and even starting a chat session with the
infected user.

See an image of the Emogen.B console here:
http://www.flickr.com/photos/panda_security/3128211878/

This backdoor Trojan cannot spread automatically, but uses the usual
means of propagation: P2P networks, physical devices such as CDs or
floppy disks, Internet downloads or FTP file transfers.

SystemSecurity is a fake antivirus-type adware that displays a false
infection report to trick users. If the user clicks the button to
disinfect the computer, it displays a page asking for a fee. (Image
here: http://www.flickr.com/photos/panda_security/3159368914/).

"This type of fraud has become quite popular lately. Malware like this
shows the real financial motivation behind malicious code. Cyber-crooks
will turn to anything to profit from infected users", explains Luis
Corrons, Technical Director of PandaLabs.

Finally in this week's report, we mention Gafermus.A, a Trojan that
tries to connect to certain Web pages to download other malware. Then,
it makes several copies of itself on the infected system using random
names from the Windows services. It cannot spread automatically using
its own means but requires user intervention.

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealejx.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbdooramv.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/Agent-IMX is a proxy Trojan for the Windows platform.


http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentimx.html?_log_from=rss

Name : Worm:W32/Downadup.AL
Detection Names : Worm:W32/Downadup.AL
Worm:W32/Downadup.AL

Aliases : Mal/Conficker-A (Sophos)
W32/Conficker.worm.gen.b (Symantec)
Worm:Win32/Conficker.B (Microsoft)

Type: Worm
Category: Malware
Platform: W32


Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.


http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

Type Virus SubType Worm

http://vil.mcafeesecurity.com/vil/content/v_148588.htm

No P2P For You!

2 January 2009

The large P2P file sharing community has always been the bane of the music and movie industries due to piracy.

As a result, I could not help but have a little chuckle coming across this particular Trojan - Troj/Qhost-AC.

Rather than surreptitiously redirecting banking websites (as some banking Trojans are known to do), this Trojan attempts to stop the user from accessing popular P2P websites by modifying the HOSTS file.

More: http://www.sophos.com/security/blog/2009/01/2565.html

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealejx.html?_log_from=rss

Aliases Trojan-PSW.Win32.Tibia.ag

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojtibiagen.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojspybj.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/JSRedir-F is a Trojan the redirects web users to a Fake Anti-Virus site.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojjsredirf.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavhy.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealekj.html?_log_from=rss

Aliases TROJ_AGENT.XNW

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojclickerfe.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbuchongen.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentimz.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/Agent-IMY is a Trojan for the Windows platform.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentimy.html?_log_from=rss

Discovered: January 2, 2009
Updated: January 2, 2009 8:36:55 PM
Type: Trojan, Virus

Bloodhound.Exploit.221 is a heuristic detection for files which exploit Microsoft Word RTF Polyline/Polygon Integer Overflow Vulnerability (BID 32579).

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-010220-0214-99

Discovered: January 2, 2009
Updated: January 2, 2009 8:39:14 PM
Type: Trojan, Virus

Bloodhound.Exploit.222 is a heuristic detection for files which exploit Microsoft Word RTF Multiple Drawing Object Tags Remote Code Execution Vulnerability (BID 32585).

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-010220-0835-99

Discovered: January 2, 2009
Updated: January 2, 2009 8:40:37 PM
Type: Trojan, Virus

Bloodhound.Exploit.223 is a heuristic detection for files which exploit Microsoft Word RTF Malformed Control Word Variant 2 Remote Code Execution Vulnerability (BID 32642).


http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-010220-1432-99

Category Viruses and Spyware

Type Worm

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunsx.html?_log_from=rss

Category Viruses and Spyware

Type Worm

W32/AutoRun-SW is a worm for the Windows platform.

When first run W32/AutoRun-SW copies itself to <System>\XP-078F2E4E.EXE and creates the following files:

<System>\RegEx.fne
<System>\com.run
<System>\dp1.fne
<System>\eAPI.fne
<System>\internet.fne
<System>\krnln.fnr
<System>\shell.fne
<System>\spec.fne
<System>\ul.dll
<System>\og.dll
<System>\og.edt
<Temp>\e_4\RegEx.fne
<Temp>\e_4\com.run
<Temp>\e_4\dp1.fne
<Temp>\e_4\eAPI.fne
<Temp>\e_4\internet.fne
<Temp>\e_4\krnln.fnr
<Temp>\e_4\shell.fne
<Temp>\e_4\spec.fne

The files com.run, dp1.fne, internet.fne, krnln.fnr and shell.fne are detected as W32/AutoRun-MO and the file eAPI.fne is detected as Mal/Behav-027.

The files ul.dll, og.dll and og.edt are data files and can be safely removed.

All other files are detected as W32/AutoRun-SW.


More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunsw.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdnschanme.html?_log_from=rss