Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - January 21, 2010

by Marianna Schmudlach / January 20, 2010 10:45 PM PST
Mal/Nyrate-A
by Marianna Schmudlach / January 20, 2010 10:46 PM PST

Category

* Viruses and Spyware

Type

* Malicious Behavior


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


Mal/Nyrate-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run Mal/Nyrate-A copies itself to <System>\wmisftl.exe.

The following registry entry is changed to run wmisftl.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
Debugger
wmisftl.exe

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
(Default)
<no value>

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
(Default)
<no value>

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
(Default)
<no value>

More: http://www.sophos.com/security/analyses/viruses-and-spyware/malnyratea.html?_log_from=rss

Troj/Capa-Gen
by Marianna Schmudlach / January 20, 2010 10:48 PM PST
Troj/Agent-MGB
by Marianna Schmudlach / January 20, 2010 10:49 PM PST
W32/Autorun-AYN
by Marianna Schmudlach / January 20, 2010 10:50 PM PST

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices

Affected operating systems: Windows
Characteristics

* Installs itself in the registry

Protection available since 21 January 2010 00:05:48 (GMT)

W32/Autorun-AYN is a worm for the Windows platform.

W32/Autorun-AYN spreads via removable storage devices.

W32/Autorun-AYN communicates via SSH with the following locations:

afvkebt .com

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunayn.html?_log_from=rss

Troj/VBECS-Gen
by Marianna Schmudlach / January 20, 2010 10:51 PM PST
Troj/Rootkit-HV
by Marianna Schmudlach / January 20, 2010 10:52 PM PST
Troj/FakeAV-AQY
by Marianna Schmudlach / January 20, 2010 10:52 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Protection available since 21 January 2010 00:05:48 (GMT)

Troj/FakeAV-AQY is a Trojan for the Windows platform.

Troj/FakeAV-AQY includes functionality to:

- run automatically
- access the internet and communicate with a remote server via HTTP

Troj/FakeAV-AQY communicates via HTTP with the following locations:

windows-antivirus . net
193 . 104 . 110 . 181


When Troj/FakeAV-AQY is installed it creates the file <User>\Local Settings\Application Data\<random letters>\<random letters>sysguard.exe.

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer
Download
CheckExeSignatures

HKCU\Software\Microsoft\Internet Explorer
Download
RunInvalidSignatures

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
Associations
LowRiskFileTypes

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
Attachments
SaveZoneInformation

Registry entries are created under:

HKCU\Software\AvScan

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavaqy.html?_log_from=rss

Mal/Sality-B
by Marianna Schmudlach / January 20, 2010 10:53 PM PST
Troj/PWS-BGN
by Marianna Schmudlach / January 20, 2010 10:54 PM PST
Troj/BankDL-DZ
by Marianna Schmudlach / January 20, 2010 10:55 PM PST
Suspicious.MLApp
by Marianna Schmudlach / January 20, 2010 10:56 PM PST

Discovered: January 20, 2010
Updated: January 20, 2010 11:53:34 PM
Type: Misleading Application
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Suspicious.MLApp is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-012023-3422-99

Packed.Generic.279
by Marianna Schmudlach / January 20, 2010 10:57 PM PST

Discovered: January 21, 2010
Updated: January 21, 2010 11:04:37 AM
Type: Trojan, Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Packed.Generic.279 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from antivirus software.

This heuristic detection is used to detect threats associated with multiple threat families.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-012111-0437-99

JS_ELECOM.C
by Marianna Schmudlach / January 20, 2010 10:58 PM PST

Trend Micro has identified new malware samples that exploit the still-unpatched Internet Explorer (IE) vulnerability. These samples have been detected as JS_ELECOM.C and HTML_COMLE.CXC.

Further analysis by TrendLabs threat experts found that the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent and still ongoing attacks targeting major organizations like Google and Adobe.

In line with this, Microsoft announced that it will release an out-of-band security update to fix the issue. It is highly advised that users immediately download the security patch once released.

Trend Micro™ Smart Protection Network™ protects users from this type of attack by preventing the download of all the detected malicious files and by blocking user access to malicious sites.

Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters.

More: http://blog.trendmicro.com/

SASFIS Trojan variants
by Marianna Schmudlach / January 20, 2010 10:59 PM PST

The number of systems infected by various SASFIS Trojan variants has been increasing since the end of 2009, affecting networks across the globe. SASFIS variants have recently been spotted in relation to spoofed messages supposedly from Facebook.

SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from Zeus and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.

More: http://blog.trendmicro.com/

TSPY_ZBOT.SMAP
by Marianna Schmudlach / January 20, 2010 11:00 PM PST

Trend Micro fraud analysts recently came across spammed messages targeting customers of the Fifth Third Bank. The messages urged recipients to log in to a temporary link, http://www.53.com.{BLOCKED}.com.pl/wpserver/cmportal/cblogin.php?session=667882698791972326077742654898739&email=p2t2all@tacobell.com, in order to download and install a digital certificate that would supposedly reinforce the bank's security. Clicking the link, however, led users to a phishing page that prompts them to key in their user names and passwords. This, as you all probably know by now, is a typical tactic to trick users into giving out their personal credentials, which can then be used for further malicious activities or sold in underground forums.

After signing in, users will see a prompt to download the said digital certificate, certificate.exe, which is actually a malicious file Trend Micro has detected as TSPY_ZBOT.SMAP, which is capable of stealing personal credentials via key logging. The stolen data, mostly banking-related information, are then sent to a couple of URLs via HTTP POST. It also has the capability to stop firewall-related processes to mask its malicious activities.

More: http://blog.trendmicro.com/

Trojan:Win32/Alureon.BK
by Marianna Schmudlach / January 20, 2010 11:02 PM PST

Aliases
Rootkit.Win32.TDSS.pqo (Kaspersky)
Trojan.TDss.BG (BitDefender)
Win32/Kryptik.FZ (ESET)
DNSChanger.gen (McAfee)
Trj/Agent.LOY (Panda)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.71.2485.0
Released: Jan 20, 2010

Summary
Trojan:Win32/Alureon.BK is a component of Win32/Alureon, a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.

Symptoms
System Changes

The following system changes may indicate the presence of this malware:
The presence of the following folders:
%ProgramFiles%\hdextrem
<Start Menu>\programs\hdextrem
The presence of the following registry keys:
HKCR\videoshow
HKCU\HDExtremeSoft
HKCU\HDExtrem

More: https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Alureon.BK&ThreatID=-2147344583

Trojan:Win32/Boaxxe.B
by Marianna Schmudlach / January 20, 2010 11:03 PM PST

Aliases
Trojan.Bzub-309 (BitDefender)
W32/Downldr2.AJBB (Authentium (Command))
Win32/Kvol.H (CA)
Trojan.Downloader-16839 (Clam AV)
Trojan-Downloader.Win32.Delf.dbo (Kaspersky)
Downloader.gen.a (McAfee)
W32/Delf.BCCW (Norman)
Trojan Horse (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.71.2485.0
Released: Jan 20, 2010

Summary
Trojan:Win32/Boaxxe.B is a Trojan that installs itself as a Browser Helper Object and may contact remote sites related to rogue anti-spyware applications.


More: https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Boaxxe.B&ThreatID=-2147369132

Trojan:Win32/Busky.EM
by Marianna Schmudlach / January 20, 2010 11:03 PM PST

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.71.2485.0
Released: Jan 20, 2010

Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

More details are available in the Family description of Win32/Busky


https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Busky.EM&ThreatID=-2147355284

Backdoor:MSIL/Cosgand.A
by Marianna Schmudlach / January 20, 2010 11:04 PM PST

Encyclopedia entry
Published: Jan 21, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.2485.0
Released: Jan 20, 2010


Summary
This threat is classified as a Trojan - Backdoor. A backdoor trojan provides remote, usually surreptitious, access to affected systems. A backdoor trojan may be used to conduct distributed denial of service (DDoS) attacks, or it may be used to install additional trojans or other forms of malicious software. For example, a backdoor trojan may be used to install a downloader or dropper trojan, which may in turn install a proxy trojan used to relay spam or a keylogger trojan which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

More: https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:MSIL/Cosgand.A&ThreatID=-2147336322

Trojan:MSIL/Cosgand.A
by Marianna Schmudlach / January 20, 2010 11:05 PM PST

Encyclopedia entry
Published: Jan 21, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.2485.0
Released: Jan 20, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:MSIL/Cosgand.A&ThreatID=-2147336320

Backdoor:MSIL/Cosgand.B
by Marianna Schmudlach / January 20, 2010 11:06 PM PST

Encyclopedia entry
Published: Jan 21, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.2485.0
Released: Jan 20, 2010


Summary
This threat is classified as a Trojan - Backdoor. A backdoor trojan provides remote, usually surreptitious, access to affected systems. A backdoor trojan may be used to conduct distributed denial of service (DDoS) attacks, or it may be used to install additional trojans or other forms of malicious software. For example, a backdoor trojan may be used to install a downloader or dropper trojan, which may in turn install a proxy trojan used to relay spam or a keylogger trojan which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:MSIL/Cosgand.B&ThreatID=-2147336321

Trojan:MSIL/Cosgand.B
by Marianna Schmudlach / January 20, 2010 11:06 PM PST

Encyclopedia entry
Published: Jan 21, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.2485.0
Released: Jan 20, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.


https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:MSIL/Cosgand.B&ThreatID=-2147336319

Trojan:MSIL/Cosgand.C
by Marianna Schmudlach / January 20, 2010 11:07 PM PST

Encyclopedia entry
Published: Jan 21, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.2485.0
Released: Jan 20, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:MSIL/Cosgand.C&ThreatID=-2147336318

Backdoor:Win32/Delf.KH
by Marianna Schmudlach / January 20, 2010 11:08 PM PST

Encyclopedia entry
Published: Jan 21, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.2485.0
Released: Jan 20, 2010


Summary
This threat is classified as a Trojan - Backdoor. A backdoor trojan provides remote, usually surreptitious, access to affected systems. A backdoor trojan may be used to conduct distributed denial of service (DDoS) attacks, or it may be used to install additional trojans or other forms of malicious software. For example, a backdoor trojan may be used to install a downloader or dropper trojan, which may in turn install a proxy trojan used to relay spam or a keylogger trojan which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Delf.KH&ThreatID=-2147336326

Trojan:Win32/Dogrobot.E
by Marianna Schmudlach / January 20, 2010 11:08 PM PST
TrojanSpy:Win32/Hitpop.AM
by Marianna Schmudlach / January 20, 2010 11:09 PM PST

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.71.2485.0
Released: Jan 20, 2010

Summary
This threat is classified as a Trojan - Data Theft. A data theft trojan gathers personal data, often of a financial nature, from affected systems. Collected data may include credit card numbers, tax returns, login credentials or any other information deemed to be of interest to the attacker. The collected data is then surreptitiously sent to the remote attacker via a variety of electronic means. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.


https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy:Win32/Hitpop.AM&ThreatID=-2147343689

TrojanDownloader:Win32/Loah
by Marianna Schmudlach / January 20, 2010 11:10 PM PST

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.71.2485.0
Released: Jan 20, 2010

Summary
This threat is classified as a Trojan - Downloader. A downloader trojan accesses remote websites in an attempt to download and install malicious or potentially unwanted software. Some downloader trojans target specific files on remote websites while others may target a specific URL that points to a website containing exploit code that may allow the site to automatically download and install software or malicious code on vulnerable systems. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Loah&ThreatID=-2147368783

Worm:Win32/Prolaco.gen!C
by Marianna Schmudlach / January 20, 2010 11:11 PM PST

Aliases
Trojan.Win32.Buzus.apot (Kaspersky)
W32/Buzus.LGC (Norman)
W32/Autorun-ABH (Sophos)
Win32/Merond.G (ESET)
Win32/Fruspam.S (CA)
IRC/Flood.dr (McAfee)
W32.Ackantta.B@mm (Symantec)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.71.2485.0
Released: Jan 20, 2010

Summary
Worm:Win32/Prolaco.gen!C is a worm that spreads via e-mail, removable drives and Peer-to-Peer file sharing networks. This worm also lowers security settings and installs Win32/Vundo.
Win32/Vundo is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. They may also download and execute arbitrary files.


Symptoms
System Changes

The following system changes may indicate the presence of this malware:
The presence of the following files:
<system folder>\jucshed.exe
<system folder>\javase11.exe
<system folder>\<random>.dll
The presence of the following registry modifications:
Adds value: "Sun Java Updater v7.11"
With data: "<system folder>\jucshed.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<system folder>\jucshed.exe"
With data: "<system folder>\jucshed.exe:*:enabled:explorer"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Prolaco.gen!C&ThreatID=-2147344945
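
Added example (not from the original posts or any vendor): a Python triage script that parses a Windows registry export (.reg text) for the registry indicators listed in three of the posts above: the Image File Execution Options "Debugger" entry for ctfmon.exe (Mal/Nyrate-A), the Internet Explorer Download values CheckExeSignatures and RunInvalidSignatures (Troj/FakeAV-AQY), and a Run-key autostart paired with a firewall exception for the same executable (Worm:Win32/Prolaco.gen!C). The sample export is constructed, and the "no" and 1 data for the IE values are assumed, since the post gives only the value names.

```python
"""Triage a .reg export for the Mal/Nyrate-A, Troj/FakeAV-AQY and Worm:Win32/Prolaco.gen!C indicators."""
import re

# Constructed sample export for this example; not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="wmisftl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sun Java Updater v7.11"="C:\\WINDOWS\\system32\\jucshed.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\jucshed.exe"="C:\\WINDOWS\\system32\\jucshed.exe:*:Enabled:explorer"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
"""
# .reg value lines: "name"=data or @=data (default value); strings are quoted, dwords are hex.
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Map each key path to {value name: data}; string and dword data only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := _VALUE.match(line)):
            name = '(Default)' if m.group(2) else _unescape(m.group(1))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            elif data.startswith('dword:'):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys

IFEO = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
FW_LIST = r'\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
IE_DOWNLOAD = r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download'

def find_indicators(keys):
    """Return one finding string per matched behaviour."""
    findings, exceptions, autostarts = [], set(), {}
    for path, values in keys.items():
        low = path.lower()
        # Nyrate-A: Windows starts the 'Debugger' value in place of the named program.
        if low.startswith(IFEO.lower() + '\\') and 'Debugger' in values:
            target = path.rsplit('\\', 1)[-1]
            findings.append(f'IFEO hijack: {target} -> {values["Debugger"]}')
        # FakeAV-AQY: IE no longer checks Authenticode signatures on downloaded executables.
        if low == IE_DOWNLOAD.lower():
            if str(values.get('CheckExeSignatures', '')).lower() == 'no':
                findings.append('IE CheckExeSignatures set to "no"')
            if values.get('RunInvalidSignatures') == 1:
                findings.append('IE RunInvalidSignatures enabled')
        # Prolaco: gather XP-style firewall exceptions ("path:*:Enabled:name") and Run autostarts.
        if low.endswith(FW_LIST.lower()):
            exceptions.update(n.lower() for n, d in values.items() if ':enabled:' in str(d).lower())
        if low.endswith(r'\currentversion\run'):
            autostarts.update((n, str(d)) for n, d in values.items())
    # An autostart whose executable also holds a firewall exception is the Prolaco pattern.
    for name, cmd in autostarts.items():
        if cmd.lower().strip('"') in exceptions:
            findings.append(f'autostart "{name}" has a matching firewall exception: {cmd}')
    return findings
```

Run `find_indicators(parse_reg(SAMPLE_REG))` to see the four findings; to triage a real host, export the hives with `reg export` and pass the file contents instead of SAMPLE_REG.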

Exploit:JS/ShellCode.Z
by Marianna Schmudlach / January 20, 2010 11:12 PM PST

Encyclopedia entry
Published: Jan 21, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.2485.0
Released: Jan 20, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

More details are available in the Family description of JS/ShellCode


https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:JS/ShellCode.Z&ThreatID=-2147336323

Trojan:BAT/Svguar.A
by Marianna Schmudlach / January 20, 2010 11:13 PM PST

Encyclopedia entry
Published: Jan 21, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.2485.0
Released: Jan 20, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.


https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:BAT/Svguar.A&ThreatID=-2147336325
