Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - January 28, 2010

by Marianna Schmudlach / January 27, 2010 11:08 PM PST
Troj/Agent-MHV
by Marianna Schmudlach / January 27, 2010 11:09 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Protection available since 28 January 2010 13:09:52 (GMT)

Troj/Agent-MHV is a Trojan for the Windows platform.

Troj/Agent-MHV includes functionality to:

- steal confidential information
- access the internet and communicate with a remote server via HTTP

When Troj/Agent-MHV is installed it creates the file <Root>\SERASA.exe.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentmhv.html?_log_from=rss

Troj/BDoor-AYO
by Marianna Schmudlach / January 27, 2010 11:10 PM PST

Troj/DwnLdr-IAS
by Marianna Schmudlach / January 27, 2010 11:10 PM PST

Troj/FakeAV-ASQ
by Marianna Schmudlach / January 27, 2010 11:11 PM PST

Troj/JSRedir-AK
by Marianna Schmudlach / January 27, 2010 11:12 PM PST

Troj/BredoZp-Q
by Marianna Schmudlach / January 27, 2010 11:12 PM PST

W32/Bredo-AI
by Marianna Schmudlach / January 27, 2010 11:13 PM PST

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Chat programs
* Peer-to-peer

Affected operating systems: Windows

Characteristics

* Installs itself in the registry

Protection available since 28 January 2010 06:14:00 (GMT)

W32/Bredo-AI is a worm for the Windows platform.

W32/Bredo-AI includes functionality to run automatically.

When W32/Bredo-AI is installed it creates the file <Windows>\taskhost.exe.

The following registry entry is created to run taskhost.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Host Process for Windows Tasks
taskhost.exe


http://www.sophos.com/security/analyses/viruses-and-spyware/w32bredoai.html?_log_from=rss

Mal/Behav-361
by Marianna Schmudlach / January 27, 2010 11:14 PM PST

Troj/BDoor-AYN
by Marianna Schmudlach / January 27, 2010 11:14 PM PST

Troj/FakeAV-ASU
by Marianna Schmudlach / January 27, 2010 11:16 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/FakeAV-ASU is a Trojan for the Windows platform.

Troj/FakeAV-ASU includes functionality to:

- run automatically
- access the internet and communicate with a remote server via HTTP

Troj/FakeAV-ASU communicates via HTTP with the following locations:

new-soft . net
laptopantivirus . net


When Troj/FakeAV-ASU is installed it creates the file <User>\Local Settings\Application Data\qpstgw\odbksysguard.exe.

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer
Download
CheckExeSignatures

HKCU\Software\Microsoft\Internet Explorer
Download
RunInvalidSignatures

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
Associations
LowRiskFileTypes

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
Attachments
SaveZoneInformation

Registry entries are created under:

HKCU\Software\AvScan

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavasu.html?_log_from=rss

Troj/FakeAV-AST
by Marianna Schmudlach / January 27, 2010 11:17 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Characteristics

* Installs itself in the registry
* Opens links to websites


Troj/FakeAV-AST is a Trojan for the Windows platform.

When Troj/FakeAV-AST is installed the following files are created:

<User>\Application Data\<NUMBERS>\<NUMBERS>.exe
<User>\Application Data\<NUMBERS>\<NUMBERS>.bat
<Start Menu\Programs>\Security Tool.lnk
<Desktop>\Security Tool.lnk

The following registry entries are created to run <NUMBERS>.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<NUMBERS>
<User>\Application Data\<NUMBERS>\<NUMBERS>.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MigrateProxy
0x00000001

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavast.html?_log_from=rss

Troj/Banker-EWA
by Marianna Schmudlach / January 27, 2010 11:18 PM PST

Troj/Agent-MHT
by Marianna Schmudlach / January 27, 2010 11:18 PM PST

Troj/Agent-MHS
by Marianna Schmudlach / January 27, 2010 11:19 PM PST

Aliases

* Generic Dropper.pe trojan

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/Agent-MHS is a Trojan for the Windows platform.

Troj/Agent-MHS includes functionality to run automatically.

When Troj/Agent-MHS is installed it creates the file <User>\Application Data\Adobe\Update\corwid.dat.

Registry entries are created under:

HKCU\Software\Adobe
HKCU\Software\AppDataLow

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentmhs.html?_log_from=rss

Troj/Agent-MHR
by Marianna Schmudlach / January 27, 2010 11:20 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/Agent-MHR is a Trojan for the Windows platform.

Troj/Agent-MHR includes functionality to run automatically.

When Troj/Agent-MHR is installed the following files are created:

<Windows>\admintxt.txt
<Windows>\livemessenger.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
system
DisableTaskMgr

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
system
DisableRegistrytools

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentmhr.html?_log_from=rss
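As an added example (not code from this thread or from Sophos), the following PowerShell performs a read-only audit of the registry locations named in the Troj/FakeAV-ASU, Troj/FakeAV-AST, W32/Bredo-AI and Troj/Agent-MHR write-ups above. The write-ups give the key paths but not the data written, so the values treated as suspicious are assumptions: the settings a rogue AV benefits from (IE signature checks off, unsigned downloads allowed, zone information dropped, Task Manager and regedit disabled) and Run entries matching the described file names.

```powershell
# Added example: read-only check of the registry keys listed in the Sophos
# write-ups above. Run it in the profile of the user being checked (HKCU
# is per-user). Threshold values are assumptions, not taken from the page.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-FakeAVRegistryTampering {
    $findings = @()
    # Troj/FakeAV-ASU: IE download checks and attachment policies
    $ieDl = 'HKCU:\Software\Microsoft\Internet Explorer\Download'
    if ((Get-RegValue $ieDl 'CheckExeSignatures') -eq 'no') {
        $findings += 'IE CheckExeSignatures = no (download signature check off)'
    }
    if ((Get-RegValue $ieDl 'RunInvalidSignatures') -eq 1) {
        $findings += 'IE RunInvalidSignatures = 1 (unsigned downloads allowed)'
    }
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    $lowRisk = Get-RegValue "$pol\Associations" 'LowRiskFileTypes'
    if ($lowRisk -and $lowRisk -match '\.exe|\.bat') {
        $findings += "LowRiskFileTypes marks executables low risk: $lowRisk"
    }
    if ((Get-RegValue "$pol\Attachments" 'SaveZoneInformation') -eq 1) {
        $findings += 'SaveZoneInformation = 1 (zone information not saved)'
    }
    # Troj/Agent-MHR: Task Manager / Registry Editor lockout
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ((Get-RegValue $sys $name) -eq 1) { $findings += "$name = 1 under $sys" }
    }
    # W32/Bredo-AI and Troj/FakeAV-AST: Run-key persistence. The page lists
    # HKLM only; HKCU is checked as well since the same technique applies.
    foreach ($hive in 'HKLM', 'HKCU') {
        $run = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $entries = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if (-not $entries) { continue }
        foreach ($p in $entries.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, ...
            $data = [string]$p.Value
            if ($data -match 'taskhost\.exe' -and $data -notmatch 'System32') {
                $findings += "$hive Run\$($p.Name) -> $data (taskhost.exe outside System32)"
            }
            if ($p.Name -match '^\d+$' -and $data -match 'Application Data') {
                $findings += "$hive Run\$($p.Name) -> $data (numeric Run entry in profile)"
            }
        }
    }
    return $findings
}

Test-FakeAVRegistryTampering
```

An empty result means none of the listed indicators is present; any line returned names the key, the value and why it matters so it can be reviewed before anything is changed.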

Mal/FakeAV-BZ
by Marianna Schmudlach / January 27, 2010 11:21 PM PST

Troj/VB-EMI
by Marianna Schmudlach / January 27, 2010 11:22 PM PST

HTTP FakeAV Redirect Request
by Marianna Schmudlach / January 27, 2010 11:23 PM PST

Yesterday we saw SEO poisoning attacks when searching for keywords such as "Apple Tablet". Now, after the product announcement has been made, we are seeing the same attack with the actual name of the product included in the search term.

Using search terms like "Apple Ipad rumor" or "Apple Ipad size" is likely to produce results from sites like youcanbesureforsafe.net, antyspywarescanblog.com, or mastersmegasecurity.net, ultimately compromising your computer with rogue security software.

More: http://www.symantec.com/connect/blogs/ipad-seo-poisoning-leads-rogue-security-software

W32.Ircbrute.B
by Marianna Schmudlach / January 27, 2010 11:24 PM PST

JS.SecurityToolFraud.C
by Marianna Schmudlach / January 27, 2010 11:24 PM PST

Discovered: January 27, 2010
Updated: January 28, 2010 8:31:54 AM
Type: Trojan
Infection Length: Between 90,000 and 92,000 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Solaris, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Linux, Windows 2000

JS.SecurityToolFraud.C is a heuristic detection for JavaScript files that attempt to trick users into downloading files that are detected by Symantec products as SecurityToolFraud.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-012807-0739-99

W32.Ackantta!gen
by Marianna Schmudlach / January 27, 2010 11:25 PM PST

TROJ_BANLOAD.JAE
by Marianna Schmudlach / January 27, 2010 11:26 PM PST

As rescue efforts continue in Haiti, the world waits with bated breath for more good news about survivors. Unfortunately, while most people are thinking of ways to help victims, cybercriminals are using the tragedy to further their own malicious causes. Blackhat search engine optimization (SEO) poisoning attacks related to this tragedy have already led to FAKEAV infections.

However, the most recent FAKEAV run appears to be only the start of more Haiti-related malware attacks. We recently received Portuguese spam samples purporting to be from the international news site, BBC. Translated to English, the spammed message describes the current situation in Haiti. It also attempts to convince recipients to click the link to the embedded video, which supposedly contains photos taken by an amateur photographer who witnessed the earthquake.

Upon clicking the link, however, users are redirected to a site where they are asked to save an .EXE file detected by Trend Micro as TROJ_BANLOAD.JAE. This Trojan connects to websites to download another malicious file detected as TSPY_BANKER.LMG.

More: http://blog.trendmicro.com/

TROJ_FAKEAV.EAM
by Marianna Schmudlach / January 27, 2010 11:27 PM PST

Even before the first user could buy the latest and upcoming Apple technology, the iPad, cybercriminals are already making profit from its popularity.

Trend Micro threat engineers today found some malicious search results while looking for information related to the announcement of the Apple tablet.

These poisoned search results turned out to be related to the never-ending blackhat search engine optimization (SEO) FAKEAV campaigns. When clicked, the search results lead to the download of a rogue antivirus software, which Trend Micro detects as TROJ_FAKEAV.EAM.

Since Apple announced when the iPad will be made available to consumers, it has been one of the hottest topics circulating the Web today. And cybercriminals are not just about to let this slide. With the growing user anticipation for this new product, it is most likely that many users will be victimized by the latest FAKEAV attack. Users are thus advised to be wary of malicious links and to instead go to reputable news sites to get the latest information about the iPad.

More: http://blog.trendmicro.com/

Win32/Warduncrypt!packed
by Marianna Schmudlach / January 27, 2010 11:28 PM PST

Date Published:
28 Jan 2010

Last Updated:
28 Jan 2010

Characteristics

Type : Trojan

Category : Win32

Description
Win32/Warduncrypt!packed is a heuristic detection that detects several fake or rogue antivirus programs. Should you have this detection reported on a file that you normally use, we highly recommend that you submit a sample of the affected file to CA Anti-Virus Research for analysis.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=81037

Win32/Fraud!packed
by Marianna Schmudlach / January 27, 2010 11:28 PM PST

Date Published:
28 Jan 2010

Last Updated:
28 Jan 2010

Characteristics

Type : Trojan

Category : Win32

Also known as: Win32/Adware.SecurityTool, Security Tool, Adware/SecurityTool, RogueAntiSpyware.SecurityTool, SecurityToolFraud


Description

Win32/Fraud!packed is a heuristic detection that detects several fake or rogue antivirus programs.

Should you have this detection reported on a file that you normally use, we highly recommend that you submit a sample of the affected file to CA Anti-Virus Research for analysis.

For detailed instructions on how to submit samples to CA, please see below.

More: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=81038

Win32/WindowsAntivirusPro!generic
by Marianna Schmudlach / January 27, 2010 11:29 PM PST

Date Published:
28 Jan 2010

Last Updated:
28 Jan 2010

Characteristics

Type : Trojan

Category : Win32

Also known as: Anti-Virus Pro, FraudTool.Win32.InternetAntivirusPro, WindowsAntivirusPro, RogueAntiSpyware.WindowsAntivirusPro


Description

Win32/WindowsAntivirusPro!generic is a heuristic detection that detects several fake or rogue antivirus programs.

Should you have this detection reported on a file that you normally use, we highly recommend that you submit a sample of the affected file to CA Anti-Virus Research for analysis.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=81039

Win32/InternetSecurity2010.U
by Marianna Schmudlach / January 27, 2010 11:30 PM PST

Date Published:
28 Jan 2010

Last Updated:
28 Jan 2010

Characteristics

Type : Trojan

Category : Win32

Also known as: Anti-Virus 2010, FraudTool.Win32.Antivirus2010, Adware/AntivirusPro2010, RogueAntiSpyware.InternetSecurity2010, Rogue:W32/InternetSecurity2010, InternetSecurity2010, Adware/ISecurity2010


Description

Win32/InternetSecurity2010.U is a detection that detects several fake or rogue antivirus programs.

Should you have this detection reported on a file that you normally use, we highly recommend that you submit a sample of the affected file to CA Anti-Virus Research for analysis.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=81040

WORM_ZIMUS.B
by Marianna Schmudlach / January 27, 2010 11:31 PM PST

Malware type: Worm

Aliases: No Alias Found

Malware Overview

This worm may be downloaded unknowingly by a user when visiting malicious Web sites.

It creates folders. It drops copies of itself. It drops files/components.

It registers itself as a system service to ensure its automatic execution at every system startup. It does this by creating registry keys/entries.

It creates registry key(s)/entry(ies). It deletes files. As a result, programs and applications may not run properly.

It drops copies of itself in specific drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZIMUS.B

Bredolab!a
by Marianna Schmudlach / January 27, 2010 11:32 PM PST

Type
Trojan

Overview -

Similar to other malware of this family, Bredolab!a shows a fake warning message, alarming the user that their machine is infected or at risk. The intention behind all the fake messages is to drive users to buy the advertised antispyware product.

File Properties

* MD5 : B2A9A3368A28DC013CCC8EB201DD764A
* SHA1 : 1B61D86702FE15927CF9B0048155A3D7D5E7CEB4
* File Size : 39,936 bytes

Aliases

* Kaspersky : Trojan-Downloader.Win32.Piker.brn
* Symantec :Trojan.Bredolab
* Microsoft : TrojanDownloader:Win32/Bredolab.AB
* AhnLab : Win-Trojan/Bredolab.39936.Q

Characteristics

Upon execution, the Trojan copies itself into the following locations:

* %Temp%\~TM7.tmp
* %Programs%\Startup\rarype32.exe

And downloads the following malicious files

More: http://vil.nai.com/vil/content/v_251049.htm

W32/Sality.gen.c
by Marianna Schmudlach / January 27, 2010 11:33 PM PST

Type
Virus
SubType
Generic

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

File Information :

o MD5 : D9A15BFCB7EBE40381440781E58A1734
o SHA1 : 9FAF1FEA558344E3309EED1F61A8B64251C5CC56
o Size : 1,160,963 bytes

Aliases :

o Ikarus : Virus.W32.Sality
o Kaspersky : Virus.Win32.Sality.ae
o NOD32 : Win32/Sality.NAY
o Norman : W32/Sality.AR

Characteristics

W32/Sality.gen.c is a parasitic virus that infects Win32 PE executable files.
Upon execution, it starts a service to listen on a random (example: 8439) UDP port and drops a file in the following path:

o %Temp%\00126336_Rar\Hand.exe

The following files are downloaded from the remote sites to the following path:

More: http://vil.nai.com/vil/content/v_154584.htm
