
VIRUS \ Spyware ALERTS - January 3, 2008

Jan 2, 2009 1:39PM PST


Troj/FakeAV-HZ
Jan 2, 2009 1:40PM PST
Troj/FakeAle-KL
Jan 2, 2009 1:41PM PST
Troj/FakeAle-KK
Jan 2, 2009 1:42PM PST
Troj/Daonol-Fam
Jan 2, 2009 1:43PM PST

Aliases Rootkit.Win32.Agent.fwt
Trojan:Win32/Daonol.A
Trojan:Win32/Daonol.B

Category Viruses and Spyware

Type Trojan

Troj/Daonol-Fam is a family of Trojans for the Windows platform.

Members of Troj/Daonol-Fam typically copy themselves to the Root folder and create some of the following files:

<Root>\<random filename>.bat (clean batch file)
<System>\sysaudio.sys

The file sysaudio.sys is also a member of Troj/Daonol-Fam.

A registry entry is usually set similar to the following:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
aux
sysaudio.sys

Troj/Daonol-Fam attempts to redirect internet traffic from a number of websites.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdaonolfam.html?_log_from=rss

Troj/BHO-IZ
Jan 2, 2009 1:44PM PST
Troj/PWS-AXK
Jan 3, 2009 12:03AM PST
W32/IRCBot-AAY
Jan 3, 2009 10:01AM PST

Category Viruses and Spyware

Type Worm

W32/IRCBot-AAY is a worm with IRC backdoor functionality for the Windows platform.

W32/IRCBot-AAY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run, W32/IRCBot-AAY copies itself to <System>\msddll.exe.

The file msddll.exe is registered as a new system driver service named "msddll", with a display name of "msddll" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\msddll

http://www.sophos.com/security/analyses/viruses-and-spyware/w32ircbotaay.html?_log_from=rss

Troj/Renos-CG
Jan 3, 2009 10:02AM PST
Troj/FakeAV-IA
Jan 3, 2009 10:03AM PST

Aliases Generic Downloader.x
not-a-virus:AdWare.Win32.BHO.dtl
Win32/TrojanDownloader.FakeAlert.OG

Category Viruses and Spyware

Type Trojan

Troj/FakeAV-IA is a Trojan for the Windows platform.

Troj/FakeAV-IA is registered as a COM object, creating registry entries under:

HKCR\CLSID\{32FD16DC-537C-4186-9BD6-C718A308342B}
HKCR\Interface\{268706F0-841C-446A-B757-8C1EF84527DC}
HKCR\TypeLib\{A0442DFA-1F7E-4DCE-B75C-A90993D6E7FC}

The following registry entry is set:

HKCR\getsn32.msiesn\Clsid
(default)
{32FD16DC-537C-4186-9BD6-C718A308342B}

Registry entries are created under:

HKCR\getsn32.msiesn

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavia.html?_log_from=rss

Troj/Agent-INB
Jan 3, 2009 10:04AM PST
Troj/CryptBox-A
Jan 3, 2009 10:05AM PST
Troj/Adclik-Gen
Jan 3, 2009 10:06AM PST
Mal/CryptBox-A
Jan 3, 2009 10:07AM PST