

VIRUS \ Spyware ALERTS - January 7, 2009

Jan 6, 2009 10:44AM PST


Troj/Bckdr-QQZ
Jan 7, 2009 1:40AM PST
Troj/Agent-IOE
Jan 7, 2009 1:41AM PST
Troj/Agent-IOD
Jan 7, 2009 1:42AM PST
How celebrity Twitter accounts were hacked, and how it can be stopped in future
Jan 7, 2009 1:45AM PST

How celebrity Twitter accounts were hacked, and how it can be stopped in future

Wired has published details of how a hacker managed to hack into Twitter's internal systems earlier this week, opening the door for criminals to break into the Twitter accounts of the likes of Britney Spears, Fox News and Barack Obama.

The teenage hacker, who uses the online handle GMZ, claims he gained entry to the micro-blogging site's administrative control panel by using a dictionary password guesser at a Twitter staffer's account.

Unfortunately for Twitter and its hacked users, the staff member had chosen the dictionary word "happiness".

More: http://www.sophos.com/blogs/gc/g/2009/01/07/celebrity-twitter-accounts-hacked/

W32.Downadup!autorun
Jan 7, 2009 3:05AM PST
An Israeli patriot program or a trojan
Jan 7, 2009 3:07AM PST

Published: 2009-01-07,
Last Updated: 2009-01-07 18:40:22 UTC
by Bojan Zdrnja (Version: 1)

Recently we have been witnessing a rise of politically motivated hacking attacks by supporters of both sides involved in military actions in Gaza. This was more or less expected: whenever two sides collide there will be people supporting them, even through various attacks on the Internet.

Over the weekend another site popped up, www.help-israel-win.com which is down at the moment. According to what was posted on the site, it was built by "a group of students who are tired of sitting around doing nothing".

The site asked visitors supporting Israel to download and install a file from the site (called PatriotInstaller.exe) that will help disrupt their enemy's efforts.

More: http://isc.sans.org/

W32/Confick-D
Jan 7, 2009 6:20AM PST

Category Viruses and Spyware

Type Worm

W32/Confick-D is a worm for the Windows platform.

W32/Confick-D spreads through Windows file shares protected with weak passwords, by copying itself to removable devices and by exploiting the MS08-067 Windows Server service vulnerability.

When run W32/Confick-D attempts to copy itself to removable media, creating the following hidden files:

<Removable Drive Root>\autorun.inf
<Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll (where x represents a random digit)

The DLL file is a copy of the original worm. The autorun.inf file is also detected as W32/Confick-D and will cause the worm to execute when the device is connected to a computer running Windows.

W32/Confick-D creates the following file:

<System>Mischief<Random Letters>.dll

This file is set up to run as a service with a random name when Windows starts. W32/Confick-D modifies permissions on the service registry entries so that they are not visible to the user.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32confickd.html?_log_from=rss
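Added example (not part of the post above and not Sophos's own tooling): a Python check for the removable-media footprint the W32/Confick-D write-up describes, a hidden autorun.inf in the drive root plus a DLL under a SID-named RECYCLER folder, with the autorun.inf inspected for the launch directive that would run it. The drive listings and autorun.inf bodies below are constructed sample data; the SID digits and DLL name are placeholders, and the SID folder is matched loosely (any dash-separated digit groups after "S-") so the check also covers variants with a different digit layout than the one shown in the write-up.

```python
import re
from dataclasses import dataclass

# Footprint described in the write-up:
#   <Removable Drive Root>\autorun.inf
#   <Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll
# The SID-like folder is matched loosely ("S-" followed by dash-separated digit groups)
# so the check is not tied to one exact digit layout.
RECYCLER_DLL_RE = re.compile(r"^RECYCLER\\S-\d+(?:-\d+)+\\[A-Za-z]+\.dll$", re.IGNORECASE)

# autorun.inf directives that launch something when the device is inserted.
AUTORUN_CMD_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE)


@dataclass
class Entry:
    """One file seen on the removable drive (path relative to the drive root)."""
    path: str
    hidden: bool            # FILE_ATTRIBUTE_HIDDEN was set on the file
    content: str = ""       # file body; only populated for autorun.inf here


def autorun_commands(inf_text):
    """Return the launch commands declared in an autorun.inf body."""
    cmds = []
    for line in inf_text.splitlines():
        m = AUTORUN_CMD_RE.match(line)
        if m:
            cmds.append(m.group(2))
    return cmds


def find_indicators(entries):
    """Return human-readable findings for the Confick-D removable-media pattern."""
    findings = []
    by_path = {e.path.lower(): e for e in entries}
    inf = by_path.get("autorun.inf")
    if inf is not None:
        if inf.hidden:
            findings.append("hidden autorun.inf in drive root")
        for cmd in autorun_commands(inf.content):
            low = cmd.lower()
            if "rundll32" in low or "recycler" in low:
                findings.append("autorun.inf launches: " + cmd)
    for e in entries:
        if RECYCLER_DLL_RE.match(e.path):
            findings.append("DLL under SID-named RECYCLER folder: " + e.path
                            + (" (hidden)" if e.hidden else ""))
    return findings


# Constructed sample listings (placeholder SID digits and DLL name, not real IoCs).
SAMPLE_INFECTED = [
    Entry("autorun.inf", True,
          "[autorun]\n"
          "Action=Open folder\n"
          "shellexecute=rundll32.exe RECYCLER\\S-1-5-21-123-456-789-1\\abcdefg.dll,Install\n"),
    Entry("RECYCLER\\S-1-5-21-123-456-789-1\\abcdefg.dll", True),
    Entry("holiday\\photo1.jpg", False),
]
SAMPLE_CLEAN = [
    Entry("autorun.inf", False, "[autorun]\nicon=icon.ico\nlabel=Backup stick\n"),
    Entry("backup\\report.pdf", False),
]

if __name__ == "__main__":
    for name, listing in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, find_indicators(listing) or "no indicators")
```

To run this against a real drive, build the Entry list from a directory walk that records the hidden attribute (the files the write-up lists are hidden, so a listing that skips hidden files will miss them) and read the autorun.inf body into the content field.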

W32/Autorun-TI
Jan 7, 2009 6:21AM PST

Aliases W32/SillyFDC

Category Viruses and Spyware

Type Worm

W32/Autorun-TI is a worm for the Windows platform.

When first run W32/Autorun-TI copies itself to:

<Root>\250kg.exe
<Windows>\250kg.exe
<Program Files>\Common Files\Services\.exe
<Program Files>Mischief.exe
<Windows>\provisioning\schemas\.exe
<Windows>\provisioning\.exe
<Windows>\provisioning.exe

W32/Autorun-TI creates the following files:

<Root>\autorun.inf
<Windows>\VNSPEECH.DLL

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunti.html?_log_from=rss

Troj/QHost-AD
Jan 7, 2009 6:22AM PST
Troj/FakeVir-IW
Jan 7, 2009 6:23AM PST
Troj/FakeAV-IH
Jan 7, 2009 6:24AM PST
Troj/DownLd-O
Jan 7, 2009 6:26AM PST

Aliases Win32/Injector.DO

Category Viruses and Spyware

Type Trojan

Troj/DownLd-O is a Trojan for the Windows platform.

When first run Troj/DownLd-O copies itself to <Windows>\services.exe.

The following registry entry is created to run Troj/DownLd-O on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
services
<Windows>\services.exe

Troj/DownLd-O sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdownldo.html?_log_from=rss
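Added example (not part of the post above and not Sophos's own tooling): a Python parser for the .reg export format and a check for the two registry changes the Troj/DownLd-O write-up lists, a Run value named "services" that starts <Windows>\services.exe and SharedAccess with Start=4. The legitimate services.exe lives in <Windows>\System32, so a Run entry starting a file of that name anywhere else is a masquerade; the set of names treated that way (SYSTEM32_ONLY) is an example set, and the .reg text below is constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# .reg export syntax handled here: [key] headers, "name"="string" and "name"=dword:hex values.
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SHAREDACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
SERVICE_DISABLED = 4  # Start = 4 (SERVICE_DISABLED): the service is never started

# Example set (assumption, extend as needed): names whose legitimate binary lives only in
# <Windows>\System32, so a Run entry pointing at that name elsewhere is a masquerade.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe"}


def _decode_value(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # .reg strings escape backslash and double quote with a backslash
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:/expand-string types are left undecoded in this example


def parse_reg(text):
    """Parse .reg text into {key (lower-case): {value name (lower-case): value}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = _decode_value(m.group(2))
    return keys


def check_persistence(reg):
    """Flag the two registry changes the Troj/DownLd-O write-up lists."""
    findings = []
    for name, target in reg.get(RUN_KEY, {}).items():
        if not isinstance(target, str):
            continue
        p = PureWindowsPath(target.strip('"'))
        if p.name.lower() in SYSTEM32_ONLY and p.parent.name.lower() != "system32":
            findings.append(f"Run value '{name}' starts {p} (real {p.name} lives in System32)")
    if reg.get(SHAREDACCESS_KEY, {}).get("start") == SERVICE_DISABLED:
        findings.append("SharedAccess Start=4: Internet Connection Firewall/Sharing service disabled")
    return findings


# Constructed sample export: one masquerading Run value, one benign one, and the
# SharedAccess service set to disabled, as the write-up describes.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"services"="C:\\Windows\\services.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in check_persistence(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live machine the input comes from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the matching export of the SharedAccess key; open the files with the encoding reg.exe wrote them in (UTF-16 on current Windows versions) before passing the text to parse_reg.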

Troj/Agent-IOF
Jan 7, 2009 6:27AM PST
Troj/Agent-IOE
Jan 7, 2009 6:28AM PST
Mal/QLowZ-A
Jan 7, 2009 6:29AM PST
Ocean Baccarat
Jan 7, 2009 6:30AM PST
CouponBar
Jan 7, 2009 6:31AM PST

Category Adware or PUA

Type Unspecified PUA

App/CoupBar-A is a potentially unwanted application.

When the application is installed the following files are created:

<Windows>\CBBasis.xml
<Windows>\CBVersion.txt
<Windows>\CouponBarIE.dll
<Windows>\cpbrkpie.ocx
<Windows>\UccSpecB.sys

The files CouponBarIE.dll and cpbrkpie.ocx are registered as COM objects, creating registry entries under:

More: http://www.sophos.com/security/analyses/adware-and-puas/couponbar.html?_log_from=rss

W32/Sohana-BR
Jan 7, 2009 8:27AM PST

Category Viruses and Spyware

Type Worm

W32/Sohana-BR is a worm for the Windows platform.

W32/Sohana-BR includes functionality to access the internet and communicate with a remote server via HTTP.

The worm spreads via removable media and chat programs such as Yahoo Messenger.

When first run W32/Sohana-BR copies itself to:

<Windows>\gphone.exe
<System>\gphone.exe

and creates the file <System>\autorun.ini.

The file autorun.ini is detected as W32/Sohana-BI.

W32/Sohana-BR copies itself to the root folder of removable drives with the filenames:

gphone.exe
New Folder.exe

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32sohanabr.html?_log_from=rss

Troj/FakeVir-JD
Jan 7, 2009 8:28AM PST
Troj/Bancos-BFB
Jan 7, 2009 8:30AM PST
Troj/Agent-IOG
Jan 7, 2009 8:31AM PST
Troj/Agent-IMK
Jan 7, 2009 8:32AM PST
An example of a hacked site
Jan 7, 2009 8:33AM PST

Wednesday, January 07, 2009

We're working on getting this taken down. However, it's something that may be of interest.

Offenbacher.com is hacked, badly. The webserver performs a 302 redirect if the referrer is found. Seeing the hack requires that the site sees you as a referrer.


Going to the site normally yields this:

More: http://sunbeltblog.blogspot.com/index.html
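Added example, not part of the post above or of Sunbelt's write-up: a Python check for the referrer-conditional redirect the post describes, the kind of check a site owner runs against their own site. A local http.server stand-in reproduces the behaviour (302 only when a Referer header is present) so the check runs offline against 127.0.0.1 and never contacts the site named in the post; the redirect target and the referrer list are constructed assumptions.

```python
import http.server
import threading
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class ReferrerCloakHandler(http.server.BaseHTTPRequestHandler):
    """Local stand-in for the compromised site: 302 only when a Referer is present."""
    REDIRECT_TO = "http://redirect-target.invalid/"  # constructed placeholder

    def do_GET(self):
        if self.headers.get("Referer"):
            self.send_response(302)
            self.send_header("Location", self.REDIRECT_TO)
            self.end_headers()
            return
        body = b"<html><body>normal page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ReferrerCloakHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # don't follow; we want to see the 3xx itself


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(url, referer=None):
    """Fetch url once without following redirects; returns (status, Location header)."""
    req = urllib.request.Request(url, headers={"User-Agent": "referrer-redirect-check/1.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx once the redirect handler declines to follow it
        return err.code, err.headers.get("Location")


def detect_conditional_redirect(url, referers=("https://www.google.com/", "https://www.bing.com/")):
    """Compare a plain request with Referer-bearing ones; returns the referers that trigger a 3xx."""
    base_status, _ = probe(url)
    hits = []
    for ref in referers:
        status, location = probe(url, referer=ref)
        if status in REDIRECT_CODES and status != base_status:
            hits.append((ref, status, location))
    return hits


if __name__ == "__main__":
    srv, base = start_server()
    try:
        print("plain request:", probe(base))
        for ref, status, loc in detect_conditional_redirect(base):
            print(f"Referer {ref} -> {status} to {loc}")
    finally:
        srv.shutdown()
```

The point of comparing against a plain request is that a site which redirects everyone is not what the post describes; the indicator is a redirect that appears only when the request carries a referrer, which is also why the site looks normal when opened directly.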