Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

VIRUS \ Spyware ALERTS - January 7, 2009

by Marianna Schmudlach Jan 6, 2009 10:44AM PST

Discussion is locked

31 - 60 of 53 Posts
- Collapse + Expand Details
- Collapse -
Troj/Bckdr-QQZ
by Marianna Schmudlach Jan 7, 2009 1:40AM PST
- Collapse -
Troj/Agent-IOE
by Marianna Schmudlach Jan 7, 2009 1:41AM PST
- Collapse -
Troj/Agent-IOD
by Marianna Schmudlach Jan 7, 2009 1:42AM PST
- Collapse -
How celebrity Twitter accounts were hacked, and how it can b
by Marianna Schmudlach Jan 7, 2009 1:45AM PST

How celebrity Twitter accounts were hacked, and how it can be stopped in future

Wired has published details of how a hacker managed to hack into Twitter?s internal systems earlier this week, opening the door for criminals to break into the Twitter accounts of the likes of Britney Spears, Fox News and Barack Obama.

The teenage hacker, who uses the online handle GMZ, claims he gained entry to the micro-blogging site?s administrative control panel by using a dictionary password guesser at a Twitter staffer?s account.

Unfortunately for Twitter and its hacked users, the staff member had chosen the dictionary word ?happiness?.

More: http://www.sophos.com/blogs/gc/g/2009/01/07/celebrity-twitter-accounts-hacked/

- Collapse -
W32.Downadup!autorun
by Marianna Schmudlach Jan 7, 2009 3:05AM PST
- Collapse -
An Israeli patriot program or a trojan
by Marianna Schmudlach Jan 7, 2009 3:07AM PST

Published: 2009-01-07,
Last Updated: 2009-01-07 18:40:22 UTC
by Bojan Zdrnja (Version: 1)

Recently we have been witnessing a rise of politically motivated hacking attacks by supporters both sides involved in military actions in Gaza. This was more or less expected, whenever two sides collide there will be people supporting them, even through various attacks on the Internet.

Over the weekend another site popped up, www.help-israel-win.com which is down at the moment. According to what was posted on the site, it was built by "a group of students who are tired of sitting around doing nothing".

The site asked visitors supporting Israel to download and install a file from the site (called PatriotInstaller.exe) that will help disrupt their enemy's efforts.

More: http://isc.sans.org/

- Collapse -
W32/Confick-D
by Marianna Schmudlach Jan 7, 2009 6:20AM PST

Category Viruses and Spyware

Type Worm

W32/Confick-D is a worm for the Windows platform.

W32/Confick-D spreads through Windows file shares protected with weak passwords, by copying itself to removable devices and by exploiting the MS08-067 Windows Server service vulnerability.

When run W32/Confick-D attempts to copy itself to removable media, creating the following hidden files:

<Removable Drive Root>\autorun.inf
<Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll (where x represents a random digit)

The DLL file is a copy of the original worm. The autorun.inf file is also detected as W32/Confick-D and will cause the worm to execute when the device is connected to a computer running Windows.

W32/Confick-D creates the following file:

<System&gtMischief<Random Letters>.dll

This file is set up to run as a service with a random name when Windows starts. W32/Confick-D modifies permissions on the service registry entries so that they are not visible to the user.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32confickd.html?_log_from=rss

- Collapse -
W32/Autorun-TI
by Marianna Schmudlach Jan 7, 2009 6:21AM PST

Aliases W32/SillyFDC

Category Viruses and Spyware

Type Worm

W32/Autorun-TI is a worm for the Windows platform.

When first run W32/Autorun-TI copies itself to:

<Root>\250kg.exe
<Windows>\250kg.exe
<Program Files>\Common Files\Services\.exe
<Program Files&gtMischief.exe
<Windows>\provisioning\schemas\.exe
<Windows>\provisioning\.exe
<Windows>\provisioning.exe

W32/Autorun-TI creates the following files:

<Root>\autorun.inf
<Windows>\VNSPEECH.DLL

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunti.html?_log_from=rss

- Collapse -
Troj/QHost-AD
by Marianna Schmudlach Jan 7, 2009 6:22AM PST
- Collapse -
Troj/FakeVir-IW
by Marianna Schmudlach Jan 7, 2009 6:23AM PST
- Collapse -
Troj/FakeAV-IH
by Marianna Schmudlach Jan 7, 2009 6:24AM PST
- Collapse -
Troj/DownLd-O
by Marianna Schmudlach Jan 7, 2009 6:26AM PST

Aliases Win32/Injector.DO

Category Viruses and Spyware

Type Trojan

Troj/DownLd-O is a Trojan for the Windows platform.

When first run Troj/DownLd-O copies itself to <Windows>\services.exe.

The following registry entry is created to run Troj/DownLd-O on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
services
<Windows>\services.exe

Troj/DownLd-O sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdownldo.html?_log_from=rss

- Collapse -
Troj/Agent-IOF
by Marianna Schmudlach Jan 7, 2009 6:27AM PST
- Collapse -
Troj/Agent-IOE
by Marianna Schmudlach Jan 7, 2009 6:28AM PST
- Collapse -
Mal/QLowZ-A
by Marianna Schmudlach Jan 7, 2009 6:29AM PST
- Collapse -
Ocean Baccarat
by Marianna Schmudlach Jan 7, 2009 6:30AM PST
- Collapse -
CouponBar
by Marianna Schmudlach Jan 7, 2009 6:31AM PST

Category Adware or PUA

Type Unspecified PUA

App/CoupBar-A is a potentially unwanted application.

When the application is installed the following files are created:

<Windows>\CBBasis.xml
<Windows>\CBVersion.txt
<Windows>\CouponBarIE.dll
<Windows>\cpbrkpie.ocx
<Windows>\UccSpecB.sys

The files CouponBarIE.dll and cpbrkpie.ocx are registered as COM objects, creating registry entries under:

More: http://www.sophos.com/security/analyses/adware-and-puas/couponbar.html?_log_from=rss

- Collapse -
W32/Sohana-BR
by Marianna Schmudlach Jan 7, 2009 8:27AM PST

Category Viruses and Spyware

Type Worm

W32/Sohana-BR is a worm for the Windows platform.

W32/Sohana-BR includes functionality to access the internet and communicate with a remote server via HTTP.

The worm spreads via removeable media and chat programs such as Yahoo Messenger.

When first run W32/Sohana-BR copies itself to:

<Windows>\gphone.exe
<System>\gphone.exe

and creates the file <System>\autorun.ini.

The file autorun.ini is detected as W32/Sohana-BI.

W32/Sohana-BR copies itself to the root folder of removeable drives with the filenames:

gphone.exe
New Folder.exe

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32sohanabr.html?_log_from=rss

- Collapse -
Troj/FakeVir-JD
by Marianna Schmudlach Jan 7, 2009 8:28AM PST
- Collapse -
Troj/Bancos-BFB
by Marianna Schmudlach Jan 7, 2009 8:30AM PST
- Collapse -
Troj/Agent-IOG
by Marianna Schmudlach Jan 7, 2009 8:31AM PST
- Collapse -
Troj/Agent-IMK
by Marianna Schmudlach Jan 7, 2009 8:32AM PST
- Collapse -
An example of a hacked site
by Marianna Schmudlach Jan 7, 2009 8:33AM PST

Wednesday, January 07, 2009

We?re working on getting this taken down. However, it?s something that may be of interest.


Offenbacher.com is hacked ? badly. The webserver performs a 302 redirect if the referrer is found. Seeing the hack requires that the site sees you as a referrer.


Going to the site normally yields this:

More: http://sunbeltblog.blogspot.com/index.html

Back to Spyware, Viruses, & Security forum

CNET Forums

Operating Systems
Software
Electronics & Gadgets
Hardware
Tablets & Mobile Devices
General Help
Brand Forums
Roadshow Autos
Off Topic

Other Forums

Forum Info