Spyware, Viruses, & Security forum


VIRUS \ SPYWARE ALERTS - January 7, 2010

by Marianna Schmudlach / January 6, 2010 10:55 PM PST
Troj/Bredolab-H
by Marianna Schmudlach / January 6, 2010 10:56 PM PST
Troj/Hiloti-O
by Marianna Schmudlach / January 6, 2010 10:56 PM PST
Troj/KillAV-GF
by Marianna Schmudlach / January 6, 2010 10:57 PM PST
Troj/PDFJs-GL
by Marianna Schmudlach / January 6, 2010 10:58 PM PST
Troj/Swizzor-QK
by Marianna Schmudlach / January 6, 2010 10:58 PM PST
W32/AutoRun-AOA
by Marianna Schmudlach / January 6, 2010 10:59 PM PST

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices

Affected operating systems Windows
Characteristics

* Installs itself in the registry


W32/AutoRun-AOA is a worm for the Windows platform.

When run W32/AutoRun-AOA copies itself to
<System>\system3_.exe
<Windows>\system3_.exe

and creates the file
<System>\autorun.ini - detected as W32/AutoRun-AOA

W32/AutoRun-AOA spreads via removable drives by copying itself to <Root>\system3_.exe and creating the file <Root>\autorun.inf (detected as W32/AutoRun-AOA ).

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe system3_.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
shared
\New Folder.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NofolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger
<System>\system3_.exe


Registry changes are made under:

HKCU\Software\Microsoft\Internet Explorer\Main
Start Page

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
Default_Page_URL

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
Default_Search_URL

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
Search Page

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
Start Page


http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunaoa.html?_log_from=rss
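As an added example (not part of this post or of the Sophos write-up), a small Python triage helper for the removable-drive pattern described above: it parses an autorun.inf tolerantly, lists every command the file would launch (the open and shellexecute keys plus the shell\verb\command entries that worms hijack so that "Open" and "Explore" also run the payload), flags the bare-executable-in-drive-root pattern, and decodes the NoDriveTypeAutoRun policy value that controls whether Windows honours autorun.inf for a given drive type. The autorun.inf content is constructed to mirror the description (system3_.exe in the drive root); function names and the suspicion heuristic are this example's own.

```python
"""Triage helpers for autorun.inf-based removable-drive worms (added example)."""
import re
from typing import Dict, List

# Bit positions of NoDriveTypeAutoRun follow the GetDriveType() constants.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}

# Constructed sample mirroring the W32/AutoRun-AOA description; not a captured file.
SAMPLE_AUTORUN_INF = """
[autorun]
open=system3_.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\Command=system3_.exe
shell\\explore\\Command=system3_.exe
shellexecute=system3_.exe
"""


def parse_autorun(text: str) -> Dict[str, Dict[str, str]]:
    """Tolerant INI parser: worm-written autorun.inf files often carry junk
    lines, odd casing and duplicate keys that configparser would reject."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


LAUNCH_KEYS = ("open", "shellexecute")


def autorun_targets(text: str) -> List[str]:
    """Distinct commands the file would run: open, shellexecute and every
    shell\\<verb>\\command entry (context-menu verbs that worms redirect)."""
    auto = parse_autorun(text).get("autorun", {})
    targets: List[str] = []
    for key, value in auto.items():
        if key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            if value and value not in targets:
                targets.append(value)
    return targets


def is_suspicious(text: str) -> bool:
    """Heuristic: a launch target that is a bare executable in the drive root
    (no directory component) is the classic AutoRun worm pattern."""
    bare_exe = re.compile(r"^[^\\/:]+\.(exe|com|scr|pif|bat|cmd|vbs)(\s|$)", re.I)
    return any(bare_exe.match(t) for t in autorun_targets(text))


def allowed_autorun_drive_types(nodrivetypeautorun: int) -> List[str]:
    """Decode Policies\\Explorer\\NoDriveTypeAutoRun: each set bit disables
    AutoRun for one drive type. 0xFF disables it everywhere; the XP default
    0x91 leaves removable, fixed and CD-ROM drives enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not nodrivetypeautorun & bit]


if __name__ == "__main__":
    print("launch targets:", autorun_targets(SAMPLE_AUTORUN_INF))
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN_INF))
    print("AutoRun still allowed with 0x91:", allowed_autorun_drive_types(0x91))
    print("AutoRun still allowed with 0xFF:", allowed_autorun_drive_types(0xFF))
```

On a live system the value to feed into allowed_autorun_drive_types comes from HKLM or HKCU under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; the HKLM value wins when both are set, and 0xFF is the setting that stops autorun.inf from being honoured on any drive type.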

W32/AutoRun-AXT
by Marianna Schmudlach / January 6, 2010 11:00 PM PST

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices

Affected operating systems Windows
Characteristics

* Installs itself in the registry


W32/AutoRun-AXT is a worm for the Windows platform that spreads via removable shared drives.

When run W32/AutoRun-AXT copies itself to <System>\WMITPRK.EXE.

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\Security Center\
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center\
AntiVirusOverride
1

HKLM\SOFTWARE\Microsoft\Security Center\
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center\
FirewallOverride
1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
<System>\WMITPRK.EXE

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
DomainProfile\AuthorizedApplications\List
<System>\WMITPRK.EXE

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List
<System>\WMITPRK.EXE

HKLM\SOFTWARE\Windows\CurrentVersion\Run
ctfmon.exe
ctfmon.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
ctfmon.exe
ctfmon.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
ctfmon.exe
ctfmon.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
Debugger
WMITPRK.EXE

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Policies\Microsoft\MRT
DontReportInfectionInformation
1


http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunaxt.html?_log_from=rss

Troj/Swizzor-QJ
by Marianna Schmudlach / January 6, 2010 11:01 PM PST
W32/Autorun-AXP
by Marianna Schmudlach / January 6, 2010 11:02 PM PST

Category

* Viruses and Spyware

Type

* Worm


Affected operating systems Windows

W32/Autorun-AXP is a Worm for the Windows platform.

W32/Autorun-AXP includes functionality to:

- run automatically
- steal confidential information
- access the internet and communicate with a remote server via HTTP - to download self updates
- disable other software, including anti-virus, firewall and security related applications

W32/Autorun-AXP communicates via HTTP with the following locations:

yahoox5f . com

When W32/Autorun-AXP is installed the following files are created:

e9naq.exe (in root folder)
<Temp>\cvasds0.dll
<Temp>\cvasds1.dll
<Temp>\herss.exe

The following registry entry is set:

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"cdoosoft"
"%Temp%\herss.exe"

The following registry entry is changed:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden
SHOWALL
CheckedValue - set to 0

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunaxp.html?_log_from=rss

W32/Brontok-EB
by Marianna Schmudlach / January 6, 2010 11:03 PM PST

Category

* Viruses and Spyware

Type

* Worm


Affected operating systems Windows

W32/Brontok-EB is a worm for the Windows platform.

When W32/Brontok-EB is installed, it copies itself to:

<User>\Local Settings\Application Data\csrss.exe
<User>\Local Settings\Application Data\inetinfo.exe
<User>\Local Settings\Application Data\lsass.exe
<User>\Local Settings\Application Data\services.exe
<User>\Local Settings\Application Data\smss.exe
<User>\Local Settings\Application Data\winlogon.exe
<Startup>\Empty.pif
<User>\Templates\bararontok.com
<System>\support's Setting.scr
<Windows>\ShellNew\ElnorB.exe

The following registry entries are created to run W32/Brontok-EB on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Tok-Cirrhatus
<User>\Local Settings\Application Data\smss.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Bron-Spizaetus
<Windows>\ShellNew\ElnorB.exe

The following registry entry is set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0x00000001

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0x00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0x00000000

http://www.sophos.com/security/analyses/viruses-and-spyware/w32brontokeb.html?_log_from=rss

W32/SdBot-DNU
by Marianna Schmudlach / January 6, 2010 11:04 PM PST

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices

Affected operating systems Windows
Characteristics

* Installs itself in the registry


W32/SdBot-DNU is a Trojan for the Windows platform.

W32/SdBot-DNU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/SdBot-DNU copies itself to <Temp> with names like "svchost.exe" or "IXP000.TMP\jyty.exe".

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<Current Folder>\<original filename>:*:Enabled:svchost

W32/SdBot-DNU may also:

- Modify IE Start Page (HKCU\Software\Microsoft\Internet Explorer\Main);

- Copy self into %Windows%\rndll.exe and set the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
"Firevall Administrating"
"rndll.exe"

HKLM\Microsoft\Windows\CurrentVersion\Run
"Firevall Administrating"
"rndll.exe"

http://www.sophos.com/security/analyses/viruses-and-spyware/w32sdbotdnu.html?_log_from=rss

Mal/EncPk-MS
by Marianna Schmudlach / January 6, 2010 11:04 PM PST
Troj/FakeAV-AOG
by Marianna Schmudlach / January 6, 2010 11:05 PM PST

Aliases

* TR/Crypt.XPACK.Gen

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems Windows

Troj/FakeAV-AOG is a Trojan for the Windows platform.

Troj/FakeAV-AOG includes functionality to run automatically and copy itself to the <System> folder.

When Troj/FakeAV-AOG is installed the following files are created:

<System>\smss32.exe
<System>\winlogon32.exe

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
smss32.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Winlogon
Userinit

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavaog.html?_log_from=rss
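The Sophos posts in this thread for W32/AutoRun-AOA, W32/AutoRun-AXT, W32/Autorun-AXP, W32/Brontok-EB, W32/SdBot-DNU and Troj/FakeAV-AOG all list registry changes of a few recurring kinds: Winlogon Shell or Userinit extended with an extra binary, Run entries for system-process lookalikes, an Image File Execution Options Debugger redirect, an executable registered under SafeBoot, Security Center and Policies values that switch protection off, and Explorer's SHOWALL checkbox disabled. As an added example (this editor's code, not from the posts or from Sophos), the Python below reviews a .reg export offline for exactly those patterns. The export text is constructed from the entries quoted in those posts, and the lookalike heuristic and finding strings are this example's own.

```python
"""Offline review of a Windows .reg export for the registry changes described above."""
import re
from typing import Dict, List, Tuple

# Constructed export (not a capture) reproducing entries from the
# W32/AutoRun-AOA, W32/AutoRun-AXT, W32/Autorun-AXP and Troj/FakeAV-AOG posts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe system3_.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\winlogon32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"Debugger"="WMITPRK.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctfmon.exe]
@="ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\system3_.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map key path -> {value name: (type, data)}; strings and dwords decoded, the rest kept raw."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\"))
            elif data.lower().startswith("dword:"):
                keys[current][name] = ("REG_DWORD", str(int(data[6:], 16)))
            else:
                keys[current][name] = ("RAW", data)
    return keys


SYSTEM_STEMS = ("smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "ctfmon", "userinit", "system")


def lookalike(command: str) -> bool:
    """System-process lookalike: a genuine name outside System32 (Brontok's csrss.exe
    under Application Data) or a mangled variant anywhere (smss32.exe, system3_.exe)."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.I)
    if not m:
        return False
    directory, _, base = m.group(1).rpartition("\\")
    stem = re.match(r"(%s)(.*)\.exe$" % "|".join(SYSTEM_STEMS), base.lower())
    if not stem:
        return False
    return stem.group(2) != "" or not directory.lower().endswith("\\system32")


# Values that only ever read 1 when something is switching protection off.
KILL_SWITCHES = {
    "\\policies\\system": ("disableregistrytools", "disabletaskmgr", "disablecmd"),
    "\\policies\\explorer": ("nofolderoptions",),
    "\\security center": ("antivirusdisablenotify", "antivirusoverride",
                          "firewalldisablenotify", "firewalloverride"),
    "\\systemrestore": ("disableconfig",),
    "\\microsoft\\mrt": ("dontreportinfectioninformation",),
}


def audit(text: str) -> List[str]:
    """Return one finding per suspicious entry; an empty list means nothing matched."""
    findings: List[str] = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        leaf = key.rpartition("\\")[2]
        if "\\safeboot\\" in low and leaf.lower().endswith(".exe"):
            findings.append(f"SafeBoot entry keeps {leaf} running in Safe Mode")
        for name, (_, data) in values.items():
            n = name.lower()
            if low.endswith("\\winlogon") and n == "shell" and data.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell hijacked: {data}")
            if low.endswith("\\winlogon") and n == "userinit":
                extra = [p for p in data.split(",") if p.strip() and not p.lower().endswith("userinit.exe")]
                if extra:
                    findings.append(f"Winlogon Userinit chains extra binaries: {extra}")
            if "\\image file execution options\\" in low and n == "debugger":
                findings.append(f"IFEO Debugger redirects {leaf} to {data}")
            if low.endswith("\\currentversion\\run") and lookalike(data):
                findings.append(f"Run entry {name!r} launches lookalike {data}")
            if low.endswith("\\hidden\\showall") and n == "checkedvalue" and data == "0":
                findings.append("Explorer 'Show hidden files' disabled (SHOWALL CheckedValue=0)")
            for suffix, names in KILL_SWITCHES.items():
                if low.endswith(suffix) and n in names and data == "1":
                    findings.append(f"{name}=1 under {key}")
    return findings
```

Feed audit() the output of `reg export` for HKLM\SOFTWARE, HKLM\SYSTEM and the user hive of interest (convert from UTF-16 first). A Debugger value under Image File Execution Options and an .exe key under SafeBoot have legitimate uses, so treat those findings as review items rather than verdicts; a Shell value other than Explorer.exe or a Userinit chain beyond userinit.exe is almost never legitimate on a workstation.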

Troj/FakeAV-AOH
by Marianna Schmudlach / January 6, 2010 11:06 PM PST
OneStep
by Marianna Schmudlach / January 6, 2010 11:07 PM PST
Trojan:Win32/Alureon.DG
by Marianna Schmudlach / January 6, 2010 11:11 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This potentially unwanted software is detected by the Microsoft antispyware engine. Technical details are not currently available.

More details are available in the Family description of Win32/Alureon

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Alureon.DG&ThreatID=-2147336630

Backdoor:Win32/Hupigon.DV
by Marianna Schmudlach / January 6, 2010 11:12 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is classified as a Trojan - Backdoor. A backdoor trojan provides remote, usually surreptitious, access to affected systems. A backdoor trojan may be used to conduct distributed denial of service (DDoS) attacks, or it may be used to install additional trojans or other forms of malicious software. For example, a backdoor trojan may be used to install a downloader or dropper trojan, which may in turn install a proxy trojan used to relay spam or a keylogger trojan which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

More details are available in the Family description of Win32/Hupigon

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Hupigon.DV&ThreatID=-2147336619

Exploit:JS/Pdfjsc.AA
by Marianna Schmudlach / January 6, 2010 11:13 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.


https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:JS/Pdfjsc.AA&ThreatID=-2147336624

Exploit:JS/Pdfjsc.AB
by Marianna Schmudlach / January 6, 2010 11:13 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:JS/Pdfjsc.AB&ThreatID=-2147336623

Exploit:Win32/Pdfjsc.CV
by Marianna Schmudlach / January 6, 2010 11:14 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:Win32/Pdfjsc.CV&ThreatID=-2147336631

Backdoor:Win32/Poison.AN
by Marianna Schmudlach / January 6, 2010 11:15 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is classified as a Trojan - Backdoor. A backdoor trojan provides remote, usually surreptitious, access to affected systems. A backdoor trojan may be used to conduct distributed denial of service (DDoS) attacks, or it may be used to install additional trojans or other forms of malicious software. For example, a backdoor trojan may be used to install a downloader or dropper trojan, which may in turn install a proxy trojan used to relay spam or a keylogger trojan which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Poison.AN&ThreatID=-2147336620

PWS:Win32/QQpass.CA
by Marianna Schmudlach / January 6, 2010 11:15 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is classified as a Trojan - Password Stealer. Typically, a password stealing trojan installs a keystroke logger (commonly referred to as a keylogger) which records keystrokes and sends the recorded information to remote attackers. Some keyloggers monitor only keystrokes involved in specific types of web-based transactions. For example, a keylogger may include a component that monitors browser activity, only recording keystrokes when certain bank or ecommerce sites are accessed. Other types of password-stealing trojans include those that capture screenshots in an attempt to bypass graphic-based security measures. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.


https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS:Win32/QQpass.CA&ThreatID=-2147336618

TrojanDownloader:Win32/RandBho.A
by Marianna Schmudlach / January 6, 2010 11:16 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is classified as a Trojan - Downloader. A downloader trojan accesses remote websites in an attempt to download and install malicious or potentially unwanted software. Some downloader trojans target specific files on remote websites while others may target a specific URL that points to a website containing exploit code that may allow the site to automatically download and install software or malicious code on vulnerable systems. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/RandBho.A&ThreatID=-2147336617

Trojan:Win32/Remhead
by Marianna Schmudlach / January 6, 2010 11:17 PM PST
Worm:Win32/Rimecud.B
by Marianna Schmudlach / January 6, 2010 11:18 PM PST

Aliases
Win-Trojan/Buzus.143360.BT (AhnLab)
Trojan.Win32.Buzus.apjj (Kaspersky)
W32/Buzus.LFM (Norman)
Win32/Agent.NFV (ESET)
Win32/SillyP2P.BY (CA)
W32/Autorun.worm.fz (McAfee)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.71.1864.0
Released: Jan 07, 2010

Summary
Worm:Win32/Rimecud is a family of worms with multiple components that spreads via fixed and removable drives, and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected machine.

More: https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Rimecud.B&ThreatID=-2147344354

Trojan:Win32/Sisproc
by Marianna Schmudlach / January 6, 2010 11:19 PM PST
Trojan:Win32/Sisron
by Marianna Schmudlach / January 6, 2010 11:20 PM PST
Trojan:Win32/Skintrim.K
by Marianna Schmudlach / January 6, 2010 11:20 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

More details are available in the Family description of Win32/Skintrim


https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Skintrim.K&ThreatID=-2147336632

TrojanDropper:Win32/VB.FH
by Marianna Schmudlach / January 6, 2010 11:21 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is classified as a Trojan - Dropper. As its name suggests, a dropper trojan contains malicious or potentially unwanted software which it "drops" and installs on the affected system. Commonly, the dropper installs a backdoor which allows remote, surreptitious access to infected systems. This backdoor may then be used by remote attackers to upload and install further malicious or potentially unwanted software on the system. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/VB.FH&ThreatID=-2147336626

TrojanDropper:Win32/VB.FI
by Marianna Schmudlach / January 6, 2010 11:22 PM PST

Encyclopedia entry
Published: Jan 07, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Definition: 1.71.1864.0
Released: Jan 07, 2010


Summary
This threat is classified as a Trojan - Dropper. As its name suggests, a dropper trojan contains malicious or potentially unwanted software which it "drops" and installs on the affected system. Commonly, the dropper installs a backdoor which allows remote, surreptitious access to infected systems. This backdoor may then be used by remote attackers to upload and install further malicious or potentially unwanted software on the system. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper:Win32/VB.FI&ThreatID=-2147336622
