
VIRUS \ Spyware ALERTS - January 9, 2009

Jan 8, 2009 11:03AM PST

Troj/PWS-AXT
Jan 9, 2009 1:59AM PST

Troj/Mdrop-BXQ
Jan 9, 2009 2:00AM PST

Troj/Mdrop-BXP
Jan 9, 2009 2:01AM PST

Aliases: TROJ_DROPPER.GAJ

Category: Viruses and Spyware

Type: Trojan

Troj/Mdrop-BXP is a Trojan for the Windows platform.

When Troj/Mdrop-BXP is installed it creates the following files:
<System>\dllcache\explorer.exe
<System>\qwinsta.dll

The file explorer.exe is detected as Troj/Mdrop-BXP

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = 0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = ffffff9d

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmdropbxp.html?_log_from=rss
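The two Winlogon values in the post are the switches for Windows File Protection: SFCDisable=ffffff9d turns WFP off on Windows 2000 SP1+/XP, which is what lets the dropper leave its own explorer.exe in the WFP cache directory (dllcache) without Windows restoring the original. The script below is an added example for triaging a host, not part of the Sophos write-up: it parses a `reg export` of the Winlogon key and reports WFP-weakening values. The meaning table for other SFCDisable values is assumed from the documented Windows 2000/XP settings, and the sample export is constructed to carry the values the post lists.

```python
r"""Parse a .reg export of the Winlogon key and flag Windows File Protection tampering.

Added example, not part of the Sophos write-up. Input is the text produced by
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
The sample below is constructed (not captured from an infected host) and only
carries the two values the post lists.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Meanings of SFCDisable as documented for Windows 2000/XP (assumed table; the
# post itself only reports ffffff9d, the value that switches WFP off entirely).
SFC_DISABLE_MEANING = {
    0x00000000: "WFP enabled (default)",
    0x00000001: "WFP disabled, prompt to re-enable at next boot (kernel debugger)",
    0x00000002: "WFP disabled for the next boot only (kernel debugger)",
    0x00000004: "WFP enabled, pop-ups suppressed",
    0xFFFFFF9D: "WFP completely disabled",
}

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})\s*$')


def parse_reg_dwords(reg_text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export.

    Strings and binary values are skipped; both WFP switches are DWORDs.
    """
    out, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        sec = _SECTION.match(line)
        if sec:
            current = sec.group(1)
            out.setdefault(current, {})
            continue
        val = _DWORD.match(line)
        if val and current is not None:
            out[current][val.group(1)] = int(val.group(2), 16)
    return out


def wfp_findings(reg_text):
    """Return [(value_name, value, explanation)] for settings that weaken WFP."""
    values = parse_reg_dwords(reg_text).get(WINLOGON, {})
    findings = []
    sfc_disable = values.get("SFCDisable", 0)
    if sfc_disable != 0:
        meaning = SFC_DISABLE_MEANING.get(sfc_disable, "undocumented non-zero value")
        findings.append(("SFCDisable", sfc_disable, meaning))
    # SFCScan=0 (no boot-time scan of protected files) is the default on its own;
    # it only matters next to a disabled WFP, which is the pair the post lists.
    if values.get("SFCScan") == 0 and sfc_disable != 0:
        findings.append(("SFCScan", 0, "no boot-time scan while WFP is disabled"))
    return findings


# Constructed sample export; values as reported for Troj/Mdrop-BXP.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"SFCScan"=dword:00000000
"SFCDisable"=dword:ffffff9d
"""

if __name__ == "__main__":
    for name, value, why in wfp_findings(SAMPLE_REG):
        print("%s = 0x%08x: %s" % (name, value, why))
```

`reg export` writes UTF-16LE with a BOM, so read a real export with `open(path, encoding="utf-16")` before passing it to `wfp_findings`. A non-zero SFCDisable on a host that was never debugged is a strong indicator on its own; pair it with a hash comparison of `dllcache\explorer.exe` against the copy in the Windows directory.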

Troj/Bank-B
Jan 9, 2009 2:02AM PST

Troj/Agent-IOO
Jan 9, 2009 2:03AM PST

Virus Alerts, by Panda Security (http://www.pandasecurity.co
Jan 9, 2009 2:12AM PST

This week's PandaLabs report provides information about the
PasswordStealer.BJ Trojan, the Expressantivirus2009 rogue antivirus and
the Conficker.C worm.

When run on computers, PasswordStealer.BJ displays a Christmas card
(image here: http://www.flickr.com/photos/panda_security/3179325467/).
This is a trick to fool users, as it simultaneously carries out
malicious actions on the computer to steal confidential data such as
passwords.

Expressantivirus2009 is adware, specifically a rogue antivirus. The
first action it takes once installed on the computer is to restart it.
It then passes itself off as an antivirus, pretending to carry out a
system scan and detecting several (non-existent) viruses. The aim is to
get users to buy the rogue antivirus: either for life ($79.99) or for a
year ($59.99). You can see an image of the online store here:
http://www.flickr.com/photos/panda_security/3179348349/

The rogue antivirus prevents users from closing the application and
stopping the scan
(http://www.flickr.com/photos/panda_security/3180184034/). This adware
tries to get the computer to malfunction to get users to buy the rogue
antivirus.

The Conficker.C worm on the other hand, uses several means to spread,
for example, by exploiting the recent Microsoft Windows MS08-067
vulnerability. To do so, it sends a specially-crafted RPC request with a
shellcode, which enables code to run and therefore download the worm
onto the computer.

This worm also copies itself onto shared and removable drives (i.e.
pendrives).

This worm is also designed to download more malware onto the computers
it infects.

For more information about these and other malware threats, go to:
http://www.pandasecurity.com/homeusers/security-info/latest-threats/?sitepanda=particulares

TROJ_INJECT.ZZ
Jan 9, 2009 6:02AM PST

Malware type: Trojan

Malware Overview

This Trojan may be downloaded from remote Web sites by the following malware:

TROJ_DLOADR.QK

Upon execution, it drops files detected by Trend Micro as TROJ_ROOTKIT.FX and TROJ_INJECT.ZZ.

It creates a registry entry to enable its automatic execution at every system startup. It also modifies registry entries.

It logs keystrokes and gathers the data entered by the user in the submission forms of Internet Explorer. It also deletes browser cookies to force users to re-enter sensitive account related information.

It also launches a carnivore sniffer to retrieve passwords from network packets. It searches for certain strings. It uploads the gathered information to several Web sites.

It creates a mutex to make sure that only one instance of the malware is running.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FINJECT%2EZZ

Trojan.TDss.AT
Jan 9, 2009 6:07AM PST

(DNSChanger.f.gen.a)

SYMPTOMS:

- the presence of the file c:\resycled\boot.com and an autorun.inf pointing to boot.com
- system running slowly

TECHNICAL DESCRIPTION:

When run, this malware will first drop the following files in the %TEMP% folder: tmp1.tmp and tmp2.tmp.

The first file will be injected into spoolsv.exe under the name dll.dll and is the main component of the malware. It communicates with the following site via HTTP: http://94.247.2.104. It is also able to change the DNS settings of the computer in order to steal the user's sensitive information. The changed DNS addresses will be 85.255.115.237 and 85.255.112.201. It will also create the following registry keys:

HKCR\msqpdxvx\
msqpdxaff @= 0xBFF
msqpdxid @= rfy... (the first DNS address, encrypted)
msqpdxinfo @= 3qxvy ... (the second DNS address, encrypted)
msqpdxpff @= 0x1F03
msqpdxrun @= 0x47 (the key used to decrypt the DNS addresses)
msqpdxsw @= 0x6802f719

The second file is a modified version of advapi32.dll which will be copied over the original version. It will be used to load the dll.dll file at every system startup (it is detected as Trojan.Patched.CK).

In order to spread itself on every removable drive, it makes a copy of itself in c:\resycled\boot.com and creates an autorun.inf file pointing to this copy of the worm.

http://www.bitdefender.com/VIRUS-1000464-en--Trojan.TDss.AT.html

Trojan.Downloader.JS.MF
Jan 9, 2009 6:08AM PST

(Trojan-Downloader.JS.Agent.der, Exploit.SinaDL, Mal/ExpSinaDl-A, HTML:Iframe-inf, HTML/Malicious.ActiveX.Gen)

SYMPTOMS:

Slow internet connection, high processor usage or any other malware-related behaviors.

TECHNICAL DESCRIPTION:

Trojan.Downloader.JS.MF is a small JavaScript which exploits a vulnerability in the Sina DLoader Class (an ActiveX Control) in order to download and execute arbitrary malicious files on a user's computer.

http://www.bitdefender.com/VIRUS-1000463-en--Trojan.Downloader.JS.MF.html

New Variants of W32.Downadup.B Find New Ways to Propagate
Jan 9, 2009 6:10AM PST

01-09-2009

Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability as soon as possible.

A new variant of this threat, called W32.Downadup.B, appeared on December 30th and can not only propagate by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but can also spread through corporate networks by infecting USB sticks and accessing weak passwords. These propagation methods are nothing new; W32.Spybot, W32.Randex, and W32.Mytob variants all use almost identical methods to spread, but this variant requires more effort to protect corporate networks.

More: https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225
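Both the Trojan.TDss.AT post (c:\resycled\boot.com plus an autorun.inf pointing at it) and the W32.Downadup.B post (spread via infected USB sticks) come down to the same artifact on removable media: an autorun.inf whose launch directives run a file from the volume. The parser below is an added example, not code from BitDefender or Symantec; it extracts every launch directive from an autorun.inf and flags targets that are executables, live in a subdirectory, or sit in a folder imitating the Recycle Bin. The two sample files are constructed, with the resycled\boot.com path mirroring the TDss.AT post.

```python
"""Triage autorun.inf files found on removable or shared drives.

Added example, not part of the BitDefender or Symantec write-ups. The sample
files below are constructed, not captured from real media.
"""
import re
from pathlib import PureWindowsPath

# Directives that make Windows run something: 'open' (AutoRun) and
# 'shellexecute' / 'shell\<verb>\command' (Explorer double-click and context menu).
LAUNCH_KEYS = ("open", "shellexecute")
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

_SECTION = re.compile(r"^\[(.+?)\]\s*$")
_KV = re.compile(r"^([^=;]+?)\s*=\s*(.*)$")

EXEC_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


def parse_autorun(text):
    """Return [(directive, value)] from the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser because autorun.inf is case-insensitive,
    may repeat keys, and uses backslashes inside key names (shell\\open\\command).
    """
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        sec = _SECTION.match(line)
        if sec:
            in_autorun = sec.group(1).strip().lower() == "autorun"
            continue
        kv = _KV.match(line)
        if kv and in_autorun:
            entries.append((kv.group(1).strip().lower(), kv.group(2).strip()))
    return entries


def _first_token(command):
    """Executable part of a command line: a quoted path or the first bare token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autorun_findings(text):
    """Return [(directive, target, reason)] for launch directives worth a look."""
    findings = []
    for key, value in parse_autorun(text):
        if key not in LAUNCH_KEYS and not _SHELL_CMD.match(key):
            continue
        target = _first_token(value)
        path = PureWindowsPath(target)
        reasons = []
        if path.suffix.lower() in EXEC_SUFFIXES:
            reasons.append("launches an executable from the volume")
        if len(path.parts) > 1:
            reasons.append("target lives in a subdirectory (%s)" % path.parent)
        lowered = str(path).lower()
        # RECYCLER / RECYCLED are the real bin folders; 'resycled' is the post's look-alike.
        if "recycle" in lowered or "resycled" in lowered:
            reasons.append("path imitates the Recycle Bin")
        if reasons:
            findings.append((key, target, "; ".join(reasons)))
    return findings


# Constructed samples (not captured files).
TDSS_STYLE = """[autorun]
open=resycled\\boot.com
shell\\open\\command=resycled\\boot.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
BENIGN = """[AutoRun]
icon=setup.ico
label=Vendor Tools
"""

if __name__ == "__main__":
    for directive, target, why in autorun_findings(TDSS_STYLE):
        print("%s -> %s: %s" % (directive, target, why))
```

Run it over `<drive>:\autorun.inf` for every removable and mapped drive; a benign vendor file usually carries only icon and label entries, so any launch directive at all is worth reviewing, and the Recycle Bin look-alike is the pattern the TDss.AT post describes.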

Troj/VBInject-A
Jan 9, 2009 6:13AM PST

Troj/Mdrop-BXR
Jan 9, 2009 6:14AM PST

Troj/FakeAle-KX
Jan 9, 2009 6:15AM PST

Troj/Dloadr-CEM
Jan 9, 2009 6:16AM PST

Troj/Bifrose-VI
Jan 9, 2009 6:19AM PST

Aliases: Backdoor.Win32.Bifrose.aimu, Win32/TrojanDropper.VB.NGF, BKDR_RBOT.SD

Category: Viruses and Spyware

Type: Trojan

Troj/Bifrose-VI is a Trojan for the Windows platform.

Troj/Bifrose-VI copies itself to msddll.exe in the Windows system folder and registers itself as a service process with a start type of "Automatic".

If run with sufficient rights Troj/Bifrose-VI will install itself as an application authorised by Windows Firewall to communicate with the outside world.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbifrosevi.html?_log_from=rss

Troj/Agent-IOP
Jan 9, 2009 6:20AM PST

Category: Viruses and Spyware

Type: Trojan

Troj/Agent-IOP is a Trojan for the Windows platform.

Troj/Agent-IOP is registered as a new system driver service named "Wuausurv", with a display name of "Wuausurv" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Wuausurv


http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentiop.html?_log_from=rss
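"Wuausurv" is one letter away from wuauserv, the real Automatic Updates service, and like the Troj/Bifrose-VI service above it is registered with an automatic start type. The script below is an added example, not part of the Sophos write-ups: it takes a service inventory (the kind you get from `sc query` or Get-Service) and reports names within a couple of edits of a baseline of legitimate service names, plus auto-start services whose display name just repeats the internal name. The baseline list is an assumed short one, and the inventory is constructed.

```python
"""Flag services that impersonate or look unlike legitimate Windows services.

Added example, not part of the Sophos write-ups. KNOWN_SERVICES is an assumed
short baseline; a real one comes from a known-clean host of the same build.
The inventory below is constructed, not exported from a real machine.
"""

KNOWN_SERVICES = {
    "wuauserv": "Automatic Updates",
    "spooler": "Print Spooler",
    "lanmanserver": "Server",
    "lanmanworkstation": "Workstation",
    "browser": "Computer Browser",
    "eventlog": "Event Log",
    "netlogon": "Net Logon",
}


def levenshtein(a, b):
    """Edit distance; O(len(a)*len(b)) is fine for service-name lengths."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_services(inventory, known=KNOWN_SERVICES, max_distance=2):
    """Return [(service_name, impersonated_name, distance)] for near-miss names.

    inventory: iterable of (name, display_name, start_type). Exact matches are
    legitimate by construction; names within max_distance edits of a baseline
    name are reported. Comparison is case-insensitive, as the SCM treats names.
    """
    findings = []
    for name, _display, _start in inventory:
        lname = name.lower()
        if lname in known:
            continue
        best = min(known, key=lambda k: levenshtein(lname, k))
        dist = levenshtein(lname, best)
        if dist <= max_distance and len(lname) >= 6:  # skip noisy very short names
            findings.append((name, best, dist))
    return findings


def odd_autostart_services(inventory, known=KNOWN_SERVICES):
    """Heuristic: auto-start services, absent from the baseline, whose display
    name merely repeats the internal name (the post's "Wuausurv"/"Wuausurv").
    Legitimate services almost always carry a descriptive display name.
    Returns [(name, start_type)].
    """
    return [(name, start) for name, display, start in inventory
            if start.upper() == "AUTO_START"
            and display.lower() == name.lower()
            and name.lower() not in known]


# Constructed inventory in `sc qc` vocabulary (START_TYPE AUTO_START etc.).
SAMPLE_INVENTORY = [
    ("wuauserv", "Automatic Updates", "AUTO_START"),
    ("Wuausurv", "Wuausurv", "AUTO_START"),
    ("Spooler", "Print Spooler", "AUTO_START"),
    ("msddll", "msddll", "AUTO_START"),
    ("lanmanserver", "Server", "AUTO_START"),
]

if __name__ == "__main__":
    for name, legit, dist in lookalike_services(SAMPLE_INVENTORY):
        print("%s looks like %s (edit distance %d)" % (name, legit, dist))
    for name, start in odd_autostart_services(SAMPLE_INVENTORY):
        print("%s: %s service with no descriptive display name" % (name, start))
```

The edit-distance check is the precise one; the display-name heuristic is noisier and is only a prompt to look at the service's image path and the binary behind it.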

Mal/Renos-F
Jan 9, 2009 6:21AM PST

Mal/OnlineG-C
Jan 9, 2009 6:22AM PST

Mal/FearDoor-A
Jan 9, 2009 6:23AM PST

Mal/Behav-148
Jan 9, 2009 6:24AM PST

ZenoSearch
Jan 9, 2009 6:25AM PST

FakeInstaller
Jan 9, 2009 6:26AM PST

Exploit-MSWord.j
Jan 9, 2009 7:06AM PST

Mal/Banker-F
Jan 9, 2009 7:08AM PST

Troj/Agent-IOQ
Jan 9, 2009 8:24AM PST

Mysidesearch Search Enhancer
Jan 9, 2009 8:25AM PST