Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - July 1, 2008

by Marianna Schmudlach / June 30, 2008 3:15 PM PDT

W32/Rbot-GWZ

Category Viruses and Spyware

Type Worm

W32/Rbot-GWZ is a network worm with backdoor Trojan functionality for the Windows platform.

The worm copies itself to <System>\NPFMONTR.exe and creates the following registry entries:

HKCU\Software\Microsoft\OLE
NPFValue
<System>\NPFMONTR.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NPFValue
<System>\NPFMONTR.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
NPFValue
<System>\NPFMONTR.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgwz.html?_log_from=rss

Troj/Zlob-ALS
by Marianna Schmudlach / June 30, 2008 3:16 PM PDT

W32/Munfor-C
by Marianna Schmudlach / July 1, 2008 12:06 AM PDT

W32/Autorun-FW
by Marianna Schmudlach / July 1, 2008 12:07 AM PDT

VBS/Rieve-A
by Marianna Schmudlach / July 1, 2008 12:08 AM PDT

Troj/Wilco-A
by Marianna Schmudlach / July 1, 2008 12:09 AM PDT

Troj/FakeVir-CL
by Marianna Schmudlach / July 1, 2008 12:10 AM PDT

Troj/FakeVir-CK
by Marianna Schmudlach / July 1, 2008 12:11 AM PDT

Troj/DwnLdr-HEU
by Marianna Schmudlach / July 1, 2008 12:12 AM PDT

Troj/Dloadr-BNJ
by Marianna Schmudlach / July 1, 2008 12:13 AM PDT

Troj/Banloa-FM
by Marianna Schmudlach / July 1, 2008 12:14 AM PDT

W32/Dorf-BO
by Marianna Schmudlach / July 1, 2008 1:09 AM PDT

VBS/Solow-Gen
by Marianna Schmudlach / July 1, 2008 1:10 AM PDT

Category Viruses and Spyware

Type Worm

VBS/Solow-Gen is a worm for the Windows platform.

VBS/Solow-Gen attempts to spread through removable storage devices.

The worm may attempt to set a registry entry to run at startup.

VBS/Solow-Gen may enumerate available devices repeatedly in an attempt to copy itself and may create the file autorun.inf that contains instructions to run the copy of the worm automatically when an infected drive is accessed.

http://www.sophos.com/security/analyses/viruses-and-spyware/vbssolowgen.html?_log_from=rss

Troj/PDFex-H
by Marianna Schmudlach / July 1, 2008 1:11 AM PDT

Troj/Agent-HDY
by Marianna Schmudlach / July 1, 2008 1:12 AM PDT

WORM_GAEL.B
by Marianna Schmudlach / July 1, 2008 1:14 AM PDT

Malware type: Worm

Malware Overview

This memory-resident worm arrives via removable drives.

When executed, it drops a copy of itself in the Windows system folder. The dropped copy uses the same file name as the originally executed worm.

It also uses the icon of the normal Windows folder to trick users into thinking that it is a legitimate folder.

This worm adds a registry entry to enable its automatic execution at every system startup.

It propagates by dropping copies of itself in all removable and physical drives using the file name of its originally executed copy. It also drops an AUTORUN.INF file to automatically execute its dropped copies when the said drives are accessed.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGAEL%2EB

WebHelper Startpage
by Marianna Schmudlach / July 1, 2008 1:15 AM PDT

Category Adware or PUA

Type Adware

WebHelper Startpage is an Adware application for the Windows platform.

WebHelper Startpage copies itself to <System>\stw.exe and sets the following registry entry to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
STW
<System>\stw.exe

WebHelper Startpage drops the file <System>\search.html, and sets the following registry entry to make it the default start page on some internet browsers:

HKCU\Software\Microsoft\Internet Explorer\Main
Start Page
<System>\search.html

WebHelper Startpage may modify values at the following registry location:

More: http://www.sophos.com/security/analyses/adware-and-puas/webhelperstartpa_EqeMfKNc.html

New Nuwar Spam Brings Best AntiSpyware Solution
by Marianna Schmudlach / July 1, 2008 1:17 AM PDT

July 1, 2008

Here is a new Nuwar style. Nuwar is sending spam as usual, but this time with slightly different content. As can be seen here, it is claiming to link to a free video starring Liv Tyler (see highlighted text).

The said "security errors" suggest that the PC has been infected by spyware. If the user succumbs to the ploy and clicks on OK, he/she is prompted to download INSTALL_EN.EXE, which is detected by Trend Micro as WORM_NUWAR.AL.

WORM_NUWAR.AL then drops other malicious files that Trend Micro detects as WORM_NUWAR.AE and WORM_NUWAR.AN. Unlike the modus operandi of cyber criminals using typical rogue anti-spyware, this attack takes a somewhat different route: the downloaded file is not a fake anti-spyware program; instead, it is malware itself.

More: http://blog.trendmicro.com/

Critical Microsoft update via Amazon EC2?
by Marianna Schmudlach / July 1, 2008 1:22 AM PDT

1 July 2008

This past weekend a fairly typical malware campaign started to arrive on our global network of spam traps, using the common technique of disguising itself as an "Important Windows Update". Its characteristics are mostly what you would expect from spammed-out malware:

Varying subject lines:

Varying, forged "From" addresses:

Advises the reader to "Update" via a link in the email:

More: http://www.sophos.com/security/blog/2008/07/1528.html

Paq Keylogger
by Marianna Schmudlach / July 1, 2008 3:57 AM PDT

Troj/Zlob-ALT
by Marianna Schmudlach / July 1, 2008 7:31 AM PDT

Aliases Win32/TrojanDownloader.Zlob.CCH

Category Viruses and Spyware

Type Trojan

Troj/Zlob-ALT is a Trojan for the Windows platform.

Troj/Zlob-ALT includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Zlob-ALT is installed it creates the file <Temp>\awer0.bat.

Registry entries are created under:

HKCU\Software\Web Technologies
HKCR\multimediaControls.chl\CLSID

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzlobalt.html?_log_from=rss

Troj/FakeVir-CM
by Marianna Schmudlach / July 1, 2008 7:32 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeVir-CM is a Trojan for the Windows platform.

Troj/FakeVir-CM includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/FakeVir-CM is installed it creates the file <System>\univrs32.dat. This file is detected as Troj/Agent-GPD.

Troj/FakeVir-CM changes settings for Microsoft Internet Explorer, including search settings, by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevircm.html?_log_from=rss

Troj/Bdoor-AMI
by Marianna Schmudlach / July 1, 2008 7:34 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Bdoor-AMI is a Trojan for the Windows platform.

When first run, Troj/Bdoor-AMI copies itself to <System>\wupdmng.exe.

Troj/Bdoor-AMI attempts to connect to an external site, and also acts as a backdoor server, allowing others to connect to the infected computer.

The following registry entry is created to start Troj/Bdoor-AMI when Windows boots:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WindowsUpdateManager
<System>\wupdmng.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbdoorami.html?_log_from=rss

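An added example, not part of this thread or of the Sophos write-ups, showing how a defender could check a Windows registry export for the autostart entries named in the W32/Rbot-GWZ, WebHelper Startpage and Troj/Bdoor-AMI posts above: it parses a .reg export and flags Run, RunServices and OLE values whose data points at NPFMONTR.exe, stw.exe or wupdmng.exe. The sample export is constructed for illustration; only the value names, files and key paths come from the posts.

```python
# Autostart values from the Sophos write-ups quoted in this thread (name -> dropped file).
KNOWN_AUTOSTART = {
    "NPFValue": "NPFMONTR.exe",             # W32/Rbot-GWZ
    "STW": "stw.exe",                       # WebHelper Startpage
    "WindowsUpdateManager": "wupdmng.exe",  # Troj/Bdoor-AMI
}
AUTOSTART_KEYS = (  # key suffixes the samples use for persistence, under HKLM or HKCU
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\OLE",
)

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}, keeping REG_SZ values only."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg exports double every backslash inside string data; undo that
                entries[current][name.strip('"')] = data[1:-1].replace("\\\\", "\\")
    return entries

def find_autostart_indicators(text):
    """Return (key, value_name, data) triples that match the indicators above."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not any(key.lower().endswith(k.lower()) for k in AUTOSTART_KEYS):
            continue
        for name, data in values.items():
            exe = KNOWN_AUTOSTART.get(name)
            if exe and data.lower().endswith("\\" + exe.lower()):
                hits.append((key, name, data))
    return hits

# Constructed sample export for illustration (not a real capture); ctfmon is a benign control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NPFValue"="C:\\WINDOWS\\system32\\NPFMONTR.exe"
"WindowsUpdateManager"="C:\\WINDOWS\\system32\\wupdmng.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"NPFValue"="C:\\WINDOWS\\system32\\NPFMONTR.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"STW"="C:\\WINDOWS\\system32\\stw.exe"
"""
```

Running find_autostart_indicators(SAMPLE_REG) flags the four listed entries and leaves the benign ctfmon value alone.
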
Troj/Agent-HEA
by Marianna Schmudlach / July 1, 2008 7:36 AM PDT

Mal/Behav-265
by Marianna Schmudlach / July 1, 2008 7:37 AM PDT

Mal/Behav-264
by Marianna Schmudlach / July 1, 2008 7:38 AM PDT

Mal/Behav-262
by Marianna Schmudlach / July 1, 2008 7:39 AM PDT