VIRUS \ Spyware ALERTS - July 10, 2008

W32/Tilebot-GM

Category Viruses and Spyware

Type Virus


W32/Tilebot-GM is a worm and IRC backdoor Trojan for the Windows platform.

W32/Tilebot-GM spreads to other network computers by exploiting common buffer overflow vulnerabilities.

W32/Tilebot-GM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-GM includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/Tilebot-GM moves itself to <Windows>\lsass.exe and creates the file <System>\rdriv.sys.

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32tilebotgm.html?_log_from=rss

Troj/DNSCha-B

Category Viruses and Spyware

Type Trojan

Troj/DNSCha-B includes functionality to modify the DNS setting, access the internet and communicate with a remote server via HTTP.

When first run, Troj/DNSCha-B copies itself to <System>\Mischief<random filename>.exe.

The following registry entries are created to run Troj/DNSCha-B on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System

Troj/DNSCha-B contains rootkit functionality.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdnschab.html?_log_from=rss

Mal/EncPk-EG

Troj/FakeVir-DD

Troj/FakeAV-AE

Troj/DocDrop-E

Aliases Downloader-BCG trojan

Category Viruses and Spyware

Type Trojan

Troj/DocDrop-E is spammed out as notice_<random number>.doc. The document file contains an embedded file called notice.pdf. The file notice.pdf is not a PDF document, but an executable file - detected as Troj/DocDrop-E.

Clicking on the embedded file notice.pdf generates a message box with the title "Adobe Acrobat Reader (tm)" and the message:

"Adobe Reader could not open the document because it is either not a supported file type or because the file has been corrupted (for example, it was sent as an email attachment and wasn't correctly decoded)."

This message box is generated by the embedded executable called notice.pdf and not by Adobe Reader.

Troj/DocDrop-E also drops the file:

<Local Settings>\Temp\msie.dat - detected as Troj/DocDrop-E

The file msie.dat attempts to download a file called q.exe, detected as Troj/DwnLdr-HCM.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdocdrope.html?_log_from=rss
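The Troj/DocDrop-E post above describes an executable that is named notice.pdf and embedded in a Word document. A mail gateway or endpoint check can catch that kind of disguise before anyone double-clicks it by comparing a file's extension with its real magic bytes. The following Python is an added example, not code from the forum post or from Sophos; the extension-to-magic allowlist, the helper names and the sample bytes are all constructed for the demonstration (the "PE" sample is a bare header, not a runnable program).

```python
"""Flag attachments whose extension does not match their actual content.

Added example, not from the forum post or from Sophos. The allowlist below
is illustrative (an assumption to be extended per environment) and the
sample bytes are constructed, not real malware.
"""
import struct

# Assumed baseline: magic bytes a file with this extension should start with.
EXPECTED_MAGIC = {
    ".pdf": [b"%PDF-"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE2 compound file
    ".docx": [b"PK\x03\x04"],                         # ZIP container
}

# Extensions where a PE image is expected, so a PE header is not suspicious.
NATIVE_EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr"}


def is_pe_executable(data: bytes) -> bool:
    """True if the data carries a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of:
       'executable-disguised' : PE image under a non-executable extension
       'mismatch'             : known document extension, wrong magic bytes
       'unknown-extension'    : extension not in the allowlist
       'ok'                   : extension and magic bytes agree
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if is_pe_executable(data) and ext not in NATIVE_EXECUTABLE_EXTS:
        return "executable-disguised"
    magics = EXPECTED_MAGIC.get(ext)
    if magics is None:
        return "unknown-extension"
    return "ok" if any(data.startswith(m) for m in magics) else "mismatch"


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped header for the demo: 'MZ', an e_lfanew
    of 0x40, and a 'PE\\0\\0' signature at that offset. Not a program."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Constructed samples mirroring the post: a PE wearing a .pdf name,
    # a genuine-looking PDF, and a .doc whose content is not OLE2.
    samples = {
        "notice.pdf": build_fake_pe(),
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "notes.doc": b"plain text, not an OLE2 container",
    }
    for name, blob in samples.items():
        print(f"{name}: {classify_attachment(name, blob)}")
```

The PE check follows the DOS header into the NT signature rather than stopping at "MZ", so a text file that happens to begin with those two letters is not reported as an executable. Files with an unlisted extension are reported separately so the allowlist can be grown deliberately rather than silently passing everything unknown.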

Troj/Agent-HFE

Troj/Zlob-AME

Troj/Zlob-AMD

Troj/Dwnldr-HFD

Troj/Dwnldr-HDY

Troj/Bckdr-QOF

Troj/Agent-HFG

Troj/Agent-HFF

VAnti.gen.a!sys

Type Trojan

SubType Generic

This is a generic detection that covers new encrypted variants of the VAnti rootkit.

Characteristics -

Vanti.sys is the rootkit component responsible for hiding the presence of the trojan on an infected system. It hooks into the System Service Descriptor Table (SSDT) and alters the addresses corresponding to the NTXXX functions implemented in Ntoskrnl.exe.

For more details about the characteristics of the VAnti rootkit, please refer to:

http://vil.nai.com/vil/content/v_140381.htm

http://vil.mcafeesecurity.com/vil/content/v_146696.htm

JS/Tenia.e

Type Trojan

SubType Script

Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

http://vil.mcafeesecurity.com/vil/content/v_146380.htm

Adware-BrowsingHancer

Type Program

SubType Adware

McAfee AVERT recognizes that this may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

http://vil.mcafeesecurity.com/vil/content/v_144520.htm

Troj/Agent-HFI

Troj/Agent-HFH

Troj/Zbot-AA

Category Viruses and Spyware

Type Trojan

Troj/Zbot-AA is a Trojan for the Windows platform.

Troj/Zbot-AA includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Zbot-AA is installed it creates the following files:

<System>\ntos.exe
<System>\wsnpoem\video.dll
<System>\wsnpoem\audio.dll
<System>\config\systemprofile\Application Data\wsnpoem\audio.dll

ntos.exe is also detected as Troj/Zbot-AA; the other files are data and can be deleted.

The following registry entry is changed to run ntos.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\ntos.exe,

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzbotaa.html?_log_from=rss

Troj/Psyme-FM

Troj/Dloadr-BNV

Troj/Banld-D

Troj/Agent-HFM

Troj/Agent-HFL

Troj/Agent-HFK

Troj/Agent-HFJ

Aliases Backdoor.Win32.Agent.lzi

Category Viruses and Spyware

Type Trojan

Troj/Agent-HFJ is a Trojan for the Windows platform.

When Troj/Agent-HFJ is installed the following files are created:

<Root>\aa.bat
<System>\systemt.dll

The file systemt.dll is registered as a COM object and shell extension, creating registry entries under:

HKCR\CLSID\{3FDEB171-8F86-9558-0001-69B8DB553683}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3FDEB171-8F86-9558-0001-69B8DB553683}

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthfj.html?_log_from=rss
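Three of the posts in this thread persist through the same small set of registry locations: Troj/DNSCha-B sets the Winlogon "System" value, Troj/Zbot-AA appends ntos.exe to the Winlogon "Userinit" value, and Troj/Agent-HFJ registers a ShellExecuteHooks CLSID. These are cheap to audit against a known-good baseline. The Python below is an added example, not code from the forum posts or from Sophos: it works on a registry snapshot represented as a plain dictionary so it runs offline, the baseline sets are assumptions to be adjusted per environment, and the sample snapshot (including the placeholder path under Winlogon\System, which the DNSCha-B post does not give) is constructed to mirror the indicators the posts describe.

```python
"""Audit Winlogon and ShellExecuteHooks persistence points against a baseline.

Added example, not from the forum posts or from Sophos. The snapshot format
(key path -> {value name: data}) is an assumption; on a live system the same
values would be read with winreg or exported with reg.exe and parsed first.
"""
from typing import Dict, List

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHELL_HOOKS = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"

# Assumed baseline: the only program a clean Userinit value should launch.
EXPECTED_USERINIT = {"userinit.exe"}
# Assumed baseline: ShellExecuteHooks CLSIDs verified as legitimate software.
# Empty here; a real deployment lists the CLSIDs of approved shell extensions.
KNOWN_GOOD_HOOKS: set = set()


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of either slash."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def audit_userinit(value: str) -> List[str]:
    """Return Userinit entries other than the default userinit.exe.
    The value is comma separated and a trailing comma is normal."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if _basename(e) not in EXPECTED_USERINIT]


def audit_winlogon_system(value: str) -> List[str]:
    """Winlogon\\System is empty on a clean system; any data set here is reported."""
    return [value] if value.strip() else []


def audit_shell_hooks(clsids: Dict[str, str]) -> List[str]:
    """Return ShellExecuteHooks CLSIDs that are not on the known-good list."""
    good = {c.upper() for c in KNOWN_GOOD_HOOKS}
    return [c for c in clsids if c.upper() not in good]


def audit_snapshot(snapshot: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run all three checks over a snapshot and return only the findings."""
    findings: Dict[str, List[str]] = {}
    winlogon = snapshot.get(WINLOGON, {})
    hits = audit_userinit(winlogon.get("Userinit", ""))
    if hits:
        findings["Winlogon\\Userinit"] = hits
    hits = audit_winlogon_system(winlogon.get("System", ""))
    if hits:
        findings["Winlogon\\System"] = hits
    hits = audit_shell_hooks(snapshot.get(SHELL_HOOKS, {}))
    if hits:
        findings["ShellExecuteHooks"] = hits
    return findings


# Constructed snapshot (not real data) shaped like the posts' indicators.
# The Winlogon\System path is a labelled placeholder, not a value from the post.
SAMPLE_SNAPSHOT: Dict[str, Dict[str, str]] = {
    WINLOGON: {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,",
        "System": r"C:\<placeholder>\dnscha.exe",
    },
    SHELL_HOOKS: {"{3FDEB171-8F86-9558-0001-69B8DB553683}": ""},
}

if __name__ == "__main__":
    for location, hits in audit_snapshot(SAMPLE_SNAPSHOT).items():
        for hit in hits:
            print(f"{location}: {hit}")
```

Userinit is compared by base name rather than by full string because the system directory differs between installs; the point is that only userinit.exe belongs there, whatever the drive letter. ShellExecuteHooks is treated as deny-by-default since legitimate entries are rare and easy to enumerate for a given build.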

Generic Rootkit.d

Type Trojan

SubType Win32

Overview -
Rootkits are programs (device drivers) that can potentially be used with any malware to hide, or stealth, files, processes, registry keys, and network connections. Generic RootKit.d is one of the generic detections for this class of malicious programs.

Characteristics -

This detection, Generic RootKit.d, is for several specific trojan variants. So this description is meant as a general guide.

Rootkits are programs (device drivers) that can potentially be used with any malware to hide, or stealth, files, processes, registry keys, and network connections. Additionally, they make it harder to detect or remove the malware. This is one of the generic detections for this class of malicious programs.

As new trojans are frequently added to this detection, users are recommended to use the latest engine/DAT combination for optimal detection.

Exact details (filenames, Registry keys, file size) will vary between variants.

One of the most common techniques used by such programs is hooking into the kernel's System Service Descriptor Table (SSDT) and altering the addresses corresponding to the NTXXX functions implemented in Ntoskrnl.exe.

Once the rootkit is loaded, it hides files and processes as specified by the author.

http://vil.mcafeesecurity.com/vil/content/v_140936.htm
