Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - July 18, 2008

by Marianna Schmudlach / July 17, 2008 12:40 PM PDT
Troj/Dloadr-BOH
by Marianna Schmudlach / July 17, 2008 12:41 PM PDT
Generic PUP.x!EF111FD0
by Marianna Schmudlach / July 17, 2008 12:44 PM PDT

Type Program

Characteristics -

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

http://vil.mcafeesecurity.com/vil/content/v_147191.htm

Adware-180SA!9B88E0D6
by Marianna Schmudlach / July 17, 2008 12:45 PM PDT

Type Program

SubType Adware

Characteristics -

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Avert

Adware-180SA!664339BA
by Marianna Schmudlach / July 17, 2008 12:47 PM PDT

Type Program

SubType Adware

Characteristics -

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Avert

Adware-180SA!47EF87F1
by Marianna Schmudlach / July 17, 2008 12:48 PM PDT

Type Program

SubType Adware

Characteristics -

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Avert

Generic PUP.x!E2AC39D0
by Marianna Schmudlach / July 17, 2008 12:49 PM PDT

Type Program

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

http://vil.mcafeesecurity.com/vil/content/v_147171.htm

Generic PUP.x!75F26CEB
by Marianna Schmudlach / July 17, 2008 12:50 PM PDT

Type Program

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

http://vil.mcafeesecurity.com/vil/content/v_147169.htm

Troj/Dload-CN
by Marianna Schmudlach / July 18, 2008 12:42 AM PDT
Troj/Bancos-BEF
by Marianna Schmudlach / July 18, 2008 12:43 AM PDT
Troj/Agent-HGI
by Marianna Schmudlach / July 18, 2008 12:44 AM PDT
Troj/MalDoc-I
by Marianna Schmudlach / July 18, 2008 12:46 AM PDT
W32/AutoRun-GL
by Marianna Schmudlach / July 18, 2008 12:47 AM PDT
Troj/Small-ELV
by Marianna Schmudlach / July 18, 2008 12:48 AM PDT

Aliases Trojan-Downloader.Win32.Small.yeb

Category Viruses and Spyware

Type Trojan

Troj/Small-ELV is a Trojan for the Windows platform.

Troj/Small-ELV includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Small-ELV copies itself to <System>\drivers\uzcx.exe.

The following registry entry is created to run uzcx.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iut75
<System>\drivers\uzcx.exe

Registry entries are created under:

HKCU\Software\ewrew\uzcx\main

http://www.sophos.com/security/analyses/viruses-and-spyware/trojsmallelv.html?_log_from=rss

Troj/Agent-HGL
by Marianna Schmudlach / July 18, 2008 12:49 AM PDT
Troj/Agent-HGK
by Marianna Schmudlach / July 18, 2008 12:50 AM PDT
BackDoor-CKB!218F9A89
by Marianna Schmudlach / July 18, 2008 12:52 AM PDT

Type Trojan

SubType Remote Access

Overview -
This detection is for a BackDoor trojan that modifies system processes and opens BackDoor ports for remote access.

Aliases
Backdoor.Win32.PcClient.cbk (Kaspersky)
Win32/PcClient.CBK (Nod32)

http://vil.mcafeesecurity.com/vil/content/v_147295.htm

Trojan.Downloader.HTML.FM
by Marianna Schmudlach / July 18, 2008 12:53 AM PDT

SYMPTOMS:

At most you will notice increased network activity and possibly the effects of some Trojans downloaded by this HTML script.



TECHNICAL DESCRIPTION:

This is a small HTML file, possibly sent by spam email. It tricks users into downloading a file called fireworks.exe hidden behind a fake embedded video related to the 4th of July holiday.

Along with this video, the following phrase is used in the social engineering process: "Colorful Independence Day events have already started throughout the country. The largest firework happens on the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it."

It also contains an "iframe" HTML tag redirecting the current page to a php script called "ind.php".

http://www.bitdefender.com/VIRUS-1000344-en--Trojan.Downloader.HTML.FM.html

Trojan.PWS.Onlinegames.ZGE
by Marianna Schmudlach / July 18, 2008 12:55 AM PDT

SYMPTOMS:

Presence of the specified files and registry keys.


TECHNICAL DESCRIPTION:

The virus is initially an executable file which, when launched, does the following:
copies itself to %SYSTEM%\[virus_name].exe (e.g. ckvo.exe)
drops %SYSTEM%\[virus_name][N].exe (e.g. ckvo1.dll), which is used to monitor actions (keystrokes) inside game executables
drops %TEMP%\f.dll, which contains the code for the actions mentioned below
overwrites %SYSTEM%\drivers\vga.sys and loads this driver.
In order to be launched when partitions' root folders are accessed from Explorer, the malware creates
in these locations the files autorun.inf and ffocj.com, the latter being a copy of the malware.

http://www.bitdefender.com/VIRUS-1000345-en--Trojan.PWS.Onlinegames.ZGE.html
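
As an added example (not code from BitDefender or from the forum post above), the following Python check covers the autorun.inf half of that behaviour from the defender's side: it parses an autorun.inf as found in a drive's root folder and reports every directive that would launch a program when the folder is opened from Explorer. The sample file embedded in it is constructed; only the file name ffocj.com comes from the write-up, and the particular directives used (open, shellexecute, shell\<verb>\command) are an assumption about how such files are commonly written, not something the write-up states.

```python
"""Added example: flag the launch directives in an autorun.inf.

Not part of the BitDefender write-up; the sample below is constructed.
"""
import configparser
import sys

# Constructed sample. ffocj.com is the file name given in the write-up; the
# directive layout is assumed.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=ffocj.com
shellexecute=ffocj.com
shell\\Auto\\command=ffocj.com
shell=Auto
"""

# Directives that run a program directly when the folder is opened or the
# drive's context menu default verb is used.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    configparser already lower-cases option names. Interpolation is disabled
    because '%' is legal in Windows paths, and bare lines without '=' are
    tolerated so that a sloppy real-world file does not abort the check.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def program_of(command):
    """Program path from a command line: the quoted part if quoted, else the
    first whitespace-delimited token."""
    command = (command or "").strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(entries):
    """Yield (directive, program) for open=, shellexecute= and any
    shell\\<verb>\\command= entry."""
    for key, value in entries.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            yield key, program_of(value)


def assess_autorun(text):
    """Return a list of human-readable findings for an autorun.inf body."""
    findings = []
    for directive, prog in launch_targets(parse_autorun(text)):
        if prog.lower().endswith(EXEC_EXTENSIONS):
            findings.append(
                f"{directive} launches executable '{prog}' from the drive root")
    return findings


if __name__ == "__main__":
    # Pass a path to a real autorun.inf, or run without arguments for the sample.
    body = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUTORUN_INF
    for finding in assess_autorun(body):
        print(finding)
```

A legitimate installer CD's autorun.inf will also produce a finding, so the output is a list of things to look at rather than a verdict; what makes the entries in this write-up stand out is that they sit on every partition's root and point at a .com copy of the dropped file.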

Panda Security's weekly report on viruses and intruders
by Marianna Schmudlach / July 18, 2008 1:53 AM PDT

Virus Alerts, by Panda Security (http://www.pandasecurity.com)


This week's PandaLabs report provides information about the Sinowal.VPB
and Spammer.AIT Trojans and the Antivirus2008Pro adware.

Sinowal.VPB uses the Windows API to intercept network communications
carried out by users. It is also designed to monitor users' access to
online banks and capture the data entered (credit card numbers,
passwords, etc.). Additionally, Sinowal.VPB creates a copy of itself on
the system.

The Antivirus2008Pro adware tries to pass itself off as an antivirus to
fool users. To do so, once run it displays a screen informing users they
are infected. Soon after, it starts to scan the system and reports fake
infections (see photo here:
http://www.flickr.com/photos/9696103@N03/2678703471/).

In this case, hackers are after the money obtained by selling a
pay-version of a false antivirus (see photo here:
http://www.flickr.com/photos/9696103@N03/2679524216/)

The Spammer.AIT Trojan is designed to steal all email addresses stored
on the system and save them to a file. Then, it opens a port on the
computer and adds itself to the list of authorized applications in the
Windows Firewall so that cyber-crooks can access the stolen data.

The information stolen from the infected computers is then stored on a
web page. This Trojan's aim is to allow cyber-crooks to store a large
number of email addresses for spamming purposes.

W32/Sality-AM
by Marianna Schmudlach / July 18, 2008 2:14 AM PDT

Aliases Win32/Sality.gen
W32/Sality.dll
New Win32.s

Category Viruses and Spyware

Type Virus

W32/Sality-AM is a virus for the Windows platform.

The virus includes the functionality to download additional files from a remote location.

When first run, the virus may infect executables in the root folder, files on network shares, and files it may find based on the following registry locations:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

http://www.sophos.com/security/analyses/viruses-and-spyware/w32salityam.html?_log_from=rss

Troj/SpyAgent-M
by Marianna Schmudlach / July 18, 2008 2:16 AM PDT
Troj/Dialer-FN
by Marianna Schmudlach / July 18, 2008 2:17 AM PDT
Troj/Agent-HGO
by Marianna Schmudlach / July 18, 2008 2:23 AM PDT
Troj/Agent-HGN
by Marianna Schmudlach / July 18, 2008 2:24 AM PDT
Troj/Agent-HGM
by Marianna Schmudlach / July 18, 2008 2:25 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-HGM is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Agent-HGM includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Agent-HGM copies itself to <System>\drivers\svchost.exe.

The following registry entry is created to run Troj/Agent-HGM on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SVCHOST.EXE
<System>\drivers\svchost.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthgm.html?_log_from=rss
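
This write-up and the Troj/Small-ELV one earlier in the thread describe the same persistence step: an executable dropped under <System>\drivers and a Run value pointing at it. The Python script below is an added example, not code from Sophos or from the forum, that audits a .reg export of the HKLM and HKCU Run keys for exactly those two traits: a Run target located inside the drivers directory, and a Run target that borrows a system binary's name (svchost.exe) while living outside the system directory. The export embedded in it is constructed; the value names iut75 and SVCHOST.EXE and their paths follow the two write-ups, while the benign entries are invented filler.

```python
"""Added example: audit Run-key entries from a .reg export.

Not part of the Sophos write-ups; the export below is constructed.
"""
import ntpath
import re
import sys

# Constructed export. iut75 and SVCHOST.EXE follow the two advisories;
# SecurityHealth and OneDrive are invented benign filler.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"iut75"="C:\\WINDOWS\\system32\\drivers\\uzcx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST.EXE"="C:\\WINDOWS\\system32\\drivers\\svchost.exe"
"OneDrive"="\"C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)}
# Only REG_SZ values ("name"="data") are parsed; hex(...) values are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Names that belong in the system directory; elsewhere they are a lure.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64", r"\windows")


def unescape(s):
    """Undo .reg string escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))


def program_path(command):
    """Program path from a Run value: the quoted part if quoted, otherwise
    the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_run_keys(text):
    """Return (value_name, reason) pairs for suspicious Run entries."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        low = program_path(data).lower()
        directory, base = ntpath.split(low)
        if "\\drivers\\" in low and base.endswith(".exe"):
            findings.append((name, "executable run from the drivers directory"))
        if base in SYSTEM_NAMES and not any(directory.endswith(d) for d in SYSTEM_DIRS):
            findings.append((name, f"system binary name {base} outside the system directory"))
    return findings


if __name__ == "__main__":
    # reg export writes UTF-16; pass an export path or run without arguments
    # to audit the constructed sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for name, reason in audit_run_keys(text):
        print(f"{name}: {reason}")
```

To run it against a real machine, export each Run key with reg export (for example `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`), which writes UTF-16, then pass the file as the first argument. The drivers-directory rule is the stronger of the two: drivers holds .sys files, and a .exe there started from a Run value has no legitimate reason to exist.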

Mal/DwndLdr-AG
by Marianna Schmudlach / July 18, 2008 2:27 AM PDT
GoldenKeylogger Installer
by Marianna Schmudlach / July 18, 2008 2:28 AM PDT
EvID4226
by Marianna Schmudlach / July 18, 2008 2:29 AM PDT
Mal/EncPk-DA - Same old social-engineering
by Marianna Schmudlach / July 18, 2008 2:31 AM PDT

18 July 2008

It often surprises me that malware authors continue to stick to the same old social engineering tricks to dupe victims into infecting themselves. Whether this says more about the malware authors or the large pool of people that are susceptible to the attacks is not clear. Whatever the case, it is clear that user education continues to be important.

A couple of campaigns using traditional social engineering lures that typify malware distribution today are outlined below.

Mal/EncPk-DA
The first attacks involve a combination of spam, compromised web sites and social engineering. The attacker has been sending out waves of sensationalist spam messages, encouraging the recipient to click on a link in the message to visit a web site.

http://www.sophos.com/security/blog/2008/07/1581.html

W32/IRCBot-ACI
by Marianna Schmudlach / July 18, 2008 7:00 AM PDT