Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - July 23, 2008

Troj/Spywad-AY

Aliases: GenericDownloader.x, Hoax.Win32.Renos.vapf

Category Viruses and Spyware

Type Trojan

Troj/Spywad-AY is a Trojan for the Windows platform.

Troj/Spywad-AY includes functionality to access the internet and communicate with a remote server via HTTP.

Protection available since 23 July 2008

Troj/Spywad-AY changes settings for Microsoft Internet Explorer, including search settings, by modifying values under:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojspywaday.html?_log_from=rss

Troj/Mdrop-BTZ

In reply to: VIRUS \ Spyware ALERTS - July 23, 2008

Troj/FakeVir-DO

Troj/DwnLdr-HFY

Category Viruses and Spyware

Type Trojan

Troj/DwnLdr-HFY is a Trojan for the Windows platform.

Troj/DwnLdr-HFY includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/DwnLdr-HFY copies itself to <System>\winds32.exe and creates the file <System>\<Random>.exe.

The following registry entry is created to run winds32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System32
<System>\winds32.exe

The following registry entry is set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhfy.html?_log_from=rss

Troj/DelfDrp-B

Spy-Agent.bw!rootkit

Type Trojan

SubType Rootkit

Spy-Agent.bw!rootkit is a rootkit which can be installed on a system to steal users' sensitive data and communicate with specified internet websites; it also has the ability to hide malicious files and monitor system behavior.

Characteristics

As this detection covers many variants, the characteristics of this trojan with regard to file names, registry keys, etc. will differ, depending on how the attacker configured it. Hence, this is a general description.

When running, this rootkit creates the following hidden files:

%System%\ntos.exe (Spy-Agent.bw)
%System%\wsnpoem\audio.dll (data file)
%System%\wsnpoem\video.dll (data file)

http://vil.mcafeesecurity.com/vil/content/v_144031.htm

Troj/FakeVir-DP

Troj/Agent-HHB

Troj/Agent-HHA

Troj/Zbot-AD

Troj/VB-EAK

Troj/LegMir-ARV

Troj/DwnLdr-HFZ

Troj/DwnLdr-HCY

Troj/Bckdr-QOM

Troj/Fakeav-AO

Sotfone

WinFixer

Troj/Dloadr-BOL

JS/Dloadr-BOM

Troj/Mdrop-BUA

Troj/DorfHtml-E

Trojan.Downloader.Wimad.A

SYMPTOMS:

While accessing a ".wma" media file, the following behavior is noticed:

A browser page opens to a certain webpage (fastmp3player.com).
It tries to download and execute (when the user hits Run in IE) a piece of malware from the mentioned site.
The file prompted for download is named "Codec.exe" and has the Windows Media Player icon (the name could vary: "PLAY_MP3.exe" or another).


Take notice that the file could have any other extension that Windows Media Player can handle, such as ".asf", ".wmw", ".aiff", ".midi" or others.

Here is a screenshot of the malware in action.

http://www.bitdefender.com/VIRUS-1000346-en--Trojan.Downloader.Wimad.A.html

Ten Commandments for Your Computer Sanity

1. Don't assume anything. Make some time to learn about securing your system.

2. Acquire and use a reliable antivirus program. Select an antivirus that has a consistent track record. Checkmark, AV-Test.org and TuV are among the most respected independent testers of antivirus software.

3. Acquire and use a reliable firewall solution. Again, independent reviewers are your best bet for reasonable choices. Some operating systems come with a firewall which only filters incoming traffic. Use a firewall that can control both incoming and outgoing Internet traffic.

4. Do not open e-mails coming from unknown or distrusted sources. Many viruses spread via e-mail messages so please ask for a confirmation from the sender if you are in any doubt.

5. Do not open the attachments of messages with a suspicious or unexpected subject. If you want to open them, first save them to your hard disk and scan them with an updated antivirus program.

6. Delete any chain e-mails or unwanted messages. Do not forward them or reply to their senders. This kind of message is considered spam, because it is undesired and unsolicited and it overloads Internet traffic.

7. Avoid installing services and applications which are not needed in day-by-day operations in a desktop role, such as file transfer and file sharing servers, remote desktop servers and the like. Such programs are potential hazards, and should not be installed if not absolutely necessary.

8. Update your system and applications as often as possible. Some operating systems and applications can be set to update automatically. Make full use of this facility. Failure to patch your system often enough may leave it vulnerable to threats for which fixes already exist.

9. Do not copy any file if you don't know or don't trust its source. Check the source (provenance) of files you download and make sure that an antivirus program has already verified the files at their source.

10. Make backups of important personal files (correspondence, documents, pictures and such) on a regular basis. Store these copies on removable media such as CD or DVD. Keep your archive in a different location than the one your computer is in.

The Defense Center

http://www.bitdefender.com/site/Virus-Tips.html

Trojan.PWS.Onlinegames.ZGE

SYMPTOMS:

Presence of the specified files and registry keys.


TECHNICAL DESCRIPTION:

The virus is initially an executable file; when it is launched it does the following:
copies itself to %SYSTEM%\[virus_name].exe (e.g. ckvo.exe)
drops %SYSTEM%\[virus_name][N].exe (e.g. ckvo1.dll), which is used to monitor actions inside game executables (keystrokes)
drops %TEMP%\f.dll, which contains the code for the actions mentioned below
overwrites %SYSTEM%\drivers\vga.sys and loads this driver.
In order to be launched when partitions' root folders are accessed from Explorer, the malware creates in these locations the files autorun.inf and ffocj.com, which is a copy of the malware.

http://www.bitdefender.com/VIRUS-1000345-en--Trojan.PWS.Onlinegames.ZGE.html

Trojan.Peed.JVL

SYMPTOMS:

Computer slow-downs
Increased network activity.
Presence of the specified files and registry entries.

TECHNICAL DESCRIPTION:

When started, the malware copies itself to the following location:
%windows%\[malware_name].exe

It creates the following registry entry:
HKCU\Microsoft\Windows\CurrentVersion\Run\"[malware_name]" = "%windows%\[malware_name].exe"

A few examples of [malware_name] are:
"msserv"
"msssecurity"

http://www.bitdefender.com/VIRUS-1000333-en--Trojan.Peed.JVL.html
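Both the Troj/DwnLdr-HFY post earlier in this thread and this Trojan.Peed.JVL post describe persistence through a Run key, and the DwnLdr-HFY post also reports the DisableTaskMgr policy being set. The following Python script is an added example (not code from the thread or from any of the vendors quoted in it): it parses a "reg export" style dump and flags those indicators. The registry text it parses is constructed for the demonstration, and the image names it looks for (winds32.exe, msserv.exe, msssecurity.exe) are the ones quoted in the two posts.

```python
import re
from typing import Dict, List, Optional, Tuple

# A key path maps to its value names and parsed data.
RegValues = Dict[str, Dict[str, object]]

# Persistence keys named in the Troj/DwnLdr-HFY and Trojan.Peed.JVL posts (upper-cased for matching).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
)
# Policy key the DwnLdr-HFY post says is set to disable Task Manager.
POLICY_KEY = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"
# Image names quoted in the two posts; extend this set from your own threat intel.
KNOWN_BAD_IMAGES = {"winds32.exe", "msserv.exe", "msssecurity.exe"}

# Constructed sample of a "reg export" dump; not taken from any real infected host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"System32"="C:\\WINDOWS\\system32\\winds32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msserv"="C:\\WINDOWS\\msserv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _parse_data(raw: str) -> object:
    """Decode the two .reg data encodings these checks need: quoted strings and dword:."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex: and other encodings are kept verbatim


def parse_reg_export(text: str) -> RegValues:
    """Parse .reg text into {KEY PATH (upper-cased): {value name: data}}."""
    keys: RegValues = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").upper()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name] = _parse_data(m.group("data"))
    return keys


def image_name(command: str) -> str:
    """Return the lower-cased basename of the executable in a Run value (quotes and arguments stripped)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        cmd = cmd[1:end] if end > 0 else cmd[1:]
    else:
        cmd = cmd.split(" ", 1)[0]
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_indicators(keys: RegValues) -> List[Tuple[str, str, str]]:
    """Return (finding, registry location, data) triples for the indicators in the posts."""
    findings: List[Tuple[str, str, str]] = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if isinstance(data, str) and image_name(data) in KNOWN_BAD_IMAGES:
                findings.append(("run-key persistence", key + "\\" + name, data))
    value = keys.get(POLICY_KEY, {}).get("DisableTaskMgr")
    if isinstance(value, int) and value != 0:
        findings.append(("task-manager disabled", POLICY_KEY + "\\DisableTaskMgr", str(value)))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(*finding, sep="\t")
```

On a live Windows host the input comes from "reg export" of the Run and Policies keys; that command writes UTF-16 with a byte-order mark, so open the file with encoding="utf-16" before passing the text in. A match on the image name alone is an indicator, not a verdict: confirm the file on disk before acting on it.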

Trojan.Downloader.HTML.FM

SYMPTOMS:

At most you will notice increased network activity and possibly the effects of some Trojans downloaded by this HTML script.



TECHNICAL DESCRIPTION:

This is a small HTML file, possibly sent by spam email. It tricks users into downloading a file called fireworks.exe hidden behind a fake embedded video related to the 4th of July holiday.

Along with this video in the social engineering process, the following phrase is used: "Colorful Independence Day events have already started throughout the country. The largest firework happens on the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it."

It also contains an "iframe" HTML tag redirecting the current page to a PHP script called "ind.php".

http://www.bitdefender.com/VIRUS-1000344-en--Trojan.Downloader.HTML.FM.html
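To show what the lure described in this post looks like to a scanner, the following Python script is an added example (not BitDefender's code or anything from the thread). It walks an HTML document and flags anchors that point at executables and iframes that are hidden, tiny, or load a .php script, which are the two constructs the description names. The sample page is constructed for the demonstration and uses the reserved example.invalid host rather than the real sample's server.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed lure page modelled on the description above; the host is the reserved
# example.invalid name, not the real sample's server.
SAMPLE_LURE = """<html><body>
<p>Colorful Independence Day events have already started throughout the country.</p>
<a href="http://example.invalid/fireworks.exe"><img src="video_thumb.jpg" alt="play video"></a>
<iframe src="http://example.invalid/ind.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

# Extensions Windows will run directly when the user clicks "Run".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def _dimension(attrs: Dict[str, str], name: str) -> Optional[int]:
    """Return an integer width/height attribute, accepting '1' or '1px'; None if absent."""
    raw = attrs.get(name, "").strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    return int(raw) if raw.isdigit() else None


def _is_tiny(attrs: Dict[str, str]) -> bool:
    """True when both width and height are present and at most one pixel."""
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    return w is not None and h is not None and w <= 1 and h <= 1


class LureScanner(HTMLParser):
    """Collects (finding, url) pairs for lure-style constructs in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            hidden = "hidden" in a or "hidden" in a.get("style", "").lower()
            if _is_tiny(a) or hidden or urlparse(src).path.lower().endswith(".php"):
                self.findings.append(("hidden-or-script-iframe", src))
        elif tag == "a":
            href = a.get("href", "")
            if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
                self.findings.append(("executable-link", href))


def scan_html(document: str) -> List[Tuple[str, str]]:
    """Parse the document and return every finding the scanner raised."""
    scanner = LureScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding, url in scan_html(SAMPLE_LURE):
        print(f"{finding}: {url}")
```

The .php check is taken straight from this post's indicator and will be noisy on legitimate pages that embed PHP-backed content; the hidden and one-pixel iframe heuristics and the executable-link check carry most of the signal in practice, and a flagged attachment still needs to be looked at rather than blocked on this alone.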

Trojan.Downloader.Gadja.C

SYMPTOMS:

Presence of the file: %sysdir%/userini.exe.

TECHNICAL DESCRIPTION:

When executed, the malware copies original (clean) file %sysdir%/userinit.exe into %sysdir%/userini.exe.

It disables System File Protection, and overwrites %sysdir%/userinit.exe with a copy of itself, in order to be executed on every system start-up.

After it deletes the initially executed copy of itself, the malware drops the file:
%tempdir%\ie[hex-digit].tmp, detected as: Trojan.Downloader.Gadja.D.

It starts a new %sysdir%\svchost.exe process and injects its code into it in order to bypass firewalls or other security based software.

It also tries to download other malware from the following URLs, save them to %tempdir%\ie[hex-digit].tmp and execute them:

http://fixaserver.ru/[hide]/gate.php?[8-digit-hex-number]
http://djaga-djaga.cn/[hide]/gate.php?[8-digit-hex-number]

An example of a downloaded malware file would be Trojan.Peed.JOP.

http://www.bitdefender.com/VIRUS-1000343-en--Trojan.Downloader.Gadja.C.html

JS_EXPL.AH

Malware type: JavaScript

This JavaScript (JS) malware may be hosted on a Web site and run when a user accesses the said Web site.

It accesses a certain Web site to download and execute a file, which Trend Micro detects as TSPY_AGENT.AUAR. As a result, routines of the downloaded spyware are exhibited on the affected system.

This script also connects to a URL to download other possibly malicious files.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FEXPL%2EAH

TROJ_AGENT.AYZO

Exploit.SinaDLoader.A
