Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - July 25, 2008

by Marianna Schmudlach / July 24, 2008 12:20 PM PDT
Troj/DwnLdr-HGC
by Marianna Schmudlach / July 24, 2008 2:52 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/DwnLdr-HGC is a Trojan downloader for the Windows platform.

When first run, Troj/DwnLdr-HGC copies itself to:
<Program Files>\Microsoft Studio Files\lsass.exe

Troj/DwnLdr-HGC has the functionality to:
-download files from preconfigured URLs.

The following registry entry is created to run lsass.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
lsass
<Program Files>\Microsoft Studio Files\lsass.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhgc.html?_log_from=rss

W32.Azero.A
by Marianna Schmudlach / July 24, 2008 3:07 PM PDT

Troj/FakeVir-DX
by Marianna Schmudlach / July 25, 2008 12:01 AM PDT

Troj/FakeAV-AR
by Marianna Schmudlach / July 25, 2008 12:02 AM PDT

Troj/FakeAV-AM
by Marianna Schmudlach / July 25, 2008 12:03 AM PDT

Aliases not-a-virus:FraudTool.Win32.UltimateAntivirus.ab

Category Viruses and Spyware

Type Trojan

Troj/FakeAV-AM is a Trojan for the Windows platform.

Troj/FakeAV-AM includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/FakeAV-AM is installed the following files are created:

<Current Folder>\%ORIGFILENAME%

The following registry entries are created to run Troj/FakeAV-AM on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Antivirus
<pathname of the Trojan executable>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Antivirus
<pathname of the Trojan executable>

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavam.html?_log_from=rss

Troj/FakeAV-AA
by Marianna Schmudlach / July 25, 2008 12:04 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeAV-AA is a Trojan for the Windows platform.

Troj/FakeAV-AA fraudulently reports a user's system as infected and will not clean up these fraudulent reports until the user pays and registers the application.

The Trojan may claim to detect a number of files. These files are not malicious and may be deleted.

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
XP SecurityCenter
"<path to Trojan> /hide"

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavaa.html?_log_from=rss

Troj/FakeAle-DN
by Marianna Schmudlach / July 25, 2008 12:06 AM PDT

Aliases FakeAlert-C trojan
TROJ_DLOADER.VNQ

Category Viruses and Spyware

Type Trojan

Troj/FakeAle-DN is a Trojan for the Windows platform.

When Troj/FakeAle-DN is installed the following files are created:

<Current Folder>\delself.bat
<System>\braviax.exe
<System>\dllcache\beep.sys
<System>\dllcache\figaro.sys

The following registry entries are created to run braviax.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
braviax
<System>\braviax.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
braviax
<System>\braviax.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealedn.html?_log_from=rss

Troj/Agent-HHM
by Marianna Schmudlach / July 25, 2008 12:07 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-HHM is a Trojan for the Windows platform.

Troj/Agent-HHM includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Agent-HHM copies itself to <System>\ieupdates.exe.

The following registry entry is created to run ieupdates.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ieupdate
<System>\ieupdates.exe

The Trojan downloads a file from a predefined URL to <System>\winsrc.dll.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthhm.html?_log_from=rss

Troj/Agent-HHL
by Marianna Schmudlach / July 25, 2008 12:08 AM PDT

Troj/AdClick-EX
by Marianna Schmudlach / July 25, 2008 12:09 AM PDT

Mal/EncPk-EI
by Marianna Schmudlach / July 25, 2008 12:10 AM PDT

Mal/DwnLd-A
by Marianna Schmudlach / July 25, 2008 12:11 AM PDT

RKnowledge Installer
by Marianna Schmudlach / July 25, 2008 12:13 AM PDT

RKnowledge
by Marianna Schmudlach / July 25, 2008 12:14 AM PDT

Troj/Agent-HHJ
by Marianna Schmudlach / July 25, 2008 12:16 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-HHJ is a Trojan for the Windows platform.

When first run, Troj/Agent-HHJ creates <System32>\bamr32.dll, which is also detected as Troj/Agent-HHJ.

Troj/Agent-HHJ creates registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\WS2IFSL
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthhj.html

Troj/FakeVir-DW
by Marianna Schmudlach / July 25, 2008 12:18 AM PDT

Troj/DwnLdr-HGD
by Marianna Schmudlach / July 25, 2008 12:19 AM PDT

Troj/Banker-EML
by Marianna Schmudlach / July 25, 2008 12:20 AM PDT

Troj/Agent-HHK
by Marianna Schmudlach / July 25, 2008 12:22 AM PDT

W32/Generic.b
by Marianna Schmudlach / July 25, 2008 12:24 AM PDT

Type Virus

SubType Win32

Characteristics -

This is a generic detection of MSVB worms.

This detection covers many nondescript generic VB worms - typically one-off creations written in Visual Basic that have been received by AVERT.

Symptoms of malware vary greatly. Some common symptoms which may be observed in the case of W32/Generic.b detections are as follows.

- Unknown processes are running.
- Unknown ports are open.
- Reduced system performance.
- Introduction of new files to the system.

http://vil.mcafeesecurity.com/vil/content/v_120972.htm

Panda Security's weekly report on viruses and intruders
by Marianna Schmudlach / July 25, 2008 12:42 AM PDT

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

This week's PandaLabs report provides information about the Banbra.FXT,
Pushdo.C and Agent.JEN Trojans, as well as a series of emails that
inform about a false accident suffered by the F1 racer Fernando Alonso
to spread the Banker.LGC Trojan.

Banbra.FXT reaches computers by email and passes itself off as a warning
from Brazil's Federal Ministry (see photo here:
http://www.flickr.com/photos/2695780604@N03/2678703471/). With
information about a supposed investigation, the email encourages users
to open an attached .Zip file.

However, if the user downloads and runs the file, they will be
introducing a Trojan into their computer. The Trojan loads several
services to the system in order to monitor users' access to the web
pages of some Brazilian banks and steal the confidential data they enter
(passwords, account numbers, etc.).

The Pushdo.C Trojan is designed to steal confidential data and send it
to different servers to make it available to its creator. The data sent
includes the infected computer's IP address, whether the infected user
has administrator permissions or not, the hard disk serial number, the
hard disk file system, etc.

The danger to the infected computer increases as the malicious code is
also designed to download other malware strains from the same servers it
sends information to.

The Agent.JEN Trojan spreads in emails that inform users about UPS'
inability to deliver a package. These emails use subjects such as "UPS
packet N3621583925". The message body informs the recipient that it was
impossible to deliver a postal package sent by them and encourages them
to print out a copy of the attached invoice copy.

The invoice is included in an attached ".zip" file that contains an
executable file disguised as a Microsoft Word document with names like
"UPS_invoice". However, if the targeted user runs the file, they will
be saving a copy of the Trojan to their computer.

This malicious code copies itself to the system, replacing the
Userinit.exe file in the Windows operating system. This file runs the
Internet Explorer browser, the system interface and other essential
processes. For the computer to continue working properly and to avoid
raising suspicion of the infection, the Trojan copies the actual system
file to another location under the name userini.exe.

Finally, Agent.JEN connects to a Russian domain (already used by other
banker Trojans) and uses it to send a request to a German domain to
download a rootkit and an adware detected by PandaLabs as Agent.JEP and
AntivirusXP2008 respectively.

More information here:
http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9301

PandaLabs has also reported a series of emails that informed about a
false car crash suffered by the F1 racer Fernando Alonso in order to
spread the Banker.LGC Trojan. More information here:
http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9309

TROJ_FAKECLEAN.A.
by Marianna Schmudlach / July 25, 2008 12:51 AM PDT

Fake Trend Micro Virus Clean Tool Spreads Malware Dirt

Trend Micro recently discovered malware posing as the Trend Micro Virus Clean Tool being sent through email by Chinese hackers. This is a screenshot of the email message:

More: http://blog.trendmicro.com/

TSPY_BANKER.GRX.
by Marianna Schmudlach / July 25, 2008 12:52 AM PDT

Banker Summons You to Court

For the longest time now, Brazilian banking Web sites have been one of the favorite targets of malware criminals for stealing sensitive banking information from users. These spyware Trojans are usually coupled with spam emails with various, and quite clever, social engineering techniques to trick users into divulging such data. From the latest headlines to the sly imitation of legitimate Web sites, these BANKER authors never seem to run out of sneaky tactics for duping the Internet user.

One of the latest variants we've seen recently uses spam emails that supposedly came from one of Brazil's Public Ministry offices. The said email is a fake notice of hearing letter, summoning the recipient to appear in the office of the attorney general for an investigation procedure.

More: http://blog.trendmicro.com/

Web Form Spam Alive and Kicking
by Marianna Schmudlach / July 25, 2008 12:54 AM PDT

Spammers have never balked at using Web forms as a way of sending out spam messages, anything to expose their wares. Basically, they will look for a public Web server that allows them to provide feedback or information to a certain company. These Web forms require them to fill up certain fields with information such as names, phone numbers, email addresses, and, wait for it, even spam messages. Even worse, spammers can also send image spam and/or infected files if the Web form contains a field that will allow them to attach such files. If they have finished filling up the form and submitted it to the Web server, recipients of the Web form will now receive the spam.

Strictly speaking, the messages they get are not spam email. What they get are another type of threat/annoyance. Here is a sample Web form:

More: http://blog.trendmicro.com/
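
As an added example, not part of the Trend Micro post, the Python below shows the server-side checks a feedback-form handler needs so that the abuse described above does not reach the people behind the form: it refuses honeypot hits, line breaks in any field that is copied into a mail header (which would otherwise let a sender add their own Bcc: recipients), link-heavy messages, and attachments whose leading bytes do not match the allowed type, so that an executable renamed to look like a Word invoice is dropped. The field names, the limits, the allow-list and the sample submissions are assumptions made for the example.

```python
"""Server-side checks for a public feedback form, added as an example of
keeping the form from being turned into a spam or malware relay. Field names,
limits and the allow-list are assumptions, not from the Trend Micro post."""
import re

MAX_LINKS = 2
# Allowed attachment types: extension -> bytes a genuine file of that type
# starts with. Content is checked, not just the name, so a "UPS_invoice.doc"
# that is really a PE executable is refused.
ALLOWED_ATTACHMENTS = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy OLE2 compound document
}
HEADER_FIELDS = ("name", "email", "subject")  # copied into outgoing mail headers
_URL = re.compile(r"https?://|www\.", re.I)
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class RejectedSubmission(ValueError):
    """Raised with the reason a submission must not be mailed on."""


def check_submission(fields, attachment=None, honeypot_field="website"):
    """fields: form field name -> str; attachment: (filename, bytes) or None.
    Returns the cleaned fields to forward, or raises RejectedSubmission."""
    # 1. Bots fill every input; humans never see the CSS-hidden honeypot field.
    if fields.get(honeypot_field):
        raise RejectedSubmission("honeypot field filled")
    # 2. Anything copied into a mail header must be a single line. A CR/LF
    #    followed by "Bcc: ..." would make the form mail arbitrary recipients.
    for f in HEADER_FIELDS:
        if re.search(r"[\r\n\x00]", fields.get(f, "")):
            raise RejectedSubmission(f"line break in header field {f!r}")
    if not _EMAIL.fullmatch(fields.get("email", "")):
        raise RejectedSubmission("malformed email address")
    # 3. A feedback message is not a link farm.
    if len(_URL.findall(fields.get("message", ""))) > MAX_LINKS:
        raise RejectedSubmission("too many links in message")
    # 4. Attachments: allow-list by extension AND by leading bytes.
    if attachment is not None:
        filename, content = attachment
        ext = "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""
        magic = ALLOWED_ATTACHMENTS.get(ext)
        if magic is None:
            raise RejectedSubmission(f"attachment type {ext or '(none)'} not allowed")
        if not content.startswith(magic):
            raise RejectedSubmission("attachment content does not match its extension")
    return {k: v.strip() for k, v in fields.items() if k != honeypot_field}


def classify(fields, attachment=None):
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        check_submission(fields, attachment)
        return "accepted"
    except RejectedSubmission as e:
        return f"rejected: {e}"


# Constructed submissions: one genuine, one header injection, one link spam
# and one executable disguised as a Word invoice (the lure in the Panda report).
SAMPLES = {
    "genuine": ({"name": "Ana", "email": "ana@example.com", "subject": "Thanks",
                 "message": "Your site helped me.", "website": ""}, None),
    "header injection": ({"name": "x", "email": "a@b.example\r\nBcc: everyone@example.net",
                          "subject": "s", "message": "m", "website": ""}, None),
    "link spam": ({"name": "x", "email": "a@b.example", "subject": "Cheap",
                   "message": "http://a.example http://b.example www.c.example",
                   "website": ""}, None),
    "fake invoice": ({"name": "UPS", "email": "no-reply@example.com", "subject": "Invoice",
                      "message": "see attached", "website": ""},
                     ("UPS_invoice.doc", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56)),
}

if __name__ == "__main__":
    for label, (fields, attachment) in SAMPLES.items():
        print(f"{label:18} -> {classify(fields, attachment)}")
```

Rate limiting per source address and a CAPTCHA belong in front of this handler; the checks here are the ones that must hold even when those are bypassed, because they decide what the form is allowed to forward.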

Troj/FakeAv-AS
by Marianna Schmudlach / July 25, 2008 7:29 AM PDT

Troj/DwnLdr-HGE
by Marianna Schmudlach / July 25, 2008 7:31 AM PDT

Troj/Dloadr-BOU
by Marianna Schmudlach / July 25, 2008 7:32 AM PDT

Troj/Bdoor-AMP
by Marianna Schmudlach / July 25, 2008 7:33 AM PDT

Aliases Generic BackDoor.u
WORM_SHEUR.APH
Win32/AutoRun.TJ worm

Category Viruses and Spyware

Type Trojan

Troj/Bdoor-AMP is a password stealing Trojan for the Windows platform.

Troj/Bdoor-AMP includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Bdoor-AMP copies itself to:

<System>\hiquooc.exe
<System>\koovyjyna.exe

The following registry entry is created to run hiquooc.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
delol
<System>\hiquooc.exe

The file koovyjyna.exe is registered as a new system driver service named "c3ci6aip4mj", with a display name of "Websense CPM Report Scheduler" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\c3ci6aip4mj

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbdooramp.html?_log_from=rss
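
The Run-key, service and dropped-file indicators in the Sophos write-ups posted in this thread (Troj/DwnLdr-HGC, Troj/FakeAV-AM, Troj/FakeAV-AA, Troj/FakeAle-DN, Troj/Agent-HHM, Troj/Agent-HHJ and this Troj/Bdoor-AMP post) can be checked offline against a registry export taken with regedit or "reg export". The Python script below is an added example written for this thread, not Sophos's or CNET's code: it parses the .reg format, including REG_EXPAND_SZ values that regedit wraps over continuation lines, and reports every hit. The sample export, its drive and folder paths and the list of dropped-file names are constructed assumptions; a real export is UTF-16 and must be opened with that encoding.

```python
"""Offline triage of a Windows registry export (.reg) against the persistence
indicators quoted in this thread (Sophos write-ups for Troj/DwnLdr-HGC,
Troj/FakeAV-AM, Troj/FakeAV-AA, Troj/FakeAle-DN, Troj/Agent-HHM,
Troj/Agent-HHJ and Troj/Bdoor-AMP). Added example, not vendor code."""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Finding = namedtuple("Finding", "detection key value data")

RUN_KEY = r"\software\microsoft\windows\currentversion\run"
# (detection, Run value name, regex on the value data). Paths are matched on
# their tail so the check does not depend on the drive letter or on the real
# folders behind Sophos's <System> / <Program Files> placeholders.
RUN_IOCS = [
    ("Troj/DwnLdr-HGC", "lsass",             r"microsoft studio files\\lsass\.exe$"),
    ("Troj/FakeAV-AM",  "antivirus",         r"\.exe$"),  # value name is the only indicator
    ("Troj/FakeAV-AA",  "xp securitycenter", r"/hide$"),
    ("Troj/FakeAle-DN", "braviax",           r"\\braviax\.exe$"),
    ("Troj/Agent-HHM",  "ieupdate",          r"\\ieupdates\.exe$"),
    ("Troj/Bdoor-AMP",  "delol",             r"\\hiquooc\.exe$"),
]
# Service key and dropped-file names that identify a sample on their own.
KEY_IOCS = {r"\services\c3ci6aip4mj": "Troj/Bdoor-AMP"}
FILE_IOCS = {"koovyjyna.exe": "Troj/Bdoor-AMP", "bamr32.dll": "Troj/Agent-HHJ",
             "winsrc.dll": "Troj/Agent-HHM", "figaro.sys": "Troj/FakeAle-DN"}

# Constructed sample export (assumed paths) in the format regedit produces,
# including a REG_EXPAND_SZ value wrapped over several continuation lines.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"lsass"="C:\\Program Files\\Microsoft Studio Files\\lsass.exe"
"ieupdate"="C:\\WINDOWS\\system32\\ieupdates.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XP SecurityCenter"="C:\\Program Files\\XP SecurityCenter\\xpsc.exe /hide"
"delol"="C:\\WINDOWS\\system32\\hiquooc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c3ci6aip4mj]
"DisplayName"="Websense CPM Report Scheduler"
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6b,00,6f,00,6f,00,\
  76,00,79,00,6a,00,79,00,6e,00,61,00,2e,00,65,00,78,00,65,00,00,00
'''


def _logical_lines(text):
    """Join regedit's backslash-continued lines (used for long hex data)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_reg_export(text):
    """Yield (key, None, None) for every key and (key, name, data) for every
    REG_SZ / REG_EXPAND_SZ value. A real export is UTF-16LE: read it with
    open(path, encoding="utf-16") before passing the text in."""
    key = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (line.startswith('"') or line.startswith("@=")):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                yield key, name, data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.startswith("hex(2):"):  # REG_EXPAND_SZ: UTF-16LE bytes
                raw = bytes.fromhex(data[len("hex(2):"):].replace(",", ""))
                yield key, name, raw.decode("utf-16-le").rstrip("\x00")


def scan(text):
    """Return the Finding list for one export; an empty list means no IOC hit."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if name is None:
            findings += [Finding(det, key, None, None)
                         for suffix, det in KEY_IOCS.items() if k.endswith(suffix)]
            continue
        if k.endswith(RUN_KEY):
            for det, vname, pat in RUN_IOCS:
                if name.lower() == vname and re.search(pat, data, re.I):
                    findings.append(Finding(det, key, name, data))
        # Drop trailing " /arguments", then match the image's basename.
        image = PureWindowsPath(data.strip('"').split(" /")[0]).name.lower()
        if image in FILE_IOCS:
            findings.append(Finding(FILE_IOCS[image], key, name, data))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EXPORT):
        print(f"{f.detection:16} [{f.key}] {f.value or ''}={f.data or ''}")
```

Two caveats when running this against a real machine: export both HKCU (for every profile loaded, not only the one you are logged in as) and HKLM, since the write-ups above show the same malware using either hive, and treat a hit on a value name alone (the "Antivirus" entry of Troj/FakeAV-AM) as a lead to confirm against the file on disk rather than a verdict.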

Troj/Banker-EMO
by Marianna Schmudlach / July 25, 2008 7:34 AM PDT

Troj/Banker-EMM
by Marianna Schmudlach / July 25, 2008 7:35 AM PDT