Spyware, Viruses, & Security forum


VIRUS \ Spyware ALERTS - July 31, 2008

Troj/Danmec-Z


Aliases TROJ_ASPROX.AE
Backdoor.Win32.Agent.nrb
Win32/Agent.ACG
Trojan.Asprox

Category Viruses and Spyware

Type Trojan

Troj/Danmec-Z is a Trojan for the Windows platform.

Troj/Danmec-Z has the functionality to:

- Modify the <System>\drivers\etc\hosts file
- Terminate AV related processes and services
- Steal information
- Communicate with a remote server via email
- Create a backdoor to receive encrypted data/instructions

Troj/Danmec-Z may run as a Service with the service name of 'aspimgr'.

Protection available since 31 July 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdanmecz.html?_log_from=rss
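The hosts-file tampering listed for Troj/Danmec-Z is the one behaviour in this post a reader can check by hand. The following PowerShell is an added example, not part of the Sophos analysis or this post: it parses a hosts file and flags entries that point somewhere other than loopback, or that touch security-vendor and update domains. Which entries the Trojan actually writes is not stated above, so the sample hosts content and the vendor-domain list are constructed assumptions; replace `$SampleHosts` with the live file to use it on a suspect machine.

```powershell
# Added example, not from the Sophos analysis or the forum post.
# Parses hosts-file content and reports entries a Danmec-style hosts rewrite would leave behind.

# Constructed sample of a tampered hosts file (assumption: a clean file holds only
# comments and loopback entries for 'localhost').
$SampleHosts = @'
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.sophos.com
127.0.0.1       update.symantec.com
10.0.0.5        www.example-bank.test
'@

# Hostname fragments worth flagging even when they are pointed at loopback (assumed list;
# blocking vendor/update sites is a common reason for malware to edit hosts).
$SecurityVendorPatterns = @('sophos', 'symantec', 'mcafee', 'trendmicro', 'kaspersky', 'windowsupdate', 'microsoft')

function Get-SuspiciousHostsEntries {
    param(
        [Parameter(Mandatory)][string]$Content,
        [string[]]$VendorPatterns = $SecurityVendorPatterns
    )
    $findings = @()
    $lineNo = 0
    foreach ($rawLine in ($Content -split "`r?`n")) {
        $lineNo++
        # Drop trailing comments and skip blank or comment-only lines.
        $line = ($rawLine -split '#')[0].Trim()
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        $isLoopback = ($ip -eq '127.0.0.1' -or $ip -eq '::1' -or $ip -like '127.*')
        foreach ($name in $names) {
            $reasons = @()
            if (-not $isLoopback -and $name -ne 'localhost') {
                $reasons += "non-loopback address $ip"
            }
            foreach ($p in $VendorPatterns) {
                if ($name -like "*$p*") { $reasons += "security/update domain matched '$p'"; break }
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{ Line = $lineNo; Address = $ip; Host = $name; Reason = ($reasons -join '; ') }
            }
        }
    }
    return $findings
}

# Run against the constructed sample. On a real host use:
#   Get-SuspiciousHostsEntries -Content (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -Raw)
Get-SuspiciousHostsEntries -Content $SampleHosts | Format-Table -AutoSize
```

On the constructed sample the function reports three lines: the two vendor domains pinned to 127.0.0.1 and the bank hostname redirected to 10.0.0.5. A hosts entry is only one of several ways to hijack name resolution, so an empty result does not clear the machine.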

Exploit-PHPBB.b

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Type Trojan

SubType Exploit

Overview -

This detection is for JavaScript malware that may be hosted on a website with the intention of serving further malware to users visiting the site.



Aliases
JS/Redirector.A [Norman]
JS/Redirector.E [NOD32v2]
JS_REDIRECTOR.M [TrendMicro]
Trojan.JS.Redirector.C [BitDefender]
Trojan.JS.Redirector.e [Kaspersky]
Trojan.Redirect.10 [DrWeb]

Characteristics -

When a user visits a site which hosts this malicious JavaScript, the script could execute to perform any of the following:

- Redirect users to other sites
- Display pop-ups
- Download additional malware

http://vil.mcafeesecurity.com/vil/content/v_144753.htm

Generic Downloader.bs

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Type Trojan

SubType Script

Overview -
Generic Downloader.bs is a detection mainly for JavaScript downloaders.

Characteristics -

Generic Downloader.bs has been observed as obfuscated JavaScript that arrives in emails. These scripts are then executed to download files and possibly more scripts from servers. Some of the observed servers contacted are:

- pay4logs.com
- 80.233.245.154

Files including the rootkit Cutwail have been observed during downloads. After download, svchost is launched with injected code. The injected code is used to contact various SMTP servers in order to send out similar emails which contain the JavaScript.

The following is a typical example of the text contained in the spammed emails:

"Greetings, how are you doing? Give we shall meet!"

http://vil.mcafeesecurity.com/vil/content/v_140855.htm

Troj/FakeAle-DP

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/PWS-ASE

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

W32/Sohana-BD

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/FakeAV-AV

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/PDFJs-A

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/Bckdr-QON

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Aliases Possibly a new variant of W32/Threat-SysVenFak-based!Maximus
Backdoor.Win32.Hupigon.axbr

Category Viruses and Spyware

Type Trojan

Troj/Bckdr-QON is a Trojan for the Windows platform.

Troj/Bckdr-QON includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Bckdr-QON copies itself to:

<Root>\bootfont.exe
<System>\_bootfont.exe
<System>\bootfont.exe

and creates the file <Root>\AutoRun.inf.

The file bootfont.exe is registered as a new system driver service named "WICSVC", with a display name of "Wireless Internet Configuration" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WICSVC

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbckdrqon.html

Troj/Banloa-FO

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Mal/DwndLdr-AF

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Sus/Behav-277

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

W32/Yahlover.worm.gen.d

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Type Trojan

SubType Generic Worm

Overview -

This threat is a generic detection for W32/YahLover.worm variants that are obfuscated and packaged with AutoIT. Please view the W32/YahLover.worm VIL for more specific information about this threat.

http://vil.mcafeesecurity.com/vil/content/v_148418.htm

W32/Yahlover.worm.gen.c

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Type Trojan

SubType Generic Worm

Overview -

This threat is a generic detection for W32/YahLover.worm variants that are packaged with AutoIT. Please view the W32/YahLover.worm VIL for more specific information about this threat.

http://vil.mcafeesecurity.com/vil/content/v_148419.htm

W32/Yahlover.worm.gen.e

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Type Virus

SubType Worm

Overview -
This threat is a generic detection for W32/YahLover.worm variants that are obfuscated and packaged with AutoIT. Please view the W32/YahLover.worm VIL for more specific information about this threat.
http://vil.mcafeesecurity.com/vil/content/v_148529.htm

TROJ_FAKEAV.BH

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Malware type: Trojan

Malware Overview

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It creates folders and drops a file detected by Trend Micro as TROJ_RENOS.ACQ.

It creates a registry key and a registry entry as part of its installation routine.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FFAKEAV%2EBH

W32/SdBot-DKU

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/FakeAV-AW

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Category Viruses and Spyware

Type Trojan

Troj/FakeAV-AW is a Trojan for the Windows platform.

Troj/FakeAV-AW includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/FakeAV-AW is installed the following files are created:

<User>\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk
<Desktop>\antivirus-2008pro.lnk
<Program Files>\Antivirus 2008 PRO\zlib.dll
<Program Files>\Antivirus 2008 PRO\vscan.tsi
<Program Files>\Antivirus 2008 PRO\antivirus-2008pro.exe
<User>\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk

The files zlib.dll and vscan.tsi may be deleted.

The following registry entry is set to automatically run the Trojan:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
antivirus-2008pro.exe
<Program Files>\Antivirus 2008 PRO\antivirus-2008pro.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavaw.html?_log_from=rss

Troj/Dorf-BQ

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/Wimad-E

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

W32/Slenpin-Gen

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Category Viruses and Spyware

Type Worm

W32/Slenpin-Gen is a family of worms for the Windows platform, otherwise known as the Slenping family of malware.

Members of W32/Slenpin-Gen usually attempt to send themselves through a variety of different instant messaging applications.

When first run, members of W32/Slenpin-Gen typically copy themselves to the following files:

<User profile>\<random letters>.exe
<System>\<random letters>.exe

Members of W32/Slenpin-Gen may set or modify one of the following registry entries to run themselves on startup:

http://www.sophos.com/security/analyses/viruses-and-spyware/w32slenpingen.html?_log_from=rss

W32/Autorun-GY

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

W32/Autorun-GX

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/FakeAle-DQ

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Category Viruses and Spyware

Type Trojan

Troj/FakeAle-DQ is part of a multi-component Trojan that displays fraudulent security alerts.

The Trojan contains functionality to disable legitimate security applications.

Troj/FakeAle-DQ is installed to <System>\drivers\beep.sys, replacing the legitimate system file of this name.

The following files are created:

<Windows>\buritos.exe
<Windows>\karina.net
<System>\buritos.exe
<System>\karina.net

The files buritos.exe are detected as Troj/Renos-AX. The files karina.net are detected as Mal/EncPk-BB.

The following registry entry is created in order to load karina.dat automatically:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
<System>\karina.dat


http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealedq.html?_log_from=rss

Troj/Bancban-QX

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/Alpha-H

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Category Viruses and Spyware

Type Trojan

Troj/Alpha-H is a Trojan for the Windows platform.

When Troj/Alpha-H is installed the following files are created:

<Windows>\inform.dat
<System>\ritz8.dll
<System>\xd.txt

The following registry entry is created to run ritz8.dll on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9988775D-4368-4857-871A-D01D66CA3A71}
StubPath
rundll32 ritz8.dll,InitO

The file ritz8.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{930247B4-16BE-48d2-87DD-86D7FB314639}
HKCR\CLSID\{930247B4-16BE-48d2-87DD-86D7FB314639}

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojalphah.html?_log_from=rss
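The Sophos posts in this thread (Troj/Danmec-Z, Troj/Bckdr-QON, Troj/FakeAV-AW, Troj/FakeAle-DQ and Troj/Alpha-H) each name concrete persistence points: service keys, dropped files, an AutoRun.inf in the drive root, a replaced system driver, and Run, AppInit_DLLs, Active Setup and BHO registry entries. The read-only PowerShell triage script below is an added example, not vendor code and not part of any post; it takes the service names, file names, registry values and CLSIDs from those posts and checks whether any are present. It assumes an elevated session on the suspect host. The beep.sys signature check is an assumption of this example (the legitimate driver is Microsoft-signed); the FakeAle-DQ post only says the file is replaced.

```powershell
# Added example, not from Sophos or the forum posts. Read-only: nothing is changed or deleted.
# Checks the persistence points named in the 31 July 2008 Sophos posts above.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Source, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# 1. Services named in the posts: 'aspimgr' (Danmec-Z) and 'WICSVC' (Bckdr-QON).
foreach ($svc in 'aspimgr', 'WICSVC') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $imagePath = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        Add-Finding "Service $svc" "present, ImagePath=$imagePath"
    }
}

# 2. Dropped files under <Root>, <Windows> and <System> (Bckdr-QON, FakeAle-DQ, Alpha-H).
$sysRoot  = $env:SystemRoot
$system32 = Join-Path $sysRoot 'System32'
$drive    = Split-Path -Qualifier $sysRoot
$dropPaths = @(
    (Join-Path "$drive\" 'bootfont.exe'),
    (Join-Path $system32 '_bootfont.exe'), (Join-Path $system32 'bootfont.exe'),
    (Join-Path $sysRoot 'buritos.exe'),    (Join-Path $sysRoot 'karina.net'),
    (Join-Path $system32 'buritos.exe'),   (Join-Path $system32 'karina.net'),
    (Join-Path $system32 'karina.dat'),
    (Join-Path $sysRoot 'inform.dat'), (Join-Path $system32 'ritz8.dll'), (Join-Path $system32 'xd.txt')
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'Dropped file' $p }
}

# 3. AutoRun.inf in the root of every filesystem drive (Bckdr-QON writes <Root>\AutoRun.inf).
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $autorun = Join-Path $d.Root 'AutoRun.inf'
    if (Test-Path -LiteralPath $autorun) { Add-Finding 'AutoRun.inf' $autorun }
}

# 4. beep.sys is a legitimate driver that FakeAle-DQ overwrites. Assumption of this example:
#    a copy without a valid Microsoft Authenticode signature is the tell.
$beep = Join-Path $system32 'drivers\beep.sys'
if (Test-Path -LiteralPath $beep) {
    $sig = Get-AuthenticodeSignature -FilePath $beep
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Add-Finding 'beep.sys' "signature status $($sig.Status), signer $($sig.SignerCertificate.Subject)"
    }
}

# 5. Registry autostarts: HKCU Run (FakeAV-AW), AppInit_DLLs (FakeAle-DQ),
#    Active Setup StubPath and the BHO CLSID (Alpha-H).
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'antivirus-2008pro.exe')) {
    Add-Finding 'HKCU Run' $run.'antivirus-2008pro.exe'
}
$appInit = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { Add-Finding 'AppInit_DLLs' $appInit }   # any non-empty value deserves a look, not only karina.dat
$stub = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{9988775D-4368-4857-871A-D01D66CA3A71}'
if (Test-Path -LiteralPath $stub) { Add-Finding 'Active Setup' (Get-ItemProperty -LiteralPath $stub).StubPath }
$bho = '{930247B4-16BE-48d2-87DD-86D7FB314639}'
foreach ($k in "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bho",
               "Registry::HKEY_CLASSES_ROOT\CLSID\$bho") {
    if (Test-Path -LiteralPath $k) { Add-Finding 'BHO' $k }
}

if ($Findings.Count -eq 0) { 'No indicators from the 31 July 2008 posts found.' } else { $Findings | Format-Table -AutoSize }
```

The script reports presence only; it does not try to distinguish a benign AppInit_DLLs value from a malicious one, and a clean run proves nothing about variants that use other names. Treat any hit as a reason to image the machine before cleaning, since several of these posts describe components that terminate security software or replace system files.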

Troj/Agent-HIK

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Troj/Agent-HIJ

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Mal/EncPk-EN

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008

Sus/Behav-192

In reply to: VIRUS \ Spyware ALERTS - July 31, 2008
