Spyware, Viruses, & Security forum

General discussion

VIRUS \ Spyware ALERTS - July 4, 2008

Tool-Jailbreak

Type Program

SubType Tool

This application has been observed along with the installation of CoreFlood.dr and CoreFlood.dll where a file named sstore2K.exe is observed to have been downloaded from mcupdate.net.

sstore2K.exe is an application used to export certificates from the Windows certificate store (assuming administrator privileges). It marks all the certificates as exportable and can store them in a file which is later uploaded to its server. This application also attempts to acquire the private key for every certificate, which could possibly be used for impersonation.

http://vil.mcafeesecurity.com/vil/content/v_146652.htm
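The audit a defender would run against the behaviour described in that post, as an added example (not part of the McAfee write-up and not the tool it describes): it walks the machine and user personal stores and reports, for every certificate that has a private key, whether the key is marked exportable, which is the property the tool flips before pulling keys out. The store paths, the function name and the output fields are this example's own choices; it assumes Windows PowerShell 5.1 or later and an elevated prompt for the LocalMachine store.

```powershell
# Added example: inventory private keys in the Windows certificate store and
# report exportability. Assumes Windows PowerShell 5.1 or later; reading
# LocalMachine keys requires an elevated prompt.
function Get-PrivateKeyExportability {
    param(
        # Personal stores for the machine and the current user (assumed defaults)
        [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePaths) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            if (-not $cert.HasPrivateKey) { continue }
            $exportable = 'unknown'
            $provider   = 'unknown'
            $policy     = ''
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    # ECDSA or other non-RSA key; not covered by this check
                    $provider = 'non-RSA'
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: exportability is a policy flag on the key handle
                    $provider   = $rsa.Key.Provider.Provider
                    $policy     = $rsa.Key.ExportPolicy.ToString()
                    $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI key: the CSP key container records the flag
                    $provider   = $rsa.CspKeyContainerInfo.ProviderName
                    $exportable = $rsa.CspKeyContainerInfo.Exportable
                }
            } catch {
                # Typical causes: key held on a smart card or TPM, or no access without admin rights
                $exportable = "error: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                Policy     = $policy
                Exportable = $exportable
            }
        }
    }
}

# Keys that an attacker with the access this tool assumes could export as they stand
Get-PrivateKeyExportability | Sort-Object Exportable -Descending | Format-Table -AutoSize
```

Keys reported with Exportable = True can be pulled out with nothing more than the rights the script itself is running with; keys on a smart card or TPM-backed provider show up as errors rather than True, which is the answer you want for a signing key.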

Troj/Pushu-Gen

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Category Viruses and Spyware

Type Trojan

Troj/Pushu-Gen is a family of Trojans for the Windows platform.

When members of Troj/Pushu-Gen are installed one of the following files is usually created:

<Windows>\system32\drivers\ip6fw.sys
<Windows>\system32\drivers\netdtect.sys
<Windows>\system32\drivers\secdrv.sys

These files may be registered as a new system driver service named, for example, "Restore", "Ip6Fw", "NetDetect" or "Secdrv". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\<service name>

When members of Troj/Pushu-Gen are installed the following file is also usually created:

<Windows>\system32\drivers\runtime.sys

runtime.sys is usually registered as a new system driver service named "Runtime". Registry entries are created under:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojpushugen.html?_log_from=rss

Troj/Pushdo-Gen

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Category Viruses and Spyware

Type Trojan

Troj/Pushdo-Gen is a family of Trojans for the Windows platform.

When members of Troj/Pushdo-Gen are installed they drop and run a further file in memory, usually detected as Troj/Pushu-Gen or Mal/Basine-C. This may then drop further files, including some of the following:

<Windows>\system32\drivers\ip6fw.sys
<Windows>\system32\drivers\netdtect.sys
<System>\drivers\runtime.sys
<System>\drivers\secdrv.sys

These files are used to provide stealthing for the Trojan.

The dropped file in memory will also often attempt to inject further code into Internet Explorer.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpushdogen.html?_log_from=rss
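A hunt for the driver services and files named in the Troj/Pushu-Gen and Troj/Pushdo-Gen descriptions above, as an added example (not from the Sophos analyses). A name match on its own is only a lead: ip6fw.sys is also the Windows XP IPv6 firewall driver and secdrv.sys the Macrovision SafeDisc driver shipped with Windows, so the example resolves each driver's ImagePath and checks the Authenticode status of the file on disk. The function names and output fields are this example's own; it assumes Windows PowerShell 3 or later running elevated.

```powershell
# Added example: enumerate kernel/file-system driver services from the Services
# key, keep the ones whose service name or image file matches the Sophos lists,
# and check the on-disk image's signature. Run elevated.
$SuspectServiceNames = 'Restore', 'Ip6Fw', 'NetDetect', 'Secdrv', 'Runtime'
$SuspectDriverFiles  = 'ip6fw.sys', 'netdtect.sys', 'secdrv.sys', 'runtime.sys'

function Resolve-DriverImagePath([string]$ImagePath) {
    # Driver ImagePath values come in several shapes: "system32\drivers\x.sys",
    # "\SystemRoot\system32\drivers\x.sys", "\??\C:\...\x.sys" or a plain absolute path
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspectDriverServices {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services
        if ($props.Type -notin @(1, 2)) { continue }
        if (-not $props.ImagePath) { continue }
        $image   = Resolve-DriverImagePath ([string]$props.ImagePath)
        $file    = [System.IO.Path]::GetFileName($image)
        $nameHit = $key.PSChildName -in $SuspectServiceNames
        $fileHit = $file -in $SuspectDriverFiles
        if (-not ($nameHit -or $fileHit)) { continue }
        $status = if (Test-Path -LiteralPath $image) {
            (Get-AuthenticodeSignature -FilePath $image).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Service   = $key.PSChildName
            ImagePath = $image
            Start     = $props.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            NameMatch = $nameHit
            FileMatch = $fileHit
            Signature = $status
        }
    }
}

Get-SuspectDriverServices | Format-Table -AutoSize
```

A hit with Signature = Valid and a Microsoft or Macrovision signer is the legitimate driver of the same name; a hit with NotSigned, or with a file that is missing from disk while the service is still registered, is what the description is talking about. On older Windows releases Get-AuthenticodeSignature does not consult the signing catalog, so a NotSigned result for a Microsoft-named file there needs a second look (for example with sigverif) before it is treated as malicious.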

Troj/Mdrop-BTP

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/Dwnldr-HEZ

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/Dloadr-BNO

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Category Viruses and Spyware

Type Trojan

Troj/Dloadr-BNO is a Trojan downloader for the Windows platform.

Troj/Dloadr-BNO attempts to download two files from a remote server to the following locations, and then execute them:

<Windows>\regsvr.exe
<Windows>\spoolsv.exe

At the time of writing, the file regsvr.exe is detected as Troj/Bancos-BEE and the file spoolsv.exe is detected as Mal/Banspy-G.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbno.html?_log_from=rss
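The Troj/Dloadr-BNO post has the downloaded files land in the Windows directory itself under system-binary names. The genuine spoolsv.exe lives in System32, so a copy in <Windows> is out of place. The check below, an added example that is not from the Sophos analysis, lists executables in the Windows root whose names collide with System32 binaries, plus the other name the description gives (regsvr.exe), and shows their signature. Some collisions are normal (notepad.exe, regedit.exe, write.exe and hh.exe exist in both places), which is why the signer column is there. Function and field names are this example's own.

```powershell
# Added example: executables in the Windows directory root that share a name
# with a System32 binary, or match the names Dloadr-BNO drops, with signatures.
function Get-WindowsRootMasquerades {
    param(
        [string]$WindowsDir = $env:SystemRoot,
        # Names the Dloadr-BNO description says are dropped into <Windows>
        [string[]]$ListedNames = @('regsvr.exe', 'spoolsv.exe')
    )
    $sys32Names = @{}
    foreach ($f in Get-ChildItem -Path (Join-Path $WindowsDir 'System32') -Filter '*.exe' -ErrorAction SilentlyContinue) {
        $sys32Names[$f.Name.ToLowerInvariant()] = $true
    }
    foreach ($f in Get-ChildItem -Path $WindowsDir -Filter '*.exe' -Force -ErrorAction SilentlyContinue) {
        $collides = $sys32Names.ContainsKey($f.Name.ToLowerInvariant())
        $listed   = $ListedNames -contains $f.Name
        if (-not ($collides -or $listed)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            File                 = $f.FullName
            Listed               = $listed
            CollidesWithSystem32 = $collides
            Signature            = $sig.Status
            Signer               = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified             = $f.LastWriteTime
            Hidden               = [bool]($f.Attributes -band [System.IO.FileAttributes]::Hidden)
        }
    }
}

Get-WindowsRootMasquerades | Format-Table -AutoSize
```

An unsigned spoolsv.exe or regsvr.exe in the Windows root with a recent Modified time is the artefact to pull for analysis; the Sophos text names the detections the two files carried at the time of writing (Troj/Bancos-BEE and Mal/Banspy-G), so a banking-credential theft angle is the first thing to triage for.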

Troj/Bancos-BEE

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/Agent-HEJ

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/KCryDr-A

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/DwnLdr-HFB

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/PSW-FJ

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/LdPinch-RZ

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/KCryTl-A

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/Buzus-C

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Mal/DwndLdr-AE

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

W32/YahLover.worm!F3BDF3AA

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

W32/Autorun.worm.dl

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Type Virus

SubType Worm

Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics -

This worm may be previously detected generically as HTool-PWSYahooDump.

W32/Autorun.worm.dl will attempt to steal any Yahoo Messenger password on the user's machine using a Yahoo Messenger password dump tool known as HTool-PWSYahooDump. In addition, it will also drop a keylogger and email any keylog and password to the following email address:

boydreadboy@yahoo.com

The following files are added:

http://vil.mcafeesecurity.com/vil/content/v_146666.htm

W32/Autorun.worm.av

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Type Virus

SubType Worm

Overview -

This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes. Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.

Characteristics -

The worm makes copies of itself in one or more of the following location(s):

%SystemDrive%:\svchovst.exe (W32/Autorun.worm.av)
%Windir%\svchovst.exe (W32/Autorun.worm.av)
X:\bluefire.exe (W32/Autorun.worm.av)

(Where %SystemDrive% is the Windows system drive letter, e.g. C:, and %Windir% is the Windows folder, e.g. C:\Windows. X:\ refers to the drive letter(s) of removable and network drives.)

It will also create the following registry key(s) to execute the worm at system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"winserver" = "%Windir%\svchovst.exe /svchovst:Kernel32.Dll"

In addition, the following key(s) are also created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\svchovstc


http://vil.mcafeesecurity.com/vil/content/v_143655.htm
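The Autorun.inf the W32/Autorun.worm.av post describes is a plain INI file whose [autorun] section tells Explorer what to run. The parser below, an added example that is not from the McAfee description, reads the autorun.inf on the root of every mounted volume, keeps the directives that launch something (open=, shellexecute=, and shell\<verb>\command=), and reports whether the referenced file is actually present on that volume. One caveat a responder should keep in mind: after KB971029 and by default on Windows 7 and later, AutoRun no longer fires for non-optical removable media, so on current systems the file is an indicator of an infected drive rather than a live execution path. Function and field names are this example's own.

```powershell
# Added example: parse the [autorun] section of autorun.inf on each volume root
# and report the commands it would launch.
function Get-AutorunInfTargets {
    param(
        # Default: the root of every file-system drive PowerShell can see
        [string[]]$Roots = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    )
    foreach ($root in $Roots) {
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $item = Get-Item -LiteralPath $inf -Force
        $inAutorun = $false
        foreach ($line in (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue)) {
            $t = $line.Trim()
            # Section headers: only [autorun] matters; the worm may pad the file with junk sections
            if ($t -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
            if (-not $inAutorun -or $t -match '^[;#]' -or $t -notmatch '=') { continue }
            $name, $value = $t -split '=', 2
            $name = $name.Trim(); $value = $value.Trim()
            # open= and shellexecute= run on insert; shell\<verb>\command= hooks Explorer's context verbs
            if ($name -notin @('open', 'shellexecute') -and $name -notmatch '^shell\\[^\\]+\\command$') { continue }
            $exe = ($value -split '\s+', 2)[0].Trim('"')
            [pscustomobject]@{
                Volume       = $root
                Directive    = $name
                Command      = $value
                TargetOnDisk = [bool]($exe -and (Test-Path -LiteralPath (Join-Path $root $exe)))
                InfHidden    = [bool]($item.Attributes -band [System.IO.FileAttributes]::Hidden)
                InfModified  = $item.LastWriteTime
            }
        }
    }
}

Get-AutorunInfTargets | Format-Table -AutoSize
```

For the worm above you would expect a Command of bluefire.exe on a removable or network drive, with the .inf and the target both present and usually hidden; a directive whose target is missing is the trace left after a partial clean-up and still worth recording.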

JS/Puper.dldr

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Type Trojan

SubType Downloader

Overview -

This description is for a downloader trojan written in JavaScript, which downloads the Puper trojan onto the user's computer.

Such downloader trojans exploit vulnerabilities in the user's internet browser and download other malware without any user interaction, or trick the user into downloading the malware by pretending to be something beneficial.

Aliases
JS/Agent.EC [F-Prot]
JS/Downloader.Agent [AVG]
Trojan.HTML.Zlob.AA [Bit Defender]
Trojan.HTML.Zlob.J [Kaspersky]

http://vil.mcafeesecurity.com/vil/content/v_144193.htm

KeyLogger Application

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Trojan.Peed.JVL

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

SYMPTOMS:

Computer slow-downs
Increased network activity.
Presence of the specified files and registry entries.

TECHNICAL DESCRIPTION:

When started, the malware copies itself to the following location:
%windows%\[malware_name].exe

It creates the following registry entry:
HKCU\Microsoft\Windows\CurrentVersion\Run\"[malware_name]" = "%windows%\[malware_name].exe"

A few examples of [malware_name] are:
"msserv"
"msssecurity"


http://www.bitdefender.com/VIRUS-1000333-en--Trojan.Peed.JVL.html

Troj/Iframe-AK

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/Iframe-AG

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/FakeVir-CQ

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Category Viruses and Spyware

Type Trojan

Troj/FakeVir-CQ is a Trojan for the Windows platform.

Troj/FakeVir-CQ pretends to be a spyware and malware detection program, but will always report the presence of unwanted files, in an attempt to trick the user into paying to register the software.

Troj/FakeVir-CQ creates the following registry entry in order to start when Windows boots:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
pestsweeper
<Program Files>\PestSweeper\pestsweeper.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevircq.html?_log_from=rss
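Three of the posts above persist through the Run key: W32/Autorun.worm.av with a "winserver" value, Trojan.Peed.JVL with names such as "msserv" and "msssecurity", and Troj/FakeVir-CQ with "pestsweeper". The audit below is an added example (not from the McAfee, BitDefender or Sophos descriptions) that covers all three: it reads the Run and RunOnce keys for the machine and the current user, resolves each value to the executable it launches, and flags the value names those descriptions list, executables outside Program Files and System32, and images that are not signed. The function names, the list of trusted directories and the output fields are this example's own.

```powershell
# Added example: audit HKLM/HKCU Run and RunOnce values, resolve the executable
# from each command line, and flag listed names, unusual locations and unsigned images.
$ListedValueNames = 'winserver', 'msserv', 'msssecurity', 'pestsweeper'

function Get-CommandExecutable([string]$CommandLine) {
    # First token of a command line: a quoted path, or text up to the first space
    $c = $CommandLine.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+', 2)[0]
}

function Get-RunKeyAudit {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # Directories from which autostarts are usually expected (assumed list); anything else is worth a look
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, (Join-Path $env:SystemRoot 'System32')) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not registry values
            $cmd = [string]$p.Value
            $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandExecutable $cmd))
            $exists = $exe -and (Test-Path -LiteralPath $exe)
            $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
            $lower = $exe.ToLowerInvariant()
            $inTrusted = [bool]($trusted | Where-Object { $lower.StartsWith($_ + '\') })
            [pscustomobject]@{
                Key                = $key
                ValueName          = $p.Name
                Command            = $cmd
                Executable         = $exe
                ListedName         = $p.Name -in $ListedValueNames
                OutsideTrustedDirs = -not $inTrusted
                Signature          = $sigStatus
            }
        }
    }
}

Get-RunKeyAudit | Sort-Object ListedName, OutsideTrustedDirs -Descending | Format-Table -AutoSize
```

Note what each flag catches: the svchovst.exe entry sits in the Windows folder and is caught by OutsideTrustedDirs, the Peed.JVL entries by the same flag plus ListedName, while pestsweeper.exe installs under Program Files and is caught only by its name and signature, which is why the three columns are kept separate. On 64-bit systems the Wow6432Node Run key is a further location the example does not read.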

Troj/Agent-HEO

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008

Troj/Agent-HEN

In reply to: VIRUS \ Spyware ALERTS - July 4, 2008
