Spyware, Viruses, & Security forum

VIRUS \ SPYWARE ALERTS - July 9, 2009

by Marianna Schmudlach / July 9, 2009 12:25 AM PDT

Troj/PCAgnt-Gen

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows

Troj/PCAgent-Gen is a keylogging Trojan for the Windows platform.

When Troj/PCAgent-Gen is installed it creates the file <Windows>\p<random digits>.ini.

The following registry entry is set:

HKCR\pcamon\DefaultIcon
(default)
<pathname of the Trojan executable>

Registry entries are created under:

HKCR\.pca\

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpcagntgen.html?_log_from=rss
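The Sophos description above gives three host indicators for this Trojan: a `p<random digits>.ini` file in the Windows directory, the `HKCR\pcamon\DefaultIcon` key whose default value names the Trojan executable, and entries under `HKCR\.pca\`. The following matcher is an added example, not Sophos' tooling and not part of the original post. It works on a registry snapshot (a dict of key path to value name/data, an assumed format chosen so the check runs on any platform) and a listing of the Windows directory; the infected and clean snapshots are constructed for illustration, and the executable path and subkey name in them are placeholders.

```python
import re
from typing import Iterable

# Indicators of compromise for Troj/PCAgent-Gen, taken from the Sophos
# description quoted above. The matcher, the snapshot format and the sample
# data are an added illustration, not Sophos' own tooling.
DEFAULT_ICON_KEY = r"HKCR\pcamon\DefaultIcon"       # (default) value holds the Trojan's path
PCA_KEY_PREFIX = r"HKCR\.pca"                       # entries are created under HKCR\.pca\
INI_NAME = re.compile(r"^p\d+\.ini$", re.IGNORECASE)  # <Windows>\p<random digits>.ini


def _norm(path: str) -> str:
    """Registry and NTFS paths are case-insensitive; compare them lower-cased
    with any trailing backslash stripped."""
    return path.rstrip("\\").lower()


def match_pcagent_indicators(registry: dict[str, dict[str, str]],
                             windows_dir_listing: Iterable[str]) -> list[str]:
    r"""Return one human-readable finding per matching indicator.

    `registry` maps a key path (e.g. r"HKCR\pcamon\DefaultIcon") to its values
    ({value name: data}); "(default)" names the default value.
    `windows_dir_listing` holds the file names directly inside <Windows>.
    An empty list means none of the documented indicators were present.
    """
    findings: list[str] = []
    keys = {_norm(k): v for k, v in registry.items()}

    # 1. HKCR\pcamon\DefaultIcon, whose (default) value points at the Trojan.
    icon_values = keys.get(_norm(DEFAULT_ICON_KEY))
    if icon_values is not None:
        target = icon_values.get("(default)", "")
        findings.append(f"registry: {DEFAULT_ICON_KEY} present, (default) = {target!r}")

    # 2. The HKCR\.pca key itself or anything beneath it.
    prefix = _norm(PCA_KEY_PREFIX)
    for key in sorted(keys):
        if key == prefix or key.startswith(prefix + "\\"):
            findings.append(f"registry: key under {PCA_KEY_PREFIX}\\ present: {key}")

    # 3. A p<digits>.ini file directly inside the Windows directory.
    for name in windows_dir_listing:
        if INI_NAME.match(name):
            findings.append(f"file: <Windows>\\{name} matches p<random digits>.ini")

    return findings


# Constructed snapshots for demonstration (not real captures); the executable
# path and the subkey name are placeholders, not values from the description.
INFECTED_REGISTRY = {
    r"HKCR\pcamon\DefaultIcon": {"(default)": r"C:\Windows\Temp\placeholder.exe"},
    r"HKCR\.pca": {"(default)": "pcamon"},
    r"HKCR\.pca\constructed_subkey": {"(default)": ""},
}
INFECTED_WINDOWS_DIR = ["explorer.exe", "p48213.ini", "win.ini"]

CLEAN_REGISTRY = {
    r"HKCR\.txt": {"(default)": "txtfile"},
    r"HKCR\txtfile\DefaultIcon": {"(default)": r"%SystemRoot%\system32\imageres.dll,-102"},
}
CLEAN_WINDOWS_DIR = ["explorer.exe", "win.ini", "system.ini"]

if __name__ == "__main__":
    for label, reg, files in (("infected", INFECTED_REGISTRY, INFECTED_WINDOWS_DIR),
                              ("clean", CLEAN_REGISTRY, CLEAN_WINDOWS_DIR)):
        hits = match_pcagent_indicators(reg, files)
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  " + hit)
```

The file name pattern alone is weak evidence (any program could drop a `p1234.ini`), so treat it as corroboration for the registry findings rather than a verdict on its own; on a live Windows host the snapshot would be built from `winreg` and `os.listdir`, which are outside this portable example.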

Troj/Mdrop-CDS
by Marianna Schmudlach / July 9, 2009 12:25 AM PDT

Troj/MDrop-CDR
by Marianna Schmudlach / July 9, 2009 12:26 AM PDT

Troj/LdPinch-SH
by Marianna Schmudlach / July 9, 2009 12:27 AM PDT

Troj/JSShell-J
by Marianna Schmudlach / July 9, 2009 12:28 AM PDT

Troj/Dldr-AW
by Marianna Schmudlach / July 9, 2009 12:28 AM PDT

Troj/BHO-MS
by Marianna Schmudlach / July 9, 2009 12:29 AM PDT

Troj/Bckdr-QWP
by Marianna Schmudlach / July 9, 2009 12:30 AM PDT

Troj/Agent-KLY
by Marianna Schmudlach / July 9, 2009 12:31 AM PDT

Troj/Agent-KLX
by Marianna Schmudlach / July 9, 2009 12:31 AM PDT

Troj/AdClick-FP
by Marianna Schmudlach / July 9, 2009 12:33 AM PDT

Troj/Agent-KLW
by Marianna Schmudlach / July 9, 2009 12:33 AM PDT

Troj/Buzus-AP
by Marianna Schmudlach / July 9, 2009 12:34 AM PDT

Troj/Buzus-AQ
by Marianna Schmudlach / July 9, 2009 12:35 AM PDT

Troj/FakeAV-VM
by Marianna Schmudlach / July 9, 2009 12:36 AM PDT

"Sexy Space" Symbian Worm
by Marianna Schmudlach / July 9, 2009 12:39 AM PDT

Thursday, July 9, 2009

Posted by Response

Dancho Danchev of ZDNet's Zero Day blog has an interesting post regarding Transmitter.C, which is supposedly a significant modification of the Sexy View SMS worm that we posted about in February.

We've analyzed this new variant, which we call Worm:SymbOS/Yxe.D, and from our point of view there are no major differences from our original detection.

Except for one thing...

This Yxe.D variant is signed with a certificate from yet another company.

More: http://www.f-secure.com/weblog/

W32.SillyFDC.BCI
by Marianna Schmudlach / July 9, 2009 12:41 AM PDT

W32.SillyFDC.BCJ
by Marianna Schmudlach / July 9, 2009 12:42 AM PDT

W32.SillyFDC.BCK
by Marianna Schmudlach / July 9, 2009 12:43 AM PDT

ColdFusion Spurs Another Mass Compromise
by Marianna Schmudlach / July 9, 2009 12:44 AM PDT

by Jonathan Leopando (Technical Communications)

June saw more than its fair share of mass-compromised websites, with one wave early in the month and Nine Ball hitting later on in the month. One would hope that July would be different, but it was not to be.

Last week saw another wave of compromised websites that had one thing in common: they were all running ColdFusion on their servers. ColdFusion is a popular platform for developing Internet applications. It is currently owned by Adobe. Users blamed the effectiveness of this attack on older versions of certain ColdFusion applications that sported security vulnerabilities and allowed malicious users to upload code to run on already-compromised servers. Cybercriminals then modified the compromised sites to include iframe links to malicious websites.

As with previous attacks, these compromised websites download a malicious file Trend Micro detects as TROJ_DROPPER.PXQ onto the affected system. This file then drops and runs another file detected as TROJ_DLOADR.XNI, which in turn, downloads and executes files detected as TROJ_WIMPIXO.BG and TROJ_SOMEX.C.

Just like the other attacks, the end goal of this particular wave is to steal user information. However, the files in question are already detected by Smart Protection Network.

http://blog.trendmicro.com/
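The Trend Micro post above says the compromised sites were modified to carry iframe links to malicious websites. A site owner checking whether their own pages were touched can look for exactly that: frames whose source points off-site, especially ones rendered invisibly. The scanner below is an added example and not Trend Micro's code or part of the original post; it uses only the Python standard library, and the two sample pages, the `attacker.example` host and the `player.video.example` allow-listed embed are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: list[dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "iframe":  # HTMLParser already lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_hidden(attrs: dict[str, str]) -> bool:
    """True when the frame would not be visible to a visitor: zero or one pixel
    dimensions, or inline CSS that hides it. Injected frames are usually hidden
    so the page still looks normal."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(dim, "").strip().lower().rstrip("px") in ("0", "1")
               for dim in ("width", "height"))
    return (tiny or "display:none" in style or "visibility:hidden" in style
            or "width:0" in style or "height:0" in style)


def find_suspicious_iframes(html: str, site_host: str,
                            allowed_hosts: frozenset[str] = frozenset()) -> list[dict]:
    """Return one record per <iframe> whose src points off-site, i.e. neither
    the page's own host nor an allow-listed embed provider. Each record carries
    the src, the host and whether the frame is hidden."""
    collector = _IframeCollector()
    collector.feed(html)
    own = site_host.lower()
    allowed = {h.lower() for h in allowed_hosts}
    findings: list[dict] = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if not host or host == own or host in allowed:
            continue  # relative src, same-site frame, or a known-good embed
        findings.append({"src": src, "host": host, "hidden": _is_hidden(attrs)})
    return findings


# Constructed sample pages (not real captures): a store page carrying one
# legitimate same-site frame and one injected, hidden, off-site frame, and a
# clean page whose only off-site frame is a video embed.
INJECTED_PAGE = """<html><body>
<h1>Store front</h1>
<iframe src="/help/widget.cfm" width="300" height="200"></iframe>
<p>Welcome back.</p>
<IFRAME src="http://attacker.example/in.php" width=0 height=0 style="visibility: hidden"></IFRAME>
</body></html>"""

CLEAN_PAGE = """<html><body>
<iframe src="/help/widget.cfm" width="300" height="200"></iframe>
<iframe src="https://player.video.example/embed/42" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        hits = find_suspicious_iframes(page, "www.victim.example",
                                       frozenset({"player.video.example"}))
        print(f"{label}: {hits}")
```

Run this over the HTML the web server actually serves (fetched, not read from the source tree), since the injected content may be appended at request time by a modified template or handler. Hidden off-site frames are the strong signal; visible off-site frames need a human look because embeds from third parties are common on legitimate pages.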

Click Fraud Takes a Step Forward with TROJ_FFSEARCH
by Marianna Schmudlach / July 9, 2009 12:45 AM PDT

by Det Caraig (Technical Communications)

Earlier this month, TrendLabs security experts discovered that around 40,000 websites have been hacked and seeded with code that bombarded visitors' PCs with countless browser exploits to install a Trojan, which we already detected as TROJ_FFSEARCH.A. This Trojan has been found to be among the malware installed by another threat. It is known as FFSearcher, named after one of the websites used in the scam, ffsearcher.com.

Click fraud has become a rapidly growing problem for legitimate companies and advertising networks as it inflates online advertising costs. In the past few years, cybercriminals have been using malicious software to perpetrate click fraud. They hijack search results displayed by engines whenever a user tries to find something online. Unfortunately, these scams can be unwieldy, as victims often quickly figure out that something is wrong when their searches are redirected to unfamiliar portals.

Click fraud Trojans are as old as Internet advertising itself. These usually come in one of the following two types:

More: http://blog.trendmicro.com/

Other:W32/False Positive
by Marianna Schmudlach / July 9, 2009 12:46 AM PDT

Name : Other:W32/False Positive
Category: Clean - Not Malware
Type: Other
Platform: W32

Summary
When a legitimate file is detected as infected by an antivirus product, it is called a "false positive" or a "false alarm".


Additional Details
False positives sometimes occur in every antivirus product because of the complexity of present-day malware and file compression/protection utilities that are used on both malware and legitimate software.

If you encounter a false positive, please submit a sample of it for testing and verification, specifying that you are submitting a false positive. Any additional information such as the origin of the file, scanning report file, and false positive detection name will help to resolve the issue more quickly.

More: http://www.f-secure.com/v-descs/other_w32_false_positive.shtml

Worm:SymbOS/Yxe
by Marianna Schmudlach / July 9, 2009 12:49 AM PDT

Name : Worm:SymbOS/Yxe
Detection Names : Worm.SymbOS.Yxe
Worm:SymbOS/Yxe
Worm:SymbOS/Yxe.gen
Aliases : SymbOS/Yxes.A!worm, Transmitter (Other)
Category: Malware
Type: Worm
Type: SMS-Worm, Trojan
Platform: SymbOS

Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.


Disinfection
Prevention

S60 phones have a list of valid certificates.

To maintain a current list of valid certificates, the application manager settings should be adjusted from the defaults. The default App. manager setting for Online certif. check is Off.

The On setting is necessary to remove revoked certificates from your phone during installation.

Online Certificate Check details from Nokia:

* You should have network access to install applications if check is on.
* This may pose cost of data transfer to you.
* "On" means that if the connection to the server fails, installation can be done. A revoked application can in that case be installed.
* "Must be passed" means that if the connection to the server fails, you will not be able to install.

More: http://www.f-secure.com/v-descs/worm_symbos_yxe.shtml

Win32/Cbeplay.C
by Marianna Schmudlach / July 9, 2009 12:50 AM PDT

Date Published:
9 Jul 2009

Last Updated:
9 Jul 2009

Characteristics

Type : Trojan

Category : Win32

Also known as: W32/Downldr2.BLMD (exact)(F-Prot)


Description
This malware is detected by eTrust Antivirus solutions. Please see above for the relevant signature updates.

This malware is being dissected by the CA Security Advisory Team - a detailed analysis will be available shortly.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=79080

Win32/Boaxxe.AC
by Marianna Schmudlach / July 9, 2009 12:51 AM PDT

Date Published:
9 Jul 2009

Last Updated:
9 Jul 2009

Characteristics

Type : Trojan

Category : Win32

Also known as: Trojan:Win32/Boaxxe.F (MS OneCare)


Description
This malware is detected by eTrust Antivirus solutions. Please see above for the relevant signature updates.

This malware is being dissected by the CA Security Advisory Team - a detailed analysis will be available shortly.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=79079

Win32/AdClicker.ADH
by Marianna Schmudlach / July 9, 2009 12:52 AM PDT

Date Published:
9 Jul 2009

Last Updated:
9 Jul 2009

Characteristics

Type : Trojan

Category : Win32

Also known as: Trojan-Clicker.Win32.PronClick.hn(Kaspersky)


Description
This malware is detected by eTrust Antivirus solutions. Please see above for the relevant signature updates.

This malware is being dissected by the CA Security Advisory Team - a detailed analysis will be available shortly.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=79078

Win32/Refpron.DZ
by Marianna Schmudlach / July 9, 2009 12:53 AM PDT

Date Published:
9 Jul 2009

Last Updated:
9 Jul 2009

Characteristics

Type : Trojan

Category : Win32

Also known as: Backdoor:Win32/Refpron.gen!C (MS OneCare)


Description
This malware is detected by eTrust Antivirus solutions. Please see above for the relevant signature updates.

This malware is being dissected by the CA Security Advisory Team - a detailed analysis will be available shortly.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=79077

USBcillin
by Marianna Schmudlach / July 9, 2009 12:56 AM PDT

Troj/BHO-MQ more than meets the eye
by Marianna Schmudlach / July 9, 2009 1:39 AM PDT

July 9th, 2009

by Pob, SophosLabs, UK

One of the most difficult types of malware SophosLabs analysts face is the type that appears to do nothing. Last week a colleague came across a file that appeared to do nothing and asked me to help dig deeper.

He found what looks like JavaScript in the code section.


The rest of the code manipulates what Internet Explorer sees and will insert this JavaScript into pages.

The JavaScript is heavily obfuscated and decodes to:

More: http://www.sophos.com/blogs/sophoslabs/

W32/Autorun-ALK
by Marianna Schmudlach / July 9, 2009 2:14 AM PDT

Troj/Zlob-ASV
by Marianna Schmudlach / July 9, 2009 2:15 AM PDT