Spyware, Viruses, & Security forum

General discussion

VIRUS \ Spyware ALERTS - June 10, 2008

by Marianna Schmudlach / June 9, 2008 1:13 PM PDT
MeMedia AdVantage
by Marianna Schmudlach / June 9, 2008 1:17 PM PDT
Sus/Iframe-J
by Marianna Schmudlach / June 9, 2008 1:21 PM PDT
Sus/Behav-238
by Marianna Schmudlach / June 9, 2008 1:22 PM PDT
Troj/Dropr-O
by Marianna Schmudlach / June 9, 2008 11:13 PM PDT
W32/Autorun-EZ
by Marianna Schmudlach / June 9, 2008 11:14 PM PDT

Aliases W32/Autorun.worm.g
not-virus:BadJoke.Win32.Nuuh.g

Category Viruses and Spyware

Type Worm

W32/Autorun-EZ is a worm for the Windows platform.

When W32/Autorun-EZ is installed the following files are created:

<Temp>\68468.bat
<Temp>\es vbb 24-3-08.bat

68468.bat is also detected as W32/Autorun-EZ, and es vbb 24-3-08.bat is an empty file.

W32/Autorun-EZ displays the following message when run:

Hi %username% how are you? Valo Achoto? ebxbev@yahoo.com

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunez.html?_log_from=rss

Troj/Psyme-JD
by Marianna Schmudlach / June 9, 2008 11:15 PM PDT
Troj/DwnLdr-HEG
by Marianna Schmudlach / June 9, 2008 11:17 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/DwnLdr-HEG is a download and dropper Trojan for the Windows platform.

When first run Troj/DwnLdr-HEG copies itself to:

<User>\cftmon.exe
<System>\drivers\spools.exe

and creates the following files:

<User>\ftp34.dll
<System>\ftp34.dll

The files <System>\ftp34.dll and <User>\ftp34.dll are detected as W32/Niya-C.

The following registry entries are created to run cftmon.exe and spools.exe on startup:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrheg.html?_log_from=rss

Troj/Agent-HBR
by Marianna Schmudlach / June 9, 2008 11:18 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-HBR is a Trojan for the Windows platform.

When first run, Troj/Agent-HBR copies itself to:
<Program Files>\Antivirus2008\Antvrs.exe

Troj/Agent-HBR has the functionality to:
- download files from preconfigured URLs
- open links to websites
- log keystrokes
- steal information from the clipboard
- upload to preconfigured URLs
- act as a proxy

The following registry entry is changed to run Antvrs.exe on startup:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthbr.html?_log_from=rss

Mal/DocDrop-A
by Marianna Schmudlach / June 9, 2008 11:19 PM PDT
TROJ_GPCODE.AD
by Marianna Schmudlach / June 10, 2008 12:30 AM PDT

Malware type: Trojan

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware.

It searches and encrypts files with certain extension names found on any readable and writable drives.

As a result, the said files become unreadable. It then drops and opens a .VBS file which informs the user that the files have been encrypted, and that special software must be purchased to decrypt the files. It displays the following message box:

More: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FGPCODE%2EAD

Trojan-Dropper:W32/Agent.SLH
by Marianna Schmudlach / June 10, 2008 12:32 AM PDT
Vundo.gen.c
by Marianna Schmudlach / June 10, 2008 12:33 AM PDT

Description:
Vundo.gen.c is a Trojan that displays unsolicited pop-up advertisements and entices users to install rogue anti-spyware or anti-virus programs; it can be spread by malicious websites and spam emails.

http://vil.nai.com/vil/content/v_144540.htm

W32/Sdbot-DKL
by Marianna Schmudlach / June 10, 2008 1:05 AM PDT

Aliases W32/Sdbot.worm
Backdoor.Win32.Rbot.fbg

Category Viruses and Spyware

Type Worm

W32/Sdbot-DKL is a worm with IRC backdoor functionality for the Windows platform.

W32/Sdbot-DKL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run, W32/Sdbot-DKL copies itself to the System folder with a random name and creates the file <Windows>\wpcjmd.log. wpcjmd.log is harmless and can be deleted.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32sdbotdkl.html?_log_from=rss

W32/Otwycal-A
by Marianna Schmudlach / June 10, 2008 1:06 AM PDT
W32/Mabzat-A
by Marianna Schmudlach / June 10, 2008 1:09 AM PDT
W32/Autorun-FA
by Marianna Schmudlach / June 10, 2008 1:10 AM PDT

Category Viruses and Spyware

Type Worm

W32/Autorun-FA is a worm for the Windows platform.

W32/Autorun-FA includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Autorun-FA copies itself to:

<Windows>\regsvr.exe
<System>\regsvr.exe
<System>\winhelp.exe

and creates the following files:

<System>\setting.ini
<System>\setup.ini
<Windows>\winhelp.ini

The file setup.ini is detected as Troj/Agent-GXM.

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunfa.html?_log_from=rss

Troj/Winnet-C
by Marianna Schmudlach / June 10, 2008 1:11 AM PDT
Troj/Bckdr-QNV
by Marianna Schmudlach / June 10, 2008 1:13 AM PDT

Aliases BackDoor-AWQ.b
Backdoor.Win32.Hupigon.axbl
BKDR_HUPIGON.SLD

Category Viruses and Spyware

Type Trojan

Troj/Bckdr-QNV is a Trojan for the Windows platform.

When first run Troj/Bckdr-QNV copies itself to:

<Common Files>\Microsoft Shared\MSInfo\re101.exe
<Root>\re101.exe
<System>\_re101.exe

and creates the following files:

<Root>\AutoRun.inf
<Common Files>\Microsoft Shared\MSInfo\DelSvel.bat

AutoRun.inf is also detected as Troj/Bckdr-QNV, and DelSvel.bat is harmless.

The file re101.exe is registered as a new system driver service named "Microsoft Software", with a display name of "Microsoft Software10" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Software

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbckdrqnv.html?_log_from=rss

Mal/ExpJS-H
by Marianna Schmudlach / June 10, 2008 1:14 AM PDT
Mal/EncPk-DZ
by Marianna Schmudlach / June 10, 2008 1:15 AM PDT
Mal/Behav-066
by Marianna Schmudlach / June 10, 2008 1:17 AM PDT
W32/Sdbot-DKM
by Marianna Schmudlach / June 10, 2008 6:17 AM PDT

Aliases W32/Sdbot.worm.gen.ci

Category Viruses and Spyware

Type Worm

W32/Sdbot-DKM is a worm for the Windows platform.

When first run W32/Sdbot-DKM copies itself to <System>\filename.exe.

The following registry entries are created to run filename.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HOT FIX
filename.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HOT FIX
filename.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HOT FIX
filename.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HOT FIX
filename.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HOT FIX
filename.exe

The file filename.exe is registered as a new file system driver service named "hotfix.microsoft.com", with a display name of "HOT FIX" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\hotfix.microsoft.com

http://www.sophos.com/security/analyses/viruses-and-spyware/w32sdbotdkm.html?_log_from=rss

Troj/StartP-BG
by Marianna Schmudlach / June 10, 2008 6:18 AM PDT

Aliases Backdoor.Win32.IRCBot.dlu

Category Viruses and Spyware

Type Trojan

Troj/StartP-BG is a Trojan for the Windows platform.

When first run Troj/StartP-BG copies itself to <Windows>\rundll32.exe.

The following registry entry is created to run rundll32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Mr
<Windows>\rundll32.exe

Troj/StartP-BG changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.sophos.com/security/analyses/viruses-and-spyware/trojstartpbg.html?_log_from=rss
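The W32/Sdbot-DKM, Troj/StartP-BG and Troj/Bckdr-QNV posts above each describe persistence through Run/RunOnce/RunServices values or a look-alike service key. As an added defender-side example (not part of this thread or of the Sophos write-ups), the Python below parses a `reg export`-style file taken from a suspect machine and flags exactly the value names and service key names those three posts quote; the sample export is constructed here and the indicator tables contain nothing beyond what the posts state.

```python
# Constructed sample in the layout of a `reg export` file (not a real capture):
# the artifacts quoted in the Sdbot-DKM, StartP-BG and Bckdr-QNV posts, plus
# one benign entry (OneDrive) that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"HOT FIX"="filename.exe"
"Mr"="C:\\WINDOWS\\rundll32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"HOT FIX"="filename.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hotfix.microsoft.com]
"DisplayName"="HOT FIX"
"ImagePath"="C:\\WINDOWS\\system32\\filename.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Software]
"DisplayName"="Microsoft Software10"
"""
# Autostart keys from the Sdbot-DKM post, as path suffixes so HKCU and HKLM both match.
AUTOSTART = tuple("\\software\\microsoft\\windows\\currentversion\\" + k
                  for k in ("run", "runonce", "runservices"))
# Value names and service key names exactly as quoted in the three posts.
SUSPECT_RUN_VALUES = {"hot fix": "W32/Sdbot-DKM", "mr": "Troj/StartP-BG"}
SUSPECT_SERVICES = {"hotfix.microsoft.com": "W32/Sdbot-DKM",
                    "microsoft software": "Troj/Bckdr-QNV"}

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # unescape REG_SZ
    return keys

def scan_reg_export(text):
    """Return (family, key_path, value_name, data) for each matched artifact."""
    findings = []
    for path, values in parse_reg_export(text).items():
        low = path.lower()
        if low.endswith(AUTOSTART):
            for name, data in values.items():
                if name.lower() in SUSPECT_RUN_VALUES:
                    findings.append((SUSPECT_RUN_VALUES[name.lower()], path, name, data))
        elif "\\currentcontrolset\\services\\" in low:
            svc = path.rsplit("\\", 1)[-1].lower()
            if svc in SUSPECT_SERVICES:
                findings.append((SUSPECT_SERVICES[svc], path, "DisplayName",
                                 values.get("DisplayName", "")))
    return findings
```

Run it against the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` and the Run keys of each hive; value-name and key-name matching is case-insensitive because the registry itself is.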

Troj/Rootkit-CU
by Marianna Schmudlach / June 10, 2008 6:19 AM PDT
Troj/PWS-ARM
by Marianna Schmudlach / June 10, 2008 6:21 AM PDT
Troj/FakeAle-BZ
by Marianna Schmudlach / June 10, 2008 6:22 AM PDT
Troj/Agent-HBT
by Marianna Schmudlach / June 10, 2008 6:23 AM PDT
Troj/Agent-HBS
by Marianna Schmudlach / June 10, 2008 6:24 AM PDT
Mal/EncPk-EA
by Marianna Schmudlach / June 10, 2008 6:26 AM PDT
Mal/Dbot-A
by Marianna Schmudlach / June 10, 2008 6:27 AM PDT

Category Viruses and Spyware

Type Malicious Behavior

Mal/Dbot-A is a file with behavioral characteristics typical of backdoor Trojans.

Typical functionality includes:

Installation of itself in a system folder and setting of a runkey;
Accessing the internet to communicate with a remote server via HTTP;
Possibly scanning for, and attempting to terminate, security related processes.


http://www.sophos.com/security/analyses/viruses-and-spyware/maldbota.html?_log_from=rss
