Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - June 12, 2009

by Marianna Schmudlach / June 11, 2009 11:32 PM PDT
Troj/KeyLog-LM
by Marianna Schmudlach / June 11, 2009 11:33 PM PDT
Troj/Babeie-A
by Marianna Schmudlach / June 11, 2009 11:41 PM PDT
W32/Tiotua-R
by Marianna Schmudlach / June 11, 2009 11:42 PM PDT

Aliases

* TR/Autoit.CI.14
* Trojan.Win32.Autoit.ci
* W32/Autorun.worm.cs
* Win32/AutoRun.JZ
* WORM_DELF.FKZ

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices
* Network shares

Affected operating systems: Windows
Characteristics

* Installs itself in the registry


W32/Tiotua-R is a worm for the Windows platform.

The worm attempts to spread by sending itself via Yahoo Messenger and is spread via removable devices.

W32/Tiotua-R contains the functionality to disable certain anti-virus and security software.

When first run W32/Tiotua-R copies itself to the following locations:
<Windows>\regsvr.exe
<System>\regsvr.exe
<System>\svchost .exe

and creates the following files:

<System>\settings.ini
<System>\setup.ini (detected as W32/AutoIt-O)

and creates the following folder:

<System>\28463

On removable devices W32/Tiotua-R will attempt to create the following files:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32tiotuar.html?_log_from=rss

VBS/Solow-K
by Marianna Schmudlach / June 11, 2009 11:43 PM PDT
Troj/Zbot-GC
by Marianna Schmudlach / June 11, 2009 11:44 PM PDT
Troj/DwnLdr-HSS
by Marianna Schmudlach / June 11, 2009 11:44 PM PDT
Troj/DwnLdr-HSR
by Marianna Schmudlach / June 11, 2009 11:45 PM PDT
Troj/Agent-KDN
by Marianna Schmudlach / June 11, 2009 11:50 PM PDT
Mal/LineDLL-B
by Marianna Schmudlach / June 11, 2009 11:51 PM PDT
W32/Koobfa-Gen
by Marianna Schmudlach / June 11, 2009 11:52 PM PDT

Aliases

* Net-Worm.Win32.Koobface
* W32/Koobface.worm virus
* Worm:Win32/Koobface.A

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Web downloads

Affected operating systems: Windows

W32/Koobfa-Gen is a family of worms for the Windows platform that target social networking sites including Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog and fubar.

The worms attempt to send messages to users of the social networking site pointing to a copy of themselves.

When first run, members of W32/Koobfa-Gen often display an error message saying:

Error installing Codec. Please contact support.

Members of W32/Koobfa-Gen often create a clean .dat data file called in the Windows folder, for example <Windows>\fmark2.dat.

Members of W32/Koobfa-Gen may create registry entries similar to the following:

HKLM\SYSTEM\ControlSet001\Control\Session manager\PendingFileRenameOperations
<blank>
\??\<path to worm>\??\<path to another executable>

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
<blank>
\??\<path to worm>\??\<path to another executable>

http://www.sophos.com/security/analyses/viruses-and-spyware/w32koobfagen.html?_log_from=rss
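The PendingFileRenameOperations value the write-up lists is a legitimate Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT stores source/destination pairs in that REG_MULTI_SZ and Session Manager applies them at the next boot, which is exactly why a worm can use it to replace another executable. The parser below is an added example, not Sophos's code or anything from the forum post. It decodes the value into pairs and flags renames whose destination is an executable under a protected tree while the source is not. The sample value, the protected-directory list, and the treatment of a leading `!` on the destination as the replace-existing marker are this example's own assumptions.

```python
"""Decode a PendingFileRenameOperations value and flag suspicious pending renames.

Added example; not code from the Sophos write-up or the forum post.
Input is the REG_MULTI_SZ as a list of strings: alternating source and
destination, each in NT path form ("\\??\\C:\\..."); an empty destination
means "delete the source at boot".
"""
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"
# Assumed locations where a pending rename *onto* an executable deserves a look.
PROTECTED_DIRS = ("c:\\windows", "c:\\program files")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr")

# Constructed sample value (not from a real sample). Pair 1 is a normal
# installer clean-up, pair 2 overwrites a System32 binary from a user temp
# folder, pair 3 is an in-place update inside Program Files.
SAMPLE_MULTI_SZ = [
    "\\??\\C:\\Windows\\Temp\\setup.log",
    "",
    "\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\codec_update.exe",
    "!\\??\\C:\\Windows\\System32\\ctfmon.exe",
    "\\??\\C:\\Program Files\\Common Files\\updater.tmp",
    "\\??\\C:\\Program Files\\Common Files\\updater.exe",
]

Rename = Tuple[str, Optional[str], bool]  # (source, destination or None, replace_existing)


def strip_nt_prefix(entry: str) -> Tuple[str, bool]:
    """Return the Win32 path and whether the entry carried the '!' replace-existing marker."""
    replace = entry.startswith("!")
    if replace:
        entry = entry[1:]
    if entry.startswith(NT_PREFIX):
        entry = entry[len(NT_PREFIX):]
    return entry, replace


def parse_pending_renames(values: List[str]) -> List[Rename]:
    """Pair up the MULTI_SZ strings; tolerate a trailing empty terminator."""
    if len(values) % 2 == 1 and values[-1] == "":
        values = values[:-1]
    if len(values) % 2 == 1:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    renames: List[Rename] = []
    for i in range(0, len(values), 2):
        src, _ = strip_nt_prefix(values[i])
        dst, replace = strip_nt_prefix(values[i + 1])
        renames.append((src, dst or None, replace))
    return renames


def in_protected_dir(path: str) -> bool:
    return path.lower().startswith(PROTECTED_DIRS)


def find_suspicious(renames: List[Rename]) -> List[Tuple[str, str]]:
    """Flag renames that move a file from outside a protected tree onto an executable inside one."""
    findings = []
    for src, dst, _replace in renames:
        if dst is None:
            continue  # a delayed delete, the common legitimate use
        if dst.lower().endswith(EXECUTABLE_EXT) and in_protected_dir(dst) and not in_protected_dir(src):
            findings.append((src, dst))
    return findings


if __name__ == "__main__":
    for src, dst in find_suspicious(parse_pending_renames(SAMPLE_MULTI_SZ)):
        print(f"pending overwrite of {dst} from {src}")
```

On a live host the same list comes from `winreg.QueryValueEx` on `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, which returns a REG_MULTI_SZ as a Python list; the ControlSet001 copy the write-up also lists normally mirrors CurrentControlSet. Delayed deletes are routine after updates, so the check deliberately ignores them and only reports overwrites of executables.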

W32/Autorun-AJO
by Marianna Schmudlach / June 11, 2009 11:53 PM PDT
W32/Autorun-AJN
by Marianna Schmudlach / June 11, 2009 11:54 PM PDT

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices
* Network shares

Affected operating systems: Windows

W32/Autorun-AJN copies itself to:
<Windows>\Backup\explorer.exe
<Program Files>\{17350501621331}.exe
<Program Files>\explorer.exe
<Root>\explorer.exe

W32/Autorun-AJN creates the following registry values:

HKLM\Software\Microsoft\CurrentVersion\Run
explorer
<Windows>\Backup\explorer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\{17350501621331}
<Root>\explorer.exe

W32/Autorun-AJN has a payload that is triggered on the first day of each month. This payload deletes the following files from the computer:
<System>\hal.dll
<Windows>\system.ini
<Windows>\win.ini

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunajn.html?_log_from=rss

W32/Autorun-AJM
by Marianna Schmudlach / June 11, 2009 11:56 PM PDT
Troj/FakeVir-NB
by Marianna Schmudlach / June 11, 2009 11:56 PM PDT
The Good and the Bad of Being A New Spam Bot
by Marianna Schmudlach / June 12, 2009 12:14 AM PDT

by Ryan Flores (Advanced Threats Researcher)

It seems like a new spam bot is currently being developed. A few days ago a pretty good analysis was posted of a relatively simple spam bot, which Trend Micro detects as TROJ_PROXY.AIF.

This spam bot is quite straightforward. On execution the trojan (TROJ_PROXY.AIF) issues a DNS query to a single domain in order to obtain an IP address, then connects to a C&C (Command and Control) server. The C&C traffic is in plain text and one can easily identify how the C&C works (Figure 1).

We say TROJ_PROXY.AIF is simple because, unlike other spam bots like WALEDAC, it does not have any C&C command encryption or a robust C&C (take down the domain and they're out of business).

One saving grace of this spam bot however, is its implementation of certain techniques to avoid spam filters. Take a look at a sample spam mail generated by TROJ_PROXY.AIF (Figure 2).

More: http://blog.trendmicro.com/

Botnet Research on WALEDAC and PUSHDO
by Marianna Schmudlach / June 12, 2009 12:15 AM PDT

by Trend Micro

TrendLabs researchers have recently published their research on two of the most prevalent botnets in the threat landscape to date:

Infiltrating WALEDAC Botnet's Covert Operations

Spam is not a mere inbox annoyance anymore but is the first step toward executing more dangerous kinds of system infiltration. Malware are no longer discrete executables but a motley group of related components and files that work together to surreptitiously get inside systems. The technologies malware crime fighters are using are, in some cases, being used against us. The people behind these cybercrimes are no longer fame-seeking script kiddies; they are now professional criminals who have created robust cybercrime businesses.

This paper provides a comprehensive view of the WALEDAC botnet (its activities, methodology, involved technologies, purpose, and business model) in order to paint a picture of the complex and intricate nature of the threats that we see today.

Pushdo / Cutwail Botnet

The Pushdo botnet has been with us since January 2007, and while it does not grab as many headlines as its attention-seeking peers such as Storm or Conficker, it is the second largest spam botnet on the planet, sending approximately 7.7 billion emails per day, making it single-handedly responsible for about 1 out of every 25 emails sent.

There are several reasons for Pushdo's lack of notoriety: the authors have actively used several techniques to help keep its activity "under the radar." Not only is Pushdo responsible for a huge amount of spam activity, it also is one of the primary conduits for other criminal gangs to spread their malware creations.

More: http://blog.trendmicro.com/

W32/Generic.worm.i
by Marianna Schmudlach / June 12, 2009 12:34 AM PDT

Type
Virus
SubType
Worm

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Characteristics -

== Update 11 June 2009 ==

One variant scans all the files on disk and drops a copy of itself to %WINDIR%\system32\ as winlogin.exe (where %WINDIR% is usually C:\Windows).

It also drops the DNSChanger.ad Trojan to %WINDIR%\Temp as a randomly named file with a .tmp extension.

It creates the following registry keys:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FU
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FU

It modifies the following registry values:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Fast User Switching". New data: C:\WINDOWS\system32\winlogin.exe
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\winlogin.exe". New data: C:\WINDOWS\system32\winlogin.exe:*:Enabled:Explorer

More: http://vil.nai.com/vil/content/v_141742.htm
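Two details in the write-up above are worth turning into a check: the worm registers itself under Run and also writes itself into the Windows Firewall authorized-applications list (the value data format is `path:scope:Enabled|Disabled:display name`), and it names itself `winlogin.exe`, one character away from the legitimate `winlogon.exe`. The script below is an added example, not McAfee's detection logic or code from the forum post. It parses both locations and reports file names that are one edit away from a well-known system binary; that generalises past this sample, so it would also catch the `svchost .exe` (with a space) from the W32/Tiotua-R post earlier in the thread. The sample registry data is constructed, and the list of legitimate names is this example's own assumption, not a complete allowlist.

```python
"""Audit firewall exception entries and Run values for lookalike system binary names.

Added example; not code from the McAfee write-up or the forum post. The entries
below are constructed to mirror the shapes the write-up reports; the set of
legitimate names is this example's own assumption, not an exhaustive allowlist.
"""
import ntpath
from typing import List, Optional, Tuple

KNOWN_SYSTEM_BINARIES = {
    "winlogon.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "services.exe",
}

# Constructed sample of HKLM\...\FirewallPolicy\StandardProfile\AuthorizedApplications\List
# as (value name, value data). Data format: <path>:<scope>:<Enabled|Disabled>:<display name>.
SAMPLE_FIREWALL_LIST = [
    ("C:\\Program Files\\Messenger\\msmsgs.exe",
     "C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"),
    ("C:\\WINDOWS\\system32\\winlogin.exe",
     "C:\\WINDOWS\\system32\\winlogin.exe:*:Enabled:Explorer"),
]
# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run as (value name, command).
SAMPLE_RUN_VALUES = [
    ("Windows Fast User Switching", "C:\\WINDOWS\\system32\\winlogin.exe"),
    ("ctfmon", "C:\\WINDOWS\\system32\\ctfmon.exe"),
]


def parse_firewall_entry(data: str) -> dict:
    """Split an AuthorizedApplications\\List value into its four fields."""
    # rsplit from the right so the drive-letter colon inside the path survives.
    path, scope, mode, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "enabled": mode == "Enabled", "name": name}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the well-known name this file name imitates (one edit away), or None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if edit_distance(name, known) <= 1:
            return known
    return None


def audit(firewall_list, run_values) -> List[Tuple[str, str, str]]:
    """Return (source, path, imitated name) for every lookalike found."""
    findings = []
    for _value_name, data in firewall_list:
        entry = parse_firewall_entry(data)
        mimic = lookalike_of(ntpath.basename(entry["path"]))
        if entry["enabled"] and mimic:
            findings.append(("firewall-exception", entry["path"], mimic))
    for _value_name, command in run_values:
        mimic = lookalike_of(ntpath.basename(command))
        if mimic:
            findings.append(("run-key", command, mimic))
    return findings


if __name__ == "__main__":
    for source, path, mimic in audit(SAMPLE_FIREWALL_LIST, SAMPLE_RUN_VALUES):
        print(f"{source}: {path} looks like {mimic}")
```

The Run loop treats the whole value as a path; real Run values can carry quotes and arguments, so on a live host strip those before taking the basename. A distance threshold of one is deliberately tight: it catches transposed, dropped, or inserted characters without flagging every unfamiliar executable, and anything it does flag is worth checking against the real binary's path, signature and hash.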

DNSChanger.ad
by Marianna Schmudlach / June 12, 2009 12:35 AM PDT

Type
Trojan
SubType
Win32

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics -

== Update 11 June 2009 ==

This Trojan is dropped by W32/Generic.worm.i. When run, it places a copy of itself into %WINDIR%\Temp (where %WINDIR% is usually C:\Windows) with a random filename with a .tmp extension.
Symptoms -

* Presence of suspicious files in the %WINDIR%\Temp folder
More: http://vil.nai.com/vil/content/v_163462.htm

Exploit-PDF.n.gen
by Marianna Schmudlach / June 12, 2009 12:36 AM PDT

Type
Trojan
SubType
Exploit

Overview -

Exploit-PDF.n.gen is a generic detection for malformed PDF files containing malicious Javascript.
Aliases

* Troj/PDFJs-BM (Sophos)

Characteristics
Characteristics -

Exploit-PDF.n.gen is not intended to be vulnerability-specific. It is a generic detection for malformed PDF files containing malicious Javascript.

Upon opening the .pdf file with Acrobat Reader, the reader might show a small message box saying that the "File is damaged but is being repaired".

* Using Acrobat Reader v8.1.3 the file is then loaded, showing no content; Acrobat Reader doesn't crash, no files are dropped onto the test system, no changes to the registry, and no network traffic is observed.
* Using Acrobat Reader v9.0.0 the file is then loaded, showing no content; Acrobat Reader does crash, no files are dropped onto the test system, no changes to the registry, and no network traffic is observed.

More: http://vil.nai.com/vil/content/v_156087.htm
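A generic "PDF with JavaScript" detection like the one described has to look past two things before it can match on names such as /JavaScript or /OpenAction: PDF names may be hex-escaped (/J#61vaScript is the same name as /JavaScript), and the action object is usually inside a FlateDecode stream rather than in plain text. The triage script below is an added example, not McAfee's signature logic or code from the forum post. It normalises name escapes, inflates streams, counts the auto-run and script indicators, and applies a rough well-formedness check. Both sample documents are constructed inline; the indicator list and verdict labels are this example's own choices.

```python
"""Minimal static triage of a PDF for JavaScript and auto-run hooks.

Added example; not McAfee's detection logic and not code from the forum post.
It handles two evasions a generic detection must see through: PDF name hex
escapes (/J#61vaScript == /JavaScript) and FlateDecode streams that hide the
action object. Both sample PDFs are constructed here, not real samples.
"""
import re
import zlib
from typing import Dict, List, Tuple

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
INDICATORS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]

# Constructed sample: the catalog's /OpenAction points at an action object that
# sits inside a FlateDecode stream, with the action name hex-escaped.
_ACTION_OBJ = b"5 0 obj << /Type /Action /S /J#61vaScript /JS (app.alert\\(1\\)) >> endobj"
_COMPRESSED = zlib.compress(_ACTION_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    + b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_COMPRESSED)
    + _COMPRESSED
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed clean document for comparison.
CLEAN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF names so /J#61vaScript matches as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> List[bytes]:
    """Return the inflated body of every stream that decompresses as zlib/FlateDecode."""
    inflated = []
    for m in STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not FlateDecode (or corrupt); the raw bytes are still scanned below
    return inflated


def count_indicators(data: bytes) -> Dict[str, int]:
    """Count each indicator name across the raw file and every inflated stream."""
    views = [normalise_names(data)] + [normalise_names(s) for s in inflate_streams(data)]
    counts = {}
    for name in INDICATORS:
        # Negative lookahead keeps /JS from matching inside a longer name.
        pattern = re.compile(re.escape(name) + rb"(?![A-Za-z])")
        counts[name.decode()] = sum(len(pattern.findall(view)) for view in views)
    return counts


def is_well_formed(data: bytes) -> bool:
    """Cheap structural sanity check: header, EOF marker, balanced obj/endobj."""
    return (data.startswith(b"%PDF-") and b"%%EOF" in data
            and data.count(b" obj") == data.count(b"endobj"))


def assess_pdf(data: bytes) -> Tuple[str, Dict[str, int], bool]:
    counts = count_indicators(data)
    has_js = counts["/JavaScript"] + counts["/JS"] > 0
    auto_run = counts["/OpenAction"] + counts["/AA"] > 0
    if has_js and auto_run:
        verdict = "javascript-on-open"
    elif has_js:
        verdict = "javascript"
    else:
        verdict = "no-javascript"
    return verdict, counts, is_well_formed(data)


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, assess_pdf(doc))
```

This is a pre-filter, not a verdict on exploitability: the write-up's own observation that the same file crashes Reader 9.0.0 but not 8.1.3 is something only dynamic analysis shows. Real samples also use other filters, object streams, and string encodings, so a production scanner needs a proper object parser rather than regular expressions.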

Troj/Small-ENL
by Marianna Schmudlach / June 12, 2009 1:15 AM PDT
Troj/PDFJs-AX
by Marianna Schmudlach / June 12, 2009 1:16 AM PDT
Troj/ObfJS-K
by Marianna Schmudlach / June 12, 2009 1:17 AM PDT
Troj/NetBus-BE
by Marianna Schmudlach / June 12, 2009 1:17 AM PDT
Troj/ClompPk-A
by Marianna Schmudlach / June 12, 2009 1:18 AM PDT
Troj/Agent-KDQ
by Marianna Schmudlach / June 12, 2009 1:19 AM PDT
Troj/Agent-KDP
by Marianna Schmudlach / June 12, 2009 1:19 AM PDT
Troj/Agent-KDO
by Marianna Schmudlach / June 12, 2009 1:20 AM PDT
Mal/Vapsup-A
by Marianna Schmudlach / June 12, 2009 1:21 AM PDT
Mal/ObfJS-BY
by Marianna Schmudlach / June 12, 2009 1:22 AM PDT
WSearch
by Marianna Schmudlach / June 12, 2009 2:32 AM PDT