VIRUS \ SPYWARE ALERTS - June 23, 2009

by Marianna Schmudlach / June 23, 2009 12:28 AM PDT
Troj/FakeAv-TW
by Marianna Schmudlach / June 23, 2009 12:29 AM PDT

Troj/FakeAV-TV
by Marianna Schmudlach / June 23, 2009 12:29 AM PDT

Troj/FakeAV-TU
by Marianna Schmudlach / June 23, 2009 12:30 AM PDT

Troj/Dloadr-COX
by Marianna Schmudlach / June 23, 2009 12:31 AM PDT

Troj/Chimoz-J
by Marianna Schmudlach / June 23, 2009 12:32 AM PDT

Troj/BDoor-AVF
by Marianna Schmudlach / June 23, 2009 12:32 AM PDT

Troj/Agent-KGS
by Marianna Schmudlach / June 23, 2009 12:33 AM PDT

Troj/Agent-KGR
by Marianna Schmudlach / June 23, 2009 12:34 AM PDT

Troj/Agent-KGQ
by Marianna Schmudlach / June 23, 2009 12:35 AM PDT

Troj/Agent-KGP
by Marianna Schmudlach / June 23, 2009 12:36 AM PDT

Troj/FakeAV-TQ
by Marianna Schmudlach / June 23, 2009 12:37 AM PDT

Troj/FakeAV-TR
by Marianna Schmudlach / June 23, 2009 12:38 AM PDT

Troj/FakeAV-TS
by Marianna Schmudlach / June 23, 2009 12:38 AM PDT

Troj/PoisonI-D
by Marianna Schmudlach / June 23, 2009 12:39 AM PDT

Trojan.Spadenf
by Marianna Schmudlach / June 23, 2009 12:41 AM PDT

ErrorFix
by Marianna Schmudlach / June 23, 2009 12:42 AM PDT

Updated: June 23, 2009 9:11:37 AM
Type: Misleading Application
Name: ErrorFix
Version: 2.8.3456.520
Publisher: PC Utility Inc
Risk Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Behavior
ErrorFix is a misleading application that may give exaggerated reports of threats on the computer.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-062308-1901-99

Another Messy Mass Compromise Emerges
by Marianna Schmudlach / June 23, 2009 12:43 AM PDT

by Det Caraig (Technical Communications)

The hype after recent mass compromises has not even died down yet, and already another massive attack has been launched. Trend Micro was alerted to the emergence of another mass compromise, dubbed Nine Ball, for the same reason Gumblar was named Gumblar, only that this time, the Nine Ball domain is only one of hundreds of landing pages users can be redirected to.

As reported by Ivan Macalintal, Manager of Threat Research, the infection starts when a user accesses a compromised site that automatically redirects him/her to several sites. These sites were actually a trio of malicious domains (specific .KZ and .TW sites) constantly used by attackers in their scheme of redirecting users to a malicious IP address registered somewhere in Ukraine.

The chain ends when the user's browser lands on a page that contains exploits for vulnerabilities in various software, including Adobe Acrobat and Adobe Shockwave. Advanced Threat Researcher Joey Costoya also pointed out that a previously reported PoC in Office OCX Word Viewer is also among the exploits used in this attack.

Compromised websites were injected with the following 1-3 blocks of obfuscated script, which is detected as JS_DLOADR.ALP (see Figure 1):

* hdOruVsHnKBXZuvtsRmw
* eMCeGjolMPJFNuucZWLk
* vIkytowORShQVZqTBFox

More: http://blog.trendmicro.com/

All feedback is good feedback
by Marianna Schmudlach / June 23, 2009 12:45 AM PDT

June 23

by Robert McArdle (Senior Malware Researcher)

In our recently published white paper on Pushdo we noted that the malware used a certain string as part of its encryption routine.

Poshel-ka ti na hui drug aver

This string roughly translates to "Screw you my friend Aver" (well, it's actually a lot less polite than that, but you get the idea). We theorized that the word Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that this word could mean "AVer" (a slang term used mainly on English virus-writing forums meaning AV researcher).

Doh!

This is not the first time that malware writers have left hidden messages that are only revealed during reverse engineering. My personal favorite was from a sample of the WORM_RINBOT family, which included a message for a fellow AV researcher after he assigned the name RINBOT to the malware family instead of the criminal gang's preferred name:

Dear Symantec:
For years I have longed for just one thing,
to make malware with just the right sting,
you detected my creation and got my domains killed,
but I will not stop,
I can rebuild.

P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.

More: http://blog.trendmicro.com/

Limited FakeAV's
by Marianna Schmudlach / June 23, 2009 12:48 AM PDT

Posted on June 23rd, 2009 by PrashantKumar

I have seen Fake Anti Virus software before. In fact, SophosLabs have been seeing them in various different forms, like 1 and 2.

What stood out about today's sample (Protection System) was how easily it seems to have been created. Virus names are stolen, messages and detection info are hard-coded, and even the website has the *same* virus names which are hard-coded into the malware. Here are some screenshots.

http://www.sophos.com/blogs/sophoslabs/

Anti-Malware-Malware!?!
by Marianna Schmudlach / June 23, 2009 12:51 AM PDT

Posted on June 22nd, 2009 by Pete, SophosLabs AU

Na

The end of an era?
by Marianna Schmudlach / June 23, 2009 12:52 AM PDT

Posted on June 22nd, 2009 by Dmitry Samosseiko, SophosLabs Canada

Alan Ralsky? His name is too familiar to the veterans of the anti-spam industry.

He was notorious for the "stock pump-n-dump" scam e-mails and was the #1 spammer on the SpamHaus "The 10 Worst Spammers" list as early as November 2005:

Today, one of the world's first spam kings pleaded guilty "to charges of violating federal anti-spam laws by sending millions of emails in a stock-fraud scheme".

It's good to see anti-spam laws like the CAN-SPAM Act being put to use.

http://www.sophos.com/blogs/sophoslabs/

PWS-Banker.gen.bq.dr
by Marianna Schmudlach / June 23, 2009 12:54 AM PDT

Type
Trojan
SubType
Dropper

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


Characteristics -

When this Trojan is executed, it drops the following files:

%System%\bekbn.dll (http://vil.nai.com/vil/content/v_160660.htm)
%System%\inform.dat
%System%\fkas

Note:

%System% is a variable location and refers to the Windows system directory.
This Trojan by itself doesn't create any startup registry entries, and hence doesn't execute on system startup.
The dropped DLL is registered as a BHO by the Trojan.

It creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}

HKCR\CLSID\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}\InprocServer32

More: http://vil.nai.com/vil/content/v_143667.htm

Generic PWS.y!bb
by Marianna Schmudlach / June 23, 2009 12:55 AM PDT

Type
Trojan

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics -

It is registered as a BHO by the Trojan PWS-Banker.gen.bq.dr (http://vil.nai.com/vil/content/v_143667.htm).

It is capable of logging keystrokes and also capable of spreading via USB devices.

It creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{AC018590-FBBD-4789-A15B-FFBBBE6C8965}
StubPath = "rundll32 bekbn.dll,InitO"

More: http://vil.nai.com/vil/content/v_160660.htm

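As an added example (not part of the McAfee writeups or this thread), the following Python script scans a Windows registry export (.reg text) for the two persistence mechanisms described in the PWS-Banker.gen.bq.dr and Generic PWS.y!bb entries above: a Browser Helper Object registration resolved to its InprocServer32 DLL, and an Active Setup component whose StubPath launches rundll32. The sample export is constructed; only the two CLSIDs, the DLL name and the StubPath value come from the writeups, and the benign component's GUID is a placeholder.

```python
"""Added example: scan a Windows .reg export for the two persistence mechanisms
in the writeups above (BHO registration, Active Setup StubPath via rundll32)."""
import re

BHO_PREFIX = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\browser helper objects\\"
SETUP_PREFIX = "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
INPROC_RE = re.compile(r"^hkey_classes_root\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(?:"((?:[^"\\]|\\.)*)"|(.*))$')

# Constructed sample export: the first three keys use the values quoted in the
# McAfee writeups; the last is a made-up benign Active Setup component.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}]
[HKEY_CLASSES_ROOT\CLSID\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}\InprocServer32]
@="C:\\WINDOWS\\system32\\bekbn.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AC018590-FBBD-4789-A15B-FFBBBE6C8965}]
"StubPath"="rundll32 bekbn.dll,InitO"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-00000000BEEF}]
"StubPath"="C:\\WINDOWS\\system32\\example.exe /setup"
"""


def parse_reg(text):
    """Return {key (lower-cased): {value_name: string_value}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            value = m.group(3) if m.group(3) is not None else m.group(4)
            # Undo .reg escaping of quotes and backslashes
            keys[current][m.group(1) or "@"] = value.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def find_persistence(text):
    """BHO CLSIDs with their COM server DLL, plus Active Setup components whose
    StubPath runs rundll32 (the pattern the writeup describes)."""
    keys = parse_reg(text)
    inproc = {m.group(1): v.get("@", "") for k, v in keys.items() if (m := INPROC_RE.match(k))}
    bhos, stubs = [], []
    for key, vals in keys.items():
        if key.startswith(BHO_PREFIX):
            clsid = key[len(BHO_PREFIX):].split("\\")[0]
            bhos.append((clsid, inproc.get(clsid, "<no InprocServer32>")))
        elif key.startswith(SETUP_PREFIX) and vals.get("StubPath", "").lower().startswith("rundll32"):
            stubs.append((key[len(SETUP_PREFIX):].split("\\")[0], vals["StubPath"]))
    return {"bho": bhos, "active_setup_rundll32": stubs}
```

Run it against a real export (`reg export HKLM\Software hklm.reg` plus the HKCR and Active Setup keys) and review every BHO whose server DLL sits outside a known product path, and every StubPath that loads a DLL by bare file name.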
W32/Autorun.worm.fl
by Marianna Schmudlach / June 23, 2009 12:56 AM PDT

Troj/FakeAV-TY
by Marianna Schmudlach / June 23, 2009 2:06 AM PDT

Troj/FakeAV-TX
by Marianna Schmudlach / June 23, 2009 2:07 AM PDT

Troj/ExpPPT-F
by Marianna Schmudlach / June 23, 2009 2:07 AM PDT

Troj/Dwnldr-HTQ
by Marianna Schmudlach / June 23, 2009 2:08 AM PDT

Troj/Agent-KGU
by Marianna Schmudlach / June 23, 2009 2:09 AM PDT

Troj/Agent-KGT
by Marianna Schmudlach / June 23, 2009 2:10 AM PDT