Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - June 3, 2009

Discussion is locked
You are posting a reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: VIRUS \ SPYWARE ALERTS - June 3, 2009
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Troj/Bank-Q

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Agent-KKF

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Mbroot-G

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/DwnLdr-HUE

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Clsldr-I

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/BHO-MQ

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Agent-KKH

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Agent-KKG

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
OSX/Jahlav-C

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems Macintosh

OSX/Jahlav-C is a Trojan created for the Mac OS X operating system. OSX/Jahlav-C is used to deliver malicious code to the infected computer. The initial installer is distributed as a missing Video ActiveX Object, as described on the SophosLabs blog.

OSX/Jahlav-C creates a malicious shell script file named AdobeFlash in the /Library/Internet Plug-Ins folder and sets it to run periodically. The script contains another shell script in an encoded format which in turn contains a Perl script with the main malicious payload.

The Perl script uses http to communicate with a remote website and download code supplied by the attacker.

http://www.sophos.com/security/analyses/viruses-and-spyware/osxjahlavc.html?_log_from=rss

Collapse -
Mal/FakeAV-AL

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Category

* Viruses and Spyware

Type

* Malicious Behavior


Affected operating systems Windows
Characteristics

* Installs itself in the registry

Mal/FakeAV-AL is an application for the Windows platform that exhibits malicious behavior.

Mal/FakeAV-AL dowloads and installs a fake Anti-Virus application that fraudulently reports a users system as infected and will not clean up these fraudulent reports until the users pays and registers the application.

http://www.sophos.com/security/analyses/viruses-and-spyware/malfakeaval.html?_log_from=rss

Collapse -
Mal/Scribble-C

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Agent-KJY

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Agent-KJZ

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Agent-KKA

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Agent-KKC

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Agent-KKD

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/Dloader-QB

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Troj/JSRedir-T

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
W32/Koobfa-Gen

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Aliases

* Net-Worm.Win32.Koobface
* W32/Koobface.worm virus
* Worm:Win32/Koobface.A

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Web downloads

Affected operating systems Windows

W32/Koobfa-Gen is a family of worms for the Windows platform that target social networking sites including Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog and fubar.

The worms attempt to send messages to users of the social networking site pointing to a copy of themselves.

When first run, members of W32/Koobfa-Gen often display an error message saying:

Error installing Codec. Please contact support.

Members of W32/Koobfa-Gen often create a clean .dat data file called in the Windows folder, for example <Windows>\fmark2.dat.

Members of W32/Koobfa-Gen may create registry entries similar to the folowing:

HKLM\SYSTEM\ControlSet001\Control\Session manager\PendingFileRenameOperations
<blank>
\??\<path to worm>\??\<path to another executable>

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
<blank>
\??\<path to worm>\??\<path to another executable>

http://www.sophos.com/security/analyses/viruses-and-spyware/w32koobfagen.html?_log_from=rss

Collapse -
Java.Boxer

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Gumblar Invades Best Buy

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

by Jovi Umawing (Technical Communications)

Earlier today, Trend Micro Technical Account Manager Fioravante Souza in Brazil spotted a (potentially harmful) URL that redirects users from the Best Buy domain site.

Users who visit www.bestbuy.com, as it turns out, are redirected to the URL, hxxp://pics. bubbled.cn/gallery/
hardcore/?23c4f60c1b9f604d6ffb21cba599301f (hxxp = http, and without the spaces). The compromised page in the domain is found to be the landing page where visitors can choose the language to be used as they browse within the site. Threat Research Manager, Ivan Macalintal, further identifies that a GEO-IP check happens prior to displaying the said landing page.

?If (the) requesting IP is from the Latin America Region (LAR), users are redirected to the ?Choose English or Spanish? page?and then bingo!? Macalintal says.

More: http://blog.trendmicro.com/

Collapse -
FFSearcher.dll

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Type
Trojan
SubType
-
Discovery Date
07/03/2009

Overview -

This detection is for DLL components dropped by FFSearcher
Characteristics
Characteristics -

The dll is dropped to the following location and injected into svchost.exe process:

* %system%\netcfgx.dll:Zone.Identifier

The following files are also dropped and loaded them as system drivers. The files are then deleted:

* %windows%\win32k.sys:1
* %windows%\win32k.sys:2

The following registry value are modified to make the dll loaded on windows startup:

* HKEY_CLASSES_ROOT\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32 "(Default)"=%system%\netcfgx.dll:Zone.Identifier

The trojan contacts wxtr812.com to get config info and saves the data to the following file:

* %Documents and Settings%\All Users\Documents\gifnoc.xtx

It then moniters the web browser and attempts to redirect searches in Google to the site in config file.

More: http://vil.nai.com/vil/content/v_174334.htm

Collapse -
FFSearcher

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Type
Trojan
SubType
Trojan

Overview -

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.



Characteristics
Characteristics -

When executed, the trojan drops the following dll and injects into svchost.exe:

* %system%\netcfgx.dll:Zone.Identifier

It also drops the following files and loads them as system drivers. It then deletes the 2 files:

* %windows%\win32k.sys:1
* %windows%\win32k.sys:2

It then deletes the original dropper.

It modifies the following registry value to make the dll loaded on windows startup:

* HKEY_CLASSES_ROOT\CLSID\{5B035261-40F9-11D1-AAEC-00805FC1270E}\InProcServer32 "(Default)"=%system%\netcfgx.dll:Zone.Identifier

It contacts wxtr812.com to get config info and saves the data to the following file:

* %Documents and Settings%\All Users\Documents\gifnoc.xtx

It then moniters the web browser and attempts to redirect searches in Google to the site in config file.

More: http://vil.nai.com/vil/content/v_174013.htm

Collapse -
DeepDive!9ef6c5fcfab6

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Type
Program
SubType
-
Discovery Date
07/03/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

More: http://vil.nai.com/vil/content/v_174393.htm

Collapse -
Keylogger OCX

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
I Forgot

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Cain n Abel Installer

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
RemoteAdmin

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
HideExec

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Collapse -
Network Password Recovery - installer

In reply to: VIRUS \ SPYWARE ALERTS - June 3, 2009

Popular Forums

icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

DEALS, DEALS, DEALS!

Best Black Friday Deals

CNET editors are busy culling the list and highlighting what we think are the best deals out there this holiday season.