Spyware, Viruses, & Security forum

General discussion

VIRUS \ Spyware ALERTS - June 30, 2008

by Marianna Schmudlach / June 29, 2008 11:39 PM PDT
Discussion is locked
You are posting a reply to: VIRUS \ Spyware ALERTS - June 30, 2008
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: VIRUS \ Spyware ALERTS - June 30, 2008
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Troj/BHO-FZ
by Marianna Schmudlach / June 29, 2008 11:40 PM PDT
Collapse -
Troj/Bdoor-AMH
by Marianna Schmudlach / June 29, 2008 11:41 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/Bdoor-AMH is a Trojan for the Windows platform.

Troj/Bdoor-AMH copies itself to either the <Windows\naver2.exe> folder or C:\naver2.exe.

Troj/Bdoor-AMH edits the registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
naver2.exe

Troj/Bdoor-AMH connects to a remote host to receive information. After receiving instructions from the remote host, it will then send the data back to the remote host using SMTP.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbdooramh.html?_log_from=rss

Collapse -
Mal/VB-X
by Marianna Schmudlach / June 29, 2008 11:43 PM PDT
Collapse -
W32/AutoRun-FV
by Marianna Schmudlach / June 29, 2008 11:44 PM PDT

Aliases WORM_AUTORUN.AQR
Worm.Win32.AutoRun.efg

Category Viruses and Spyware

Type Worm

W32/AutoRun-FV is a worm with IRC backdoor functionality for the Windows platform.

W32/AutoRun-FV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/AutoRun-FV copies itself to <System>\msnclimgr.exe.

The following registry entry is created to run msnclimgr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN Client Manager
msnclimgr.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunfv.html?_log_from=rss

Collapse -
Troj/Spy-AQ
by Marianna Schmudlach / June 29, 2008 11:45 PM PDT
Collapse -
Troj/FakePriv-A
by Marianna Schmudlach / June 29, 2008 11:46 PM PDT
Collapse -
Troj/FakeAle-CU
by Marianna Schmudlach / June 29, 2008 11:47 PM PDT
Collapse -
Troj/FakeAle-CT
by Marianna Schmudlach / June 29, 2008 11:48 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeAle-CT is a Trojan for the Windows platform.

When run Troj/FakeAle-CT copies itself to <Temp>\_addon.exe and attempts to download code from the internet and store it to the file <User>\Application Data\Adsl Software Ltd\Winspywareprotect.exe.

Registry entries are created under:
HKCU\Software\Adsl Software Ltd\Installer
HKCU\Software\Adsl Software Ltd\WinSpywareProtect


http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealect.html?_log_from=rss

Collapse -
Troj/Banker-EME
by Marianna Schmudlach / June 29, 2008 11:49 PM PDT
Collapse -
W32/Looked-EI
by Marianna Schmudlach / June 29, 2008 11:51 PM PDT
Collapse -
Troj/FakeAle-CR
by Marianna Schmudlach / June 29, 2008 11:54 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeAle-CR copies itself to the <Windows> folder using random names.

Troj/FakeAle-CR drops the files
<System>\spywarewarning.mht
<System>\spywarewarning2.mht

These two files can be safely deleted.

Troj/FakeAle-CR changes the Internet Explorer settings to use <System>\spywarewarning.mht as the start page.

Troj/FakeAle-CR creates the service registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IEUpdate


http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealecr.html

Collapse -
Troj/DwnLdr-HES
by Marianna Schmudlach / June 29, 2008 11:56 PM PDT
Collapse -
Troj/FakeAle-CS
by Marianna Schmudlach / June 29, 2008 11:58 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeAle-CS is a Trojan for the Windows platform.

When run Troj/FakeAle-CS copies itself to <Program Files>\XP Antivirus\xpa.exe and sets the following registry entry to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random numbers>
<Program Files>\XP Antivirus\xpa.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealecs.html

Collapse -
Troj/PWS-ARP
by Marianna Schmudlach / June 29, 2008 11:59 PM PDT
Collapse -
Troj/PWS-ARQ
by Marianna Schmudlach / June 30, 2008 12:01 AM PDT
Collapse -
Troj/Spambot-C
by Marianna Schmudlach / June 30, 2008 12:02 AM PDT
Collapse -
Trojan:W32/Agent.SQT
by Marianna Schmudlach / June 30, 2008 12:04 AM PDT

Type: Trojan

Category: Malware

Summary
Trojans are malicious programs that pretend be to benign. Trojans do not replicate themselves.

Additional Details
Agent.SQT arrives as an attachment to spammed e-mail messages containing the following subjects:


Something hot
Hot news
Paris Hilton
Hot pictures

Here is an example message body:

http://www.f-secure.com/v-descs/trojan_w32_agent_sqt.shtml

Collapse -
W32/MumaWow.e!inf
by Marianna Schmudlach / June 30, 2008 12:06 AM PDT

Type Virus

SubType Win32

Overview -
W32/MumaWow.e!inf is a dropper for the W32/MumaWow virus. It also downloads multiple password stealers and newer variants of W32/MumaWow family.


Aliases
PE_MUMAWOW.BG (Trend Micro) Virus.Win32.Downloader.ba (Kaspersky) Virus:Win32/Cekar.B (Microsoft) W32.Mumawow.F!inf (Symantec)
Characteristics
Characteristics -

W32/MumaWow.e!inf is a dropper for the W32/MumaWow virus. It also downloads multiple password stealers and newer variants of W32/MumaWow family.

Upon execution of W32/MumaWow.e!inf infected files it drops and executes xue.xue (W32/MumaWow) infector and downloader. For further information on W32/MumaWow infector visit the following link:
http://vil.nai.com/vil/content/v_141958.htm

http://vil.nai.com/vil/content/v_146239.htm

Collapse -
New tool for GPcode trojan victims from Kaspersky
by Marianna Schmudlach / June 30, 2008 12:58 AM PDT

Anti-virus vendor Kaspersky has released StopGpcode2 ? a tool which may be able to recover most of the data encrypted by the GPcode.ak trojan. According to the developers, the Windows program requires pairs of encrypted files and unencrypted copies of the same files ? the more the merrier. These may be obtainable from backups or by using software such as PhotoRec that can reconstruct files deleted by the trojan from hard disk sectors.

The success rate is said to be up to 80 per cent, but is dependent on unspecified characteristics of the infected system. Affected users may be able to avoid having to buy the 'official' decryption tool offered by the blackmailers. Predecessors of the GPcode.ak trojan such as GPcode.ai and the earlier PGPcode.A could readily be cracked due to their weak encryption systems. The new version uses a hybrid of RC4 and RSA, however, which is taking cryptographers much longer to crack ? the trojan creates an RC4 session key for each file from a randomly generated master key. It saves an RSA encrypted version of the master key on the infected system.

More: http://www.heise-online.co.uk/security/New-tool-for-GPcode-trojan-victims-from-Kaspersky--/news/111028

Collapse -
Troj/Iframe-AG
by Marianna Schmudlach / June 30, 2008 1:10 AM PDT

SQL attacks: now using .MOBI domains and installing Scamware
Everyday, I look through the domains we detect as Troj/Iframe-AG because they are the domains associated with the SQL injections that have been plaguing the web over the last few months (1, 2, 3 and 4). This morning I saw three domains making use of the .MOBI TLD. The use of a .MOBI TLD is unusual and I was going to talk about all the possible new TLDs that people could use in the future (following the ICANN meeting last week). However, something more interesting was spotted.

Quickly visiting these sites to see is they were legitimate, we (Fraser and I) noticed that the root of each site attempted to load a script ?AD.JS?. This in turn attempted to load another website - a fake AV install site. The site pretends to do an online virus scan:

More: http://www.sophos.com/security/blog/2008/06/1525.html

Collapse -
W32/MumaWow
by Marianna Schmudlach / June 30, 2008 2:48 AM PDT

Type Virus

SubType Win32

Overview -

W32/MumaWow is a parasitic file infector and network worm that searches local drives and network shares for executable files and infects them. It also attempts to download updated copies of itself from malicious websites.

Aliases
Mal/DelpDldr-F (Sophos) TROJ_KILLAV.RX (Trend Micro) TrojanDownloader:Win32/Cekar.gen!A (Microsoft) Worm.Win32.AutoRun.dos (Kaspersky)

http://vil.mcafeesecurity.com/vil/content/v_141958.htm

Collapse -
StartPage-JU.dldr
by Marianna Schmudlach / June 30, 2008 2:49 AM PDT

Type Trojan

SubType Downloader

Overview -
It?s a start page modifier trojan.

Aliases
Trojan.Farfli (Symantec)
Characteristics
Characteristics -

Upon execution, trojan modifies user?s default startpage to http ://72{removed}5.com/?g

Drop the following files :

%WinDir%\system32\drivers\{random_a}.sys %WinDir%\system32\drivers\{random_b}.sys %WinDir%\system32\{random}.dll C:\Documents and Settings\{Usersname}\Favorites\收藏.url
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)Add the following registry keys :


More: http://vil.mcafeesecurity.com/vil/content/v_143679.htm

Collapse -
Troj/SWFexp-E
by Marianna Schmudlach / June 30, 2008 4:03 AM PDT
Collapse -
Troj/SWFexp-A
by Marianna Schmudlach / June 30, 2008 4:04 AM PDT
Collapse -
Troj/Buzus-B
by Marianna Schmudlach / June 30, 2008 4:05 AM PDT
Collapse -
Troj/Agent-HDW
by Marianna Schmudlach / June 30, 2008 4:06 AM PDT
Collapse -
Troj/Agent-HDV
by Marianna Schmudlach / June 30, 2008 4:07 AM PDT
Collapse -
Troj/Agent-HDU
by Marianna Schmudlach / June 30, 2008 4:08 AM PDT
Collapse -
Troj/Agent-HDO
by Marianna Schmudlach / June 30, 2008 4:09 AM PDT
Collapse -
Mal/Repl-A
by Marianna Schmudlach / June 30, 2008 4:10 AM PDT
Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

FALL TV PREMIERES

Your favorite shows are back!

Don’t miss your dramas, sitcoms and reality shows. Find out when and where they’re airing!