Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - June 6, 2008

by Marianna Schmudlach / June 5, 2008 2:30 PM PDT

W32/Tdibd-C

Category Viruses and Spyware

Type Rootkit

W32/Tdibd-C is a multi-component rootkit worm for the Windows platform.

When run W32/Tdibd-C creates the following files:

<System>\_tdiserv_\autorun.inf - detected as W32/Tdibd-C
<System>\_tdiserv_\setup.exe - detected as W32/Tdibd-C
<System>\_tdiserv_\reckey.dll - detected as W32/Tdibd-C
<System>\_tdiserv_\tdiupdate.sys - detected as W32/Tdibd-C
<System>\_tdiserv_\_tdicli_.exe - detected as W32/Tdibd-C
<System>\_tdiserv_\config.dat - non-malicious and can be safely deleted
<System>\_tdiserv_\guid.txt - non-malicious and can be safely deleted

W32/Tdibd-C also creates the following folders:
<System>\_tdiserv_\CacheFile
<System>\_tdiserv_\SendFile

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32tdibdc.html?_log_from=rss

W32/Tdibd-B
by Marianna Schmudlach / June 5, 2008 2:34 PM PDT

Aliases BackDoor-CSS
Backdoor.Win32.Rootcip.a

Category Viruses and Spyware

Type Virus

W32/Tdibd-B is a worm for the Windows platform with backdoor Trojan functionality.

W32/Tdibd-B includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Tdibd-B copies itself to <System>\_tdiserv_\setup.exe and creates some of the following files:

<System>\_tdiserv_\autorun.inf
<System>\_tdiserv_\Config.dat
<System>\_tdiserv_\Guid.txt
<System>\_tdiserv_\kill
<System>\_tdiserv_\tdi95dev.vxd
<System>\_tdiserv_\TdiUpdate.sys
<System>\_tdiserv_\_tdicli_.exe

The file TdiUpdate.sys is detected as Troj/RKProc-Fam. The files _tdicli_.exe and tdi95dev.vxd are detected as W32/Tdibd-B. The other files are not malicious and may be deleted.

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32tdibdb.html?_log_from=rss

W32/Tdibd-A
by Marianna Schmudlach / June 5, 2008 2:36 PM PDT
Troj/MalHost-A
by Marianna Schmudlach / June 5, 2008 2:37 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/MalHost-A creates and runs a batch file in the following folder
<Temp>\<random>.bat (also detected as Troj/MalHost-A)

When run, this batch file copies:
<System>\drivers\etc\hosts
to
<System>\drivers\etc\host.bak
and creates a new hosts file that directs specific banking domains to statically assigned IP addresses in an attempt to capture the users' banking details.

Note that if Troj/MalHost-A is run twice, both hosts and host.bak will be corrupted.

Troj/MalHost-A disables the Windows firewall.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmalhosta.html?_log_from=rss
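The hosts-file pharming described in the post above can be checked for offline. The script below is an added example, not code from the post, from Sophos or from CNET. It parses a Windows hosts file, reports any watched domain that has been pinned to a routable address (a loopback mapping is the ordinary ad-blocking use of the file and is not reported), and checks whether host.bak is a usable restore source, since the post notes that a second run of the trojan leaves the backup tampered too. It generalises past the single case in the post to any watch list of domains. The hosts text, the backup copies and the bank domain names are constructed sample data; the page does not name the banks targeted.

```python
"""Hosts-file pharming check (added example; constructed sample data)."""
import ipaddress

# Constructed sample of a tampered hosts file (assumption: the trojan writes
# ordinary "address hostname" lines). Addresses are documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.examplebank.test
203.0.113.45    online.examplebank.test
198.51.100.7    secure.otherbank.test   # constructed entry
127.0.0.1       ads.tracker.test
"""

# Constructed host.bak as it would look after the trojan ran twice:
# the "backup" is itself the tampered file.
SAMPLE_BACKUP_TAMPERED = SAMPLE_HOSTS

# Constructed clean host.bak, as it would look after a single run.
SAMPLE_BACKUP_CLEAN = """\
127.0.0.1       localhost
"""

# Domains whose hosts-file mappings are never legitimate (constructed list).
WATCHED_DOMAINS = {"examplebank.test", "otherbank.test"}

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs, skipping comments and junk lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # first field is not an address
        for name in parts[1:]:                # one address may map several names
            entries.append((ip, name.lower()))
    return entries


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return [(ip, hostname)] for watched names pinned to a non-loopback address.

    Only a watched name resolving to a routable address is reported; that is
    the redirection pattern the post describes.
    """
    return [
        (str(ip), name)
        for ip, name in parse_hosts(text)
        if name not in LOCAL_NAMES and is_watched(name) and not ip.is_loopback
    ]


def backup_is_restorable(backup_text):
    """host.bak is a safe restore source only if it shows no hijacks itself."""
    return not find_hijacks(backup_text)


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"HIJACK {name} -> {ip}")
    print("clean host.bak restorable:", backup_is_restorable(SAMPLE_BACKUP_CLEAN))
    print("tampered host.bak restorable:", backup_is_restorable(SAMPLE_BACKUP_TAMPERED))
```

On a real machine, read `<System>\drivers\etc\hosts` and `host.bak` into the two text arguments; if the backup is not restorable, rebuild the hosts file from a known-good copy rather than from host.bak.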

Troj/PSW-FG
by Marianna Schmudlach / June 6, 2008 12:10 AM PDT
Troj/NtRootK-DP
by Marianna Schmudlach / June 6, 2008 12:12 AM PDT
Troj/FakeAle-BX
by Marianna Schmudlach / June 6, 2008 12:16 AM PDT
Troj/Dwnldr-HEC
by Marianna Schmudlach / June 6, 2008 12:18 AM PDT
Troj/Delf-EZZ
by Marianna Schmudlach / June 6, 2008 12:19 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Delf-EZZ is a Trojan for the Windows platform.

Troj/Delf-EZZ includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Delf-EZZ copies itself to <System>\qtplugin.exe and creates the following files:

<System>\qtprot.sys which also is detected as Troj/Delf-EZZ
<System>\hdport.sys which is detected as Troj/Delf-EZY

The following registry entries are created to run qtplugin.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegistryMonitor1
<System>\igfxpers.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
RegistryMonitor2
<Windows>\ServicePackFiles\ServicePackCache

The file qtprot.sys is registered as a new system driver service named "qtprot", with a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\qtprot

The file hdport.sys is registered as a new system driver service named "hdport", with a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\hdport

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdelfezz.html

Backdoor:W32/SdBot.CKN
by Marianna Schmudlach / June 6, 2008 12:20 AM PDT
W32/Autorun-EW
by Marianna Schmudlach / June 6, 2008 12:23 AM PDT
W32/Autorun-EV
by Marianna Schmudlach / June 6, 2008 12:24 AM PDT
W32/Autoit-J
by Marianna Schmudlach / June 6, 2008 12:25 AM PDT
Troj/Zlob-AKY
by Marianna Schmudlach / June 6, 2008 12:27 AM PDT
Troj/Rootkit-CT
by Marianna Schmudlach / June 6, 2008 12:28 AM PDT
Panda Security's weekly report on viruses and intruders
by Marianna Schmudlach / June 6, 2008 1:00 AM PDT

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

Madrid, June 6, 2008 - Two dangerous Trojans, Banker.LAX and Peregar.C,
and the Autocrat.A worm are the subjects of this week's PandaLabs
report.

Banker.LAX is designed to steal bank details. To do so, it downloads a
file with numerous bank addresses onto a system and spies on users'
Internet movements. The malicious code then compares the addresses
entered in the browser bar with the entries of the file downloaded; if
it coincides at least partially, the Trojan's fraud mechanism is
activated.

This mechanism consists of redirecting users to a spoof Internet page,
instead of the bank's original page. Meanwhile, the Trojan gains control of the browser bar and changes the spoof page for the legitimate one, so users don't suspect anything.

On the spoof page, users are asked to enter their details for accessing the Internet. When they do, an error screen is displayed. Then, the data stolen is sent to the server.

This dangerous malicious code also steals victims' files and service
accounts (MSN Messenger or Outlook).

The Peregar.C Trojan on the other hand, is designed to fool users into
installing a false antivirus. The procedure is as follows: when run, the malicious code opens an Internet Explorer window with a search in
Youtube to distract users. Meanwhile, it modifies the system so that
when users try to open a Windows Explorer or Internet Explorer window,
an error screen with the following message is displayed:

"your system is infected with dangerous virus! Note: Strongly recommend to install antispyware program to clean your system and avoid total crash of your computer! Click OK to download the antispyware. . . . ."

If users agree to download the anti-spyware, they will actually be
downloading the IEAntiVirus adware onto their computer. Additionally,
Peregar.C displays false infection pop-ups so users pay to disinfect
their system.

The Autocrat.A worm copies itself on every system drive, including flash memories and external drives. The malicious actions it carries out include hiding files, blocking the task manager, etc. In short, it slows the PC down.

Backdoor:W32/SdBot.CKN
by Marianna Schmudlach / June 6, 2008 1:26 AM PDT
Bloodhound.Exploit.195
by Marianna Schmudlach / June 6, 2008 1:27 AM PDT
Bloodhound.Exploit.194
by Marianna Schmudlach / June 6, 2008 1:29 AM PDT
W32.Evolym
by Marianna Schmudlach / June 6, 2008 1:30 AM PDT
W32/Sohana-BA
by Marianna Schmudlach / June 6, 2008 1:34 AM PDT
VBS/Redlof-B
by Marianna Schmudlach / June 6, 2008 1:35 AM PDT
Troj/Rider-X
by Marianna Schmudlach / June 6, 2008 1:37 AM PDT
Troj/PWS-ARI
by Marianna Schmudlach / June 6, 2008 1:38 AM PDT
Troj/PWS-ARH
by Marianna Schmudlach / June 6, 2008 1:40 AM PDT
Troj/Delf-FAA
by Marianna Schmudlach / June 6, 2008 1:42 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Delf-FAA is a Trojan for the Windows platform.

Troj/Delf-FAA includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Delf-FAA copies itself to <System>\qtplugin.exe

The following registry entries are created to run qtplugin.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegistryMonitor1
<System>\qtplugin.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
RegistryMonitor2
<Random Number>

The file qtprot.sys is registered as a new system driver service named "qtprot", with a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\qtprot

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdelffaa.html?_log_from=rss

Troj/Agent-HBG
by Marianna Schmudlach / June 6, 2008 1:43 AM PDT
Troj/Agent-GZK
by Marianna Schmudlach / June 6, 2008 1:45 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-GZK attempts to edit websites to promote a target website.

Troj/Agent-GZK consists of three components:

<System>\jdk-1_5_0_19-windows-i391-pp\jav.bat
<System>\jdk-1_5_0_19-windows-i391-pp\js.exe
<System>\jdk-1_5_0_19-windows-i391-pp\dc.class

The files js.exe and dc.class are both detected as Troj/Agent-GZK.

Troj/Agent-GZK installs itself in the registry so it autoruns at startup with the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"Java (VM) v6.9"
"C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Java (VM) v6.9"
"C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat"

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgzk.html?_log_from=rss

Mal/Behav-249
by Marianna Schmudlach / June 6, 2008 1:46 AM PDT
Java/Ignoble-A
by Marianna Schmudlach / June 6, 2008 1:48 AM PDT
Troj/Small-ELP
by Marianna Schmudlach / June 6, 2008 2:03 PM PDT

Category Viruses and Spyware

Type Trojan

When first run Troj/Small-ELP copies itself to <Windows>\xxx.exe.

The following registry entry is created to run xxx.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
abc
<Windows>\xxx.EXE

The following registry entry is set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
1

http://www.sophos.com/security/analyses/viruses-and-spyware/trojsmallelp.html
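Several posts in this thread (Troj/Delf-EZZ, Troj/Delf-FAA, Troj/Agent-GZK, Troj/Small-ELP, and the `_tdiserv_` drop folder of W32/Tdibd-B and W32/Tdibd-C) list registry persistence: Run-key values, a marker under the Setup key, a DisableTaskMgr policy and driver services. The script below is an added example, not code from the posts, from Sophos or from CNET. It parses saved output of `reg query <key> /s` offline, so it can run on any machine against an export taken from the suspect host, and reports values whose name, data or service name matches an indicator quoted above; it also adds one generic heuristic beyond the page, flagging any autostart entry that launches a batch file. The export below is constructed sample data with the indicator names from the posts inserted, not a capture from an infected system, and the RegistryMonitor2 number is an arbitrary placeholder for the random value the post mentions.

```python
"""Registry persistence sweep for the indicators quoted in this thread
(added example; constructed sample data)."""
import re

# Constructed `reg query ... /s` output (assumption: the default layout, key
# paths flush left and values as "    name    REG_TYPE    data"). Not a capture.
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    RegistryMonitor1    REG_SZ    C:\WINDOWS\system32\qtplugin.exe
    Java (VM) v6.9    REG_SZ    C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
    abc    REG_SZ    C:\WINDOWS\xxx.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
    RegistryMonitor2    REG_SZ    1834012

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qtprot
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    \??\C:\WINDOWS\system32\qtprot.sys
"""

# Indicators transcribed from the Sophos descriptions quoted in the thread.
KNOWN_BAD_VALUE_NAMES = {"RegistryMonitor1", "RegistryMonitor2", "Java (VM) v6.9", "abc"}
KNOWN_BAD_PATH_FRAGMENTS = ("\\qtplugin.exe", "jdk-1_5_0_19-windows-i391-pp",
                            "\\_tdiserv_\\", "\\xxx.exe")
KNOWN_BAD_SERVICES = {"qtprot", "hdport"}
AUTOSTART_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"

VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")
SERVICE_RE = re.compile(r"\\services\\([^\\]+)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # a key path line
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, reg_type, data = m.groups()
            keys[current][name] = (reg_type, data)
    return keys


def classify_value(key, name, reg_type, data):
    """Return the reasons a registry value is suspicious (empty list if none)."""
    reasons = []
    key_l, data_l = key.lower(), data.lower()
    if name in KNOWN_BAD_VALUE_NAMES:
        reasons.append("value name is a published indicator")
    if any(frag.lower() in data_l for frag in KNOWN_BAD_PATH_FRAGMENTS):
        reasons.append("data contains a published drop path")
    # Generic heuristic beyond the page's list: an autostart of a batch file.
    if key_l.endswith(AUTOSTART_KEY_SUFFIX) and data_l.strip('"').endswith(".bat"):
        reasons.append("autostart entry launches a batch file")
    if key_l.endswith("\\policies\\system") and name == "DisableTaskMgr" and data_l in ("0x1", "1"):
        reasons.append("Task Manager disabled by policy")
    svc = SERVICE_RE.search(key_l)
    if svc and svc.group(1) in KNOWN_BAD_SERVICES and name.lower() == "imagepath":
        reasons.append("driver service name is a published indicator")
    return reasons


def sweep(text):
    """Return one finding dict per suspicious value in the export."""
    findings = []
    for key, values in parse_reg_query(text).items():
        for name, (reg_type, data) in values.items():
            reasons = classify_value(key, name, reg_type, data)
            if reasons:
                findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sweep(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\n  {f['name']} = {f['data']}\n  -> {'; '.join(f['reasons'])}")
```

To use it against a real host, export the Run keys, the Setup key, the Policies\System key and the Services tree with `reg query <key> /s > export.txt` and pass the file contents to `sweep`. Name matches against a published indicator are strong; the batch-file heuristic will also catch legitimate administrative scripts and needs a human look.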
