Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - March 11, 2008

by Marianna Schmudlach / March 10, 2008 3:06 PM PDT
Troj/Lineag-DI
by Marianna Schmudlach / March 10, 2008 3:11 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/Lineag-DI is a Trojan for the Windows platform.

When first run Troj/Lineag-DI copies itself to <Windows>\Debug\<random filename>.exe and creates the following files:

<Current Folder>\2.bat - clean file
<Windows>\1.bat - clean file
<Windows>\Debug\<random filename>.dll - detected as Mal/EncPk-AP.

The dropped dll is registered as a COM object and shell extension, creating registry entries under:

HKCR\CLSID\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}

Troj/Lineag-DI has been seen spammed in a zip file, in a self-extracting RAR file that also displays an image of a dog. Due to a coding error the malicious file may fail to run.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojlineagdi.html

Troj/FakeVir-AU
by Marianna Schmudlach / March 10, 2008 3:12 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeVir-AU is a Trojan for the Windows platform.

Troj/FakeVir-AU displays an icon in the system tray with a false warning that the computer is infected. The user must pay a licensing fee to disinfect the computer.

Troj/FakeVir-AU attempts to shut down other security software.

Troj/FakeVir-AU contains stealth functionality to hide itself.

Troj/FakeVir-AU drops the following files:
<System>\dllcache\beep.sys - detected as Troj/FakeVir-AU
<System>\braviax.exe - detected as Troj/FakeVir-AU
<System>\cru629.dat - detected as Troj/FakeVir-AU
<System>\users32.dat - detected as Troj/Agent-GPD

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirau.html

Troj/Agent-GRZ
by Marianna Schmudlach / March 10, 2008 3:14 PM PDT
Troj/DwnLdr-HBO
by Marianna Schmudlach / March 10, 2008 3:15 PM PDT
Troj/Buhow-A
by Marianna Schmudlach / March 10, 2008 3:17 PM PDT
In reply to: Troj/DwnLdr-HBO
Troj/Bckdr-QMG
by Marianna Schmudlach / March 10, 2008 3:19 PM PDT
Troj/Agent-GSA
by Marianna Schmudlach / March 10, 2008 3:20 PM PDT
Trojan Exploiting Microsoft Excel Vulnerability
by Marianna Schmudlach / March 10, 2008 3:23 PM PDT

US-CERT is aware of public reports of a trojan that may exploit a vulnerability in Microsoft Excel. This trojan is circulating through email messages that contain attached Excel files. Known file names for these attachments are OLYMPIC.XLS and SCHEDULE.XLS. These files may also contain Windows binary executables that can compromise an affected system.

US-CERT encourages users to do the following to help mitigate the risk:

Review Microsoft Security Advisory 947563 for workarounds.
Do not open unsolicited or untrusted email messages.
Use caution when opening email attachments.
Block executable files and unknown file types at the email gateway.
Install anti-virus software, and keep its virus signature files up-to-date.
Review the US-CERT Cyber Security Tip - Using Caution with Email Attachments.

US-CERT will provide more information as it becomes available.

http://www.us-cert.gov/current/current_activity.html#trojan_exploiting_microsoft_excel_vulnerability

Active exploitation of Excel vulnerability
by Marianna Schmudlach / March 10, 2008 3:24 PM PDT

It should be noted that the incidents we are aware of have been limited to a very specific targeted attack and were not widespread. In total, we established approximately 21 reports of attacks using only 8 different files, from within the same two communities, so far.

Below are the md5sums for the individual exploits:

More: http://isc.sans.org/

JS_PSYME.ANT
by Marianna Schmudlach / March 10, 2008 3:34 PM PDT

Bloggies Gives Out Malware Before Awards

The Web site of the Annual Weblogs Awards, more commonly known as the Bloggies, was hacked recently, serving up a malicious JavaScript to its visitors. This happened on the eve of its award ceremony, as reported in NEWS.com.au.

Upon loading, the site reportedly connects to the URL http://www.{BLOCKED}nwww.biz/1/1/ice-pack/index.php that Trend Micro researchers have verified to be malicious. It downloads the file INDEX.PHP which is detected as JS_PSYME.ANT. This JavaScript Quicktime exploit in turn connects to the URL http://{BLOCKED}nwww.biz/1/1/ice-pack/exe.php to download a file that is detected as TROJ_DROPPER.XX.

Whoever orchestrated this attack played on timing, knowing that people would more likely visit the Bloggies Web site on the eve of the awarding ceremony itself.

More: http://blog.trendmicro.com/

Troj/TinyDo-Fam
by Marianna Schmudlach / March 10, 2008 3:37 PM PDT
In reply to: JS_PSYME.ANT
Troj/GArch-A
by Marianna Schmudlach / March 10, 2008 3:38 PM PDT
W32/AutoInf-B
by Marianna Schmudlach / March 11, 2008 12:52 AM PDT
Troj/PWS-AQF
by Marianna Schmudlach / March 11, 2008 12:54 AM PDT
MalwareCore
by Marianna Schmudlach / March 11, 2008 12:55 AM PDT
Troj/Cheuko-D
by Marianna Schmudlach / March 11, 2008 12:57 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Cheuko-D is a Trojan for the Windows platform.

When first run Troj/Cheuko-D copies itself to <System>\svchoster.exe.

The following registry entry is created to run svchoster.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1961D16F-FA65-2C7F-0856-602C3407B1E2}
StubPath
<System>\svchoster.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojcheukod.html

Mal/Behav-175
by Marianna Schmudlach / March 11, 2008 12:58 AM PDT
Trojan:SymbOS/MultiDropper
by Marianna Schmudlach / March 11, 2008 12:59 AM PDT

Alias: Trojan:SymbOS/MultiDropper.A
Type: Trojan-Dropper, Trojan
Category: Malware
Platform: SymbOS
Origin: Asia

Summary
Multidropper is a trojan-dropper that operates on Symbian Series 60 2nd Edition devices.

It drops and runs other malware components on the compromised device.

http://www.f-secure.com/v-descs/trojan_symbos_multidropper.shtml

Trojan:SymbOS/Kiazha
by Marianna Schmudlach / March 11, 2008 1:01 AM PDT

Alias: Trojan:SymbOS/Kiazha.A
Type: Trojan
Category: Malware
Platform: SymbOS

Summary
Kiazha is a trojan that operates on Symbian Series 60 2nd Edition devices.

Trojan:SymbOS/Kiazha is a trojan that attempts to ransom money from the user of the device.

It is distributed as a component of Trojan:SymbOS/MultiDropper.A.

http://www.f-secure.com/v-descs/trojan_symbos_kiazha.shtml

TROJ_AGENT.LAM
by Marianna Schmudlach / March 11, 2008 1:02 AM PDT

Malware type: Trojan

This Trojan may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It displays the following icon to trick users into thinking that it is a legitimate image file:
It modifies the system's HOSTS files to prevent users from accessing certain Web sites.

This Trojan opens Internet Explorer upon execution and accesses a certain non-malicious URL.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FAGENT%2ELAM

Alex Dragulescu's Malwarez "is a series of visualization of
by Marianna Schmudlach / March 11, 2008 4:14 AM PDT
Troj/Zlob-AIS
by Marianna Schmudlach / March 11, 2008 4:18 AM PDT

Aliases Win32/TrojanDownloader.Zlob.BRB
Puper trojan

Category Viruses and Spyware

Type Trojan

Troj/Zlob-AIS is a Trojan for the Windows platform.

When Troj/Zlob-AIS is installed the following files are created:

<Current Folder>\sbmdl.dll
<Current Folder>\sbsm.exe

The following registry entry is created to run Troj/Zlob-AIS on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
start
<pathname of the Trojan executable>

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojzlobais.html

Troj/Keygen-BR
by Marianna Schmudlach / March 11, 2008 4:19 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Keygen-BR is a Trojan for the Windows platform.

When Troj/Keygen-BR is run the following files are created:

<Temp>\ixp000.tmp\photos~1.exe
<Temp>\ixp000.tmp\setupi~1.exe

The files are also detected as Troj/Keygen-BR.

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Windows>\winlogon.exe
<Windows>\winlogon.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows>\winlogon.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojkeygenbr.html
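The Lineag-DI, Zlob-AIS and Keygen-BR write-ups above each name a registry location used for persistence (a ShellExecuteHooks CLSID, the policies\explorer\run key, the Winlogon Shell value and a firewall exception for a winlogon.exe outside System32). The script below is an added example, not code from the alerts or from Sophos: it parses a registry export (.reg text) and reports entries matching those patterns; the sample export and the set of already-vetted hook CLSIDs are constructed assumptions.

```python
# Added example: audit a Windows registry export (.reg text) for the persistence
# locations quoted in the Sophos write-ups. Sample data and KNOWN_HOOKS are constructed.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
HOOKS = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
FW_LIST = r"\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list"
# ShellExecuteHooks CLSIDs the analyst has already vetted on this build (assumption).
KNOWN_HOOKS = {"{aeb6717e-7e19-11d0-97ee-00c04fd91972}"}

def _unquote(s):
    # .reg exports quote strings and double their backslashes.
    return s.strip('"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse a 'Windows Registry Editor' export into {key (lowercased): {value: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            keys[current]["(default)" if name == "@" else _unquote(name)] = _unquote(data)
    return keys

def audit(text):
    """Return (reason, detail) pairs for entries matching the patterns in the alerts."""
    findings = []
    for key, values in parse_reg(text).items():
        if key == WINLOGON and values.get("Shell", "Explorer.exe").lower() != "explorer.exe":
            findings.append(("winlogon-shell", values["Shell"]))          # Keygen-BR
        elif key == POLICY_RUN:                                           # Zlob-AIS
            findings += [("policies-run", f"{n}={d}") for n, d in values.items()]
        elif key.startswith(HOOKS + "\\"):                               # Lineag-DI
            clsid = key.rsplit("\\", 1)[1]
            if clsid not in KNOWN_HOOKS:
                findings.append(("shell-execute-hook", clsid))
        elif key.endswith(FW_LIST):                                       # Keygen-BR
            for path in values:  # a winlogon.exe that is not the System32 one
                if path.lower().endswith("\\winlogon.exe") and "\\system32\\" not in path.lower():
                    findings.append(("firewall-exception", path))
    return findings

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\winlogon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{083A5F21-BCB9-4B21-A121-2584BEEFBFEF}]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\winlogon.exe"="C:\\WINDOWS\\winlogon.exe:*:Enabled:winlogon"
"""
```

Running `audit(SAMPLE_REG)` reports the altered Shell value, the unvetted hook CLSID and the firewall exception; an export with only `"Shell"="Explorer.exe"` reports nothing.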

Troj/ExePage-A
by Marianna Schmudlach / March 11, 2008 4:20 AM PDT
Troj/Dloadr-BIL
by Marianna Schmudlach / March 11, 2008 4:22 AM PDT
Troj/Bancban-QU
by Marianna Schmudlach / March 11, 2008 4:23 AM PDT
FakeShareaza MediaBar Installer
by Marianna Schmudlach / March 11, 2008 4:24 AM PDT
FakeShareaza MediaBar
by Marianna Schmudlach / March 11, 2008 4:26 AM PDT
FakeShareaza Installer
by Marianna Schmudlach / March 11, 2008 4:27 AM PDT
FakeShareaza
by Marianna Schmudlach / March 11, 2008 4:28 AM PDT