Spyware, Viruses, & Security forum

General discussion

VIRUS \ Spyware ALERTS - March 14, 2008

by Marianna Schmudlach / March 13, 2008 3:11 PM PDT
SWF_ADHIJACK.E
by Marianna Schmudlach / March 13, 2008 3:13 PM PDT

Malware type: Others

Malware Overview

This malicious Shockwave Flash (.SWF) object file may arrive on a system via email informing users that they have received a postcard. [Screenshot of the object it displays not reproduced here.]

Once clicked, this object file attempts to modify the 2wire modem localhost table to perform pharming against a certain bank. It does this by pinging requests to the modem.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=SWF%5FADHIJACK%2EE

W32/Mumawow-A
by Marianna Schmudlach / March 13, 2008 3:47 PM PDT
Troj/Rootkit-CC
by Marianna Schmudlach / March 13, 2008 3:48 PM PDT
Troj/Mdrop-BQP
by Marianna Schmudlach / March 13, 2008 3:50 PM PDT
Troj/Badsrc-A
by Marianna Schmudlach / March 13, 2008 3:51 PM PDT
OneStepSearch
by Marianna Schmudlach / March 14, 2008 1:18 AM PDT
Mal/TibsPk-A
by Marianna Schmudlach / March 14, 2008 1:20 AM PDT
JS/Popupper-A
by Marianna Schmudlach / March 14, 2008 1:21 AM PDT
Hare
by Marianna Schmudlach / March 14, 2008 1:24 AM PDT

Aliases Hare-7750, Hare-7786, Krishna, HD_Euthanasia

Category Viruses and Spyware

Type Virus

A tricky multipartite virus, polymorphic and stealth in the boot sector and files. It hides the partition table to make the hard disc inaccessible to DOS after a clean boot. On 22nd August and 22 September it displays a message and destroys the hard disk. (VB Aug 96)

Trigger condition:

22 Aug, 22 Sept

http://www.sophos.com/security/analyses/viruses-and-spyware/hare.html

VBS/Solow-I
by Marianna Schmudlach / March 14, 2008 2:36 AM PDT
Troj/ServU-FG
by Marianna Schmudlach / March 14, 2008 2:38 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/ServU-FG is a hacked version of the Serv-U FTP server application.

Troj/ServU-FG allows a remote intruder to gain access and control over the computer.

Troj/ServU-FG reads configuration data from <Current Folder>\SyntCoreRes.dll and creates a log file <Current Folder>\commondllgl32st.dll.


http://www.sophos.com/security/analyses/viruses-and-spyware/trojservufg.html

Troj/DoSSypak-A
by Marianna Schmudlach / March 14, 2008 2:39 AM PDT

Aliases Win32/DoS.Sypak

Category Viruses and Spyware

Type Trojan

Troj/DoSSypak-A is a Trojan for the Windows platform.

When first run Troj/DoSSypak-A copies itself to the Windows system folder.

Troj/DoSSypak-A is registered as a new system driver service named "svcname", with a display name of "

Troj/Agent-GSP
by Marianna Schmudlach / March 14, 2008 2:40 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-GSP is a Trojan for the Windows platform.

When Troj/Agent-GSP is installed the following files are created:

<Temp>\1SBa59t6.exe
<Windows>\Installer\{0ab4eb09-6f4b-4996-b776-b27bd1e9fcdc}\zip.dll

The file zip.dll is registered as a COM object, creating registry entries under:

HKCR\CLSID\{0ab4eb09-6f4b-4996-b776-b27bd1e9fcdc}

The following registry entry is created to run code exported by zip.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
zip
{0ab4eb09-6f4b-4996-b776-b27bd1e9fcdc

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgsp.html

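The ShellServiceObjectDelayLoad (SSODL) persistence described above is straightforward to audit offline from a registry export. The following Python is an added example, not code from the Sophos write-up or from CNET: it parses a constructed .reg-style text (every value illustrative, including the made-up baseline CLSID and DLL) and flags any SSODL entry whose COM server DLL lives outside the system directory, which is exactly how the zip.dll entry stands out.

```python
from pathlib import PureWindowsPath

# Constructed .reg-style export (illustrative only, not real registry data) covering the
# two locations the write-up names: the SSODL list and the CLSID each entry points at.
# "KnownShellObject" and its CLSID/DLL are a made-up baseline entry for contrast.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"KnownShellObject"="{11111111-2222-3333-4444-555555555555}"
"zip"="{0ab4eb09-6f4b-4996-b776-b27bd1e9fcdc}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\knownobj.dll"

[HKEY_CLASSES_ROOT\CLSID\{0ab4eb09-6f4b-4996-b776-b27bd1e9fcdc}\InprocServer32]
@="C:\\WINDOWS\\Installer\\{0ab4eb09-6f4b-4996-b776-b27bd1e9fcdc}\\zip.dll"
"""

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
TRUSTED_DIR = PureWindowsPath(r"C:\WINDOWS\system32")  # assumed system directory


def parse_reg(text):
    """Parse a minimal .reg export into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # .reg files double every backslash in string data; undo that here
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def audit_ssodl(reg_text):
    """Return (entry, clsid, dll_path, reason) for each SSODL entry whose in-process
    server is missing or is not located in the system directory."""
    keys = parse_reg(reg_text)
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"
        dll = keys.get(server_key, {}).get("@")
        if dll is None:
            findings.append((name, clsid, None, "CLSID has no InprocServer32 path"))
            continue
        parent = [p.lower() for p in PureWindowsPath(dll).parent.parts]
        if parent != [p.lower() for p in TRUSTED_DIR.parts]:
            findings.append((name, clsid, dll, "shell-loaded DLL outside system32"))
    return findings


if __name__ == "__main__":
    for finding in audit_ssodl(SAMPLE_REG):
        print(finding)
```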
Troj/Agent-GSO
by Marianna Schmudlach / March 14, 2008 2:41 AM PDT
Adware.Superiorads
by Marianna Schmudlach / March 14, 2008 2:43 AM PDT
Panda Security's weekly report on viruses and intruders
by Marianna Schmudlach / March 14, 2008 3:03 AM PDT

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

Madrid, March 14, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 26.05% of protected computers are infected with some type of malicious code.

"Many users think that having an antivirus installed is enough to protect them. However, not all solutions protect the same nor is it enough to have a solution installed on the computer", explains Luis Corrons, Technical Director of PandaLabs. "To be more protected, traditional security software must be complemented with on-demand scans performed by online solutions that offer greater detection capacity".

Regarding the most prevalent malicious codes last week, the list is headed by the Comet adware, which shows ads while users surf the Internet.

The Bagle.RP and Puce.E worms take second and third place respectively. These malicious codes use their own means to spread from one computer to another.

Top 10 TotalScan

 1. Adware   Comet
 2. Worm     Bagle.RP
 3. Worm     Puce.E
 4. Adware   Starware
 5. Spyware  Virtumonde
 6. Worm     Archivarius.A
 7. Worm     Bagle.SB
 8. Trojan   Rebooter.J
 9. Worm     Bagle.RC
10. Adware   SaveNow

As for the thousands of new codes that have appeared this week, the
PandaLabs report looks at EbayRob.B and WinFake.A.

EbayRob.B is a Trojan designed to steal data entered in online forms on sites like eBay. This data is later sent to the malware creator by email.

The Trojan modifies the Windows Registry in order to register itself as a service, which allows it to run automatically every time Windows is started up. It also edits the hosts file to redirect access to a series of websites to the affected computer. By doing this, the Trojan will be able to monitor access to those addresses.

When run by the user, EbayRob.B displays a series of car photos.

WinFake.A is a worm that infects all available drives. It also prevents certain utilities, functions (like regedit) or the Windows console from being run, and hinders the normal use of the clipboard.

The worm appears as a Microsoft Word icon called Love. Once run, it makes several copies of itself on the system and names them after songs to entice users to run them.

More information in PandaLabs' Encyclopedia (http://www.pandasecurity.com/spain/homeusers/security-info/about-malware/encyclopedia/?sitepanda=particulares)

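EbayRob.B's hosts-file edits can be caught by reading the file rather than trusting name resolution. The following Python is an added example (not from Panda's report): it parses constructed hosts-file content, with hostnames and addresses chosen for illustration, and reports every name outside a small expected set, distinguishing redirects to loopback (the "to the affected computer" case) from redirects elsewhere. It checks only the local hosts file, so a modem-side table rewrite like the SWF_ADHIJACK.E one earlier in this thread is outside its scope.

```python
import ipaddress

# Constructed hosts-file content (not a real capture): two normal loopback lines, then
# redirections of the kind the EbayRob.B write-up describes. Hostnames are illustrative.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.ebay.com
127.0.0.1       signin.ebay.com
10.0.0.5        www.example-bank.test   # a non-loopback redirect is just as suspicious
"""

# Names a hosts file is expected to carry; anything else mapped here bypasses DNS.
EXPECTED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        for name in fields[1:]:                # one line may carry several names
            yield ip, name.lower()


def find_pharming_entries(text, expected=EXPECTED_NAMES):
    """Return (hostname, ip, kind) for every hosts entry naming a host outside the expected
    set; kind is 'loopback' when traffic is pinned to the machine itself, else 'remote'."""
    hijacked = []
    for ip, name in parse_hosts(text):
        if name in expected:
            continue
        kind = "loopback" if ip.is_loopback else "remote"
        hijacked.append((name, str(ip), kind))
    return hijacked


if __name__ == "__main__":
    for entry in find_pharming_entries(SAMPLE_HOSTS):
        print("hosts-file override:", entry)
```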
Troj/Rootkit-CD
by Marianna Schmudlach / March 14, 2008 9:04 AM PDT
Troj/Bckdr-QMH
by Marianna Schmudlach / March 14, 2008 9:06 AM PDT
Troj/Agent-GSS
by Marianna Schmudlach / March 14, 2008 9:07 AM PDT

Aliases SpamTool.Win32.Agent.gd

Category Viruses and Spyware

Type Worm

Troj/Agent-GSS is a worm for the Windows platform.

Troj/Agent-GSS includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Agent-GSS is installed the following files are created:

<Temp>\_check32.bat
<Windows>\s32.txt
<System>\aspimgr.exe
<Windows>\ws386.ini

The file aspimgr.exe is registered as a new system driver service named "aspimgr", with a display name of "Microsoft ASPI Manager" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\aspimgr

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Sft

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgss.html?_log_from=rss

Mal/Behav-201
by Marianna Schmudlach / March 14, 2008 9:08 AM PDT
OneStepSearch
by Marianna Schmudlach / March 14, 2008 9:12 AM PDT
PE_TRATS.E-O
by Marianna Schmudlach / March 14, 2008 9:14 AM PDT

Malware type: File infector

Malware Overview

This file infector may be downloaded unknowingly from certain Web sites.

Upon execution, this file infector creates a folder, and drops several files. It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It also modifies a registry entry to enable its automatic execution at every system startup.

It also drops an infected copy of CTFMON.EXE. The infected copy is detected as PE_TRATS.E. It then creates a copy of the original CTFMON.EXE.

It infects EXE files by prepending its code and appending its DLL component code in the host file. Files infected by this malware are detected as PE_TRATS.E.

This file infector connects to a certain URL to download an updated copy of its DLL component.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FTRATS%2EE%2DO

Troj/Agent-GSQ
by Marianna Schmudlach / March 14, 2008 11:06 AM PDT
Troj/PWS-AQH
by Marianna Schmudlach / March 14, 2008 11:07 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/PWS-AQH is a Trojan for the Windows platform.

When Troj/PWS-AQH is installed the following files are created:

<Temp>\RarSFX0\11.sfx.exe
<Temp>\RarSFX0\mm\168_325566_f54679f96e1c490 [%P].jpg
<Temp>\RarSFX0\mm\168_378561_7ccc6cb8001c00f [%P].jpg
<Temp>\RarSFX0\mm\2005610010104150 [%P].jpg
<Temp>\RarSFX0\mm\242965581_9faa239705_o [%P].jpg
<Temp>\RarSFX0\mm\Thumbs.db
<Temp>\RarSFX0\mm\harajuku-15 [%P].jpg
<Temp>\RarSFX0\mm\harajuku-6 [%P].jpg
<Current Folder>\2.bat
<Windows>\help\F3C74E3FA248.dll
<Windows>\help\F3C74E3FA248.xe

The file F3C74E3FA248.dll is detected as Mal/LineDLL-B and the file F3C74E3FA248.xe is detected as Mal/EncPk-AZ.

The file F3C74E3FA248.dll is registered as a COM object, creating registry entries under:

HKCR\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsaqh.html

Troj/Dloadr-BJH
by Marianna Schmudlach / March 14, 2008 11:08 AM PDT

Aliases Trojan-Downloader.Win32.Small.swg

Category Viruses and Spyware

Type Trojan

Troj/Dloadr-BJH is a Trojan for the Windows platform.

When Troj/Dloadr-BJH is installed it creates the file <System>\wmdmsvc32.dll.

The file wmdmsvc32.dll is registered as a new service named "WmdmPmSn". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSn

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbjh.html

Troj/Agent-GST
by Marianna Schmudlach / March 14, 2008 11:10 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-GST is a Trojan for the Windows platform.

Troj/Agent-GST attempts to contact a remote server over the internet.

When Troj/Agent-GST is installed the following files are created:

<Temp>\78453.vbs - also detected as Troj/Agent-GST
<Temp>\finaltemp.vbs - empty file

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgst.html

Troj/Agent-GSR
by Marianna Schmudlach / March 14, 2008 11:11 AM PDT