Spyware, Viruses, & Security forum


VIRUS \ SPYWARE ALERTS - March 2, 2009

by Marianna Schmudlach / March 1, 2009 1:35 PM PST

W32/AutoRun-ZP

Category: Viruses and Spyware
Type: Worm


W32/AutoRun-ZP is a worm for the Windows platform.

When run, W32/AutoRun-ZP copies itself to <Root>\RECYCLER\<User>\win32.exe and sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612
StubPath
<Root>\RECYCLER\<User>\win32.exe

W32/AutoRun-ZP spreads by copying itself to <Root>\RECYCLER\<User>\win32.exe on removable shared drives and by creating the file <Root>\autorun.inf (detected as W32/HostInf-A).

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunzp.html?_log_from=rss
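The autorun.inf this worm drops is the part of the infection a responder actually gets to hold, since it travels on the USB stick. Below is an added example (not code from the post or from Sophos) that parses an autorun.inf the tolerant way Windows does and reports what the file would launch. The worm sample inside it is constructed: the win32.exe-under-RECYCLER layout follows the post, while the SID, the junk lines and the folder-icon trick are assumed.

```python
"""Triage an autorun.inf like the one W32/AutoRun-ZP writes to removable drives.

Added example for this thread, not code from the forum post or from Sophos.
The worm sample at the bottom is constructed: the win32.exe-under-RECYCLER
layout follows the post; the SID, junk lines and icon trick are assumed.
"""
import re
from typing import Dict, List

# [autorun] keys that make Windows run a program: AutoPlay's open/shellexecute,
# and per-verb shell\<verb>\command entries that take over the drive's
# double-click and context-menu actions in Explorer.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_VERB_RE = re.compile(r"^shell\\[^\\]+\\command$")
HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)",
    re.IGNORECASE)
FOLDER_ICON_RE = re.compile(r"shell32\.dll,\s*[34]$", re.IGNORECASE)  # closed/open folder icons
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Key -> value of the [autorun] section, keys lower-cased.

    Tolerant on purpose: droppers pad the file with lines that are not
    key=value, mix case in the header and keys, and may prepend a BOM.
    Windows' INI reader ignores all of that, so a triage parser must too.
    The first occurrence of a key is kept.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Every command line the section can run, as written."""
    return [v for k, v in entries.items() if k in LAUNCH_KEYS or SHELL_VERB_RE.match(k)]


def program_of(command: str) -> str:
    """First token of a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def triage(text: str) -> List[str]:
    """Findings for one autorun.inf; an empty list means nothing to report."""
    entries = parse_autorun_inf(text)
    findings: List[str] = []
    for target in launch_targets(entries):
        program = program_of(target)
        if HIDDEN_DIR_RE.search(program):
            findings.append(f"worm-like: runs from hidden system folder: {target}")
        elif program.lower().endswith(EXEC_EXTS):
            findings.append(f"runs program on AutoPlay/double-click: {target}")
    if "shell" in entries:  # default verb redirected, so double-click runs the attacker's verb
        findings.append(f"default verb hijacked: shell={entries['shell']}")
    if FOLDER_ICON_RE.search(entries.get("icon", "")):
        findings.append("drive icon disguised as a folder (shell32.dll folder icon)")
    return findings


# Constructed worm sample modelled on the post (fake SID, assumed extras).
WORM_AUTORUN_INF = r"""
[AutoRun]
;comment
garbage line without an equals sign
OPEN=RECYCLER\S-1-5-21-0-0-0-1000\win32.exe
shell\open\Command=RECYCLER\S-1-5-21-0-0-0-1000\win32.exe
shell\explore\command=RECYCLER\S-1-5-21-0-0-0-1000\win32.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed benign sample: a driver CD that only starts its own installer.
BENIGN_AUTORUN_INF = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Driver CD
"""

if __name__ == "__main__":
    for name, sample in (("worm", WORM_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name, triage(sample))
```

The benign CD still produces one line, because a drive that runs anything on insertion is worth a look; what separates the worm is the launch path under RECYCLER, the overridden default verb, and the folder icon that makes the drive look like a harmless folder in Explorer.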

Troj/Rootkit-FA
by Marianna Schmudlach / March 1, 2009 1:36 PM PST
Troj/PWSDlg-Gen
by Marianna Schmudlach / March 1, 2009 1:37 PM PST
Troj/Pushdo-AH
by Marianna Schmudlach / March 1, 2009 1:38 PM PST
Troj/Inject-EX
by Marianna Schmudlach / March 1, 2009 1:39 PM PST
Troj/BHO-KF
by Marianna Schmudlach / March 1, 2009 1:40 PM PST
Troj/Agent-IYV
by Marianna Schmudlach / March 1, 2009 1:41 PM PST
W32/Sohana-CC
by Marianna Schmudlach / March 1, 2009 11:36 PM PST
W32/Autorun-ZQ
by Marianna Schmudlach / March 1, 2009 11:37 PM PST
W32/Agent-JBV
by Marianna Schmudlach / March 1, 2009 11:38 PM PST
Troj/PWS-AZD
by Marianna Schmudlach / March 1, 2009 11:39 PM PST
Troj/FakeAV-LU
by Marianna Schmudlach / March 1, 2009 11:40 PM PST
Troj/Dloadr-CHP
by Marianna Schmudlach / March 1, 2009 11:41 PM PST
Troj/Agent-JBU
by Marianna Schmudlach / March 1, 2009 11:42 PM PST
Troj/Agent-JBT
by Marianna Schmudlach / March 1, 2009 11:43 PM PST
Troj/Agent-JBS
by Marianna Schmudlach / March 1, 2009 11:44 PM PST
W32/Rbot-GXO
by Marianna Schmudlach / March 1, 2009 11:45 PM PST

Category: Viruses and Spyware
Type: Worm


W32/Rbot-GXO is a worm and backdoor Trojan for the Windows platform.

When run, W32/Rbot-GXO copies itself to <System>\svhost.exe and creates the file <System>\drivers\sysdrv32.sys (detected as W32/Rbot-GXM).

Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSNETDED\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNETDED\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\
HKLM\SYSTEM\CurrentControlSet\Services\sysdrv32\

http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgxo.html?_log_from=rss

W32/AutoRun-ZR
by Marianna Schmudlach / March 1, 2009 11:46 PM PST
W32/Autorun-AV
by Marianna Schmudlach / March 1, 2009 11:47 PM PST

Category: Viruses and Spyware
Type: Worm


W32/Autorun-AV is a worm for the Windows platform.

W32/Autorun-AV contains functionality to spread via removable storage devices.

When first run, W32/Autorun-AV copies itself to <System>\amvo.exe and creates the following files:

<Temp>\fq9.dll
<Temp>\w2e.sys
<System>\amvo0.dll

The file amvo0.dll is detected as Mal/EncPk-CE and the file w2e.sys is detected as Mal/RootKit-A.

The following registry entry is created to run amvo.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
amva
<System>\amvo.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunav.html?_log_from=rss
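The three Sophos write-ups in this thread (W32/AutoRun-ZP's Active Setup StubPath, W32/Rbot-GXO's SafeBoot and Services keys, and W32/Autorun-AV's HKCU Run value above) all come down to new entries in a handful of autostart locations, and the practical check is to diff those locations against a known-clean export. The following is an added example, not code from the posts or from Sophos: it reads the text of two `reg export` files (assumed saved as UTF-8; hex and multi-line values are kept verbatim rather than decoded) and reports what the suspect host has that the baseline does not. Both exports are constructed to mirror the posts; the GUIDs, the SID, the baseline entries and the ImagePath being a plain string are placeholders and assumptions.

```python
"""Diff Windows autostart locations between a clean baseline and a suspect host.

Added example for this thread, not code from the forum posts or from Sophos.
Input is the text of `reg export` files (assumed UTF-8; hex and multi-line
values are kept verbatim). The two exports at the bottom are constructed to
mirror the posts: AutoRun-ZP's Active Setup StubPath, Rbot-GXO's SafeBoot and
Services entries and Autorun-AV's HKCU Run value. GUIDs, SID and the benign
baseline entries are placeholders.
"""
import re
from typing import Dict, List

RegValues = Dict[str, Dict[str, str]]  # key path (lower-cased) -> {value name -> data}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
HIDDEN_DIR_RE = re.compile(r"(^|\\)(recycler|recycled|\$recycle\.bin)(\\|$)", re.IGNORECASE)

# Locations the three posts abuse. Prefix match, so Run also covers RunOnce.
PERSISTENCE_PREFIXES = (
    "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\",
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\",
    "hkey_local_machine\\system\\currentcontrolset\\services\\",
)


def parse_reg_export(text: str) -> RegValues:
    """Minimal .reg reader: [key] headers and "name"=data / @=data lines."""
    keys: RegValues = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:  # a leading '-' marks a key deletion, which carries no values
            current = None if m.group(1) else m.group(2).lower()
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1).lower()
            data = m.group(3)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # undo .reg escaping
            keys[current][name] = data
    return keys


def is_persistence_key(key: str) -> bool:
    return any(key.startswith(p) for p in PERSISTENCE_PREFIXES)


def diff_persistence(baseline: RegValues, suspect: RegValues) -> Dict[str, Dict[str, str]]:
    """Persistence keys in `suspect` that are new, or whose values changed."""
    changed: Dict[str, Dict[str, str]] = {}
    for key, values in suspect.items():
        if not is_persistence_key(key):
            continue
        base = baseline.get(key, {})
        delta = {n: d for n, d in values.items() if base.get(n) != d}
        if delta or key not in baseline:
            changed[key] = delta
    return changed


def triage(baseline_text: str, suspect_text: str) -> List[str]:
    """One finding per changed key, ordered by key path. Empty list = clean."""
    findings: List[str] = []
    changed = diff_persistence(parse_reg_export(baseline_text), parse_reg_export(suspect_text))
    for key, delta in sorted(changed.items()):
        hidden = [d for d in delta.values() if HIDDEN_DIR_RE.search(d)]
        if hidden:
            findings.append(f"CRITICAL autostart from hidden folder: {key} -> {hidden[0]}")
        elif "\\control\\safeboot\\" in key:
            findings.append(f"HIGH new Safe Mode entry, survives a safe-mode cleanup: {key}")
        elif "\\services\\" in key:
            findings.append(f"HIGH new service/driver: {key} ImagePath={delta.get('imagepath', '?')}")
        else:
            for name, data in delta.items():
                findings.append(f"MEDIUM new autostart value: {key}\\{name} = {data}")
    return findings


# Constructed baseline from a clean build (GUID is a placeholder).
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-1111-1111-1111-111111111111}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

# Constructed export from the infected host: the baseline plus the posts' entries.
SUSPECT_REG = BASELINE_REG + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22222222-2222-2222-2222-222222222222}]
"StubPath"="C:\\RECYCLER\\S-1-5-21-0-0-0-1000\\win32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"amva"="C:\\WINDOWS\\system32\\amvo.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSNETDED]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32]
"ImagePath"="system32\\drivers\\sysdrv32.sys"
"""

if __name__ == "__main__":
    for line in triage(BASELINE_REG, SUSPECT_REG):
        print(line)
```

The SafeBoot entries get their own severity because they are what makes the Rbot rootkit driver load even when the machine is booted into Safe Mode, which is where most people go to clean an infection; the unchanged vga.sys entry in the baseline shows why a diff, rather than a list of everything under SafeBoot, is the useful view. The amvo.exe Run value only rates MEDIUM on path alone, since <System> is where legitimate autostarts live too; that is the entry to follow up with a hash or signature check.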

Troj/Dloadr-CHO
by Marianna Schmudlach / March 1, 2009 11:49 PM PST
Troj/BHO-KG
by Marianna Schmudlach / March 1, 2009 11:50 PM PST
Troj/Bckdr-QRX
by Marianna Schmudlach / March 1, 2009 11:51 PM PST
Troj/Agent-JBR
by Marianna Schmudlach / March 1, 2009 11:52 PM PST
Conficker call-backs threaten to swamp legit domains
by Marianna Schmudlach / March 2, 2009 12:08 AM PST

Southwest Airlines faces Friday the 13th horror

By John Leyden
2nd March 2009

The infamous Conficker worm is set to disrupt the operation of at least four legitimate websites this month.

Machines infected with Conficker (Downadup) are programmed to dial home for updates through a list of domains which changes every day. Microsoft is heading an alliance to block unregistered domains on this list but that still leaves a number of registered domains on the storm front.

An analysis by Sophos identified that of 7,750 Conficker call-home domains found, around half are active (ie resolve to an IP address). Fortunately the vast majority of these (3,861 of 3,889) domains resolve to only 42 unique IP addresses. That leaves 28 domains to worry about, most of which are up for sale with registrars.

More: http://www.theregister.co.uk/2009/03/02/conficker_collateral_damage/

Phishers automate attacks using 'Google hacking'
by Marianna Schmudlach / March 2, 2009 12:09 AM PST

Why pay when you can pwn?

By John Leyden
2nd March 2009

Three in four phishing sites are hosted on compromised servers, according to a new survey.

A study of 2,486 fraudulent websites found that 76 per cent were housed on hacked webservers, typically pwned after hackers identified well-known vulnerabilities using search engine queries. Free web hosting for fraudulent websites was used in just 17.4 per cent of cases.

The paper, called Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing, by security researchers Tyler Moore and Richard Clayton, also found that a sizeable minority of compromised systems were serial victims of attack.

One in five (19 per cent) were hit again less than six months after a phishing-related hack attack. That's because legitimate owners might turf out fraudsters from their systems but they often fail to fix underlying vulnerabilities that let them in.

More: http://www.theregister.co.uk/2009/03/02/phishing_hackedserver_survey/

New Variant of Koobface Worm Spreading on Facebook
by Marianna Schmudlach / March 2, 2009 12:13 AM PST

I just received a Facebook message from a friend; it was a pretty standard one that is beginning to look familiar to a lot of us I am sure.


What surprised me though, was the page that the link led to. On the face of it is a very familiar looking spoofed version of YouTube, complete with bogus comments from "viewers".

Take a second look though, the link had taken me to a site supposedly hosting a video posted by the same person that I had received the Facebook message from. In fact not only was the malicious landing page displaying his name, it had also pulled the photo from his Facebook profile. A very neat little piece of social engineering.

Clicking the Install button redirects to a download site for the file setup.exe which is the new Koobface variant detected as WORM_KOOBFACE.AZ. It is hosted on an IP address in another part of the world, and in the last hour, we've seen 300+ different unique IP addresses hosting setup.exe and we're expecting more. All seen IP addresses hosting the said malicious file are now detected as HTML_KOOBFACE.BA.

More: http://blog.trendmicro.com/

Trojan:SymbOS/KBlock.A
by Marianna Schmudlach / March 2, 2009 12:14 AM PST

Name : Trojan:SymbOS/KBlock.A
Detection Names : Trojan:SymbOS/KBlock.A
Type: Trojan
Category: Malware
Platform: SymbOS

Summary
KBlock is a trojan for Series 60 1st and 2nd Edition phones.

KBlock prevents the usage of the phone by automatically locking the keypad and keeping it locked.

http://www.f-secure.com/v-descs/trojan_symbos_kblock_a.shtml

W32/Autorun-ZW
by Marianna Schmudlach / March 2, 2009 1:18 AM PST
W32/AutoRun-ZV
by Marianna Schmudlach / March 2, 2009 1:19 AM PST
W32/AutoRun-ZT
by Marianna Schmudlach / March 2, 2009 1:19 AM PST