VIRUS \ Spyware ALERTS - March 21, 2008

by Marianna Schmudlach / March 20, 2008 3:08 PM PDT
Troj/Zlob-AJJ
by Marianna Schmudlach / March 20, 2008 3:09 PM PDT
Troj/PWS-AQR
by Marianna Schmudlach / March 20, 2008 3:10 PM PDT
Troj/Prorat-DP
by Marianna Schmudlach / March 20, 2008 3:11 PM PDT
Troj/FakeAV-E
by Marianna Schmudlach / March 20, 2008 3:13 PM PDT
Troj/Dloadr-BJN
by Marianna Schmudlach / March 20, 2008 3:14 PM PDT
Troj/Agent-GTM
by Marianna Schmudlach / March 20, 2008 3:15 PM PDT
Troj/Agent-GTL
by Marianna Schmudlach / March 20, 2008 3:17 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-GTL is a Trojan for the Windows platform.

Troj/Agent-GTL intercepts network traffic for the infected computer.

Troj/Agent-GTL copies itself onto removable storage devices such as USB keys that are inserted into the infected computer.

Troj/Agent-GTL creates the following registry values:
-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser
-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload
-HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntuser
-HKCU\Software\Microsoft\Windows\CurrentVersion\Run\autoload


http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgtl.html?_log_from=rss

Panda Security's weekly report on viruses and intruders
by Marianna Schmudlach / March 21, 2008 12:46 AM PDT

Madrid, March 21, 2008 - According to data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 25.41% of computers with a security solution installed were infected.

"Given the vast amount of new samples of malware in circulation every day, security laboratories are saturated and solutions can no longer be updated in time. That's why traditional solutions need to be complemented with online tools capable of accessing a larger knowledge base and detecting much more malicious code," explains Luis Corrons, Technical Director of PandaLabs.

Among the thousands of malicious codes that have appeared this week, the present PandaLabs report focuses on the Bankolimb.AF Trojan and the Autorun.RS worm.

When it is run, Autorun.RS releases two files on the computer designed to steal passwords for online games.

"The use of worms that can steal passwords, a feature more often associated with Trojans, is a growing trend. The reason is that worms, unlike Trojans, can spread by themselves, which represents a real advantage for cyber-crooks", says Luis Corrons.

Theft of passwords for online games is motivated by the potential financial returns that this can generate. In these games, there are levels and items that can only be achieved through skill and experience. However, many users are willing to pay for them on forums, web pages, etc. Cyber-crooks readily profit from this situation.

The Bankolimb.AF Trojan drops several libraries on the computer, one of which is registered as a BHO (Browser Helper Object). This allows it to monitor the Internet activity of the user, monitoring when they access online bank pages, and adding fields to forms that users see on these pages, in order to collect additional information.

The Trojan captures keystrokes to steal passwords entered into these pages. It then sends the information to its creator, uploading a file with the data to a server.

Troj/Zbot-K
by Marianna Schmudlach / March 21, 2008 12:49 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Zbot-K is a Trojan for the Windows platform.

Troj/Zbot-K includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Zbot-K is installed the following files are created:

<System>\ntos.exe (detected as Troj/Zbot-K)
<System>\wsnpoem\audio.dll (harmless data file, can be deleted)
<System>\wsnpoem\video.dll (harmless data file, can be deleted)

The following registry entry is changed to run ntos.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\ntos.exe,

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzbotk.html?_log_from=rss

Troj/Mdrop-BQW
by Marianna Schmudlach / March 21, 2008 12:50 AM PDT

Aliases EXP/Office.Dropper.Gen

Category Viruses and Spyware

Type Trojan

Troj/Mdrop-BQW is a dropper Trojan for the Windows platform.

Troj/Mdrop-BQW is a Microsoft PowerPoint file which typically arrives as an email attachment.

Troj/Mdrop-BQW attempts to exploit the Microsoft Office Remote Code Execution Using a Malformed Routing Slip vulnerability (MS06-012) in order to execute shell code when the PowerPoint file is opened.

This shell code attempts to drop and run a malicious Windows executable (detected separately).

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmdropbqw.html?_log_from=rss

Troj/Dloadr-BJO
by Marianna Schmudlach / March 21, 2008 12:51 AM PDT

Aliases Trojan-Downloader.Win32.Agent.jtv
TROJ_DLOADER.DLH

Category Viruses and Spyware

Type Trojan

Troj/Dloadr-BJO is an adware related downloader Trojan for the Windows platform.

Troj/Dloadr-BJO attempts to download and install/run executables from the following sites:

hotwinsolutions.net
exedollars.com

These executables will typically display advertising popups when the browser is active.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbjo.html?_log_from=rss

Troj/Agent-GTP
by Marianna Schmudlach / March 21, 2008 12:53 AM PDT
Troj/Agent-GTO
by Marianna Schmudlach / March 21, 2008 12:54 AM PDT
Troj/Agent-GTN
by Marianna Schmudlach / March 21, 2008 12:55 AM PDT

Aliases TR/Crypt.XPACK.Gen

Category Viruses and Spyware

Type Trojan

Troj/Agent-GTN is a Trojan for the Windows platform.

When Troj/Agent-GTN is installed the following files are created:

<System>\hrpdcf.bin (harmless data file, can be deleted)
<System>\mp3res.dll (detected as Troj/Agent-GTN)
<System>\xprot.sys (detected as Troj/Agent-GTN)

The following registry entries are created to run code exported by mp3res.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mp3res
DllName
mp3res.dll0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mp3res
Startup
mp3res

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mp3res
Impersonate
1

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgtn.html?_log_from=rss

W32/IRCBot-AAS
by Marianna Schmudlach / March 21, 2008 6:50 AM PDT

Aliases Backdoor.Win32.IRCBot.ccm

Category Viruses and Spyware

Type Worm

W32/IRCBot-AAS is a worm with IRC backdoor functionality for the Windows platform.

W32/IRCBot-AAS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/IRCBot-AAS copies itself to <System>\msmsgs.exe.

The following registry entries are created to run W32/IRCBot-AAS on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Oftice
<System>\msmsgs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Oftice
<System>\msmsgs.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

http://www.sophos.com/security/analyses/viruses-and-spyware/w32ircbotaas.html?_log_from=rss
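The Troj/Agent-GTL, Troj/Zbot-K, Troj/Agent-GTN and W32/IRCBot-AAS alerts above all persist through the same handful of registry locations: the Run keys, the Winlogon Userinit value, Winlogon\Notify packages and (for IRCBot-AAS) the Ole\EnableDCOM switch. The script below is an added example, not code from this thread, Sophos or any of the vendors quoted: it parses a regedit-style .reg export offline and reports those persistence patterns. The export it reads is constructed for the example, the list of value names it treats as indicators comes from the alerts, and the baseline of known-good Winlogon\Notify DLLs is an assumption that should be rebuilt from a clean image of your own build.

```python
# Offline triage of a regedit (.reg) export for the persistence spots named in
# the alerts: Run keys, Winlogon Userinit, Winlogon\Notify and Ole\EnableDCOM.
import re
from typing import Dict, List, Union

RegValue = Union[str, int]
RegKeys = Dict[str, Dict[str, RegValue]]

# Constructed sample export (not captured from a real machine). It mixes the
# values the alerts describe with benign entries that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ntuser"="C:\\WINDOWS\\system32\\ntuser.exe"
"Microsoft Oftice"="C:\\WINDOWS\\system32\\msmsgs.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mp3res]
"DllName"="mp3res.dll"
"Startup"="mp3res"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

# Run-key value names quoted in the Agent-GTL and IRCBot-AAS alerts.
RUN_VALUE_INDICATORS = {"ntuser", "autoload", "microsoft oftice"}
# Assumed baseline of DLLs behind stock Windows XP/2003 Notify packages;
# rebuild this set from a clean image before relying on it.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _decode_value(raw: str) -> RegValue:
    """Decode quoted strings and dword values; leave hex(...) data undecoded."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \\ and \" escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text: str) -> RegKeys:
    """Map each [key] in a .reg export to its {value name: value} dict."""
    keys: RegKeys = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is not None and m:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = _decode_value(m.group(2))
    return keys


def check_run_keys(keys: RegKeys) -> List[str]:
    """Run/RunOnce values whose names match the indicators in the alerts."""
    out = []
    for key, values in keys.items():
        if not re.search(r"\\currentversion\\run(once)?$", key, re.I):
            continue
        for name, val in values.items():
            if name.lower() in RUN_VALUE_INDICATORS:
                out.append(f"run-key indicator: {key}\\{name} = {val}")
    return out


def check_userinit(keys: RegKeys) -> List[str]:
    """Userinit should list only userinit.exe; extra entries run at each logon."""
    out = []
    for key, values in keys.items():
        if not key.lower().endswith(r"\windows nt\currentversion\winlogon"):
            continue
        userinit = values.get("Userinit")
        if not isinstance(userinit, str):
            continue
        parts = [p.strip() for p in userinit.split(",") if p.strip()]
        extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
        if extra:
            out.append(f"userinit hijack: {key}\\Userinit also runs {extra}")
    return out


def check_winlogon_notify(keys: RegKeys) -> List[str]:
    """Notify packages load inside winlogon.exe; flag DLLs outside the baseline."""
    out = []
    for key, values in keys.items():
        m = re.search(r"\\winlogon\\notify\\([^\\]+)$", key, re.I)
        dll = values.get("DllName")
        if m and isinstance(dll, str):
            if dll.lower().rsplit("\\", 1)[-1] not in KNOWN_NOTIFY_DLLS:
                out.append(f"unknown winlogon notify package {m.group(1)}: {dll}")
    return out


def check_dcom(keys: RegKeys) -> List[str]:
    """IRCBot-AAS sets Ole\\EnableDCOM to N; report that change."""
    out = []
    for key, values in keys.items():
        if key.lower().endswith("\\microsoft\\ole") and \
                str(values.get("EnableDCOM", "")).upper() == "N":
            out.append(f"DCOM disabled: {key}\\EnableDCOM = N")
    return out


def triage(text: str) -> List[str]:
    keys = parse_reg_export(text)
    return (check_run_keys(keys) + check_userinit(keys)
            + check_winlogon_notify(keys) + check_dcom(keys))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

Run it against an export taken with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the Winlogon and Ole keys likewise) from the suspect machine. The Userinit and Notify checks are the generic ones: the Run-key check only matches the value names these particular alerts list, while the other two flag any unexpected logon-time loader regardless of name.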

Troj/Zlob-AJK
by Marianna Schmudlach / March 21, 2008 6:51 AM PDT
Troj/Sanji-A
by Marianna Schmudlach / March 21, 2008 6:52 AM PDT

Aliases Trojan.Win32.Agent.ikq
Backdoor:Win32/Sanjicom

Category Viruses and Spyware

Type Trojan

Troj/Sanji-A is a backdoor Trojan for the Windows platform which allows a remote intruder to gain access and control over the computer.

Troj/Sanji-A may be installed by a Trojan such as Troj/Mdrop-BQX. Trojans such as Troj/Mdrop-BQX are Microsoft Office files (PowerPoint, Word, Access or Excel) that typically arrive as email attachments. When the malicious Microsoft Office file is opened it attempts to exploit a vulnerability associated with the handling of the Microsoft Office file format in order to drop and run an executable file.

When Troj/Sanji-A is installed the following files are created:

<Temp>\kb<number>.tmp
<System>\rdpdrv.sys
<System>\msvmjeet\glp.uin

The file rdpdrv.sys is registered as a system driver service creating registry entries under:

HKLM\SYSTEM\CurrentControlSet\Services\RDPDrv

http://www.sophos.com/security/analyses/viruses-and-spyware/trojsanjia.html?_log_from=rss

Troj/Mdrop-BQY
by Marianna Schmudlach / March 21, 2008 6:54 AM PDT

Aliases xploit-MSExcel.h
TROJ_MDROPPER.GU

Category Viruses and Spyware

Type Trojan

Troj/Mdrop-BQY is a Trojan dropper for the Windows platform.

Troj/Mdrop-BQY is a Microsoft Excel document that typically arrives as an email attachment (the subject and message text of these email messages vary widely).

Troj/Mdrop-BQY attempts to exploit a known vulnerability associated with Microsoft Excel in order to drop and run a malicious Windows executable (detected separately).

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmdropbqy.html?_log_from=rss

Troj/Mdrop-BQX
by Marianna Schmudlach / March 21, 2008 6:55 AM PDT

Aliases Trojan-Dropper.MSWord.Agent
Exploit-MS06-027
EXP/Office.F
Bloodhound.Olexe
Trojan-Dropper.MSWord.1Table

Category Viruses and Spyware

Type Trojan

Troj/Mdrop-BQX is a Trojan dropper for the Windows platform.

Troj/Mdrop-BQX is a Microsoft Word document that typically arrives as an email attachment (the subject and message text of these email messages vary widely).

Troj/Mdrop-BQX attempts to exploit a known vulnerability associated with Microsoft Word (MS06-027) in order to execute shell code when the Word document is opened.

This shell code attempts to drop and run a malicious Windows executable (detected separately).

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmdropbqx.html?_log_from=rss

Troj/Dloadr-BJP
by Marianna Schmudlach / March 21, 2008 6:57 AM PDT