Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - March 28, 2008

by Marianna Schmudlach / March 27, 2008 4:07 PM PDT

JS_PSYME.BOU

Malware type: JavaScript

This malicious JavaScript (JS) script may be downloaded from a certain remote site.

It takes advantage of software vulnerabilities, which allows a remote malicious user or malware to download files on the affected machine.

It connects to a Web site to download a malicious file, which Trend Micro detects as TROJ_VUNDO.BHH. As a result, routines of the downloaded Trojan are also exhibited on the affected system.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FPSYME%2EBOU

Troj/Spywad-AX
by Marianna Schmudlach / March 27, 2008 4:08 PM PDT

Category Viruses and Spyware

Type Trojan

Troj/Spywad-AX is a Trojan for the Windows platform.

Troj/Spywad-AX displays fake messages claiming the computer is infected with spyware and then tries to sell the user antispyware tools.

When Troj/Spywad-AX is run, the following files are created:

<Current Folder>\delself.bat - text file, can be deleted
<System>\braviax.exe - detected as Troj/Spywad-AX
<System>\dllcache\beep.sys - detected as Troj/Spywad-AX
<System>\cru629.dat - detected as Mal/EncPk-BB
<System>\univrs32.dat - detected as Troj/Agent-GPD
<WINDOWS>\braviax.exe - detected as Troj/Spywad-AX
<WINDOWS>\cru629.dat - detected as Mal/EncPk-BB

The following registry entries are created to run braviax.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
braviax
<System>\braviax.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
braviax
<System>\braviax.exe


http://www.sophos.com/security/analyses/viruses-and-spyware/trojspywadax.html

Troj/DwnLdr-HBZ
by Marianna Schmudlach / March 27, 2008 4:09 PM PDT

Troj/Bckdr-QMR
by Marianna Schmudlach / March 27, 2008 4:11 PM PDT

Troj/Agent-GUE
by Marianna Schmudlach / March 27, 2008 4:12 PM PDT

iDumpPro
by Marianna Schmudlach / March 27, 2008 4:13 PM PDT

Trojan.Acdropper.C
by Marianna Schmudlach / March 27, 2008 4:14 PM PDT

JS/Exploit-QVOD.gen
by Marianna Schmudlach / March 27, 2008 4:16 PM PDT

Type Trojan
SubType Generic

Overview

JS/Exploit-QVOD.gen is a generic detection for Qvod Player QvodCtrl Class ActiveX Control buffer overflow vulnerability.

Characteristics

The Buffer Overflow occurs while supplying a long string as a parameter to the 'URL' Property. This vulnerability could be exploited by a malicious user to cause remote code execution.


http://vil.mcafeesecurity.com/vil/content/v_144076.htm

W32/Starter-H
by Marianna Schmudlach / March 27, 2008 4:17 PM PDT

Troj/Bifrose-VP
by Marianna Schmudlach / March 27, 2008 4:18 PM PDT

Troj/Agent-GUG
by Marianna Schmudlach / March 27, 2008 4:20 PM PDT

Troj/Agent-GUF
by Marianna Schmudlach / March 27, 2008 4:21 PM PDT

SearchSpy
by Marianna Schmudlach / March 27, 2008 4:22 PM PDT

TROJ_MDROPPER.SN
by Marianna Schmudlach / March 27, 2008 4:24 PM PDT

Malware type: Trojan

Malware Overview

This Trojan arrives on a system as an attachment to email messages spammed by another malware or a malicious user. Below is a screenshot of the spam email:

It may also be downloaded unknowingly by a user when visiting malicious Web sites.

This Trojan is a specially crafted PDF file that exploits a known vulnerability in Acrobat Reader 8.1.1 or earlier versions. This vulnerability is an integer overflow issue in a JavaScript function that potentially allows remote code execution on the vulnerable system. More information about the said vulnerability can be found on the following Web page:

Security Update Available for Adobe Reader and Adobe Acrobat 8

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2ESN

WORM_KELVIR.EI
by Marianna Schmudlach / March 28, 2008 12:33 AM PDT

Malware type: Worm

This worm arrives on a system as a dropped file of other malware. It may also be downloaded unknowingly by a user when visiting malicious Web sites.

It drops a copy of itself and several non-malicious component files. It also modifies the affected system's registry to ensure its automatic execution at every system startup.

This worm spreads via MSN Instant Messenger. It lures users into clicking a link that points to a copy of itself.

It has backdoor capabilities. It opens a random port to allow a remote user to connect to the affected system. It then connects to an Internet Relay Chat (IRC) server to join an IRC channel. Once a successful connection is established, the remote user executes commands on the affected system. This action, in turn, compromises the affected system's security.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FKELVIR%2EEI

Troj/Agent-GUH
by Marianna Schmudlach / March 28, 2008 12:34 AM PDT

WinFixer Downloader
by Marianna Schmudlach / March 28, 2008 12:36 AM PDT

W32/Honk-G
by Marianna Schmudlach / March 28, 2008 12:37 AM PDT

Category Viruses and Spyware

Type Virus

W32/Honk-G is an appending virus for the Windows platform.

When first run, W32/Honk-G will copy itself to <System>\winsfc.exe and create the file <Temp>\kb021119.exe. The file kb021119.exe is detected as Troj/Dloadr-IB.

W32/Honk-G will then search for files with the extensions EXE, DLL and SCR and attempt to infect them.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32honkg.html

Troj/Psyme-HS
by Marianna Schmudlach / March 28, 2008 12:38 AM PDT

Troj/Droppr-B
by Marianna Schmudlach / March 28, 2008 12:39 AM PDT

Troj/Dload-BW
by Marianna Schmudlach / March 28, 2008 12:41 AM PDT

NaviPromo Downloader
by Marianna Schmudlach / March 28, 2008 12:42 AM PDT

DataHealer Installer
by Marianna Schmudlach / March 28, 2008 12:43 AM PDT

DataHealer
by Marianna Schmudlach / March 28, 2008 12:45 AM PDT

W32/AutoRun-CN
by Marianna Schmudlach / March 28, 2008 12:46 AM PDT

Category Viruses and Spyware

Type Worm

W32/AutoRun-CN is a worm for the Windows platform.

When first run, W32/Autorun-CN copies itself to:

<Common Files>\Services\svchost.exe
<Root>\io.pif

and creates the file <Root>\autorun.inf.

The file autorun.inf is detected as W32/Hoxi-A.

The following registry entry is created to run W32/Autorun-CN on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(default)
<Common Files>\Services\svchost.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autoruncn.html
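A defender's check for the persistence points listed in this post and in the Troj/Spywad-AX post above, added here as an example (not code from Sophos or from the forum): it resolves the write-ups' path placeholders to the local machine and reports any listed file or Run-key value that is present. The placeholder-to-folder mapping and the function name are assumptions.

```powershell
# Added example: look for the files and Run-key values named in the
# Troj/Spywad-AX and W32/AutoRun-CN write-ups. Run as an administrator so
# the HKLM key and <System>\dllcache are readable; HKCU reflects only the
# user running the script. Placeholder mapping is an assumption.
function Get-AlertFindings {
    $sys    = [Environment]::GetFolderPath('System')              # <System>
    $win    = [Environment]::GetFolderPath('Windows')             # <WINDOWS>
    $common = [Environment]::GetFolderPath('CommonProgramFiles')  # <Common Files>
    $root   = [System.IO.Path]::GetPathRoot($win)                 # <Root>, e.g. C:\

    # Files the write-ups say are created (delself.bat is benign, still an indicator)
    $droppedFiles = @(
        (Join-Path $sys 'braviax.exe'),  (Join-Path $sys 'dllcache\beep.sys'),
        (Join-Path $sys 'cru629.dat'),   (Join-Path $sys 'univrs32.dat'),
        (Join-Path $win 'braviax.exe'),  (Join-Path $win 'cru629.dat'),
        (Join-Path $common 'Services\svchost.exe'),   # legit svchost lives in <System>
        (Join-Path $root 'io.pif'),      (Join-Path $root 'autorun.inf')
    )

    # Run-key values the write-ups say are added. A populated (default) value
    # under Run is unusual on its own, so it is reported whenever it is set.
    $runValues = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'braviax' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'braviax' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = '(default)' }
    )

    $findings = @()
    foreach ($f in $droppedFiles) {
        if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
    }
    foreach ($v in $runValues) {
        if (-not (Test-Path -Path $v.Path)) { continue }
        $key  = Get-Item -Path $v.Path
        # RegistryKey.GetValue('') reads the (default) value
        $name = if ($v.Name -eq '(default)') { '' } else { $v.Name }
        $data = $key.GetValue($name)
        if ($null -ne $data -and "$data" -ne '') {
            $findings += ('run value {0}\{1} = {2}' -f $v.Path, $v.Name, $data)
        }
    }
    return $findings
}

$hits = Get-AlertFindings
if ($hits.Count -eq 0) { Write-Output 'No indicators from the two write-ups found.' }
else { $hits | ForEach-Object { Write-Warning $_ } }
```

A hit on braviax.exe or on a (default) Run value is worth a second look even if the file itself is already gone, since the Run entry re-launches whatever is placed at that path later.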

MalwareWar
by Marianna Schmudlach / March 28, 2008 12:47 AM PDT

MailSkinner
by Marianna Schmudlach / March 28, 2008 12:48 AM PDT

Keystroke Spy
by Marianna Schmudlach / March 28, 2008 12:50 AM PDT

Evolving Pushdo - Mutant of the Future
by Marianna Schmudlach / March 28, 2008 1:19 AM PDT

28 March 2008

We've seen continued activity from the author of Pushdo this year, with new variants being pushed out on a regular basis, usually by spam.

One of the latest tricks we've seen them use is to use unusual API calls with the intention of them failing with particular error codes, and then feeding those error codes into some maths to generate the key which the Pushdo then uses to decrypt its executable payload.

More: http://www.sophos.com/security/blog/2008/03/1233.html

Virus Alerts, by Panda Security
by Marianna Schmudlach / March 28, 2008 1:59 AM PDT

- Panda Security's weekly report on viruses and intruders -
Virus Alerts, by Panda Security (http://www.pandasecurity.com)

Madrid, March 28, 2008 - According to the data gathered at the Infected or Not website (http://www.infectedornot.com) this week, 21% of protected computers were infected by malware.

"Traditional solutions are no longer enough to combat the increasing number of new malware samples that appear every day. The solutions need to be complemented with online tools that access a larger knowledge base and detect more malware," says Luis Corrons, Technical Director of PandaLabs.

The Comet adware, designed to display ads while users surf the Web, is the malicious code that has infected most computers this week. The Puce.E and Bagle.RP worms are next on the list.

Top 10 TotalScan

1 Adware/Comet
2 W32/Puce.E.worm
3 W32/Bagle.RP.worm
4 Adware/OneStep
5 W32/Archivarius.A.worm
6 Adware/Zango
7 Adware/Starware
8 W32/Bagle.RP.worm
9 Trj/Downloader.SZW
10 Adware/SpyAxe

Regarding new strains of malware that have appeared, the weekly report from PandaLabs looks at the Nakuru.A and Selex.B Trojans, and the RenameLoi.A worm.

When run, Nakuru.A slows down the infected computer's Internet connection. It also modifies the Internet Explorer windows by including the title: "Welcome to Your New Home Page".

Selex.B, on the other hand, is a Trojan designed to capture system information and send it to its creator; it steals email addresses from the infected computers to spam them.

To fool users, the first time it runs, it displays a page which looks like it's downloading a download manager called: "Fastlane Downloader 3.34b".

When run for the first time, the RenameLoi.A worm displays a beeping Internet screen with a green background and a religious text, which it establishes as the Internet Explorer home and search page, and which it displays every time the PC is restarted.

When the computer is started, it shows another screen, with the text "[Day of judgment]". To spread, this worm copies itself to the removable drives on the computer and to the system.

Additionally, it modifies the Internet browser home and search page and carries out annoying and malicious actions like hiding files with system file attributes.

Ultrasurf
by Marianna Schmudlach / March 28, 2008 2:13 AM PDT