
Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - March 5, 2009

by Marianna Schmudlach / March 4, 2009 10:54 PM PST
Troj/Zlob-ARZ
by Marianna Schmudlach / March 4, 2009 10:55 PM PST
Troj/Spynov-Gen
by Marianna Schmudlach / March 4, 2009 10:56 PM PST

Aliases

* TR/Spy.Gen

Category

* Viruses and Spyware

Type

* Trojan


Troj/Spynov-Gen is a family of Trojans for the Windows platform.

When run, members of Troj/Spynov-Gen will typically copy themselves to the Windows folder as wdfmgr.exe.

<Windows>\wdfmgr.exe

The Trojans install themselves as a service, setting the following registry entries.

HKLM\SYSTEM\ControlSet001\Services\wdfmgr
DisplayName
WDF Manager

ImagePath
<Windows>\wdfmgr.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojspynovgen.html?_log_from=rss

Troj/PDFJs-AE
by Marianna Schmudlach / March 4, 2009 10:56 PM PST
Troj/Fakevir-KU
by Marianna Schmudlach / March 4, 2009 10:57 PM PST
Troj/Dloadr-CHW
by Marianna Schmudlach / March 4, 2009 10:58 PM PST
Mal/ObfJS-AT
by Marianna Schmudlach / March 4, 2009 10:59 PM PST
Mal/Inject-D
by Marianna Schmudlach / March 4, 2009 11:00 PM PST
Troj/SillyFD-M
by Marianna Schmudlach / March 4, 2009 11:01 PM PST
Troj/Hosts-F
by Marianna Schmudlach / March 4, 2009 11:02 PM PST
Phishing Delivery Services
by Marianna Schmudlach / March 4, 2009 11:39 PM PST

The Trend Micro Content Security Team discovered fake websites that purport to be login pages of DHL, a company that offers air express transportation of goods between countries. Here's a sample screenshot of a bogus page:

More: http://blog.trendmicro.com/

Net-Worm:W32/Koobface.ES
by Marianna Schmudlach / March 4, 2009 11:40 PM PST

Name : Net-Worm:W32/Koobface.ES
Detection Names : Net-Worm.Win32.Koobface.es
Aliases : Worm:Win32/Koobface.I (Microsoft)
W32/Koobface.worm (McAfee)
W32.Koobface.A (Symantec)
Size: 30720
Type: Net-Worm, IM-Worm
Category: Malware
Platform: W32

Summary
A type of worm that replicates by sending complete, independent copies of itself over a network.

Details


File System Changes
Creates these files:

* %windir%\freddy35.exe


More: http://www.f-secure.com/v-descs/net-worm_w32_koobface_es.shtml

Trojan:W32/DNSChanger
by Marianna Schmudlach / March 4, 2009 11:41 PM PST

Name : Trojan:W32/DNSChanger
Type: Trojan
Category: Malware
Platform: W32

Summary
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.

Registry Modifications
Creates these keys:

* HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
* HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
NameServer = 85.255.xxx.133,85.255.xxx.xxx
* HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
* HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
NameServer = 85.255.xxx.xxx,85.255.xxx.xxx


http://www.f-secure.com/v-descs/trojan_w32_dnschanger.shtml

Win32/Dialer.JF
by Marianna Schmudlach / March 4, 2009 11:43 PM PST

Characteristics

Type : Trojan

Category : Win32

Also known as: Troj/Agent-IXF (Sophos), PWS-Banker (McAfee), Dialer JF (CA Anti-Spyware)


Description

Win32/Dialer.JF is a trojan component that is usually dropped onto a system by other malware and used as a dialer.

The trojan uses Remote Access Service to dial certain phone numbers and create a dial up connection. This causes unwanted expensive call charges.

Win32/Dialer.JF also downloads a file from the following URL:

http://91.195.118.122/<censored>/number.asp

and saves it to %Windows%\number.txt.

More: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77839

Win32/Fruspam.J
by Marianna Schmudlach / March 4, 2009 11:45 PM PST

Characteristics

Type : Worm

Category : Win32

Also known as: W32.Mytob@mm (Symantec)


Description
Win32/Fruspam.J is a mass-mailing worm that has the capability to send spam email through its own SMTP engine. It also targets systems running servers with IIS.

Method of Infection

When executed, Win32/Fruspam.J drops a copy of itself as "javaload.exe" in the %System% directory, along with the following malicious files:

%System%\javame4.exe - also detected as Win32/Fruspam.J
%System%\javase4.exe - also detected as Win32/Fruspam.J
%System%\mlJAqpqo.dll - detected as Win32/Vundo.CGP

More: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77836

W32/Pykse-E
by Marianna Schmudlach / March 5, 2009 1:03 AM PST

Aliases

* Worm:Win32/Pykspa.C

Category

* Viruses and Spyware

Type

* Worm


W32/Pykse-E is a worm for the Windows application.

When first run W32/Pykse-E copies itself to:

<System>\cleanlb.exe
<System>\inetsrc.exe
<System>\tcontrl.exe
<System>\updtic.exe

The following registry entries are created to run cleanlb.exe, inetsrc.exe and tcontrl.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Inet Service
inetsrc.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tc Object Control
tcontrl.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Install cleanup
cleanlb.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32pyksee.html?_log_from=rss

W32/Autorun-AAL
by Marianna Schmudlach / March 5, 2009 1:04 AM PST
W32/Autoit-CE
by Marianna Schmudlach / March 5, 2009 1:05 AM PST
Troj/Tiotua-AK
by Marianna Schmudlach / March 5, 2009 1:06 AM PST
Troj/FakeAV-LY
by Marianna Schmudlach / March 5, 2009 1:07 AM PST
Troj/Agent-JCY
by Marianna Schmudlach / March 5, 2009 1:07 AM PST
FakeAlert-BX
by Marianna Schmudlach / March 5, 2009 5:00 AM PST
Troj/Agent-JCZ
by Marianna Schmudlach / March 5, 2009 6:10 AM PST
Troj/Bancban-QE
by Marianna Schmudlach / March 5, 2009 6:14 AM PST

Aliases

* PWS-Banker.gen.i

Category

* Viruses and Spyware

Type

* Trojan


Troj/Bancban-QE is an information stealing Trojan for the Windows platform.

When the application is installed Troj/Bancban-QE copies itself to the following location:

<Windows>\Media\HPMedia.exe

Also the following non-infectious data files are created which may contain data captured by Troj/Bancban-QE:

<My Documents>\Emails.dat
<My Documents>\upset1.dat
<My Documents>\user.dat
<Windows>\wnetsock08.dll

The following registry entry is created to run Troj/Bancban-QE on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DrvStart
<Windows>\Media\HPMedia.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbancbanqe.html?_log_from=rss

Troj/Dloadr-CHX
by Marianna Schmudlach / March 5, 2009 6:14 AM PST
Troj/Dloadr-CHY
by Marianna Schmudlach / March 5, 2009 6:15 AM PST

Category

* Viruses and Spyware

Type

* Trojan


Troj/Dloadr-CHY copies itself to <System>\cltmon.exe.

The following registry entry is created to run cltmon.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
cltmon
<System>\cltmon.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer\Download
RunInvalidSignatures
0x00000001

HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
iexplore.exe
0x00000000

HKCU\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures
no

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrchy.html?_log_from=rss

Troj/VB-ECC
by Marianna Schmudlach / March 5, 2009 6:18 AM PST

Aliases

* Trojan.Win32.VB.hbi
* VirTool:Win32/Vbinder.M

Category

* Viruses and Spyware

Type

* Trojan


Troj/VB-ECC is a Trojan for the Windows platform.

When Troj/VB-ECC is installed it copies itself to the Windows folder.

The following registry entries are created to run Troj/VB-ECC on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicroMix32
WinCon.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
MicroMix32
WinCon.exe

If run with sufficient rights Troj/VB-ECC will install itself as an application authorised by Windows Firewall to communicate with the outside world.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbecc.html?_log_from=rss

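An added example, not part of the original thread or of any of the quoted vendor write-ups: a small Python triage script that parses a Windows registry export (the .reg text that regedit and `reg export` produce) and checks it for the kinds of indicators described in the DNSChanger, Pykse-E, Bancban-QE, Dloadr-CHY and VB-ECC posts above. It flags resolvers inside 85.255.0.0/16 (the range the masked DNSChanger addresses fall in), autorun entries under the Run, RunOnce, policies\Explorer\Run and Terminal Server\Install shadow Run keys that point at the image names quoted in those posts or at a bare filename resolved through the search path, and the three Internet Explorer download and lockdown settings Dloadr-CHY flips. The sample export is constructed; the host octets of its 85.255.x.x addresses are made up (the write-up masks them), and the known-bad image list is just the filenames on this page.

```python
# Added example (not from the page or any vendor write-up): offline triage of a Windows registry
# export (.reg text from regedit / `reg export`) for indicators in the posts above.
import ipaddress
import re

# Constructed sample export; the 85.255.x.x host octets are made up, only the /16 is from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="85.255.113.21,85.255.112.9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tc Object Control"="tcontrl.exe"
"DrvStart"="C:\\WINDOWS\\Media\\HPMedia.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Inet Service"="inetsrc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"=dword:00000001
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"=dword:00000000
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CLASSES_ROOT": "HKCR"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data; default (@=) values are skipped
unescape = lambda s: re.sub(r'\\(["\\])', r"\1", s)   # .reg escapes \" and \\ inside quoted strings

def parse_reg(text):
    """{key_path: {value_name: data}}; REG_SZ unescaped, REG_DWORD as int, other types raw."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = keys.setdefault(HIVES.get(hive, hive) + "\\" + rest, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # file header, blank line, or continuation line of a hex: value
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        current[unescape(m.group(1))] = data  # hex:, hex(7): etc. are kept as raw text
    return keys

AUTORUN_KEYS = {k.lower() for k in (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run")}
# Image names quoted in the Pykse-E, Bancban-QE, Dloadr-CHY and VB-ECC posts on this page.
KNOWN_BAD_IMAGES = {"cleanlb.exe", "inetsrc.exe", "tcontrl.exe", "hpmedia.exe", "cltmon.exe", "wincon.exe"}

def find_dns_hijack(keys, ranges=(ipaddress.ip_network("85.255.0.0/16"),)):
    """(key, value, address) for each resolver inside a bad range, global or per-interface."""
    hits = []
    for path, values in keys.items():
        if "\\services\\tcpip\\parameters" not in path.lower():
            continue
        for name in ("NameServer", "DhcpNameServer"):
            for addr in re.split(r"[ ,]+", str(values.get(name, ""))):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    continue  # empty field or not an address
                if any(ip in net for net in ranges):
                    hits.append((path, name, addr))
    return hits

def find_autoruns(keys, bad_images=KNOWN_BAD_IMAGES):
    """Every autorun entry and why it is suspicious: known-bad image, or bare filename (search path)."""
    rows = []
    for path, values in keys.items():
        if path.lower() not in AUTORUN_KEYS:
            continue
        for name, cmd in values.items():
            m = re.match(r'"?([^"]*?\.exe)', str(cmd), re.I)
            image = m.group(1) if m else str(cmd)
            reasons = [why for why, hit in (
                ("known-bad image name", image.rsplit("\\", 1)[-1].lower() in bad_images),
                ("bare filename resolved via search path", "\\" not in image)) if hit]
            rows.append((path, name, str(cmd), reasons))
    return rows

def find_ie_downgrade(keys):
    """The three Internet Explorer settings Dloadr-CHY flips, with the weak value each is set to."""
    weak = {("\\internet explorer\\download", "RunInvalidSignatures"): 1,
            ("\\internet explorer\\download", "CheckExeSignatures"): "no",
            ("\\feature_localmachine_lockdown", "iexplore.exe"): 0}
    return [(path, name, values[name]) for path, values in keys.items()
            for (suffix, name), bad in weak.items()
            if path.lower().endswith(suffix) and name in values and str(values[name]).lower() == str(bad)]

def triage(text):
    keys = parse_reg(text)
    return {"dns_hijack": find_dns_hijack(keys), "autoruns": find_autoruns(keys), "ie_downgrade": find_ie_downgrade(keys)}
```

Real exports are written as UTF-16LE with a byte-order mark, so read them with `open(path, encoding="utf-16")` before handing the text to `triage()`. The image-name match is only as good as the list; the bare-filename check and the resolver-range check are the parts that carry beyond this day's alerts. Registry names are case-insensitive, so normalise value-name case if the export did not come from regedit.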
Troj/XPPAv-A
by Marianna Schmudlach / March 5, 2009 6:19 AM PST

Category

* Viruses and Spyware

Type

* Trojan


Troj/XPPAv-A is a Trojan for the Windows platform.

Troj/XPPAv-A includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/XPPAv-A is installed the following files are created:

<Program Files>\XPPoliceAntivirus\setup.dat
<Windows>\iehost32.dll
<Windows>\regsv32.exe

The file iehost32.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12c7290a-157b-4f43-b109-97e792c598ed}
HKCR\CLSID\{12c7290a-157b-4f43-b109-97e792c598ed}

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojxppava.html?_log_from=rss

W32/Autorun-AAM
by Marianna Schmudlach / March 5, 2009 6:21 AM PST
W32/Sdbot-DOG
by Marianna Schmudlach / March 5, 2009 6:22 AM PST
Troj/Inject-FB
by Marianna Schmudlach / March 5, 2009 6:23 AM PST
