Spyware, Viruses, & Security forum

VIRUS \ SPYWARE ALERTS - March 5, 2010

by Marianna Schmudlach / March 4, 2010 11:14 PM PST
Troj/Agent-MQE
by Marianna Schmudlach / March 4, 2010 11:14 PM PST
Troj/Agent-MQT
by Marianna Schmudlach / March 4, 2010 11:15 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows
Characteristics

* Installs itself in the registry

Protection available since 5 March 2010 10:34:54 (GMT)

Troj/Agent-MQT is a Trojan for the Windows platform.

When run Troj/Agent-MQT copies itself to:
<System>\<random numbers1>.exe
<System>\<random numbers1>.exe

The following registry entries are set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\<random numbers1>.exe,<System>\<random numbers1>.exe,"

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentmqt.html?_log_from=rss

Troj/FakeAV-AYQ
by Marianna Schmudlach / March 4, 2010 11:16 PM PST
Troj/FakeAV-AYR
by Marianna Schmudlach / March 4, 2010 11:16 PM PST
W32/Autorun-BAL
by Marianna Schmudlach / March 4, 2010 11:17 PM PST

Aliases

* Worm.Win32.AutoRun.bdpe
* Worm:Win32/Autorun.UO

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices

Affected operating systems: Windows
Characteristics

* Installs itself in the registry


W32/Autorun-BAL is a worm for the Windows platform.

W32/Autorun-BAL includes functionality to:

- run automatically
- access the internet and communicate with a remote server via HTTP

W32/Autorun-BAL communicates via HTTP with the following locations:

msn . com
thepiratebay . org

When W32/Autorun-BAL is installed the following files are created:

<User>\uilogon.exe
<User>\WindowsLive.exe

The following registry entries are created to run WindowsLive.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Live
<User>\WindowsLive.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Live
<User>\WindowsLive.exe

Registry entries are created under:

HKLM\SOFTWARE\WindowsLive

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunbal.html?_log_from=rss

Mal/DelpBanc-A
by Marianna Schmudlach / March 4, 2010 11:18 PM PST
Mal/Koobface-B
by Marianna Schmudlach / March 4, 2010 11:19 PM PST
Troj/Agent-MQS
by Marianna Schmudlach / March 4, 2010 11:19 PM PST
Troj/DwnLdr-IBU
by Marianna Schmudlach / March 4, 2010 11:20 PM PST
Mal/Behav-024
by Marianna Schmudlach / March 4, 2010 11:21 PM PST
Troj/FakeAV-AYN
by Marianna Schmudlach / March 4, 2010 11:22 PM PST
Troj/FakeAV-AYO
by Marianna Schmudlach / March 4, 2010 11:23 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/FakeAV-AYO is a Trojan for the Windows platform.

Troj/FakeAV-AYO includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/FakeAV-AYO communicates via HTTP with the following locations:

alibondagork . com

When Troj/FakeAV-AYO is installed it creates the file <User>\Local Settings\Application Data\av.exe.

The following registry entries are set, affecting internet security:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavayo.html?_log_from=rss

Troj/QbotArc-A
by Marianna Schmudlach / March 4, 2010 11:24 PM PST
W32/Polipos-A
by Marianna Schmudlach / March 4, 2010 11:24 PM PST
W32/VB-ENM
by Marianna Schmudlach / March 4, 2010 11:25 PM PST
Troj/Dloadr-CYV
by Marianna Schmudlach / March 4, 2010 11:26 PM PST
Troj/FakeAV-AYM
by Marianna Schmudlach / March 4, 2010 11:27 PM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/FakeAV-AYM is a Trojan for the Windows platform.

Troj/FakeAV-AYM includes functionality to:

- run automatically
- steal confidential information
- access the internet and communicate with a remote server via HTTP

Troj/FakeAV-AYM communicates via HTTP with the following locations:

av-guru . net


When Troj/FakeAV-AYM is installed it creates the file <User>\Local Settings\Application Data\klrbrl\ufrrsftav.exe.

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer
Download
RunInvalidSignatures

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
Attachments
SaveZoneInformation

HKCU\Software\Microsoft\Internet Explorer
Download
CheckExeSignatures

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
Associations
LowRiskFileTypes

Registry entries are created under:

HKLM\SOFTWARE\avsoft
HKCU\Software\Microsoft\Windows Script
HKCU\Software\avsoft
HKCU\Software

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavaym.html?_log_from=rss
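Three of the writeups above describe registry changes a defender can look for offline: Troj/Agent-MQT appends extra executables to the Winlogon Userinit value, W32/Autorun-BAL adds Run entries for WindowsLive.exe under the user profile, and Troj/FakeAV-AYM sets Internet Explorer Download and Attachments policy values. The following Python script is an added example written for this page, not code from Sophos, CNET or the poster. It parses a small .reg export (constructed here, with invented paths and values) and reports Userinit entries other than <System>\userinit.exe, Run entries that point into user-writable locations (a heuristic of this example, not a rule stated in the alerts), and weakened download-security values. The alerts list which values are touched but not what they are set to, so the secure defaults and the meaning of the weak settings are assumptions documented in the comments.

```python
import re
from typing import Dict, List

RegTree = Dict[str, Dict[str, object]]

# Constructed sample in .reg export syntax. Every path, name and value here is
# invented to exercise the checks; nothing is copied from a real infection.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\4183729.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Live"="C:\\Documents and Settings\\user\\WindowsLive.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"RunInvalidSignatures"="yes"
"CheckExeSignatures"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.cmd"
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
IE_DOWNLOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"
ATTACHMENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
ASSOCIATIONS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
# Heuristic (assumption of this example): an autostart binary under a user profile or
# temp directory deserves a second look; installed software normally lives under Program Files.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\users\\", "%appdata%", "%temp%")

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg_export(text: str) -> RegTree:
    """Parse the .reg subset used here: [key] headers, "name"="string" and "name"=dword:hex."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # blank lines, the editor header and unsupported value types are skipped
        name, val = m.group("name"), m.group("val")
        if val.startswith("dword:"):
            tree[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            tree[current][name] = val[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
        else:
            tree[current][name] = val
    return tree


def audit_persistence(tree: RegTree) -> List[str]:
    """Return human-readable findings for the registry changes described in the alerts."""
    findings: List[str] = []

    # 1. Winlogon\Userinit should list only <System>\userinit.exe; every extra entry runs at logon.
    userinit = tree.get(WINLOGON_KEY, {}).get("Userinit")
    if isinstance(userinit, str):
        for entry in (e.strip() for e in userinit.split(",") if e.strip()):
            head, _, tail = entry.lower().rpartition("\\")
            if tail != "userinit.exe" or not head.endswith("system32"):
                findings.append(f"Userinit: unexpected entry {entry!r} (expected only <System>\\userinit.exe)")

    # 2. Run keys: flag autostart entries that launch from user-writable locations.
    for key in RUN_KEYS:
        hive = key.split("\\")[0]
        for name, value in tree.get(key, {}).items():
            if isinstance(value, str) and any(mk in value.lower() for mk in USER_WRITABLE_MARKERS):
                findings.append(f"{hive} Run entry {name!r} starts {value!r} from a user-writable location")

    # 3. IE download and attachment policies. Assumed semantics: RunInvalidSignatures=yes and
    #    CheckExeSignatures=no relax Authenticode checks on downloads, SaveZoneInformation=1 stops
    #    the zone (Mark-of-the-Web) being recorded, and .exe in LowRiskFileTypes suppresses the
    #    open-file security warning for executables. Secure defaults assumed: no / yes / unset / unset.
    dl = tree.get(IE_DOWNLOAD_KEY, {})
    if str(dl.get("RunInvalidSignatures", "no")).lower() == "yes":
        findings.append("RunInvalidSignatures=yes: downloads with invalid signatures are allowed to run")
    if str(dl.get("CheckExeSignatures", "yes")).lower() == "no":
        findings.append("CheckExeSignatures=no: signature checking of downloaded executables is off")
    if tree.get(ATTACHMENTS_KEY, {}).get("SaveZoneInformation") == 1:
        findings.append("SaveZoneInformation=1: zone information is no longer saved on downloaded files")
    low_risk = tree.get(ASSOCIATIONS_KEY, {}).get("LowRiskFileTypes")
    if isinstance(low_risk, str) and ".exe" in low_risk.lower():
        findings.append(f"LowRiskFileTypes includes .exe: {low_risk!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("FINDING:", finding)
```

On a real machine the input would be an export taken with `reg export` of the keys named above; the parser deliberately handles only string and DWORD values, so multi-line hex values in a full export are skipped rather than misread. The Userinit check is the one worth running first: a trailing entry after userinit.exe is exactly the change Troj/Agent-MQT makes, and it is easy to miss because the legitimate value also ends in a comma.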

Troj/PDFJs-II
by Marianna Schmudlach / March 4, 2010 11:27 PM PST
Backdoor.Arugizer
by Marianna Schmudlach / March 4, 2010 11:29 PM PST

Discovered: March 4, 2010
Updated: March 5, 2010 9:56:19 AM
Type: Trojan
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Backdoor.Arugizer is a Trojan horse that opens a back door on the compromised computer.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2010-030502-0150-99

WORM_AUTORUN.ZRO
by Marianna Schmudlach / March 4, 2010 11:30 PM PST

Following the shutdown of the Mariposa botnet recently, three alleged members of the group behind the said botnet were finally arrested last week by the Spanish Police, although they are still pursuing another suspect that may still be at large somewhere in South America.

The Mariposa botnet was one of the largest botnets to date. It was reportedly responsible for attacking millions of businesses around the world, including Fortune 1000 companies, in a mission to steal online banking, business, and personal information from compromised systems.

Mariposa was discovered in 2009 by the Mariposa Working Group, an informal group of volunteers from the security industry and law enforcement agencies, formed to specifically investigate and to eventually eliminate the said botnet. The group was also responsible for giving out pertinent information on the botnet, which led to the arrest of three of its perpetrators.

Throughout its lifetime, Mariposa was able to launch several bot variants that were able to compromise up to 12.7 million computers from all over the world. Trend Micro detects malware related to this botnet as WORM_AUTORUN.ZRO.

More: http://blog.trendmicro.com/

Win32/Bancdido
by Marianna Schmudlach / March 4, 2010 11:31 PM PST
Exploit:W32/PDF-Payload.Gen
by Marianna Schmudlach / March 4, 2010 11:32 PM PST

Name : Exploit:W32/PDF-Payload.Gen
Detection Names : Pdf-payload
Exploit.PDF-Payload.Gen
Category: Malware
Type: Exploit
Platform: W32

Summary
A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.


Additional Details
Exploit:W32/PDF-Payload.Gen is a Generic Detection for Portable Document Format (PDF) files that attempt to exploit vulnerabilities in Adobe Acrobat Reader. This type of malware may also be identified with the detection 'Exploit.PDF-Payload.Gen' or 'PDF-Payload'.

The specific vulnerability targeted by the malicious PDF files varies depending on the specific variant. For more information, please see the Vulnerability Descriptions Database.

This malware typically arrives as a PDF document sent as an e-mail attachment, usually with a title related to current events or purporting to be some sort of form.

More: http://www.f-secure.com/v-descs/exploit_w32_pdf-payload_gen.shtml

Rootkit:W32/Xanti.gen!A
by Marianna Schmudlach / March 4, 2010 11:33 PM PST

Name : Rootkit:W32/Xanti.gen!A
Category: Malware
Type: Rootkit
Platform: W32

Summary
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.


Additional Details
Rootkit:W32/Xanti.gen!A is a Generic Detection that identifies malware attempting to create a device file on the computer named \Device\Beep.

More: http://www.f-secure.com/v-descs/rootkit_w32_xanti_gen!a.shtml

McAfee Labs Low-Profiled Threat Notice: JS/Redirector.k
by Marianna Schmudlach / March 4, 2010 11:34 PM PST

Notice
This is a Low-Profiled Threat Notice for JS/Redirector.k

Justification
JS/Redirector.k has been deemed Low-Profiled due to media attention at: http://isc.sans.org/diary.html?storyid=8344

Read About It
Information about JS/Redirector.k is located on VIL at: http://vil.nai.com/vil/content/v_259864.htm

Detection
JS/Redirector.k was first discovered on March 3, 2010 and detection will be added to the 5911 dat files (Release Date: March 5, 2010).

McAfee Labs Low-Profiled Threat Notice: W32/Rimecud
by Marianna Schmudlach / March 4, 2010 11:34 PM PST
Trojan:Win32/Agent.GA
by Marianna Schmudlach / March 4, 2010 11:35 PM PST
Trojan:Win32/AgentOff
by Marianna Schmudlach / March 4, 2010 11:36 PM PST
Trojan:Win32/Alureon.BK
by Marianna Schmudlach / March 4, 2010 11:37 PM PST

Aliases
Rootkit.Win32.TDSS.pqo (Kaspersky)
Trojan.TDss.BG (BitDefender)
Win32/Kryptik.FZ (ESET)
DNSChanger.gen (McAfee)
Trj/Agent.LOY (Panda)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.77.388.0
Released: Mar 05, 2010

Summary
Trojan:Win32/Alureon.BK is a component of Win32/Alureon, a family of data-stealing trojans. These trojans allow an attacker to intercept incoming and outgoing Internet traffic to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon trojan may also allow an attacker to transmit malicious data to the infected computer. The trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. As a result, it may be necessary to reconfigure DNS settings after Win32/Alureon is removed from the computer.

Technical Information (Analysis)
Installation

Trojan:Win32/Alureon.BK may arrive in a computer as an installer disguised as the video codec HDExtreme. A user who visits a compromised Web site may be prompted to download this codec.

When installed, it creates the following registry keys:
HKCR\videoshow
HKCU\HDExtremeSoft
HKCU\HDExtrem

It also creates the following folders:
%ProgramFiles%\hdextrem
<Start Menu>\programs\hdextrem

Note - <Start Menu> refers to a variable location that is determined by the malware by querying the Operating System. The default location for the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.

Once this malware has performed its routines, it deletes itself to avoid detection.

More: https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Alureon.BK&ThreatID=-2147344583

Worm:Win32/Autorun.NN
by Marianna Schmudlach / March 4, 2010 11:38 PM PST
Backdoor:Win32/Bandok
by Marianna Schmudlach / March 4, 2010 11:38 PM PST

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.77.388.0
Released: Mar 05, 2010

Summary
This threat is classified as a Trojan - Backdoor. A backdoor trojan provides remote, usually surreptitious, access to affected systems. A backdoor trojan may be used to conduct distributed denial of service (DDoS) attacks, or it may be used to install additional trojans or other forms of malicious software. For example, a backdoor trojan may be used to install a downloader or dropper trojan, which may in turn install a proxy trojan used to relay spam or a keylogger trojan which monitors and sends keystrokes to remote attackers. A backdoor Trojan may also open ports on the affected system and thus potentially lead to further compromise by other attackers. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available.

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bandok&ThreatID=-2147399695
