Spyware, Viruses, & Security forum

General discussion

VIRUS \ Spyware ALERTS - May 11, 2008

by Marianna Schmudlach / May 10, 2008 11:18 AM PDT

W32/Thili-A


Category: Viruses and Spyware

Type: Worm


W32/Thili-A is a worm for the Windows platform.

W32/Thili-A may attempt to copy itself to random filenames with a number of extensions, in particular replacing files from the following location in order to run itself automatically on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

W32/Thili-A may also drop a clean data file to a number of random filenames.

The following registry entry is set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskmgr
1

Affected operating systems: Windows
Characteristics: Installs itself in the registry


Protection available since 11 May 2008

http://www.sophos.com/security/analyses/viruses-and-spyware/w32thilia.html?_log_from=rss

W32/Socks-F
by Marianna Schmudlach / May 11, 2008 12:56 AM PDT
Troj/Dropr-I
by Marianna Schmudlach / May 11, 2008 12:57 AM PDT
Troj/Agent-GYZ
by Marianna Schmudlach / May 11, 2008 12:58 AM PDT
W32/VirtInf-A
by Marianna Schmudlach / May 11, 2008 12:59 AM PDT

Category: Viruses and Spyware

Type: Virus

W32/VirtInf-A is a virus for the Windows platform.

When run, W32/VirtInf-A creates a DLL in the system folder using a random name. The DLL file is detected as W32/VirtInf-A.

W32/VirtInf-A also creates a file in the current folder with the same name as the infected file except for an extra space character at the end of the name. For example, if the viral file is named 'test.exe' the dropped file is named 'test .exe'. The dropped file is a copy of the original, uninfected file.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32virtinfa.html?_log_from=rss
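
The file-naming behaviour described above can be checked for directly. The following is an added example, not part of the original post or of the Sophos analysis: it looks for a file that sits beside a same-named copy with one extra space before the extension. The function names are hypothetical.

```python
import os

def find_space_companions(names):
    """Return (suspect, companion) pairs among file names from ONE folder.

    companion is suspect's name with a single extra space before the
    extension, e.g. ('test.exe', 'test .exe'). Per the alert, the companion
    is the copy of the original, uninfected file, so it is the one to keep.
    Matching is case-insensitive, as file names are on Windows.
    """
    by_lower = {n.lower(): n for n in names}
    pairs = []
    for name in names:
        stem, ext = os.path.splitext(name)
        # Only names like 'test .exe' qualify: an extension, and a stem
        # whose last character is a space.
        if ext and stem.endswith(" "):
            suspect = by_lower.get((stem[:-1] + ext).lower())
            if suspect is not None:
                pairs.append((suspect, name))
    return sorted(pairs)

def scan_tree(root):
    """Walk root and return (folder, suspect, companion) for every pair."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for suspect, companion in find_space_companions(files):
            hits.append((folder, suspect, companion))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed listing: one pair, one unpaired name with a space.
    print(find_space_companions(["test.exe", "test .exe", "notes .txt"]))
```

A hit is a lead for an on-demand scan of both files, not proof of infection: a name ending in a space can also come from a careless rename.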

W32/Autorun-DW
by Marianna Schmudlach / May 11, 2008 1:01 AM PDT

Category: Viruses and Spyware

Type: Worm

W32/Autorun-DW is a worm which spreads by copying itself to removable devices as the file setup.exe.

W32/Autorun-DW copies itself to <System>\svchost32.exe and creates the following registry entry to run itself on restart:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MyApp
<System>\SVCHOST32.EXE

The worm also creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
MyDate
09-Aug-08

How it spreads: Removable storage devices

Affected operating systems: Windows
Characteristics: Installs itself in the registry

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorundw.html?_log_from=rss
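
The registry changes listed in the W32/Thili-A and W32/Autorun-DW alerts in this thread (DisableTaskmgr set to 1, and a Run entry pointing at svchost32.exe) can be looked for in an exported .reg file. The following is an added example, not part of the original posts or of Sophos's tooling; the sample export is constructed, and the short list of imitated process names is an assumption.

```python
import ntpath
import re

# Constructed sample in regedit export format (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MyApp"="C:\\WINDOWS\\system32\\SVCHOST32.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

RUN_KEY = r"software\microsoft\windows\currentversion\run"
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
# Assumed short list of system process names that a look-alike file imitates.
LOOKALIKE = re.compile(r"^(svchost|lsass|csrss|winlogon)[\w-]+\.exe$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg(text):
    """Yield (key, value_name, data) from a .reg export; strings are unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            data = m["data"]
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            yield key, m["name"], data

def check_export(text):
    """Return (finding, key, value_name) tuples for the entries in the alerts."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()  # registry key and value names are case-insensitive
        if k.endswith(POLICY_KEY) and name.lower() == "disabletaskmgr":
            if data.lower().startswith("dword:") and int(data[6:], 16) == 1:
                findings.append(("task-manager-disabled", key, name))
        # Assumes the Run data is a bare path with no quotes or arguments.
        elif k.endswith(RUN_KEY) and LOOKALIKE.match(ntpath.basename(data)):
            findings.append(("lookalike-run-target", key, name))
    return findings
```

Files written by regedit's export are UTF-16, so decode them before passing the text to `check_export`.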

Troj/Pushdo-Gen
by Marianna Schmudlach / May 11, 2008 1:02 AM PDT

Category: Viruses and Spyware

Type: Trojan

Troj/Pushdo-Gen is a family of Trojans for the Windows platform.

When members of Troj/Pushdo-Gen are installed, they drop and run a further file in memory, usually detected as Troj/Pushu-Gen or Mal/Basine-C. This may then drop further files, including some of the following:

<Windows>\system32\drivers\ip6fw.sys
<Windows>\system32\drivers\netdtect.sys
<System>\drivers\runtime.sys
<System>\drivers\secdrv.sys

These files are used to provide stealthing for the Trojan.

The dropped file in memory will also often attempt to inject further code into Internet Explorer.

Affected operating systems: Windows
Characteristics: Drops more malware

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpushdogen.html?_log_from=rss

Troj/Psyme-IU
by Marianna Schmudlach / May 11, 2008 1:03 AM PDT
Troj/Psyme-IT
by Marianna Schmudlach / May 11, 2008 1:04 AM PDT
Troj/Iframe-AC
by Marianna Schmudlach / May 11, 2008 1:05 AM PDT
Troj/FakeVir-BB
by Marianna Schmudlach / May 11, 2008 6:31 AM PDT

Category: Viruses and Spyware

Type: Trojan

Troj/FakeVir-BB claims to be an anti-virus scanner called "XP antivirus protection". Troj/FakeVir-BB scans the computer and reports clean files as being infected with malware.

When Troj/FakeVir-BB is installed, the following files are created:

<User>\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk - can be safely deleted
<Desktop>\XP Antivirus 2008.lnk - can be safely deleted
<User>\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk - can be safely deleted
<User>\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk - can be safely deleted

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Internet Explorer
UserSession
5C2F7C663FF054B7E092381A7908D41A

Registry entries are created under:

HKCU\Software\5C2F7C663FF054B7E092381A7908D41A\Options


Affected operating systems: Windows
Characteristics: Installs itself in the registry

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirbb.html?_log_from=rss

TROJ_DNSCHANG.CS
by Marianna Schmudlach / May 11, 2008 11:14 AM PDT

Malware type: Trojan

Malware Overview

This Trojan may be dropped by other malware. It may be installed manually by a user. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It creates folders.

It creates registry entries to enable its automatic execution at every system startup. It creates registry key(s)/entry(ies) as part of its installation routine.

It accesses Web sites to download file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.

It drops component files. Trend Micro detects one of the dropped files as ADW_ISMONITOR. As a result, routines of the dropped adware are also exhibited on the affected system.

It connects to Web sites.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FDNSCHANG%2ECS
