Spyware, Viruses, & Security forum

VIRUS \ SPYWARE ALERTS - May 12, 2009

by Marianna Schmudlach / May 11, 2009 11:57 PM PDT
by Marianna Schmudlach / May 11, 2009 11:58 PM PDT
by Marianna Schmudlach / May 11, 2009 11:58 PM PDT
by Marianna Schmudlach / May 11, 2009 11:59 PM PDT
by Marianna Schmudlach / May 12, 2009 12:00 AM PDT


* Viruses and Spyware


* Worm

W32/IRCBot-AEH is a worm with IRC backdoor functionality for the Windows platform.

W32/IRCBot-AEH runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run, W32/IRCBot-AEH copies itself to <System>\wmisynd.exe and creates the file <System>\drivers\sysdrv32.sys.

The file wmisynd.exe is registered as a new system driver service named "WMISYND", with a display name of "WMI Sync-DB" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:



by Marianna Schmudlach / May 12, 2009 12:01 AM PDT
by Marianna Schmudlach / May 12, 2009 12:02 AM PDT
by Marianna Schmudlach / May 12, 2009 12:02 AM PDT
by Marianna Schmudlach / May 12, 2009 12:03 AM PDT
by Marianna Schmudlach / May 12, 2009 12:04 AM PDT
by Marianna Schmudlach / May 12, 2009 12:05 AM PDT


* Viruses and Spyware


* Trojan

When first run, Troj/FakeAV-QN copies itself to the following location:

The following registry entry is created in order to start Troj/FakeAV-QN when Windows starts:
system tool

Troj/FakeAV-QN makes changes to the following file:
These changes may prevent the infected computer from connecting to websites (typically anti-virus vendor sites).

Troj/FakeAV-QN is proactively blocked by HIPS.


by Marianna Schmudlach / May 12, 2009 12:06 AM PDT
by Marianna Schmudlach / May 12, 2009 12:07 AM PDT
by Marianna Schmudlach / May 12, 2009 12:08 AM PDT
by Marianna Schmudlach / May 12, 2009 12:09 AM PDT
by Marianna Schmudlach / May 12, 2009 12:10 AM PDT


* Trojan-Downloader.Win32.Small


* Viruses and Spyware


* Trojan

Troj/Poncho-Gen is a Trojan for the Windows platform that attempts to download, drop or execute a number of other malicious files, usually including some of the following:


Troj/Poncho-Gen is often seen in connection with members of the W32/Koobfa-Gen family of malware.


by Marianna Schmudlach / May 12, 2009 12:11 AM PDT
by Marianna Schmudlach / May 12, 2009 12:12 AM PDT
by Marianna Schmudlach / May 12, 2009 12:13 AM PDT
by Marianna Schmudlach / May 12, 2009 12:13 AM PDT

Tored-A email worm for Mac OS X called "lame"
by Marianna Schmudlach / May 12, 2009 12:29 AM PDT

May 12th, 2009

Posted by Jason D. O'Grady

Last week fellow ZDNet blogger Dancho Danchev posted a piece about a new email worm that has been discovered for Mac OS X called OSX/Tored-A.

Most of the examples of Mac malware that have surfaced recently (like OSX.Trojan.iServices.A and OSX/RSPlug-F) are actually Trojan horses that are distributed via P2P networks packaged with commercial software.

Sophos notes that Tored-A is different from the other recent Mac malware that has been discovered:

More: http://blogs.zdnet.com/Apple/?p=3897

by Marianna Schmudlach / May 12, 2009 12:38 AM PDT
Pushdo/Cutwail - The Art of Spamming
by Marianna Schmudlach / May 12, 2009 12:39 AM PDT


Unless you've been off the Internet for the last seven years, you've probably heard of the massive security problem: botnets. These networks of infected computers commanded by criminal outfits can launch coordinated attacks, host malicious websites or send spam - lots of it.

One of the biggest spamming botnets out there is Pushdo, a botnet that, despite being responsible for 7.7 billion spammed emails per day worldwide, has managed to stay under the radar since 2007. It has even managed to make it consistently into the Top 5 largest botnets without ever reaching number one, and is one of the Top 2 largest spamming botnets worldwide. Poor Pushdo, always the bridesmaid, never the bride!

In reality the Pushdo botnet is a very fancy software distribution platform. Once the victim is infected, Pushdo phones home asking for a bunch of malware executables, a lot of which are third party malware. This is the only kind of communication with the command & control server; no P2P components, just very frequent updates from the central server, one typically hosted in the US. Pushdo seems to have missed out compared to Storm and Downad, but its complete lack of self-propagation and simple C&C structure does not seem to have hampered it in the least.

More: http://blog.trendmicro.com/

Fake Antivirus Targets Brazil
by Marianna Schmudlach / May 12, 2009 12:40 AM PDT

Fake/rogue antivirus strikes again, this time targeting the users in Brazil. Like in today's malware trends, it did not come alone.

It initially starts with a spam message:

Hello, I am sending you my invitation to the graduation location, date and time

Hello, I am sending you my invitation to the graduation location, date and time.
I count on your presence.
We are there,

Yet More Swine Flu Attacks
by Marianna Schmudlach / May 12, 2009 12:41 AM PDT

Spammers know a thing or two about persistence, it seems. CNET reports a new Trojan, TROJ_QHOST.TB, that is the latest to take advantage of fears of swine flu. TROJ_QHOST.TB modifies the HOSTS file of any affected system, which results in the user being redirected to a spoofed banking-related website whenever they attempt to access the real ones. By this means, users are placed at risk of getting their banking information stolen and having it used by an unauthorized user.

The attack is pretty similar to earlier ones that have also taken advantage of the swine flu. Spam messages with warnings contain either a link to a malicious website or an attachment containing TROJ_QHOST.TB. In turn, the Trojan modifies the system's HOSTS file to redirect users of certain Mexican banks to a specific IP address.

Fortunately, however, the said IP address doesn't work anymore. However, there's nothing that stops future variants, or other Trojans, from using the same lure. Users should consider themselves warned.
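Both TROJ_QHOST.TB here and Troj/FakeAV-QN earlier in the thread work by rewriting the HOSTS file: one sends bank domains to an attacker's address, the other pins anti-virus sites to loopback so they cannot be reached. As an added example (not part of the thread or any vendor's tooling), this Python checker parses HOSTS-format text and flags both patterns so a responder can spot them in a file pulled from a suspect machine. The watch-list suffixes and the sample HOSTS content are constructed assumptions, not values from the thread.

```python
import ipaddress

# Assumed watch-list (constructed for this example): domains whose HOSTS
# mapping a defender wants to know about (banks, anti-virus vendors).
WATCHED_SUFFIXES = ("bank.example", "antivirus.example")
# Names a stock HOSTS file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return [(ip, [hostnames])] for every non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing comment, tokenize
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries

def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def suspicious_entries(text):
    """Return [(hostname, ip, reason)]: a watched site sinkholed to loopback
    (FakeAV-style block) or any name sent to a non-local address (QHOST-style)."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((" ".join(names), ip, "unparsable address"))
            continue
        local = addr.is_loopback or addr.is_unspecified
        for name in (n.lower() for n in names):
            if local and name in LOCAL_NAMES:
                continue  # stock entry such as "127.0.0.1 localhost"
            if local and is_watched(name):
                findings.append((name, ip, "watched site sinkholed (blocked)"))
            elif not local:
                why = "redirected to external address"
                findings.append((name, ip, ("watched site " if is_watched(name) else "") + why))
    return findings

# Constructed sample HOSTS content (not a real infected file).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
::1          localhost
127.0.0.1    updates.antivirus.example   # FakeAV-QN-style block
203.0.113.7  online.bank.example         # QHOST-style redirect
127.0.0.1    intranet.corp.example       # unwatched loopback entry: ignored
"""
```

Run it against the text of a real HOSTS file (on Windows `%SystemRoot%\System32\drivers\etc\hosts`, on Unix-like systems `/etc/hosts`) to list the entries worth a closer look.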


Cybercriminals Launch Tainted Windows 7 RC
by Marianna Schmudlach / May 12, 2009 12:42 AM PDT

The official launch of the Windows 7 Release Candidate last May 5 was soon followed by another version of the software, only that this other version came with a malware surprise.

A file being hosted in popular torrent sites posing as a copy of the Windows 7 RC was found to be a Trojan by security researchers. The file which arrives with the file name setup.exe is detected as TROJ_DROPPER.SPX. TROJ_DROPPER.SPX drops TROJ_AGENT.NICE. Both files are detected by the Smart Protection Network.

Windows 7 Release Candidate was leaked a couple of weeks prior to the official release, and was also hosted by and downloaded from popular torrent sites. This was followed by a reported downtime in the download page for the Windows 7 Beta, which was attributed to too many download requests.

With Windows 7 showing much promise as early as now, it isn't really surprising that cybercriminals are using the operating system to distribute malware not necessarily as a platform, but as a social engineering technique.

Those interested in obtaining a copy of the release candidate are advised to get it from the Microsoft Windows 7 website.


by Marianna Schmudlach / May 12, 2009 12:43 AM PDT

Name : Rogue:W32/XPAntivirus
Detection Names : FraudTool.Win32.XPAntivirus
Category: Malware
Type: Rogue
Platform: W32

Dishonest antivirus software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.

More: http://www.f-secure.com/v-descs/rogue_w32_xpantivirus.shtml

by Marianna Schmudlach / May 12, 2009 12:45 AM PDT
by Marianna Schmudlach / May 12, 2009 12:46 AM PDT

Malware type: Macro


This macro may be downloaded unknowingly by a user when visiting malicious Web site(s).

This is the detection for compromised Microsoft Excel files. Once executed, it will infect all opened Excel files with its code by creating a new sheet named XL4Poppy and hiding that sheet. It also creates a new workbook, Book1.xls, and infects it.

It also displays certain message boxes when the system time is 6:00am or 6:30pm. It changes the displayed name in the title bar to XF.Classic.Poppy. It also displays a message in the message bar at the bottom of the application.


by Marianna Schmudlach / May 12, 2009 1:31 AM PDT

Type : Worm

Category : OSX

Also known as: OSX/Tored.worm (McAfee), OSX/Tored-A (Sophos)

OSX/Tored.A is a proof-of-concept worm designed to propagate through email and network shares. It can also act as a backdoor and keylogger on an infected system. This worm is written in RealBasic and compiled for Intel-based Macs. Furthermore, this threat does not properly execute due to several bugs in its code.

Method of Infection

When executed, OSX/Tored.A creates a copy of itself in the ~/System/ directory with the following names:



by Marianna Schmudlach / May 12, 2009 2:00 AM PDT