VIRUS \ Spyware ALERTS - November 14, 2008

Nov 13, 2008 10:43AM PST

Troj/Cmjspy-AM
Nov 14, 2008 2:05AM PST

Category Viruses and Spyware

Type Trojan

Troj/Cmjspy-AM is a Trojan for the Windows platform.

On execution Troj/Cmjspy-AM copies itself to <System>\csrcs.exe and creates the following file:
<Temp>\suicide.bat

The following registry entry is created to run csrcs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
csrcs
<System>\csrcs.exe

The following registry entry is changed to run csrcs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe csrcs.ex

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojcmjspyam.html?_log_from=rss

Troj/BHO-IC
Nov 14, 2008 2:06AM PST

Category Viruses and Spyware

Type Trojan

The Troj/BHO-IC DLL is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{7555B36A-0015-36EF-A863-1533B32A92AF}
HKCR\Interface\{8585F58F-26F3-3C4D-BEA9-30C913337FE7}
HKCR\TypeLib\{A01B2D4F-864C-3A9D-BC27-2D567A929CC2}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7555B36A-0015-36EF-A863-1533B32A92AF}

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhoic.html?_log_from=rss

TROJ_PIDIEF.DN
Nov 14, 2008 2:08AM PST

PWS-Mmorpg.gen!4F4835C5
Nov 14, 2008 2:09AM PST

Alert ID : FrSIRT/ALRT-2008-07053
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-14


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_153356.htm

Credits

Reported by McAfee

Virus Alerts [Panda Security's weekly report on viruses and
Nov 14, 2008 3:58AM PST

Virus Alerts [Panda Security's weekly report on viruses and intruders - 11/14/08]

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

A new fake antivirus (the AntivirusPro 2009 adware), and the Gimmiv.C
and Boface.C worms designed to spread on social networks such as
Facebook and MySpace are the subjects of this week's PandaLabs report.

AntivirusPro 2009 is a malicious code that passes itself off as a trial
anti-malware solution. Once installed on the computer, it makes users
believe their computer is infected to make them purchase the full, pay
version of the fake antivirus. This way, cyber-crooks gain financial
benefits from their infections. According to data collected by
PandaLabs, over 30 million computers worldwide could be infected by fake
antiviruses
(http://www.pandasecurity.com/spain/homeusers/media/press-releases/viewnews?noticia=9393).

Gimmiv.C is a worm designed to exploit one of the latest Microsoft
Windows vulnerabilities (MS08-067). When run on the computer, it drops
two malicious files onto the system.

One of the malicious files is vista.exe, an IP scanner that scans the
subnet range of the local network searching for computers with port 445
open. Then, the worm runs another file downloaded (Mrosconfig.exe),
which is used to exploit the MS08-067 vulnerability. Gimmiv.C uses this
malicious code on the vulnerable computers found in the scan. It also
makes one of the computers download other malware by connecting to a
certain URL.

Finally, Boface.G is a worm designed to spread on social networks such
as MySpace or Facebook.

This worm posts a link to a fake YouTube video on the infected user's
profile or contacts panel, or sends the contacts a private message with
the link. When they try to watch the video (which seems to come from one
of their friends) they are taken to a Web page where they are encouraged
to download a Flash Player update to watch it. However, if they do so,
they will let a copy of the worm into their computers and will infect
all of their contacts.

For further information about this worm, go to
http://www.pandasecurity.com/spain/homeusers/media/press-releases/viewnews?noticia=9434&sitepanda=particulares

Mal/EncPk-GA
Nov 14, 2008 4:24AM PST

Troj/Agent-IGK
Nov 14, 2008 4:25AM PST

Troj/BHO-ID
Nov 14, 2008 4:26AM PST

Troj/Boaxxe-G
Nov 14, 2008 4:27AM PST

Troj/Dloadr-BZO
Nov 14, 2008 4:28AM PST

Troj/FakeAle-JV
Nov 14, 2008 4:29AM PST

Troj/PWS-AWB
Nov 14, 2008 4:30AM PST

Category Viruses and Spyware

Type Trojan

Troj/PWS-AWB is an information stealing Trojan for the Windows platform.

When run, Troj/PWS-AWB creates the following file in the user's temp folder:

<Temp>\Exploner.exe

The following registry entry is set to run Troj/PWS-AWB on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
explozer
C:\Documents and Settings\user\Local Settings\Temp\exploner.exe

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsawb.html?_log_from=rss
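
A defender-side check for the startup changes described in the Troj/Cmjspy-AM and Troj/PWS-AWB posts, added here as an example and not part of the original posts or the Sophos write-ups: it parses `reg query` text output and flags a Winlogon Shell value that is anything other than explorer.exe, Run entries that launch from a Temp folder, and file names one character away from a Windows binary. The sample output, the short `KNOWN` list and all function names are constructed for illustration.

```python
import ntpath
import re

# Startup locations named in the posts (matched as key suffixes, any hive).
RUN_KEYS = (r"\currentversion\run", r"\currentversion\policies\explorer\run")
WINLOGON = r"\windows nt\currentversion\winlogon"
KNOWN = ("explorer.exe", "csrss.exe", "svchost.exe")  # assumed reference names
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe csrcs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    csrcs    REG_SZ    C:\WINDOWS\system32\csrcs.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    explozer    REG_SZ    C:\Documents and Settings\user\Local Settings\Temp\exploner.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""  # constructed `reg query` output, not captured from a real host

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := re.match(r"\s+(.+?)\s+REG_\w+\s+(.*)$", line)):
            yield key, m.group(1), m.group(2).strip()

def one_edit_apart(a, b):
    """True when a and b differ by exactly one substituted, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    a, b = sorted((a, b), key=len)  # a is now the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def audit(text):
    """Return (finding, value_name, data) for each suspicious startup entry."""
    findings = []
    for key, name, data in parse_reg_query(text):
        k, d = key.lower(), data.lower().strip('"')
        if k.endswith(WINLOGON) and name.lower() == "shell" and d != "explorer.exe":
            findings.append(("shell-modified", name, data))
        elif k.endswith(RUN_KEYS):
            if "\\temp\\" in d:
                findings.append(("run-from-temp", name, data))
            if any(one_edit_apart(ntpath.basename(d), g) for g in KNOWN):
                findings.append(("lookalike-name", name, data))
    return findings
```

Calling `audit(SAMPLE)` reports the modified Shell value, the `csrcs` policy Run entry and both problems with the `explozer` entry, while the `ctfmon.exe` entry passes.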

Troj/Renos-BO
Nov 14, 2008 4:31AM PST

Troj/RKDrop-B
Nov 14, 2008 4:32AM PST

Troj/ServU-FO
Nov 14, 2008 4:34AM PST

Troj/Renos-BP
Nov 14, 2008 6:56AM PST

Aliases Hoax.Win32.Renos.fel
FakeAlert-BI
Win32/TrojanDownloader.FakeAlert.PN

Category Viruses and Spyware

Type Trojan

Troj/Renos-BP is a Trojan for the Windows platform.

When first run Troj/Renos-BP creates the following file:

<System>\<random>.dll

This file is detected as Mal/FakeAlert-A.

Registry entries are created under:

HKCR\CLSID\{d54f12f7-4d76-4c39-a096-e51ef5d33f2b}\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
"{d54f12f7-4d76-4c39-a096-e51ef5d33f2b}"
"displume"

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrenosbp.html?_log_from=rss
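
The Troj/BHO-IC and Troj/Renos-BP posts both describe a DLL loaded through a CLSID listed at an Explorer load point. The added example below (not from the posts or from Sophos) joins each CLSID found under Browser Helper Objects or SharedTaskScheduler to the DLL named in its `InprocServer32` key, the standard COM location for an in-process server, and skips CLSIDs already reviewed. The snapshot layout, DLL paths, placeholder CLSID and function names are constructed.

```python
import re

# Constructed registry snapshot: {key path: {value name: data}}; "" is the default value.
# The BHO's CLSID key is left out on purpose to show the unresolved case.
SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    r"\{7555B36A-0015-36EF-A863-1533B32A92AF}": {},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler": {
        "{d54f12f7-4d76-4c39-a096-e51ef5d33f2b}": "displume",
        "{00000000-0000-0000-0000-00000000000A}": "placeholder reviewed entry",
    },
    r"HKCR\CLSID\{D54F12F7-4D76-4C39-A096-E51EF5D33F2B}\InprocServer32": {
        "": r"C:\WINDOWS\system32\example1234.dll"},  # constructed DLL name
    r"HKCR\CLSID\{00000000-0000-0000-0000-00000000000A}\InprocServer32": {
        "": r"C:\WINDOWS\system32\reviewed.dll"},
}
BHO = r"\explorer\browser helper objects"
STS = r"\explorer\sharedtaskscheduler"

def load_point_clsids(snapshot):
    """Yield (load_point, CLSID): BHOs are subkey names, SharedTaskScheduler uses value names."""
    for key, values in snapshot.items():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower().endswith(BHO):
            yield "BHO", leaf.upper()
        elif key.lower().endswith(STS):
            for name in values:
                yield "SharedTaskScheduler", name.upper()

def resolve(snapshot, reviewed=()):
    """List (load_point, CLSID, dll) for unreviewed CLSIDs; dll is None if no server key exists."""
    servers = {}
    for key, values in snapshot.items():
        m = re.search(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InprocServer32$", key, re.I)
        if m:
            servers[m.group(1).upper()] = values.get("")
    reviewed = {c.upper() for c in reviewed}  # CLSIDs compare case-insensitively
    return [(lp, c, servers.get(c)) for lp, c in load_point_clsids(snapshot)
            if c not in reviewed]
```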

Troj/Mdrop-BWV
Nov 14, 2008 6:57AM PST

Troj/IRCBot-ACZ
Nov 14, 2008 6:59AM PST

Troj/DwnLdr-HKP
Nov 14, 2008 7:00AM PST

Aliases Downloader-BKM trojan
Win32/TrojanDownloader.FakeAlert.PY

Category Viruses and Spyware

Type Trojan

Troj/DwnLdr-HKP is a Trojan for the Windows platform.

Troj/DwnLdr-HKP includes functionality to access the internet and communicate with a remote server via HTTP.

The following registry entry is created to run Troj/DwnLdr-HKP on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSFox
<pathname of the Trojan executable>

Registry entries are created under:

HKLM\SOFTWARE\Mozilla\MSFox

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhkp.html?_log_from=rss

Troj/Bdoor-APX
Nov 14, 2008 7:01AM PST

Troj/Agent-IGM
Nov 14, 2008 7:02AM PST

Troj/Agent-IGL
Nov 14, 2008 7:03AM PST