Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - November 17, 2008

by Marianna Schmudlach / November 16, 2008 2:15 PM PST

W32/Koobfa-Gen

Aliases: Net-Worm.Win32.Koobface, W32/Koobface.worm virus, Worm:Win32/Koobface.A

Category: Viruses and Spyware

Type: Worm

W32/Koobfa-Gen is a family of worms for the Windows platform that target Facebook and may attempt to send messages to users on Facebook pointing to a copy of themselves. Some members of the family also target other social networking sites, including Myspace.

When first run, members of W32/Koobfa-Gen often display an error message saying:

Error installing Codec. Please contact support.

Members of W32/Koobfa-Gen often create a clean .dat data file in the Windows folder, for example <Windows>\fmark2.dat.

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32koobfagen.html?_log_from=rss

Troj/SkinTrim-E
by Marianna Schmudlach / November 16, 2008 2:16 PM PST

Troj/Banker-EOJ
by Marianna Schmudlach / November 16, 2008 2:17 PM PST

Mal/TDSS-A
by Marianna Schmudlach / November 16, 2008 2:18 PM PST

W32/Autorun-PB
by Marianna Schmudlach / November 16, 2008 2:19 PM PST

Troj/FakeAV-GP
by Marianna Schmudlach / November 16, 2008 2:20 PM PST

Troj/Agent-IGR
by Marianna Schmudlach / November 16, 2008 2:21 PM PST

Troj/Agent-IFZ
by Marianna Schmudlach / November 16, 2008 2:22 PM PST

Troj/Agent-IFY
by Marianna Schmudlach / November 16, 2008 2:23 PM PST

BetterInternet-Installer
by Marianna Schmudlach / November 16, 2008 2:24 PM PST

Troj/Banloa-GA
by Marianna Schmudlach / November 17, 2008 12:03 AM PST

Mal/ExpJS-E
by Marianna Schmudlach / November 17, 2008 12:04 AM PST

FraudTool.Win32.Agent.eh.
by Marianna Schmudlach / November 17, 2008 12:46 AM PST

Monday, November 17, 2008

VirusResponse Lab 2009

Last Friday, we came across a rogue application, VirusResponse Lab 2009, that used a fake 404 page as part of its social engineering attack.

Many rogue affiliate sites use scripts to generate animated "online scans" and then try to convince the visitor to download the rogue installer file via a pop-up dialog.

404dnswebsite .com took a different approach. Rather than producing a fake scan and prompting for a download, it instead simply hosted a fake 404 error message:

More: http://www.f-secure.com/weblog/

Reference scripts - malware
by susanphelps / November 17, 2008 5:16 AM PST

You mentioned scripts creating animated on-line scans. Yesterday, the browser just shut down and in the upper corner a notation: (on-line-pro-scan was running). I shut the system down; when I re-booted, 2 icons relating to fixing registry problems were on the desktop. I deleted the files without running them - no notation on my master programs list. I checked the website, it wanted me to log in, minimal information - it didn't look right. (Like I would know, a great-grandmother learning the computer.) I have a Registry Fix program already and the free ones I've seen do not fix errors. How do you know if these are legit - the micro-antivirus-2009 had the Microsoft security shield. Also when I log into the CNET forum, it states the website is believed to be a scam. Thank You, Susan

I would suggest.........
by Marianna Schmudlach / November 17, 2008 5:24 AM PST

Please download Malwarebytes Anti-Malware or alternate download link

* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
* - Update Malwarebytes' Anti-Malware
* - Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

* On the Scanner tab:
* - Make sure the "Perform Quick Scan" option is selected.
* - Then click on the Scan button.
* The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

* -- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

**If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll

REFERENCE SCRIPTS-MALWARE
by susanphelps / November 17, 2008 8:57 AM PST

Thank you - I will try this - it will probably take me all night and I may have some questions later. (It took me over 3 days, without sleep, to eradicate MicroantivirusPro2009; can't tell you how many times I went back to my previous restore point) even going by site instructions. I've been going through files since last night. I truly appreciate your assistance and step-by-step instructions - more than you know. Respectfully, Susan

Reference scripts - malware
by susanphelps / November 18, 2008 10:10 PM PST

Marianna - You have my undying gratitude... I ran Malwarebytes and it found and disposed of 20 adware intruders. The only problem I had was trying to disable my CA suite. I've been having a problem with it - trying to "update my programs to an earlier one." I don't want to go backwards, but every few hours it pops up and tries to extract my files. I'm under the impression that you were only supposed to run one program for virus, one for spyware, one for spam, and one firewall. Anyway - I had to run it twice due to interference of ?something? I really appreciate your baby step instructions - that was awesome. You all are wonderful, thank you for your time and dedication. Have a wonderful Thanksgiving - I'm giving thanks for you all. Susan PS - After the first download - something hijacked my touchpad cursor - nothing would respond - I just can't seem to get it right.

IF you are having any problems with CA Suite.....
by Marianna Schmudlach / November 19, 2008 1:50 AM PST

why don't you visit their forum?

http://homeofficeforum.ca.com/homeofficeforum/forumdisplay.php?s=0b9c7fe539778dbd2b8ceac686f5bbbb&f=14&order=desc

Yes, ONE Firewall, ONE Anti Virus, but you can have more than one Anti Malware program.

Did MalwareBytes Anti Malware clean up everything?

You could even give SuperAntiSpyware a try:

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):

Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".

W32/AutoRun-PC
by Marianna Schmudlach / November 17, 2008 1:32 AM PST

Aliases: Worm.Win32.AutoRun.ryz, Win32/AutoRun.Agent.AO worm

Category: Viruses and Spyware

Type: Worm

W32/AutoRun-PC is a worm for the Windows platform.

W32/AutoRun-PC includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/AutoRun-PC copies itself to <Program Files>\Microsoft Common\svchost.exe.

The following registry entry is changed to run W32/AutoRun-PC on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Program Files>\Microsoft Common\svchost.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunpc.html?_log_from=rss

VBS/Sasan-J
by Marianna Schmudlach / November 17, 2008 1:33 AM PST

Troj/Zbot-AX
by Marianna Schmudlach / November 17, 2008 1:34 AM PST

Aliases: Trojan-Spy.Win32.Zbot.gkj

Category: Viruses and Spyware

Type: Trojan

Troj/Zbot-AX is a Trojan for the Windows platform.

Troj/Zbot-AX includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Zbot-AX is installed the following files are created:

<System>\ntos.exe
<System>\wsnpoem\audio.dll
<System>\wsnpoem\video.dll

The following registry entry is changed to run ntos.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\ntos.exe,

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzbotax.html?_log_from=rss

Troj/PWS-AWD
by Marianna Schmudlach / November 17, 2008 1:35 AM PST

Troj/Buzus-X
by Marianna Schmudlach / November 17, 2008 1:35 AM PST

Troj/Buzus-W
by Marianna Schmudlach / November 17, 2008 1:37 AM PST

Troj/Agent-IGU
by Marianna Schmudlach / November 17, 2008 1:37 AM PST

Troj/Agent-IGT
by Marianna Schmudlach / November 17, 2008 1:38 AM PST

Troj/Agent-IGS
by Marianna Schmudlach / November 17, 2008 1:39 AM PST

Sus/ObfJS-BM
by Marianna Schmudlach / November 17, 2008 1:41 AM PST

Troj/FakeAle-JW
by Marianna Schmudlach / November 17, 2008 4:53 AM PST

Category: Viruses and Spyware

Type: Trojan

Troj/FakeAle-JW is a Trojan for the Windows platform.

When Troj/FakeAle-JW is installed the following files are created:

<Temp>\flav.exe
<System>\brastk.exe
<System>\dllcache\figaro.sys
<System>\drivers\ctfmon.exe

The file ctfmon.exe is detected as Mal/Behav-009 and the file figaro.sys is detected as Mal/FakeAle-C.

The following registry entries are created to run Troj/FakeAle-JW on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
brastk
<System>\brastk.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
systemz
<System>\drivers\ctfmon.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
brastk
<System>\brastk.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealejw.html?_log_from=rss
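
The three Sophos write-ups quoted in this thread (W32/AutoRun-PC, Troj/Zbot-AX and Troj/FakeAle-JW) all survive reboots through autostart registry values: an Image File Execution Options "Debugger" on explorer.exe, an extra entry appended to Winlogon\Userinit, and Run-key entries. The Python script below is an added example, not code from the forum or from Sophos: it parses the text produced by `reg export` and flags those three patterns, so the check can be run offline against an export taken from a suspect machine. The sample export, the SYSTEM_DIR value and the rule names are constructed assumptions; the file names ntos.exe and brastk.exe come from the write-ups above.

```python
"""Flag the autostart registry patterns described in the Sophos write-ups
quoted in this thread, using a text export produced by `reg export`.

Added example, not code from the forum or from Sophos. Only REG_SZ values
are parsed, the export is assumed to be already decoded to str (real .reg
files are UTF-16), and values are assumed to be bare paths without quoting
or arguments.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export (not output from a real machine). The entries
# mirror the write-ups above; the final Run entry is a benign control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"brastk"="C:\\WINDOWS\\system32\\brastk.exe"
"systemz"="C:\\WINDOWS\\system32\\drivers\\ctfmon.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Assumed system directory of the exported machine (adjust for the real host).
SYSTEM_DIR = r"c:\windows\system32"
# File names taken from the Troj/Zbot-AX and Troj/FakeAle-JW write-ups.
IOC_FILENAMES = {"ntos.exe", "brastk.exe"}
# Windows binaries whose names malware borrows; legitimate copies live in SYSTEM_DIR.
SYSTEM_BINARIES = {"svchost.exe", "ctfmon.exe", "userinit.exe", "explorer.exe"}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
Finding = Tuple[str, str, str, str]  # (rule, key, value name, data)


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}} for the REG_SZ values in a .reg file."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue  # dword:/hex: data and stray lines are ignored
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def check_persistence(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply the three autostart rules to parsed keys and return every hit."""
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            # Rule 1: an IFEO Debugger value makes Windows start the named program
            # through the "debugger" instead (W32/AutoRun-PC hooks explorer.exe this way).
            if "\\image file execution options\\" in k and n == "debugger":
                findings.append(("ifeo-debugger", key, name, data))
            # Rule 2: Winlogon\Userinit should name only userinit.exe in SYSTEM_DIR;
            # every extra comma-separated entry runs at logon (Troj/Zbot-AX adds ntos.exe).
            elif k.endswith("\\winlogon") and n == "userinit":
                for entry in (e.strip() for e in data.split(",") if e.strip()):
                    if _basename(entry) != "userinit.exe" or _dirname(entry) != SYSTEM_DIR:
                        findings.append(("userinit-extra-entry", key, name, entry))
            # Rule 3: Run-key entries that are page IoCs, or a system binary name
            # started from outside SYSTEM_DIR (Troj/FakeAle-JW's drivers\ctfmon.exe).
            elif k.endswith("\\currentversion\\run"):
                base = _basename(data)
                if base in IOC_FILENAMES:
                    findings.append(("run-known-ioc", key, name, data))
                elif base in SYSTEM_BINARIES and _dirname(data) != SYSTEM_DIR:
                    findings.append(("run-masquerade-path", key, name, data))
    return findings


if __name__ == "__main__":
    for rule, key, name, data in check_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{rule:22} {key}\\{name} = {data}")
```

Run against the constructed sample, the script reports four findings (the IFEO debugger, the extra ntos.exe Userinit entry, the brastk Run value and the ctfmon.exe copy under drivers\) and stays silent on the legitimate Shell and ctfmon values. On a real export, replace SAMPLE_REG with the decoded file contents and set SYSTEM_DIR to that machine's system directory; any hit is a lead to review, not proof of infection on its own.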

Troj/Dwnldr-HKR
by Marianna Schmudlach / November 17, 2008 4:54 AM PST

Troj/Dloadr-BZW
by Marianna Schmudlach / November 17, 2008 4:55 AM PST
