VIRUS \ SPYWARE ALERTS - November 2, 2009

by Marianna Schmudlach / November 1, 2009 11:26 PM PST
JS/Dload-GZ
by Marianna Schmudlach / November 1, 2009 11:27 PM PST
JS/XIfr-Gen
by Marianna Schmudlach / November 1, 2009 11:27 PM PST

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows

JS/XIfr-Gen is a malicious JavaScript Trojan embedded in web pages.

When a page containing JS/XIfr-Gen is viewed in a browser, the script attempts to load further malicious content, typically for the purpose of exploiting browser vulnerabilities in order to install malware.

http://www.sophos.com/security/analyses/viruses-and-spyware/jsxifrgen.html?_log_from=rss

Troj/Agent-LPX
by Marianna Schmudlach / November 1, 2009 11:28 PM PST
Troj/Agent-LPY
by Marianna Schmudlach / November 1, 2009 11:29 PM PST
Troj/Agent-LPZ
by Marianna Schmudlach / November 1, 2009 11:30 PM PST
Troj/Agent-LQB
by Marianna Schmudlach / November 1, 2009 11:31 PM PST
Troj/Agent-LQC
by Marianna Schmudlach / November 1, 2009 11:32 PM PST
Troj/Drop-EC
by Marianna Schmudlach / November 1, 2009 11:32 PM PST

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows
Characteristics: Installs itself in the registry


Troj/Drop-EC is a Trojan for the Windows platform.

When Troj/Drop-EC is installed the following files are created:

<System>\2l7b.dll
<System>\7i91.exe
<System>\9ae9.dll
<System>\s.exe
<System>\tmp.exe
<Windows>\79e7.bmp
<Windows>\92b7.flv
<Windows>\e7df.exe

The file 7i91.exe is registered as a new service named "conims", with a display name of "conims". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\conims

The file s.exe is registered as a new service named "OSEvent", with a display name of "OSEvent". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\OSEvent

The file 2l7b.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{16936DCC-E13D-48c4-9B38-64666E52D898}
HKCR\Interface\{6C466962-2C35-44FE-8AB3-AE2C4C5681B8}
HKCR\TypeLib\{F2AD11A8-2B88-4542-84ED-59C0C8A7F2DD}
HKCR\IEHpr.Invoke
HKCR\IEHpr.Invoke.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16936DCC-E13D-48c4-9B38-64666E52D898}

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\DownloadManager

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdropec.html?_log_from=rss

W32/Autorun-ATL
by Marianna Schmudlach / November 1, 2009 11:33 PM PST
Target Marketing Agent Installer
by Marianna Schmudlach / November 1, 2009 11:34 PM PST
Target Marketing Agent
by Marianna Schmudlach / November 1, 2009 11:35 PM PST
Troj/Agent-LOB
by Marianna Schmudlach / November 1, 2009 11:36 PM PST

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows
Characteristics: Installs itself in the registry


Troj/Agent-LOB is a Trojan for the Windows platform.

Troj/Agent-LOB attempts to communicate with the following HTTP servers:

foodtoss . com
auditsun . com
dalytown . com
flytakes . com

Troj/Agent-LOB sets itself to run on system startup with the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PopRock
<Path to executable>

Registry entries are created under:

HKCU\Software\XML
HKCU\Software\PopRock

Troj/Agent-LOB may create a Scheduled Task to run itself periodically.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlob.html?_log_from=rss

Troj/KeyLog-LV
by Marianna Schmudlach / November 1, 2009 11:37 PM PST

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows
Characteristics: Installs itself in the registry


Troj/KeyLog-LV is a Trojan for the Windows platform.

The following registry entries are created to run DivXx.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6}
StubPath
<Program Files>\DivX\DivXx.exe Restart

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Cerb
<Program Files>\DivX\DivXx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Cerb
<Program Files>\DivX\DivXx.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Cerb
<Program Files>\DivX\DivXx.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Cerb
<Program Files>\DivX\DivXx.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojkeyloglv.html?_log_from=rss

Troj/Bckdr-QZW
by Marianna Schmudlach / November 1, 2009 11:38 PM PST
TROJ_CUTWAIL.GT
by Marianna Schmudlach / November 1, 2009 11:40 PM PST

Trend Micro threat analysts found spammed messages that pretend to be a letter coming from the "boss". It bears the subject "get back to my office for more details" and instructs users to read the attached ZIP file, which contains a letter. The ZIP attachment is, of course, not a letter but an .EXE file (info.exe) detected by Trend Micro as TROJ_CUTWAIL.GT.

Upon execution, TROJ_CUTWAIL.GT creates registry entries to automatically execute at every system startup. It also drops a Trojan dropper detected as TROJ_DROPR.ST. Cutwail is known as the "spam engine" of the notorious botnet, PUSHDO, which spammed around 7.7 billion spam a day last Q2.

More: http://blog.trendmicro.com/

Virus:DOS/Rogue
by Marianna Schmudlach / November 1, 2009 11:41 PM PST

Name : Virus:DOS/Rogue
Category: Malware
Type: Virus
Platform: DOS
Origin: Spain?

Summary
A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.


Additional Details
Virus:DOS/Rogue (also known as Peligro) infects COM and EXE files when they are executed.

There are several variants, most of them sized around 1200 bytes.

More: http://www.f-secure.com/v-descs/virus_dos_rogue.shtml

PWS-CuteMoon
by Marianna Schmudlach / November 1, 2009 11:43 PM PST

Type: Trojan
SubType: Password Stealer
Discovery Date: 11/02/2009

Overview -

This description is for password-stealing malware, which attempts to steal user information and post it to a pre-defined site.

The characteristics of this password stealer with regard to passwords stolen, sites accessed, files downloaded, etc. will differ depending on the way in which the attacker has configured it. Hence, this is a general description.
Aliases

* Trj/CI.A [Panda]

* Trojan-Downloader.Win32.FakeRean [Sunbelt]

* TrojWare.Win32.PSW.LdPinch.Gen [Comodo]

* Win32/TrojanDropper.Agent.OKG [Nod32]


Characteristics -


-- Update November 2, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://blog.threatexpert.com/2009/11/new-moon-trojan.html

--

When executed, this malware displays an erotic image to distract the user, and then drops the following files:

* %Windir%\exploree.exe [Detected as PWS-CuteMoon]
* %Windir%\svcoost.exe [Detected as PWS-CuteMoon]
* %System%\154.bat [Non malicious batch file]

Note:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt

It then modifies the hosts file located at "C:\Windows\System32\drivers\etc\hosts" with the following URL-to-IP mappings:

More: http://vil.nai.com/vil/content/v_240279.htm
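The write-up above says PWS-CuteMoon rewrites the hosts file with URL-to-IP mappings but the mappings themselves are not reproduced here. A defender's first check for that class of tampering is to list every hostname the file sends anywhere other than loopback. The parser below is an added example, not code from the forum post or from McAfee; the sample hosts file it embeds is constructed, and the injected names and addresses in it are placeholders rather than indicators from the description.

```python
"""Check a hosts file for name-to-address overrides.

Added example, not code from the forum post or from the McAfee write-up it
quotes.  Any hostname mapped to a non-loopback address overrides DNS for that
name, so this parser reports every such entry.  SAMPLE_HOSTS is constructed:
the injected names and addresses are placeholders, not real indicators.
"""
import ipaddress
import re

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
::1             localhost
# constructed injected entries (placeholder names, not real indicators):
198.51.100.23   update.example-av.test   www.example-av.test
10.0.0.5\tlogin.example-bank.test   # trailing comment
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for each mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding blanks
        if not line:
            continue
        fields = re.split(r"\s+", line)  # tabs and runs of spaces both separate fields
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for host in fields[1:]:  # one line may map several names to one address
            yield addr, host.lower(), line_no


def find_overrides(text):
    """Return [(address, hostname, line_no)] for names sent anywhere but loopback."""
    return [
        (str(addr), host, line_no)
        for addr, host, line_no in parse_hosts(text)
        if not addr.is_loopback
    ]


if __name__ == "__main__":
    for addr, host, line_no in find_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

To run it against a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` (the path the write-up names) with `errors="replace"` and pass the text to `find_overrides`. Ad-blocking hosts lists that sink domains to `0.0.0.0` will surface too, so keep an allowlist of expected entries and treat everything else, especially names of security vendors or banks, as a finding.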

Generic.dx!gfb!3AEA288C07DB
by Marianna Schmudlach / November 1, 2009 11:44 PM PST

Type: Trojan

Overview -

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

File Properties

* File Name : dllhost.exe
* Size : 8,984 bytes
* MD5 : 3AEA288C07DB42761E7BD83431FFE1D4
* SHA1 : EBFACF13962C9AFE32DB58B6AB4849DEEDD39C4D

Aliases

* Kaspersky : Trojan.Win32.Pincav.jbs
* Microsoft : Backdoor:Win32/Poison.M
* Symantec : Backdoor.Ciadoor
* Ikarus : Packed.Win32.Klone

Characteristics -

This is a generic detection for Trojans. Trojan behavior can be found in various malware families like "downloader", "dropper", "backdoor", "password stealer", etc. They are standalone applications that might call other malware or infect your machine on executing.

They can act in various ways to steal your data, private information, or resources.

It enables backdoor functionalities by connecting to a remote site and performing actions as programmed by a remote attacker.

The following registry entry is used:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{04D76A86-B759-FCF9-9BF3-BFB1C189EAC8}
"Stubpath" = "Path and File name of the sample"

More: http://vil.nai.com/vil/content/v_240031.htm
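The Troj/Agent-LOB, Troj/KeyLog-LV and Generic.dx posts above all persist through the same few registry locations: the Run keys, Policies\Explorer\Run, and Active Setup Installed Components with a StubPath value. Those locations can be triaged offline from a `reg export` dump. The following is an added example, not code from the posts or from Sophos or McAfee. The sample dump it embeds is constructed: it reuses value names and paths from the posts next to a benign placeholder entry with a made-up GUID, and the three checks it applies (malformed component GUID, use of Policies\Explorer\Run, executable in a user-writable folder) are this example's own heuristics.

```python
"""Triage auto-start entries in a decoded `reg export` dump (.reg text).

Added example; not code from the forum posts or from Sophos or McAfee.  It
parses Regedit/`reg export` output, collects the auto-start locations named in
the Troj/Agent-LOB, Troj/KeyLog-LV and Generic.dx posts (Run keys,
Policies\\Explorer\\Run, Active Setup StubPath) and applies three heuristics of
this example's own.  SAMPLE_REG is constructed: it reuses value names and
paths from those posts and adds a benign placeholder entry with a made-up GUID.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"
"PopRock"="C:\\Users\\alice\\AppData\\Roaming\\poprock\\poprock.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Cerb"="C:\\Program Files\\DivX\\DivXx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6}]
"StubPath"="C:\\Program Files\\DivX\\DivXx.exe Restart"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="C:\\Windows\\System32\\placeholder.exe /benign"
'''

# "name"=value or @=value (default value); the name may contain escaped quotes
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg files escape a backslash as \\ and a double quote as \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}.

    REG_SZ values are unquoted and unescaped; dword:/hex: values are kept as
    their raw text (wrapped hex continuation lines are ignored).  The default
    value is stored under the name "".
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) is None else _unescape(m.group(1))
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = _unescape(value[1:-1])  # REG_SZ: strip quotes, undo escapes
        tree[current][name] = value
    return tree


# (key-path regex, value name or None for every value in the key, label)
AUTOSTART = [
    (r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", None, "Run key"),
    (r"\\CurrentVersion\\Policies\\Explorer\\Run$", None, "Policies\\Explorer\\Run"),
    (r"\\Active Setup\\Installed Components\\\{[^}]*\}$", "StubPath", "Active Setup StubPath"),
]
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)


def autostart_entries(tree):
    """List (key, value_name, command, label) for every auto-start value found."""
    found = []
    for key, values in tree.items():
        for pattern, wanted, label in AUTOSTART:
            if re.search(pattern, key, re.I):
                for name, command in values.items():
                    if wanted is None or name.lower() == wanted.lower():
                        found.append((key, name, command, label))
    return found


def triage(tree):
    """Return [(key, value_name, command, reasons)] for entries worth a closer look."""
    findings = []
    for key, name, command, label in autostart_entries(tree):
        reasons = []
        if label == "Active Setup StubPath" and not GUID_RE.match(key.rsplit("\\", 1)[-1]):
            reasons.append("component id is not a well-formed GUID")
        if label == "Policies\\Explorer\\Run":
            reasons.append("Policies\\Explorer\\Run is rarely populated outside Group Policy")
        if USER_WRITABLE.search(command):
            reasons.append("executable lives in a user-writable directory")
        if reasons:
            findings.append((key, name, command, reasons))
    return findings


if __name__ == "__main__":
    for key, name, command, reasons in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n  {name} = {command}\n  -> {'; '.join(reasons)}")
```

`reg export` writes UTF-16LE with a byte-order mark, so decode the file with `utf-16` before handing it to `parse_reg_export`. The Active Setup check is worth keeping even when the path looks ordinary: the KeyLog-LV post's component id contains letters that can never appear in a real GUID, which is exactly the kind of detail a path-only heuristic would miss.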

McAfee Labs Low-Profiled Threat Notice: PWS-CuteMoon
by Marianna Schmudlach / November 1, 2009 11:51 PM PST

Notice
This is a Low-Profiled Threat Notice for PWS-CuteMoon

Justification
PWS-CuteMoon has been deemed Low-Profiled due to media attention at: http://blog.threatexpert.com/2009/11/new-moon-trojan.html


Read About It
Information about PWS-CuteMoon is located on VIL at: http://vil.nai.com/vil/content/v_240279.htm

Detection
PWS-CuteMoon was first discovered on November 2, 2009 and detection will be added to the 5791 dat files (Release Date: November 3, 2009).

If you suspect you have PWS-CuteMoon, please submit a sample to <http://www.webimmune.net>

Troj/Dloadr-CWG
by Marianna Schmudlach / November 2, 2009 1:02 AM PST
Troj/BredoZp-R
by Marianna Schmudlach / November 2, 2009 1:02 AM PST
Troj/BHO-OF
by Marianna Schmudlach / November 2, 2009 1:03 AM PST
Troj/BHO-OE
by Marianna Schmudlach / November 2, 2009 1:04 AM PST
Troj/Agent-LQG
by Marianna Schmudlach / November 2, 2009 1:04 AM PST
Troj/Agent-LQF
by Marianna Schmudlach / November 2, 2009 1:05 AM PST
Troj/Agent-LQD
by Marianna Schmudlach / November 2, 2009 1:06 AM PST
Troj/Agent-LPV
by Marianna Schmudlach / November 2, 2009 1:07 AM PST
Mal/EncPK-LL
by Marianna Schmudlach / November 2, 2009 1:07 AM PST
Mal/DogKil-A
by Marianna Schmudlach / November 2, 2009 1:08 AM PST
Troj/Spy-EH
by Marianna Schmudlach / November 2, 2009 5:20 AM PST
