Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - November 25, 2009

by Marianna Schmudlach / November 24, 2009 11:08 PM PST
Troj/Renos-EE
by Marianna Schmudlach / November 24, 2009 11:09 PM PST

VBS/Joint-A
by Marianna Schmudlach / November 24, 2009 11:10 PM PST

W32/IRCBot-AGD
by Marianna Schmudlach / November 24, 2009 11:11 PM PST

Mal/EncPk-MB
by Marianna Schmudlach / November 24, 2009 11:11 PM PST

Troj/Agent-LUZ
by Marianna Schmudlach / November 24, 2009 11:12 PM PST

Troj/Drop-EE
by Marianna Schmudlach / November 24, 2009 11:13 PM PST

Troj/Small-ENQ
by Marianna Schmudlach / November 24, 2009 11:13 PM PST

Troj/TDSS-BT
by Marianna Schmudlach / November 24, 2009 11:14 PM PST

Troj/BankDl-DY
by Marianna Schmudlach / November 24, 2009 11:15 PM PST

W32/AutoRun-AVS
by Marianna Schmudlach / November 24, 2009 11:16 PM PST

Category

* Viruses and Spyware

Type

* Worm

How it spreads

* Removable storage devices

Affected operating systems: Windows

Characteristics

* Installs itself in the registry

W32/AutoRun-AVS is a worm for the Windows platform.

When run, W32/AutoRun-AVS copies itself to <Documents and Settings>\Administrator\Application Data\S85-28348346-HAT83-E3-62366-HASG-1732735\winlogon.exe

and sets the following registry entries (key, then value name = data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFolderOptions = 1
  NoRun = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Windows Login Services = <Documents and Settings>\Administrator\Application Data\S85-28348346-HAT83-E3-62366-HASG-1732735\winlogon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Windows Login Services = <Documents and Settings>\Administrator\Application Data\S85-28348346-HAT83-E3-62366-HASG-1732735\winlogon.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
  DisableConfig = 1

More: http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunavs.html?_log_from=rss

W32/Autorun-AVR
by Marianna Schmudlach / November 24, 2009 11:17 PM PST

Troj/PDFJs-FF
by Marianna Schmudlach / November 24, 2009 11:18 PM PST

Troj/Lineag-GT
by Marianna Schmudlach / November 24, 2009 11:18 PM PST

Troj/Agent-LUL
by Marianna Schmudlach / November 24, 2009 11:19 PM PST

Mal/FakeAV-BU
by Marianna Schmudlach / November 24, 2009 11:20 PM PST

Mal/EncPk-LY
by Marianna Schmudlach / November 24, 2009 11:21 PM PST

Troj/PDFJs-FG
by Marianna Schmudlach / November 24, 2009 11:22 PM PST

Troj/FakeAV-AIN
by Marianna Schmudlach / November 24, 2009 11:22 PM PST

Bloodhound.Exploit.286
by Marianna Schmudlach / November 24, 2009 11:24 PM PST

Discovered: November 25, 2009
Updated: November 25, 2009 7:27:39 AM
Type: Trojan, Virus
Systems Affected: Windows 98, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
CVE References: CVE-2009-3762

Bloodhound.Exploit.286 is a heuristic detection for files attempting to exploit the Microsoft Internet Explorer 'Style' Object Remote Code Execution Vulnerability (BID 37085).

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-112506-2241-99

Worm:iPhoneOS/Ikee
by Marianna Schmudlach / November 24, 2009 11:25 PM PST

Name : Worm:iPhoneOS/Ikee
Category: Malware
Type: Worm
Platform: iPhoneOS

Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.


Additional Details
Worm:iPhoneOS/Ikee is the first worm to target the Apple iPhone. Its most notable action involves changing the background wallpaper on the device.

The details below are for the A variant of the Ikee worm. It was first reported by iPhone users in Australia and appears to have been written by a hacker named 'ikex'.

Though this variant is non-malicious, it is still considered of interest, as it is possible for another hacker to use code from this variant and adapt it to carry a more sinister payload, as subsequently happened with the Worm:iPhoneOS/Ikee.B outbreak. In addition, accessing a user's computing device and changing their data without permission is illegal in many countries.

http://www.f-secure.com/v-descs/worm_iphoneos_ikee.shtml

Worm:iPhoneOS/Ikee.B
by Marianna Schmudlach / November 24, 2009 11:26 PM PST

Name : Worm:iPhoneOS/Ikee.B
Category: Malware
Type: Worm
Platform: iPhoneOS

Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.


More: http://www.f-secure.com/v-descs/worm_iphoneos_ikee_b.shtml

OSX/RRoll.A
by Marianna Schmudlach / November 24, 2009 11:28 PM PST

Type
Internet Worm
SubType
PDA Device

Overview -

OSX/RRoll.A is a worm that infects jailbroken iPhones that have the root account password set to the default. The malware alters the background image/wallpaper displayed during phone calls and when the device is locked.

Aliases:

* iPhoneOS/Ikee (F-Secure)

Characteristics -

OSX/RRoll.A is a worm developed by an Australian malware author using the handle "ikee". The malware author has released the source code for this variant.

OSX/RRoll.A scans the IP address ranges belonging to three mobile carriers located in Australia. The worm attempts to locate vulnerable iPhones by logging in to the SSH service using the iPhone's default root password.

Upon a successful login, the worm will copy itself to the victim's device. The worm is set to run upon installation. OSX/RRoll.A uses a property list named com.ikey.bbot.plist to run.

When first run, the worm will replace the background image/wallpaper used when the device is locked with an image containing a message from the author.

After changing the background image, OSX/RRoll.A will delete the binary of the SSH daemon (service) and terminate its process. This serves the dual purpose of closing the hole that allowed infection and also preventing reinfection by the worm or other attackers.

More: http://vil.nai.com/vil/content/v_244693.htm

OSX/RRoll.B
by Marianna Schmudlach / November 24, 2009 11:28 PM PST

Type
Internet Worm
SubType
PDA Device

Overview -

OSX/RRoll.B is a worm that infects jailbroken iPhones that have the root account password set to the default. The malware alters the background image/wallpaper displayed during phone calls and when the device is locked.

Aliases:
iPhoneOS/Ikee (F-Secure)

Characteristics -

OSX/RRoll.B is a worm developed by an Australian malware author using the handle "ikee". The malware author has released the source code for this variant.

OSX/RRoll.B scans the IP address ranges belonging to three mobile carriers located in Australia. The worm attempts to locate vulnerable iPhones by logging in to the SSH service using the iPhone's default root password.

Upon a successful login, the worm will copy itself to the victim's device. The worm is set to run upon installation. OSX/RRoll.B overwrites the Cydia Installer program's startup files in order to run.

When first run, the worm will replace the background image/wallpaper used when the device is locked with an image containing a message from the author.

More: http://vil.nai.com/vil/content/v_244694.htm

OSX/RRoll.C
by Marianna Schmudlach / November 24, 2009 11:29 PM PST

Type
Trojan
SubType
PDA Device

Overview -

OSX/RRoll.C is a trojan that distributes OSX/iPhDownloader.A. It is based on the source code for the OSX/RRoll.B worm.

Aliases:
iPhoneOS/Ikee.B (F-Secure)

Characteristics -

OSX/RRoll.C is distributed as a file named "sshd". The name is identical to that of the Secure Shell Daemon (SSHD), but the file size is significantly smaller.

The malware is produced from a modified version of the OSX/RRoll.B source code. All debugging statements have been removed and the CopyFile and infectHost subroutines have been modified to transfer and install OSX/iPhDownloader.A on vulnerable devices.

OSX/RRoll.C scans the following ranges of IP addresses:

More: http://vil.nai.com/vil/content/v_244695.htm

OSX/iPhDownloader.A
by Marianna Schmudlach / November 24, 2009 11:31 PM PST

Type
Virus
SubType
PDA Device

Overview -

OSX/iPhDownloader.A is malware that is used to download from an attacker's web site. It also changes user passwords on the device.

Aliases:
iPhoneOS/Ikee.B (F-Secure)
Characteristics -

OSX/iPhDownloader.A is distributed in a file named cydia.tgz. The archive file contains the following files:

More: http://vil.nai.com/vil/content/v_244696.htm

TROJ_AGENT.AWYQ.
by Marianna Schmudlach / November 24, 2009 11:49 PM PST

Trend Micro threat analysts were alerted to the discovery of spammed messages that purported to come from Media Service. The email bears the subject "Congratulations," and informs users that they won a Macbook Air. It also entices users to open the attached .ZIP file, which supposedly contains the details. Of course, the attachment does not hold any details but does contain an executable file (winner.exe) detected by Trend Micro as TROJ_AGENT.AWYQ.

When executed, TROJ_AGENT.AWYQ drops another malware detected as TROJ_CUTWAIL.GO. Cutwail/Pushdo is one of the most notorious spam botnets, sending around 7.7 billion emails a day. Pushdo variants are essentially downloaders, which first infect a system and then download the Cutwail spam module (also owned by the same criminal gang). It also normally installs one or more different "Campaign Modules" or third-party malware from other malware groups, which account for the large number of observable differences between infections.

More: http://blog.trendmicro.com/
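A mail-gateway check for the lure shape described in this post, added here as an example that is not Trend Micro's or the thread's own code: it builds a constructed message of the same shape (subject "Congratulations", a .zip whose single member is winner.exe, dummy bytes rather than any real program) and flags archives that carry an executable. The sender address and the attachment name details.zip are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that have no business arriving inside a "details" archive from a stranger.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

def build_sample_message(member="winner.exe", data=b"MZ placeholder, not a real program"):
    """Constructed lure shaped like the one in the alert: subject 'Congratulations',
    a .zip attachment whose single member is winner.exe (dummy bytes here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    msg = EmailMessage()
    msg["From"] = "Media Service <prize@example.invalid>"  # constructed sender
    msg["Subject"] = "Congratulations"
    msg.set_content("You won a Macbook Air. See the attached details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="details.zip")  # assumed attachment name
    return msg.as_bytes()

def executable_members(zip_bytes):
    """Names of archive members with an executable extension or a PE 'MZ' header."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = ("." + info.filename.rsplit(".", 1)[-1].lower()) if "." in info.filename else ""
            if ext in EXECUTABLE_EXTS or zf.open(info).read(2) == b"MZ":
                found.append(info.filename)
    return found

def scan_message(raw):
    """Return (quarantine, reasons) for a raw RFC 822 message held as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            bad = executable_members(part.get_payload(decode=True))
        except zipfile.BadZipFile:  # malformed archive: treat as suspicious, not as clean
            reasons.append(f"{name}: corrupt or truncated zip")
            continue
        if bad:
            reasons.append(f"{name}: executable inside archive: {', '.join(bad)}")
    if reasons and "congratulations" in str(msg["Subject"] or "").lower():
        reasons.append("prize-lure subject combined with an executable archive")
    return bool(reasons), reasons
```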

Troj/Skintrim-Z
by Marianna Schmudlach / November 25, 2009 2:06 AM PST

Troj/Scar-F
by Marianna Schmudlach / November 25, 2009 2:07 AM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Characteristics

* Installs itself in the registry

Troj/Scar-F is a Trojan for the Windows platform.

When first run, Troj/Scar-F copies itself to <System>\wgks.exe.

The file wgks.exe is registered as a new system driver service named "fsg", with a display name of "gdrg" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\fsg

http://www.sophos.com/security/analyses/viruses-and-spyware/trojscarf.html?_log_from=rss
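The registry footprint described in this post and in the W32/AutoRun-AVS post above can be checked offline against a .reg export. The script below is an added example, not code from Sophos or from the thread: it parses a constructed export that mirrors those entries and flags the Explorer lockdown policies, the System Restore setting, a winlogon.exe started from outside \system32, and an automatic-start service using the fsg/gdrg names. The sample drive letters and the service's ImagePath and Start values are assumptions the posts do not state.

```python
from collections import defaultdict
# Constructed sample of a .reg export (not from a real host), mirroring the entries the Sophos write-ups for W32/AutoRun-AVS and Troj/Scar-F describe.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Services"="C:\\Documents and Settings\\Administrator\\Application Data\\S85-28348346-HAT83-E3-62366-HASG-1732735\\winlogon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableConfig"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fsg]
"DisplayName"="gdrg"
"ImagePath"="C:\\WINDOWS\\system32\\wgks.exe"
"Start"=dword:00000002
"""

def parse_reg(text):
    """Parse .reg text into {key: {name: value}}; dword -> int, strings unescaped."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return dict(keys)

def find_indicators(keys):
    """Return findings for the lockdown policies, fake winlogon.exe and fsg service."""
    findings = []
    for key, values in keys.items():
        tail, lower = key.rsplit("\\", 1)[-1].lower(), key.lower()
        if tail == "explorer" and "\\policies\\" in lower:
            for pol in ("NoFolderOptions", "NoRun"):
                if values.get(pol) == 1:  # 1 = Folder Options / Run dialog hidden from the user
                    findings.append(f"shell lockdown policy {pol}=1")
        if tail == "systemrestore" and values.get("DisableConfig") == 1:
            findings.append("System Restore configuration disabled (DisableConfig=1)")
        if tail == "run":  # covers ...\Run and ...\Policies\Explorer\Run
            for name, image in values.items():  # the real winlogon.exe lives in \system32
                if (isinstance(image, str) and image.lower().endswith("\\winlogon.exe")
                        and "\\system32\\" not in image.lower()):
                    findings.append(f"Run entry '{name}' masquerades as winlogon.exe: {image}")
        if "\\services\\" in lower and values.get("Start") == 2 and (
                tail == "fsg" or values.get("DisplayName") == "gdrg"):  # Start 2 = automatic
            findings.append(f"auto-start service '{tail}' matches Troj/Scar-F: {values.get('ImagePath')}")
    return findings
```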

Troj/Mdrop-CIL
by Marianna Schmudlach / November 25, 2009 2:07 AM PST

Troj/Dloadr-CXB
by Marianna Schmudlach / November 25, 2009 2:08 AM PST
