VIRUS \ Spyware ALERTS - November 3, 2008

Nov 2, 2008 9:16AM PST

Troj/Arinj-A
Nov 2, 2008 9:17AM PST

Troj/Mdrop-BWN
Nov 2, 2008 1:40PM PST

Troj/Dwnldr-HJY
Nov 2, 2008 1:41PM PST

Troj/Dloadr-BXT
Nov 2, 2008 1:42PM PST

Troj/BHO-HN
Nov 2, 2008 1:43PM PST

Troj/Agent-ICU
Nov 2, 2008 1:44PM PST

JS/Dload-EB
Nov 2, 2008 1:45PM PST

W32/Autorun-NM
Nov 2, 2008 1:46PM PST

Troj/Rootkit-EB
Nov 2, 2008 1:47PM PST

Troj/Mdrop-BWO
Nov 2, 2008 1:48PM PST

Troj/Zlob-ALO
Nov 2, 2008 11:35PM PST

Troj/PWS-AVL
Nov 2, 2008 11:36PM PST

Troj/PWS-AVK
Nov 2, 2008 11:37PM PST

Troj/BHO-FY
Nov 2, 2008 11:38PM PST

Category Viruses and Spyware

Type Trojan

Troj/BHO-FY is a Trojan for the Windows platform.

Troj/BHO-FY has the functionalities to:
-download a file from preconfigured URL to <windows>Mischief<9 random characters>
-read data from <windows>Mischief<9 random characters>
-delete <windows>Mischief<9 random characters>

The following registry entries are created:
HKCU\Software\Microsoft\ppp\c
tm
180

HKCU\Software\Microsoft\ppp\c
u
<preconfigured URL>

HKCU\Software\Microsoft\ppp\c
k
url,field2,homepage,hp,internet,website,reg_home_page


http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhofy.html?_log_from=rss
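The three values under HKCU\Software\Microsoft\ppp\c listed above are the kind of host indicator a responder checks against an exported user hive. What follows is an added example, not code from Sophos or from this thread: a small parser for Windows `.reg` export text and a lookup that finds the `Software\Microsoft\ppp\c` key under HKEY_CURRENT_USER (live export) or HKEY_USERS\<SID> (another user's hive) and reports which of `tm`, `u` and `k` are present. The sample export, the SID and the `example.invalid` URL are constructed; the writeup does not state the value types, so the sample stores all three as strings.

```python
import re

# Key and value names quoted in the Sophos writeup above (HKCU\Software\Microsoft\ppp\c).
INDICATOR_KEY = r"Software\Microsoft\ppp\c"
INDICATOR_VALUES = {"tm", "u", "k"}


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: (type, data)}}.

    Handles the header line, ';' comments, string values ("name"="data"),
    dword values, the default value (@=...) and backslash-continued hex lines,
    which are joined before parsing and kept as raw text.
    """
    keys = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line == "REGEDIT4" \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):            # continuation of a hex value
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\").replace('\\"', '"'))
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        else:
            keys[current][name] = ("RAW", data)
    return keys


def find_bho_fy_indicators(keys):
    """Return one hit per matching key, with the indicator value names it contains."""
    hits = []
    for path, values in keys.items():
        hive, _, rest = path.partition("\\")
        if hive == "HKEY_USERS":            # HKEY_USERS\<SID>\Software\... in an offline export
            _, _, rest = rest.partition("\\")
        elif hive != "HKEY_CURRENT_USER":
            continue
        if rest.lower() != INDICATOR_KEY.lower():
            continue
        present = INDICATOR_VALUES & set(values)
        hits.append({
            "key": path,
            "values_present": sorted(present),
            "all_three": present == INDICATOR_VALUES,
            "download_url": values.get("u", (None, None))[1],   # the "u" value holds the URL
        })
    return hits


# Constructed sample export: the SID, the Run entry and the URL are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; constructed sample, not a real capture
[HKEY_CURRENT_USER\Software\Microsoft\ppp\c]
"tm"="180"
"u"="http://example.invalid/placeholder-url"
"k"="url,field2,homepage,hp,internet,website,reg_home_page"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"Enabled"=dword:00000001

[HKEY_USERS\S-1-5-21-0-0-0-1001\Software\Microsoft\ppp\c]
"tm"="180"
'''

if __name__ == "__main__":
    for hit in find_bho_fy_indicators(parse_reg_export(SAMPLE_REG)):
        print(hit)
```

A partial match (only `tm`, as in the second sample key) is reported but not flagged as a full match, so the analyst can distinguish a complete indicator set from a stray value with the same name.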

Troj/Agent-ICV
Nov 2, 2008 11:39PM PST

Troj/PWS-AVO
Nov 2, 2008 11:40PM PST

Troj/Agent-ICW
Nov 2, 2008 11:41PM PST

Avert Labs Low-Profiled Threat Notice: StealthMBR
Nov 3, 2008 12:45AM PST

Worm Exploiting MS08-067 in the Wild
Nov 3, 2008 12:46AM PST

Monday, November 3, 2008

Code building on the proof of concept binaries that were mentioned last week has moved into the wild.

We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi.

The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration.

The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.

http://www.f-secure.com/weblog/

We have received a report of a wild MS08-067 worm
Nov 3, 2008 1:01AM PST

MS08-067 - follow up and video
Nov 3, 2008 1:22AM PST

It is unusually quiet on the MS08-067 front, despite a number of stable and public exploits freely available.

As expected, experienced security researchers like Alexander Sotirov published a very good analysis of the vulnerability. So far we have seen a simple worm we generically detect as Mal/Generic-A and several samples of Troj/Gimmiv-A. Both worms exploit the vulnerability to spread, though they do not use it in the same way as worms like Blaster or Sasser, at the beginning of the decade.

The worms rely on a small set of hard-coded IP addresses to download additional modules or a copy of itself. From my somewhat limited analysis of the Troj/Gimmiv-A replication module it seems like the code responsible for local network propagation also exists and has a hard-coded IP address to retrieve a file using HTTP from a server on 192.168.0.0/16 network. It is quite possible that the self-replicating code was in the early stage of development when the malware was discovered in the wild. Once the servers were taken down the activity has decreased.

More: http://www.sophos.com/security/blog/2008/11/1923.html

UPDATE 1: The "Worm" appears to be spreading over local net
Nov 3, 2008 3:20AM PST

UPDATE 1: The "Worm" appears to be spreading over local network. Port 445.


Speaking from a Snort perspective, as pointed out in the VRT blog, not only does this worm trigger off of the new rules that Sourcefire has written for Snort for the newest 08-067 vulnerability, but this particular variant of the worm triggers an older rule that VRT wrote for 06-040. (Since this worm uses one of the milw0rm exploits). 1:7224.

I took a pcap that we received of the worm traffic on port 445 and ran it through Snort. The following rules alerted:

[1:7224:8] NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt

[3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt

[3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt

More: http://isc.sans.org/
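The three alerts quoted above are in Snort's "fast" alert line format. The following is an added example, not code from the ISC diary or from this thread: a parser for that line format and a per-source summary that separates the older MS06-040 signature (1:7224) from the two MS08-067 signatures (3:14817 and 3:14783) the post names, so an analyst can see which hosts talking to port 445 tripped both rule families, the pattern the post describes for this variant. The alert lines are constructed samples on documentation addresses; the revision numbers, classifications and the local rule 1:1000001 are assumptions.

```python
import re
from collections import defaultdict

# Signature ids named in the ISC post above: 1:7224 is the older MS06-040 rule,
# 3:14817 and 3:14783 are the MS08-067 rules.
MS06_040_SIGS = {(1, 7224)}
MS08_067_SIGS = {(3, 14817), (3, 14783)}

# Snort fast alert line:
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if the line is not an alert."""
    m = FAST_ALERT_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "gid": int(d["gid"]), "sid": int(d["sid"]), "rev": int(d["rev"]),
        "msg": d["msg"], "classification": d["cls"], "priority": int(d["pri"]),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
    }


def summarize_smb_alerts(lines, port=445):
    """Group alerts destined for the SMB port by source host and count hits per rule family.

    'both_families' marks a source that tripped the legacy MS06-040 rule as well as
    an MS08-067 rule, which is what the post reports for this worm variant.
    """
    per_src = defaultdict(lambda: {"ms06_040": 0, "ms08_067": 0, "other": 0, "targets": set()})
    for line in lines:
        a = parse_fast_alert(line)
        if a is None or a["dport"] != port:
            continue
        sig = (a["gid"], a["sid"])
        entry = per_src[a["src"]]
        if sig in MS06_040_SIGS:
            entry["ms06_040"] += 1
        elif sig in MS08_067_SIGS:
            entry["ms08_067"] += 1
        else:
            entry["other"] += 1
        entry["targets"].add(a["dst"])
    return {
        src: {
            "ms06_040": e["ms06_040"],
            "ms08_067": e["ms08_067"],
            "other": e["other"],
            "targets": sorted(e["targets"]),
            "both_families": e["ms06_040"] > 0 and e["ms08_067"] > 0,
        }
        for src, e in per_src.items()
    }


# Constructed sample alert lines (RFC 5737 addresses, not a real capture). The first three
# messages are the ones quoted in the post; 1:1000001 is a made-up local rule.
SAMPLE_ALERTS = [
    "11/03-03:20:01.000001  [**] [1:7224:8] NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:1045 -> 192.0.2.20:445",
    "11/03-03:20:01.000200  [**] [3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:1045 -> 192.0.2.20:445",
    "11/03-03:20:01.000300  [**] [3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:1046 -> 192.0.2.21:445",
    "11/03-03:20:05.000000  [**] [3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt [**] [Priority: 1] {TCP} 192.0.2.77:2001 -> 192.0.2.20:445",
    "11/03-03:20:06.000000  [**] [1:1000001:1] LOCAL constructed unrelated SMB rule [**] [Priority: 3] {TCP} 192.0.2.10:1050 -> 192.0.2.20:445",
    "11/03-03:20:07.000000  [**] [1:1000001:1] LOCAL constructed unrelated SMB rule [**] [Priority: 3] {TCP} 192.0.2.10:1051 -> 192.0.2.20:80",
    "this line is not an alert and is skipped",
]

if __name__ == "__main__":
    for src, entry in summarize_smb_alerts(SAMPLE_ALERTS).items():
        print(src, entry)
```

Alerts to ports other than 445 and lines that do not parse are dropped rather than counted, so a mixed alert file can be fed in as-is.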

Trojan steals access data for 300,000 bank accounts
Nov 3, 2008 12:59AM PST

3 November 2008

RSA FraudAction Research Lab reports that Sinowal, alias Torpig and Mebroot, currently the most devious banking trojan, has over the last six months succeeded in stealing the login data for more than one hundred thousand accounts. Among virus specialists, Sinowal is known as a highly developed trojan that intercepts credit-card data and FTP accounts, as well as information about bank accounts. During the past three years, using various versions of Sinowal, the authors of the trojan are reported to have succeeded in grabbing data relating to more than 300,000 different accounts and sending them to a database.

More: http://www.heise-online.co.uk/security/Trojan-steals-access-data-for-300-000-bank-accounts--/news/111858

Trojan.Reglirer
Nov 3, 2008 1:03AM PST

W32.Wecorl
Nov 3, 2008 1:04AM PST

W32.Wecorl!inf
Nov 3, 2008 1:05AM PST

W32.Kernelbot.A
Nov 3, 2008 1:06AM PST

Discovered: November 3, 2008
Updated: November 3, 2008 4:17:56 PM
Type: Worm

W32.Kernelbot.A is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It may also download files on to the compromised computer.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110315-4059-99

Troj/FakeAle-JJ
Nov 3, 2008 1:08AM PST

Troj/FakeAle-JI
Nov 3, 2008 1:09AM PST

Troj/Dwnldr-HKA
Nov 3, 2008 1:10AM PST