Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

VIRUS \ Spyware ALERTS - November 3, 2008

by Marianna Schmudlach Nov 2, 2008 9:16AM PST

Discussion is locked

1 - 30 of 63 Posts
- Collapse + Expand Details
- Collapse -
Troj/Arinj-A
by Marianna Schmudlach Nov 2, 2008 9:17AM PST
- Collapse -
Troj/Mdrop-BWN
by Marianna Schmudlach Nov 2, 2008 1:40PM PST
- Collapse -
Troj/Dwnldr-HJY
by Marianna Schmudlach Nov 2, 2008 1:41PM PST
- Collapse -
Troj/Dloadr-BXT
by Marianna Schmudlach Nov 2, 2008 1:42PM PST
- Collapse -
Troj/BHO-HN
by Marianna Schmudlach Nov 2, 2008 1:43PM PST
- Collapse -
Troj/Agent-ICU
by Marianna Schmudlach Nov 2, 2008 1:44PM PST
- Collapse -
JS/Dload-EB
by Marianna Schmudlach Nov 2, 2008 1:45PM PST
- Collapse -
W32/Autorun-NM
by Marianna Schmudlach Nov 2, 2008 1:46PM PST
- Collapse -
Troj/Rootkit-EB
by Marianna Schmudlach Nov 2, 2008 1:47PM PST
- Collapse -
Troj/Mdrop-BWO
by Marianna Schmudlach Nov 2, 2008 1:48PM PST
- Collapse -
Troj/Zlob-ALO
by Marianna Schmudlach Nov 2, 2008 11:35PM PST
- Collapse -
Troj/PWS-AVL
by Marianna Schmudlach Nov 2, 2008 11:36PM PST
- Collapse -
Troj/PWS-AVK
by Marianna Schmudlach Nov 2, 2008 11:37PM PST
- Collapse -
Troj/BHO-FY
by Marianna Schmudlach Nov 2, 2008 11:38PM PST

Category Viruses and Spyware

Type Trojan

Troj/BHO-FY is a Trojan for the Windows platform.

Troj/BHO-FY has the functionalities to:
-download a file from preconfigured URL to <windows&gtMischief<9 random characters>
-read data from <windows&gtMischief<9 random characters>
-delete <windows&gtMischief<9 random characters>

The following registry entry is created:
HKCU\Software\Microsoft\ppp\c
tm
180

HKCU\Software\Microsoft\ppp\c
u
<preconfigured URL>

HKCU\Software\Microsoft\ppp\c
k
url,field2,homepage,hp,internet,website,reg_home_page


http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhofy.html?_log_from=rss

- Collapse -
Troj/Agent-ICV
by Marianna Schmudlach Nov 2, 2008 11:39PM PST
- Collapse -
Troj/PWS-AVO
by Marianna Schmudlach Nov 2, 2008 11:40PM PST
- Collapse -
Troj/Agent-ICW
by Marianna Schmudlach Nov 2, 2008 11:41PM PST
- Collapse -
Avert Labs Low-Profiled Threat Notice: StealthMBR
by Marianna Schmudlach Nov 3, 2008 12:45AM PST
- Collapse -
Worm Exploiting MS08-067 in the Wild
by Marianna Schmudlach Nov 3, 2008 12:46AM PST

Monday, November 3, 2008

Code building on the proof of concept binaries that were mentioned last week has moved into the wild.

We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi.

The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration.

The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.

http://www.f-secure.com/weblog/

- Collapse -
We have received a report of a wild MS08-067 worm
by Marianna Schmudlach Nov 3, 2008 1:01AM PST
- Collapse -
MS08-067 - follow up and video
by Marianna Schmudlach Nov 3, 2008 1:22AM PST

It is unusually quiet on the MS08-067 front, despite a number of stable and public exploits freely available.

As expected, experienced security researchers like Alexander Sotirov published a very good analysis of the vulnerability. So far we have seen a simple worm we generically detect as Mal/Generic-A and several samples of Troj/Gimmiv-A. Both worms exploit the vulnerability to spread, though they do not use it in the same way as worms like Blaster or Sasser, at the beginning of the decade.

The worms rely on a small set of hard-coded IP addresses to download additional modules or a copy of itself. From my somewhat limited analysis of the Troj/Gimmiv-A replication module it seems like the code responsible for local network propagation also exists and has a hard-coded IP address to retrieve a file using HTTP from a server on 192.168.0.0/16 network. It is quite possible that the self-replicating code was in the early stage of development when the malware was discovered in the wild. Once the servers were taken down the activity has decreased.

More: http://www.sophos.com/security/blog/2008/11/1923.html

- Collapse -
UPDATE 1: The "Worm" appears to be spreading over local net
by Marianna Schmudlach Nov 3, 2008 3:20AM PST

UPDATE 1: The "Worm" appears to be spreading over local network. Port 445.


Speaking from a Snort perspective, as pointed out in the VRT blog, not only does this worm trigger off of the new rules that Sourcefire has written for Snort for the newest 08-067 vulnerability, but this particular variant of the worm triggers an older rule that VRT wrote for 06-040. (Since this worm uses one of the milw0rm exploits). 1:7224.

I took a pcap that we received of the worm traffic on port 445 ran it through Snort. The following rules alerted:

[1:7224:Cool NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt

[3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt

[3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt

More: http://isc.sans.org/

- Collapse -
Trojan steals access data for 300,000 bank accounts
by Marianna Schmudlach Nov 3, 2008 12:59AM PST

3 November 2008

RSA FraudAction Research Lab reports that Sinowal, alias Torpig and Mebroot, currently the most devious banking trojan, has over the last six months succeeded in stealing the login data for more than one hundred thousand accounts. Among virus specialists, Sinowal is known as a highly developed trojan that intercepts credit-card data and FTP accounts, as well as information about bank accounts. During the past three years, using various versions of Sinowal, the authors of the trojan are reported to have succeeded in grabbing data relating to more than 300,000 different accounts and sending them to a database.

More: http://www.heise-online.co.uk/security/Trojan-steals-access-data-for-300-000-bank-accounts--/news/111858

- Collapse -
Trojan.Reglirer
by Marianna Schmudlach Nov 3, 2008 1:03AM PST
- Collapse -
W32.Wecorl
by Marianna Schmudlach Nov 3, 2008 1:04AM PST
- Collapse -
W32.Wecorl!inf
by Marianna Schmudlach Nov 3, 2008 1:05AM PST
- Collapse -
W32.Kernelbot.A
by Marianna Schmudlach Nov 3, 2008 1:06AM PST

Discovered: November 3, 2008
Updated: November 3, 2008 4:17:56 PM
Type: Worm

W32.Kernelbot.A is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It may also download files on to the compromised computer.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110315-4059-99

- Collapse -
Troj/FakeAle-JJ
by Marianna Schmudlach Nov 3, 2008 1:08AM PST
- Collapse -
Troj/FakeAle-JI
by Marianna Schmudlach Nov 3, 2008 1:09AM PST
- Collapse -
Troj/Dwnldr-HKA
by Marianna Schmudlach Nov 3, 2008 1:10AM PST
Back to Spyware, Viruses, & Security forum

CNET Forums

Operating Systems
Software
Electronics & Gadgets
Hardware
Tablets & Mobile Devices
General Help
Brand Forums
Roadshow Autos
Off Topic

Other Forums

Forum Info