Spyware, Viruses, & Security forum

VIRUS \ SPYWARE ALERTS - November 4, 2009

by Marianna Schmudlach / November 4, 2009 12:16 AM PST
Troj/FakeAV-AHA
by Marianna Schmudlach / November 4, 2009 12:17 AM PST
Troj/FakeAV-AGY
by Marianna Schmudlach / November 4, 2009 12:18 AM PST
Troj/FakeAl-Q
by Marianna Schmudlach / November 4, 2009 12:19 AM PST
Troj/Buzus-BN
by Marianna Schmudlach / November 4, 2009 12:19 AM PST
Troj/Buzus-BM
by Marianna Schmudlach / November 4, 2009 12:20 AM PST
Troj/Bdoor-AYD
by Marianna Schmudlach / November 4, 2009 12:21 AM PST
Troj/Agent-LRL
by Marianna Schmudlach / November 4, 2009 12:22 AM PST
Troj/Agent-LRE
by Marianna Schmudlach / November 4, 2009 12:22 AM PST
Mal/Krap-A
by Marianna Schmudlach / November 4, 2009 12:23 AM PST
W32/Vago-A
by Marianna Schmudlach / November 4, 2009 12:24 AM PST

Aliases

* BAT/Agent.eej

Category

* Viruses and Spyware

Type

* Worm


How it spreads

* Removable storage devices
* Network shares

Affected operating systems: Windows

W32/Vago-A is a worm for the Windows platform.

W32/Vago-A attempts to copy files with filenames that match "gova*" and "auto*.inf" from the same folder as itself to the <Temp>\win\ folder, and also to a number of mapped network drives and devices.

W32/Vago-A attempts to delete all files in the <Temp>\tampa\ folder, as well as files on mapped drives with filenames that match "myeclass.*".

W32/Vago-A may attempt to run the files paygova.vbs, paygova.bat and gova.vbs.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32vagoa.html?_log_from=rss

W32/SillyFDC-EF
by Marianna Schmudlach / November 4, 2009 12:25 AM PST
W32/Autorun-AUD
by Marianna Schmudlach / November 4, 2009 12:26 AM PST
Troj/Mdrop-CHM
by Marianna Schmudlach / November 4, 2009 12:27 AM PST
Troj/Bancos-BGJ
by Marianna Schmudlach / November 4, 2009 12:28 AM PST
Troj/Agent-LRB
by Marianna Schmudlach / November 4, 2009 12:29 AM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Characteristics

* Installs itself in the registry


Troj/Agent-LRB is a Trojan for the Windows platform.

Troj/Agent-LRB creates the following files in logical drives found on the infected computer.

<Recycled>\sysdrv.exe - Copy of itself.

The following registry entry is changed to run Troj/Agent-LRB on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman
<Recycled>\sysdrv.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlrb.html?_log_from=rss

Troj/Agent-LRA
by Marianna Schmudlach / November 4, 2009 12:29 AM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Troj/Agent-LRA is a Trojan for the Windows platform.

Troj/Agent-LRA includes functionality to:

- run automatically
- steal confidential information
- access the internet and communicate with a remote server via HTTP

When Troj/Agent-LRA is installed it creates the file <Windows>\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job.

Registry entries are created under:

HKCU\Software\PopRock
HKCU\Software

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlra.html?_log_from=rss

Troj/Agent-LQV
by Marianna Schmudlach / November 4, 2009 12:30 AM PST
Mal/Swizzor-G
by Marianna Schmudlach / November 4, 2009 12:31 AM PST
Super Silent Manager Installer
by Marianna Schmudlach / November 4, 2009 12:33 AM PST
Super Silent Manager
by Marianna Schmudlach / November 4, 2009 12:34 AM PST
Starbar Searchbar
by Marianna Schmudlach / November 4, 2009 12:34 AM PST
W32.Akannuna
by Marianna Schmudlach / November 4, 2009 12:36 AM PST

Discovered: November 4, 2009
Updated: November 4, 2009 12:41:16 PM
Type: Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Akannuna is a virus that infects .exe files.

Symantec Security Response is currently investigating this threat and will post more information as it becomes available.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-110412-1415-99

Opachki.a
by Marianna Schmudlach / November 4, 2009 12:38 AM PST

Type
Trojan
SubType
Trojan

Overview -

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics -

-- Update November 4, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://isc.sans.org/diary.html?storyid=7519

--

Upon execution, this trojan drops a dll component detected as Opachki.a at the following location:

* %UserProfile%\ntuser.dll
* %UserProfile%\local settings\temp\rundll32.dll
* %UserProfile%\Start Menu\Programs\Startup\scandisk.dll
* %UserProfile%\start menu\programs\startup\scandisk.lnk
* %SystemDir%\calc.dll

(Where %UserProfile% is the Windows user profile folder, e.g. C:\Documents and Settings\USER, %SystemDir% is the Windows system folder, e.g. C:\Windows\System32)

It also creates the following registry entries to automatically execute at startup

More: http://vil.nai.com/vil/content/v_240488.htm

Whitewell
by Marianna Schmudlach / November 4, 2009 12:39 AM PST

Type
Trojan
SubType
Remote Access
Discovery Date
11/04/2009

Overview -

This description is for a backdoor trojan, which when executed provides an attacker with unauthorized remote access to the compromised machine.

The characteristics of this Trojan with regards to the file names, port number used, etc. will differ, depending on the way in which the attacker had configured it. Hence, this is a general description.
Aliases

* Mal/Emogen-Y [Sophos]

* Trojan.Whitewell [Symantec]

* Trojan.Win32.Scar.agqx [Kaspersky]

Characteristics -

-- Update November 4, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2009/11/03/trojan_cnc_pokes_facebook/

More: http://vil.nai.com/vil/content/v_240489.htm

BKDR_CLICKER.EYE
by Marianna Schmudlach / November 4, 2009 12:40 AM PST

Malware type: Backdoor

Aliases: No Alias Found

In the wild: Yes

Description:

This backdoor has received attention from independent media sources and/or other security firms.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Threat Diagram shown below.

Malware Overview

This backdoor application may be downloaded from remote sites by other malware. It may arrive bundled with malware packages as a malware component.

This backdoor application connects to a certain URL to download its component file also detected by Trend Micro as BKDR_CLICKER.EYE. It then saves the downloaded file.

This backdoor application is injected into several running processes found on the affected system to remain memory resident.

It opens a hidden Internet Explorer window. It connects to a certain Web site to send and receive information.

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_CLICKER.EYE

TROJ_FAKEAV.TUL
by Marianna Schmudlach / November 4, 2009 12:41 AM PST

Malware type: Trojan

Aliases: No Alias Found

In the wild: Yes

Description:

This Trojan has received attention from independent media sources and/or other security firms.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Threat Diagram shown below.


Malware Overview

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

This Trojan drops a file/component. This Trojan registers itself as a system service to ensure its automatic execution at every system startup.

It displays a Graphical User Interface (GUI). It eventually displays a form asking for the user's personal information.

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEAV.TUL

Troj/Zbot-KB
by Marianna Schmudlach / November 4, 2009 1:43 AM PST

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems: Windows

Characteristics

* Installs itself in the registry


Troj/Zbot-KB is a Trojan for the Windows platform.

When Troj/Zbot-KB is installed the following files are created:

<System>\bootlist32.exe
<System>\zad32and\boot.pop
<System>\zad32and\codec.dll

The following registry entry is changed to run bootlist32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- C:\WINDOWS\system32\userinit.exe,
+ C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\bootlist32.exe,

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzbotkb.html?_log_from=rss
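
A defensive check covering the two Winlogon modifications described in the Troj/Agent-LRB and Troj/Zbot-KB posts above (an added example, not code from the forum or from Sophos). It assumes the Winlogon values have already been read from the registry, for instance with Python's winreg module, and runs here on constructed sample values so it works offline.

```python
from typing import Dict, List, Optional
import ntpath

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_userinit(value: str) -> List[str]:
    """Userinit holds a comma-separated program list; a trailing comma is normal."""
    return [part.strip() for part in value.split(",") if part.strip()]


def audit_userinit(value: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe in System32.

    Case-insensitive, since the Zbot-KB write-up shows both 'system32' and 'System32'.
    """
    extras = []
    for entry in split_userinit(value):
        name = ntpath.basename(entry).lower()
        folder = ntpath.dirname(entry).lower()
        if name == "userinit.exe" and folder.endswith(r"\system32"):
            continue
        extras.append(entry)
    return extras


def audit_winlogon(values: Dict[str, Optional[str]]) -> List[str]:
    """Audit a mapping of Winlogon value names to their data (None when absent)."""
    findings = []
    for extra in audit_userinit(values.get("Userinit") or ""):
        findings.append(f"Userinit launches an extra program: {extra}")
    taskman = values.get("Taskman")
    # Assumption: Taskman is not set on a default installation, so any data is
    # worth a look; Troj/Agent-LRB points it at <Recycled>\sysdrv.exe.
    if taskman:
        findings.append(f"Taskman is set: {taskman}")
    return findings


# Constructed sample values mirroring the write-ups above (not captured from a host).
CLEAN = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Taskman": None}
ZBOT_KB = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\bootlist32.exe,",
           "Taskman": None}
AGENT_LRB = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,",
             "Taskman": r"C:\RECYCLED\sysdrv.exe"}

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("Zbot-KB", ZBOT_KB), ("Agent-LRB", AGENT_LRB)):
        print(label, audit_winlogon(sample) or ["no findings"])
```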

Troj/PDFJs-EN
by Marianna Schmudlach / November 4, 2009 1:44 AM PST
Troj/PDFJs-EI
by Marianna Schmudlach / November 4, 2009 1:44 AM PST
Troj/DogBot-Gen
by Marianna Schmudlach / November 4, 2009 1:45 AM PST
Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?