VIRUS \ Spyware ALERTS - November 5, 2008

Nov 4, 2008 1:50PM PST

Troj/Dloadr-BYJ
Nov 5, 2008 5:05AM PST

Troj/FakeVir-GY
Nov 5, 2008 5:06AM PST

Troj/PWS-AVS
Nov 5, 2008 5:06AM PST

Troj/Startp-BN
Nov 5, 2008 5:07AM PST

Troj/Zlob-AQM
Nov 5, 2008 5:11AM PST

Troj/Zlob-AQL
Nov 5, 2008 5:12AM PST

Aliases: Win32/TrojanDownloader.Zlob.CUH, Puper trojan

Category: Viruses and Spyware

Type: Trojan

Troj/Zlob-AQL is a Trojan for the Windows platform.

Troj/Zlob-AQL includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Zlob-AQL is installed it creates the file <Current Folder>\wcm.exe. This file is also detected as Troj/Zlob-AQL.

The following registry entry is created to run Troj/Zlob-AQL on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
smile
<pathname of the Trojan executable>

Registry entries are created under:

HKCU\Software\Applications

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzlobaql.html?_log_from=rss

Troj/PWS-AVU
Nov 5, 2008 5:13AM PST

Troj/Kango-F
Nov 5, 2008 5:14AM PST

Category: Viruses and Spyware

Type: Trojan

Troj/Kango-F is a Trojan for the Windows platform.

When first run Troj/Kango-F copies itself to <System>\Setupw.exe and creates the file <System>\494596162.dat.

The file Setupw.exe is registered as a new system driver service named "WZCSVCRpcLocator", with a display name of "Wireless Zero Configuration WZCSVCRpcLocator" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCRpcLocator

http://www.sophos.com/security/analyses/viruses-and-spyware/trojkangof.html?_log_from=rss

Troj/FakeAle-JN
Nov 5, 2008 5:15AM PST

Troj/Agent-IDP
Nov 5, 2008 5:16AM PST

Troj/Agent-IDO
Nov 5, 2008 5:17AM PST

Troj/Agent-IDN
Nov 5, 2008 5:18AM PST

Troj/Agent-IDM
Nov 5, 2008 5:19AM PST

PHP/C99Shell-B
Nov 5, 2008 5:20AM PST

W32/Jolly-A
Nov 5, 2008 7:49AM PST

W32/Autorun-NQ
Nov 5, 2008 7:50AM PST

Troj/Zlob-AQN
Nov 5, 2008 7:51AM PST

Troj/WPHack-A
Nov 5, 2008 7:52AM PST

Troj/FakeVir-GZ
Nov 5, 2008 7:53AM PST

Troj/Dloadr-BYL
Nov 5, 2008 7:54AM PST

Troj/Dloadr-BYK
Nov 5, 2008 7:55AM PST

Troj/Agent-IDQ
Nov 5, 2008 7:56AM PST

Mal/ObfJS-BL
Nov 5, 2008 7:57AM PST

Sus/ObfJS-BL
Nov 5, 2008 7:58AM PST

Avert Labs Low-Profiled Threat Notice: Generic PWS.y!6F93935
Nov 5, 2008 10:00AM PST

Notice
This is a Low-Profiled Threat Notice for Generic PWS.y!6F939359

Justification
Generic PWS.y!6F939359 has been deemed Low-Profiled due to media attention at http://voices.washingtonpost.com/securityfix/2008/11/malware_piggybacks_on_obama_wi.html.

Generic PWS.y!6F939359 is referred to as "adobe_flash9.exe" in the voices.washingtonpost.com article.

Read About It
Information about Generic PWS.y!6F939359 is located on VIL at: http://vil.nai.com/vil/content/v_153274.htm

Detection
Generic PWS.y!6F939359 was first discovered on November 5, 2008 and detection will be added to the 5426 dat files (Release Date: November 06, 2008).