VIRUS \ Spyware ALERTS - November 7, 2008

Nov 6, 2008 2:10PM PST

Troj/PDFJs-B
Nov 7, 2008 6:16AM PST
Troj/FakeAle-JP
Nov 7, 2008 6:17AM PST
Troj/DNSChan-MN
Nov 7, 2008 6:18AM PST

Aliases DNSChanger.gen

Category Viruses and Spyware

Type Trojan

Troj/DNSChan-MN is a Trojan for the Windows platform.

When first run Troj/DNSChan-MN copies itself to <System>\kd<xxx>.exe

where <xxx> are random characters.

The following registry entry is changed to run kdvia.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
kd<xxx>.exe

The Trojan may change the computer settings for the default Domain Name Service servers so that all DNS requests are forwarded to a compromised host i.e. predefined host.

The following registry entries may be set:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer
<malicious_DNS_server_IP>

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<Interface_ID>
NameServer
<malicious_DNS_server_IP>

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<Interface_ID>
DhcpNameServer
<malicious_DNS_server_IP>

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdnschanmn.html?_log_from=rss

Troj/Agent-IEJ
Nov 7, 2008 6:19AM PST
Troj/Agent-IEI
Nov 7, 2008 6:20AM PST
Troj/Agent-IEH
Nov 7, 2008 6:21AM PST
Troj/Agent-IEG
Nov 7, 2008 6:22AM PST
Troj/Agent-IEF
Nov 7, 2008 6:23AM PST
Troj/Agent-IEE
Nov 7, 2008 6:24AM PST

Category Viruses and Spyware

Type Trojan

Troj/Agent-IEE is a Trojan for the Windows platform.

Troj/Agent-IEE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When Troj/Agent-IEE is installed the following files are created, both of which are also detected as Troj/Agent-IEE:

<Temp>\ixp000.tmp\burimis.exe
<Windows>\fxstaller.exe

The following registry entry is created to run fxstaller.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows UDP Control Center
fxstaller.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentiee.html?_log_from=rss

Spagent SoftProbe
Nov 7, 2008 6:25AM PST

Category Adware or PUA

Type System Monitor

Spagent SoftProbe is an application which can be used to monitor system activity.

When first installed Spagent SoftProbe copies itself to the following locations:

<System>\spsvc.exe
<Windows>\svcsp32.exe

Spagent SoftProbe creates the following registry entry to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
spsvc
<System>\spsvc.exe

http://www.sophos.com/security/analyses/adware-and-puas/spagentsoftprobe.html?_log_from=rss

Mal/DelpDldr-C
Nov 7, 2008 6:27AM PST

7 November 2008

Spammed banking malware masquerading as Symantec software
Earlier this morning, we noticed Portuguese spam messages attempting to dupe victims into downloading and installing a fake Symantec product. The spam messages were constructed using two images hosted on the popular imageshack.us site.

More: http://www.sophos.com/security/blog/2008/11/1947.html

The Code is dead. Long live the Code!
Nov 7, 2008 6:28AM PST

7 November 2008

Three years ago internet banking Trojans, along with their associated downloader Trojans, began to proliferate: samples started flooding in by the thousands. The poor way to deal with these would be to wait for them to come in then issue thousands of specific signatures. A much more effective approach was to search for definitive characteristics within early samples, identify the main families, and detect them pro-actively.

One of the easier downloader families to detect was Troj/SmDown-Fam. Shortly after some standard initialization code from their Borland Delphi compiler, these contained a distinctive decryption loop:

More: http://www.sophos.com/security/blog/2008/11/1490.html

Bloodhound.Exploit.213
Nov 7, 2008 6:31AM PST
Trojan.Pidief.D
Nov 7, 2008 6:32AM PST
Troj/Zbot-AS
Nov 7, 2008 6:36AM PST
Troj/Zbot-AT
Nov 7, 2008 6:37AM PST

Alert ID : FrSIRT/ALRT-2008-06871
Aliases : GenericPWS.y - Trojan-Spy.Win32.Zbot.crl - Win32/Spy.Agent.PZ
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07


Description

Troj/Zbot-AT is a Trojan for the Windows platform. When Troj/Zbot-AT is installed it creates the file <System>\ntos.exe.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzbotat.html

Credits

Reported by Sophos

Troj/Banker-EOC
Nov 7, 2008 6:38AM PST

Alert ID : FrSIRT/ALRT-2008-06874
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07


Description

Troj/Banker-EOC is a Trojan for the Windows platform that attempts to steal information about the infected computer. When Troj/Banker-EOC is installed, it creates the following files:

<Windows>svchost.exe, also detected as Troj/Banker-EOC
<System>\wowformf<random numbers>_<random numbers>.dll, also detected as Troj/Banker-EOC
<System>\syscheck3, clean data file

The file wowformf<random numbers>_<random numbers>.dll is installed as a service named "newpay" with a display name of "Remote TCP/IP" and a description of "Network TCP/IP", set to run automatically on startup.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbankereoc.html

Credits

Reported by Sophos

Troj/Dloadr-BYT
Nov 7, 2008 6:40AM PST
Troj/Psyme-KK
Nov 7, 2008 6:42AM PST
Troj/Psyme-KL
Nov 7, 2008 6:43AM PST
W32/Autorun-NR
Nov 7, 2008 6:44AM PST
Troj/Agent-IDY
Nov 7, 2008 6:46AM PST
Troj/Dloadr-BYS
Nov 7, 2008 6:47AM PST
Troj/FakeVir-HA
Nov 7, 2008 6:48AM PST
Troj/FakeVir-HB
Nov 7, 2008 6:49AM PST
Troj/OnlinG-Fam
Nov 7, 2008 6:49AM PST
Troj/VBDown-H
Nov 7, 2008 6:50AM PST

Alert ID : FrSIRT/ALRT-2008-06886
Aliases : Trojan.Win32.VB.gmp - Generic.dx
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07


Description

Troj/VBDown-H is a Trojan for the Windows platform. Troj/VBDown-H includes functionality to access the internet and communicate with a remote server via HTTP.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbdownh.html

Credits

Reported by Sophos

W32/Koobfa-Gen
Nov 7, 2008 9:12AM PST

Aliases Net-Worm.Win32.Koobface
W32/Koobface.worm virus
Worm:Win32/Koobface.A

Category Viruses and Spyware

Type Worm

W32/Koobfa-Gen is a family of worms for the Windows platform that target Facebook and may attempt to send messages to users on Facebook pointing to a copy of themselves.

When first run, members of W32/Koobfa-Gen often display an error message saying:

Error installing Codec. Please contact support.

Members of W32/Koobfa-Gen often create a clean .dat data file called in the Windows folder, for example <Windows>\fmark2.dat.

Members of W32/Koobfa-Gen may create registry entries similar to the following:

HKLM\SYSTEM\ControlSet001\Control\Session manager\PendingFileRenameOperations
<blank>
\??\<path to worm>\??\<path to another executable>

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
<blank>
\??\<path to worm>\??\<path to another executable>

http://www.sophos.com/security/analyses/viruses-and-spyware/w32koobfagen.html?_log_from=rss

W32/Auexject-A
Nov 7, 2008 9:13AM PST

Aliases HIDDENEXT/Worm.Gen
Trojan:Win32/Emold.gen!C

Category Viruses and Spyware

Type Worm

W32/Auexject-A is a worm for the Windows platform.

When first run W32/Auexject-A injects some of its code into Explorer.exe and copies itself to:
<Program Files>\Microsoft Common\wuauclt.exe

and creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger
<Program Files>\Microsoft Common\wuauclt.exe

W32/Auexject-A spreads by copying itself to removable drives.


http://www.sophos.com/security/analyses/viruses-and-spyware/w32auexjecta.html?_log_from=rss
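The write-ups in this thread share a small set of registry indicators: the Winlogon "System" value (Troj/DNSChan-MN), Run entries pointing at a bare file name (Troj/Agent-IEE, Spagent SoftProbe), an Image File Execution Options Debugger on explorer.exe (W32/Auexject-A), PendingFileRenameOperations pairs (W32/Koobfa-Gen) and resolver settings under Tcpip\Parameters (Troj/DNSChan-MN). The script below is an added example, not Sophos or CNET code: it parses a .reg export and reports those five indicators. The sample export, the file names in it, the interface GUID placeholder and the allowlisted resolver 10.0.0.1 are all constructed for illustration, not real indicators.

```python
"""Triage a Windows registry export (.reg text) for the persistence and
DNS-hijack indicators quoted in this thread.  Added example, not Sophos or
CNET code; the sample export below is constructed and its paths, file names
and IP addresses are placeholders, not real indicators."""
import re

# Constructed .reg export (the shape `reg export HKLM\... out.reg` produces),
# with the value names the write-ups above mention.  IPs are from
# documentation ranges; {AAAA-BBBB} stands in for a real interface GUID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"System"="kdabc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows UDP Control Center"="fxstaller.exe"
"spsvc"="C:\\Windows\\system32\\spsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,77,00,\
  2e,00,65,00,78,00,65,00,00,00,5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,78,00,\
  2e,00,65,00,78,00,65,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="192.0.2.53 192.0.2.54"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAA-BBBB}]
"NameServer"="10.0.0.1"
"""

# Assumption: the resolvers this network is expected to use.
ALLOWED_DNS = {"10.0.0.1"}


def decode_value(data):
    """Decode one .reg value payload: "string", dword:, or hex[(type)]:."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "7":  # REG_MULTI_SZ: UTF-16LE, NUL separated, double-NUL terminated
            items = raw.decode("utf-16-le").split("\0")
            while items and items[-1] == "":  # drop terminators, keep inner empties
                items.pop()
            return items
        return raw
    return data


def parse_reg(text):
    """Return {key path: {value name: decoded data}} from .reg export text."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):  # long hex data is wrapped with a trailing backslash
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    keys, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition('"=')
            keys[current][name[1:]] = decode_value(data)
    return keys


def triage(keys, allowed_dns=ALLOWED_DNS):
    """Return (category, where, detail) findings for the indicators in the thread."""
    findings = []
    for key, values in keys.items():
        low = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        # Winlogon "System" is normally empty; Troj/DNSChan-MN points it at kd<xxx>.exe.
        if low.endswith(r"\windows nt\currentversion\winlogon") and values.get("System"):
            findings.append(("winlogon_system", key, values["System"]))
        # A bare file name under Run (Troj/Agent-IEE's fxstaller.exe) is resolved via the search path.
        if leaf.lower() == "run":
            for name, data in values.items():
                if isinstance(data, str) and not re.match(r'^"?[A-Za-z]:\\', data):
                    findings.append(("run_bare_name", name, data))
        # An IFEO Debugger value runs the named binary instead of the process (W32/Auexject-A on explorer.exe).
        if r"\image file execution options" in low and "Debugger" in values:
            findings.append(("ifeo_debugger", leaf, values["Debugger"]))
        # PendingFileRenameOperations holds source/destination pairs applied at next boot
        # (W32/Koobfa-Gen); an empty destination means delete.
        if leaf.lower() == "session manager":
            ops = values.get("PendingFileRenameOperations", [])
            for src, dst in zip(ops[0::2], ops[1::2]):
                findings.append(("pending_rename", src, dst))
        # Resolver settings outside the expected set (Troj/DNSChan-MN's DNS redirection).
        if r"\services\tcpip\parameters" in low:
            for name in ("NameServer", "DhcpNameServer"):
                for ip in re.split(r"[ ,]+", values.get(name, "")):
                    if ip and ip not in allowed_dns:
                        findings.append(("dns_resolver", f"{leaf}\\{name}", ip))
    return findings


if __name__ == "__main__":
    for category, where, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{category:16} {where} -> {detail}")
```

To use it on a real machine, export the hives with `reg export HKLM hklm.reg` and read the file with `open(path, encoding="utf-16")`, since reg.exe writes "Version 5.00" exports as UTF-16LE with a BOM, then set ALLOWED_DNS to the resolvers your DHCP actually hands out. The Winlogon "System" value is the one most often overlooked in a manual review because it is blank on a clean system, so any non-empty value there is worth a look.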

Troj/BHO-HU
Nov 7, 2008 9:14AM PST