 | Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years. Thanks, CNET Support |
Troj/BHO-HT
Category Viruses and Spyware
Type Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhoht.html?_log_from=rss
Discussion is locked
Category Viruses and Spyware
Type Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojpdfjsb.html?_log_from=rss
Category Viruses and Spyware
Type Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealejp.html?_log_from=rss
Aliases DNSChanger.gen
Category Viruses and Spyware
Type Trojan
Troj/DNSChan-MN is a Trojan for the Windows platform.
When first run Troj/DNSChan-MN copies itself to <System>\kd<xxx>.exe
where <xxx> are random characters.
The following registry entry is changed to run kdvia.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
kd<xxx>.exe
The Trojan may change the computer settings for the default Domain Name Service servers so that all DNS requests are forwarded to a compromised host i.e. predefined host.
The following registry entries may be set:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer
<malicious_DNS_server_IP>
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<Interface_ID>
NameServer
<malicious_DNS_server_IP>
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<Interface_ID>
DhcpNameServer
<malicious_DNS_server_IP>
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdnschanmn.html?_log_from=rss
Aliases Trojan:Win32/Emold.gen!C
Category Viruses and Spyware
Type Trojan
Affected operating systems Windows
Characteristics Installs itself in the registry
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentiej.html?_log_from=rss
Category Viruses and Spyware
Type Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentiei.html?_log_from=rss
Category Viruses and Spyware
Type Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentieh.html?_log_from=rss
Category Viruses and Spyware
Type Trojan
When first run, Troj/Agent-IEG creates the following registry entry to start itself when Windows starts:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
GetModule27
<Path to executable>
Troj/Agent-IEG silently connects to the internet, and may have keylogging functionality.
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentieg.html?_log_from=rss
Category Viruses and Spyware
Type Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentief.html?_log_from=rss
Category Viruses and Spyware
Type Trojan
Troj/Agent-IEE is a Trojan for the Windows platform.
Troj/Agent-IEE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When Troj/Agent-IEE is installed the following files are created, both of which are also detected as Troj/Agent-IEE:
<Temp>\ixp000.tmp\burimis.exe
<Windows>\fxstaller.exe
The following registry entry is created to run fxstaller.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows UDP Control Center
fxstaller.exe
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentiee.html?_log_from=rss
Category Adware or PUA
Type System Monitor
Spagent SoftProbe is an application which can be used to monitor system activity.
When first installed Spagent SoftProbe copies itself to the following locations:
<System>\spsvc.exe
<Windows>\svcsp32.exe
Spagent SoftProbe creates the following registry entry to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
spsvc
<System>\spsvc.exe
http://www.sophos.com/security/analyses/adware-and-puas/spagentsoftprobe.html?_log_from=rss
7 November 2008
Spammed banking malware masquerading as Symantec software
Earlier this morning, we noticed Portuguese spam messages attempting to dupe victims into downloading and installing a fake Symantec product. The spam messages were constructed using two images hosted on the popular imageshack.us site.
More: http://www.sophos.com/security/blog/2008/11/1947.html
7 November 2008
Three years ago internet banking Trojans, along with their associated downloader Trojans, began to proliferate: samples started flooding in by the thousands. The poor way to deal with these would be to wait for them to come in then issue thousands of specific signatures. A much more effective approach was to search for definitive characteristics within early samples, identify the main families, and detect them pro-actively.
One of the easier downloader families to detect was Troj/SmDown-Fam. Shortly after some standard initialization code from their Borland Delphi compiler, these contained a distinctive decryption loop:
More: http://www.sophos.com/security/blog/2008/11/1490.html
Discovered: November 7, 2008
Updated: November 7, 2008 7:26:50 PM
Type: Trojan, Virus
Bloodhound.Exploit.213 is a heuristic detection for files attempting to exploit the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID 30035).
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110718-2219-99
Discovered: November 7, 2008
Updated: November 7, 2008 9:54:10 PM
Type: Trojan
Trojan.Pidief.D is a Trojan horse that exploits the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID 30035) to download and execute files from the Internet.
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110718-5133-99
Alert ID : FrSIRT/ALRT-2008-06870
Aliases : Trojan-Spy.Win32.Zbot.cyn
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Troj/Zbot-AS is a Trojan for the Windows platform. When Troj/Zbot-AS is installed it creates the file <System>\ntos.exe.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojzbotas.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06871
Aliases : GenericPWS.y - Trojan-Spy.Win32.Zbot.crl - Win32/Spy.Agent.PZ
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Troj/Zbot-AT is a Trojan for the Windows platform. When Troj/Zbot-AT is installed it creates the file <System>\ntos.exe.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojzbotat.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06874
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Troj/Banker-EOC is a Trojan for the Windows platform that attempts to steal information about the infected computer. When Troj/Banker-EOC is installed, it creates the following files: <Windows>svchost.exe, also detected as Troj/Banker-EOC <System>\wowformf<random numbers>_<random numbers>.dll, also detected as Troj/Banker-EOC <System>\syscheck3, clean data file The file wowformf<random numbers>_<random numbers>.dll is installed as a service named "newpay" with a display name of "Remote TCP/IP" and a description of "Network TCP/IP", set to run automatically on startup.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojbankereoc.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06875
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Technical details and description are not available at this time.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbyt.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06878
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Troj/Psyme-KK is a Trojan that attempts to download and execute a file from a remote website, currently detected as Mal/Behav-009.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojpsymekk.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06879
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Troj/Psyme-KL is a Trojan for the Windows platform that attempts to download and execute a remote file, currently detected as Mal/Behav-009.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojpsymekl.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06880
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
W32/Autorun-NR is a worm for the Windows platform. W32/Autorun-NR copies itself to the system folder and creates a service called "Windows_rejoice2007_813".
References
http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunnr.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06881
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Technical details and description are not available at this time.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentidy.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06882
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Technical details and description are not available at this time.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbys.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06883
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Technical details and description are not available at this time.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirha.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06884
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Technical details and description are not available at this time.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirhb.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06885
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Technical details and description are not available at this time.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojonlingfam.html
Credits
Reported by Sophos
Alert ID : FrSIRT/ALRT-2008-06886
Aliases : Trojan.Win32.VB.gmp - Generic.dx
Size : N/A
Rated as : Low Risk
Release Date : 2008-11-07
Description
Troj/VBDown-H is a Trojan for the Windows platform. Troj/VBDown-H includes functionality to access the internet and communicate with a remote server via HTTP.
References
http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbdownh.html
Credits
Reported by Sophos
Aliases Net-Worm.Win32.Koobface
W32/Koobface.worm virus
Worm:Win32/Koobface.A
Category Viruses and Spyware
Type Worm
W32/Koobfa-Gen is a family of worms for the Windows platform that target Facebook and may attempt to send messages to users on Facebook pointing to a copy of themselves.
When first run, members of W32/Koobfa-Gen often display an error message saying:
Error installing Codec. Please contact support.
Members of W32/Koobfa-Gen often create a clean .dat data file called in the Windows folder, for example <Windows>\fmark2.dat.
Members of W32/Koobfa-Gen may create registry entries similar to the folowing:
HKLM\SYSTEM\ControlSet001\Control\Session manager\PendingFileRenameOperations
<blank>
\??\<path to worm>\??\<path to another executable>
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
<blank>
\??\<path to worm>\??\<path to another executable>
http://www.sophos.com/security/analyses/viruses-and-spyware/w32koobfagen.html?_log_from=rss
Aliases HIDDENEXT/Worm.Gen
Trojan:Win32/Emold.gen!C
Category Viruses and Spyware
Type Worm
W32/Auexject-A is a worm for the Windows platform.
When first run W32/Auexject-A injects some of it's code into Explorer.exe and copies itself to:
<Program Files>\Microsoft Common\wuauclt.exe
and creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger
<Program Files>\Microsoft Common\wuauclt.exe
W32/Auexject-A spreads by copying itself to removable drives.
http://www.sophos.com/security/analyses/viruses-and-spyware/w32auexjecta.html?_log_from=rss
Category Viruses and Spyware
Type Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhohu.html?_log_from=rss
Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic