
VIRUS \ Spyware ALERTS - October 11, 2008

Oct 11, 2008 1:30AM PDT

W32/AutoRun-LI


Category Viruses and Spyware

Type Worm


W32/AutoRun-LI is a worm for the Windows platform.

When W32/AutoRun-LI is installed the following files are created:

<User>\Application Data\autorun.inf

The file autorun.inf is detected as W32/AutoRun-ER.

W32/AutoRun-LI changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\


http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunli.html?_log_from=rss

W32/AutoRun-LH
Oct 11, 2008 1:31AM PDT

Category Viruses and Spyware

Type Worm

W32/AutoRun-LH is a worm for the Windows platform.

When first run W32/AutoRun-LH copies itself to:

<Root>\rejoice46.exe
<System>\_rejoice46.exe
<System>\rejoice46.exe

and creates the following files:

<Root>\AutoRun.inf - detected as W32/AutoRun-LH
<System>\SgotoDel.bat - can be safely removed

The file rejoice46.exe is registered as a new system driver service named "Windows_rejoice46", with a display name of "Windows_rejoice46" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows_rejoice46


http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunlh.html?_log_from=rss

Troj/Agent-HTL
Oct 11, 2008 1:32AM PDT
Troj/PWS-AUF
Oct 11, 2008 5:18AM PDT

Aliases Trojan:Win32/Helpud.A
Trojan-PSW.Win32.OnLineGames.ajlf
PWS-OnlineGames.y.dll trojan

Category Viruses and Spyware

Type Trojan

Troj/PWS-AUF is a password stealing Trojan for the Windows platform.

When Troj/PWS-AUF is installed the following files are created:

<Windows>\Help\<variable>.dll
<Windows>\Help\<variable>.exe

where <variable> is a filename consisting of upper-case letters and digits. Both files have the hidden and system attributes set.

The file <variable>.dll is registered as a COM object and shell extension, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKCR\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsauf.html?_log_from=rss

Troj/Poison-AG
Oct 11, 2008 5:19AM PDT

Aliases Backdoor.Win32.Agent.mrv
BDS/Poison.CPD
Backdoor:Win32/Poisonivy.E

Category Viruses and Spyware

Type Trojan

Troj/Poison-AG is an IRC backdoor Trojan for the Windows platform.

When Troj/Poison-AG is installed the following files are created:

<Temp>\tm32.dll
<Temp>\tm32.exe
<Windows>\t.bat
<System>\x32.exe

The following registry entries are created to run tm32.exe and x32.exe on startup:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpoisonag.html?_log_from=rss

Troj/Gamania-CJ
Oct 11, 2008 5:20AM PDT

Aliases PWS:Win32/Gamania.gen!B

Category Viruses and Spyware

Type Trojan

Troj/Gamania-CJ is a password stealing Trojan for the Windows platform.

When Troj/Gamania-CJ is installed the following files are created:

<Windows>\Debug\<VARIABLE>.DLL
<Windows>\Debug\<VARIABLE>.EXE
<Temp>\<variable>.vmp.exe

where <variable> is a string of randomly generated lower-case characters and digits and <VARIABLE> is a string of randomly generated upper-case characters and digits.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojgamaniacj.html?_log_from=rss

Troj/FakeAV-EP
Oct 11, 2008 5:21AM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeAV-EP is a fraudulent application that poses as anti-virus software. Infections will always be reported by Troj/FakeAV-EP even when none exist, and the user is asked to pay money to remove them.

Troj/FakeAV-EP cannot remove any genuine malware.

When first run Troj/FakeAV-EP downloads additional components from the internet.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavep.html?_log_from=rss

Troj/Dwnldr-HIY
Oct 11, 2008 5:22AM PDT
Troj/PWS-AUF
Oct 11, 2008 10:06AM PDT

Aliases Trojan:Win32/Helpud.A
Trojan-PSW.Win32.OnLineGames.ajlf
PWS-OnlineGames.y.dll trojan

Category Viruses and Spyware

Type Trojan

Troj/PWS-AUF is a password stealing Trojan for the Windows platform.

When Troj/PWS-AUF is installed the following files are created:

<Windows>\Help\<variable>.dll
<Windows>\Help\<variable>.exe

where <variable> is a filename consisting of upper-case letters and digits. Both files have the hidden and system attributes set.

The file <variable>.dll is registered as a COM object and shell extension, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKCR\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsauf.html?_log_from=rss

Troj/Agent-HWU
Oct 11, 2008 10:07AM PDT
Troj/PWS-AUF
Oct 11, 2008 2:48PM PDT

Aliases Trojan:Win32/Helpud.A
Trojan-PSW.Win32.OnLineGames.ajlf
PWS-OnlineGames.y.dll trojan

Category Viruses and Spyware

Type Trojan

Troj/PWS-AUF is a password stealing Trojan for the Windows platform.

When Troj/PWS-AUF is installed the following files are created:

<Windows>\Help\<variable>.dll
<Windows>\Help\<variable>.exe

where <variable> is a filename consisting of upper-case letters and digits. Both files have the hidden and system attributes set.

The file <variable>.dll is registered as a COM object and shell extension, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKCR\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsauf.html?_log_from=rss

Troj/Bckdr-QPT
Oct 11, 2008 2:51PM PDT