
VIRUS \ Spyware ALERTS - October 13, 2008

Oct 12, 2008 1:59PM PDT

Trojan.JS.IFrame.ACN
Oct 13, 2008 6:05AM PDT

SYMPTOMS:

The malware script doesn't have any obvious symptoms because it is a "gateway" to other web-based malware: Trojan.Exploit.ANNZ.

TECHNICAL DESCRIPTION:

The malicious JavaScript contains an invisible iframe that leads to Trojan.Exploit.ANNZ, which performs the malicious actions: it downloads a backdoor (Backdoor.Generic.76302).

http://www.bitdefender.com/VIRUS-1000418-en--Trojan.JS.IFrame.ACN.html

Trojan.Downloader.WMA.Wimad.S
Oct 13, 2008 6:06AM PDT

SYMPTOMS:

When the ".wma" file (a media file extension) is opened, the following behavior is observed:

A browser page opens to a certain webpage (fastmp3player.com).
It tries to download (through an exploit of the ASF format) and execute (when the user clicks Run in IE) a piece of malware from the mentioned site.
The file offered for download is named "Codec.exe" and has the Windows Media Player icon (the name can vary: "PLAY_MP3.exe" or another).

Note that the file could have any other extension that Windows Media Player can handle, such as ".asf", ".wmv", ".aiff", ".midi" or others.

Here is a screenshot of the malware in action.

http://www.bitdefender.com/VIRUS-1000414-en--Trojan.Downloader.WMA.Wimad.S.html
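A worked parser for the mechanism behind this post, added here as an example and not part of the original post or of BitDefender's description. The post only says "an exploit of the ASF format"; the Wimad family is widely documented as abusing the ASF Script Command Object, whose URLANDEXIT command type tells Windows Media Player to open a URL in the browser. The code below walks the ASF Header Object, decodes any Script Command Object and reports commands of the URL or URLANDEXIT type. The two sample files are constructed in the script itself (header-only, no audio data); the only URL used is the domain named in the post.

```python
import struct
import uuid

# Object GUIDs from the ASF specification.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
SCRIPT_COMMAND_OBJECT = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")
# Script command types that make Windows Media Player navigate to a URL.
URL_COMMAND_TYPES = {"URL", "URLANDEXIT"}


def is_asf(data):
    """True if the blob starts with the ASF Header Object GUID."""
    return data[:16] == ASF_HEADER_OBJECT.bytes_le


def iter_header_objects(data):
    """Yield (guid, payload) for every object inside the ASF Header Object."""
    if not is_asf(data):
        raise ValueError("not an ASF file")
    header_size, count = struct.unpack_from("<QI", data, 16)
    end = min(header_size, len(data))          # tolerate truncated files
    pos = 30                                    # GUID + size + count + 2 reserved bytes
    for _ in range(count):
        if pos + 24 > end:
            break
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:       # malformed length: stop, never loop
            break
        yield guid, data[pos + 24:pos + size]
        pos += size


def _read_wstr(buf, pos, nchars):
    return buf[pos:pos + 2 * nchars].decode("utf-16-le", errors="replace"), pos + 2 * nchars


def parse_script_commands(payload):
    """Decode a Script Command Object payload into (time_ms, type_name, command)."""
    pos = 16                                    # skip the reserved GUID field
    n_cmds, n_types = struct.unpack_from("<HH", payload, pos)
    pos += 4
    types = []
    for _ in range(n_types):
        (length,) = struct.unpack_from("<H", payload, pos)
        name, pos = _read_wstr(payload, pos + 2, length)
        types.append(name)
    commands = []
    for _ in range(n_cmds):
        time_ms, type_idx, length = struct.unpack_from("<IHH", payload, pos)
        name, pos = _read_wstr(payload, pos + 8, length)
        type_name = types[type_idx] if type_idx < len(types) else "?"
        commands.append((time_ms, type_name, name))
    return commands


def find_url_commands(data):
    """Return every script command that would send the player to a URL."""
    hits = []
    for guid, payload in iter_header_objects(data):
        if guid == SCRIPT_COMMAND_OBJECT:
            for time_ms, type_name, command in parse_script_commands(payload):
                if type_name.upper() in URL_COMMAND_TYPES:
                    hits.append((time_ms, type_name, command))
    return hits


# --- constructed sample files (not real Wimad samples) ---------------------

def _wstr(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_script_command_object(types, commands):
    body = SCRIPT_COMMAND_OBJECT.bytes_le        # reserved field
    body += struct.pack("<HH", len(commands), len(types))
    body += b"".join(_wstr(t) for t in types)
    for time_ms, type_idx, name in commands:
        body += struct.pack("<IH", time_ms, type_idx) + _wstr(name)
    return SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def build_asf_header(objects):
    payload = b"".join(objects)
    return (ASF_HEADER_OBJECT.bytes_le
            + struct.pack("<QIBB", 30 + len(payload), len(objects), 1, 2)
            + payload)


# Header-only ASF blobs; the URL is the site named in the post.
SUSPICIOUS_WMA = build_asf_header([
    build_script_command_object(["URLANDEXIT"], [(0, 0, "http://fastmp3player.com/")])])
BENIGN_WMA = build_asf_header([
    build_script_command_object(["CAPTION"], [(5000, 0, "Chapter 1")])])

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_WMA), ("benign", BENIGN_WMA)):
        print(label, find_url_commands(blob))
```

To triage a downloaded file, read it with `open(path, "rb").read()` and pass the bytes to `find_url_commands`; any URL or URLANDEXIT command in an audio file that claims to be a song is the behaviour this post describes, whatever the file extension is.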

not-a-virus:NetTool.Win32.Transmit.a
Oct 13, 2008 6:08AM PDT

not-a-virus:NetTool.Win32.Transmit.a (Kaspersky Lab) is also known as: SPR/Transmit.A (H+BEDV)

This is a potentially unwanted program (PUP). It is a Windows PE EXE file. It is 32768 bytes in size. It is packed using PECompact. The unpacked file is approximately 192KB in size.

http://www.viruslist.com/en/viruses/encyclopedia?virusid=88746

Trojan-Spy:W32/Goldun.RR
Oct 13, 2008 6:10AM PDT

Detection Names : Trojan-Spy:W32/Goldun.RR
Trojan-Spy.Win32.Goldun.axt

Aliases : Trojan:Win32/Agent.PX (Microsoft)
TROJ_MEREDROP.GJ (Trend Micro)
Trojan.Goldun (Symantec)

Type: Trojan-Spy
Category: Malware

Summary
A type of trojan that includes a variety of spy programs and keyloggers.

Additional Details
Goldun.RR drops the following files:

C:\WINDOWS\system32\cabpck.dll
C:\WINDOWS\system32\krnlcab.sys

The file called cabpck.dll is detected as Trojan-Spy.Win32.Goldun.axn.
The file called krnlcab.sys is detected as Trojan-Spy.Win32.Goldun.axr.

The main file creates this process and then terminates itself:

C:\WINDOWS\system32\rundll32.exe cabpck.dll,cabpck

http://www.f-secure.com/v-descs/trojan-spy_w32_goldun_rr.shtml

Trojan-Dropper:W32/Hoaxer.B
Oct 13, 2008 6:11AM PDT

Name : Trojan-Dropper:W32/Hoaxer.B
Detection Names : Trojan-Downloader.Win32.Hoaxer.a

Aliases : TrojanDownloader:HTML/Renos.C (Microsoft)
W32/Dorf.A!tr.dldr (Other)

Size: 333780
Type: Trojan-Dropper
Category: Malware
Platform: W32

Summary
This type of trojan contains one or more malicious files, which it will secretly install on the system.

Details

File System Changes
Creates this directory:

%programfiles%\PCHealthCenter

http://www.f-secure.com/v-descs/trojan-dropper_w32_hoaxer_b.shtml

Trojan-Downloader:W32/Agent.HSM
Oct 13, 2008 6:13AM PDT

Name : Trojan-Downloader:W32/Agent.HSM
Type: Trojan-Downloader
Category: Malware
Platform: W32

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Additional Details
This trojan may be downloaded from a malicious website. It may also arrive as an e-mail attachment.

Known e-mail subjects associated with this malware are:

Really cool photos
Exclusive photos, you'll be happy
Spam: Great photos for you
Great photos for you
The best photos for you

http://www.f-secure.com/v-descs/trojan-downloader_w32_agent_hsm.shtml

BackDoor-DOM
Oct 13, 2008 6:14AM PDT

Type: Trojan
SubType: Remote Access

Characteristics -

This detection is for a backdoor remote access Trojan.

The Trojan is dropped by Backdoor-DOM.DR, a specially crafted PDF document that contains the Backdoor-DOM Trojan embedded within it.

UPCOMING_CONFERENCE_LIST.PDF (Backdoor-DOM.DR): when opened, the PDF file causes vulnerable versions of the Adobe Acrobat Reader program to crash, passing control to the Trojan.

The Trojan hooks the system by adding itself to:

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

The Trojan uses Microsoft-sounding names like the following:

WIUPDATE.EXE
WINSRV.EXE
WINDOWS.HLP
AcroRD32.EXE

Typically dropped into the following directory: c:\windows\system32

http://vil.mcafeesecurity.com/vil/content/v_144408.htm

BtDr.StelBoot
Oct 13, 2008 6:16AM PDT

Type: Virus
SubType: Boot dropper

Characteristics -

This detection is for a standard boot sector infector.

Symptoms -
Booting the machine from infected media, like floppy disks.

Method of Infection -
Boot sector viruses copy themselves to all available boot sectors.


http://vil.mcafeesecurity.com/vil/content/v_121607.htm

W32/VB-EBI
Oct 13, 2008 6:19AM PDT

W32/Autorun-LM
Oct 13, 2008 6:20AM PDT

W32/Autorun-LL
Oct 13, 2008 6:21AM PDT

W32/Autorun-LK
Oct 13, 2008 6:22AM PDT

Aliases: Trojan-Downloader.Win32.Delf.bvl
Category: Viruses and Spyware
Type: Worm

W32/Autorun-LK is a worm for the Windows platform.

W32/Autorun-LK includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Autorun-LK copies itself to <System>\winl0gon.exe and creates the file <System>\0.txt.

The file WINL0GON.exe is registered as a new system driver service named "KSD2Service", with a display name of "KSD2Service" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\KSD2Service

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunlk.html?_log_from=rss
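Both this post (winl0gon.exe, a zero standing in for the letter o) and the Backdoor-DOM post above (WIUPDATE.EXE, WINSRV.EXE and a copy of AcroRD32.EXE dropped into system32) describe the same evasion: filenames chosen to look like Windows binaries. The script below, added here as an example and not from the posts or the vendors, runs three checks over a file listing: digit-for-letter homoglyphs of known system names, names one edit (including an adjacent swap) away from a known name, and a legitimate name sitting outside the directory it belongs in. The list of legitimate names and expected directories is general Windows knowledge, the IOC names are the ones quoted in the two posts, and the listing is constructed for the example.

```python
# Windows binaries that malware commonly imitates (general knowledge, not from the posts).
LEGIT_NAMES = {
    "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
    "explorer.exe", "wuauclt.exe", "rundll32.exe", "acrord32.exe",
}
# Where a legitimate name is expected to live (substring of the lowercased path).
EXPECTED_DIR = {
    "winlogon.exe": "\\windows\\system32\\",
    "acrord32.exe": "\\program files\\",
}
# Filenames quoted as indicators in the Autorun-LK and Backdoor-DOM posts.
POST_IOC_NAMES = {"winl0gon.exe", "0.txt", "wiupdate.exe", "winsrv.exe", "windows.hlp"}
# Digits commonly swapped in for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(path):
    """Return a verdict string for a suspicious path, or None if nothing stands out."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in LEGIT_NAMES:
        expected = EXPECTED_DIR.get(name)
        if expected and expected not in path.lower():
            return f"legitimate name {name} outside {expected}"
        return None
    normalized = name.translate(HOMOGLYPHS)
    if normalized in LEGIT_NAMES:
        return f"homoglyph of {normalized}"
    if name in POST_IOC_NAMES:
        return "filename quoted as an indicator in the posts"
    for legit in sorted(LEGIT_NAMES):            # sorted for a deterministic verdict
        if osa_distance(name, legit) == 1:
            return f"one edit away from {legit}"
    return None


def scan_listing(listing):
    """Apply classify() to every non-empty line of a file listing."""
    findings = []
    for line in listing.splitlines():
        line = line.strip()
        if line:
            verdict = classify(line)
            if verdict:
                findings.append((line, verdict))
    return findings


# Constructed listing (not a real system): legitimate entries mixed with lookalikes.
SAMPLE_LISTING = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winl0gon.exe
C:\WINDOWS\system32\0.txt
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\WIUPDATE.EXE
C:\WINDOWS\system32\AcroRD32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\kernel32.dll
"""

if __name__ == "__main__":
    for path, verdict in scan_listing(SAMPLE_LISTING):
        print(f"{verdict:50s} {path}")
```

The edit-distance rule is deliberately loose and will flag benign oddities; treat its output as a worklist for a hash or signature check, not a verdict. The directory rule is what catches an exact copy of a real name such as AcroRD32.EXE in system32, which no spelling check can see.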

Troj/Zlob-APE
Oct 13, 2008 6:23AM PDT

Troj/Istbar-EA
Oct 13, 2008 6:25AM PDT

Aliases: Trojan-Dropper.Win32.Agent.xtc
trojan
Category: Viruses and Spyware
Type: Trojan

Troj/Istbar-EA is a Trojan for the Windows platform.

Troj/Istbar-EA includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Istbar-EA is installed the following files are created:

<Desktop>\Cheap Pharmacy Online.url
<Desktop>\Search Online.url
<Desktop>\VIP Casino.url
<Favorites>\Cheap Pharmacy Online.url
<Favorites>\Search Online.url
<Favorites>\VIP Casino.url
<User>\Start Menu\Cheap Pharmacy Online.url
<User>\Start Menu\Search Online.url
<User>\Start Menu\VIP Casino.url
<System>\c.ico
<System>\lsystipl64.dll
<System>\m.ico
<System>\s.ico
<System>\sv.exe

The file lsystipl64.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojistbarea.html?_log_from=rss
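The post stops short of listing the registry entries, so here is how to enumerate them on a suspect machine. This is an added example, not code from the post or from Sophos. It reads a regedit export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer bho.reg` plus an export of HKCR\CLSID), parses the .reg text, and resolves every CLSID registered under the Browser Helper Objects key to the DLL named in its InprocServer32 value. The key paths are the standard IE BHO registration locations (general knowledge, not quoted from the post); the CLSIDs in the sample export are placeholders and the export text is constructed for the example.

```python
import re

# Standard IE BHO registration key (lowercased for case-insensitive matching).
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
# Places a CLSID's InprocServer32 key can appear in an export.
CLSID_ROOTS = ("hkey_classes_root\\clsid\\", "hkey_local_machine\\software\\classes\\clsid\\")
# DLL name quoted in the Istbar-EA post.
POST_IOC_DLLS = {"lsystipl64.dll"}
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse .reg text into {lowercased key path: {value name: value}}; '' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        value = m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])       # string value; dword:/hex: kept raw
        keys[current][name] = value
    return keys


def assess(dll):
    """Flags for a BHO's DLL path; the Program Files rule is a heuristic."""
    if dll is None:
        return ["no InprocServer32 key (orphaned or hidden registration)"]
    low = dll.lower()
    flags = []
    if low.rsplit("\\", 1)[-1] in POST_IOC_DLLS:
        flags.append("DLL name quoted in the Istbar-EA post")
    if "\\program files" not in low:
        flags.append("DLL outside Program Files (heuristic)")
    return flags


def list_bhos(keys):
    """Return (CLSID, DLL path or None, flags) for each registered BHO."""
    results = []
    for key in keys:
        if key.startswith(BHO_KEY + "\\"):
            clsid = key[len(BHO_KEY) + 1:].split("\\")[0]
            dll = None
            for root in CLSID_ROOTS:
                dll = keys.get(root + clsid + "\\inprocserver32", {}).get("")
                if dll:
                    break
            results.append((clsid.upper(), dll, assess(dll)))
    return sorted(results, key=lambda r: r[0])


# Constructed export; CLSIDs are placeholders, not real controls.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99999999-9999-9999-9999-999999999999}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\lsystipl64.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\toolbar.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    for clsid, dll, flags in list_bhos(parse_reg_export(SAMPLE_EXPORT)):
        print(clsid, dll, flags)
```

Real regedit exports are UTF-16 with a BOM, so open them with `encoding="utf-16"` before passing the text in. A BHO whose CLSID has no InprocServer32 key is worth a second look too: either the registration is stale or the COM server is registered somewhere the export did not cover.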

Troj/Dwnldr-HJD
Oct 13, 2008 6:26AM PDT

Troj/Bckdr-QPU
Oct 13, 2008 6:27AM PDT

Troj/Agent-HXC
Oct 13, 2008 6:28AM PDT

JS/Exploit-QVOD
Oct 13, 2008 9:17AM PDT

Type: Trojan
SubType: Exploit

Overview -
JS/Exploit-QVOD.gen is a detection for the Qvod Player QvodCtrl Class ActiveX Control buffer overflow vulnerability.

Characteristics -

This detection is an exploit detection for the QVOD player from Task Technology.

JS/Exploit-QVOD is a detection for QvodCtrl Class ActiveX Control buffer overflow vulnerability.

The Buffer Overflow occurs while supplying a long string as a parameter to the 'URL' Property. This vulnerability could be exploited by a malicious user to cause remote code execution.


http://vil.mcafeesecurity.com/vil/content/v_144077.htm
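This post and the Trojan.JS.IFrame.ACN post at the top of the thread describe the two halves of a typical 2008 drive-by page: an invisible iframe that pulls in the exploit page, and script that instantiates an ActiveX control and stuffs an oversized string into one of its properties. The scanner below, an added example rather than code from either post or from McAfee, pulls both patterns out of saved HTML: iframes hidden by zero size or style, `<object classid>` tags, `new ActiveXObject(...)` calls, and long strings built with `new Array(n).join(...)` or written out as literals. The size thresholds are heuristics, the ProgID in the sample is a placeholder (the post does not give the control's ProgID or CLSID), and both sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Style values that make an iframe invisible; the off-screen rule is a heuristic.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
ACTIVEX = re.compile(r"new\s+ActiveXObject\s*\(\s*[\"']([^\"']+)[\"']", re.I)
ARRAY_JOIN = re.compile(r"new\s+Array\s*\(\s*(\d+)\s*\)\s*\.join\s*\(", re.I)
LONG_LITERAL = re.compile(r'"[^"\n]{256,}"' + r"|'[^'\n]{256,}'")
PADDING_THRESHOLD = 256   # heuristic: benign pages rarely build strings this long


class _PageScanner(HTMLParser):
    """Collect hidden iframes, <object classid> tags and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # HTMLParser lowercases names
        if tag == "iframe":
            reasons = [f"{d}={a[d]}" for d in ("width", "height")
                       if a.get(d, "").strip().rstrip("px") in ("0", "1")]
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden via style")
            if reasons:
                self.findings.append(("hidden iframe", a.get("src", ""), ", ".join(reasons)))
        elif tag == "object" and "classid" in a:
            self.findings.append(("activex object tag", a["classid"], ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_page(html):
    """Return (rule, detail, note) triples for a page's drive-by indicators."""
    parser = _PageScanner()
    parser.feed(html)
    parser.close()
    findings = list(parser.findings)
    for js in parser.scripts:
        for m in ACTIVEX.finditer(js):
            findings.append(("activex instantiation", m.group(1), ""))
        for m in ARRAY_JOIN.finditer(js):
            if int(m.group(1)) >= PADDING_THRESHOLD:
                findings.append(("oversized string construction",
                                 f"new Array({m.group(1)}).join",
                                 "possible overflow/spray padding"))
        for m in LONG_LITERAL.finditer(js):
            findings.append(("long string literal", f"{len(m.group(0)) - 2} chars", ""))
    return findings


# Constructed pages: one with the gateway-plus-ActiveX pattern, one benign.
SAMPLE_PAGE = """<html><body>
<p>Really cool photos</p>
<iframe src="http://gateway.example/in.cgi" width="0" height="0" frameborder="0"></iframe>
<script type="text/javascript">
  var ctl = new ActiveXObject("Example.Control");   // placeholder ProgID
  ctl.URL = new Array(2000).join("A");               // long value into a property
</script>
</body></html>
"""
BENIGN_PAGE = """<html><body>
<iframe src="http://www.example.com/" width="600" height="400"></iframe>
<script>var greeting = "hello";</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

Run it over the saved HTML of a suspect page, not the live site, and expect obfuscated pages to need a deobfuscation pass first: the string checks only see what is literally in the script body, so `unescape`d or `eval`ed payloads will show up as a long literal at best.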

Perl/Generic Exploit.e
Oct 13, 2008 9:18AM PDT

Type: Trojan
SubType: Script

Characteristics -

This is a Trojan detection for multiple Perl-based exploits:

The exploits include the following:

Remote Command Execution Vulnerability

DtPrintinfo/Session exploit

Local Buffer Overflow exploits generator

PHP Zener

String sploiter

PHP-Fusion exploit

Boomshell

SQL Injection exploit


http://vil.mcafeesecurity.com/vil/content/v_142681.htm

Tool-Hacksaw.vbs
Oct 13, 2008 9:20AM PDT

Type: Trojan
SubType: Script

Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics -

This detection is for a Visual Basic Script that processes a list of folder items and pushes their contents to the screen.

This could be used to access or redirect a user's favourites or recently visited websites, etc.

Symptoms -
Presence of DUH.VBS on the system.

http://vil.mcafeesecurity.com/vil/content/v_144590.htm