VIRUS \ Spyware ALERTS - October 13, 2008

SYMPTOMS:

The malware script doesn't have any obvious symptoms because it is a "gateway" towards other web-based malware : Trojan.Exploit.ANNZ.

TECHNICAL DESCRIPTION:

The malware javascript has an invisible iframe which leads to Trojan.Exploit.ANNZ, that has malicious actions - downloads a backdoor (Backdoor.Generic.76302).

http://www.bitdefender.com/VIRUS-1000418-en--Trojan.JS.IFrame.ACN.html

SYMPTOMS:

While accessing the ".wma" which is a media file extension the following behavior is noticed :

A browser page opens to a certain webpage ( fastmp3player.com )
It tries to download (trough an exploit to the asf format) and execute (when the user hits run on IE ) a piece of malware from the mentioned site.
The prompted file to download is named "Codec.exe" which has the Windows Media Player icon (the name could vary ("PLAY_MP3.exe" or another).


Take notice that the file could have any other extension that Windows Media Player can handle such as ".asf", ".wmw" , ".aiff", ".midi" or others.

Here is a screenshot of the malware in action.

http://www.bitdefender.com/VIRUS-1000414-en--Trojan.Downloader.WMA.Wimad.S.html

not-a-virus:NetTool.Win32.Transmit.a (Kaspersky Lab) is also known as: SPR/Transmit.A (H+BEDV)

This is a potentially unwanted program (PUP). It is a Windows PE EXE file. It is 32768 bytes in size. It is packed using PECompact. The unpacked file is approximately 192KB in size.

http://www.viruslist.com/en/viruses/encyclopedia?virusid=88746

Detection Names : Trojan-Spy:W32/Goldun.RR
Trojan-Spy.Win32.Goldun.axt

Aliases : Trojan:Win32/Agent.PX (Microsoft)
TROJ_MEREDROP.GJ (Trend Micro)
Trojan.Goldun (Symantec)

Type: Trojan-Spy
Category: Malware

Summary
A type of trojan that includes a variety of spy programs and keyloggers.
Back to the Top



Additional Details
Goldun.RR drops the following files:


C:\WINDOWS\system32\cabpck.dll
C:\WINDOWS\system32\krnlcab.sys

The file called cabpck.dll is detected as Trojan-Spy.Win32.Goldun.axn.
The file called krnlcab.sys is detected as Trojan-Spy.Win32.Goldun.axr.

The main file create this process and terminate itself:


C:\WINDOWS\system32\rundll32.exe cabpck.dll,cabpck

http://www.f-secure.com/v-descs/trojan-spy_w32_goldun_rr.shtml

Name : Trojan-Dropper:W32/Hoaxer.B
Detection Names : Trojan-Downloader.Win32.Hoaxer.a

Aliases : TrojanDownloader:HTML/Renos.C (Microsoft)
W32/Dorf.A!tr.dldr (Other)

Size: 333780
Type: Trojan-Dropper
Category: Malware
Platform: W32

Summary
This type of trojan contains one or more malicious files, which it will secretly install on the system.

Details


File System Changes
Create these directories:


%programfiles%\PCHealthCenter

http://www.f-secure.com/v-descs/trojan-dropper_w32_hoaxer_b.shtml

Name : Trojan-Downloader:W32/Agent.HSM
Type: Trojan-Downloader
Category: Malware
Platform: W32

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.
Back to the Top



Additional Details
This trojan may be downloaded from a malicious website. It may also arrive as an e-mail attachment.

Known e-mail subjects associated with this malware are:


Really cool photos
Exclusive photos, you'll be happy
Spam: Great photos for you
Great photos for you
The best photos for you

http://www.f-secure.com/v-descs/trojan-downloader_w32_agent_hsm.shtml

Type Trojan SubType Remote Access

Characteristics -

This detection is for a Backdoor remote access Trojan.

The Trojan is dropped by Backdoor-DOM.DR, a specially crafted PDF document that contains the Backdoor-DOM trojan embedded within.

UPCOMING_CONFERENCE_LIST.PDF (Backdoor-DOM.DR), When opened the PDF file causes vulnerable versions of the Adobe Acrobat Reader program to crash passing control to the trojan.

The trojan hooks the system by adding itself to:

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

The Trojan uses Microsoft sounding names like the following:

WIUPDATE.EXE

WINSRV.EXE

WINDOWS.HLP

AcroRD32.EXE

Typically dropped into the following directory c:\windows\system32

http://vil.mcafeesecurity.com/vil/content/v_144408.htm

Type Virus SubType Boot dropper

Characteristics -

This detection is for a standard boot sector infector.






Symptoms
Symptoms -
Booting the machine from infected media, like floppy disks.

Method of Infection
Method of Infection -
Boot Sector viruses copy themselves to all available boot sectors.


http://vil.mcafeesecurity.com/vil/content/v_121607.htm

Category Viruses and Spyware

Type Worm

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/w32vbebi.html?_log_from=rss

Category Viruses and Spyware

Type Worm

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunlm.html?_log_from=rss

Category Viruses and Spyware

Type Worm

W32/Autorun-LL is a worm for windows.

W32/Autorun-LL creates a file in the root of C called autorun.inf detected as W32/Autorun-KO

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunll.html?_log_from=rss

Aliases Trojan-Downloader.Win32.Delf.bvl

Category Viruses and Spyware

Type Worm

W32/Autorun-LK is a worm for the Windows platform.

W32/Autorun-LK includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Autorun-LK copies itself to <System>\winl0gon.exe and creates the file <System>\0.txt.

The file WINL0GON.exe is registered as a new system driver service named "KSD2Service", with a display name of "KSD2Service" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\KSD2Service

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunlk.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzlobape.html?_log_from=rss

Aliases Trojan-Dropper.Win32.Agent.xtc
trojan

Category Viruses and Spyware

Type Trojan

Troj/Istbar-EA is a Trojan for the Windows platform.

Troj/Istbar-EA includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Istbar-EA is installed the following files are created:

<Desktop>\Cheap Pharmacy Online.url
<Desktop>\Search Online.url
<Desktop>\VIP Casino.url
<Favorites>\Cheap Pharmacy Online.url
<Favorites>\Search Online.url
<Favorites>\VIP Casino.url
<User>\Start Menu\Cheap Pharmacy Online.url
<User>\Start Menu\Search Online.url
<User>\Start Menu\VIP Casino.url
<System>\c.ico
<System>\lsystipl64.dll
<System>\m.ico
<System>\s.ico
<System>\sv.exe

The file lsystipl64.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojistbarea.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhjd.html?_log_from=rss

Aliases Win32.Obfuscated.gx

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows
Characteristics Installs itself in the registry

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbckdrqpu.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthxc.html?_log_from=rss

Type Trojan SubType Exploit

Overview -
JS/Exploit-QVOD.gen is a detection for Qvod Player. QvodCtrl Class ActiveX Control buffer overflow vulnerability.

Characteristics
Characteristics -

This detection is an exploit detection for the QVOD player from Task Technology.

JS/Exploit-QVOD is a detection for QvodCtrl Class ActiveX Control buffer overflow vulnerability.

The Buffer Overflow occurs while supplying a long string as a parameter to the 'URL' Property. This vulnerability could be exploited by a malicious user to cause remote code execution.


http://vil.mcafeesecurity.com/vil/content/v_144077.htm

Type Trojan SubType Script

Characteristics -

This is a Trojan detection for multiple Perl based exploits:

The exploits include the following:

Remote Command Execution Vulnerability

DtPrintinfo/Session exploit

Local Buffer Overflow exploits generator

PHP Zener

String sploiter

PHP-Fusion exploit

Boomshell

SQL Injection exploit


http://vil.mcafeesecurity.com/vil/content/v_142681.htm

Type Trojan SubType Script

Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics
Characteristics -

This detection is for a Visual Basic Script that processes a list of folder items and pushes there contents to the screen.

This could be used to access or redirect a users favourites or recently visited websites etc....

Symptoms -
Presence of DUH.VBS on the system.

http://vil.mcafeesecurity.com/vil/content/v_144590.htm