VIRUS \ Spyware ALERTS - October 14, 2008

Name : Backdoor:W32/Hupigon.OGA
Detection Names : Backdoor:W32/Hupigon.OGA
Backdoor.Win32.Hupigon.dsbm

Type: Backdoor
Category: Malware

Summary
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network.

Details


File System Changes
Creates these files:


%windir%\temp\a.exe
%windir%\temp\b.exe

http://www.f-secure.com/v-descs/backdoor_w32_hupigon_oga.shtml

Name : Rootkit:W32/Agent.UI
Detection Names : Rootkit:W32/Agent.UI

Type: Rootkit
Category: Malware
Platform: W32

Summary
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.

Additional Details
Rootkit:W32/Agent.UI creates a device named "\Device\IWEUFHKSEF" and sets up symbolic link named "\??\IWEUFHKSEF" to accept control codes from usermode programs.

It removes all hooked addresses corresponding to all NTFuntions (which are implemented in Ntoskrnl.exe), then restores them to their original values.

http://www.f-secure.com/v-descs/rootkit_w32_agent_ui.shtml

?Bad Blog? Can Give Facebook Users More Than a Bad Name

If you think a derogatory blog about you is bad, the real reason is worse than you think.

Recently, another fake message containing a link to a malware was reportedly being spammed to friends of compromised Facebook accounts. The message looks something like this:

{Friend?s name}, have you heard about that blog that was about you?

apparently its pretty bad

i think you and everyone should read it?

s{BLOCKED}b.cn/video/?about={Friend?s name}

(copy this link into address bar)

Accessing the URL contained in this message leads to the downloading of the malicious file, UPDATE.EXE. This malicious file is already detected by Trend Micro as TROJ_AGENT.ASLV. Downloading this Trojan may lead to the installation of other malware programs on the affected system, such as TROJ_DROPPER.FI.

The said malicious URL is now blocked by the Trend Micro Smart Protection Network.

More: http://blog.trendmicro.com/

Bogus ?MS Update? Comes With Malicious Attachment


Just in time for Microsoft?s most recent security advisory, spammers are now distributing yet another fake Microsoft Update. It arrives with the subject Security Update for OS Microsoft Windows and purports to come from the Microsoft Official Update Center. It even includes a Pretty Good Privacy (PGP) Signature block to give it more authenticity.

A sample email is shown in the following screenshot:

More: http://blog.trendmicro.com/

Alert ID : FrSIRT/ALRT-2008-06057
Aliases : N/A
Size : 33411 bytes
Rated as : Moderate Risk
Release Date : 2008-10-14

Description

This worm may be dropped or downloaded from remote site(s) by other malware. It may also be downloaded unknowingly by a user when visiting malicious Web site(s).

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.MU

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06058
Aliases : N/A
Size : 8704 bytes
Rated as : Low Risk
Release Date : 2008-10-14


Description

This Trojan may be dropped by other malware. It may arrive bundled with malware packages as a malware component.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ROOTKIT.BA

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06059
Aliases : N/A
Size : 10240 bytes
Rated as : Low Risk
Release Date : 2008-10-14


Description

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware. It may arrive bundled with malware packages as a malware component.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_RENOS.AOH

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06060
Aliases : N/A
Size : Varies
Rated as : Low Risk
Release Date : 2008-10-14


Description

This Trojan may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PANDEX.HG

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06061
Aliases : N/A
Size : 12696 bytes
Rated as : Low Risk
Release Date : 2008-10-14


Description

This worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OTORUN.AJ

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06062
Aliases : N/A
Size : Varies
Rated as : Low Risk
Release Date : 2008-10-14


Description

This worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_VOTERAI.N

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06056
Aliases : N/A
Size : 31744 bytes
Rated as : Low Risk
Release Date : 2008-10-14


Description

This worm may be dropped or downloaded from remote site(s) by other malware. It may also be downloaded unknowingly by a user when visiting malicious Web site(s).

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SYSTEM.AP

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06055
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-14


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthxc.html

Credits

Reported by Sophos

Category Viruses and Spyware

Type Trojan

Troj/Renos-BD is a Trojan for the Windows platform.

Troj/Renos-BD includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Renos-BD attempts to download additional malware to:
<Temp&gt<Random>.gif
( Downloaded files are currently also detected as Troj/Renos-BD )

The following registry entry is created to run Troj/Renos-BD on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSFox
<pathname of the Trojan executable>

Registry entries are created under:

HKLM\SOFTWARE\Mozilla\MSFox

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrenosbd.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/Invo-Zip is a family of zip files that contain malware.

Members of Troj/Invo-Zip are usually sent in spam pretending to relate to an invoice or receipt, often one related to a UPS transaction or to tax.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojinvozip.html?_log_from=rss

Category Viruses and Spyware

Type Trojan


Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealeik.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbvs.html?_log_from=rss

Aliases TROJ_DELREG.Y
TR/Vundo.Gen

Category Viruses and Spyware

Type Trojan

Troj/DelReg-D is a a Trojan for the Windows platform that attempts to delete the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdelregd.html?_log_from=rss

Aliases AdClicker-GO.dll

Category Viruses and Spyware

Type Trojan

Troj/Clckr-LH is a Trojan for the Windows platform.

Troj/Clckr-LH includes functionality to access the internet and communicate with a remote server via HTTP.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojclckrlh.html?_log_from=rss

Aliases Trojan.Win32.Agent.aguj

Category Viruses and Spyware

Type Trojan

Troj/BHO-HI is a Trojan for the Windows platform.

The Troj/BHO-HI is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}
HKCR\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhohi.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthxi.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthxh.html?_log_from=rss

Category Viruses and Spyware

Type Virus

OF97/Crown-E is a corrupted version of the OF97/Crown family.

http://www.sophos.com/security/analyses/viruses-and-spyware/of97crowne.html?_log_from=rss