VIRUS \ Spyware ALERTS - October 14, 2008

Oct 13, 2008 11:51AM PDT

Backdoor:W32/Hupigon.OGA
Oct 14, 2008 1:37AM PDT

Name : Backdoor:W32/Hupigon.OGA
Detection Names : Backdoor:W32/Hupigon.OGA
Backdoor.Win32.Hupigon.dsbm

Type: Backdoor
Category: Malware

Summary
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer, or network.

Details


File System Changes
Creates these files:


%windir%\temp\a.exe
%windir%\temp\b.exe

http://www.f-secure.com/v-descs/backdoor_w32_hupigon_oga.shtml

Rootkit:W32/Agent.UI
Oct 14, 2008 1:38AM PDT

Name : Rootkit:W32/Agent.UI
Detection Names : Rootkit:W32/Agent.UI

Type: Rootkit
Category: Malware
Platform: W32

Summary
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.

Additional Details
Rootkit:W32/Agent.UI creates a device named "\Device\IWEUFHKSEF" and sets up a symbolic link named "\??\IWEUFHKSEF" to accept control codes from usermode programs.

It removes all hooked addresses corresponding to all NT functions (which are implemented in Ntoskrnl.exe), then restores them to their original values.

http://www.f-secure.com/v-descs/rootkit_w32_agent_ui.shtml

TROJ_AGENT.ASLV
Oct 14, 2008 6:06AM PDT

"Bad Blog" Can Give Facebook Users More Than a Bad Name

If you think a derogatory blog about you is bad, the real reason is worse than you think.

Recently, another fake message containing a link to a malware was reportedly being spammed to friends of compromised Facebook accounts. The message looks something like this:

{Friend's name}, have you heard about that blog that was about you?

apparently its pretty bad Sad

i think you and everyone should read it?

s{BLOCKED}b.cn/video/?about={Friend's name}

(copy this link into address bar)

Accessing the URL contained in this message leads to the downloading of the malicious file, UPDATE.EXE. This malicious file is already detected by Trend Micro as TROJ_AGENT.ASLV. Downloading this Trojan may lead to the installation of other malware programs on the affected system, such as TROJ_DROPPER.FI.

The said malicious URL is now blocked by the Trend Micro Smart Protection Network.

More: http://blog.trendmicro.com/

BKDR_HAXDOOR.MX
Oct 14, 2008 6:08AM PDT

Bogus "MS Update" Comes With Malicious Attachment

Just in time for Microsoft's most recent security advisory, spammers are now distributing yet another fake Microsoft Update. It arrives with the subject Security Update for OS Microsoft Windows and purports to come from the Microsoft Official Update Center. It even includes a Pretty Good Privacy (PGP) Signature block to give it more authenticity.

A sample email is shown in the following screenshot:

More: http://blog.trendmicro.com/

BKDR_HAXDOOR.MU
Oct 14, 2008 7:15AM PDT

Alert ID : FrSIRT/ALRT-2008-06057
Aliases : N/A
Size : 33411 bytes
Rated as : Moderate Risk
Release Date : 2008-10-14

Description

This worm may be dropped or downloaded from remote site(s) by other malware. It may also be downloaded unknowingly by a user when visiting malicious Web site(s).

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.MU

Credits

Reported by Trend Micro

TROJ_ROOTKIT.BA
Oct 14, 2008 7:17AM PDT
TROJ_RENOS.AOH
Oct 14, 2008 7:18AM PDT

Alert ID : FrSIRT/ALRT-2008-06059
Aliases : N/A
Size : 10240 bytes
Rated as : Low Risk
Release Date : 2008-10-14


Description

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware. It may arrive bundled with malware packages as a malware component.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_RENOS.AOH

Credits

Reported by Trend Micro

TROJ_PANDEX.HG
Oct 14, 2008 7:19AM PDT
WORM_OTORUN.AJ
Oct 14, 2008 7:20AM PDT

Alert ID : FrSIRT/ALRT-2008-06061
Aliases : N/A
Size : 12696 bytes
Rated as : Low Risk
Release Date : 2008-10-14


Description

This worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OTORUN.AJ

Credits

Reported by Trend Micro

WORM_VOTERAI.N
Oct 14, 2008 7:21AM PDT

Alert ID : FrSIRT/ALRT-2008-06062
Aliases : N/A
Size : Varies
Rated as : Low Risk
Release Date : 2008-10-14


Description

This worm may be downloaded from remote sites by other malware. It may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_VOTERAI.N

Credits

Reported by Trend Micro

WORM_SYSTEM.AP
Oct 14, 2008 7:22AM PDT

Alert ID : FrSIRT/ALRT-2008-06056
Aliases : N/A
Size : 31744 bytes
Rated as : Low Risk
Release Date : 2008-10-14


Description

This worm may be dropped or downloaded from remote site(s) by other malware. It may also be downloaded unknowingly by a user when visiting malicious Web site(s).

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SYSTEM.AP

Credits

Reported by Trend Micro

Troj/Agent-HXC
Oct 14, 2008 7:25AM PDT
Troj/Renos-BD
Oct 14, 2008 11:11AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Renos-BD is a Trojan for the Windows platform.

Troj/Renos-BD includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Renos-BD attempts to download additional malware to:
<Temp>Mischief<Random>.gif
(Downloaded files are currently also detected as Troj/Renos-BD)

The following registry entry is created to run Troj/Renos-BD on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSFox
<pathname of the Trojan executable>

Registry entries are created under:

HKLM\SOFTWARE\Mozilla\MSFox

http://www.sophos.com/security/analyses/viruses-and-spyware/trojrenosbd.html?_log_from=rss

Troj/Invo-Zip
Oct 14, 2008 11:13AM PDT
Troj/FakeAle-IK
Oct 14, 2008 11:14AM PDT
Troj/Dloadr-BVS
Oct 14, 2008 11:15AM PDT
Troj/DelReg-D
Oct 14, 2008 11:16AM PDT
Troj/Clckr-LH
Oct 14, 2008 11:17AM PDT
Troj/BHO-HI
Oct 14, 2008 11:18AM PDT

Aliases Trojan.Win32.Agent.aguj

Category Viruses and Spyware

Type Trojan

Troj/BHO-HI is a Trojan for the Windows platform.

The Troj/BHO-HI is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}
HKCR\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhohi.html?_log_from=rss

Troj/Agent-HXI
Oct 14, 2008 11:19AM PDT
Troj/Agent-HXH
Oct 14, 2008 11:20AM PDT
OF97/Crown-E
Oct 14, 2008 11:21AM PDT