
VIRUS \ Spyware ALERTS - October 15, 2008

Oct 14, 2008 2:47PM PDT

W32/Antinny-BH
Oct 15, 2008 7:22AM PDT

Aliases Win32/Antinny worm
Worm.Win32.Antinny.ai
virus
W32/Antinny.BH

Category Viruses and Spyware

Type Worm

W32/Antinny-BH is a worm for the Windows platform.

When first run W32/Antinny-BH copies itself to:

<Program Files>\Messenger\spoolsv.exe
<Program Files>\bearshare\bearshare965.exe

The following registry entries are created to run W32/Antinny-BH on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
spoolsv
"<Program Files>\Messenger\spoolsv.exe" /start

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ara-key
"<Program Files>\bearshare\bearshare965.exe" /startup

http://www.sophos.com/security/analyses/viruses-and-spyware/w32antinnybh.html?_log_from=rss

Troj/Zlob-APH
Oct 15, 2008 7:23AM PDT

Troj/Small-EMM
Oct 15, 2008 7:24AM PDT

Troj/Iframe-BF
Oct 15, 2008 7:27AM PDT

Troj/FakeAV-ER
Oct 15, 2008 7:28AM PDT

Troj/DownLd-AA
Oct 15, 2008 7:29AM PDT

Troj/Dloadr-BVU
Oct 15, 2008 7:30AM PDT

Troj/CHMDrop-C
Oct 15, 2008 7:31AM PDT

Category Viruses and Spyware

Type Trojan

When Troj/CHMDrop-C is run, it drops the following files:

- <Windows>\Downloaded Program Files\svchost.exe
- <Temporary internet files>\svchost.exe
- <Application data>\Adobe\reader_sl.exe

All the above files are detected as Troj/CHMDrop-C.

The following registry entry is created:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Adobe Reader Speed Launcher
<path to executable>\reader_sl.exe


http://www.sophos.com/security/analyses/viruses-and-spyware/trojchmdropc.html?_log_from=rss

Troj/ByteV-B
Oct 15, 2008 7:32AM PDT

Troj/Agent-HXQ
Oct 15, 2008 7:33AM PDT

Aliases PWS:Win32/Yahoopass.H

Category Viruses and Spyware

Type Trojan

Troj/Agent-HXQ is a Trojan for the Windows platform.

When Troj/Agent-HXQ is installed the following files are created:

<System>\googlejd.dll
<System>\sys.dat

Both these files are also detected as Troj/Agent-HXQ. The file googlejd.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA58FB5-AADE-4E31-8E63-BCB33D59E8E2}
HKCR\CLSID\{2DA58FB5-AADE-4E31-8E63-BCB33D59E8E2}

Troj/Agent-HXQ changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthxq.html?_log_from=rss

Alot Toolbar Installer
Oct 15, 2008 7:34AM PDT

Sus/Sality-A
Oct 15, 2008 7:35AM PDT

Category Suspicious behavior and files

Type Suspicious behavior

What's been detected Sus/Sality-A exhibits characteristics commonly, but not exclusively, found in malware.

Sus/Sality-A is a file that displays characteristics or behavior typically associated with malware.

Sus/Sality-A is a file that may have been infected by W32/Sality-AM.

Please send a sample to Sophos support to assist in improving our technology.

http://www.sophos.com/security/analyses/suspicious-behavior-and-files/sussalitya.html?_log_from=rss

Sus/ObfJS-BD
Oct 15, 2008 7:36AM PDT

WORM_AUTORUN.CTO
Oct 15, 2008 7:38AM PDT

TROJ_RENOS.AMC
Oct 15, 2008 7:39AM PDT

Alert ID : FrSIRT/ALRT-2008-06106
Aliases : N/A
Size : 184832 bytes
Rated as : Low Risk
Release Date : 2008-10-15


Description

This worm drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_RENOS.AMC

Credits

Reported by Trend Micro
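The autorun mechanism the post above describes (a dropped copy launched through an AUTORUN.INF when the drive is accessed), as an added example in Python. This is not Trend Micro's or the poster's code: it parses an AUTORUN.INF, lists every command the file could cause to run, reports which of them point at executables on the drive itself, and checks the NoDriveTypeAutoRun policy value that suppresses autorun for removable drives. The inf contents and the file name setup.exe are constructed for the example and are not taken from a real sample.

```python
"""Inspect an AUTORUN.INF of the kind the post describes and report what it
would execute when the drive is opened.  Added example, not Trend Micro's or
the forum poster's code; the inf text and file names are constructed."""
import re

# Constructed sample: a worm-style autorun.inf that launches the dropped copy
# on insertion (open / shellexecute) and from every Explorer verb as well.
SAMPLE_AUTORUN = r"""[autorun]
; a comment line; keys Windows does not know are simply ignored here
open=setup.exe
shellexecute=setup.exe
shell\open\command=setup.exe
shell\explore\command=setup.exe
shell=open
icon=%SystemRoot%\system32\shell32.dll,4
label=Removable Disk
"""

EXEC_KEYS = {"open", "shellexecute"}
VERB_RE = re.compile(r"shell\\([^\\]+)\\command")


def parse_autorun(text):
    """[autorun] section as {lower-cased key: value}; comment lines and
    lines without '=' are skipped rather than treated as errors."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Every command the file could cause to run: open= and shellexecute=
    (used on insertion when autorun is enabled) plus shell\\<verb>\\command=
    (Explorer's context-menu verbs; shell=<verb> makes one the default)."""
    return {k: v for k, v in entries.items()
            if k in EXEC_KEYS or VERB_RE.fullmatch(k)}


def executable_of(command):
    """Path of the program in a command line, quotes and arguments removed."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    return cmd.split()[0].lower()


def on_drive_executables(entries):
    """Executables that resolve against the inserted drive itself (relative
    paths, or paths rooted at '\\'), which is where a self-copying worm puts
    the copy its autorun.inf starts."""
    result = set()
    for cmd in launch_commands(entries).values():
        exe = executable_of(cmd)
        if not re.match(r"^[a-z]:\\", exe) and not exe.startswith("\\\\"):
            result.add(exe)
    return result


# NoDriveTypeAutoRun (HKLM or HKCU \Software\Microsoft\Windows\CurrentVersion
# \Policies\Explorer) is a bitmask of drive types for which autorun is
# suppressed: 0x04 is DRIVE_REMOVABLE, 0xFF covers every type.
REMOVABLE = 0x04
ALL_DRIVES = 0xFF


def autorun_blocked_for_removable(no_drive_type_autorun):
    """True when the policy value suppresses autorun on removable drives."""
    return bool(no_drive_type_autorun & REMOVABLE)


if __name__ == "__main__":
    entries = parse_autorun(SAMPLE_AUTORUN)
    for key, cmd in launch_commands(entries).items():
        print(f"{key:24} -> {cmd}")
    print("runs from the drive:", sorted(on_drive_executables(entries)))
    print("0x91 (unknown and network drives only) blocks removable?",
          autorun_blocked_for_removable(0x91))
    print("0xFF blocks removable?", autorun_blocked_for_removable(ALL_DRIVES))
```

Point the script at a suspect drive with `parse_autorun(open("E:\\autorun.inf").read())`; anything it reports under "runs from the drive" is the file the worm wants started, and a NoDriveTypeAutoRun value without the 0x04 bit means inserting the drive would have run it.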

TROJ_ROOTKIT.BI
Oct 15, 2008 7:40AM PDT

Email-VBS/Gedza.B
Oct 15, 2008 7:42AM PDT

Alert ID : FrSIRT/ALRT-2008-06064
Aliases : N/A
Size : 274380 bytes
Rated as : Low Risk
Release Date : 2008-10-15


Description

This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

References

http://www.f-secure.com/v-descs/email-worm_vbs_gedza_b.shtml

Credits

Reported by F-Secure

Troj/DelReg-D
Oct 15, 2008 7:44AM PDT

Alert ID : FrSIRT/ALRT-2008-06094
Aliases : TROJ_DELREG.Y - TR/Vundo.Gen
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-15


Description

Troj/DelReg-D is a Trojan for the Windows platform that attempts to delete the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdelregd.html

Credits

Reported by Sophos

Troj/Clckr-LH
Oct 15, 2008 7:45AM PDT

Alert ID : FrSIRT/ALRT-2008-06093
Aliases : AdClicker-GO.dll
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-15


Description

Troj/Clckr-LH is a Trojan for the Windows platform. Troj/Clckr-LH includes functionality to access the internet and communicate with a remote server via HTTP.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojclckrlh.html

Credits

Reported by Sophos

Troj/BHO-HI
Oct 15, 2008 7:47AM PDT

Alert ID : FrSIRT/ALRT-2008-06092
Aliases : Trojan.Win32.Agent.aguj
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-15


Description

Troj/BHO-HI is a Trojan for the Windows platform. Troj/BHO-HI is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}
HKCR\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}

Registry entries are set as follows:

HKCR\XML.XML.1\CLSID
(default)
{500BCA15-57A7-4eaf-8143-8C619470B13D}

HKCR\XML.XML\CLSID
(default)
{500BCA15-57A7-4eaf-8143-8C619470B13D}

Registry entries are created under:

HKCR\XML.XML

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhohi.html

Credits

Reported by Sophos
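The two persistence mechanisms that recur in the Sophos write-ups in this thread are Run-key autostarts (W32/Antinny-BH, Troj/CHMDrop-C) and Browser Helper Object registrations (Troj/Agent-HXQ, Troj/BHO-HI). The following is an added example in Python, not Sophos's or any poster's code, that triages a Windows `.reg` export offline for both: it flags autostarts whose file name is a system binary (spoolsv.exe, svchost.exe) living outside System32, autostarts launched from a profile or browser-cache directory, file names and CLSIDs listed in the posts, and resolves every registered BHO CLSID to the DLL Internet Explorer would load. The export text is constructed from the paths and CLSIDs in the posts; the drive letter, Windows directory and user profile name are assumed.

```python
"""Offline triage of a Windows .reg export for Run-key autostarts and BHO
registrations.  Added example, not Sophos's or the forum poster's code; the
export below is constructed from the indicators in the posts, with an
assumed drive letter, Windows directory and user name."""
import re

# Indicators taken from the posts in this thread.
IOC_FILES = {"bearshare965.exe", "googlejd.dll", "sys.dat"}
IOC_CLSIDS = {"{2DA58FB5-AADE-4E31-8E63-BCB33D59E8E2}",  # Troj/Agent-HXQ
              "{500BCA15-57A7-4EAF-8143-8C619470B13D}"}  # Troj/BHO-HI
# Genuine Windows binaries with these names live only in %SystemRoot%\system32.
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe"}
# Autostarts pointing into these directories deserve a second look.
WRITABLE_DIRS = ("\\application data\\", "\\temporary internet files\\",
                 "\\downloaded program files\\", "\\temp\\")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolsv"="\"C:\\Program Files\\Messenger\\spoolsv.exe\" /start"
"ara-key"="\"C:\\Program Files\\bearshare\\bearshare965.exe\" /startup"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="\"C:\\Documents and Settings\\user\\Application Data\\Adobe\\reader_sl.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA58FB5-AADE-4E31-8E63-BCB33D59E8E2}]

[HKEY_CLASSES_ROOT\CLSID\{2DA58FB5-AADE-4E31-8E63-BCB33D59E8E2}\InprocServer32]
@="C:\\WINDOWS\\system32\\googlejd.dll"
"ThreadingModel"="Apartment"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote inside string values
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """{key path: {value name: data}}; '' is the (default) value.  Only
    string (REG_SZ) data is unescaped; other types are kept verbatim."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})  # keep value-less keys, e.g. BHO entries
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            reg[key][name] = data
    return reg


def get_key(reg, path):
    """Case-insensitive key lookup (registry paths are not case sensitive)."""
    path = path.lower()
    return next((v for k, v in reg.items() if k.lower() == path), {})


def exe_from_command(cmd):
    """Executable path from a Run value; an unquoted path is cut after the
    first '.exe' (a heuristic, since spaces are then ambiguous)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd.split(" ")[0]


def triage_run_keys(reg):
    """(key, value name, exe, reason) for each suspicious autostart."""
    findings = []
    for key, values in reg.items():
        if not re.search(r'\\currentversion\\run(once)?$', key, re.I):
            continue
        for name, cmd in values.items():
            exe = exe_from_command(cmd)
            low = exe.lower()
            base = low.rsplit("\\", 1)[-1]
            if base in IOC_FILES:
                findings.append((key, name, exe, "known indicator from this thread"))
            elif base in SYSTEM_BINARIES and "\\system32\\" not in low:
                findings.append((key, name, exe, "system binary name outside System32"))
            elif any(d in low for d in WRITABLE_DIRS):
                findings.append((key, name, exe, "autostart from a profile or cache directory"))
    return findings


def triage_bhos(reg):
    """(CLSID, in-process DLL, reason) for every registered BHO, resolved
    through HKCR\\CLSID\\{clsid}\\InprocServer32 the way IE loads it."""
    findings = []
    for key in reg:
        m = re.search(r'\\browser helper objects\\(\{[0-9a-f-]+\})$', key, re.I)
        if not m:
            continue
        clsid = m.group(1).upper()
        server = get_key(reg, f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InprocServer32")
        dll = server.get("", "<no InprocServer32>")
        base = dll.lower().rsplit("\\", 1)[-1]
        suspicious = clsid in IOC_CLSIDS or base in IOC_FILES
        findings.append((clsid, dll,
                         "known indicator from this thread" if suspicious else "review manually"))
    return findings


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for f in triage_run_keys(reg):
        print("RUN", *f)
    for f in triage_bhos(reg):
        print("BHO", *f)
```

On a real machine, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU Run, Browser Helper Objects and HKCR\CLSID keys) writes a UTF-16 file; read it with `open(path, encoding="utf-16").read()` before passing it to `parse_reg`. The rules deliberately key on where a file lives rather than only on its name: the spoolsv.exe and svchost.exe copies in these posts are outside System32, and the fake "Adobe Reader Speed Launcher" starts from Application Data, which is what distinguishes them from the genuine entries with the same names.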