VIRUS \ SPYWARE ALERTS - October 15, 2009

by Marianna Schmudlach / October 15, 2009 12:07 AM PDT
Troj/FakeVir-PK
by Marianna Schmudlach / October 15, 2009 12:08 AM PDT
Troj/PWS-BEW
by Marianna Schmudlach / October 15, 2009 12:09 AM PDT

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows
Characteristics:
* Drops more malware
* Installs itself in the registry

Troj/PWS-BEW is a Trojan for the Windows platform.

Troj/PWS-BEW includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/PWS-BEW communicates via HTTP with the following locations:

http://[removed].yourtrap.com/ed.jpg

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsbew.html?_log_from=rss

Troj/SWFExp-S
by Marianna Schmudlach / October 15, 2009 12:09 AM PDT
Troj/VB-EJD
by Marianna Schmudlach / October 15, 2009 12:10 AM PDT

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows
Characteristics:
* Installs itself in the registry

Troj/VB-EJD is a Trojan for the Windows platform.

Troj/VB-EJD includes functionality to run automatically.

When Troj/VB-EJD is installed the following files are created:

<System>\plugin1.dat
<System>\regsrv32.exe

The following registry entries are created to run regsrv32.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath
<System>\regsrv32.exe s

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Server Registry
<System>\regsrv32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Server Registry
<System>\regsrv32.exe

Registry entries are created under:

HKLM\SOFTWARE\Wget
HKCU\Software\Wget

http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbejd.html?_log_from=rss

Troj/Agent-LKZ
by Marianna Schmudlach / October 15, 2009 12:11 AM PDT

Affected operating systems: Windows
Characteristics:
* Installs itself in the registry

Troj/Agent-LKZ is a Trojan for the Windows platform.

Troj/Agent-LKZ includes functionality to run automatically and create files in the <WINDOWS>\system32 folder.

When Troj/Agent-LKZ is installed the following files are created:

<User>\reader_s.exe
<System>\reader_s.exe

The following registry entry is created to run reader_s.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reader_s
<System>\reader_s.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlkz.html?_log_from=rss

Troj/Agent-LKJ
by Marianna Schmudlach / October 15, 2009 12:12 AM PDT

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows

Troj/Agent-LKJ is a Trojan for the Windows platform.

Troj/Agent-LKJ has functionality to communicate with a remote server via HTTP.

When run Troj/Agent-LKJ copies itself to the <Temp> folder as svchost.exe and creates the following files:

<Temp>\system.exe (also detected as Troj/Agent-LKJ)
<System>\sdra64.exe (also detected as Troj/Agent-LKJ)
<System>\lowsec\local.ds (can be safely deleted)
<System>\lowsec\user.ds.lll (can be safely deleted)

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<Temp>
svchost.exe
<Temp>\svchost.exe:*:Enabled:svchost.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlkj.html?_log_from=rss
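An added example, not part of the Sophos writeup above and not Sophos tooling: a PowerShell audit of the legacy Windows Firewall allow-list that Troj/Agent-LKJ adds itself to. It assumes the Windows XP / Server 2003 key layout the writeup shows (AuthorizedApplications\List under StandardProfile and DomainProfile); Vista and later keep per-application rules under FirewallPolicy\FirewallRules in a different format, which this script does not parse. The function names, the $SystemBinaryNames list and the user-writable directory pattern are this example's own choices, and the sample entry at the bottom is constructed from the writeup's value with <Temp> expanded for a typical XP profile.

```powershell
# Added example (not from the Sophos writeup): audit the XP-era Windows Firewall
# AuthorizedApplications allow-list for entries like the one Troj/Agent-LKJ creates.
# Assumption: XP/2003 key layout; Vista+ FirewallRules values are not handled here.

$SystemBinaryNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe',
                       'winlogon.exe', 'explorer.exe', 'spoolsv.exe', 'alg.exe')

function Test-FirewallAllowEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Name,   # value name: path of the allowed program
        [Parameter(Mandatory = $true)][string]$Data    # value data: "<path>:*:Enabled:<display name>"
    )
    $reasons = @()
    # The path contains a drive-letter colon, so split on every colon and rebuild the path
    # from everything before the last three fields (scope, state, display name).
    $parts = $Data -split ':'
    if ($parts.Count -lt 4) {
        return [pscustomobject]@{ Path = $Name; Display = ''; Enabled = $false
                                  Suspicious = $true; Reasons = 'unparseable value data' }
    }
    $display = $parts[-1]
    $enabled = ($parts[-2] -eq 'Enabled')
    $path    = [Environment]::ExpandEnvironmentVariables(($parts[0..($parts.Count - 4)] -join ':'))
    $leaf    = [IO.Path]::GetFileName($path)
    $dir     = [IO.Path]::GetDirectoryName($path)
    $sysDir  = [Environment]::SystemDirectory            # e.g. C:\WINDOWS\system32

    # A program that needs a firewall hole should not live in a profile or temp directory.
    if ($path -match '\\(Temp|Local Settings|AppData|Documents and Settings|Users)\\') {
        $reasons += 'program lives in a user-writable profile or temp directory'
    }
    # A Windows binary name outside System32 is the masquerade the writeup describes.
    if ($SystemBinaryNames -contains $leaf -and $dir -ne $sysDir) {
        $reasons += "system binary name '$leaf' outside $sysDir"
    }
    if (-not (Test-Path -LiteralPath $path)) {
        $reasons += 'program file not found'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }
    [pscustomobject]@{
        Path = $path; Display = $display; Enabled = $enabled
        Suspicious = ($enabled -and $reasons.Count -gt 0)   # a disabled entry opens nothing
        Reasons = ($reasons -join '; ')
    }
}

function Get-SuspiciousFirewallAllowEntries {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
        $key = "$base\$fwProfile\AuthorizedApplications\List"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...), not entries
            $r = Test-FirewallAllowEntry -Name $p.Name -Data ([string]$p.Value)
            if ($r.Suspicious) {
                $r | Add-Member -NotePropertyName Profile -NotePropertyValue $fwProfile -PassThru
            }
        }
    }
}

# Constructed sample: the Troj/Agent-LKJ entry with <Temp> expanded for an XP profile.
$sample = 'C:\Documents and Settings\user\Local Settings\Temp\svchost.exe'
Test-FirewallAllowEntry -Name $sample -Data "${sample}:*:Enabled:svchost.exe" | Format-List

# Live audit of this machine's allow-lists.
Get-SuspiciousFirewallAllowEntries | Format-Table Profile, Path, Display, Reasons -AutoSize -Wrap
```

The tell in the writeup's entry is the combination of a Windows binary name with a path under the user's Temp directory: the genuine svchost.exe lives in System32 and is not normally listed here at all. The signature check is secondary on XP, where many Windows files are catalog-signed and report NotSigned, so treat it as corroboration rather than as the primary signal.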

Troj/Delf-FDQ
by Marianna Schmudlach / October 15, 2009 12:13 AM PDT
Troj/PDFJs-EA
by Marianna Schmudlach / October 15, 2009 12:13 AM PDT
Troj/PWS-BES
by Marianna Schmudlach / October 15, 2009 12:14 AM PDT
Troj/PSW-HH
by Marianna Schmudlach / October 15, 2009 12:15 AM PDT

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows
Characteristics:
* Installs itself in the registry
* Monitors browser activity
* Opens links to websites

Troj/PSW-HH attempts to steal usernames and passwords for the following online services and accounts:

MSN Live
World of Warcraft
Yahoo
battle.net
Comcast
Google
AOL
Web.de

Troj/PSW-HH is installed as a DLL file that is run via svchost on the infected PC. It specifically checks to see if it is running on XP or Vista.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpswhh.html?_log_from=rss
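An added example, not from the Sophos writeup: since Troj/PSW-HH runs as a DLL inside svchost.exe, the question for a responder is which service DLLs svchost is actually loading. This PowerShell script, assuming an elevated session on the machine under examination, walks the Service Control Manager keys for svchost-hosted services and flags DLLs that live outside System32, are missing, or fail signature verification. The function names and the "strong versus weak evidence" rule at the end are this example's own.

```powershell
# Added example (not from the Sophos writeup): list the DLLs svchost.exe hosts and flag
# the ones that do not look like Windows components. Assumes an elevated session.

function Get-SvchostServiceDll {
    # svchost.exe reads the DLL to load from the service's ServiceDll value, which may sit
    # either directly under the service key or under its Parameters subkey.
    foreach ($svcKey in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -Path $svcKey.PSPath -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath) { continue }
        if ($svc.ImagePath -notmatch '\\svchost\.exe\b') { continue }

        $dll = $svc.ServiceDll
        if (-not $dll) {
            $params = Get-ItemProperty -Path (Join-Path $svcKey.PSPath 'Parameters') -ErrorAction SilentlyContinue
            if ($params) { $dll = $params.ServiceDll }
        }
        if (-not $dll) { continue }

        # svchost is started with "-k <group>"; the group tells you which svchost process hosts the DLL.
        $group = if ($svc.ImagePath -match '-k\s+(\S+)') { $Matches[1] } else { '' }

        [pscustomobject]@{
            Service    = $svcKey.PSChildName
            Group      = $group
            ServiceDll = [Environment]::ExpandEnvironmentVariables($dll)
        }
    }
}

function Test-ServiceDll {
    param([Parameter(ValueFromPipeline = $true)][pscustomobject]$Entry)
    process {
        $reasons = @(); $sig = $null
        $path   = $Entry.ServiceDll
        $sysDir = [Environment]::SystemDirectory                    # e.g. C:\WINDOWS\system32
        $wowDir = $sysDir -replace 'system32$', 'SysWOW64'
        $dir    = [IO.Path]::GetDirectoryName($path)

        $outside = $false
        if (-not $dir) {
            $reasons += 'relative path (resolved against the loader search path, not System32)'
            $outside = $true
        } elseif ($dir -ne $sysDir -and $dir -ne $wowDir) {
            $reasons += "outside $sysDir"
            $outside = $true
        }
        $missing = -not (Test-Path -LiteralPath $path)
        if ($missing) {
            $reasons += 'file not found'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }
        # On XP/2003 most Windows DLLs are catalog-signed and report NotSigned here, so an
        # unsigned DLL inside System32 is weak evidence on its own; a DLL outside System32,
        # a missing file, or a tampered (HashMismatch) signature is strong evidence.
        $suspicious = $outside -or $missing -or ($sig -and $sig.Status -eq 'HashMismatch')

        [pscustomobject]@{
            Service    = $Entry.Service
            Group      = $Entry.Group
            ServiceDll = $path
            Suspicious = $suspicious
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Full inventory first (useful as a baseline to diff later), then only the suspicious rows.
Get-SvchostServiceDll | Test-ServiceDll | Format-Table Service, Group, ServiceDll, Reasons -AutoSize -Wrap
Get-SvchostServiceDll | Test-ServiceDll | Where-Object { $_.Suspicious } | Format-Table -AutoSize -Wrap
```

Third-party software does legitimately register svchost-hosted services with DLLs under Program Files, so "outside System32" is a triage queue rather than a verdict; the combination the writeup implies, a DLL with no vendor signature hosted in a group such as netsvcs, is what deserves a closer look.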

Troj/FakeAV-AFI
by Marianna Schmudlach / October 15, 2009 12:16 AM PDT
Troj/Dloadr-CVK
by Marianna Schmudlach / October 15, 2009 12:17 AM PDT
Troj/BHO-OB
by Marianna Schmudlach / October 15, 2009 12:18 AM PDT
Troj/Agent-LLD
by Marianna Schmudlach / October 15, 2009 12:19 AM PDT
Mal/EncPk-KY
by Marianna Schmudlach / October 15, 2009 12:19 AM PDT
Bloodhound.Exploit.274
by Marianna Schmudlach / October 15, 2009 12:20 AM PDT

Discovered: October 15, 2009
Updated: October 15, 2009 3:19:17 AM
Type: Trojan, Virus
Systems Affected: Windows 98, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
CVE References: CVE-2009-2518

Bloodhound.Exploit.274 is a heuristic detection for files attempting to exploit the Microsoft GDI+ Malformed Office BMP File Integer Overflow Remote Code Execution Vulnerability (BID 36651).

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-101502-2805-99

TROJ_PIDIEF.ASP
by Marianna Schmudlach / October 15, 2009 12:21 AM PDT

A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to have infected several Indian, Thai, and New Zealand websites.

The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates.

The Trojan belongs to an old but notable malware family known as "ASProx," which plagued the Web last year. It was so notable that it made its way to Trend Micro's Top 8 in 2008 list.

Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggered redirections to various malicious URLs that ultimately led to the download of more malicious files.

More: http://blog.trendmicro.com/

Troj/FakeAV-AFK
by Marianna Schmudlach / October 15, 2009 2:33 AM PDT

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows

Troj/FakeAV-AFK is a Trojan for the Windows platform.

Troj/FakeAV-AFK includes functionality to:

- run automatically
- access the internet and communicate with a remote server via HTTP

Troj/FakeAV-AFK communicates via HTTP with the following locations:

http://okaveanubares DOT com/<random>
http://erubamerkafdolo DOT com/<random>
http://buleropihdertan DOT com/<random>
http://uvgadferbotario DOT com/<random>
http://dabertugabusrav DOT com/<random>
http://tsarbunerkadosa DOT com/<random>
http://ofaderhpabewuit DOT com/<random>
http://linkertaguboert DOT com/<random>
http://konitorswabure DOT com/<random>


When Troj/FakeAV-AFK is installed the following files are created:

<User>\Application Data\seres.exe
<User>\Application Data\svcst.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\Internet Explorer\Download
CheckExeSignatures
no

HKCU\Software\Microsoft\Internet Explorer\Download
RunInvalidSignatures
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes
zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
SaveZoneInformation
0x00000001

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\DownloadManager

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavafk.html?_log_from=rss
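An added example, not part of the Sophos writeup: the four registry values Troj/FakeAV-AFK sets all disable download safeguards (the Authenticode check on downloaded executables, the block on invalid signatures, the Attachment Manager prompt for listed file types, and the zone information that marks files as having come from the Internet). This PowerShell script audits those values against the Windows defaults and can restore them. It assumes the current user's hive; pass -Hive 'Registry::HKEY_USERS\<SID>' to audit another loaded profile. The function names and the list of "risky" extensions are this example's own.

```powershell
# Added example (not from the Sophos writeup): audit and restore the IE download and
# Attachment Manager settings that Troj/FakeAV-AFK weakens. "Safe" means the Windows default.

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DownloadHardening {
    param([string]$Hive = 'HKCU:')
    $ieDownload = "$Hive\Software\Microsoft\Internet Explorer\Download"
    $assoc      = "$Hive\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
    $findings = @()

    $v = Get-RegValue $ieDownload 'CheckExeSignatures'
    if ("$v" -eq 'no') {
        $findings += [pscustomobject]@{ Key = $ieDownload; Name = 'CheckExeSignatures'; Current = $v; Expected = 'yes'
            Impact = 'Authenticode check on downloaded executables is skipped' }
    }
    $v = Get-RegValue $ieDownload 'RunInvalidSignatures'
    if ($v -eq 1) {
        $findings += [pscustomobject]@{ Key = $ieDownload; Name = 'RunInvalidSignatures'; Current = $v; Expected = 0
            Impact = 'executables with invalid signatures run without a warning' }
    }
    $v = Get-RegValue $assoc 'SaveZoneInformation'
    if ($v -eq 1) {
        # 1 = "Do not preserve zone information"; absent or 2 keeps the mark-of-the-web.
        $findings += [pscustomobject]@{ Key = $assoc; Name = 'SaveZoneInformation'; Current = $v; Expected = 'absent (or 2)'
            Impact = 'downloaded files are not tagged with their Internet zone' }
    }
    $v = Get-RegValue $assoc 'LowRiskFileTypes'
    if ($v) {
        # Types listed here skip the "Open File - Security Warning" prompt. Entries may appear
        # with or without the leading dot (the writeup shows "zip;.rar;..."), so normalise them.
        $risky  = @('.exe', '.msi', '.reg', '.cab', '.com', '.scr', '.bat', '.cmd', '.pif', '.vbs', '.js', '.hta')
        $listed = ("$v" -split ';') | ForEach-Object { '.' + $_.Trim().TrimStart('.').ToLower() } | Where-Object { $_ -ne '.' }
        $hits   = $listed | Where-Object { $risky -contains $_ }
        if ($hits) {
            $findings += [pscustomobject]@{ Key = $assoc; Name = 'LowRiskFileTypes'; Current = $v; Expected = 'absent'
                Impact = "these types skip the attachment prompt: $($hits -join ' ')" }
        }
    }
    return $findings
}

function Repair-DownloadHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Hive = 'HKCU:')
    $ieDownload = "$Hive\Software\Microsoft\Internet Explorer\Download"
    $assoc      = "$Hive\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
    if ($PSCmdlet.ShouldProcess($ieDownload, 'set CheckExeSignatures=yes, RunInvalidSignatures=0')) {
        if (-not (Test-Path $ieDownload)) { New-Item -Path $ieDownload -Force | Out-Null }
        Set-ItemProperty -Path $ieDownload -Name CheckExeSignatures   -Value 'yes' -Type String
        Set-ItemProperty -Path $ieDownload -Name RunInvalidSignatures -Value 0     -Type DWord
    }
    # Removing the two policy values returns the Attachment Manager to "not configured".
    if ((Test-Path $assoc) -and $PSCmdlet.ShouldProcess($assoc, 'remove LowRiskFileTypes and SaveZoneInformation')) {
        Remove-ItemProperty -Path $assoc -Name LowRiskFileTypes, SaveZoneInformation -ErrorAction SilentlyContinue
    }
}

# Report first, then preview the repair without changing anything; drop -WhatIf to apply it.
Test-DownloadHardening | Format-Table Name, Current, Expected, Impact -AutoSize -Wrap
Repair-DownloadHardening -WhatIf
```

Restoring these values does not remove the trojan; run the repair after the files under <User>\Application Data have been dealt with, otherwise a still-running seres.exe or svcst.exe can simply set them again.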

Troj/DownLnk-I
by Marianna Schmudlach / October 15, 2009 2:33 AM PDT
Troj/Buzus-BK
by Marianna Schmudlach / October 15, 2009 2:34 AM PDT
Troj/Agent-LLO
by Marianna Schmudlach / October 15, 2009 2:35 AM PDT
Troj/Agent-LLM
by Marianna Schmudlach / October 15, 2009 2:36 AM PDT

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows

Troj/Agent-LLM is a Trojan for the Windows platform.

Troj/Agent-LLM includes functionality to run automatically.

Troj/Agent-LLM changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

Registry entries are set as follows:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentllm.html?_log_from=rss

Mal/FakeAV-BN
by Marianna Schmudlach / October 15, 2009 2:37 AM PDT
Mal/FakeAV-AD
by Marianna Schmudlach / October 15, 2009 7:00 AM PDT
Mal/FakeAV-BM
by Marianna Schmudlach / October 15, 2009 7:01 AM PDT

Category: Viruses and Spyware
Type: Malicious Behavior
Affected operating systems: Windows
Characteristics:
* Installs itself in the registry

Mal/FakeAV-BM is an application for the Windows platform that exhibits malicious behavior.

Mal/FakeAV-BM is a fake security application that fraudulently reports a user's system as infected and will not clean up these fraudulent reports until the user pays and registers the application.

http://www.sophos.com/security/analyses/viruses-and-spyware/malfakeavbm.html?_log_from=rss

Troj/Agent-LLN
by Marianna Schmudlach / October 15, 2009 7:02 AM PDT
Troj/Agent-LLP
by Marianna Schmudlach / October 15, 2009 7:03 AM PDT
Troj/Bdoor-AXT
by Marianna Schmudlach / October 15, 2009 7:03 AM PDT
Troj/BredoZp-H
by Marianna Schmudlach / October 15, 2009 7:04 AM PDT
Troj/Delf-FDR
by Marianna Schmudlach / October 15, 2009 7:05 AM PDT

Category: Viruses and Spyware
Type: Trojan
Affected operating systems: Windows
Characteristics:
* Installs itself in the registry

Troj/Delf-FDR is a Trojan for the Windows platform.

Troj/Delf-FDR includes functionality to run automatically.

When Troj/Delf-FDR is installed it creates the file <System>\algs.exe.

The following registry entry is created to run algs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Application Layer Gateway Service
<System>\algs.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdelffdr.html?_log_from=rss
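An added example, not part of any of the Sophos writeups in this thread: Troj/VB-EJD, Troj/Agent-LKZ and Troj/Delf-FDR all persist through Run keys (VB-EJD also through an Active Setup StubPath), and two of them use file names one or two characters away from a real Windows binary (regsrv32.exe for regsvr32.exe, algs.exe for alg.exe). This PowerShell script enumerates those autostart locations and flags lookalike names, missing targets and unsigned targets. The $KnownBinaries list, the edit-distance threshold of 2, and the function names are this example's own choices; the check at the bottom runs the lookalike logic on the three file names from the writeups before auditing the live machine.

```powershell
# Added example (not from the Sophos writeups): audit Run/RunOnce and Active Setup StubPath
# entries and flag binaries whose names are near-misses of genuine Windows binaries.
# Assumption: $KnownBinaries is a starting point, not a complete inventory of Windows.

$KnownBinaries = @('svchost.exe', 'regsvr32.exe', 'rundll32.exe', 'alg.exe', 'lsass.exe', 'csrss.exe',
                   'services.exe', 'winlogon.exe', 'explorer.exe', 'spoolsv.exe', 'ctfmon.exe', 'userinit.exe')

function Get-EditDistance([string]$a, [string]$b) {
    # Plain Levenshtein distance (a swapped pair such as regsrv/regsvr counts as 2).
    $a = $a.ToLower(); $b = $b.ToLower()
    $rows = $a.Length + 1; $cols = $b.Length + 1
    $d = New-Object 'int[,]' $rows, $cols
    for ($i = 0; $i -lt $rows; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -lt $cols; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -lt $rows; $i++) {
        for ($j = 1; $j -lt $cols; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-AutostartEntries {
    # Run/RunOnce values for both hives, plus Active Setup StubPath values, as (Source, Name, Command).
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not autostart values
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
    # Active Setup runs StubPath once per user at logon, so it re-infects every new profile.
    $asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($comp in Get-ChildItem $asKey -ErrorAction SilentlyContinue) {
        $stub = (Get-ItemProperty -Path $comp.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub) { [pscustomobject]@{ Source = "$asKey\$($comp.PSChildName)"; Name = 'StubPath'; Command = [string]$stub } }
    }
}

function Get-CommandExecutable([string]$Command) {
    # First token of the command line: a quoted path, or everything up to the first space
    # (so "regsrv32.exe s" yields regsrv32.exe). Assumption: unquoted paths with spaces are not handled.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+', 2)[0]
}

function Test-AutostartEntry {
    param([Parameter(ValueFromPipeline = $true)][pscustomobject]$Entry)
    process {
        $exe  = Get-CommandExecutable $Entry.Command
        $leaf = [IO.Path]::GetFileName($exe)
        $reasons = @()
        if ($leaf -and $KnownBinaries -notcontains $leaf) {
            $near = $KnownBinaries | Where-Object { (Get-EditDistance $leaf $_) -le 2 }
            if ($near) { $reasons += "name resembles $($near -join ', ')" }
        }
        if (-not $exe) { $reasons += 'empty command' }
        elseif (-not (Test-Path -LiteralPath $exe)) { $reasons += 'target file not found' }
        else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        }
        [pscustomobject]@{ Source = $Entry.Source; Name = $Entry.Name; Executable = $exe
                           Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
    }
}

# Lookalike logic on the file names from the writeups (constructed input), then the live audit.
foreach ($n in 'regsrv32.exe', 'algs.exe', 'reader_s.exe') {
    $near = $KnownBinaries | Where-Object { (Get-EditDistance $n $_) -le 2 }
    '{0} -> {1}' -f $n, $(if ($near) { $near -join ', ' } else { 'no lookalike' })
}
Get-AutostartEntries | Test-AutostartEntry | Where-Object { $_.Suspicious } | Format-Table -AutoSize -Wrap
```

The value name is free text and proves nothing: Troj/Delf-FDR labels its entry "Application Layer Gateway Service", which is the display name of the genuine ALG service, but that service runs alg.exe from System32 under the Service Control Manager and never needs a Run entry. Judge the binary the command points at, not the name the entry was given.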
