VIRUS \ Spyware ALERTS - October 16, 2008

Category Viruses and Spyware

Type Trojan

Troj/Doc-Zip is a family of zip files that contain malware.

Members of Troj/Doc-Zip are usually sent in spam pretending to contain information in an attached document, and the zip file containing the document is often password-protected.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdoczip.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpdfexw.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeaves.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbvw.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthxt.html?_log_from=rss

Thursday, October 16, 2008

This site is a sister to WiniGuard, a rogue antispyware program related to Innovagest 2000? a noted bad actor?

However, there are no downloadable binaries. Something to keep an eye on, though.

More: http://sunbeltblog.blogspot.com/index.html

Category Viruses and Spyware

Type Worm

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/w32alcrag.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzlobapi.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbstla.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojozloggen.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojkeylohl.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/Invo-Zip is a family of zip files that contain malware.

Members of Troj/Invo-Zip are usually sent in spam pretending to relate to an invoice or receipt, often one related to a UPS transaction or to tax.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojinvozip.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/FakeAle-IN is a Trojan for the Windows platform.

When Troj/FakeAle-IN is installed the following file is also created:

<Current Folder>\wcm.exe - detected as Troj/FakeAle-IN

The following registry entry is created to run Troj/FakeAle-IN on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\
smile
<Path to executable>\wcs.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealein.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/FakeAle-IM is a Trojan for the Windows platform.

When Troj/FakeAle-IM is installed the following files are created:

<Current Folder>\iebt.dll - detected as Troj/FakeAle-IM
<Current Folder>\iebtmm.exe - detected as Troj/FakeAle-IM

The following registry entry is created to run Troj/FakeAle-IM on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
start
<pathname of the Trojan executable>

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealeim.html?_log_from=rss

Aliases Win32/Sinowal.gen!M
Trojan.Mebroot

Category Viruses and Spyware

Type Trojan

Troj/Agent-HXU is a Trojan for the Windows platform.

When first run, Troj/Agent-HXU copies itself to:
<Temp&gt<number>.tmp

Troj/Agent-HXU then drops and runs a second file as:
<Temp&gt<number>.tmp
This second file is a rootkit used to stealth Troj/Agent-HXU.
( The rootkit is detected as Troj/Mbroot-Gen )

Troj/Agent-HXU communicates with a remote server via HTTP.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthxu.html?_log_from=rss

Category Viruses and Spyware

Type Malicious Behavior

Mal/EncPk-FP is a malicious packed executable file, often used by members of the Pushdo and Pushu family of Trojans.

http://www.sophos.com/security/analyses/viruses-and-spyware/malencpkfp.html?_log_from=rss

Alert ID : FrSIRT/ALRT-2008-06155
Aliases : N/A
Size : Varies
Rated as : Low Risk
Release Date : 2008-10-16


Description

This Trojan arrives on the system as a file downloaded from a certain URL.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZBOT.QT

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06156
Aliases : N/A
Size : 116489 bytes
Rated as : Low Risk
Release Date : 2008-10-16


Description

This worm may arrive via removable drives. It also propagates via removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ONLINEG.AFU

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06157
Aliases : N/A
Size : 4566589 bytes
Rated as : Low Risk
Release Date : 2008-10-16


Description

This worm may arrive via removable drives. It also propagates via removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BANKER.EDN

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06158
Aliases : N/A
Size : 2557 bytes
Rated as : Low Risk
Release Date : 2008-10-16


Description

This VBScript may be hosted on a Web site and run when a user accesses the said Web site. It takes advantage of the ADODB.STREAM Object Exploit, which causes a certain file to be downloaded from the Internet. It connects to a Web site to download a file. However, as of the time of this writing, the said Web site is currently inaccessible. It then executes the downloaded file(s). As a result, malicious routines of the downloaded files are exhibited on the affected system.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=VBS_PSYME.DJY

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06159
Aliases : N/A
Size : 28672 bytes
Rated as : Low Risk
Release Date : 2008-10-16


Description

This Trojan may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DROPPER.FV

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06124
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-16


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32sillyfdccr.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06142
Aliases : Trojan.Java.ClassLoader.ap - JAVA_BYTEVER.BQ - TROJ_JAVA.AT - Exploit:Java/ByteVerify.E
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-16


Description

Troj/ByteV-B is a Trojan for the Windows platform. Troj/ByteV-B may drop files during execution that are detected as Troj/ByteV-AC and Troj/ByteV-AD.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbytevb.html

Credits

Reported by Sophos