VIRUS \ SPYWARE ALERTS - October 1st, 2009

by Marianna Schmudlach / September 30, 2009 11:30 PM PDT
Troj/BredoZp-H
by Marianna Schmudlach / September 30, 2009 11:31 PM PDT
Troj/PDFJs-DL
by Marianna Schmudlach / September 30, 2009 11:31 PM PDT
Troj/PDFJs-DM
by Marianna Schmudlach / September 30, 2009 11:32 PM PDT
Troj/Poison-BM
by Marianna Schmudlach / September 30, 2009 11:33 PM PDT
W32/SillyFDC-DY
by Marianna Schmudlach / September 30, 2009 11:34 PM PDT
W32/SillyFDC-DZ
by Marianna Schmudlach / September 30, 2009 11:34 PM PDT
Troj/Agent-LIB
by Marianna Schmudlach / September 30, 2009 11:35 PM PDT
Troj/Buzus-BC
by Marianna Schmudlach / September 30, 2009 11:36 PM PDT
Troj/Buzus-BD
by Marianna Schmudlach / September 30, 2009 11:36 PM PDT
W32/Autorun-ASB
by Marianna Schmudlach / September 30, 2009 11:37 PM PDT
Troj/Mdrop-CGN
by Marianna Schmudlach / September 30, 2009 11:38 PM PDT
Troj/Dloadr-CUQ
by Marianna Schmudlach / September 30, 2009 11:39 PM PDT
Troj/Capa-Gen
by Marianna Schmudlach / September 30, 2009 11:40 PM PDT
Troj/Agent-LIA
by Marianna Schmudlach / September 30, 2009 11:40 PM PDT
Mal/ZipMal-C
by Marianna Schmudlach / September 30, 2009 11:41 PM PDT
Troj/Clomp-L
by Marianna Schmudlach / September 30, 2009 11:42 PM PDT
Troj/Bckdr-QZA
by Marianna Schmudlach / September 30, 2009 11:43 PM PDT
Mal/FakeAV-AX
by Marianna Schmudlach / September 30, 2009 11:44 PM PDT
Troj/Zbot-II
by Marianna Schmudlach / September 30, 2009 11:44 PM PDT
Troj/Zbot-IH
by Marianna Schmudlach / September 30, 2009 11:45 PM PDT
Troj/VkKont-A
by Marianna Schmudlach / September 30, 2009 11:46 PM PDT
Troj/FakeAV-AEB
by Marianna Schmudlach / September 30, 2009 11:47 PM PDT
Troj/BHO-NW
by Marianna Schmudlach / September 30, 2009 11:48 PM PDT

Category: Viruses and Spyware

Type: Trojan

Affected operating systems: Windows

Troj/BHO-NW is a Browser Helper Object for the Windows platform.

Once installed, Troj/BHO-NW injects itself into the process space of Internet Explorer and sets the following registry entries:

HKCR\AppID\webperform.DLL
AppID
{B9FD8E0A-17E0-48de-AB1D-70DDAA35D577}

HKCR\AppID\{B9FD8E0A-17E0-48de-AB1D-70DDAA35D577}
(default)
WebPerform

HKCR\CLSID\{AB692F9B-27FE-4511-8885-ED62BB45197B}
(default)
WebPerform Object

HKCR\CLSID\{AB692F9B-27FE-4511-8885-ED62BB45197B}
AppID
{B9FD8E0A-17E0-48de-AB1D-70DDAA35D577}

HKCR\Interface\{E498D54B-8307-483A-8CA0-55E4573DD63A}
(default)
IWebPerform

HKCR\TypeLib\{B9FD8E0A-17E0-48DE-AB1D-70DDAA35D577}
(default)
WebPerform 1.0 Type Library

Registry entries are also created under:

HKCR\Interface\{E498D54B-8307-483A-8CA0-55E4573DD63A}\

HKCR\TypeLib\{B9FD8E0A-17E0-48DE-AB1D-70DDAA35D577}\

HKCR\Web.Perform.1
HKCR\Web.Perform

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB692F9B-27FE-4511-8885-ED62BB45197B}
(default)
WebPerform

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhonw.html?_log_from=rss
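
As an added example (not part of the original post or of the Sophos write-up it quotes): a small Python script that parses a Regedit export (.reg text) and matches it against the Troj/BHO-NW registry indicators listed above. It distinguishes the IE load point under "Browser Helper Objects" (which makes the BHO actually load) from leftover COM registration keys. The sample export, the InprocServer32 DLL path and the second, unrelated BHO CLSID are constructed placeholders; the indicator keys, value names and GUIDs are the ones from the write-up.

```python
"""Match a Regedit (.reg) export against the Troj/BHO-NW registry indicators."""

# Indicators copied from the Troj/BHO-NW write-up above. Registry keys and GUIDs
# are case-insensitive, so everything is compared upper-cased.
APPID = "{B9FD8E0A-17E0-48DE-AB1D-70DDAA35D577}"
CLSID = "{AB692F9B-27FE-4511-8885-ED62BB45197B}"
IFACE = "{E498D54B-8307-483A-8CA0-55E4573DD63A}"
BHO_LIST = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def rk(*parts):
    """Join registry path components with backslashes."""
    return "\\".join(parts)


# key -> expected value names and data; an empty dict means the key's existence
# is itself the indicator (the two ProgIDs).
INDICATORS = {
    rk("HKCR", "AppID", "webperform.DLL"): {"AppID": APPID},
    rk("HKCR", "AppID", APPID): {"(default)": "WebPerform"},
    rk("HKCR", "CLSID", CLSID): {"(default)": "WebPerform Object", "AppID": APPID},
    rk("HKCR", "Interface", IFACE): {"(default)": "IWebPerform"},
    rk("HKCR", "TypeLib", APPID): {"(default)": "WebPerform 1.0 Type Library"},
    rk("HKCR", "Web.Perform.1"): {},
    rk("HKCR", "Web.Perform"): {},
    rk(BHO_LIST, CLSID): {"(default)": "WebPerform"},
}

# Regedit exports spell hives out in full; the write-up uses the short forms.
HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}


def normalize_key(key):
    """Abbreviate the hive name and upper-case the whole path for comparison."""
    hive, sep, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive.upper()) + sep + rest).upper()


def parse_reg_export(text):
    """Parse Regedit export text into {normalized_key: {value_name: data}}.

    Only quoted REG_SZ values are unescaped; other types (e.g. 'dword:00000001')
    keep their raw text, which is enough for indicator matching.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip().strip('"')
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def match_bho_nw(keys):
    """Return (verdict, hits); hits is a list of (indicator_key, matched_value_names).

    'infected' when the IE load point for the BHO CLSID is present, 'residue'
    when only COM registration leftovers match, 'clean' when nothing matches.
    """
    hits = []
    for key, expected in INDICATORS.items():
        present = keys.get(normalize_key(key))
        if present is None:
            continue
        matched = [name for name, data in expected.items()
                   if present.get(name, "").upper() == data.upper()]
        hits.append((key, matched))
    if normalize_key(rk(BHO_LIST, CLSID)) in keys:
        return "infected", hits
    return ("residue" if hits else "clean"), hits


# Constructed sample export: the DLL path and the second BHO CLSID are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AB692F9B-27FE-4511-8885-ED62BB45197B}]
@="WebPerform Object"
"AppID"="{B9FD8E0A-17E0-48de-AB1D-70DDAA35D577}"

[HKEY_CLASSES_ROOT\CLSID\{AB692F9B-27FE-4511-8885-ED62BB45197B}\InprocServer32]
@="C:\\PLACEHOLDER\\webperform.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\Web.Perform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AB692F9B-27FE-4511-8885-ED62BB45197B}]
@="WebPerform"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@="Unrelated toolbar (placeholder)"
'''

if __name__ == "__main__":
    verdict, hits = match_bho_nw(parse_reg_export(SAMPLE_EXPORT))
    print(verdict)
    for key, matched in hits:
        print(" ", key, matched)
```

On a live machine the same indicator table can be fed from `reg export HKCR hkcr.reg` and `reg export HKLM hklm.reg` output; only the HKLM "Browser Helper Objects" entry decides whether IE still loads the object, which is why it drives the verdict.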

Troj/Banker-EUN
by Marianna Schmudlach / September 30, 2009 11:48 PM PDT
Troj/Agent-LHS
by Marianna Schmudlach / September 30, 2009 11:49 PM PDT
Avert Labs Low-Profiled Threat Notice: FakeAlert-EA
by Marianna Schmudlach / September 30, 2009 11:50 PM PDT

Notice
This is a Low-Profiled Threat Notice for FakeAlert-EA

Justification
FakeAlert-EA has been deemed Low-Profiled due to media attention at link: http://www.netguide.co.nz/200910011177/latest-malware-exploit-tsunami-warnings.php

Read About It
Information about FakeAlert-EA is located on VIL at: http://vil.nai.com/vil/content/v_162829.htm

Detection
FakeAlert-EA was first discovered on September 30, 2009 and detection will be added to the 5758 dat files (Release Date: October 1, 2009).

If you suspect you have FakeAlert-EA, please submit a sample to <http://www.webimmune.net>

Avert Labs Low-Profiled Threat Notice: Downloader-BQZ.a
by Marianna Schmudlach / September 30, 2009 11:51 PM PDT

Notice
This is a Low-Profiled Threat Notice for Downloader-BQZ.a

Justification
Downloader-BQZ.a has been deemed Low-Profiled due to media attention at http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=220300592

Read About It
Information about Downloader-BQZ.a is located on VIL at: http://vil.nai.com/vil/content/v_237377.htm

Detection
Downloader-BQZ.a was first discovered on October 1, 2009 and detection will be added to the 5759 dat files (Release Date: October 2, 2009).

If you suspect you have Downloader-BQZ.a, please submit a sample to <http://www.webimmune.net>

Trojan.Kissderfrom
by Marianna Schmudlach / September 30, 2009 11:52 PM PDT
Another embassy site hit in Fake AV attack
by Marianna Schmudlach / September 30, 2009 11:54 PM PDT

Earlier on today I noticed that the web site for one of the embassies in Paris has been hit by malware. This continues the "YAE" (yet another embassy) series we introduced in previous blogs [1,2,3].

This current attack provides a classic example of some of the techniques that the rogue AV criminals are using.

1. SEO techniques. The attackers appear to have exploited a content management system (CMS) being used on the embassy site, in order to upload numerous keyword-stuffed pages (typically called "doorway" or SEO pages). Users searching for popular terms may end up clicking through to one of these pages, starting the infection process.
2. Traffic redirection. The SEO pages load a malicious JavaScript that has also been uploaded to the embassy site. This in turn loads another script, this time from a remote server. This second script is responsible for redirection of the user to the relevant payload. Checking the referrer, the script redirects the user if they have come via a search engine.
3. Fake AV payload. The redirection script checks the referrer before redirecting the user to the appropriate payload.

Digging deeper on the embassy site, it is not surprising they have been hit. The version of the CuteNews CMS application they are using is out of date (v1.4.6 appears to be the latest version).

More: http://www.sophos.com/blogs/sophoslabs/

Win32/Bredolab.LT
by Marianna Schmudlach / September 30, 2009 11:56 PM PDT

Date Published: 1 Oct 2009

Last Updated: 1 Oct 2009

Type: Trojan

Category: Win32

Also known as: Troj/Agent-KVM (Sophos), Backdoor.Win32.Bredolab.gx (Kaspersky), TrojanDownloader:Win32/Bredolab.X (MS OneCare)


Description
Win32/Bredolab.LT is a trojan that downloads malicious files from a remote server and executes them on the affected machine. It arrives as an attachment to an email message that uses social engineering techniques to encourage recipients to open it.

Method of Infection

Win32/Bredolab.LT usually arrives as a malicious attachment on a spammed email message masquerading as a notification email from UPS.

The email contains the following Subject:

UPS Tracking Number {Random Code}

where "Random Code" is a code generated by the trojan.

More: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=79698
