Spyware, Viruses, & Security forum

General discussion

VIRUS \ SPYWARE ALERTS - October 21, 2009

by Marianna Schmudlach / October 20, 2009 11:54 PM PDT

Troj/Delf-FDT
by Marianna Schmudlach / October 20, 2009 11:55 PM PDT

Troj/DnsChg-A
by Marianna Schmudlach / October 20, 2009 11:56 PM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

Characteristics

* Installs itself in the registry


Troj/DnsChg-A is a Trojan for the Windows platform.

Troj/DnsChg-A communicates via HTTP with the following locations:

dnscheckin . com


Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DnsUpdater2

Troj/DnsChg-A provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "DNS Changer (remove only)".

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdnschga.html?_log_from=rss

Troj/Dras-B
by Marianna Schmudlach / October 20, 2009 11:56 PM PDT

Troj/DwnLdr-HXT
by Marianna Schmudlach / October 20, 2009 11:57 PM PDT

Troj/FakeAV-AFV
by Marianna Schmudlach / October 20, 2009 11:58 PM PDT

Troj/PDFJs-DW
by Marianna Schmudlach / October 20, 2009 11:59 PM PDT

Troj/Renos-DZ
by Marianna Schmudlach / October 20, 2009 11:59 PM PDT

Troj/Agent-LNB
by Marianna Schmudlach / October 21, 2009 12:00 AM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

Troj/Agent-LNB is a Trojan for the Windows platform.

When run, it replaces the original system file "eventlog.dll" with a dropped copy of itself and also leaves an original version of this module ("eventlog.dll") in the same folder under the name "logevent.dll".

As it completely replaces the original file, there is no way to restrain this "eventlog.dll", and the user could be advised to get it from backup.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlnb.html?_log_from=rss

Troj/Dldr-CB
by Marianna Schmudlach / October 21, 2009 12:01 AM PDT

Troj/Voter-F
by Marianna Schmudlach / October 21, 2009 12:02 AM PDT

Troj/DwnLdr-HXR
by Marianna Schmudlach / October 21, 2009 12:03 AM PDT

Troj/Dloadr-CVV
by Marianna Schmudlach / October 21, 2009 12:04 AM PDT

Troj/Dloadr-CVU
by Marianna Schmudlach / October 21, 2009 12:04 AM PDT

Troj/Agent-LMY
by Marianna Schmudlach / October 21, 2009 12:05 AM PDT

Trojan.FakeAV!gen5
by Marianna Schmudlach / October 21, 2009 12:08 AM PDT

Discovered: October 20, 2009
Updated: October 20, 2009 9:15:04 PM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Trojan.FakeAV!gen5 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal themselves from antivirus software. Samples detected as Trojan.FakeAV!gen5 are likely to belong to the Trojan.FakeAV family of Trojans.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-102020-5723-99

Trojan.FakeAV!gen4
by Marianna Schmudlach / October 21, 2009 12:08 AM PDT

Discovered: October 20, 2009
Updated: October 20, 2009 10:51:57 PM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Trojan.FakeAV!gen4 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal themselves from antivirus software. Samples detected as Trojan.FakeAV!gen4 are likely to belong to the Trojan.FakeAV family of Trojans.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-102022-2733-99

Trojan.FakeAV!gen6
by Marianna Schmudlach / October 21, 2009 12:09 AM PDT

Discovered: October 21, 2009
Updated: October 21, 2009 11:31:42 AM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Trojan.FakeAV!gen6 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal themselves from antivirus software. Samples detected as Trojan.FakeAV!gen6 are likely to belong to the Trojan.FakeAV family of Trojans.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-102111-3142-99

Win32/Veebuu.BD
by Marianna Schmudlach / October 21, 2009 12:10 AM PDT

Date Published:
21 Oct 2009

Last Updated:
21 Oct 2009


Type : Worm

Category : Win32

Also known as: WORM_JER.A (Trend), W32.SillyDC (Symantec), W32/VB-DOC (Sophos), W32/Virut.n (McAfee), Virus.Win32.Virut.ce (Kaspersky), Virus:Win32/Virut.BM (MS OneCare)


Description
Win32/Veebuu.BD is a worm that propagates through mapped network drives and removable drives.

Method of Infection

When executed, Win32/Veebuu.BD drops a copy of itself to the following location:

c:\windows\SYSTEMIL.EXE

It drops a copy of itself to the Root Directory, using any of the following filenames:

Documents.exe
Pictures.exe
Photos.exe
Games.exe

Win32/Veebuu.BD also drops a copy of itself to the default Startup directory. If the operating system is WinXP or Windows Vista, the worm copies itself to the following locations.

More: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=80030

Win32/AntivirusPro2010.AU
by Marianna Schmudlach / October 21, 2009 12:11 AM PDT

Date Published:
21 Oct 2009

Last Updated:
21 Oct 2009


Type : Trojan

Category : Win32

Also known as: Generic FakeAlert!cr (McAfee), TrojanDownloader:Win32/FakeRean (MS OneCare)


Description
This malware is detected by eTrust Antivirus solutions. Please see above for the relevant signature updates.

This malware is being dissected by the CA Security Advisory Team - a detailed analysis will be available shortly.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=80041

Win32/AntiVirusPro2010.AQ
by Marianna Schmudlach / October 21, 2009 12:12 AM PDT

Date Published:
21 Oct 2009

Last Updated:
21 Oct 2009


Type : Trojan

Category : Win32

Also known as: FakeAlert-AB.dldr (McAfee), Packed.Generic.258 (Symantec), TrojanDownloader:Win32/FakeRean (MS OneCare)


Description
This malware is detected by eTrust Antivirus solutions. Please see above for the relevant signature updates.

This malware is being dissected by the CA Security Advisory Team - a detailed analysis will be available shortly.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=80042

Win32/AdvancedVirusRemover.G
by Marianna Schmudlach / October 21, 2009 12:13 AM PDT

Type : Trojan

Category : Win32

Also known as: FakeAlert-FA (McAfee), Mal/FakeVirPk-A (Sophos), Trojan:Win32/Fakeinit (MS OneCare)


Description
Win32/AdvancedVirusRemover.G is a trojan that masquerades as legitimate security software. It displays deceptive warning messages to convince the user to buy a copy of the trojan software.

Method of Infection

Upon execution, the trojan displays its user interface, "Advanced Virus Remover", and then pretends to scan the user's machine and detect malware on the infected system.

More: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=80019

Bredolab.gen.d
by Marianna Schmudlach / October 21, 2009 12:15 AM PDT

McAfee Labs Low-Profiled Threat Notice: Generic FakeAlert!9F
by Marianna Schmudlach / October 21, 2009 12:19 AM PDT

Notice
This is a Low-Profiled Threat Notice for Generic FakeAlert!9F6E4576

Justification
Generic FakeAlert!9F6E4576 has been deemed Low-Profiled due to media attention at: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220700200

Read About It
Information about Generic FakeAlert!9F6E4576 is located on VIL at: http://vil.nai.com/vil/Content/v_239164.htm

Detection
Generic FakeAlert!9F6E4576 was first discovered on October 20, 2009 and detection will be added to the 5778 dat files (Release Date: October 21, 2009).

If you suspect you have Generic FakeAlert!9F6E4576, please submit a sample to <http://www.webimmune.net>

W32/Mytob-KL
by Marianna Schmudlach / October 21, 2009 3:12 AM PDT

Category

* Viruses and Spyware

Type

* Worm


Affected operating systems

* Windows

Characteristics

* Installs itself in the registry


W32/Mytob-KL is a worm for the Windows platform.

W32/Mytob-KL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Mytob-KL copies itself to <Windows>\btnmgern.exe.

The following registry entries are created to run btnmgern.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Director Video
btnmgern.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Director Video
btnmgern.exe

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<Current Folder>\<original filename>:*:Enabled:Director Video

http://www.sophos.com/security/analyses/viruses-and-spyware/w32mytobkl.html?_log_from=rss

W32/Autorun-ATK
by Marianna Schmudlach / October 21, 2009 3:13 AM PDT

Troj/FakeAV-AFW
by Marianna Schmudlach / October 21, 2009 3:14 AM PDT

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

Characteristics

* Installs itself in the registry


Troj/FakeAV-AFW is a Trojan for the Windows platform.

When Troj/FakeAV-AFW is installed the following files are created:

<System>\rndl64\logs.dat
<System>\rndl64\rndl64a.exe

The following registry entries are created to run rndl64a.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{782FEHF0-3R7K-X1JY-T877-7KHDBD4IU361}
StubPath
<System>\rndl64\rndl64a.exe Restart

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
rndl32as
<System>\rndl64\rndl64a.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rndl64g
<System>\rndl64\rndl64a.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
rndl32as
<System>\rndl64\rndl64a.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
rndl64f
<System>\rndl64\rndl64a.exe

Registry entries are created under:

HKLM\SOFTWARE\Licenses
HKCU\Software\SpyNet
HKCU\Software\V
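
A triage check for the startup and firewall entries listed in the W32/Mytob-KL and Troj/FakeAV-AFW posts above, added here as an example and not part of the forum posts or the vendors' write-ups: it scans the text of a `reg export` file for the autorun, Active Setup and firewall-exception values those posts name. The function names and the sample export are constructed for illustration, and the sample assumes `<System>` resolves to `C:\WINDOWS\system32`.

```python
import re

# Indicators copied from the W32/Mytob-KL and Troj/FakeAV-AFW posts above.
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\policies\explorer\run")
ACTIVE_SETUP = r"\microsoft\active setup\installed components" + "\\"
FIREWALL_LIST = r"\firewallpolicy\standardprofile\authorizedapplications\list"
DROPPED_FILES = ("btnmgern.exe", r"\rndl64\rndl64a.exe")
FIREWALL_LABEL = ":enabled:director video"

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, value name, data) for entries matching the indicators."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = STRING_VALUE.match(line)
        if not m:
            continue  # header, blank line, or a non-string value type
        name, data = unescape(m.group(1)), unescape(m.group(2))
        k, d = key.lower(), data.lower()
        autorun = k.endswith(AUTORUN_SUFFIXES) or (
            ACTIVE_SETUP in k and name.lower() == "stubpath")
        if autorun and any(f in d for f in DROPPED_FILES):
            hits.append((key, name, data))
        elif k.endswith(FIREWALL_LIST) and d.endswith(FIREWALL_LABEL):
            hits.append((key, name, data))
    return hits

# Constructed sample in .reg export syntax (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Director Video"="btnmgern.exe"
"SoundMan"="SOUNDMAN.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rndl64f"="C:\\WINDOWS\\system32\\rndl64\\rndl64a.exe"
'''

if __name__ == "__main__":
    print(*scan_reg_export(SAMPLE), sep="\n")
```

`reg export` writes UTF-16 text, so decode the file with `encoding="utf-16"` before passing its contents to `scan_reg_export`.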

Troj/Drop-EB
by Marianna Schmudlach / October 21, 2009 3:15 AM PDT

Troj/BytVrfy-C
by Marianna Schmudlach / October 21, 2009 3:15 AM PDT

Troj/Alure-F
by Marianna Schmudlach / October 21, 2009 3:16 AM PDT

Troj/Agent-LNE
by Marianna Schmudlach / October 21, 2009 8:22 AM PDT