VIRUS \ Spyware ALERTS - October 23, 2008

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojautoitab.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentiah.html?_log_from=rss

Category Viruses and Spyware

Type Malicious Behavior

Mal/Autorun-D is a program which displays characteristics unique to worms which spread by copying themselves to removable devices.

http://www.sophos.com/security/analyses/viruses-and-spyware/malautorund.html?_log_from=rss

Alert ID : FrSIRT/ALRT-2008-06372
Aliases : N/A
Size : 3320 bytes
Rated as : Low Risk
Release Date : 2008-10-23


Description

This Trojan's infection routine starts from an email message spammed by another malware or a malicious user. Clicking a link in the spammed message leads a user to download this Trojan into the system. It connects to a certain URL to download a file. The downloaded file is detected by Trend Micro as TSPY_SNIFF.KAX. It then executes the downloaded file. As a result, malicious routines of the downloaded file are exhibited on the affected system.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.HR

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06373
Aliases : N/A
Size : 128000 bytes
Rated as : Low Risk
Release Date : 2008-10-23


Description

This Trojan arrives as attachment to email messages spammed by another malware or a malicious user.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.HD

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06374
Aliases : N/A
Size : 1266688 bytes
Rated as : Low Risk
Release Date : 2008-10-23


Description

This Trojan arrives as attachment to email messages spammed by another malware or a malicious user.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEAV.KX

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06375
Aliases : N/A
Size : 1244127 bytes
Rated as : Low Risk
Release Date : 2008-10-23


Description

Upon execution, it creates a folder and drops a copy of itself on the created folder. It also drops non-malicious files on the affected system.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RUNAUTO.AF

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06376
Aliases : N/A
Size : 50688 bytes
Rated as : Low Risk
Release Date : 2008-10-23


Description

This Trojan arrives as a file downloaded from a certain URL. Upon execution, it drops a copy of itself and its components on the system. It modifies the system registry to enable its automatic execution at every system startup. It then attempts to access a certain Web site to download its configuration file. The said file contains information on where the malware can download an updated copy of itself, and on where it can send its stolen data. This configuration file also contains a list of targeted bank-related Web sites to monitor from which it steals information.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZBOT.OU

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06377
Aliases : N/A
Size : 36954 bytes
Rated as : Low Risk
Release Date : 2008-10-23


Description

This Trojan arrives as a file downloaded from a certain URL. Upon execution, it drops a copy of itself and its components on the system. It modifies the system registry to enable its automatic execution at every system startup. It then attempts to access a certain Web site to download its configuration file. The said file contains information on where the malware can download an updated copy of itself, and on where it can send its stolen data. This configuration file also contains a list of targeted bank-related Web sites to monitor from which it steals information.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_VB.JBG

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06378
Aliases : N/A
Size : Varies
Rated as : Low Risk
Release Date : 2008-10-23


Description

This Trojan arrives as a file downloaded from a remote URL.

References

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZBOT.US

Credits

Reported by Trend Micro

Alert ID : FrSIRT/ALRT-2008-06362
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-23


Description

Troj/Ifgif-A is an image file that attempts to redirect users to remote websites.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojifgifa.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06363
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-23


Description

Troj/Nettroj-B copies itself as <UserProfile>\Temp\WinUpdter.exe Troj/Nettroj-B creates following registry entries to run itself on the startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ WindowsUpdater <UserProfile>\Temp\WinUpdter.exe .

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojnettrojb.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06366
Aliases : Infostealer.Bancos - TrojanSpy:Win32/Banker - PWS-Banker.gen.q - TR/Spy.Banker.acn
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-23


Description

Troj/Bank-E is a password stealing Trojan for the Windows platform that targets internet banking usernames and passwords.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbanke.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06367
Aliases : Trojan-Banker.Win32.Banker.oi - TrojanSpy:Win32/Banker - Infostealer.Bancos - Infostealer.Banpaes
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-23


Description

Troj/Bank-F is a password stealing Trojan for the Windows platform that targets internet banking usernames and passwords.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbankf.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06371
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-23


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunmp.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06322
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-23


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152886.htm

Credits

Reported by McAfee

Alert ID : FrSIRT/ALRT-2008-06323
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-23


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152858.htm

Credits

Reported by McAfee

Alert ID : FrSIRT/ALRT-2008-06325
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-23


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152842.htm

Credits

Reported by McAfee

Category Viruses and Spyware

Type Trojan

Troj/Sub7-Gen is a family of backdoor Trojans.

A server program is installed on the target computer, which allows remote clients to take control of the infected computer.

Additionally, it is typical that keystrokes and passwords can be recorded and the registry edited.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojsub7gen.html?_log_from=rss

Aliases Trojan-Spy.Win32.Delf.x
TROJ_KEYLOGF.A
TrojanSpy:Win32/Pesko
TrojanSpy:Win32/Banker
TR/Spy.Banker.Gen
PWS-Banker.gen.b
nfostealer.Bancos.gen

Category Viruses and Spyware

Type Trojan

Troj/PWS-AVA is a password stealing Trojan for the Windows platform.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsava.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojinjectdb.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirgp.html?_log_from=rss

Category Viruses and Spyware

Type Malicious Behavior

Mal/AutoInf-A is a malicious file that may cause malware to be executed when the media containing the file is accessed by a computer running Windows. It is typically used by worms for the Windows platform.

http://www.sophos.com/security/analyses/viruses-and-spyware/malautoinfa.html?_log_from=rss

Notice
This is a Low-Profiled Threat Notice for Spy-Agent.da

Justification
Spy-Agent.da has been deemed a Low-Profiled threat due to it's association with a Critical Microsoft Windows vulnerability. Spy-Agent.da has been observed as a payload to active exploits of the MS08-067 vulnerability.

Read About It
Information about Spy-Agent.da is located on VIL at: http://vil.mcafeesecurity.com/vil/content/v_152898.htm
See Also: http://vil.nai.com/vil/content/v_vul40728.htm (MS08-067 vulnerability)

Detection
Spy-Agent.da was first discovered on October 23, 2008 and detection will be added to the 5414 Dat files (Release Date: October 23, 200.

Though we consider this Low Profiled threat assessment, users can obtain an extra.dat for protection and cleaning via the following site:
https://www.webimmune.net/extra/getextra.aspx

If you suspect you have Spy-Agent.da, please submit a sample to <http://www.webimmune.net>

Name : Trojan-Spy:W32/Gimmiv.A
Type: Trojan-Spy
Category: Malware
Platform: W32

Summary
This type of trojan secretly installs spy programs and/or keylogger programs.

Registry Modifications
Creates these keys:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr
DisplayName = System Maintenance Service ErrorControl = 0
ImagePath = [System Folder]\svchost.exe -k sysmgr
ObjectName = LocalSystem
Start = 0x00000002(2)
type = 0x00000110(272)

http://www.f-secure.com/v-descs/trojan-spy_w32_gimmiv_a.shtml

Discovered: October 23, 2008
Updated: October 24, 2008 12:00:33 AM
Type: Trojan, Virus

Bloodhound.Exploit.212 is a heuristic detection for files attempting to exploit Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-102323-4508-99