
VIRUS \ Spyware ALERTS - October 27, 2008

Oct 26, 2008 2:52PM PDT

New kit, but with an achilles heel
Oct 27, 2008 6:45AM PDT

27 October 2008

For the last couple of weeks, I have been watching a series of new, related web attack sites surfacing. All follow a similar modus operandi, with an attack site exploiting a bundle of client-side vulnerabilities, some of which are pretty old:

MDAC (MS06-014)
NCTAudioFile2.AudioFile ActiveX control (CVE-2007-0018)
Snapshot Viewer (MS08-041)
MSDDS (MS05-052)
Visual Studio MSMask32 (CVE-2008-3704)
Adobe Acrobat Reader (CVE-2007-5659)

Nothing hugely interesting or novel then, just another batch of attack sites popping up, most likely thanks to the creation and sale of some new attack toolkit. At this point I have not identified the specific kit that has been used to construct the attack sites we are seeing. There is a pretty diverse range of malware being installed from these sites, ranging from banking Trojans to stealthing backdoors (including Troj/Agent-IAT, Troj/Ambler-F and Mal/EncPk-BU). An example attack is illustrated below:

More: http://www.sophos.com/security/blog/2008/10/1885.html

Troj/Tiotua-U.
Oct 27, 2008 6:47AM PDT

27 October 2008 17:05 GMT

HIPS HIPS Hooray for proactive detection
This morning, looking through the customer submissions to Sophos (how to submit samples), I saw a sample with the "Rule or identity name triggered by this file (if applicable)" form field filled in as HIPS/RegMon-009.

Looking at SophosLabs' automated scans of this sample, it was a malicious AutoIt file. Running the file through the automated replication rigs here in SophosLabs, it also hit the following HIPS rules:

HIPS/RegMod-001
HIPS/RegMod-002
HIPS/RegMod-009
HIPS/RegMod-012
HIPS/FileMod-004

More: http://www.sophos.com/security/blog/2008/10/1884.html

W32/Imaut-D
Oct 27, 2008 7:15AM PDT
Troj/Agent-IBJ
Oct 27, 2008 7:16AM PDT
Troj/Agent-IBI
Oct 27, 2008 7:17AM PDT
Troj/Fanbot-L
Oct 27, 2008 9:30AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Fanbot-L is a Trojan for the Windows platform.

Troj/Fanbot-L includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Fanbot-L copies itself to <System>\llwzjy081027.exe and creates the following files:

<User>\jjjydf16.ini
<Root>\dfDelmlljy.bat
<System>\mvjaj32dla.dll

The file mvjaj32dla.dll is detected as Mal/Behav-236.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfanbotl.html?_log_from=rss

Troj/FakeAV-FL
Oct 27, 2008 9:31AM PDT
Troj/DwnLdr-HJS
Oct 27, 2008 9:33AM PDT

Category Viruses and Spyware

Type Trojan

Troj/DwnLdr-HJS is a Trojan for the Windows platform.

Troj/DwnLdr-HJS includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, Troj/DwnLdr-HJS copies itself to:

<All Users>\Application Data\<random>\<random>.exe

The Trojan will also copy itself to ihidebox.exe.bak in the location where it was executed.

Troj/DwnLdr-HJS creates the following registry entries (key, then value name = value data):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
<random> = <path to Trojan>

HKCU\Uninstall
<random> = 1226588034

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhjs.html?_log_from=rss

Troj/Drop-BF
Oct 27, 2008 9:34AM PDT

Category Viruses and Spyware

Type Trojan

When first run, Troj/Drop-BF creates the following files:

<System>\siemens.dll
<System>\sfl.txt
<Windows>\inform.dat

The file siemens.dll, which is already detected as Mal/Generic-A, is installed as a Browser Helper Object, and made to start when Windows is started with the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47D92EB6-E52C-4cda-92A6-2369963F4913}

HKCR\CLSID\{47D92EB6-E52C-4cda-92A6-2369963F4913}\InprocServer32
(Default) = siemens32.dll

The files sfl.txt and inform.dat are related to the keylogging activities of the siemens.dll file and can be safely deleted.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdropbf.html?_log_from=rss
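The DwnLdr-HJS and Drop-BF write-ups above both persist through the registry: one as a value under Policies\Explorer\Run, the other as a Browser Helper Object whose CLSID points at a DLL through InprocServer32. The triage script below is an added example, not code from Sophos or from anyone in this thread. It goes beyond the two specific entries in the write-ups: it enumerates every entry of both kinds on the local host, follows each to the file that would actually be loaded, and reports whether that file exists and carries a valid Authenticode signature. It assumes PowerShell 3.0 or later on Windows; the Wow6432Node paths are the 32-bit views that a 32-bit BHO lands in on 64-bit Windows, and the function and variable names are this example's own.

```powershell
# Added triage script (not from the Sophos analyses quoted in this thread).
# Enumerates the two persistence mechanisms those write-ups describe and
# resolves each entry to the binary that would be loaded:
#   1. values under Policies\Explorer\Run (HKLM and HKCU), a less-watched
#      cousin of the usual CurrentVersion\Run keys;
#   2. Browser Helper Objects, followed from the BHO list to the CLSID
#      and its InprocServer32 DLL, as the Drop-BF registration does.
# Read-only; run in an elevated PowerShell 3.0+ session on the host.

$PolicyRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# 32-bit IE on 64-bit Windows reads the Wow6432Node views, so a 32-bit BHO
# registered by a 32-bit dropper ends up there; both views are checked.
$BhoViews = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
)

function Resolve-ImagePath {
    # Turn a Run value such as "C:\a b\x.exe" /s into the bare file path.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ([string]::IsNullOrWhiteSpace($c)) { return $null }
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if (Test-Path -LiteralPath $c -PathType Leaf) { return $c }   # unquoted path with spaces, no args
    return ($c -split '\s+')[0]
}

function Get-FileVerdict {
    # Bare DLL names in InprocServer32 (like siemens32.dll above) are found
    # through the loader's search path, so try the system directories too.
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'EMPTY VALUE' }
    $full = $Path
    if (-not [IO.Path]::IsPathRooted($full)) {
        foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
            $candidate = Join-Path $dir $full
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { $full = $candidate; break }
        }
    }
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -eq 'Valid') { return "signed: $($sig.SignerCertificate.Subject)" }
    return "UNSIGNED ($($sig.Status))"
}

function Get-PolicyRunEntries {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $PolicyRunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # provider bookkeeping, not registry values
            $image = Resolve-ImagePath -Command ([string]$p.Value)
            [PSCustomObject]@{
                Source  = 'Policies\Explorer\Run'
                Entry   = "$key\$($p.Name)"
                Image   = $image
                Verdict = Get-FileVerdict -Path $image
            }
        }
    }
}

function Get-BhoEntries {
    foreach ($view in $BhoViews) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid    = $sub.PSChildName
            $server   = "$($view.Clsid)\$clsid\InprocServer32"
            $dll      = $null
            if (Test-Path -LiteralPath $server) {
                $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
            }
            $verdict = 'NO InprocServer32 (orphaned BHO registration)'
            if ($dll) { $verdict = Get-FileVerdict -Path $dll }
            [PSCustomObject]@{
                Source  = 'Browser Helper Object'
                Entry   = $sub.Name
                Image   = $dll
                Verdict = $verdict
            }
        }
    }
}

$findings = @(Get-PolicyRunEntries) + @(Get-BhoEntries)
$findings | Format-Table -AutoSize -Wrap

# DwnLdr-HJS also leaves a marker under HKCU\Uninstall, a top-level key that a
# standard Windows installation does not use (uninstall data lives under
# Software\Microsoft\Windows\CurrentVersion\Uninstall).
if (Test-Path -LiteralPath 'HKCU:\Uninstall') {
    Write-Warning 'HKCU\Uninstall exists; compare its values with the DwnLdr-HJS write-up.'
}
```

Anything reported as MISSING or UNSIGNED with a random-looking name in a system directory is the shape both write-ups describe; a BHO entry with no InprocServer32 is usually leftover from a half-removed infection and is still worth recording before cleanup.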

Troj/Agent-IBL
Oct 27, 2008 9:35AM PDT
Troj/Agent-IBK
Oct 27, 2008 9:36AM PDT
Troj/Agent-IBE
Oct 27, 2008 9:37AM PDT
Mal/Veneb-A
Oct 27, 2008 9:38AM PDT
Mal/Delf-P
Oct 27, 2008 9:39AM PDT
Mal/Behav-302
Oct 27, 2008 9:40AM PDT
WORM_AUTORUN.PB
Oct 27, 2008 9:43AM PDT
Trojan.Fakeavalert.B
Oct 27, 2008 9:44AM PDT
W32.Patched!gen
Oct 27, 2008 9:45AM PDT