
VIRUS \ Spyware ALERTS - October 28, 2008

Oct 27, 2008 3:28PM PDT

Troj/Renos-BH


Aliases Trojan-Downloader.Win32.CodecPack.ge

Category Viruses and Spyware

Type Trojan


Troj/Renos-BH is a Trojan for the Windows platform.

Troj/Renos-BH includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Renos-BH downloads files with .gif extensions from multiple websites.
These files are actually executable files and are run once downloaded.

The following registry entry is created to run Troj/Renos-BH on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSFox
<pathname of Troj/Renos-BH>

Registry entries are created under:

HKLM\SOFTWARE\Mozilla\MSFox


http://www.sophos.com/security/analyses/viruses-and-spyware/trojrenosbh.html?_log_from=rss


Troj/Invo-Zip
Oct 27, 2008 3:29PM PDT
Troj/FakeAV-FN
Oct 27, 2008 3:31PM PDT

Category Viruses and Spyware

Type Trojan

Troj/FakeAV-FN is a Trojan for the Windows platform.

When Troj/FakeAV-FN is installed the following files are created:

<Current Folder>\delself.bat
<System>\brastk.exe
<System>\dllcache\beep.sys
<System>\dllcache\figaro.sys

The files beep.sys and figaro.sys are detected as Mal/FakeAle-C.

The file delself.bat only deletes malware components and itself.
If it has remained on the system, it can safely be deleted.

The file brastk.exe is detected as Troj/FakeAV-FM.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavfn.html?_log_from=rss

Troj/FakeAV-FM
Oct 27, 2008 3:32PM PDT

Aliases Win32/Wantvi.I

Category Viruses and Spyware

Type Trojan

Troj/FakeAV-FM is a Trojan for the Windows platform.

Troj/FakeAV-FM is a fraudulent security product that bombards the user with fake alerts in an attempt to pester the user into purchasing their software, if for no other reason than to stop the barrage of popups.

Troj/FakeAV-FM alters the following registry entries to run itself at startup:

HKLM\SOFTWARE\Microsoft\CurrentVersion\Run
brastk

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
brastk

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavfm.html?_log_from=rss

Troj/Agent-IBM
Oct 27, 2008 3:33PM PDT
Troj/Bckdr-QQD
Oct 28, 2008 12:55AM PDT
Troj/Agent-IBN
Oct 28, 2008 12:56AM PDT
W32/Autorun-MZ
Oct 28, 2008 12:57AM PDT

Category Viruses and Spyware

Type Worm

W32/Autorun-MZ is a worm for the Windows platform.

When the worm is run, the following files are created:

\Administrator.exe
\autorun.inf
\Untitled.exe
\xz.exe
<Windows>\cetix.exe
<Windows>\racun.exe
<System>\poison.exe
<System>\toxic.exe

These files are detected as W32/Autorun-MZ.

The following files are also created and they can be safely removed:

\aboutCetix.html
\infoBali.txt

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunmz.html?_log_from=rss

Troj/Mdrop-BWL
Oct 28, 2008 12:58AM PDT
W32/Dref-AW
Oct 28, 2008 12:59AM PDT
Troj/Zlob-APV
Oct 28, 2008 1:00AM PDT
Troj/Freezo-D
Oct 28, 2008 1:01AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Freezo-D is a Trojan for the Windows platform.

Troj/Freezo-D includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, Troj/Freezo-D copies itself to <System>\CbEvtSvc.exe.

The file CbEvtSvc.exe is registered as a new system driver service named "CbEvtSvc", with a display name of "CbEvtSvc" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfreezod.html?_log_from=rss

Troj/Deca-B
Oct 28, 2008 1:02AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Deca-B is a Trojan for the Windows platform.

Troj/Deca-B includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, Troj/Deca-B copies itself to <Program Files>\Microsoft Common\wuauclt.exe.

The following registry entry is changed to run wuauclt.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Program Files>\Microsoft Common\wuauclt.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdecab.html?_log_from=rss

Troj/Agent-IBP
Oct 28, 2008 1:04AM PDT
Troj/Agent-IBO
Oct 28, 2008 1:05AM PDT
Trojan.Mournor
Oct 28, 2008 2:43AM PDT
W32/Sdbot-DNH
Oct 28, 2008 2:49AM PDT
Troj/ZipCard-A
Oct 28, 2008 2:50AM PDT
Troj/Tiotua-V
Oct 28, 2008 2:51AM PDT

Aliases W32/Yahlover.worm.gen.f

Category Viruses and Spyware

Type Trojan

Troj/Tiotua-V is a Trojan for the Windows platform.

When first run, Troj/Tiotua-V copies itself to <System>\csrcs.exe and creates the file <Temp>\suicide.bat.

The following registry entry is created to run csrcs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
csrcs
<System>\csrcs.exe

The following registry entry is changed to run csrcs.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe csrcs.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojtiotuav.html?_log_from=rss
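
As an added example (not from this thread or from Sophos), a read-only PowerShell audit of the autostart locations that the Troj/FakeAV-FM, Troj/Freezo-D, Troj/Deca-B and Troj/Tiotua-V posts above describe: the Run keys, the policies\Explorer\Run key, the Winlogon Shell value, Image File Execution Options Debugger values, and automatically started services. It assumes an elevated session on a Windows host and uses only built-in cmdlets.

```powershell
# Added example, not part of the original thread. Read-only: it lists what is
# registered in the persistence locations named in the alerts above so an
# administrator can review them; it changes nothing.

# Run-style keys cited by Troj/FakeAV-FM, Troj/Renos-BH and Troj/Tiotua-V.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)
Write-Host "== Run-key entries =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties the provider adds to every item.
            if ($p.Name -notlike 'PS*') { "{0}  {1} = {2}" -f $key, $p.Name, $p.Value }
        }
    }
}

# Winlogon Shell is normally exactly "explorer.exe"; Troj/Tiotua-V appends a
# second executable to it ("Explorer.exe csrcs.exe").
Write-Host "== Winlogon Shell =="
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { "REVIEW: Shell = $shell" } else { "Shell = $shell" }

# A Debugger value under an IFEO subkey makes Windows start that program in
# place of the named executable (the Troj/Deca-B technique against explorer.exe).
# Legitimate debugger entries exist, so review each rather than deleting blindly.
Write-Host "== IFEO Debugger values =="
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { "{0}  Debugger = {1}" -f $_.PSChildName, $dbg }
}

# Automatically started services: Troj/Freezo-D registers its copy in
# <System> as a service named CbEvtSvc. Look for unfamiliar names and paths.
Write-Host "== Auto-start services =="
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, DisplayName, PathName | Format-Table -AutoSize
```

Compare the output against a known-clean host or a baseline taken earlier; an entry is worth investigating when its name or path matches nothing you installed.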

Troj/Small-EMP
Oct 28, 2008 2:52AM PDT
Troj/Qhost-Z
Oct 28, 2008 2:53AM PDT
Troj/Keygen-CP
Oct 28, 2008 2:54AM PDT
Troj/JSdload-A
Oct 28, 2008 2:55AM PDT
Troj/Dload-ED
Oct 28, 2008 2:56AM PDT
Troj/Agent-IBQ
Oct 28, 2008 2:57AM PDT
Would you like to be a spam mule?
Oct 28, 2008 2:59AM PDT

28 October 2008 10:30 GMT

Would you like to be a spam mule? Anatoly Nikolayev would like you to become one. SophosLabs is currently tracking a large French-based mule campaign.


Now my French doesn't normally get me beyond ordering a meal, but this is looking very phishy to me.


http://www.sophos.com/security/blog/2008/10/1888.html

Troj/Invo-Zip
Oct 28, 2008 3:01AM PDT

28 October 2008


Return of Email Malware
Regular readers of this blog will know that I'm keen on measuring the effectiveness of the SophosLabs response to the changing threats. I use a host of metrics to measure proactive detection, response times, spam catch rates and so on. In fact the labs' internal "dashboard" (a live web-based system that shows many of these metrics, etc.) is one of the first places I visit each morning.

As our latest report shows, there has been a significant return to malware attached to spam emails.

More: http://www.sophos.com/security/blog/2008/10/1889.html

FakeAlert-AB!72FC94D3
Oct 28, 2008 6:43AM PDT

Alert ID : FrSIRT/ALRT-2008-06468
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-28


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152987.htm

Credits

Reported by McAfee

FakeAlert-AB.dldr.gen.c!02C706F6
Oct 28, 2008 6:44AM PDT

Alert ID : FrSIRT/ALRT-2008-06469
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-28


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152984.htm

Credits

Reported by McAfee

PWS-Mmorpg.gen!08E44191
Oct 28, 2008 6:45AM PDT

Alert ID : FrSIRT/ALRT-2008-06470
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-28


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152980.htm

Credits

Reported by McAfee

PWS-Banker!97C37A9B
Oct 28, 2008 6:46AM PDT

Alert ID : FrSIRT/ALRT-2008-06471
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-28


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152978.htm

Credits

Reported by McAfee