VIRUS \ Spyware ALERTS - October 29, 2008

Oct 28, 2008 12:02PM PDT

W32/Sality-AM

Aliases Win32/Sality.gen
W32/Sality.dll
New Win32.s

Category Viruses and Spyware

Type Virus

W32/Sality-AM is a virus for the Windows platform.

The virus includes the functionality to download additional files from a remote location.

When first run, the virus may infect executables in the root folder, files on network shares, and files it may find based on the following registry locations:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

W32/Sality-AM may install the following file:

<System>\Mischief<random>.sys

This file is detected as Troj/RkSal-A

http://www.sophos.com/security/analyses/viruses-and-spyware/w32salityam.html?_log_from=rss

Mal/Renos-C
Oct 29, 2008 3:17AM PDT

Category Viruses and Spyware

Type Malicious Behavior

Mal/Renos-C is a malicious program for the Windows platform.

Mal/Renos-C attempts to connect to a remote computer to download further malicious code. It is likely that these downloaded components will display fake warning and error messages when executed.

Detection for members of Mal/Renos-C is behavior based. It is extremely important that customers report detections of Mal/Renos-C to Sophos and send a sample for analysis.

http://www.sophos.com/security/analyses/viruses-and-spyware/malrenosc.html?_log_from=rss

Mal/BHO-M
Oct 29, 2008 3:18AM PDT

W32/Dloadr-BXJ
Oct 29, 2008 6:46AM PDT

Category Viruses and Spyware

Type Worm

When first run, W32/Dloadr-BXJ deletes itself and makes copies in the following locations:

<Program Files>\Common Files\System
opajqxn.exe

<Program Files>\Common Files\Microsoft Shared
vknaotn.exe

<Program Files>
meex.exe

C:
softlsy.exe

Additionally, the following file is created:

C:
autorun.inf

W32/Dloadr-BXJ creates the following registry entry to ensure it loads when Windows is run:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
qtgfcql
<Program Files>\Common Files\System\opajqxn.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32dloadrbxj.html?_log_from=rss

Troj/PWS-AVH
Oct 29, 2008 6:47AM PDT

Troj/Fuzfle-A
Oct 29, 2008 6:49AM PDT

Troj/Dloadr-BXK
Oct 29, 2008 6:51AM PDT

Troj/Agent-ICC
Oct 29, 2008 6:52AM PDT

Troj/Agent-IBG
Oct 29, 2008 6:53AM PDT

AL/Bursted-Fam
Oct 29, 2008 6:54AM PDT

Category Viruses and Spyware

Type Virus

AL/Bursted-Fam is a family of AutoCAD LISP (AutoLISP) viruses. If an infected file is received as ACAD.LSP and an AutoCAD Drawing is loaded from the same folder, the virus becomes resident within AutoCAD.

AL/Bursted-Fam edits the existing global ACAD.LSP, or creates one, to load itself at AutoCAD startup from another LSP file in the same folder.

When an AutoCAD drawing (DWG file) is edited, an ACAD.LSP will be created in the same folder as the drawing.

http://www.sophos.com/security/analyses/viruses-and-spyware/alburstedfam.html?_log_from=rss

Cutwail.dll.gen!D9F27F40
Oct 29, 2008 7:02AM PDT

Alert ID : FrSIRT/ALRT-2008-06519
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-29

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152999.htm

Credits

Reported by McAfee

Troj/WSHack-A
Oct 29, 2008 7:05AM PDT

Troj/Sysdel-C
Oct 29, 2008 7:07AM PDT

W32/IRCBot-ACV
Oct 29, 2008 7:08AM PDT

Alert ID : FrSIRT/ALRT-2008-06580
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-29

Description

W32/IRCBot-ACV sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools

W32/IRCBot-ACV copies itself to <Windows>\service.exe

W32/IRCBot-ACV creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Service
<Windows>\service.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Windows Service
<Windows>\service.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Windows Service
<Windows>\service.exe

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32ircbotacv.html

Credits

Reported by Sophos

Troj/Renos-BI
Oct 29, 2008 7:09AM PDT

W32/Autorun-NC
Oct 29, 2008 7:28AM PDT

Troj/Telemot-B
Oct 29, 2008 7:29AM PDT

Aliases BackDoor-CLZ

Category Viruses and Spyware

Type Trojan

Troj/Telemot-B is a backdoor Trojan for the Windows platform.

When first run Troj/Telemot-B copies itself to <System>\chkdsk64.exe.

The file CHKDSK64.exe is registered as a new system driver service named "Logical Users Disk Manager Service", with a display name of "Disk management service for users requests" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Logical Users Disk Manager Service\

Troj/Telemot-B injects code into svchost.exe which listens for incoming TCP connections. An attacker connecting to the Trojan will be given a shell from which they can run commands that will:

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojtelemotb.html?_log_from=rss

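An added defender-side audit script (my own, not from this thread or from Sophos) that checks the autorun, policy and service locations quoted in the W32/IRCBot-ACV post above and in this Troj/Telemot-B post. It assumes an elevated PowerShell session on the host being audited and that the advisories' `<Windows>` and `<System>` placeholders map to %windir% and %windir%\System32.

```powershell
# Added audit script; not from the CNET thread or Sophos. Checks the autorun,
# policy and service locations named in the W32/IRCBot-ACV and Troj/Telemot-B
# posts. Assumes an elevated PowerShell session on the host being audited.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
)
# Indicators quoted in the two advisories.
$suspectValueName = 'Windows Service'
$suspectImages    = @('service.exe', 'chkdsk64.exe')
$suspectService   = 'Logical Users Disk Manager Service'

function Test-SuspectPath([string]$Path) {
    foreach ($img in $suspectImages) { if ($Path -like "*\$img*") { return $true } }
    return $false
}

# 1. Autorun values: list everything, flag the advisory's value name or image names.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        $flag = if ($p.Name -eq $suspectValueName -or (Test-SuspectPath "$($p.Value)")) { ' <-- matches advisory' } else { '' }
        '{0}  {1} = {2}{3}' -f $key, $p.Name, $p.Value, $flag
    }
}

# 2. Policy values W32/IRCBot-ACV sets to block Task Manager and registry tools.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { "WARNING: $policyKey\$name = $v" }
}

# 3. Services: Troj/Telemot-B registers CHKDSK64.exe as an automatic-start driver service.
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($svc.PSChildName -eq $suspectService -or (Test-SuspectPath "$($props.ImagePath)")) {
        "WARNING: service '{0}' ImagePath={1} DisplayName={2}" -f $svc.PSChildName, $props.ImagePath, $props.DisplayName
    }
}

# 4. Dropped files at the paths given in the advisories (placeholder mapping assumed above).
foreach ($f in (Join-Path $env:windir 'service.exe'), (Join-Path $env:windir 'System32\chkdsk64.exe')) {
    if (Test-Path $f) { "WARNING: $f exists, SHA256 " + (Get-FileHash $f -Algorithm SHA256).Hash }
}
```

A hit on the value name or service name alone is a trigger for triage, not proof of infection; confirm against the file hash and a known-good inventory before remediating.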
Troj/FakeAl-B
Oct 29, 2008 7:31AM PDT

Troj/Dloadr-BXL
Oct 29, 2008 7:32AM PDT

Troj/WSHack-A
Oct 29, 2008 7:35AM PDT

Troj/OnLineG-BK
Oct 29, 2008 11:35AM PDT

Troj/Fanbot-M
Oct 29, 2008 11:36AM PDT

Category Viruses and Spyware

Type Trojan

W32/Fanbot-M is a Trojan for the Windows platform.

W32/Fanbot-M includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Fanbot-M copies itself to <System>\llwzjy081029.exe and creates the following files:

<User>\jjjydf16.ini
<Root>\dfDelmlljy.bat
<System>\mvjaj32dla.dll

The file mvjaj32dla.dll is detected as Mal/Behav-236. The file jjjydf16.ini is detected as Troj/Fanbot-M. The batch file may be deleted.

The following registry entry is created to run llwzjy081029.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
dlnajjbdfa
<System>\llwzjy081029.exe

More: http://www.sophos.com/security/analyses/viruses-and-spyware/trojfanbotm.html?_log_from=rss

Troj/Bckdr-QQE
Oct 29, 2008 11:37AM PDT

Troj/AgLght-A
Oct 29, 2008 11:38AM PDT

Troj/Agent-IBT
Oct 29, 2008 11:43AM PDT

Mal/Zlob-AA
Oct 29, 2008 11:44AM PDT

Mal/EncPk-FR
Oct 29, 2008 11:45AM PDT

Mal/BHO-N
Oct 29, 2008 11:46AM PDT