
VIRUS \ Spyware ALERTS - October 31, 2008

Oct 30, 2008 3:00PM PDT

W32/Yahlov-A


Aliases: W32/Yahlover.worm.gen.f virus, TROJ_MALBEHV.AB, Trojan.Win32.Autoit.dq, W32.SillyFDC

Category: Viruses and Spyware

Type: Worm


W32/Yahlov-A is a worm for the Windows platform.

W32/Yahlov-A spreads by copying itself to network shares and removable drives.

W32/Yahlov-A copies itself to the root folder of removable drives with a randomly generated filename and creates an autorun.inf file in the root folder of the drive in an attempt to run the copy when the drive is loaded. Both the copy and the autorun.inf file will have the system, hidden and read-only attributes set.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32yahlova.html?_log_from=rss

MH.Farfli.1
Oct 31, 2008 5:47AM PDT

Alert ID : FrSIRT/ALRT-2008-06646
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-31


Description

MH.Farfli.1 is a detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

References

http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-103115-5515-99

Credits

Reported by Symantec

Troj/Agent-ICI
Oct 31, 2008 5:48AM PDT

Troj/Agent-ICG
Oct 31, 2008 5:49AM PDT

Troj/ZipCard-B
Oct 31, 2008 5:50AM PDT

Troj/FakeAle-JF
Oct 31, 2008 5:52AM PDT

Troj/BHO-HO
Oct 31, 2008 5:52AM PDT

Troj/Bancos-BER
Oct 31, 2008 5:54AM PDT

Troj/AutoIT-AD
Oct 31, 2008 5:55AM PDT

W32/Tiotua
Oct 31, 2008 5:57AM PDT

Alert ID : FrSIRT/ALRT-2008-06635
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-31


Description

W32/Tiotua-W is a Trojan for the Windows platform. W32/Tiotua-W includes functionality to access the internet and communicate with a remote server via HTTP.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32tiotuaw.html

Credits

Reported by Sophos

W32/Sohana-BK
Oct 31, 2008 5:58AM PDT

Alert ID : FrSIRT/ALRT-2008-06634
Aliases : Worm.Win32.VB.ck - W32/YahLover.worm
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-31


Description

W32/Sohana-BK is a worm for the Windows platform. W32/Sohana-BK includes functionality to download, install and run new software.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32sohanabk.html

Credits

Reported by Sophos

W32/Autoit-AE
Oct 31, 2008 5:58AM PDT

Alert ID : FrSIRT/ALRT-2008-06633
Aliases : IM-Worm.Win32.Sohanad.hp - W32/Autorun.worm.bz - Win32/Autoit.CWworm
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-31


Description

W32/Autoit-AE is a worm for the Windows platform. When first run W32/Autoit-AE copies itself to the Windows folder and creates the file <Windows>\pc-off.bat.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autoitae.html

Credits

Reported by Sophos

Troj/Zlob-AQB
Oct 31, 2008 5:59AM PDT

Troj/VB-EBK
Oct 31, 2008 6:00AM PDT

Troj/Thyself-B
Oct 31, 2008 6:01AM PDT

Alert ID : FrSIRT/ALRT-2008-06630
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-31


Description

Troj/Thyself-B is a malicious JavaScript embedded in a web page.

Troj/Thyself-B attempts to download malicious content from other remote sites when the web page is browsed.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojthyselfb.html

Credits

Reported by Sophos

Troj/KeyGen-CQ
Oct 31, 2008 6:02AM PDT

Troj/Iframe-BK
Oct 31, 2008 6:02AM PDT

Virus Alerts [Panda Security's weekly report on viruses and intruders - 10/31/08]
Oct 31, 2008 6:11AM PDT

Virus Alerts [Panda Security's weekly report on viruses and intruders - 10/31/08]

- Panda Security's weekly report on viruses and intruders -

Virus Alerts, by Panda Security (http://www.pandasecurity.com)

Two Trojans, Gimmiv.A and Aidreden.A, and the P2PShared.P worm are the
subject of this week's PandaLabs report.

Gimmiv.A allows its creator to take full control of infected systems.

Once a computer has been infected, the Trojan starts gathering the
following information:

* User names and passwords entered in web pages.
* MSN Messenger passwords
* Outlook Express passwords
* System user name
* Computer name
* Patches installed
* Information about the browser

All stolen information is encrypted using the Advanced Encryption
Standard (AES) and sent to a remote server.

Aidreden.A is a Trojan designed to dupe users into buying a fake
antivirus. To do this, it modifies the Hosts file on the infected
computer so that users that visit certain Web pages are taken to a fake
Microsoft web page and encouraged to download an anti-spyware software
(see image here:
http://www.flickr.com/photos/panda_security/2989258406/).

Finally, P2PShared.P is a worm with bot features that steals passwords
for all kinds of programs, applications, email and even banking details.
All this information is then sent to cyber-crooks.

Once run, it copies itself to the system and all the P2P file sharing
directories under names like:

Windows Live Password reveal.exe
Leona-Lewis-Bleeding-love.mp3.www-freemp3s.com
eMule-0-48a-VeryCD080902-Update.exe
MsnCleaner.exe

W32/Autorun-NJ
Oct 31, 2008 6:30AM PDT

Category: Viruses and Spyware

Type: Worm

W32/Autorun-NJ is a worm for the Windows platform.

When first run, W32/Autorun-NJ copies itself to the following location:

<Program Files>\Microsoft Common\wuauclt.exe

The following registry entries are created to start W32/Autorun-NJ when Windows starts:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = <Program Files>\Microsoft Common\wuauclt.exe

W32/Autorun-NJ attempts to copy itself to any removable drives connected to the computer. These drives may then infect other computers they are later connected to.

W32/Autorun-NJ creates autorun.inf files on any drive it infects. These files are detected as Mal/AutoInf-A.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunnj.html?_log_from=rss
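
The two mechanisms in this post, the Image File Execution Options "Debugger" hijack of explorer.exe and the autorun.inf dropped on removable drives (the W32/Yahlov-A post at the top of the thread describes the same autorun.inf trick), can both be checked for from the defender's side. The following Python script is an added example and is not code from this thread or from Sophos: it parses a registry export of the Image File Execution Options key and flags any Debugger value whose executable lives outside the Windows system directories, and it parses an autorun.inf to list the keys that would cause code to run when the drive is mounted. The .reg export and the autorun.inf text are constructed for the example, the list of trusted debugger directories is an assumption to tune per environment, and the file name kjhgfds.exe is a made-up stand-in for the random names these worms use.

```python
"""Defender-side checks for IFEO Debugger hijacks and autorun.inf launch keys.

Added example, not code from the CNET thread or from Sophos.  The .reg
export and the autorun.inf below are constructed inputs for the example.
"""
import re
from typing import Dict, List, Tuple

# Registry path under which Windows looks for per-executable options.  A
# "Debugger" value here makes Windows launch that path instead of the named
# executable, which is how the post describes W32/Autorun-NJ hijacking explorer.exe.
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

# Directories a legitimately installed debugger would normally live in.
# Assumption for this example; tune to the environment being checked.
TRUSTED_DEBUGGER_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed .reg export in the format "reg export" writes.  Backslashes
# inside string data are doubled, as the .reg format requires.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Program Files\\Microsoft Common\\wuauclt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Tool]
"Debugger"="C:\\Tools\\unrelated.exe"
"""

# Constructed autorun.inf; kjhgfds.exe stands in for a random worm filename.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=kjhgfds.exe
shellexecute=kjhgfds.exe
shell\open\command=kjhgfds.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map each IFEO target executable to its Debugger value, if it has one."""
    entries: Dict[str, str] = {}
    current_target = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_target = None
            if key.lower().startswith(IFEO_PREFIX.lower()):
                current_target = key[len(IFEO_PREFIX):].lower()
            continue
        m = re.match(r'^"Debugger"="(.*)"$', line)
        if m and current_target:
            # Undo the .reg escaping of backslashes.
            entries[current_target] = m.group(1).replace("\\\\", "\\")
    return entries


def flag_suspicious(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (target, debugger, reason) for Debugger values that look hijacked."""
    findings: List[Tuple[str, str, str]] = []
    for target, debugger in entries.items():
        # The value may carry arguments; take only the executable path.
        m = re.match(r'^"?(.*?\.exe)"?', debugger, re.IGNORECASE)
        exe_path = (m.group(1) if m else debugger).lower()
        if not exe_path.startswith(TRUSTED_DEBUGGER_DIRS):
            findings.append((target, debugger,
                             "Debugger points outside the Windows system directories"))
    return findings


def autorun_launch_targets(inf_text: str) -> Dict[str, str]:
    """Return the [autorun] keys that cause code to run, with their values."""
    launch_keys = {"open", "shellexecute", r"shell\open\command", r"shell\explore\command"}
    targets: Dict[str, str] = {}
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in launch_keys:
                targets[key.lower()] = value
    return targets


if __name__ == "__main__":
    for target, dbg, why in flag_suspicious(parse_ifeo_debuggers(SAMPLE_REG_EXPORT)):
        print(f"possible IFEO hijack: {target} -> {dbg} ({why})")
    for key, value in autorun_launch_targets(SAMPLE_AUTORUN_INF).items():
        print(f"autorun.inf would run: {key}={value}")
```

Run against a real export (reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg) the path check is the interesting part: the post's sample copies itself under a Windows-looking name, wuauclt.exe, but in Program Files\Microsoft Common rather than System32, which is exactly what the directory check catches. Real autorun.inf files from worms often add obfuscation (odd casing, junk sections, NUL bytes), so treat the parser as a baseline rather than a complete detector.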

W32/AutoRun-NI
Oct 31, 2008 6:31AM PDT

Troj/FakeAV-FV
Oct 31, 2008 6:31AM PDT

Troj/Dwnldr-HJW
Oct 31, 2008 6:32AM PDT

Troj/Dloadr-BXO
Oct 31, 2008 6:33AM PDT

Troj/Cheuko-E
Oct 31, 2008 6:34AM PDT

Troj/Agent-ICS
Oct 31, 2008 6:35AM PDT

Troj/Agent-ICP
Oct 31, 2008 6:36AM PDT

Mal/EncPk-FR
Oct 31, 2008 6:37AM PDT

Doctor Vaccine
Oct 31, 2008 6:38AM PDT

Undetectable data-stealing trojan nabs 500k accounts
Oct 31, 2008 8:08AM PDT

Sinowal's evil genius

By Dan Goodin in San Francisco

Posted in Security, 31st October 2008

A well-organized crime gang has stolen credentials for more than a half-million financial accounts in less than three years using a sophisticated trojan that remains undetectable to the vast majority of its victims, a report published Friday warns.

The haul of bank, credit, and debit card account numbers stolen by the Sinowal trojan is among the largest ever discovered. It was unearthed by researchers at RSA's FraudAction Research Lab. They say the program, which is also known as Torpig and Mebroot, has been operating non-stop for almost three years, an unusually long time in the fly-by-night world of cybercrime.

More: http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/

Security researchers lift the lid on Torpig banking Trojan
Oct 31, 2008 8:10AM PDT

300K bank accounts compromised by backdoor code

By John Leyden

Posted in Security, 31st October 2008


Security researchers at RSA have uncovered how a banking Trojan may have stolen the login credentials of as many as 300,000 online bank accounts.

The Sinowell (AKA Torpig) trojan has also lifted email and FTP account login details. Previous attempts to track the source of the Trojan have run into blind alleys.

One popular theory is that the malware authors behind the trojan are in the same gang as the group who ran the infamous Russian Business Network (RBN). RSA's analysis suggests that the authors of Sinowell may have been at least affiliated with the Storm worm gang in the past but are now running the malware through hosting facilities unaffiliated to the RBN.

More: http://www.theregister.co.uk/2008/10/31/torpig_banking_trojan/

Troj/Dloadr-BXP
Oct 31, 2008 9:32AM PDT