VIRUS \ Spyware ALERTS - October 7, 2008

Oct 6, 2008 2:39PM PDT

Troj/Dropr-AI
Oct 6, 2008 2:40PM PDT

Troj/Agent-HVT
Oct 6, 2008 2:41PM PDT

Troj/Agent-HVS
Oct 6, 2008 2:42PM PDT

Win32/Starimp.AX
Oct 6, 2008 2:50PM PDT

Type : Trojan

Category : Win32

Also known as: FakeAlert-AB.dr (McAfee), Troj/Agent-HRF (Sophos), Trojan.Fakeavalert (Symantec)

Description
Win32/Starimp.AX is a trojan that steals sensitive information from a system and posts it to a remote server. It also downloads and executes additional files.

http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=73444

JS/Generic Exploit.h
Oct 6, 2008 2:51PM PDT

Trojan.Exploit.ANNZ
Oct 6, 2008 2:53PM PDT

Trojan.Win32.Agent.bve
Oct 6, 2008 2:54PM PDT

This Trojan has a malicious payload. The program itself is a Windows PE DLL file. It is approximately 100KB in size.

The Trojan also creates the following registry key, and saves its configuration to this key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\StrtdCfg]

The Trojan also creates the following files:

%WinDir%\1.txt
%System%\__1.dat
%WinDir%\system32\mswmpdat.tlb
%WinDir%\system32\winview.ocx

The Trojan gets network configuration via the following link:

http://livenews.*****.cx/update

http://www.viruslist.com/en/viruses/encyclopedia?virusid=220267

Trojan-Downloader.JS.Psyme.ali
Oct 6, 2008 2:55PM PDT

Technical details

This Trojan downloads another program via the Internet without the user's knowledge or consent. It is a Visual Basic Script file. It is 10881 bytes in size.

The Trojan downloads a file from the following link:

www.game*****.com/mian.exe

The downloaded file is saved to the Windows root directory as follows:

%WinDir%\svchost.exe

The file is then launched for execution.

At the time of writing, the link was not active.

http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782517

Email-Worm.Win32.Joleee.ak
Oct 6, 2008 2:56PM PDT

Technical details

This malicious program is a Windows PE EXE file. It is 45056 bytes in size.

Installation
When launched, the worm copies its executable file to the Windows root directory:

%WinDir%\services.exe

In order to ensure that the worm is launched automatically each time the system is booted, it adds a link to its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Services" = "%WinDir%\services.exe"

http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782512

ServU-Daemon
Oct 6, 2008 2:57PM PDT

Type: Program
SubType: Remote Access

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of.

The Serv-U FTP daemon is a popular commercial FTP server. This application has been used by many trojans for malicious purposes, where files are renamed to try to fool people into thinking that they are Windows system files. These renamed files will be picked up with regular detection within the on-access or on-demand scanners.

http://vil.mcafeesecurity.com/vil/content/v_101206.htm

Adware-BrowsingHancer.dldr!99A9146E
Oct 6, 2008 2:58PM PDT

Type: Program
SubType: Adware

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File Property      Property Value
FileName           play_mp3.exe
McAfee Detection   Adware-BrowsingHancer.dldr

http://vil.mcafeesecurity.com/vil/content/v_152205.htm

Troj/Dloadr-BUQ
Oct 7, 2008 1:49AM PDT

Troj/Bckdr-QPP
Oct 7, 2008 1:50AM PDT

Aliases: BKDR_HUPIGON.AZF
Backdoor.Win32.Hupigon.ccu

Category: Viruses and Spyware

Type: Trojan

Troj/Bckdr-QPP is a Trojan for the Windows platform.

When Troj/Bckdr-QPP is installed the following files are created:

<Temp>\e_4\console.fne
<Temp>\e_4\eAPI.fne
<Temp>\e_4\krnln.fnr
<Temp>\e_4\shell.fne

The file eAPI.fne is detected as Mal/Behav-010, shell.fne is detected as Troj/PWS-ANE and krnln.fnr is detected as AldHack.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbckdrqpp.html?_log_from=rss

Troj/Bckdr-QPO
Oct 7, 2008 1:51AM PDT

Troj/Banhost-AA
Oct 7, 2008 1:52AM PDT

Troj/AOL-Buddy
Oct 7, 2008 1:53AM PDT

Mal/RarMal-B
Oct 7, 2008 1:56AM PDT

W32/Sality-AM
Oct 7, 2008 1:57AM PDT

Aliases: Win32/Sality.gen
W32/Sality.dll
New Win32.s

Category: Viruses and Spyware

Type: Virus

W32/Sality-AM is a virus for the Windows platform.

The virus includes the functionality to download additional files from a remote location.

When first run, the virus may infect executables in the root folder, files on network shares, and files it may find based on the following registry locations:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache

http://www.sophos.com/security/analyses/viruses-and-spyware/w32salityam.html?_log_from=rss

Troj/IEInject-A
Oct 7, 2008 1:58AM PDT

Troj/Agent-HVV
Oct 7, 2008 1:59AM PDT

Mal/FakeVir-B
Oct 7, 2008 2:00AM PDT

Trojan-Downloader:W32/Agent.HSM
Oct 7, 2008 2:01AM PDT

Name : Trojan-Downloader:W32/Agent.HSM
Type: Trojan-Downloader
Category: Malware
Platform: W32

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Additional Details
This trojan may be downloaded from a malicious website. It may also arrive as an e-mail attachment.

Known e-mail subjects associated with this malware are:


Really cool photos
Exclusive photos, you'll be happy
Spam: Great photos for you
Great photos for you
The best photos for you

http://www.f-secure.com/v-descs/trojan-downloader_w32_agent_hsm.shtml

Trojan-Dropper:W32/Hoaxer.B
Oct 7, 2008 2:02AM PDT

Name : Trojan-Dropper:W32/Hoaxer.B
Detection Names : Trojan-Downloader.Win32.Hoaxer.a

Aliases : W32/Dorf.A!tr.dldr (Other)
TrojanDownloader:HTML/Renos.C (Microsoft)

Size: 333780
Type: Trojan-Dropper
Category: Malware

Summary
This type of trojan contains one or more malicious files, which it will secretly install on the system.

http://www.f-secure.com/v-descs/trojan-dropper_w32_hoaxer_b.shtml

Trojan-Spy:W32/Goldun.RR
Oct 7, 2008 2:03AM PDT

Name : Trojan-Spy:W32/Goldun.RR
Detection Names : Trojan-Spy:W32/Goldun.RR
Trojan-Spy.Win32.Goldun.axt

Aliases : Trojan:Win32/Agent.PX (Microsoft)
TROJ_MEREDROP.GJ (Trend Micro)
Trojan.Goldun (Symantec)

Type: Trojan-Spy
Category: Malware

Summary
A type of trojan that includes a variety of spy programs and keyloggers.

http://www.f-secure.com/v-descs/trojan-spy_w32_goldun_rr.shtml

HKTL_FAKEYOUT
Oct 7, 2008 3:02AM PDT

A new hacking tool circulating on the Internet allows malicious users to create fake YouTube pages designed to deliver malware.

The said tool, detected by Trend Micro as HKTL_FAKEYOUT, features a Spanish-language user-friendly console that a hacker could use to create a pair of Web pages that look eerily identical to legitimate YouTube pages.

More: http://blog.trendmicro.com/

Troj/Doc-Zip
Oct 7, 2008 5:29AM PDT

Troj/Dloadr-BUS
Oct 7, 2008 5:30AM PDT

W95/Chiton-F
Oct 7, 2008 6:14AM PDT

Alert ID : FrSIRT/ALRT-2008-05901
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-07


Description

W95/Chiton-F is a virus which may spread via network shares and by emailing itself via SMTP. The virus drops the dropper version of itself within the Windows folder as EXPIORER.EXE and changes entries in the registry at HKCR\comfile\shell\open\command, HKCR\pifile\shell\open\command and HKCR\exefile\shell\open\command so that the virus is run before files with the extensions COM, PIF or EXE.


http://www.sophos.com/security/analyses/viruses-and-spyware/w95chitonf.html

W32/Dugert-A
Oct 7, 2008 6:16AM PDT

Alert ID : FrSIRT/ALRT-2008-05911
Aliases : Win32.HLLP.Dugert.a
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-07


Description

W32/Dugert-A is a virus for the Windows platform, not including Windows 95, 95, ME or earlier. W32/Dugert-A infects executable files with an extension of EXE located on drives C: Z:.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32dugerta.html

Troj/PcClien-MJ
Oct 7, 2008 6:33AM PDT