VIRUS \ Spyware ALERTS - October 8, 2008

Category Viruses and Spyware

Type Trojan

When first run, Troj/Agent-HVW copies itself to the following location:

<Windows>\service.exe

Troj/Agent-HVW attempts to download files from the internet.

The following registry entries are created in order to start Troj/Agent-HVW when Windows starts:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthvw.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/JSShell-B is a script that may be embedded in web pages. When the page is viewed, Troj/JSShell-B attempts to exploit vulnerable browsers in order to download an executable file and run it.


http://www.sophos.com/security/analyses/viruses-and-spyware/trojjsshellb.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/Gina-AN is a password stealing Trojan.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojginaan.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows
Characteristics Installs itself in the registry
Opens links to websites

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakealeid.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbvc.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbvb.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthwe.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows
Characteristics Drops more malware
Installs itself in the registry

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthwd.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows
Characteristics Installs itself in the registry

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthwc.html?_log_from=rss

Fake SSL Certificates Seen Again

Online banks use cryptographic protocols to secure the exchange of information on the Web, and hackers do not hesitate to adapt to this technology too. A new case of fake SSL (Secure Sockets Layer) certificates appeared again, following phishing threats we?ve seen last April and May (see our blog posts about fake digital certificates, rock phishing, and a similar attack on Merrill Lynch).

This time, the website of Open Banks Enterprises was faked by malware authors using Rock Phish Kit. The spoofed website, shown in the following screenshot, displays multiple banks that are included in the open bank community:

More: http://blog.trendmicro.com/

Category Viruses and Spyware

Type Worm

W32/Autorun-LD is a worm for the Windows platform.

The worm spreads via removable media devices. W32/Autorun-LD also can be controlled by a remote attacker over IRC channels.

When run, the worm copies itself to

<Root>\RESTORE\<S-numbers>\ROX.exe

and creates the file

<Root>\RESTORE\<S-numbers>\Desktop.ini

This file is not malicious and may be deleted.

W32/Autorun-LD also creates the file autorun.inf on removable media devices. This file is detected as W32/Autorun-LD.

W32/Autorun-LD sets the following registry entry:

HKCR\.key
""
regfile

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunld.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/Iframe-BA is a malicious script within a web page that downloads other malware.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojiframeba.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbvf.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbvd.html?_log_from=rss