VIRUS \ Spyware ALERTS - October 9, 2008

Oct 8, 2008 3:03PM PDT

Troj/KeyGen-Gen
Oct 8, 2008 3:05PM PDT
Troj/FakeAV-EN
Oct 8, 2008 3:06PM PDT
Troj/Dloadr-BVE
Oct 8, 2008 3:07PM PDT
Troj/Bdoor-AOL
Oct 8, 2008 3:09PM PDT
Troj/Agent-HWF
Oct 8, 2008 3:16PM PDT
W32/Autorun-LF
Oct 9, 2008 12:58AM PDT
Troj/Agent-HWH
Oct 9, 2008 12:59AM PDT
Troj/Agent-HWG
Oct 9, 2008 1:00AM PDT
Packed.Generic.189
Oct 9, 2008 1:02AM PDT
Packed.Generic.190
Oct 9, 2008 1:03AM PDT
UI redress attacks (aka Clickjacking)
Oct 9, 2008 2:26AM PDT

9 October 2008

Recently there has been quite a bit of noise about attacks involving a technique dubbed "Clickjacking". The tale starts back in September when a talk planned for the OWASP conference was pulled at the last minute, due to concerns about disclosing details of the attack [1, 2].

The combination of the cancelled talk and scant attack details was sufficient to pique the interest of many, and speculation over the last few weeks about how the attack worked has been rife [3,4,5]. Earlier this week, the cat escaped its bag - a proof of concept demonstration of the attack was released [6]. Since then, the original researchers have published full details [7,8].

So, exactly what is clickjacking? And what can you do to prevent being hit by it?

More: http://www.sophos.com/security/blog/2008/10/1850.html

Troj/Pushdo-X
Oct 9, 2008 6:01AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Pushdo-X is a Trojan for the Windows platform.

When Troj/Pushdo-X is installed it creates the file <System>\drivers\ati7xbxx.sys, which is detected as Troj/Pushu-Gen.

The file ati7xbxx.sys is registered as a new system driver service named "ati7xbxx". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ati7xbxx
HKLM\SYSTEM\CurrentControlSet\SafeBoot\Minimal\ati7xbxx.sys
HKLM\SYSTEM\CurrentControlSet\SafeBoot\Network\ati7xbxx.sys
HKLM\SYSTEM\ControlSet002\Services\ati7xbxx

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpushdox.html?_log_from=rss

Troj/Iframe-BC
Oct 9, 2008 6:02AM PDT
Troj/Iframe-BB
Oct 9, 2008 6:03AM PDT
Troj/Dloadr-BVG
Oct 9, 2008 6:04AM PDT

Aliases VirTool:Win32/DelfInject.gen!AF

Category Viruses and Spyware

Type Trojan

Troj/Dloadr-BVG is a downloader Trojan for the Windows platform.

When first run Troj/Dloadr-BVG copies itself to <Windows>\service.exe with the hidden, system and read-only attributes set and creates the following registry entries to run service.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
Messenger Service
service.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Messenger Service
service.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Messenger Service
service.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbvg.html?_log_from=rss

Troj/Agent-HWN
Oct 9, 2008 6:05AM PDT
Troj/Agent-HWM
Oct 9, 2008 6:07AM PDT
Troj/Agent-HWL
Oct 9, 2008 6:08AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Agent-HWL is a Trojan for the Windows platform.

When first run Troj/Agent-HWL copies itself to <System>\qq.exe and creates the file <Root>\bot.txt.

The file QQ.exe is registered as a new system driver service named "windows XP", with a display name of "windows XP" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\windows XP

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthwl.html?_log_from=rss

Troj/Agent-HWK
Oct 9, 2008 6:09AM PDT
Troj/Agent-HWJ
Oct 9, 2008 6:10AM PDT
Mal/FakeAV-I
Oct 9, 2008 6:11AM PDT
Adzgalore
Oct 9, 2008 6:42AM PDT

Category Adware or PUA

Type Adware

Adzgalore is an adware plugin for Microsoft Internet Explorer.

When the application is installed the following files are created:

<System>\cont_adzgalore-remove.exe
<System>\nsxB.dll

The file nsxB.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d22a17ff-9f1f-6cd5-74e4-64d841b2339b}
HKCR\CLSID\{d22a17ff-9f1f-6cd5-74e4-64d841b2339b}

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cont_adzgalore

Adzgalore provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "Contextual Tool Adzgalore".

http://www.sophos.com/security/analyses/adware-and-puas/adzgalore.html?_log_from=rss

Trojan-Downloader:W32/Tibs.VX
Oct 9, 2008 6:54AM PDT

Detection Names : Trojan-Downloader:W32/Tibs.VX
Trojan-Downloader.Win32.Agent.ajbg

Aliases : TrojanDownloader:Win32/Tibs (Microsoft)

Size: 14336
Type: Trojan-Downloader
Category: Malware
Platform: W32

Summary
This malware downloads files into the system and executes them.

http://www.f-secure.com/v-descs/trojan-downloader_w32_tibs_vx.shtml

W32.Bluven
Oct 9, 2008 9:29AM PDT