VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Zlob-Gen

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Category Viruses and Spyware

Type Trojan

Troj/Zlob-Gen detects members of the Zlob family of Trojan downloaders.

The Troj/Zlob-Gen family of Trojans usually attempt to stealth themselves by injecting themselves into another system process or by registering themselves as a service process.

The typical Troj/Zlob-Gen Trojan may create folders in the <System> folder and store downloaded files in these folders and set the following registry entries to run on user startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzlobgen.html?_log_from=rss

Troj/PWS-ATP

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Category Viruses and Spyware

Type Trojan

Troj/PWS-ATP is a Trojan for the Windows platform.

When run Troj/PWS-ATP creates the files:
<Windows>\Debug\winhlp.dll - detected as Mal/LineDLL-B

and copies itself to <System>\helpme.exe.

The following registry entries are set:

HKCR\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}
(default)
url

HKCR\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32
(default)
<Windows>\Debug\winhlp.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}

Troj/PWS-ATP also drops a non-malicious GIF image which is then opened by the default image viewer application.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsatp.html?_log_from=rss

Troj/FakeVir-FV

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Agent-HQU

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Istbar-DR

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Category Viruses and Spyware

Type Trojan

Troj/Istbar-DR is a Trojan downloader for the Windows platform.

Troj/Istbar-DR has the functionality to:
-download files from preconfigured URLs to C:\program files\RapidBlaster\<filename> then run them.

The following registry entries are created to run on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
rb32
C:\program files\RapidBlaster\<filename>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
rb32
C:\program files\RapidBlaster\<filename>

HKCR\Software\Microsoft\Windows\CurrentVersion\Run
rb32
C:\program files\RapidBlaster\<filename>

http://www.sophos.com/security/analyses/viruses-and-spyware/trojistbardr.html?_log_from=rss

Troj/Gamania-CH

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/FakeVir-FW

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/DwnLdr-HHU

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Rootkit:W32/Agent.TZ

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Detection Names : Rootkit:W32/Agent.TZ
Rootkit:W32/Agent.TZ
Trojan-Clicker.Win32.VB.ath

Type: Rootkit
Category: Malware
Platform: W32

Summary
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.

http://www.f-secure.com/v-descs/rootkit_w32_agent_tz.shtml

Troj/PWS-ATP - Jokes on you

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

15 September 2008

Malware often utilizes distraction techniques such as audio or video clips to both appear harmless and draw the unsuspecting user's attention away from what might really be happening.

Today's sample of yet another password stealer, Troj/PWS-ATP, is no different. Arriving as a scriptable WinRAR self-extractor (SFX), the Trojan drops two components to the temporary folder and launches them. Of these two components, one is the real malware and the other is the "distraction". The malware installs a DLL into %WINDOWS%\Debug\winhlp.dll and sets it to auto-load by registering it as a ShellExecute hook. Once installed, only this DLL need be present; all other components are discardable and serve only as delivery vehicles.

More: http://www.sophos.com/security/blog/2008/09/1785.html

W32/SillyFDC-CQ

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

W32/AutoRun-JH

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/YTKit-A

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Lineag-FX

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Category Viruses and Spyware

Type Trojan

Troj/Lineag-FX is a password stealing Trojan for the Windows platform.

Troj/Lineag-FX includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Lineag-FX copies itself to:

<System>\fafegoubu.exe
<System>\hypoo.exe

The following registry entry is created to run fafegoubu.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
boowudo
<System>\fafegoubu.exe

The file hypoo.exe is registered as a new system driver service named "suqgpyxali", with a display name of "Websense CPM Report Scheduler" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\suqgpyxali

Random file, registry entry and system driver service names may be used.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojlineagfx.html?_log_from=rss

Troj/FakeAV-DK

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Agent-HQV

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Aliases Trojan-Dropper.Win32.Agent.sie

Category Viruses and Spyware

Type Trojan

Troj/Agent-HQV is a Trojan for the Windows platform.

When Troj/Agent-HQV is installed the following files are created:

<Windows>\Config\csrss.exe
<System>\mswinsck.ocx

The following registry entry is changed to run Troj/Agent-HQV on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows>\Config\csrss.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthqv.html?_log_from=rss
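
Several of the write-ups quoted in this thread (Troj/Zlob-Gen, Troj/PWS-ATP, Troj/Istbar-DR and Troj/Agent-HQV) persist through the same handful of registry locations: the Run keys, Policies\Explorer\Run, the Winlogon Shell value and Explorer's ShellExecuteHooks. The script below is an added example for reviewing those locations on a Windows host; it is not code from the forum posts or from Sophos. It resolves each entry to a file and records its Authenticode status, so an extra program appended to Shell or a hook DLL dropped under Windows\Debug stands out in the list. The assumption that legitimate autostart binaries carry a valid signature holds on supported Windows versions; on older systems more entries will show NotSigned, so treat the output as a review list rather than a verdict.

```powershell
# Added example (not from the forum posts or the Sophos advisories): audit the
# autostart registry locations named in the alerts above. Run from an elevated
# PowerShell prompt on the host under review.
# Assumption: legitimate autostart binaries and hook DLLs are Authenticode-signed.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hooksKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

# Properties Get-ItemProperty adds to every result; they are not registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    # Pull the program path out of a command line such as  "C:\dir\a.exe" /arg
    param([string]$CommandLine)
    $cl = "$CommandLine".Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        $exe = if ($end -gt 0) { $cl.Substring(1, $end - 1) } else { $cl.Trim('"') }
    } else {
        $exe = ($cl -split '\s+')[0]
    }
    return [System.Environment]::ExpandEnvironmentVariables($exe)
}

function Get-SignatureStatus {
    # 'FileMissing' when the target does not exist, otherwise Valid / NotSigned / ...
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

$report = New-Object System.Collections.Generic.List[object]
function Add-Entry {
    param([string]$Where, [string]$Name, [string]$Value, [string]$Path)
    $report.Add([pscustomobject]@{
        Where = $Where; Name = $Name; Value = $Value; Status = (Get-SignatureStatus $Path)
    })
}

# 1. Run and Policies\Explorer\Run values (Troj/Istbar-DR and Troj/Zlob-Gen persist here).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        Add-Entry -Where $key -Name $prop.Name -Value $prop.Value -Path (Get-ExecutablePath $prop.Value)
    }
}

# 2. Winlogon Shell: Troj/Agent-HQV turns "Explorer.exe" into "Explorer.exe <its own binary>".
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    # Whatever follows explorer.exe is the added program; resolve it for the signature check.
    $extra = ($shell -replace '^\s*explorer\.exe[,\s]*', '').Trim()
    Add-Entry -Where $winlogonKey -Name 'Shell' -Value $shell -Path (Get-ExecutablePath $extra)
}

# 3. ShellExecuteHooks: each value name is a CLSID whose InProcServer32 is the DLL Explorer
#    loads (Troj/PWS-ATP registers winhlp.dll this way). Hooks are rare, so every one is listed.
if (Test-Path $hooksKey) {
    foreach ($prop in (Get-ItemProperty -Path $hooksKey).PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($prop.Name)\InProcServer32"
        $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
        $dllPath = if ($dll) { [System.Environment]::ExpandEnvironmentVariables($dll) } else { '' }
        Add-Entry -Where $hooksKey -Name $prop.Name -Value "$dll" -Path $dllPath
    }
}

# Entries whose target is missing or unsigned are listed first.
$report | Sort-Object { $_.Status -eq 'Valid' } | Format-Table -AutoSize
```

The script reads the registry only and changes nothing; it is meant to be run before deciding what, if anything, to remove. The HKCR\...\Run path that the Troj/Istbar-DR write-up lists is not a standard autostart location, so it is not included above.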

August Malware Roundup

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Notable Malware

WORM_KOOBFACE.E, WORM_KOOBFACE.D

These worms used the famous social networking site Facebook in their propagation routines. While executing on an affected user's system, these worms search for cookies related to Facebook. Once a match is found, the worms access the user's Facebook profile using the credentials contained in the cookie files. The worms then modify the user's Facebook profile to include a link pointing to the malware to infect more systems.

The attack places at risk the great number of Facebook users, which the social networking site claims to have grown to over one hundred million.

TROJ_FAKEAV.CX

As its name implies, TROJ_FAKEAV.CX poses as an antivirus product. Like other malware of this type, it could be downloaded from malicious links contained in spammed email messages. TROJ_FAKEAV.CX displays several messages alerting the user about malware threats. To further convince users, it drops another Trojan on the system detected by Trend Micro as TROJ_RENOS.ACG. The dropped Trojan has visual payloads that readily alert users to the presence of malware on the system.

Furthermore, the payload for this type of attack goes beyond the damage on affected system; it also causes unnecessary panic and waste of time for the users.

More: http://blog.trendmicro.com/

VBS/Sasan-H

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Drop-AV

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Agent-HQW

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/AdClck-Gen

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Scrods-Gen

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Aliases TR/Crypt.FKM.Gen

Category Viruses and Spyware

Type Trojan

Troj/Scrods-Gen is a family of Trojans for the Windows platform.

Members of Troj/Scrods-Gen usually attempt to download and execute files from remote locations.

Members of Troj/Scrods-Gen may attempt to copy themselves to the Windows folder, often with the filename csrss.scr, and may set the following registry entry:

HKCR\.key
(default)

http://www.sophos.com/security/analyses/viruses-and-spyware/trojscrodsgen.html?_log_from=rss

Troj/Lineag-FY

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Bckdr-QPH

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Troj/Agent-HQY

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Aliases Rootkit.Win32.Agent.io
Win32/Rootkit.Agent.IO

Category Viruses and Spyware

Type Trojan


Troj/Agent-HQY is a Trojan for the Windows platform.

When first run Troj/Agent-HQY copies itself to <System>\regsvc.exe and creates the following files:

<Startup>\_.lnk (This file may be deleted)
<System>\drivers\ohctusb.sys (detected as Troj/Agent-HQY)
<System>\drivers\ohctusb.syt (detected as Troj/Agent-HQY, but may also be deleted)

The file ohctusb.sys is registered as a new system driver service named "ohctusb", with a display name of "Open Host Controller Miniport USB Driver" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ohctusb

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthqy.html?_log_from=rss
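
Both Troj/Lineag-FX and Troj/Agent-HQY persist the same way: a new kernel driver service with automatic start and a plausible display name ("Websense CPM Report Scheduler", "Open Host Controller Miniport USB Driver"). The script below is an added example for reviewing such services on a Windows host, not code from the forum posts or from Sophos. It enumerates automatically started kernel driver services, normalises each ImagePath to a real file, and reports the file's Authenticode status and signer so that the display name can be checked against who actually signed the binary. It assumes that on a supported Windows version inbox drivers report a valid (catalog) signature; on older systems more entries will show NotSigned, so the output is a review queue rather than a verdict.

```powershell
# Added example (not from the forum posts or the Sophos advisories): list
# automatically started kernel driver services with their binary's signature.
# Run from an elevated PowerShell prompt on the host under review.
# Assumption: inbox drivers show a valid catalog signature on supported Windows.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SERVICE_KERNEL_DRIVER = 1   # Type value for a kernel-mode driver
$SERVICE_AUTO_START    = 2   # Start value for "Automatic"

function Resolve-DriverPath {
    # Turn the ImagePath forms found in the registry into an absolute path:
    #   \??\C:\...\x.sys   \SystemRoot\system32\drivers\x.sys   system32\drivers\x.sys
    param([string]$ImagePath)
    $p = [System.Environment]::ExpandEnvironmentVariables("$ImagePath".Trim().Trim('"'))
    if ($p -match '^\\\?\?\\(.+)$') { $p = $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$') { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$drivers = foreach ($svc in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
    $cfg = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $cfg -or $cfg.Type -ne $SERVICE_KERNEL_DRIVER) { continue }
    if ($cfg.Start -ne $SERVICE_AUTO_START -or -not $cfg.ImagePath) { continue }

    $path = Resolve-DriverPath $cfg.ImagePath
    $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $status = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Service     = $svc.PSChildName     # e.g. "suqgpyxali" or "ohctusb" in the alerts above
        DisplayName = $cfg.DisplayName     # the name a user sees; compare it with Signer
        ImagePath   = $path
        Signature   = $status
        Signer      = $signer
    }
}

# Missing or unsigned binaries first; a vendor-sounding DisplayName with no matching
# Signer is the pattern both alerts above describe.
$drivers | Sort-Object { $_.Signature -eq 'Valid' }, Service | Format-Table -AutoSize
```

Like the registry audit, this only reads configuration. Drivers started at boot or system start (Start values 0 and 1) are deliberately excluded here because the two alerts describe automatic-start services; drop the Start filter to review every kernel driver.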

PWS-Banker.gen.b!D078AA07 Information

In reply to: VIRUS \ Spyware ALERTS - September 15, 2008

Alert ID : FrSIRT/ALRT-2008-05377
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-09-15


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_150190.htm

Credits

Reported by McAfee
