Spyware, Viruses, & Security forum

General discussion

VIRUS \ Spyware ALERTS - September 15, 2008

by Marianna Schmudlach / September 14, 2008 2:35 PM PDT
Troj/Zlob-Gen
by Marianna Schmudlach / September 15, 2008 12:45 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Zlob-Gen detects members of the Zlob family of Trojan downloaders.

The Troj/Zlob-Gen family of Trojans usually attempt to hide themselves by injecting themselves into another system process or by registering themselves as a service process.

The typical Troj/Zlob-Gen Trojan may create folders in the <System> folder and store downloaded files in these folders and set the following registry entries to run on user startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzlobgen.html?_log_from=rss

Troj/PWS-ATP
by Marianna Schmudlach / September 15, 2008 12:46 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/PWS-ATP is a Trojan for the Windows platform.

When run, Troj/PWS-ATP creates the file:
<Windows>\Debug\winhlp.dll - detected as Mal/LineDLL-B

and copies itself to <System>\helpme.exe.

The following registry entries are set:

HKCR\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}
(default)
url

HKCR\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32
(default)
<Windows>\Debug\winhlp.dll

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}

Troj/PWS-ATP also drops a non-malicious GIF image which is then opened by the default image viewer application.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpwsatp.html?_log_from=rss

Troj/FakeVir-FV
by Marianna Schmudlach / September 15, 2008 12:47 AM PDT

Troj/Agent-HQU
by Marianna Schmudlach / September 15, 2008 12:48 AM PDT

Troj/Istbar-DR
by Marianna Schmudlach / September 15, 2008 12:49 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Istbar-DR is a Trojan downloader for the Windows platform.

Troj/Istbar-DR has the functionality to:
-download files from preconfigured URLs to C:\program files\RapidBlaster\<filename> then run them.

The following registry entries are created to run on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
rb32
C:\program files\RapidBlaster\<filename>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
rb32
C:\program files\RapidBlaster\<filename>

HKCR\Software\Microsoft\Windows\CurrentVersion\Run
rb32
C:\program files\RapidBlaster\<filename>

http://www.sophos.com/security/analyses/viruses-and-spyware/trojistbardr.html?_log_from=rss

Troj/Gamania-CH
by Marianna Schmudlach / September 15, 2008 12:50 AM PDT

Troj/FakeVir-FW
by Marianna Schmudlach / September 15, 2008 12:51 AM PDT

Troj/DwnLdr-HHU
by Marianna Schmudlach / September 15, 2008 12:52 AM PDT

Rootkit:W32/Agent.TZ
by Marianna Schmudlach / September 15, 2008 1:15 AM PDT

Detection Names: Rootkit:W32/Agent.TZ, Trojan-Clicker.Win32.VB.ath

Type: Rootkit
Category: Malware
Platform: W32

Summary
A program or set of programs which hides itself by subverting or evading the computer's security mechanisms, then allows remote users to secretly control the computer's operating system.

http://www.f-secure.com/v-descs/rootkit_w32_agent_tz.shtml

Troj/PWS-ATP - Jokes on you
by Marianna Schmudlach / September 15, 2008 1:28 AM PDT

15 September 2008

Malware often utilizes distraction techniques such as audio or video clips to both appear harmless and draw the unsuspecting user's attention away from what might really be happening.

Today's sample of yet another password stealer, Troj/PWS-ATP, is no different. Arriving as a scriptable WinRAR self-extractor (SFX), the Trojan drops two components to the temporary folder and launches them. Of these two components, one is the real malware and the other is the "distraction". The malware installs a DLL into %WINDOWS%\Debug\winhlp.dll and sets it to auto-load by registering it as a ShellExecute hook. Once installed, only this DLL need be present; all other components are discardable and serve only as delivery vehicles.

More: http://www.sophos.com/security/blog/2008/09/1785.html

W32/SillyFDC-CQ
by Marianna Schmudlach / September 15, 2008 1:29 AM PDT

W32/AutoRun-JH
by Marianna Schmudlach / September 15, 2008 1:30 AM PDT

Troj/YTKit-A
by Marianna Schmudlach / September 15, 2008 1:32 AM PDT

Troj/Lineag-FX
by Marianna Schmudlach / September 15, 2008 1:37 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Lineag-FX is a password stealing Trojan for the Windows platform.

Troj/Lineag-FX includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Lineag-FX copies itself to:

<System>\fafegoubu.exe
<System>\hypoo.exe

The following registry entry is created to run fafegoubu.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
boowudo
<System>\fafegoubu.exe

The file hypoo.exe is registered as a new system driver service named "suqgpyxali", with a display name of "Websense CPM Report Scheduler" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\suqgpyxali

Random file, registry entry and system driver service names may be used.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojlineagfx.html?_log_from=rss

Troj/FakeAV-DK
by Marianna Schmudlach / September 15, 2008 1:38 AM PDT

Troj/Agent-HQV
by Marianna Schmudlach / September 15, 2008 1:39 AM PDT

Aliases Trojan-Dropper.Win32.Agent.sie

Category Viruses and Spyware

Type Trojan

Troj/Agent-HQV is a Trojan for the Windows platform.

When Troj/Agent-HQV is installed the following files are created:

<Windows>\Config\csrss.exe
<System>\mswinsck.ocx

The following registry entry is changed to run Troj/Agent-HQV on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows>\Config\csrss.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthqv.html?_log_from=rss

August Malware Roundup
by Marianna Schmudlach / September 15, 2008 2:05 AM PDT

Notable Malware

WORM_KOOBFACE.E, WORM_KOOBFACE.D

These worms used the famous social networking site Facebook in their propagation routines. While executing on an affected user's system, these worms search for cookies related to Facebook. Once a match is found, the worms access the user's Facebook profile using the credentials contained in the cookie files. The worms then modify the user's Facebook profile to include a link pointing to the malware to infect more systems.

The attack places at risk the great number of Facebook users, which the social networking site claims has grown to over one hundred million.

TROJ_FAKEAV.CX

As its name implies, TROJ_FAKEAV.CX poses as an antivirus product. Like other malware of this type, it could be downloaded from malicious links contained in spammed email messages. TROJ_FAKEAV.CX displays several messages alerting the user about malware threats. To further convince users, it drops another Trojan on the system detected by Trend Micro as TROJ_RENOS.ACG. The dropped Trojan has visual payloads that readily alert users to the presence of malware on the system.

Furthermore, the payload for this type of attack goes beyond the damage to the affected system; it also causes unnecessary panic and wasted time for users.

More: http://blog.trendmicro.com/

VBS/Sasan-H
by Marianna Schmudlach / September 15, 2008 6:31 AM PDT

Troj/Drop-AV
by Marianna Schmudlach / September 15, 2008 6:32 AM PDT

Troj/Agent-HQW
by Marianna Schmudlach / September 15, 2008 6:33 AM PDT

Troj/AdClck-Gen
by Marianna Schmudlach / September 15, 2008 6:34 AM PDT

Troj/Scrods-Gen
by Marianna Schmudlach / September 15, 2008 9:43 AM PDT

Aliases TR/Crypt.FKM.Gen

Category Viruses and Spyware

Type Trojan

Troj/Scrods-Gen is a family of Trojans for the Windows platform.

Members of Troj/Scrods-Gen usually attempt to download and execute files from remote locations.

Members of Troj/Scrods-Gen may attempt to copy themselves to the Windows folder, often with the filename csrss.scr, and may set the following registry entry:

HKCR\.key
(default)

http://www.sophos.com/security/analyses/viruses-and-spyware/trojscrodsgen.html?_log_from=rss

Troj/Lineag-FY
by Marianna Schmudlach / September 15, 2008 9:44 AM PDT

Troj/Bckdr-QPH
by Marianna Schmudlach / September 15, 2008 9:46 AM PDT

Troj/Agent-HQY
by Marianna Schmudlach / September 15, 2008 9:47 AM PDT

Aliases Rootkit.Win32.Agent.io
Win32/Rootkit.Agent.IO

Category Viruses and Spyware

Type Trojan


Troj/Agent-HQY is a Trojan for the Windows platform.

When first run Troj/Agent-HQY copies itself to <System>\regsvc.exe and creates the following files:

<Startup>\_.lnk (This file may be deleted)
<System>\drivers\ohctusb.sys (detected as Troj/Agent-HQY)
<System>\drivers\ohctusb.syt (detected as Troj/Agent-HQY, but may also be deleted)

The file ohctusb.sys is registered as a new system driver service named "ohctusb", with a display name of "Open Host Controller Miniport USB Driver" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ohctusb

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthqy.html?_log_from=rss
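
The persistence points quoted in the Sophos write-ups above (the Run keys of Troj/Istbar-DR and Troj/Lineag-FX, the Winlogon Shell value of Troj/Agent-HQV, the ShellExecuteHooks CLSID of Troj/PWS-ATP, and the driver services of Troj/Lineag-FX and Troj/Agent-HQY) can all be triaged from a registry export without touching the infected machine's live registry. The script below is an added example, not code from this thread or from Sophos: it parses a constructed .reg export embedded as SAMPLE_REG and reports every Run entry, a Winlogon Shell that is not plain explorer.exe, any ShellExecute hook CLSID outside a small allowlist (resolved to its InProcServer32 DLL), and services whose image path matches an indicator. The indicator list, the allowlisted hook CLSID and every value in the sample export are assumptions chosen for the demonstration; the file paths mirror the ones named in the alerts.

```python
"""Triage a Windows registry export (.reg text) for the autostart locations named in
the alerts above. Runs offline on a constructed export, not on the live registry."""
import re

# Constructed sample export, not a real capture: values mirror artefacts from the alerts
# quoted above, mixed with benign entries (ctfmon, the stock URL exec hook, usbohci).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rb32"="C:\\program files\\RapidBlaster\\rb32.exe"
"boowudo"="C:\\WINDOWS\\system32\\fafegoubu.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Config\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}"=""
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CLASSES_ROOT\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32]
@="C:\\WINDOWS\\Debug\\winhlp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohctusb]
"DisplayName"="Open Host Controller Miniport USB Driver"
"ImagePath"="\\SystemRoot\\system32\\drivers\\ohctusb.sys"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbohci]
"DisplayName"="Microsoft USB Open Host Controller Miniport Driver"
"ImagePath"="system32\\DRIVERS\\usbohci.sys"
"Type"=dword:00000001
"""

# Indicators lifted from the alerts above (assumption: a production list is far longer).
IOC_SUBSTRINGS = ("rapidblaster", "\\debug\\winhlp.dll", "\\config\\csrss.exe",
                  "fafegoubu.exe", "hypoo.exe", "ohctusb.sys", "csrss.scr")
RUN_KEYS = {
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
}
WINLOGON = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon"
HOOKS = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
# Hooks expected on a clean box (assumption for the demo): the stock shell32 URL exec hook.
KNOWN_HOOKS = {"{aeb6717e-7e19-11d0-97ee-00c04fd91972}"}

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse the regedit export subset we need: [key] headers, "name"="string",
    @="string" (the default value) and "name"=dword:hex. Keys and names are lowercased."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(2) else m.group(1).lower()
        raw = m.group(3)
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
        elif raw.startswith("dword:"):
            value = str(int(raw[6:], 16))
        else:
            value = raw
        reg[key][name] = value
    return reg


def ioc_hit(s: str) -> bool:
    s = s.lower()
    return any(ioc in s for ioc in IOC_SUBSTRINGS)


def scan(reg: dict) -> list:
    """Return (severity, rule, location, detail) tuples for the persistence points
    the alerts above describe."""
    out = []
    for key, values in reg.items():
        if key in RUN_KEYS:  # every Run value is reported; indicator matches are high
            for name, cmd in values.items():
                out.append(("high" if ioc_hit(cmd) else "low", "autorun", key + "\\" + name, cmd))
        elif key == WINLOGON:  # Agent-HQV appends its EXE to the Shell value
            shell = values.get("shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                out.append(("high", "winlogon_shell", key + "\\shell", shell))
        elif key == HOOKS:  # PWS-ATP loads its DLL through an unknown hook CLSID
            for clsid in values:
                if clsid not in KNOWN_HOOKS:
                    srv = reg.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", {})
                    out.append(("high", "shellexecutehook", clsid, srv.get("@", "<no InProcServer32>")))
        elif key.startswith(SERVICES):  # Lineag-FX / Agent-HQY register driver services
            image = values.get("imagepath", "")
            if ioc_hit(image):
                out.append(("high", "service", key[len(SERVICES):],
                            values.get("displayname", "") + " -> " + image))
    return sorted(out)


if __name__ == "__main__":
    for sev, rule, where, detail in scan(parse_reg(SAMPLE_REG)):
        print(f"[{sev:4}] {rule:17} {where}  {detail}")
```

Against the sample the script reports six findings: the two indicator-matching Run entries and the benign ctfmon entry (low), the modified Winlogon Shell, the unknown hook resolved to winhlp.dll, and the ohctusb service. On a real machine, feed it the output of regedit's export (saved as UTF-16, so open the file with that encoding) or of `reg export` for the keys listed. Note that the service check is indicator-based only: a display name such as "Websense CPM Report Scheduler" or "Open Host Controller Miniport USB Driver" on a randomly named service cannot be recognised structurally, which is exactly why the Sophos text warns that random names may be used; comparing against a known-good baseline of the same machine is the complement to this script.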

PWS-Banker.gen.b!D078AA07 Information
by Marianna Schmudlach / September 15, 2008 12:05 PM PDT

Alert ID : FrSIRT/ALRT-2008-05377
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-09-15


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_150190.htm

Credits

Reported by McAfee
