General discussion

VIRUS \ SPYWARE ALERTS - September 18, 2009

Discussion is locked
Follow
Reply to: VIRUS \ SPYWARE ALERTS - September 18, 2009
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: VIRUS \ SPYWARE ALERTS - September 18, 2009
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Comments
- Collapse -
Troj/Dldr-BO
- Collapse -
Troj/BredoZp-F
- Collapse -
Troj/Banker-EUK
- Collapse -
Troj/Agent-LEU
- Collapse -
Troj/Agent-LET
- Collapse -
Troj/Agent-LES
- Collapse -
Troj/Agent-LER
- Collapse -
Mal/Suceret-A
- Collapse -
Mal/EncPk-KI
- Collapse -
Avert Labs Low-Profiled Threat Notice: JS/FakeAlert.dldr.a

Notice
This is a Low-Profiled Threat Notice for JS/FakeAlert.dldr.a

Justification
JS/FakeAlert.dldr.a has been deemed Low-Profiled due to media attention at link: http://www.eweek.com/c/a/Security/Botnet-Discovered-as-Source-of-Click-Fraud-Surge-496555/?kc=rss

Read About It
Information about JS/FakeAlert.dldr.a is located on VIL at: http://vil.nai.com/vil/content/v_231998.htm

Detection
JS/FakeAlert.dldr.a was first discovered on September 18, 2009 and detection will be added to the 5745 dat files (Release Date: September 18, 2009).

If you suspect you have JS/FakeAlert.dldr.a, please submit a sample to <http://www.webimmune.net>

- Collapse -
W32/Autorun-ARF
- Collapse -
Troj/Frink-Gen
- Collapse -
Troj/Bckdr-QYJ
- Collapse -
Troj/Agent-LEQ
- Collapse -
Troj/Agent-LEP
- Collapse -
Mal/Scribble-D
- Collapse -
Mal/Sasfis-A
- Collapse -
Mal/FakeAV-BH
- Collapse -
TROJ_FAKEAV.FGR

The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim?s PC. It has a dedicated component which actually installs the FAKEAV onto the user?s system. However, the Koobface gang has added a new twist to its fake Facebook page.

When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here?s a video that illustrates this behavior:

More: http://blog.trendmicro.com/

- Collapse -
AdVantage
- Collapse -
Jhoos
- Collapse -
Adware-OptServe!c69285034654

Type
Program
SubType
Adware
Discovery Date
09/17/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following registry elements have been created:

http://vil.nai.com/vil/content/v_231827.htm

- Collapse -
Adware-abetterintrnt!a3d17cedd1a0

Type
Program
SubType
Adware
Discovery Date
09/17/2009

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

File Property Property Value
FileName 7f6e3b3022a97e9894e91b2c2f44de657cff2f3d.exe
McAfee Artemis Artemis!a3d17cedd1a0
McAfee Detection Adware-abetterintrnt
Length 217,088 bytes
CRC 0D79CA9A
MD5 A3D17CEDD1A037E99FEB0CF18963DF16
SHA1 7F6E3B3022A97E9894E91B2C2F44DE657CFF2F3D

Other Common Detection Aliases

Company Name Detection Name
avast Win32:Adan-046 [Adw]
AVG (GriSoft) Generic.UBZ (Adware)
Avira ADSPY/BetterInternet.C.2
BitDefender Trojan.Spybi
clamav Adware.BBuddy-13
Dr.Web Trojan.Spybi
Eset Win32/Adware.BetterInternet (application)
F-Prot W32/Heuristic-257!Eldorado (suspicious)
Kaspersky not-a-virus:AdWare.Win32.BetterInternet.c
microsoft adware:win32/abetterinternet.g
norman W32/BetterInternet.CO
panda Adware/Transponder (spyware)
Sophos BetterInternet (PUA)
Symantec Adware.Aurora
vba32 Adware.Win32.BetterInternet.c
V-Buster Adware.BetterInternet.EX (trojan)

Avert

- Collapse -
Troj/Scar-A
- Collapse -
Troj/LnkZip-A
- Collapse -
Troj/FakeAV-ABM
- Collapse -
Troj/FakeAV-ABL
- Collapse -
Troj/FakAVZp-A
- Collapse -
Troj/Agent-LEX
- Collapse -
Troj/Agent-LEW

CNET Forums