Spyware, Viruses, & Security forum

VIRUS \ Spyware ALERTS - September 5, 2008

by Marianna Schmudlach / September 4, 2008 2:42 PM PDT

Trojan-Dropper:W32/Agent.FBB

Detection Names : Trojan-Dropper.Win32.Agent.vmh
Trojan-Dropper:W32/Agent.FBB

Size: 41472
Type: Trojan-Dropper
Category: Malware

Summary
This type of trojan contains one or more malicious programs, which it will secretly install and execute.

File System Changes

On execution, Agent.FBB creates a copy of itself as %appdata%\deveinf.exe.

In addition, the following files are created:

%windir%\system32\devecl.dll
%windir%\system32\deveio.dll
%windir%\system32\drivers\devekd.sys
%appdata%\dever.tmp
Notes:

%appdata% is a variable that refers to the application data folder. By default, this is C:\Documents and Settings\[username]\Application Data.

%windir% is a variable that refers to the Windows folder in a short path form. By default, this is C:\Winnt (Windows NT/2000), C:\Windows (Windows XP)

http://www.f-secure.com/v-descs/trojan-dropper_w32_agent_fbb.shtml

Trojan-Downloader:JS/Agent.CKL
by Marianna Schmudlach / September 4, 2008 2:44 PM PDT

Detection Names : Trojan-Downloader.JS.Agent.ckl

Type: Trojan-Downloader
Category: Malware
Platform: JS

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Upon execution, this trojan will try to take advantage of the following vulnerabilities:

Microsoft Office Snapshot Viewer ActiveX vulnerability
Sina DLoader Class ActiveX Control 'DonwloadAndInstall' Method Arbitrary File Download Vulnerability
Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)
UUSee UUUpgrade ActiveX Control 'Update' Method Arbitrary File Download Vulnerability
Ourgame 'GLIEDown2.dll' ServerList Method ActiveX Control Remote Code Execution Vulnerability
RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601)
Baidu Soba Remote Code Execute Vulnerability
DPClient.Vod (CVE-2007-6144)

http://www.f-secure.com/v-descs/trojan-downloader_js_agent_ckl.shtml

Trojan-Downloader:JS/Agent.CKK
by Marianna Schmudlach / September 4, 2008 2:45 PM PDT

Detection Names : Trojan-Downloader.JS.Agent.ckk

Type: Trojan-Downloader
Category: Malware
Platform: JS

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Upon execution, this trojan tries to take advantage of the following vulnerability:

Microsoft Office Snapshot Viewer ActiveX vulnerability

If this vulnerability is present on the user's system, the malware exploits it in order to download and execute a file from the URL http://down.hs7yue.cn/[Removed]/ac.css. The downloaded file is detected as the malware Trojan.Win32.Agent.wnu.

http://www.f-secure.com/v-descs/trojan-downloader_js_agent_ckk.shtml

Trojan-Downloader:HTML/IFrame.SU
by Marianna Schmudlach / September 4, 2008 2:47 PM PDT

Detection Names : Trojan-Downloader.HTML.IFrame.su

Type: Trojan-Downloader
Category: Malware
Platform: HTML

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Additional Details
This malware will only affect a user who is browsing a malicious website, or a legitimate website which has been compromised. Unlike more straightforward trojan-downloaders, this malware does not directly download the malicious files itself, but rather redirects the user to malicious websites which perform the actual download automatically.

Upon execution, this malware uses "Iframe" tags to redirect the user to the malicious websites. Which website the user is redirected to depends on the browser being used:

If the user is using Internet Explorer, they will be redirected to http://jzm015.cn/[Removed]link.html, then http://www.hby005.cn/[Removed]2.htm.
If the user is using any other browser, they will be redirected to http://jzm015.cn/[Removed]link.html, then http://www.hby005.cn/[Removed]2.htm.

http://www.f-secure.com/v-descs/trojan-downloader_html_iframe_su.shtml
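
The two page-level patterns described in the Agent.CKL/CKK and IFrame.SU posts above, as an added example that is not part of the forum posts or of F-Secure's write-ups: a stand-alone Python triage scanner for a fetched HTML page. It flags hidden iframes (zero width/height, display:none or visibility:hidden) whose target host is not the page's own host, which is the hand-off IFrame.SU performs, and it flags script that instantiates ActiveX controls, checking each ProgID against a watchlist. The watchlist holds only the two ProgIDs the Agent.CKL post names (IERPCtl.IERPCtl.1 and DPClient.Vod); the sample page, its .invalid hosts and all function and class names are my own constructions.

```python
"""Static triage of a fetched HTML page for the drive-by patterns above.

Added example for this thread; it is not code from the forum post or from
F-Secure. It flags (1) <iframe> tags that are hidden (zero width/height or
display:none/visibility:hidden) and point at a host other than the page's
own, the hand-off IFrame.SU performs, and (2) script that instantiates
ActiveX controls, matching each ProgID against the ones the Agent.CKL
write-up names. It does not execute JavaScript, so a redirect that is only
built at run time needs a sandboxed browser rather than this parser.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Only the ProgIDs the Agent.CKL post names; extend from the vendor advisory.
ACTIVEX_WATCHLIST = {"ierpctl.ierpctl.1", "dpclient.vod"}

ACTIVEX_RE = re.compile(r'ActiveXObject\s*\(\s*["\']([^"\']+)["\']\s*\)', re.I)
CLSID_RE = re.compile(r'clsid:\s*\{?([0-9a-f-]{36})\}?', re.I)


def _dim(value):
    """Leading integer of '0', '0px', '468' ...; None when absent/non-numeric."""
    if value is None:
        return None
    m = re.match(r'\s*(\d+)', value)
    return int(m.group(1)) if m else None


class DriveByScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []          # (kind, detail) tuples in document order
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "object":
            m = CLSID_RE.search(a.get("classid", ""))
            if m:
                self.findings.append(("object-clsid", m.group(1).lower()))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self._scan_script("".join(self._script))
            self._script = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as raw text.
        if self._in_script:
            self._script.append(data)

    def _check_iframe(self, a):
        src = a.get("src", "")
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_dim(a.get("width")) == 0 or _dim(a.get("height")) == 0
                  or "display:none" in style or "visibility:hidden" in style)
        host = urlparse(src).hostname
        offsite = host is not None and host != self.page_host
        if hidden and offsite:
            self.findings.append(("hidden-offsite-iframe", src))

    def _scan_script(self, text):
        for progid in ACTIVEX_RE.findall(text):
            kind = "activex-watchlist" if progid.lower() in ACTIVEX_WATCHLIST else "activex"
            self.findings.append((kind, progid))


def scan_html(page_url, html):
    """Return the list of (kind, detail) findings for one fetched page."""
    scanner = DriveByScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign banner iframe, one hidden off-site iframe and
# a script probing two of the controls named above. Hosts are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
<iframe src="http://attacker.invalid/link.html" width="0" height="0" frameborder="0"></iframe>
<script type="text/javascript">
try { var rp = new ActiveXObject("IERPCtl.IERPCtl.1"); } catch (e) {}
try { var dp = new ActiveXObject("DPClient.Vod"); } catch (e) {}
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html("http://www.example.invalid/index.html", SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

On the sample page this reports the hidden off-site iframe and both watch-listed ProgIDs, and ignores the same-origin banner frame. Because the scanner only reads markup, a page that assembles its iframe or ActiveX calls in obfuscated JavaScript at run time (the browser-dependent branch F-Secure describes is one such case) has to be rendered in an instrumented browser to observe the actual redirect chain.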

Troj/NTRootK-DX
by Marianna Schmudlach / September 5, 2008 12:47 AM PDT

Troj/KillAV-EX
by Marianna Schmudlach / September 5, 2008 12:48 AM PDT

Troj/Dwnldr-HHM
by Marianna Schmudlach / September 5, 2008 12:50 AM PDT

Aliases Win32/TrojanDownloader.Delf.ODS
Trojan.Win32.FraudPack.gen

Category Viruses and Spyware

Type Trojan

Troj/Dwnldr-HHM is a Trojan for the Windows platform.

Troj/Dwnldr-HHM includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Dwnldr-HHM copies itself to <System>\ieupdates.exe.

The following registry entry is created to run ieupdates.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ieupdate
<System>\ieupdates.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhhm.html?_log_from=rss

Troj/Agent-HOV
by Marianna Schmudlach / September 5, 2008 12:51 AM PDT

Troj/Agent-HOS
by Marianna Schmudlach / September 5, 2008 12:52 AM PDT

Trojan-Downloader:JS/Agent.CTL
by Marianna Schmudlach / September 5, 2008 12:55 AM PDT

Trojan-Downloader:W32/Exchanger.AJ
by Marianna Schmudlach / September 5, 2008 12:56 AM PDT

Detection Names : Trojan-Downloader:W32/Exchanger.AJ
Trojan-Downloader.Win32.Exchanger.ly

Size: 78848
Type: Trojan-Downloader
Category: Malware

Summary
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

http://www.f-secure.com/v-descs/trojan-downloader_w32_exchanger_aj.shtml

Sus/AVKill-B
by Marianna Schmudlach / September 5, 2008 12:57 AM PDT

Troj/Swizzor-OD
by Marianna Schmudlach / September 5, 2008 12:59 AM PDT

Troj/Gamania-BX
by Marianna Schmudlach / September 5, 2008 1:00 AM PDT

Troj/FakeAle-GX
by Marianna Schmudlach / September 5, 2008 1:01 AM PDT

Troj/Agent-HOX
by Marianna Schmudlach / September 5, 2008 1:03 AM PDT

Troj/Agent-HOW
by Marianna Schmudlach / September 5, 2008 1:04 AM PDT

Sophos DNS snafu creates update problems
by Marianna Schmudlach / September 5, 2008 1:47 AM PDT

Bad hair day nothing to do with hackers
By John Leyden
Published Friday 5th September 2008

Domain name system problems left some users of Sophos unable to get security updates on Friday. The same issue, blamed on a mistake by one of the security firm's service providers rather than hostile action, left many surfers unable to access its main sophos.com website.

Graham Cluley, senior technology consultant at Sophos, explained that an error by one of its service providers in updating DNS settings for the Sophos.com site has permeated across the internet, and will take a little while to untangle. "Some users have experienced problems getting updates because of these incorrect settings," he explained. "No kind of DNS cache poisoning or any kind of hacking attack was involved."

More: http://www.theregister.co.uk/2008/09/05/sophos_dns_snafu/

Troj/Sharp-AA
by Marianna Schmudlach / September 5, 2008 5:44 AM PDT

Troj/FakeAV-CV
by Marianna Schmudlach / September 5, 2008 5:45 AM PDT

Troj/Ezio-E
by Marianna Schmudlach / September 5, 2008 5:46 AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Ezio-E is a Trojan for the Windows platform.

When first run Troj/Ezio-E copies itself to <System>\CbEvtSvc.exe.

The file CbEvtSvc.exe is registered as a new system driver service named "CbEvtSvc", with a display name of "CbEvtSvc" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc

http://www.sophos.com/security/analyses/viruses-and-spyware/trojezioe.html?_log_from=rss

Troj/Dloadr-BSI
by Marianna Schmudlach / September 5, 2008 5:47 AM PDT

Aliases Trojan.Win32.Obfuscated.abi

Category Viruses and Spyware

Type Trojan

Troj/Dloadr-BSI includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Dloadr-BSI is installed the following files are created:

<User>\Application Data\Microsoft\Crypto\rsa\S-1-5-21-854245398-413027322-725345543-1003\1c96f5e3071d2fe1fd8725ea7dbf2576_d94f23d0-c3c6-4280-a7c4-148368e4a6d9
<User>\Application Data\Microsoft\Protect\S-1-5-21-854245398-413027322-725345543-1003\6b93ae49-e30b-4770-957a-0caef1aeab5e
<User>\Application Data\Microsoft\Protect\S-1-5-21-854245398-413027322-725345543-1003\Preferred
<User>\Application Data\Microsoft\Protect\credhist
<System>\winqjn32.dll

The file winqjn32.dll is detected as Mal/Generic-A.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdloadrbsi.html?_log_from=rss
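
The persistence artifacts listed in the Agent.FBB, Dwnldr-HHM, Ezio-E and Dloadr-BSI posts above, turned into a host check, as an added example that is not code from the forum posts, F-Secure or Sophos. The practical snag is that the vendors spell the same directories differently (F-Secure's %appdata% and %windir%, Sophos's <System> and <User>), so the indicators are normalised to concrete paths before being compared with a snapshot of the host. The snapshot (INVENTORY), the example user name, the XP directory values in ENV and all function names are my own constructions; on a real host they would come from os.walk, the HKCU Run key via winreg and the service list. The DPAPI master-key and key-container paths from the Dloadr-BSI list are left out because the SID in them is specific to the analysed machine.

```python
"""Match vendor-style indicators from the alerts above against a host snapshot.

Added example for this thread; not code from the forum post, F-Secure or
Sophos. The write-ups spell the same directories differently (F-Secure's
%appdata% and %windir%, Sophos's <System> and <User>), so indicators are
normalised to concrete paths before comparison. INVENTORY is a constructed
snapshot of what a collector would gather on the host (file list from
os.walk, HKCU Run values via winreg, installed service names); no live
system is read. ENV uses the Windows XP defaults from the F-Secure note
with an assumed user name.
"""
import ntpath
import re

# Indicators transcribed from the Agent.FBB, Dwnldr-HHM, Ezio-E and Dloadr-BSI posts.
INDICATORS = {
    "Agent.FBB": {"files": [r"%appdata%\deveinf.exe",
                            r"%windir%\system32\devecl.dll",
                            r"%windir%\system32\deveio.dll",
                            r"%windir%\system32\drivers\devekd.sys",
                            r"%appdata%\dever.tmp"]},
    "Dwnldr-HHM": {"files": [r"<System>\ieupdates.exe"],
                   "run_values": {"ieupdate": r"<System>\ieupdates.exe"}},
    "Ezio-E": {"files": [r"<System>\CbEvtSvc.exe"], "services": ["CbEvtSvc"]},
    "Dloadr-BSI": {"files": [r"<System>\winqjn32.dll"]},
}

# Concrete values for one XP host (assumed; resolve from the real environment).
ENV = {
    "%appdata%": r"C:\Documents and Settings\alice\Application Data",
    "<user>": r"C:\Documents and Settings\alice",
    "%windir%": r"C:\WINDOWS",
    "<system>": r"C:\WINDOWS\system32",
}

PLACEHOLDER_RE = re.compile(r"%appdata%|%windir%|<system>|<user>", re.I)


def expand(path, env):
    """Replace a vendor placeholder with its concrete directory, then normalise."""
    concrete = PLACEHOLDER_RE.sub(lambda m: env[m.group(0).lower()], path)
    return ntpath.normpath(concrete).lower()


def match_indicators(indicators, inventory, env):
    """Return {family: [(kind, indicator), ...]} for every indicator present."""
    files = {ntpath.normpath(f).lower() for f in inventory["files"]}
    run = {k.lower(): ntpath.normpath(v).lower()
           for k, v in inventory["run_values"].items()}
    services = {s.lower() for s in inventory["services"]}
    hits = {}
    for family, ioc in indicators.items():
        found = []
        for f in ioc.get("files", []):
            if expand(f, env) in files:
                found.append(("file", f))
        for name, target in ioc.get("run_values", {}).items():
            # Name and target must both match: a Run value called "ieupdate"
            # pointing elsewhere is not this family's persistence entry.
            if run.get(name.lower()) == expand(target, env):
                found.append(("run", name))
        for svc in ioc.get("services", []):
            if svc.lower() in services:
                found.append(("service", svc))
        if found:
            hits[family] = found
    return hits


# Constructed snapshot: two Agent.FBB files, the Dwnldr-HHM file plus Run value,
# and the Ezio-E service name but not its executable (a weaker, partial hit).
INVENTORY = {
    "files": {
        r"C:\WINDOWS\system32\kernel32.dll",
        r"C:\WINDOWS\system32\ieupdates.exe",
        r"C:\WINDOWS\system32\devecl.dll",
        r"C:\Documents and Settings\alice\Application Data\deveinf.exe",
    },
    "run_values": {"ieupdate": r"C:\WINDOWS\system32\ieupdates.exe",
                   "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "services": {"Dnscache", "CbEvtSvc"},
}

if __name__ == "__main__":
    for family, found in match_indicators(INDICATORS, INVENTORY, ENV).items():
        print(family, found)
```

The result is reported per indicator rather than as a single verdict, so a partial hit such as a lone "CbEvtSvc" service name with no matching executable can be weighed against the full file-plus-Run-key match for Dwnldr-HHM. Comparison is case-insensitive and path-normalised because the NTFS paths a collector returns rarely match the vendor's capitalisation exactly.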

Troj/Banc-D
by Marianna Schmudlach / September 5, 2008 5:48 AM PDT

Troj/Agent-HNY
by Marianna Schmudlach / September 5, 2008 5:49 AM PDT

Troj/Agent-HOY
by Marianna Schmudlach / September 5, 2008 8:24 AM PDT

Python.Sibi!inf
by Marianna Schmudlach / September 5, 2008 8:26 AM PDT

Troj/Agent-HOZ
by Marianna Schmudlach / September 5, 2008 11:55 AM PDT

Trend Micro + Troj_Generic or Troj_Generic.ADV
by Marianna Schmudlach / September 5, 2008 3:31 PM PDT

Recent updates from Trend Micro Internet Security, pattern 5.521.50 and 5.525.50, detected the following Microsoft operating system files as Troj_Generic or Troj_Generic.ADV and quarantined them:

C:\Windows\System32\nlasvc.dll
C:\Users\<User Name>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q2OAE1HE\prototype[1].js
C:\Users\<User Name>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OLJ5OQZS\prototype[1].js
C:\Windows\system32\wextract.exe
C:\Program files\dell support center\bin\libeay32.dll
C:\Windows\system32\wininit.exe

Solution:
An Official Pattern Release update (5.527.50) was released on September 5, 2008, intended to resolve this issue.

http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038089
