VIRUS \ Spyware ALERTS - October 22, 2008

Oct 21, 2008 12:59PM PDT

W32/Autorun-MK
Oct 21, 2008 1:00PM PDT

Troj/VBDown-F
Oct 21, 2008 1:01PM PDT

Troj/VBDown-E
Oct 21, 2008 1:02PM PDT

Troj/FakeVir-GO
Oct 21, 2008 1:03PM PDT

Troj/Bckdr-QPY
Oct 21, 2008 1:04PM PDT

Troj/Agent-HZV
Oct 22, 2008 1:36AM PDT

Troj/Agent-HZS
Oct 22, 2008 1:37AM PDT

Aliases Trojan.Win32.Inject.jci

Category Viruses and Spyware

Type Trojan

Troj/Agent-HZS is a Trojan for the Windows platform.

Troj/Agent-HZS includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Agent-HZS is installed it creates the file <System32>\Ir32_a.exe.

Ir32_a.exe is also detected as Troj/Agent-HZS.

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System32>\userinit.exe,Ir32_a.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthzs.html?_log_from=rss

Mal/ObfJS-BF
Oct 22, 2008 1:40AM PDT

W32/AutoRun-MO
Oct 22, 2008 1:41AM PDT

Category Viruses and Spyware

Type Worm

W32/AutoRun-MO is a Trojan for the Windows platform.

When first run W32/AutoRun-MO copies itself to <System>\XP-078F2E4E.EXE and creates the following files:

<System>\RegEx.fne
<System>\com.run
<System>\dp1.fne
<System>\eAPI.fne
<System>\internet.fne
<System>\krnln.fnr
<System>\shell.fne
<System>\spec.fne
<System>\ul.dll
<System>\og.dll
<System>\og.edt
<Temp>\e_4\RegEx.fne
<Temp>\e_4\com.run
<Temp>\e_4\dp1.fne
<Temp>\e_4\eAPI.fne
<Temp>\e_4\internet.fne
<Temp>\e_4\krnln.fnr
<Temp>\e_4\shell.fne
<Temp>\e_4\spec.fne

The files <System>\ul.dll, og.dll and og.edt are data files and can be safely removed. The file eAPI.fne is detected as Mal/Behav-027; all the other files are detected as W32/AutoRun-MO.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunmo.html?_log_from=rss

Troj/PDFEx-AB
Oct 22, 2008 1:43AM PDT

Troj/KeyGen-CO
Oct 22, 2008 1:43AM PDT

Troj/FakeAv-FD
Oct 22, 2008 1:44AM PDT

Troj/Buzus-U
Oct 22, 2008 1:45AM PDT

Aliases Application-Generic PUP.x
Trojan.Win32.Buzus.jql

Category Viruses and Spyware

Type Trojan

Troj/Buzus-U is a Trojan for the Windows platform.

When first run Troj/Buzus-U copies itself to <System>\dump-k.exe.

The following registry entries are created to run dump-k.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1AAD1A7-09B0-59C0-BF51-4C4FB4152DCD}
StubPath
<System>\dump-k.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dumprep
<System>\dump-k.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbuzusu.html?_log_from=rss

Troj/BHO-HL
Oct 22, 2008 1:46AM PDT

Troj/Agent-HZX
Oct 22, 2008 1:47AM PDT

ProxyPlus
Oct 22, 2008 1:49AM PDT

Tz0 Remote Control
Oct 22, 2008 1:50AM PDT

Sus/ObfJS-BF
Oct 22, 2008 1:51AM PDT

PWS-OnlineGames.y.dr!D5BDE733
Oct 22, 2008 1:53AM PDT

Alert ID : FrSIRT/ALRT-2008-06247
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152771.htm

Credits

Reported by McAfee

Troj/Agent-HZJ
Oct 22, 2008 1:54AM PDT

Troj/Agent-HZR
Oct 22, 2008 1:55AM PDT

Troj/Agent-HZT
Oct 22, 2008 1:56AM PDT

Troj/DldB-Gen
Oct 22, 2008 1:57AM PDT

Troj/Drop-BD
Oct 22, 2008 1:58AM PDT

Troj/DSpyA-Gen
Oct 22, 2008 1:59AM PDT

Troj/Dwnldr-HJL
Oct 22, 2008 2:00AM PDT

Troj/FakeAv-FB
Oct 22, 2008 2:01AM PDT

Troj/Flux-EH
Oct 22, 2008 2:02AM PDT

Troj/InComm-B
Oct 22, 2008 2:02AM PDT

Troj/Oscor-N
Oct 22, 2008 2:03AM PDT