VIRUYS \ Spyware ALERTS - October 22, 2008

Aliases Worm.Win32.AutoRun.rab
WORM_SPYBOT.MCS

Category Viruses and Spyware

Type Worm

How it spreads Removable storage devices

Affected operating systems Windows
Characteristics Installs itself in the registry

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunmk.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbdownf.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/VBDown-E is a downloader Trojan for the Windows platform.

The following registry entry is created to run Troj/VBDown-E on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<filename of the Trojan executable>
<pathname of the Trojan executable>

http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbdowne.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakevirgo.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbckdrqpy.html?_log_from=rss

Category Viruses and Spyware

Type Trojan


Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthzv.html?_log_from=rss

Aliases Trojan.Win32.Inject.jci

Category Viruses and Spyware

Type Trojan

Troj/Agent-HZS is a Trojan for the Windows platform.

Troj/Agent-HZS includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Agent-HZS is installed it creates the file <System32>\Ir32_a.exe.

Ir32_a.exe is also detected as Troj/Agent-HZS.

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System32>\userinit.exe,Ir32_a.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthzs.html?_log_from=rss

Category Viruses and Spyware

Type Malicious Behavior

Mal/ObfJS-BF is an obfuscated JavaScript within a web page intended to exploit vulnerabilities in the browser in order to infect the victim with malware.

http://www.sophos.com/security/analyses/viruses-and-spyware/malobfjsbf.html?_log_from=rss

Category Viruses and Spyware

Type Worm

W32/AutoRun-MO is a Trojan for the Windows platform.

When first run W32/AutoRun-MO copies itself to <System>\XP-078F2E4E.EXE and creates the following files:

<System>\RegEx.fne
<System>\com.run
<System>\dp1.fne
<System>\eAPI.fne
<System>\internet.fne
<System>\krnln.fnr
<System>\shell.fne
<System>\spec.fne
<System>\ul.dll
<System>\og.dll
<System>\og.edt
<Temp>\e_4\RegEx.fne
<Temp>\e_4\com.run
<Temp>\e_4\dp1.fne
<Temp>\e_4\eAPI.fne
<Temp>\e_4\internet.fne
<Temp>\e_4\krnln.fnr
<Temp>\e_4\shell.fne
<Temp>\e_4\spec.fne

The files <System>\ul.dll, og.dll, og.edt are data files and can be safely removed. The file eAPI.fne is detected as Mal/Behav-027, all the other files are detected as W32/AutoRun-MO.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunmo.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpdfexab.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojkeygenco.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavfd.html?_log_from=rss

Aliases Application-Generic PUP.x
Trojan.Win32.Buzus.jql

Category Viruses and Spyware

Type Trojan

Troj/Buzus-U is a Trojan for the Windows platform.

When first run Troj/Buzus-U copies itself to <System>\dump-k.exe.

The following registry entries are created to run dump-k.exe on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1AAD1A7-09B0-59C0-BF51-4C4FB4152DCD}
StubPath
<System>\dump-k.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dumprep
<System>\dump-k.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbuzusu.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Troj/BHO-HL is a Trojan for the Windows platform.

Troj/BHO-HL is a Browser Helper Object that is used to display fake alert messages.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhohl.html?_log_from=rss

Category Viruses and Spyware

Type Trojan

Affected operating systems Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthzx.html?_log_from=rss

Category Adware or PUA

Type Unspecified PUA

ProxyPlus is a proxy application for servers including mail, web, telnet and DNS.

http://www.sophos.com/security/analyses/adware-and-puas/proxyplus.html?_log_from=rss

Category Adware or PUA

Type Remote Administration Tool

"Tz0 Remote Control" is a remote control application from www.ivirtua.com.

http://www.sophos.com/security/analyses/adware-and-puas/tz0remotecontrol.html?_log_from=rss

Category Suspicious behavior and files

Type Suspicious behavior

Sus/ObfJS-BF is an obfuscated JavaScript within a web page that is likely to exploit vulnerabilities in the browser in order to infect the victim with malware.

http://www.sophos.com/security/analyses/suspicious-behavior-and-files/susobfjsbf.html?_log_from=rss

Alert ID : FrSIRT/ALRT-2008-06247
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted.

References

http://vil.nai.com/vil/content/v_152771.htm

Credits

Reported by McAfee

Alert ID : FrSIRT/ALRT-2008-06248
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthzj.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06249
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthzr.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06250
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojagenthzt.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06251
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdldbgen.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06252
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdropbd.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06253
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdspyagen.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06254
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwnldrhjl.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06255
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavfb.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06256
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfluxeh.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06257
Aliases : Backdoor.Win32.InCommander - BDC/InCommander - BKDR_INCOMDER
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Troj/InComm-B is a backdoor Trojan for the Windows platform.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojincommb.html

Credits

Reported by Sophos

Alert ID : FrSIRT/ALRT-2008-06258
Aliases : N/A
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

Technical details and description are not available at this time.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/trojoscorn.html

Credits

Reported by Sophos