
VIRUS \ Spyware ALERTS - October 22, 2008

Oct 21, 2008 12:59PM PDT


Troj/PDFEx-AA
Oct 22, 2008 2:04AM PDT
W32/Bugbear-D
Oct 22, 2008 2:05AM PDT

Alert ID : FrSIRT/ALRT-2008-06283
Aliases : W32/Mydoom.j@MM
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

W32/Bugbear-D is an internet worm which spreads via file sharing on Kazaa P2P networks and by emailing itself to contacts in the Windows address book and to addresses found within files on local and network drives that have extensions of HTM, ***, PHP, ASP, DBX, TBB, ADB or WAB.

When first run W32/Bugbear-D copies itself to the Windows system folder as taskmon.exe and creates the following registry entry, so that taskmon.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMon = %SYSTEM%\taskmon.exe

W32/Bugbear-D copies itself to the Kazaa Transfer folder specified by the registry entry HKCU\Kazaa\Transfer\DlDir0 using a filename randomly selected from the list:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with a random extension of EXE, SCR, PIF or BAT.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32bugbeard.html

Credits

Reported by Sophos

W32/Mytob-AT
Oct 22, 2008 2:06AM PDT

Alert ID : FrSIRT/ALRT-2008-06284
Aliases : W32/Mytob.FI@mm - W32/Mytob.cg@MM
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

W32/Mytob-AT is a mass-mailing worm and IRC backdoor Trojan. W32/Mytob-AT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32mytobat.html

Credits

Reported by Sophos

W32/Mytob-DP
Oct 22, 2008 2:07AM PDT

Alert ID : FrSIRT/ALRT-2008-06285
Aliases : W32/Mytob.em@MM - Infection:W32/Mytob.IE@mm
Size : N/A
Rated as : Low Risk
Release Date : 2008-10-21


Description

W32/Mytob-DP is a worm and IRC backdoor Trojan for the Windows platform. W32/Mytob-DP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

References

http://www.sophos.com/security/analyses/viruses-and-spyware/w32mytobdp.html

Credits

Reported by Sophos

Mal_FakeAV6 - "Halloween Costumes" Bring More Fright Than Ex
Oct 22, 2008 5:00AM PDT

"Halloween Costumes" Bring More Fright Than Expected

October 22, 2008

With Halloween just a few weeks away, you can bet everyone's preparing. Kids, and also adults, are probably looking for the perfect costume they'll wear to scare each other off in the spirit of the holiday.

Unfortunately, just searching for the perfect costume might render users the victims of a much graver type of scare tactic.

Advanced Threats Researcher Ivan Macalintal reported search results for queries for "halloween costumes" yielding compromised legitimate webpages.

Webpages seem to have been inserted onto legitimate websites as part of another SEO manipulation plot. As Threat Researcher Lennard Galang explains, "Usually in SEO Poisoning Attacks, malware authors compromise websites that are already top ranked in search engines, which may not be related to one another. Once compromised, they insert a specially crafted webpage on the compromised website so as upon using search engines or site searches, they can easily be visited or referred to."

More: http://blog.trendmicro.com/

W32/AutoRun-MP
Oct 22, 2008 5:41AM PDT
Troj/Mdrop-BWJ
Oct 22, 2008 5:42AM PDT

Category Viruses and Spyware

Type Trojan

Troj/Mdrop-BWJ is a Trojan for the Windows platform.

When Troj/Mdrop-BWJ is installed the following files are created:

<Temp>\Flasher.exe - detected as Troj/Geezo-F
<System>\winemx32.dll - detected as Troj/Mdrop-BWJ

The following registry entries are created to run code exported by winemx32.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winemx32
DllName = winemx32.dll
Impersonate = 0
Startup = BulStartup

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\MSSMGR

http://www.sophos.com/security/analyses/viruses-and-spyware/trojmdropbwj.html?_log_from=rss

Troj/Mdrop-BWI
Oct 22, 2008 5:43AM PDT
Troj/DwnLdr-HJM
Oct 22, 2008 5:44AM PDT
Troj/Bank-F
Oct 22, 2008 5:45AM PDT
Troj/Bank-E
Oct 22, 2008 5:46AM PDT
Troj/Agent-HZY
Oct 22, 2008 5:47AM PDT
W32/Autorun-MR
Oct 22, 2008 8:37AM PDT

Aliases Worm.Win32.AutoRun.rad

Category Viruses and Spyware

Type Worm

W32/AutoRun-MR is a worm for the Windows platform.

W32/AutoRun-MR includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/AutoRun-MR copies itself to <System>\lljyn081020.exe and creates the following files:

<User>\lljyndf16.ini
<System>\llbjyn32bb.dll

The file llbjyn32bb.dll is detected as Mal/DelpDldr-F and the file lljyndf16.ini is detected as W32/AutoRun-MQ.

The following registry entry is created to run lljyn081020.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
llajyn_df = <System>\lljyn081020.exe

W32/AutoRun-MR changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunmr.html?_log_from=rss

Troj/Nettroj-B
Oct 22, 2008 8:38AM PDT
Troj/Ifgif-A
Oct 22, 2008 8:39AM PDT
Troj/FakeAV-FE
Oct 22, 2008 8:40AM PDT
Troj/FakeAle-IQ
Oct 22, 2008 8:41AM PDT
Mal/ObfJS-BH
Oct 22, 2008 8:43AM PDT