Spyware, viruses, & security : VIRUS \ SPYWARE ALERTS - August 24, 2009

by Marianna Schmudlach Moderator - 8/24/09 7:36 AM
Post 16 of 53

VBS.Runauto.G

by Marianna Schmudlach Moderator - 8/24/09 7:51 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Discovered: August 24, 2009
Updated: August 24, 2009 1:26:17 PM
Type: Worm
Infection Length: 152,018 Bytes (minimum)
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

VBS.Runauto.G is a worm that spreads through removable drives and network shares. The worm also opens a back door on the compromised computer.

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-082410-4817-99

Post 17 of 53

PE_INDUC.A

by Marianna Schmudlach Moderator - 8/24/09 7:52 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

File Infector Targets Delphi Compilers

A new threat targeting Borland Delphi Compilers is fast becoming a global concern, as we have been receiving reports of increased infection incidents. The file infector, detected by Trend Micro as PE_INDUC.A, tampers with Borland Delphi Compilers installed in targeted systems, causing all files compiled using the compromised Delphi compiler to be infected. Borland Delphi Compiler is a tool used to compile several popular enterprise database and desktop applications.

Upon execution, the malware checks if a Borland Delphi Compiler is installed on the system by checking a certain registry entry. Once the existence of the said compiler on the system is confirmed, it modifies the file SysConst.pas, by appending code. Through this routine, it compiles a new copy of the file SysConst.dcu which is detected by Trend Micro as TROJ_INDUC.AA. It then renames the original SysConst.dcu to SysConst.bak and deletes the modified SysConst.pas.

More: http://blog.trendmicro.com/

Post 18 of 53

SizeExplorer4 False positive?

by robkluver - 8/26/09 11:05 AM In reply to: PE_INDUC.A by Marianna Schmudlach Moderator

This one came up for SizeExplorer4. Their website says it is a false positive and asks people to upgrade to a later version.

Post 19 of 53

Which Anti Virus detected it?

by Marianna Schmudlach Moderator - 8/26/09 11:32 AM In reply to: SizeExplorer4 False positive? by robkluver

Here is the description from Trend Micro:

Description:

Trend Micro has flagged this file infector as noteworthy due to the increased potential for damage, propagation, or both, that it possesses. Specifically, it compromises a Borland Delphi Compiler to infect other files.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

More: http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FINDUC%2EA&VSect=P

Post 20 of 53

Worm:W32/Autorun

by Marianna Schmudlach Moderator - 8/24/09 7:53 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Name : Worm:W32/Autorun
Category: Malware
Type: Worm
Platform: W32

Summary
A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.


Additional Details
This is the Worm:W32/AutoRun family description.

AutoRun worms spread by copying themselves into the root directories of hard drives and other writable media such as USB memory sticks.

These worms create an autorun.inf file in the root directories of drives they want to infect.

More: http://www.f-secure.com/v-descs/worm_w32_autorun.shtml

Post 21 of 53

Other:HTML/Fraud

by Marianna Schmudlach Moderator - 8/24/09 7:54 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Name : Other:HTML/Fraud
Detection Names : Trojan-spy.html.fraud.gen
Category: Malware
Type: Other
Platform: HTML

Summary
A malicious program which does not easily fit into any other malware category.


Additional Details
Other:HTML/Fraud detects fraudulent e-mail messages and website HTML.

Detections are typically the result of a mismatch in HREF tags used by hyperlinks. The fraudulent message or site is attempting to disguise or obfuscate the hyperlink. Disguised links are used by phishers attempting to lure victims to fraudulent sites in order to steal personal account details.


Example

Example of a HREF mismatch:

More: http://www.f-secure.com/v-descs/other_html_fraud.shtml
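
The HREF mismatch described in the post above, as an added example that is not part of the original post and is not F-Secure's detection logic: a small checker that flags links whose visible text names one host while the `href` points to another. The function and class names and the sample message (which uses reserved example host names) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A host name written out in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def _host(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed href, e.g. unbalanced IPv6 brackets
        return ""

class HrefMismatchFinder(HTMLParser):
    """Collects (visible text, href) pairs where the two name different hosts."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # None means "not inside an <a> element"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = "".join(self._text).strip()
        shown, actual = HOST_IN_TEXT.search(text), _host(self._href)
        # Compare hosts, tolerating a leading "www." on either side.
        if shown and actual and (shown.group(1).lower().removeprefix("www.")
                                 != actual.removeprefix("www.")):
            self.findings.append((text, self._href))
        self._href = None

def find_href_mismatches(html):
    finder = HrefMismatchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample message body; only the first link is a mismatch.
SAMPLE = """<p>Confirm your account at
<a href="http://login.example.net/verify">https://www.bank.example.com/</a></p>
<p><a href="https://www.bank.example.com/help">bank.example.com</a></p>
<p><a href="https://bank.example.com/terms">Terms of use</a></p>"""
```

Links whose text is not a host name ("Terms of use") are ignored, so the check only fires when the message displays one address and links to another.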

Post 22 of 53

Win32/WindowsAntivirusPro Family

by Marianna Schmudlach Moderator - 8/24/09 7:55 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Type : Trojan

Category : Win32

Also known as: Trojan.Fakeavalert (Symantec), Trojan:Win32/FakeScanti (MS OneCare)


Description
Win32/WindowsAntivirusPro is rogue security software that displays deceptive information about the infected system. It also blocks access to the infected system by terminating processes not included in its predefined list. This trojan is commonly known as "Windows Antivirus Pro".

Method of Infection

To the unsuspecting user, Windows Antivirus Pro appears to be a legitimate program. The image below shows its Graphical User Interface.

More: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=79458

Post 23 of 53

W32/Autorun-APR

by Marianna Schmudlach Moderator - 8/24/09 8:57 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Aliases

* WORM/Nurk
* Backdoor.Win32.IRCBot.jgd

Category

* Viruses and Spyware

Type

* Worm


Affected operating systems

* Windows

Characteristics

* Drops more malware
* Installs itself in the registry


W32/Autorun-APR is a worm for the Windows platform.

When W32/Autorun-APR is installed it copies itself to the following location and connects to a server on the internet:

<System>\lsass.exe

W32/Autorun-APR is also installed onto the root of any removable media:

<Root>\Key-Installer.exe

When W32/Autorun-APR is installed the following file detected as W32/Autorun-AMP is created:

<System>\drivers\sysdrv32.sys

The following registry entry is created to run lsass.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ilasss
<System>\lsass.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/w32autorunapr.html?_log_from=rss

Post 24 of 53

Troj/Zbot-HF

by Marianna Schmudlach Moderator - 8/24/09 8:58 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojzbothf.html?_log_from=rss

Post 25 of 53

Troj/PDFJs-BG

by Marianna Schmudlach Moderator - 8/24/09 8:59 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Category

* Viruses and Spyware

Type

* Trojan


How it spreads

* Web browsing

Affected operating systems

* Windows

Troj/PDFJs-BG is a PDF file containing malicious JavaScript.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojpdfjsbg.html?_log_from=rss

Post 26 of 53

Troj/DwndLdr-B

by Marianna Schmudlach Moderator - 8/24/09 8:59 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdwndldrb.html?_log_from=rss

Post 27 of 53

Troj/Dropr-BP

by Marianna Schmudlach Moderator - 8/24/09 9:00 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdroprbp.html?_log_from=rss

Post 28 of 53

Troj/Drop-DI

by Marianna Schmudlach Moderator - 8/24/09 9:01 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdropdi.html?_log_from=rss

Post 29 of 53

Troj/Buzus-AX

by Marianna Schmudlach Moderator - 8/24/09 9:02 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbuzusax.html?_log_from=rss

Post 30 of 53

Troj/Buzus-AW

by Marianna Schmudlach Moderator - 8/24/09 9:02 AM In reply to: VIRUS \ SPYWARE ALERTS - August 24, 2009 by Marianna Schmudlach Moderator

Category

* Viruses and Spyware

Type

* Trojan


Affected operating systems

* Windows

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbuzusaw.html?_log_from=rss
