Troj/VbInject-R
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
Characteristics
* Installs itself in the registry
Troj/VbInject-R includes functionality to run automatically.
Troj/VbInject-R copies itself to <Windows>\conmsyrtl.exe.
The following registry entries are created to run conmsyrtl.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sistema de Comm
conmsyrtl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Sistema de Comm
conmsyrtl.exe
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
<Root>\sample.exe:*:Enabled:Sistema de Comm
http://www.sophos.com/security/analyses/viruses-and-spyware/trojvbinjectr.html?_log_from=rss
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
Troj/SpefZp-A is an archive that contains malware.
Troj/SpefZp-A is sent in spam messages which try to trick the user into executing the malware inside the archive.
http://www.sophos.com/security/analyses/viruses-and-spyware/trojspefzpa.html?_log_from=rss
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
Troj/Inject-KQ is a Trojan for the Windows platform.
When Troj/Inject-KQ is installed the following files are created:
<System>\updtr.bat (can be safely deleted)
<System>\updtr.exe (also detected as Troj/Inject-KQ)
The following registry entry is created to run updtr.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
updtr.exe
<System>\updtr.exe
http://www.sophos.com/security/analyses/viruses-and-spyware/trojinjectkq.html?_log_from=rss
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojfarfligen.html?_log_from=rss
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojramaga.html?_log_from=rss
Category
* Adware or PUA
Type
* Hacking Tool
Affected operating systems Windows
http://www.sophos.com/security/analyses/adware-and-puas/nirsoft.html
Type
Trojan
SubType
Win32
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics -
When executed, this malware drops a copy of itself or other malicious files in the following locations:
* %AllUsersProfile%\qbothome\_qbotinj.exe
* %AllUsersProfile%\qbothome\_qbotnti.exe
* %AllUsersProfile%\qbothome\_qbot.dll
* %Userprofile%\Start Menu\Programs\Startup\startup.bat
Note: %AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).
The malware creates a mutex with one of the following names, to ensure that only one copy of the worm runs on the infected machine:
* ~agbdw28sjhisad3
* ~e5d1417.tmp
* ~e5d141a.tmp
* ~e198ac781b.tmp
* ~e439125sl.tmp
* ~efd9452.tmp
The malware creates the following registry entry, to ensure its execution at system startup:
More: http://vil.nai.com/vil/content/v_240819.htm
Type
Trojan
SubType
Win32
Overview -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Characteristics -
This is a Trojan detection for a Bredolab variant.
When executed, this malware drops the following files:
* %UserDirectory%\qbothome\_qbotinj.exe
* %UserDirectory%\qbothome\_qbotnti.exe
* %UserDirectory%\qbothome\_qbot.dll
* %UserDirectory%\Start Menu\Programs\Startup\startup.bat
* %Root%\Tasks\*.job
(Where %UserDirectory% is the name of a user's home directory and %Root% is the root directory such as C:\)
The malware may also attempt to download the following files:
* q2l.exe
* iedw.exe
* si.txt
* seclog.txt
* _qbotnti.exe
* _qbotinj.exe
* nbl.txt
* removeme.txt
* irclog.txt
The following registry entry is created to allow itself to run at startup:
* Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run
{Original Value} = "%UserDirectory%\qbothome\_qbotinj.exe"
"%UserDirectory%\qbothome\_qbot.dll" /c {Original Data}
Connections may be made with the following domains:
More: http://vil.nai.com/vil/content/v_240818.htm
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlsw.html?_log_from=rss
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
Characteristics
* Installs itself in the registry
Troj/Agent-LNS is a Trojan for the Windows platform.
Troj/Agent-LNS includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/Agent-LNS copies itself to:
<Program Files>\Adobe\acrotray.exe
<System>\ctfmon.exe
The following registry entry is created to run acrotray.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe_Reader
<Program Files>\adobe\acrotray.exe
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentlns.html?_log_from=rss
Category
* Adware or PUA
Type
* Application
How it spreads
* Web downloads
Affected operating systems Windows
WhenU is adware-supported software from whenu.com, consisting of the following applications:
SearchBar
SaveNow
Save
WeatherCast
ICE
WhenU may be installed as part of the installation for other software, such as shareware or freeware downloaded from the internet.
WhenU displays advertising links and pop-up ads when the browser is active.
WhenU runs continuously in the background, periodically communicating with a remote server via HTTP. WhenU may download and install updates of its software without notification.
The default installation folders are:
<Program Files>\Save
<Program Files>\WeatherCast
<Program Files>\WhenUSearch
<Program Files>\VVSN
When the aforementioned applications are installed the following files are typically created:
<Start Menu\Programs>\WeatherCast
<Start Menu\Programs>\WeatherCast\WeatherCast.lnk
<Start Menu\Programs>\WhenU
<Start Menu\Programs>\WhenU\Learn More About WhenU Save.url
<Start Menu\Programs>\WhenU\Learn More About WhenU SaveNow.url
<Start Menu\Programs>\WhenU\Uninstall.lnk
<Start Menu\Programs>\WhenU\WhenU.com Website.url
<Start Menu\Programs>\WhenUSearch
<Start Menu\Programs>\WhenUSearch\WhenUSearch Desktop Toolbar.lnk
<Common Files>\WhenU
<Common Files>\WhenU\EmbedSE.dll
<Program Files>\Save
<Program Files>\Save\ACM.dll
<Program Files>\Save\save.cch
<Program Files>\Save\save.db
<Program Files>\Save\Save.exe
<Program Files>\Save\save.htm
<Program Files>\Save\SaveUninst.exe
<Program Files>\Save\store.db
<Program Files>\WeatherCast
<Program Files>\WeatherCast\Uninst.exe
<Program Files>\WeatherCast\Weather.exe
<Program Files>\WhenUSearch\search.cch
<Program Files>\WhenUSearch\search.db
<Program Files>\WhenUSearch\search.dll
<Program Files>\WhenUSearch\Search.exe
<Program Files>\WhenUSearch\search.htm
<Program Files>\WhenUSearch\Uninst.exe
<Program Files>\WhenUSearch\whse.exe
<Program Files>\WhenUSearch\Content
<Program Files>\WhenUSearch\Content\images
<Program Files>\VVSN\VVSN.EXE
The following registry entries are created to run Save.exe, Weather.exe, Search.exe, VVSN.EXE and whse.exe on startup:
More: http://www.sophos.com/security/analyses/adware-and-puas/whenu.html
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojsmalldlad.html?_log_from=rss
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojntrootkfo.html?_log_from=rss
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
Troj/Daptdei-A is a Trojan for the Windows platform.
Troj/Daptdei-A includes functionality to:
- run automatically
- copy itself to the <WINDOWS>\system32 folder
- create files in the <WINDOWS>\system32 folder
- access the internet and communicate with a remote server via HTTP
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdaptdeia.html?_log_from=rss
Category
* Viruses and Spyware
Type
* Trojan
Affected operating systems Windows
http://www.sophos.com/security/analyses/viruses-and-spyware/trojbankereux.html?_log_from=rss