MWBLOG.ORG

Virus Malware and Threat News for 20090111

Troj/Agent-IOV

- Troj/Agent-IOV at Sophos

Troj/Agent-IOV is a Trojan for the Windows platform. When run
Troj/Agent-IOV copies itself to <System>\digeste.dll and adds the DLL file to the following registry
entry: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders <e...

Troj/Bckdr-QRC

- Troj/Bckdr-QRC at Sophos

...

Troj/Bckdr-QRD

- Troj/Bckdr-QRD at Sophos

...

Troj/Inject-DQ

- Troj/Inject-DQ at Sophos

Troj/Inject-DQ is a Trojan for the Windows platform. When run
Troj/Inject-DQ copies itself to: <System>\wuaumqr.exe
<System>\kazaabackupfiles\download_me.exe and sets the following registry entries:
HKCU\Software\Micros...

Troj/MDrop-BXT

- Troj/MDrop-BXT at Sophos

...

Troj/Crack-Q

- Troj/Crack-Q at Sophos

Troj/Crack-Q is used to patch sattelite receiver boxes to allow for viewing of premium TV channels.
...

Troj/Keygen-BW

- Troj/Keygen-BW at Sophos

Troj/Keygen-BW is a key generator for Winamp Pro v5.x
...

Mal/WaledPak-A

- Mal/WaledPak-A at Sophos

Mal/WaledPak-A is a worm for the Windows platform. Mal/WaledPak-A includes
functionality to access the internet and communicate with a remote server via HTTP and send itself out using
built-in SMTP client.
...

Troj/Agent-IOU

- Troj/Agent-IOU at Sophos

...

Troj/DwnLdr-HMY

- Troj/DwnLdr-HMY at Sophos

Troj/DwnLdr-HMY is a Trojan for the Windows platform. Troj/DwnLdr-HMY
includes functionality to access the internet and communicate with a remote server via HTTP.
When first run Troj/DwnLdr-HMY copies itself to the Windows system folder The
following reg...

TROJ_DROPPER.TT

- TROJ_DROPPER.TT at Trend Micro

...

WORM_MYTOB.QR

- WORM_MYTOB.QR at Trend Micro

This worm arrives as attachment to mass-mailed email messages. It may also arrive via removable drives.It
drops multiple files on the affected system, including copies of itself and possibly malicious component files.
It displays an image when executed.It creates a registry entry to enable its automatic execution at every
system start...

Troj/Agent-IOY

- Troj/Agent-IOY at Sophos

...

Troj/Agent-IOT

- Troj/Agent-IOT at Sophos

...

Troj/NtRootK-EI

- Troj/NtRootK-EI at Sophos

Troj/NtRootK-EI is a Trojan for the Windows platform. Once installed,
Troj/NtRootK-EI attempts to register itself as the service name "RKHit".
...

Troj/FakeAV-IJ

- Troj/FakeAV-IJ at Sophos

Troj/FakeAV-IJ is a Trojan for the Windows platform. Troj/FakeAV-IJ
includes functionality to download, install and run new software. The following files
are created: <Desktop>\Internet Antivirus Pro.lnk <Start
Menu>Programs\Inter...

W32/Autorun-TQ

- W32/Autorun-TQ at Sophos

W32/Autorun-TQ is a worm that copies itself to removable storage devices.
W32/Autorun-TQ copies itself together with an autorun.inf file that specifies the worm should be run
automatically. The worm also copies itself to the Application Data folder and creates
the following re...

W32/Waled-J

- W32/Waled-J at Sophos

...

Troj/Agent-IOW

- Troj/Agent-IOW at Sophos

Troj/Agent-IOW is a Trojan for the Windows platform.
...

Troj/Lineag-AN

- Troj/Lineag-AN at Sophos

When first run Troj/Lineag-AN copies itself to <Windows>\help\EB6C4499B05F.exe and creates
the following files: <Root>\1.hiv <Root>\2.hiv
<Current Folder>\2.bat <Windows>\1.bat <Windows>\help\EB6C4499B05F.dll
...

W32/Conficker.worm.gen.a

- W32/Conficker.worm.gen.a at McAfee

Network portscan on port 445 as per the MS08-067 exploit. Access to the above mentioned domain. Domain
accounts being locked due to maximum login attempts. presence of the above mentioned files and registry keys
in specific files and registryy keys with empty permissions. Scheduled tasks being created. autorun.inf files
being created...

TROJ_DDOS.ISR

- TROJ_DDOS.ISR at Trend Micro

This Trojan may be installed manually by a user. It may be downloaded unknowingly by a user when visiting
malicious Web sites.It creates folders and drops several files. It creates a registry entry to enable its
automatic execution at every system startup.Upon execution, it connects to an IRC server in a certain port.
Testing shows t...

Samal.A

- Samal.A at Panda

It is designed to carry out malicious actions only on 1st January 2009, such as prevent the computer from
being started properly, among others. It spreads making copies of itself in all the system drives.
...

Troj/Agent-IPI

- Troj/Agent-IPI at Sophos

...

Troj/Agent-IPJ

- Troj/Agent-IPJ at Sophos

...

Troj/Agent-IPK

- Troj/Agent-IPK at Sophos

...

Troj/DwnLdr-HND

- Troj/DwnLdr-HND at Sophos

Troj/DwnLdr-HND is a Trojan downloader for the Windows platform. When run
the Batchfile Trojan will attemp to download components from a remote FTP server and add them to the windws
task-scheduler....

Troj/FakeAV-IK

- Troj/FakeAV-IK at Sophos

Troj/FakeAV-IK is a Windows platform trojan. When Troj/FakeAV-IK is first
run, it attempts to download an executable from a remote host and save the file under <Program
Files>\Antivirus 2009\av2009.exe Troj/FakeAV-IK creates the following registry entry:
...

Troj/FakeAV-IL

- Troj/FakeAV-IL at Sophos

...

Mal/Behav-170

- Mal/Behav-170 at Sophos

...

Troj/Dloadr-CER

- Troj/Dloadr-CER at Sophos

Troj/Dloadr-CER is a Trojan for the Windows platform. Troj/Dloadr-CER
downloads and installs Troj/FakeAle-KZ to <PROGRAM FILES>\Antivirus 2009\av2009.
exe...

Troj/DwnLdr-HMQ

- Troj/DwnLdr-HMQ at Sophos

...

Troj/FakeAle-KY

- Troj/FakeAle-KY at Sophos

...

0 writebacks [01/12/2009 23:42] [] permanent link

Virus Malware and Threat News for 20090110

Worm:W32/Downadup.gen

- Worm:W32/Downadup.gen at F-Secure

Downadup is a worm. A standalone malicious program which uses computer or network resources to make complete
copies of itself. May include code or other malware to damage both the system and the network.
...

WiniGuard

- WiniGuard at Norton Symantec

BehaviorWiniGuard is a misleading application that may give exaggerated reports of threats on the computer.
...

Exploit-MSWord.j

- Exploit-MSWord.j at McAfee

Upon opening the word document the embedded ActiveX control with the following classid is instantiated and
executed. * {AE24FDAE-03C6-11D1-8B76-0080C744F389}This control stores configuration data for
the policy setting Microsoft Scriptlet Component.The control then makes a request to the following webpage*
hxxp://61...

TROJ_INJECT.ZZ

- TROJ_INJECT.ZZ at Trend Micro

...

PasswordStealer.BJ

- PasswordStealer.BJ at Panda

It steals confidential information from the user, such as passwords, and uses a rootkit in order to make its
detection more difficult. It reaches the computer passing itself off as a Christmas greeting.
...

Troj/MDrop-BXS

- Troj/MDrop-BXS at Sophos

When run Troj/MDrop-BXS drops <Temp>\3005593.exe detected as Mal/Generic-A
...

Troj/Agent-IOQ

- Troj/Agent-IOQ at Sophos

...

Mal/Behav-148

- Mal/Behav-148 at Sophos

...

Mal/FearDoor-A

- Mal/FearDoor-A at Sophos

...

Mal/OnlineG-C

- Mal/OnlineG-C at Sophos

...

Mal/Renos-F

- Mal/Renos-F at Sophos

...

Troj/Agent-IOP

- Troj/Agent-IOP at Sophos

Troj/Agent-IOP is a Trojan for the Windows platform. Troj/Agent-IOP is
registered as a new system driver service named "Wuausurv", with a display name of "Wuausurv" and a startup
type of automatic, so that it is started automatically during system startup. Registry entries are created
under: ...

Troj/Bifrose-VI

- Troj/Bifrose-VI at Sophos

Troj/Bifrose-VI is a Trojan for the Windows platform. Troj/Bifrose-VI
copies itself to msddll.exe in the Windows system folder and registers itself as a service process with a
start type of "Automatic". If run with sufficient rights Troj/Bifrose-VI will install
itself as an ap...

Troj/Dloadr-CEM

- Troj/Dloadr-CEM at Sophos

...

Troj/FakeAle-KX

- Troj/FakeAle-KX at Sophos

...

Troj/Agent-IOV

Troj/Bckdr-QRC

- Troj/Bckdr-QRC at Sophos

...

Troj/Bckdr-QRD

- Troj/Bckdr-QRD at Sophos

...

Troj/Inject-DQ

Troj/MDrop-BXT

- Troj/MDrop-BXT at Sophos

...

Troj/Crack-Q

- Troj/Crack-Q at Sophos

Troj/Crack-Q is used to patch sattelite receiver boxes to allow for viewing of premium TV channels.
...

Troj/Keygen-BW

- Troj/Keygen-BW at Sophos

Troj/Keygen-BW is a key generator for Winamp Pro v5.x
...

Mal/WaledPak-A

Troj/Agent-IOU

- Troj/Agent-IOU at Sophos

...

Troj/DwnLdr-HMY

0 writebacks [01/11/2009 06:49] [] permanent link

Virus Malware and Threat News for 20090109

W32.Grenail.D!inf

- W32.Grenail.D!inf at Norton Symantec

W32.Grenail.D!inf is a detection for files infected to run other threats when executed.
...

W32.Grenail.C!inf

- W32.Grenail.C!inf at Norton Symantec

W32.Grenail.C!inf is a detection for files infected to run other threats when executed.
...

W32/Conficker.worm.gen.b

- W32/Conficker.worm.gen.b at McAfee

When executed, the worm copies itself using a random name to the %Sysdir% folder.(Where %Sysdir% is the
Windows system folder; e.g. C:\Windows\System32)It modifies the following registry key to create a
randomly-named service on the affected syetem:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\ServiceD...

TROJ_DLOADR.QK

- TROJ_DLOADR.QK at Trend Micro

This Trojan may arrive on a system as attachment to spammed email messages.Upon execution, it downloads and
executes a malicious file from a certain URL. The downloaded file is detected by Trend Micro as TROJ_INJECT.ZZ.
As a result, routines of the related Trojan may also be exhibited on the affected system.
...

WORM_IRCBOT.CAV

- WORM_IRCBOT.CAV at Trend Micro

This worm may be dropped by other malware. It creates folders and drops several copies of itself. It then
creates registry entries to enable its automatic execution at every system startup.It modifies registry
entires to disable automatic Windows Update, various Security Center functions, and firewall settings; to hide
files with bot...

TROJ_KRYPTIK.YN

- TROJ_KRYPTIK.YN at Trend Micro

This Trojan may be downloaded from remote sites by other malware. It may be dropped by other malware.It drops
a copy of itself. It creates registry entries to enable its automatic execution at every system startup. It
deletes itself after execution.
...

TROJ_INJECT.JMO

- TROJ_INJECT.JMO at Trend Micro

This Trojan may be downloaded from remote sites by other malware.It drops files on the affected system,
including a copy of itself. It stays resident in the affected system's memory and injects code.It makes
multiple changes to the Windows registry. One of these changes allows it to run at every system startup.It
logs keystrokes ente...

WORM_AUTORUN.KY

- WORM_AUTORUN.KY at Trend Micro

This worm may be dropped or downloaded by other malware.It drops copies of itself on the affected system.It
registers itself as a system service to ensure its automatic execution at every system startup. It does this
by creating several registry entries.It drops a copy of itself in all physical and removable drives. It also
drops an ...

TROJ_DLOAD.ML

- TROJ_DLOAD.ML at Trend Micro

...

Conficker.C

- Conficker.C at Panda

It exploits the vulnerability MS08-067 in the Windows Server Service in order to spread itself and
download a copy of itself to the affected computer. Additionally, it attempts to download another type of
malware, which might be a fake antimalware program.
...

ExpressAntivirus2009

- ExpressAntivirus2009 at Panda

It deceives users and warns them of unexisting threats in their computers. In order to eliminate them, they
are enticed to purchase a certain program. It can be downloaded from the website belonging to the company that
has developed it....

Mal/Sality-B

- Mal/Sality-B at Sophos

Mal/Sality-B is a file infected by the Sality family of viruses.
...

Troj/Agent-IOM

- Troj/Agent-IOM at Sophos

Troj/Agent-IOM is a Trojan for the Windows platform. Troj/Agent-IOM drops
the following files: <System>\<random letters>.dll (also detected as
Troj/Agent-IOM) <System>\<random letters>.exe (clean uninstall file)
Troj/Ag...

Troj/FakeVir-JE

- Troj/FakeVir-JE at Sophos

...

Troj/MultPs-Gen

- Troj/MultPs-Gen at Sophos

...

Troj/PcCli-C

- Troj/PcCli-C at Sophos

...

W32/Sdbot-DNR

- W32/Sdbot-DNR at Sophos

...

Mal/Banker-F

- Mal/Banker-F at Sophos

...

Mal/FakeAV-R

- Mal/FakeAV-R at Sophos

...

Mal/IRCBot-H

- Mal/IRCBot-H at Sophos

...

Mal/TinyDL-X

- Mal/TinyDL-X at Sophos

Mal/TinyDL-X is a malicious program for the Windows platform.
...

Worm:W32/Downadup.gen

WiniGuard

- WiniGuard at Norton Symantec

BehaviorWiniGuard is a misleading application that may give exaggerated reports of threats on the computer.
...

Exploit-MSWord.j

TROJ_INJECT.ZZ

- TROJ_INJECT.ZZ at Trend Micro

...

PasswordStealer.BJ

Troj/MDrop-BXS

- Troj/MDrop-BXS at Sophos

When run Troj/MDrop-BXS drops <Temp>\3005593.exe detected as Mal/Generic-A
...

Troj/Agent-IOQ

- Troj/Agent-IOQ at Sophos

...

Mal/Behav-148

- Mal/Behav-148 at Sophos

...

Mal/FearDoor-A

- Mal/FearDoor-A at Sophos

...

Mal/OnlineG-C

- Mal/OnlineG-C at Sophos

...

Mal/Renos-F

- Mal/Renos-F at Sophos

...

Troj/Agent-IOP

Troj/Bifrose-VI

Troj/Dloadr-CEM

- Troj/Dloadr-CEM at Sophos

...

Troj/FakeAle-KX

- Troj/FakeAle-KX at Sophos

...

0 writebacks [01/10/2009 06:42] [] permanent link

Virus Malware and Threat News for 20090108

Trojan:W32/Black.A

- Trojan:W32/Black.A at F-Secure

A program with potential security concerns, which does not easily fit into any other category.
...

W32.Downadup!autorun

- W32.Downadup!autorun at Norton Symantec

W32.Downadup!autorun is a detection for the autorun.inf files dropped by variants of W32.Downadup.
...

Troj/Agent-IOH

- Troj/Agent-IOH at Sophos

...

W32/Autoit-AU

- W32/Autoit-AU at Sophos

...

JS/Bofra-L

- JS/Bofra-L at Sophos

...

Troj/Bckdr-QRA

- Troj/Bckdr-QRA at Sophos

...

Troj/BHO-JC

- Troj/BHO-JC at Sophos

...

Troj/Dloadr-CEK

- Troj/Dloadr-CEK at Sophos

...

Troj/Psyme-JE

- Troj/Psyme-JE at Sophos

...

Troj/Agent-IMK

- Troj/Agent-IMK at Sophos

...

Troj/Agent-IOG

- Troj/Agent-IOG at Sophos

...

W32.Grenail.D!inf

- W32.Grenail.D!inf at Norton Symantec

W32.Grenail.D!inf is a detection for files infected to run other threats when executed.
...

W32.Grenail.C!inf

- W32.Grenail.C!inf at Norton Symantec

W32.Grenail.C!inf is a detection for files infected to run other threats when executed.
...

W32/Conficker.worm.gen.b

TROJ_DLOADR.QK

WORM_IRCBOT.CAV

TROJ_KRYPTIK.YN

TROJ_INJECT.JMO

WORM_AUTORUN.KY

TROJ_DLOAD.ML

- TROJ_DLOAD.ML at Trend Micro

...

Conficker.C

ExpressAntivirus2009

Mal/Sality-B

- Mal/Sality-B at Sophos

Mal/Sality-B is a file infected by the Sality family of viruses.
...

Troj/Agent-IOM

Troj/FakeVir-JE

- Troj/FakeVir-JE at Sophos

...

Troj/MultPs-Gen

- Troj/MultPs-Gen at Sophos

...

Troj/PcCli-C

- Troj/PcCli-C at Sophos

...

W32/Sdbot-DNR

- W32/Sdbot-DNR at Sophos

...

Mal/Banker-F

- Mal/Banker-F at Sophos

...

Mal/FakeAV-R

- Mal/FakeAV-R at Sophos

...

Mal/IRCBot-H

- Mal/IRCBot-H at Sophos

...

Mal/TinyDL-X

- Mal/TinyDL-X at Sophos

Mal/TinyDL-X is a malicious program for the Windows platform.
...

0 writebacks [01/09/2009 06:42] [] permanent link

Virus Malware and Threat News for 20090107

Other:W32/Black.A

- Other:W32/Black.A at F-Secure

A program with potential security concerns, which does not easily fit into any other category.
...

VBS/IE-Title!C71CDCDC

- VBS/IE-Title!C71CDCDC at McAfee

When executed, this malware creates the following file:%System%\killVBS.vbs(Note: %System% is a variable
location and refers to the windows system directory The dropped files may have their attributes changed to
hidden/system files)It then creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Cu...

JS/Agent-IIH

- JS/Agent-IIH at Sophos

...

Troj/Perlif-A

- Troj/Perlif-A at Sophos

Troj/Perlif-A is a Trojan for the Windows platform. Once installed,
Troj/Perlif-A attempts to steal information including system events log.
...