Virus alerts for August 2006
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock an antivirus program that checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus


Most recent malware, computer viruses, worms, Trojan horses, spyware and adware.

Trojan.Mdropper.O - Trojan.Linkoptimizer - Backdoor.Lassrv.B - W32.Rungbu - W32.Spybot.AKKC - W32.Rahack.H - Trojan.Bakloma - W32.Stration.B@mm
W32.Randex.GEL - W32.Stration.A@mm - Backdoor.Haxdoor.P - W32.Toyep.A@mm
Trojan.Mdropper.N - Backdoor.Papi - Trojan.Tarodrop

What is malware? See the definition at the end of this page.

August 26 2006 Trojan.Linkoptimizer

Type: Trojan Horse
Infection Length: Varies.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Trojan.Linkoptimizer is a detection for a family of Trojan horse programs that use rootkit and stealthing techniques to hide their presence. The Trojan may download and display pop-up advertisements.

It has been reported that Trojan.Linkoptimizer may be installed by visiting the Web site [http://]gromozon.com.

The Trojan installs itself on the compromised computer by exploiting known, already patched vulnerabilities in Internet Explorer and Mozilla Firefox (the MS06-006 Windows Media Player plug-in flaw is the one reachable from Firefox), including:

* The Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability (as described in Microsoft Security Bulletin MS04-025)
* The Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (as described in Microsoft Security Bulletin MS03-011).
* The Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-006).
* The Microsoft Windows Graphics Rendering Engine WMF Remote Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-001).
* The Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-013).

While the Trojan is being installed, the browser may display a download prompt asking the user to save a file named www.google.com.

The browser may also ask for confirmation to install the file FreeAccess.ocx.

Once executed, Trojan.Linkoptimizer performs the following actions:

1. Creates the following files:

* %Temp%\[RANDOM NAME]1.exe
* %Windir%\[RANDOM NAME]1.dll

Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

2. Downloads files from the following hard-coded IP addresses:

* [http://]81.227.219.29/1/pic[REMOVED]
* [http://]166.65.130.116/1/pic[REMOVED]
* [http://]120.19.148.181/1/pic[REMOVED]
* [http://]195.225.177.145/1/pic[REMOVED]

3. Tries to resolve the following domain name:

shiptrop.com

4. Registers the dropped DLL as a Browser Helper Object by creating the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
\Browser Helper Objects\[RANDOM CLASSID]
HKEY_CLASSES_ROOT\CLSID\[RANDOM CLASSID]

5. Adds the value:

"AppInit_DLLs" = "[TROJAN .DLL FILE]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

6. Downloads and installs additional components, which include the rootkit component.

7. Creates the following files:

* %System%\[RANDOM NAME]aa.dll
* %System%\[RESERVED DOS NAME].[RANDOM EXT]

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

8. May store the above files inside the following Alternate Data Streams (ADS):

* %System%:[RANDOM NAME]aa.dll
* %System%:[RESERVED DOS NAME].[RANDOM EXT]

Note: [RESERVED DOS NAME] is one of the following names. All of them except tty are Win32 reserved device names, so a file that uses one is listed by a directory enumeration but cannot be opened or deleted through its normal path; tools have to use the \\?\ path prefix to reach it.

* com1
* com2
* com3
* com4
* tty
* prn
* nul
* lpt1

9. Uses rootkit techniques to hide its files and registry subkeys.

10. Adds a new administrator account on the compromised computer using a random user name.

11. May lower the privileges of the currently logged-on user in order to stop some security-related software from functioning.

12. Creates the following files, associated with the new administrator account, and encrypts them with the Windows Encrypting File System (EFS), so that they are readable only by that account (or a data recovery agent):

* %ProgramFiles%\Common Files\System\[RANDOM LETTERS].exe
* %ProgramFiles%\Common Files\System\[RANDOM LETTERS].exe

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

13. Creates a registry subkey and a system service associated with the new administrator account:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]

14. Attempts to download the following file:

%ProgramFiles%\LinkOptimizer\linkoptimizer.dll

15. Displays advertisements.


August 16 2006 W97M.Kukudro.C

Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W97M.Kukudro.C is a Trojan horse macro for Microsoft Word that reportedly drops additional malware.

When W97M.Kukudro.C is executed, it performs the following actions:

1. Creates the following files, each a copy of Downloader, a Trojan that connects to the Internet and downloads other Trojan horses or components. (Virus definitions dated June 1, 2006 or earlier may detect this threat as Download.Trojan.)

* C:\cvSecq.exe
* C:\vbftgc.exe
* C:\brtbvde.exe
* %System%\msdeco.dll
* %System%\mscodr.dll

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Creates the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{7B45217C-5521-3459-2345-AB36721975AF}
HKEY_CLASSES_ROOT\CLSID\{4A26217C-5521-3459-2345-AB36721975AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B45217C-5521-3459-2345-AB36721975AF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A26217C-5521-3459-2345-AB36721975AF}

3. Attempts to download the following file:

[http://]tootenbangkok.com/pix/cis[REMOVED]
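
The two write-ups above (Trojan.Linkoptimizer and W97M.Kukudro.C) name the same persistence and stealth locations that a responder would check first on a suspect Windows host: Browser Helper Objects, AppInit_DLLs, alternate data streams on the System folder, files named after reserved DOS devices, a surplus local administrator account and EFS-encrypted files under Common Files\System. The script below is an added triage example; it is not part of the original alerts and not vendor code. The only identifiers taken from the write-ups are the two Kukudro CLSIDs; everything else is a generic check. It assumes PowerShell 5.1 or later, run elevated.

```powershell
# Added host-triage example; not part of the original alerts. Walks the
# persistence and stealth locations named in the Trojan.Linkoptimizer and
# W97M.Kukudro.C write-ups. PowerShell 5.1 or later, run as Administrator.
# Only the two Kukudro CLSIDs come from the write-ups; the rest is generic.

$KnownBadClsids = @(
    '{7B45217C-5521-3459-2345-AB36721975AF}',   # W97M.Kukudro.C BHO
    '{4A26217C-5521-3459-2345-AB36721975AF}'    # W97M.Kukudro.C BHO
)
# Win32 reserved device names. A file called e.g. com1.dat shows up in a
# directory listing but cannot be opened or deleted through its normal path.
$ReservedNames = '^(?i)(con|prn|aux|nul|com[1-9]|lpt[1-9])$'
$SystemDir     = "$env:SystemRoot\System32"

function Get-SignatureState([string]$Path) {
    # Unsigned or missing DLLs in these locations deserve a closer look.
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full)) { return 'MISSING' }
    return (Get-AuthenticodeSignature -LiteralPath $full).Status.ToString()
}

function New-Finding($Check, $Id, $Path, $Note) {
    [pscustomobject]@{ Check = $Check; Id = $Id; Path = $Path; Note = $Note }
}

function Get-StealthIndicators {
    # 1. Browser Helper Objects: each subkey is a CLSID; resolve it to the DLL
    #    registered under HKCR\CLSID\{...}\InProcServer32.
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoRoot) {
        foreach ($sub in Get-ChildItem -Path $bhoRoot) {
            $clsid  = $sub.PSChildName
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            $dll    = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($KnownBadClsids -contains $clsid) { $note = 'KNOWN-BAD (W97M.Kukudro.C)' }
            elseif ($dll)                         { $note = Get-SignatureState $dll }
            else                                  { $note = 'NO-INPROCSERVER32' }
            New-Finding 'BHO' $clsid $dll $note
        }
    }

    # 2. AppInit_DLLs: every DLL listed here is loaded into each process that
    #    loads user32.dll, which is how Linkoptimizer gets into every GUI process.
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
        New-Finding 'AppInit_DLLs' '' $dll (Get-SignatureState $dll)
    }

    # 3. Alternate Data Streams attached to the System folder itself (%System%:name).
    Get-Item -LiteralPath $SystemDir -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { New-Finding 'ADS' $_.Stream $SystemDir "$($_.Length) bytes" }

    # 4. Files named after reserved DOS devices inside the System folder.
    Get-ChildItem -LiteralPath $SystemDir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match $ReservedNames } |
        ForEach-Object { New-Finding 'ReservedName' $_.Name $_.FullName ('remove with: del "\\?\' + $_.FullName + '"') }

    # 5. Members of the local Administrators group: the Trojan adds a random one.
    Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'LocalAdmin' $_.Name $_.ObjectClass $_.PrincipalSource }

    # 6. EFS-encrypted files under Common Files\System: only the account that
    #    encrypted them (here, the Trojan's own admin account) can read them.
    Get-ChildItem -LiteralPath "$env:ProgramFiles\Common Files\System" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object { New-Finding 'EFS' $_.Name $_.FullName 'encrypted' }
}

Get-StealthIndicators | Format-Table -AutoSize -Wrap
```

All six checks run inside the view the rootkit presents, so an empty result on a machine that shows other symptoms proves nothing; repeat them from clean boot media or with the disk attached to another system before trusting them. The \\?\ prefix in the suggested del command is what lets the Win32 layer open a device-named file as a file rather than as the device.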


August 06 2006 W32.Hocgaly.A@mm

W32.Hocgaly.A@mm is a mass-mailing worm that gathers email addresses from the compromised computer. It may also perform a denial of service attack against predetermined Web sites.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Hocgaly.A@mm is executed, it performs the following actions:

1. Creates the following files:

* %System%\winMem.exe - a copy of the worm
* %System%\WinFlag.vxd
* %System%\WinPos.vxd
* %System%\WinSrc.vxd
* %System%\WinMail.vxd

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

2. Adds the value:

"winMem" = "%System%\winMem.exe"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.

3. Adds the value:

"winMem" = "1"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

as an infection marker, so that only one instance of the worm runs on the compromised computer.

4. Adds the value:

"Zone Labs Client" = ""

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

to disable Zone Labs' security software.

5. Displays a dialog box with the following characteristics:

Title: Info
Message body: This program is expired.

6. Gathers email addresses from files with the following extensions and stores them in a file on the compromised computer:

* wab
* htm
* dhtm
* shtm
* txt
* php
* asp
* jsp

7. Uses its own SMTP engine to send itself to all email addresses it finds. The email has the following characteristics:

From:
One of the following:
%USERNAME%@yahoo.com
Sara@yahoo.com

Subject:
Hot Girls!

Message body:
Find Somebody To F*** In Your Area Tonight !
Don't stay home alone but join us and meet other singles !

to make contact
now, download file to load Galleries.

Attachment:
One of the following:
Girls.Scr
Girls.pif

8. Stops the following service:

SmcService

9. May perform a denial of service attack against the following Web sites:

* www1.idf.il
* www.haaretz.com
* www.haaretz.co.il


August 02 2006 Trojan.Emcodec.G

Trojan.Emcodec.G is a Trojan horse that drops and executes a copy of Trojan.Zlob. The Trojan masquerades as an installer for IntCodec 6.0.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Trojan.Emcodec.G is executed, it performs the following actions:

1. Drops the following file, which is a copy of Trojan.Zlob:

%Temp%\isecur.dll

Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

2. Adds the values:

"Path" = "%ProgramFiles%\IntCodec"
"Type" = "3"
"Removable" = "0"

to the registry subkey:

HKEY_CURRENT_USER\Software\Internet Security

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

3. Displays an EULA for the installation of IntCodec 6.0.


July 29 2006 W32.Dbit

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the virus is executed, it performs the following actions:

1. Creates the following files:

* %System%\msjet62.dll
* %UserProfile%\Local Settings\Temp\NEW[RANDOM NUMBER].tmp
* %CurrentFolder%[INFECTED HOST FILE]\i\i

Notes:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
* %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.

2. Creates one of the following registry subkeys to set itself up as a service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IrMon

The service is given the following display name, which is the display name of the legitimate WmdmPmSN service on Windows XP:

Display name: "Portable Media Serial Number Service"

3. Injects the dropped .dll file into running processes.

4. Opens a back door that allows the attacker to perform the following functions:

* Hide network traffic from the user
* Download files
* Upload files
* Execute files
* Delete files
* Search files
* Log keystrokes
* Capture screenshots
* Steal passwords
* Start proxy
* Check network connectivity
* Create Autorun.inf files
* Infect files

5. Sends system information to the remote attacker at the following address:

211.99.117.202:80

6. Attempts to block processes from running with any of the following names:

* ethereal.exe
* aports.exe
* tcpview
* windump.exe
* iris.exe
* CV.exe
* sniffer.exe
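
Three facts in the W32.Dbit write-up above can be checked directly on a live host: the service hides behind a name that belongs to Windows (WmdmPmSN or IrMon), the dropped msjet62.dll is injected into other processes, and the back door reports to 211.99.117.202:80. The script below is an added example, not part of the original alert and not vendor code; the service names, DLL name and address come from the write-up, the checks are generic. It assumes PowerShell 5.1 or later run elevated, and Windows 8 / Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example; not part of the original alert. Verifies the two Windows
# service names W32.Dbit squats on, looks for its injected DLL and for the
# reported C2 endpoint. PowerShell 5.1+, run as Administrator.

$SuspectServices = 'WmdmPmSN', 'IrMon'   # service names from the W32.Dbit write-up
$DroppedDll      = 'msjet62.dll'         # file name from the write-up
$C2Address       = '211.99.117.202'      # address and port from the write-up
$C2Port          = 80

function Get-ServiceBinaryInfo([string]$Name) {
    # The name alone says nothing: on a clean box the same name points at a
    # Microsoft-signed binary under System32. Check where this one really goes.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return [pscustomobject]@{ Service = $Name; Present = $false } }
    $svc = Get-ItemProperty -Path $key
    # svchost-hosted services keep the real code in Parameters\ServiceDll;
    # otherwise the executable in ImagePath is the code that runs.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $target = $dll
    } else {
        $target = [string]$svc.ImagePath -replace '^"([^"]+)".*', '$1'        # quoted path
        if ($target -eq [string]$svc.ImagePath) { $target = ($target -split '\s+')[0] }  # unquoted: strip args
    }
    $target = [Environment]::ExpandEnvironmentVariables($target)
    $sig = if ($target -and (Test-Path -LiteralPath $target)) { Get-AuthenticodeSignature -LiteralPath $target }
    [pscustomobject]@{
        Service     = $Name
        Present     = $true
        DisplayName = $svc.DisplayName
        Binary      = $target
        InSystem32  = $target -like "$env:SystemRoot\System32\*"
        Signature   = if ($sig) { $sig.Status.ToString() } else { 'MISSING' }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

function Find-InjectedModule([string]$ModuleName = $DroppedDll) {
    # W32.Dbit drops %System%\msjet62.dll and injects it into running processes.
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # protected / other-bitness processes
        if ($mods.ModuleName -contains $ModuleName) {
            [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Module = $ModuleName }
        }
    }
}

function Find-C2Connection {
    # Live TCP connections to the reported C2 address and port, with the owning process.
    Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ State = $_.State; Pid = $_.OwningProcess; Process = $proc.ProcessName }
        }
}

$SuspectServices | ForEach-Object { Get-ServiceBinaryInfo $_ } | Format-List
Find-InjectedModule | Format-Table -AutoSize
Find-C2Connection   | Format-Table -AutoSize
```

Because the back door can hide network traffic from the host's own tools and refuses to let ethereal.exe, windump.exe and the other listed tools run, copy your tools under different names before using them, and confirm any 211.99.117.202 traffic on a span port or in firewall logs rather than on the host itself.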


July 25 2006 Backdoor.Tervserv

Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Backdoor.Tervserv is a Trojan horse that opens a back door on the compromised computer by injecting itself into Internet Explorer. It allows a remote attacker to download files, start a command prompt, and perform other unauthorized actions.

Backdoor.Haxdoor.O
Also Known As: Backdoor.Haxdoor.I
Type: Trojan Horse

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Backdoor.Haxdoor.O is a Trojan horse program that opens a back door on the compromised computer and allows a remote attacker to have unauthorized access. It also logs keystrokes, steals passwords, and drops rootkits that run in safe mode.

This Trojan appears to have been spammed through email to multiple users in a .zip file attachment.


July 18 2006 Backdoor.Bifrose.F

Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
SUMMARY
Backdoor.Bifrose.F is a Trojan horse that opens a back door on the compromised computer.

Payload: Opens a back door on the compromised computer.

TECHNICAL DETAILS

When the Trojan runs, it performs the following actions:

Creates some of the following files:

%UserProfile%\LOCALS~1\systemlogin.exe
%UserProfile%\LOCALS~1\jiasvt.exe
%Windir%\explorer.scf

Note:
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
LOCALS~1 is the short (8.3) name of the Local Settings folder inside that profile.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Adds the following values:

"StartUpDate" = "[PATH TO TROJAN]"
"ShutdownWithoutLjiasvt.exe" = "[PATH TO TROJAN]"

to the following registry subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it executes whenever Windows starts.

Connects to some of the following remote servers:

movieonlinewatch.45z.com
climbing.2myip.com
203.132.205.114

using one of the following TCP ports:

443
1863
8080

Allows an attacker to send and execute shell commands through the back door.

Sends system information to the remote attacker.
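
The W32.Hocgaly.A@mm, Trojan.Emcodec.G and Backdoor.Bifrose.F write-ups above all persist or leave markers in the same handful of registry locations: Run keys (winMem, StartUpDate, ShutdownWithoutLjiasvt.exe), the blanked-out "Zone Labs Client" Run entry Hocgaly writes, Hocgaly's "winMem" infection marker, Emcodec's HKCU\Software\Internet Security key, and the SmcService Hocgaly stops. The script below audits those locations. It is an added example, not part of the original alerts and not vendor code; the value names and keys in its tables are taken from the write-ups, the checks are generic. It assumes PowerShell 5.1 or later, run elevated.

```powershell
# Added example; not part of the original alerts. Audits the registry locations
# named in the W32.Hocgaly.A@mm, Trojan.Emcodec.G and Backdoor.Bifrose.F
# write-ups. PowerShell 5.1+, run as Administrator.

$KnownBadRunValues = 'winMem', 'StartUpDate', 'ShutdownWithoutLjiasvt.exe'   # from the write-ups
$Markers = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'; ValueName = 'winMem'
       Why  = 'W32.Hocgaly.A@mm infection marker' }
)
$KnownBadKeys = @{ 'HKCU:\Software\Internet Security' = 'Trojan.Emcodec.G installer settings' }
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Get-ItemProperty adds these provider properties; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function New-RegFinding($Key, $Name, $Data, $Note) {
    [pscustomobject]@{ Key = $Key; Name = $Name; Data = $Data; Note = $Note }
}

function Get-RunKeyFindings {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -in $ProviderProps) { continue }
            $cmd  = [string]$props.$name
            $note = @()
            if ($KnownBadRunValues -contains $name) { $note += 'known-bad value name' }
            if ([string]::IsNullOrWhiteSpace($cmd)) {
                # An autostart entry with an empty command is exactly what Hocgaly
                # writes for "Zone Labs Client": nothing launches under that name.
                $note += 'EMPTY command (security product autostart neutralised?)'
            } else {
                $exe = $cmd -replace '^"([^"]+)".*', '$1'                  # quoted path
                if ($exe -eq $cmd) { $exe = ($cmd -split '\s+')[0] }       # unquoted: strip args
                $exe = [Environment]::ExpandEnvironmentVariables($exe)
                if (-not [IO.Path]::IsPathRooted($exe)) {                  # bare name: resolve via PATH
                    $resolved = Get-Command $exe -ErrorAction SilentlyContinue
                    if ($resolved) { $exe = $resolved.Source }
                }
                if (-not (Test-Path -LiteralPath $exe)) { $note += 'target missing' }
                elseif ((Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') { $note += 'not validly signed' }
                if ($exe -like "$env:SystemRoot\System32\*") { $note += 'runs from System32' }
            }
            New-RegFinding $key $name $cmd ($note -join '; ')
        }
    }
}

function Get-MarkerFindings {
    foreach ($m in $Markers) {
        $v = (Get-ItemProperty -Path $m.Path -Name $m.ValueName -ErrorAction SilentlyContinue).($m.ValueName)
        if ($null -ne $v) { New-RegFinding $m.Path $m.ValueName $v $m.Why }
    }
    foreach ($k in $KnownBadKeys.Keys) {
        if (Test-Path $k) { New-RegFinding $k '' '' $KnownBadKeys[$k] }
    }
}

function Get-StoppedSecurityService {
    # Hocgaly stops SmcService. Report it if it is installed but not running.
    Get-Service -Name SmcService -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } |
        ForEach-Object { New-RegFinding 'Services' $_.Name ([string]$_.Status) 'security service not running' }
}

@(Get-RunKeyFindings) + @(Get-MarkerFindings) + @(Get-StoppedSecurityService) |
    Format-Table -AutoSize -Wrap
```

Only the EMPTY-command and known-name findings are suspicious on their own; "runs from System32" and "not validly signed" are common for older third-party software and are there to narrow the list, not to convict. The Bifrose hosts and ports listed above are network indicators and are not covered by this script.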


What is malware?

Malware is software designed to infiltrate or damage a computer system without the owner's consent. The term is a blend of "malicious" and "software", and describes the intent of the creator rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Most Prevalent Global Malware
(from August 17 2006 to August 26 2006)

Trojan.Mdropper.O 08-25-2006
Trojan.Linkoptimizer 08-24-2006
Backdoor.Lassrv.B 08-24-2006
W32.Rungbu 08-23-2006
W32.Spybot.AKKC 08-22-2006
W32.Rahack.H 08-22-2006
Trojan.Bakloma 08-21-2006
W32.Stration.B@mm 08-20-2006
W32.Randex.GEL 08-18-2006
W32.Stration.A@mm 08-18-2006
Backdoor.Haxdoor.P 08-17-2006
W32.Toyep.A@mm 08-16-2006
Trojan.Mdropper.N 08-16-2006
Backdoor.Papi 08-16-2006
Trojan.Tarodrop 08-16-2006

Most Prevalent Global Malware
(from August 07 2006 to August 16 2006)

W97M.Kukudro.C 08-14-2006
Backdoor.Ranky.X 08-14-2006
W32.Wargbot 08-12-2006
Trojan.Resobon 08-11-2006
W64.Bounds 08-09-2006
W32.Bounds 08-09-2006
W32.Sality.U 08-08-2006
Bloodhound.Exploit.75 08-08-2006
W97M.Kukudro.B 08-08-2006
W32.Shufa@mm 08-07-2006

Most Prevalent Global Malware
(from August 03 2006 to August 06 2006)

W32.Munia!inf 08-05-2006
W32.Munia 08-05-2006
Infostealer.Presnet 08-04-2006
Infostealer.Bzup 08-04-2006
W32.Hocgaly.A@mm 08-03-2006

Most Prevalent Global Malware
(from July 29 to August 03 2006)

Trojan.Emcodec.G 08-02-2006
W32.Draggdor 08-01-2006
W32.Chamb 08-02-2006
Trojan.Emcodec.F 08-01-2006
Trojan.Agirvab!wininet 07-31-2006
Trojan.Agirvab 07-31-2006
Trojan.Firnavo 07-30-2006

Most Prevalent Global Malware
(from July 25 to July 29 2006)

W32.Dbit
Backdoor.Tricker
Trojan.PPDropper.D
Trojan.Acdropper.B
Backdoor.Mulim
Backdoor.Scarycrow
W32.Amirecivel.H@mm
Infostealer.Snifula
Downloader.Traus
W32.Darjen
Trojan.Agentdoc.C