Virus alerts for July 2006
Computer virus alert
By the time you receive an e-mail 'virus alert' it can already be too late.
We stock an antivirus program that checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Most recent malware, computer viruses, worms, Trojan horses, spyware and adware.

W32.Dbit ; Backdoor.Tricker ; Trojan.PPDropper.D ; Trojan.Acdropper.B
Backdoor.Mulim ; Backdoor.Scarycrow ; W32.Amirecivel.H@mm
Infostealer.Snifula ; Downloader.Traus ; W32.Darjen ; Trojan.Agentdoc.C

What is malware? See the definition at the end of this page.

July 29 2006 W32.Dbit

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the virus is executed, it performs the following actions:

1. Drops files, including a .dll (see step 3).

2. Creates one of the following registry subkeys to set itself up as a service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IrMon

The service takes the display name of the legitimate Windows service whose key name it reuses (for WmdmPmSN, "Portable Media Serial Number Service"; IrMon is the Infrared Monitor service). The key and display name are therefore not indicators on their own: compare the entry's ImagePath and ServiceDll with those on a known-good machine of the same build.

3. Injects the dropped .dll file into running processes.

4. Opens a back door that allows the attacker to perform the following functions:

* Hide network traffic from the user
* Download files
* Upload files
* Execute files
* Delete files
* Search files
* Log keystrokes
* Capture screenshots
* Steal passwords
* Start proxy
* Check network connectivity
* Create Autorun.inf files
* Infect files

5. Sends system information to the remote attacker at the following address:

211.99.117.202:80

6. Attempts to block processes with any of the following names from running. These are packet sniffers and port monitors (Ethereal, WinDump, TCPView, Active Ports and similar), so a network analysis tool that silently fails to start on a host is itself worth investigating:

* ethereal.exe
* aports.exe
* tcpview
* windump.exe
* iris.exe
* CV.exe
* sniffer.exe

July 25 2006 Backdoor.Tervserv

Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Backdoor.Tervserv is a Trojan horse that opens a back door on the compromised computer by injecting itself into Internet Explorer. It allows a remote attacker to download files, start a command prompt, and other unauthorised actions.

Backdoor.Haxdoor.O
Also Known As: Backdoor.Haxdoor.I
Type: Trojan Horse

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Backdoor.Haxdoor.O is a Trojan horse program that opens a back door on the compromised computer and allows a remote attacker to have unauthorized access. It also logs keystrokes, steals passwords, and drops rootkits that run in safe mode.

This Trojan appears to have been spammed through email to multiple users in a .zip file attachment.

July 18 2006 Backdoor.Bifrose.F

Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
SUMMARY
Backdoor.Bifrose.F is a Trojan horse that opens a back door on the compromised computer.

Payload: Opens a back door on the compromised computer.

TECHNICAL DETAILS

When the Trojan runs, it performs the following actions:

Creates some of the following files:

%UserProfile%\LOCALS~1\systemlogin.exe
%UserProfile%\LOCALS~1\jiasvt.exe
%Windir%\explorer.scf

Note:
%UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP); LOCALS~1 is the 8.3 short name of its Local Settings subfolder.
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Adds the following values:

"StartUpDate" = "[PATH TO TROJAN]"
"ShutdownWithoutLjiasvt.exe" = "[PATH TO TROJAN]"

to the following registry subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it executes whenever Windows starts.

Connects to some of the following remote servers:

movieonlinewatch.45z.com
climbing.2myip.com
203.132.205.114

using one of the following TCP ports:

443
1863
8080

Allows an attacker to send and execute shell commands through the back door.

Sends system information to the remote attacker.
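
Both of the alerts above give network indicators (W32.Dbit's check-in to 211.99.117.202:80, and Backdoor.Bifrose.F's servers and ports), and the practical use of them is a sweep of firewall or proxy logs. The script below is an added example, not code from the original page or from any antivirus vendor: it parses a constructed key=value log format (replace parse_fields() with one that matches your own logs) and reports which lines touch the indicators. Hostnames are matched on any port because they can be repointed at new addresses; the bare Bifrose IP is only reported on the ports the alert lists.

```python
"""Sweep connection logs for the network indicators in the W32.Dbit and
Backdoor.Bifrose.F alerts above. Added example, not from the page or any
vendor tool; the key=value log format and the sample lines are constructed,
so adapt parse_fields() to whatever your firewall or proxy actually writes."""
import re
from dataclasses import dataclass

# Indicators from the alerts: Dbit reports to 211.99.117.202 on TCP/80;
# Bifrose.F reaches its servers on TCP 443, 1863 or 8080.
DBIT_C2 = {("211.99.117.202", 80)}
BIFROSE_HOSTS = {"movieonlinewatch.45z.com", "climbing.2myip.com"}
BIFROSE_IPS = {"203.132.205.114"}
BIFROSE_PORTS = {443, 1863, 8080}

_FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    indicator: str


def parse_fields(line):
    """key=value pairs from one log line (empty dict for comments or garbage)."""
    return dict(_FIELD.findall(line))


def classify(fields):
    """Return (family, indicator) if the destination matches an alert, else None."""
    dst = fields.get("dst", "")
    host = fields.get("host", "").lower().rstrip(".")
    try:
        dport = int(fields.get("dport", 0))
    except ValueError:
        return None
    if (dst, dport) in DBIT_C2:
        return "W32.Dbit", f"{dst}:{dport}"
    # A hostname can be repointed at a new address, so a hostname hit counts on
    # any port; a bare IP hit is only reported on the ports the alert lists.
    if host in BIFROSE_HOSTS:
        return "Backdoor.Bifrose.F", host
    if dst in BIFROSE_IPS and dport in BIFROSE_PORTS:
        return "Backdoor.Bifrose.F", f"{dst}:{dport}"
    return None


def sweep(lines):
    """Run classify() over every line and collect the hits in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(parse_fields(line))
        if verdict:
            hits.append(Hit(n, *verdict))
    return hits


# Constructed sample (documentation-range addresses for the benign traffic):
# lines 1, 3 and 5 should match; 2, 4 and 6 should not.
SAMPLE_LOG = [
    "2006-07-20T09:01:12Z src=10.1.4.22 dst=211.99.117.202 dport=80 proto=tcp host=-",
    "2006-07-20T09:01:15Z src=10.1.4.22 dst=192.0.2.10 dport=80 proto=tcp host=www.example.com",
    "2006-07-20T09:02:40Z src=10.1.4.31 dst=203.132.205.114 dport=1863 proto=tcp host=-",
    "2006-07-20T09:02:41Z src=10.1.4.31 dst=203.132.205.114 dport=25 proto=tcp host=-",
    "2006-07-20T09:03:02Z src=10.1.4.31 dst=198.51.100.7 dport=8080 proto=tcp host=climbing.2myip.com",
    "# comment lines carry no fields and are ignored",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.family} via {hit.indicator}")
```

Line 4 is deliberately a connection to the Bifrose address on a port the alert does not list; whether you want that reported too depends on how much you trust the alert's port list versus your tolerance for false positives on a possibly shared host.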

July 12 2006 Backdoor.Sdbot.AU

Backdoor.Sdbot.AU is a back door that allows a remote attacker to control the compromised computer and perform various malicious actions. It also drops a kernel rootkit, lowers or disables security settings, and spreads via network shares.

Type: Worm
Infection Length: 1201664 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Backdoor.Sdbot.AU is first executed, it performs the following actions:

Copies itself to the following location:

%Windir%\juchecd.exe

Note:

%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Deletes the original file.

Registers itself as a system service. The service is set to be started automatically when Windows starts up.

Creates the following registry subkey after service registration:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Java Platform 10.1

Adds the following registry values:

"AutoShareWks" = "0"
"AutoShareServer" = "0"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

to stop the administrative shares (C$, ADMIN$ and so on) from being recreated. Only the lanmanserver copy has any effect: the Server service does not read the lanmanworkstation key.

Modifies the following registry entry:

"EnableDCOM" = "N"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

to disable the Distributed Component Object Model (DCOM) protocol.

Modifies the following registry entries:

"AntiVirusDisableNotify" = "1"
"UpdatesDisableNotify" = "1"
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

to lower Windows security settings.

Modifies the following registry entry:

"EnableFirewall" = "0"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

to disable the Windows firewall in both profiles.

Modifies the following registry entry:

"DoNotAllowXPSP2" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

to block Windows XP SP2 delivery.

Modifies the following registry entry:

"Restrictanonymous" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

to restrict access over anonymous connections.

Modifies the following registry entry:

"WaitToKillServiceTimeout" = "7000"

in the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

to decrease waiting time before killing services when Windows is shut down.

Modifies the following registry entry:

"Start" = "4"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr

to disable the Security Center, Messenger, Remote Registry and Telnet services (a Start value of 4 marks a service as disabled).

Protects the back door with Themida, a commercial executable protector (packer), which hinders analysis and signature-based detection.

Drops and installs the protector's system driver in the following location:

%System%\Drivers\oreans32.sys

Registers the driver, creating the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\oreans32

Opens a back door on the compromised computer which runs in the background and allows an attacker to perform several malicious actions, including the following:

Opening ports
Connecting to remote IRC servers
Starting denial of service attacks

Spreads by copying itself to shared folders.
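
The three alerts above (W32.Dbit, Backdoor.Bifrose.F and Backdoor.Sdbot.AU) describe their infections almost entirely in registry artefacts, so an offline check of an exported hive is a natural triage step. The script below is an added example, not code from the original page or from any vendor product: it parses a REG 5.00 text export (as produced by reg export on the suspect host) and flags the Dbit service keys, the Bifrose Run values and the settings Sdbot.AU changes. The sample export is constructed, and the expectation that a clean build keeps the WmdmPmSN and IrMon ServiceDll under System32 is an assumption to verify against a known-good host.

```python
"""Triage an exported registry hive (REG 5.00 text) for artefacts named in the
July 2006 alerts above (W32.Dbit, Backdoor.Bifrose.F, Backdoor.Sdbot.AU). Added
example, not from the page or any vendor; sample export constructed; assumes
`reg export` output (read real files with encoding "utf-16")."""
import re

HKLM = "hkey_local_machine\\"
SVC = HKLM + "system\\currentcontrolset\\services\\"
HKCU_RUN = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run"

# (key, value name, value meaning tampering, description): settings Sdbot.AU flips.
SDBOT_SETTINGS = (
    [(HKLM + "software\\microsoft\\security center", n, 1, f"Security Center {n}=1")
     for n in ("AntiVirusDisableNotify", "UpdatesDisableNotify",
               "FirewallOverride", "FirewallDisableNotify")]
    + [(HKLM + "software\\policies\\microsoft\\windowsfirewall\\" + p, "EnableFirewall",
        0, f"Windows Firewall disabled by policy ({p})")
       for p in ("DomainProfile", "StandardProfile")]
    + [(HKLM + "software\\policies\\microsoft\\windows\\windowsupdate", "DoNotAllowXPSP2",
        1, "DoNotAllowXPSP2=1 (SP2 delivery blocked)"),
       (HKLM + "software\\microsoft\\ole", "EnableDCOM", "N", "DCOM disabled")]
    + [(SVC + "lanmanserver\\parameters", n, 0, f"{n}=0 (admin shares removed)")
       for n in ("AutoShareWks", "AutoShareServer")]
    + [(SVC + s, "Start", 4, f"{s} service disabled (Start=4)")
       for s in ("wscsvc", "Messenger", "RemoteRegistry", "TlntSvr")]
)


def parse_reg(text):
    """{key_path_lower: {value_name_lower: value}}; string, dword and hex(2) decoded."""
    logical = []
    for raw in text.splitlines():              # join backslash-continued lines
        line = raw.strip()
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line
        else:
            logical.append(line)
    keys, cur = {}, None
    for line in logical:
        if not line or line[0] == ";" or line.startswith("Windows Registry"):
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = line[1:-1].lower()
            keys.setdefault(cur, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if not m or cur is None:
            continue
        name, data = (m.group(1) or "").lower(), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            val = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.startswith("dword:"):
            val = int(data[6:], 16)
        elif data.startswith("hex(2):"):       # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            val = raw.decode("utf-16-le").rstrip("\x00")
        else:
            val = data                         # other types kept as exported
        keys[cur][name] = val
    return keys


def check(keys):
    """Return a list of (family, finding) tuples for the artefacts present."""
    def get(key, name):
        return keys.get(key.lower(), {}).get(name.lower())
    found = []
    # W32.Dbit squats on legitimate service names; a clean build keeps their
    # ServiceDll under System32 (assumption: confirm on a known-good host).
    for svc in ("WmdmPmSN", "IrMon"):
        dll = get(SVC + svc + "\\parameters", "ServiceDll")
        if dll and "\\system32\\" not in dll.lower():
            found.append(("W32.Dbit", f"{svc} ServiceDll outside System32: {dll}"))
    # Backdoor.Bifrose.F persistence values under the user's Run key.
    for name, val in keys.get(HKCU_RUN, {}).items():
        if name in ("startupdate", "shutdownwithoutljiasvt.exe") or "locals~1" in str(val).lower():
            found.append(("Backdoor.Bifrose.F", f"Run value {name} = {val}"))
    # Backdoor.Sdbot.AU: its own service keys, then the protections it switches off.
    for svc in ("Java Platform 10.1", "oreans32"):
        if SVC + svc.lower() in keys:
            found.append(("Backdoor.Sdbot.AU", f"service key present: {svc}"))
    for key, name, bad, desc in SDBOT_SETTINGS:
        if get(key, name) == bad:
            found.append(("Backdoor.Sdbot.AU", desc))
    return found


# Constructed sample export: one Dbit, one Bifrose and two Sdbot artefacts.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,74,00,6d,00,70,00,5c,00,73,00,76,00,63,\
  00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartUpDate"="C:\\Documents and Settings\\bob\\LOCALS~1\\systemlogin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
"""
```

Run check(parse_reg(open(path, encoding="utf-16").read())) against a real export. Several of the Sdbot.AU changes (Start = 4 on Messenger or Remote Registry, EnableDCOM = N, AutoShare* = 0) are also legitimate hardening choices on managed hosts, so treat those as corroborating evidence beside the service keys and the Run values rather than as proof on their own.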

July 05 2006 Trojan.Mdropper.K

Trojan.Mdropper.K is a Trojan horse that exploits the Microsoft Word Unspecified Remote Code Execution Vulnerability (BID 18037, CVE-2006-2492, fixed by MS06-027 in June 2006) to drop and start Backdoor.Pcclient.B on the compromised computer.

Type: Trojan Horse

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

The Trojan may arrive as a Microsoft Word file attachment to a spoofed email with the following name:
sample.doc

When the malicious Microsoft Word document is opened, the Trojan exploits Microsoft Word Unspecified Remote Code Execution Vulnerability (BID: 18037) and performs the following actions:

Drops and executes the following files:

%System%\.exe
%Temp%\sample.doc - a nonmalicious document
%Temp%\winword.exe - Backdoor.Pcclient.B (MCID 8260); this is the dropped back door, not Microsoft Word's own winword.exe, which lives under Program Files

Opens the Microsoft Word file to make it appear that it is a legitimate document.

Drops the following files:

%System%\drivers\[RANDOM LETTERS].sys - Backdoor.Pcclient.B (MCID 8260)
%System%\[RANDOM LETTERS].dll - Backdoor.Pcclient.B (MCID 8260)
%System%\[RANDOM LETTERS].drv - Backdoor.Pcclient.B (MCID 8260)

Starts Backdoor.Pcclient.B (MCID 8260).

What is malware?

Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a combination of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Most Prevalent Global Malware
(from June 25 to June 29 2006)

W32.Dbit
Backdoor.Tricker
Trojan.PPDropper.D
Trojan.Acdropper.B
Backdoor.Mulim
Backdoor.Scarycrow
W32.Amirecivel.H@mm
Infostealer.Snifula
Downloader.Traus
W32.Darjen
Trojan.Agentdoc.C

Most Prevalent Global Malware
(from June 17 to June 24 2006)

Backdoor.Tervserv
Backdoor.Haxdoor.O
Fer.Kruel
VBS.Asplux
Backdoor.Glupzy
JS.StartPage.B
Trojan.Schoeberl.B
Trojan.Mdropper.L
Trojan.Gobrena.B
Trojan.Clagger.B
ACTS.Spaceflash
W32.Stong.A
Trojan.Riler.F
Trojan.PPDropper.C

Most Prevalent Global Malware
(from June 10 to June 16 2006)

VBS.Birhip July 10, 2006
SymbOS.Mabir.B July 8, 2006
W32.Jalabed.B@mm July 7, 2006
SymbOS.Doomboot.X July 7, 2006
SymbOS.Commdropper.H July 7, 2006
W32.Banwarum.G@mm July 6, 2006
W32.Yawmo July 6, 2006
Trojan.Nakani July 6, 2006
SymbOS.Cabir.X (Cabir.AF [F-Secure]) July 6, 2006
SymbOS.Ruhag.E July 6, 2006
SymbOS.Ruhag.D July 5, 2006
Infostealer.Svcstor July 5, 2006
Backdoor.Rustock.B July 5, 2006
Trojan.Lodeight.C July 5, 2006
Trojan.Hongmosa July 4, 2006
W32.Esbot.E (W32/Cuebot-K [Sophos]) July 4, 2006
SymbOS.Doomboot.W July 4, 2006
SymbOS.Doomboot.V (Doomboot.B [F-Secure]) July 4, 2006
W32.Audio July 4, 2006
W32.Sixem.C@mm July 2, 2006
W32.Amirecivel.F@mm July 2, 2006
W32.Gatt July 2, 2006