Virus alerts for Sep 2006
Computer virus alert
By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient antivirus program, which checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus

The most recent malware (computer viruses, worms, Trojan horses, spyware and adware):

Bloodhound.Exploit.77 - Bloodhound.Exploit.76 - W32.Looked.AH - Infostealer.Uprungam.B - Trojan.Bankem.B - W32.Stration.AC@mm - Infostealer.Uprungam - W32.Kiner - W32.Woredbot.C - Trojan.Hiween


September 26 2006 Bloodhound.Exploit.77

Also Known As: WORM_STRATION.BB [Trend], W32/Stration-X [Sophos], Warezov.U [F-Secure], Warezov.W [F-Secure]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Stration.AC@mm is a mass-mailing worm that gathers email addresses from the compromised computer.

When W32.Stration.AC@mm is executed, it performs the following actions:

1. Creates the following files:

* %Windir%\tsrv.exe
* %Windir%\tsrv.dll
* %Windir%\tsrv.s
* %Windir%\tsrv.wax
* %System%\cmut449c14b7.dll
* %System%\hpzl449c14b7.exe
* %System%\msji449c14b7.dll

Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

2. Opens Notepad and displays random characters in a text file the first time it is executed.

3. Adds the value:

"AppInit_DLLs" = "msji449c14b7.dll daniwshb.dll msv1nv4_.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

4. Adds the value:

"tsrv"="%Windir%\tsrv.exe s"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the threat starts when Windows starts.

5. Gathers email addresses by scanning files with the following extensions:

* .adb
* .asp
* .cfg
* .cgi
* .dbx
* .dhtm
* .eml
* .htm
* .html
* .jsp
* .mbx
* .mdx
* .mht
* .mmf
* .msg
* .nch
* .ods
* .oft
* .php
* .pl
* .sht
* .shtm
* .stm
* .tbb
* .txt
* .uin
* .wab
* .wsh
* .xls
* .xml

6. Saves the emails it finds into the %Windir%\tsrv.wax file.

7. Uploads gathered email addresses to [http://]yuhadefunjinsa.com/cgi-bin/p[REMOVED]

8. Sends itself to the email addresses it gathers. The email has the following characteristics:

From:
The from address will have one of a series of predetermined names, followed by 4 random characters. For example:

* Moore2005@mail.com
* Susan1952@yahoo.com
* Greenpxjzx@fastmail.fm
* Jennifer_ukawo@mail.com

Subject:
One of the following:

* Good Day
* Server Report
* hello
* picture
* Status
* test
* Error
* Mail Delivery System
* Mail Transaction Failed

Message:
One of the following:

* The message contains Unicode characters and has been sent as a binary attachment.
* Mail transaction failed. Partial message is available.
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment

Attachment:
One of the following:

* body
* data
* doc
* docs
* document
* file
* message
* readme
* test
* text
* Update-KB[RANDOM NUMBER]-x86

followed by one of the following extensions:

* .log
* .elm
* .msg
* .txt
* .dat

followed by blank spaces and then one of the following extensions:

* .bat
* .cmd
* .scr
* .exe
* .pif

9. Connects to the following URL and downloads the file, lt.exe:

[http://]yuhadefunjinsa.com/chr/grw[REMOVED]

10. Attempts to save the downloaded file to %Windir%\tsrv.z.

11. Attempts to download a file from the following URL as %System%\acac.exe:

[http://]yuhadefunjinsa.com/chr/grw/s.e[REMOVED]

Note: At the time of writing, this URL was unavailable.

12. Appends lines to the hosts file that redirect Microsoft download and Windows Update sites and the Kaspersky, Symantec and ESET update sites to 127.0.0.1, so that Windows Update and antivirus signature updates fail.

13. Creates the following files:

* C:\WINDOWS\system32\acac.dll
* C:\WINDOWS\system32\daniwshb.dll
* C:\WINDOWS\system32\dsoukbda.exe
* C:\WINDOWS\system32\msv1nv4_.dll
* C:\WINDOWS\system32\msvfjspr.dll

14. Adds the values:

"DllName" = "C:\WINDOWS\system32\acac.dll"
"Startup" = "WlxStartupEvent"
"Shutdown" = "WlxShutdownEvent"
"Impersonate" = "0"
"Asynchronous" = "0"
"Image" = "C:\INF\lt.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac

15. Creates the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wuapx9tt

16. May disable certain security related applications.
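As an added example (not part of the original alert), the following Python script audits a hosts file for the kind of tampering step 12 describes: entries that point Windows Update, Microsoft download and antivirus vendor sites at a loopback or black-hole address. The vendor suffix list and the sample hosts content are constructed for the example; the worm's URL-like entries, which a resolver never matches but which are still a clear sign of infection, are reported as malformed.

```python
import ipaddress
import re
from typing import Dict, List

# Domains a worm like W32.Stration.AC@mm sinkholes: Windows Update, Microsoft
# downloads and antivirus vendors' update sites. Extend for the vendors you run.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com",
    "kaspersky.com", "kaspersky-labs.com", "kaspersky.ru", "avp.ru",
    "viruslist.com", "viruslist.ru", "symantec.com", "symantecliveupdate.com",
    "eset.com",
)
# Addresses that black-hole a lookup; 127.0.0.1 is what the writeup shows.
SINKHOLE_NETS = tuple(ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128"))
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

# Constructed hosts file for the example, modelled on step 12 above (not a
# capture from a real infection). Line numbers are referenced in the output.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
10.1.2.3        intranet.example.local
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 http://liveupdate.symantec.com
0.0.0.0 u3.eset.com/
127.0.0.1 www.example.com   # sinkholed, but not a watched vendor
"""


def _is_sinkhole(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in SINKHOLE_NETS)


def _watched(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Dict]:
    """Return one finding per hosts entry that maps a watched domain to a sinkhole address."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments
        parts = line.split()
        if len(parts) < 2 or not _is_sinkhole(parts[0]):
            continue
        for entry in parts[1:]:
            # The worm also writes URL-like tokens (scheme, path). The resolver
            # never matches those, but they are still a clear sign of tampering,
            # so strip scheme and path to recover the host and flag the entry.
            host = re.sub(r"^\[?[A-Za-z]+://\]?", "", entry).split("/", 1)[0]
            if _watched(host):
                findings.append({"line": lineno, "address": parts[0], "entry": entry,
                                 "host": host.lower(),
                                 "malformed": HOSTNAME_RE.match(entry) is None})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = " (malformed entry)" if f["malformed"] else ""
        print(f"line {f['line']}: {f['address']} -> {f['host']}{flag}")
```

On a Windows machine under review, feed it the contents of %System%\drivers\etc\hosts; any finding means updates for that vendor are being silently blocked.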

September 07 2006 W32.Areses.Q@mm

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Areses.Q@mm is a mass-mailing worm that opens a back door on the compromised computer and may download files.

When W32.Areses.Q@mm is executed, it performs the following actions:

1. Copies itself as the following file:

%Windir%\csrss.exe

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

2. Adds the value:

"Debugger" = "%Windir%\csrss.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

so that it runs every time Windows starts.

3. Adds the value:

"Application" = "[VARIABLE DWORD VALUE]"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices

so that it runs every time Windows starts.

4. Attempts to create a mutex named Numen#Syscall@ and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.

5. Attempts to inject its code into the svchost.exe and services.exe processes.

6. Checks for the presence of the 127.0.0.1 string in the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interface\[INTERFACE CLSID]\"NameServer"

7. Stops the mass-mailing routine if the above value is found.

8. Creates the file %Temp%\Message.hta (a copy of W32.Areses.Q!vbs).

Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

9. Gathers email addresses from files with the following extensions:

* .adb
* .asp
* .cfg
* .cgi
* .mra
* .dbx
* .dhtm
* .eml
* .htm
* .html
* .jsp
* .mbx
* .mdx
* .mht
* .mmf
* .msg
* .nch
* .ods
* .oft
* .php
* .pl
* .sht
* .shtm
* .stm
* .tbb
* .txt
* .uin
* .wab
* .wsh
* .xls
* .xml
* .dhtml

10. Avoids email addresses that contain any of the following strings:

* @example.
* 2003
* 2004
* 2005
* 2006
* @microsoft
* rating@
* f-secur
* news
* update
* .qmail
* .gif
* anyone@
* bugs@
* contract@
* feste
* gold-certs@
* help@
* info@
* nobody@
* noone@
* 0000
* Mailer-Daemon@
* @subscribe
* kasp
* admin
* icrosoft
* support
* ntivi
* unix
* bsd
* linux
* listserv
* certific
* torvalds@
* sopho
* @foo
* @iana
* free-av
* @messagelab
* winzip
* google
* winrar
* samples
* spm111@
* ..
* -0
* .00
* @.
* ---
* abuse
* panda
* cafee
* spam
* pgp
* @avp.
* noreply
* local
* root@
* postmaster@
* .0
* .1
* .2
* .3
* .4
* .5
* .6
* .7
* .8
* .9

11. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: Spoofed

Subject:
One of the following:

* Hi, what's up?
* He, where are you?
* Hi, drop me a line!!!
* Hi! Please write to me urgently!
* Hi! I'm waiting you online today!
* Will you be online today?
* When you're gonna answer me?
* Re: write to me!
* Re: Call me!
* Re: Where are you?
* Re: When you're gonna answer me?
* Hi!!! How's the mood?
* Re: How's the mood?
* Re: Where have you been?

Message:
One of the following:

* Hi!!!!! You haven't been writing for a long time. I began to worry) Where have you been? You remember, you've asked a progy from me? I've finally found it, so here it is. Check it out if this is what you've been looking for... bye

* Hi, what's up? Will you show up online today?
Drop me a line in ICQ, ok? Btw, I'm sending you the docs you've been looking for, find them attached. Check them out, ok?

* Hi!
I'm coming to you tomorrow, ok? When you are going to be home?
You remember, you've asked some docs. Please find them attached. Check and see what's inside. That's it. Bye, till tomorrow...

* Hi!
You disappeared again. If you come online, drop me a line, ok?
Btw, I sent you those docs that you've been looking for. Check them out. Bye!

* Hi, give me a call just when you got the message! I'm tired of waiting. Btw, I'm sending that program that you've been looking for. Check it out. Appears to be that one. Bye!

* Hi, what's up? If you have time tomorrow, please come over. After midday. By the way, don't forget to check the enclosed documents. Bye. See you tomorrow.

* Hi, I got a free day tomorrow, and I'm waiting for you. Please come after midday. By the way, I'm sending you the documents that you've been asking for. Read them out... Bye!

* Hi, how are you? What are your plans today? If you have time, please come over, and don't forget to check the program attached. Bye!

* Hi, what's you gonna do today? I'll come over tonight! By the way, don't give anyone this funny program I'm sending. Check it out. Bye!

* Hi, I found that program you asked for. Find it attached. Bye.

* Hi, I saw you around today, but you didn't noticed me ( If you're gonna be at home, give a call, ok? By the way, check this file I'm sending. A very interesting program...

* What's up! You haven't been writing for a long time
I got news. I've finally that program you needed
I'm sending it out. Use it. Bye!

* Hi, drop me a line today, ok? And see the program I'm sending. Bye!

* Hi, drop me a line if you can. Btw, I have a new ICQ. Please don't forget to check the attached documents. Bye.

* Hi! How are you? Drop me a line if you can. I found your documents and I'm emailing them to you. Bye.

Attachment:
One of the following with a .hta extension:

* Message
* File
* Document
* README
* Passwords
* Readme
* Important
* New
* COOL
* Archive
* Fotos
* private
* confidential
* secret
* images
* your_documents
* backup

12. Attempts to contact the following remote site and may download a file:

[http://]xeseretuo.com/m2/g[REMOVED]

13. May open a back door on a random TCP port.

14. May search for folders that contain the following strings:

* bear
* donkey
* download
* ftp
* htdocs
* http
* icq
* kazaa
* lime
* morpheus
* mule
* shar
* source
* upload
* pub

15. If the above folders are found, it attempts to copy itself as one of the following files with a .exe, .pif or .scr extension:

* 1
* 1001 Sex and more.rtf
* 3D Studio Max 6 3dsmax
* ACDSee 10 full
* Adobe Photoshop 10 full
* Adobe Premiere 10
* Ahead Nero 8
* Altkins Diet.doc
* American Idol.doc
* Arnold Schwarzenegger.jpg
* Best Matrix Screensaver new
* Britney sex xxx.jpg
* Britney Spears and Eminem porn.jpg
* Britney Spears blowjob.jpg
* Britney Spears cumshot.jpg
* Britney Spears fuck.jpg
* Britney Spears full album.mp3
* Britney Spears porn.jpg
* Britney Spears Sexy archive.doc
* Britney Spears Song text archive.doc
* Britney Spears.jpg
* Britney Spears.mp3
* Clone DVD 6
* Cloning.doc
* Cracks & Warez Archiv
* Dark Angels new
* Dictionary English 2004 - France.doc
* DivX 8.0 final
* Doom 3 release 2
* E-Book Archive2.rtf
* Eminem blowjob.jpg
* Eminem full album.mp3
* Eminem Poster.jpg
* Eminem sex xxx.jpg
* Eminem Sexy archive.doc
* Eminem Spears porn.jpg
* Eminem.mp3
* Full album all.mp3
* Gimp 1.8 Full with Key
* Harry Potter 1-6 book.txt
* Harry Potter 5.mpg
* Harry Potter all e.book.doc
* Harry Potter e book.doc
* Harry Potter game
* Harry Potter.doc
* Harry Potter and the Sorcerer's Stone game
* How to hack new.doc
* Internet Explorer 9 setup
* Kazaa Lite 4.0 new
* Kazaa new
* Keygen 4 all new
* Learn Programming 2004.doc
* Lightwave 9 Update
* Magix Video Deluxe 5 beta
* Matrix 3 .mpg
* Microsoft Office 2003 Crack best
* Microsoft WinXP Crack full
* MS Service Pack 6
* source code
* Norton Antivirus 2005 beta
* Opera 11 free
* Partitionsmagic 10 beta
* Porno Screensaver britney
* RFC compilation.doc
* Ringtones.doc
* Nostradamus.doc
* World Trade Center last video.mpeg
* anthrax.doc
* Osama Bin Laden.jpg
* Taliban
* Osama bin Laden.mpg
* Yellow Pages
* Ringtones.mp3
* Saddam Hussein.jpg
* Screensaver2
* Serials edition.txt
* Smashing the stack full.rtf
* Star Office 9
* Teen Porn 15.jpg
* The Sims 4 beta
* Ulead Keygen 2004
* Visual Studio Net Crack all
* Vista review.doc
* WinAmp 13 full with sources
* Windows Vista Sourcecode.doc
* Windows 2003 crack
* Windows XP crack
* WinXP eBook newest.doc
* XXX hardcore pics.jpg
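As an added example, not code from the original writeups, this Python script parses a .reg export and reports the autostart locations that the W32.Stration.AC@mm and W32.Areses.Q@mm entries above rely on: AppInit_DLLs, the Run key, Winlogon\Notify packages and an Image File Execution Options Debugger. The .reg excerpt is constructed from the values quoted in the writeups plus one benign Run entry; on a machine under review, export the real keys with reg export and feed that file in instead.

```python
import re
from typing import Dict, List, Tuple

# .reg export constructed for this example (not from a real system): the
# Stration and Areses persistence values from the writeups plus a benign Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="msji449c14b7.dll daniwshb.dll msv1nv4_.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsrv"="C:\\WINDOWS\\tsrv.exe s"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac]
"DllName"="C:\\WINDOWS\\system32\\acac.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"
'''
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
WIN_NT = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
APPINIT_KEY = WIN_NT + r"\windows"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NOTIFY_PREFIX = WIN_NT + "\\winlogon\\notify\\"
IFEO_PREFIX = WIN_NT + "\\image file execution options\\"

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")   # .reg string escapes

def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name (lowercased): data}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if len(data) >= 2 and data[0] == data[-1] == '"':
                value: object = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data                   # hex(...) blobs are left as written
            keys[current][_unescape(m.group("name")).lower()] = value
    return keys

def audit_persistence(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (mechanism, subject, target) for each autostart location the writeups use."""
    findings = []
    for key, values in keys.items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if k == APPINIT_KEY:
            # Loaded into every process that links user32.dll; rarely legitimate on a workstation.
            for dll in str(values.get("appinit_dlls", "")).split():
                findings.append(("AppInit_DLLs", leaf, dll))
        elif k == RUN_KEY:
            # Noisy: legitimate software lives here too, so each command needs triage.
            for name, cmd in values.items():
                findings.append(("Run", name, str(cmd)))
        elif k.startswith(NOTIFY_PREFIX) and "dllname" in values:
            findings.append(("Winlogon Notify", leaf, str(values["dllname"])))
        elif k.startswith(IFEO_PREFIX) and "debugger" in values:
            # The "debugger" is launched in place of the named program (here the shell).
            findings.append(("IFEO Debugger", leaf, str(values["debugger"])))
    return findings
```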

August 26 2006 Trojan.Linkoptimizer

Type: Trojan Horse
Infection Length: Varies.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Trojan.Linkoptimizer is a detection for a family of Trojan horse programs that use rootkit and stealthing techniques to hide their presence. The Trojan may download and display pop-up advertisements.

It has been reported that Trojan.Linkoptimizer may be installed by visiting the Web site [http://]gromozon.com.

The Trojan installs itself on the compromised computer by exploiting certain vulnerabilities in Internet Explorer and Mozilla Firefox, including:

* The Microsoft Internet Explorer Modal Dialog Zone Bypass Vulnerability (as described in Microsoft Security Bulletin MS04-025)
* The Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (as described in Microsoft Security Bulletin MS03-011).
* The Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-006).
* The Microsoft Windows Media Player Plugin Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-001).
* The Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (as described in Microsoft Security Bulletin MS06-013).

When the Trojan is being installed, the browser may show a prompt asking the user to save a file named www.google.com.

The browser may also ask for confirmation to install the file FreeAccess.ocx.

Once executed, Trojan.Linkoptimizer performs the following actions:

1. Creates the following files:

* %Temp%\[RANDOM NAME]1.exe
* %Windir%\[RANDOM NAME]1.dll

Note:
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
* %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

2. Downloads files from the following hard-coded IP addresses:

* [http://]81.227.219.29/1/pic[REMOVED]
* [http://]166.65.130.116/1/pic[REMOVED]
* [http://]120.19.148.181/1/pic[REMOVED]
* [http://]195.225.177.145/1/pic[REMOVED]

3. Tries to resolve the following domain name:

shiptrop.com

4. Registers the dropped DLL as a Browser Helper Object by creating the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[RANDOM CLASSID]
HKEY_CLASSES_ROOT\CLSID\[RANDOM CLASSID]

5. Adds the value:

"AppInit_DLLs" = "[TROJAN .DLL FILE]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

6. Downloads and installs additional components, which include the rootkit component.

7. Creates the following files:

* %System%\[RANDOM NAME]aa.dll
* %System%\[RESERVED DOS NAME].[RANDOM EXT]

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

8. May store the above files inside the following Alternate Data Streams (ADS):

* %System%:[RANDOM NAME]aa.dll
* %System%:[RESERVED DOS NAME].[RANDOM EXT]

Note: [RESERVED DOS NAME] can be one of the following reserved DOS device names:

* com1
* com2
* com3
* com4
* tty
* prn
* nul
* lpt1

9. Uses rootkit techniques to hide its files and registry subkeys.

10. Adds a new administrator account on the compromised computer using a random user name.

11. May lower the privileges of the currently logged-on user in order to disable some security-related software.

12. Creates the following encrypted files associated with the new administrator account and stores them using the Windows Encrypting File System (EFS):

* %ProgramFiles%\Common Files\System\[RANDOM LETTERS].exe
* %ProgramFiles%\Common Files\System\[RANDOM LETTERS].exe

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

13. Creates a registry subkey and a system service associated with the new administrator account:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]

14. Attempts to download the following file:

%ProgramFiles%\LinkOptimizer\linkoptimizer.dll

15. Displays advertisements.

What is malware?

Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a combination of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Most Prevalent Global Malware
(from September 07 2006 to September 16)

Bloodhound.Exploit.77 09-15-2006
Bloodhound.Exploit.76 09-15-2006
W32.Looked.AH 09-14-2006
Infostealer.Uprungam.B 09-13-2006
Trojan.Bankem.B 09-12-2006
W32.Stration.AC@mm 09-10-2006
Infostealer.Uprungam 09-10-2006
W32.Kiner 09-08-2006
W32.Woredbot.C 09-07-2006
Trojan.Hiween 09-07-2006

Most Prevalent Global Malware
(from August 27 2006 to September 07 2006)

Trojan.Wesber 09-06-2006
Downloader.Dowdec.B 09-06-2006
W32.Areses.Q@mm 09-05-2006
W32.Areses.Q!vbs 09-05-2006
Trojan.Schoeberl.D 09-05-2006
Downloader.Dowdec 09-02-2006
Trojan.Mdropper.Q 09-01-2006
W32.Bacalid!inf 09-01-2006
W32.Mobler.A 09-01-2006
W32.Bacalid 09-01-2006
W97M.Blackurs 08-31-2006
W32.Bustoy 08-31-2006
Trojan.MDropper.P 08-30-2006
W32.Stration!gen 08-30-2006
W32.Dasher.G 08-30-2006
W32.Stration.D@mm 08-29-2006
Trojan.Schoeberl.C 08-29-2006
Trojan.Agentdoc.D 08-29-2006
W32.Spybot.AKNO 08-28-2006
W32.Womble.A@mm 08-28-2006
W32.Woredbot 08-28-2006
Trojan.Flush.H 08-28-2006
W32.Stration.C@mm 08-27-2006

Most Prevalent Global Malware
(from August 17 2006 to August 26 2006)

Trojan.Mdropper.O 08-25-2006
Trojan.Linkoptimizer 08-24-2006
Backdoor.Lassrv.B 08-24-2006
W32.Rungbu 08-23-2006
W32.Spybot.AKKC 08-22-2006
W32.Rahack.H 08-22-2006
Trojan.Bakloma 08-21-2006
W32.Stration.B@mm 08-20-2006
W32.Randex.GEL 08-18-2006
W32.Stration.A@mm 08-18-2006
Backdoor.Haxdoor.P 08-17-2006
W32.Toyep.A@mm 08-16-2006
Trojan.Mdropper.N 08-16-2006
Backdoor.Papi 08-16-2006
Trojan.Tarodrop 08-16-2006