Computer virus alert

By the time you receive the e-mail 'virus alert' it can be too late!
We stock the most efficient anti virus program which checks for updates hourly.

Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Free trial antivirus

Latest Virus Alert  

Most recent malware, computer viruses, worms, Trojan horses, spyware and adware.

Bloodhound.Exploit.192 - W32.Tufik.E!inf - W32.Tufik.E - Trojan.Cymdos - Trojan.Installscash - Bloodhound.Exploit.189 - Bloodhound.Exploit.190 - Infostealer.Fertippy - Packed.Generic.119 - Trojan.Virantix.C - W32.Mariofev.A - W32.Zapinit - JS.Faizal - W32.Wowinzi.A - VBS.Solow.F - W32.Madag.A - Downloader.Lozavita - W32.Bassyl!inf - W32.Zatyudi.A - Trojan.Garntet - Trojan.Qipian - Trojan.Asnoms!inf - W32.Mandaph - Infostealer.Gamler

Confused? What is a virus or trojan or malware? Click here for the definition.

Bloodhound.Exploit.192 May 24, 2008

Type: Trojan, Virus
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Bloodhound.Exploit.192 is a heuristic detection for files that exploit the Microsoft Word RTF Malformed String Handling Memory Corruption Remote Code Execution Vulnerability (BID 29104).

Files that are detected as Bloodhound.Exploit.192 may be malicious. Please read our recommendations.


W32.Zatyudi.A April 30, 2008

Type: Worm
Infection Length: 57,603 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the worm is executed, it creates the following files:

* C:\WINDOWS\system32\[8-DIGIT HEXADECIMAL NUMBER]\services.exe
* C:\WINDOWS\system32\[8-DIGIT HEXADECIMAL NUMBER]\services.dat
* C:\WINDOWS\winlogon.exe

It then creates the following registry entry, so that it starts when Windows starts:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"NTservices" = "C:\WINDOWS\system32\[8-DIGIT HEXADECIMAL NUMBER]\services.exe -update"

The worm also modifies the following registry entries, so that it starts when Windows starts:

* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\winlogon.exe"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "winlogon.exe -safemode"
* HKEY_USERS\.DEFAULT\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe C:\WINDOWS\winlogon.exe"
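The persistence entries above can be checked offline against a registry export. The following is an added example, not part of the original writeup: it parses .reg text and flags the three kinds of change the worm makes: a Winlogon Shell that is anything other than the bare Explorer.exe, a SafeBoot AlternateShell other than cmd.exe (both defaults are an assumption about Windows XP/2003-era systems), and Run entries that either point into an 8-hex-digit subfolder of system32 or launch a core process name such as winlogon.exe from outside system32. The sample export and the folder name 3fa9c1e2 are constructed.

```python
"""Registry persistence check for the W32.Zatyudi.A indicators.
Added example, not from the original writeup; the sample export below is
constructed and the default Shell/AlternateShell values are assumptions."""
import re

# One "name"="data" line of a .reg export (string values only).
REG_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# The worm's drop folder: an 8-hex-digit subfolder directly under system32.
HEX_SUBDIR = re.compile(r"\\system32\\[0-9a-f]{8}\\", re.IGNORECASE)
# Core process names the worm borrows; the legitimate copies live in system32.
SYSTEM_NAMES = {"services.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"
DEFAULT_SHELL = "explorer.exe"   # assumed default for Winlogon\Shell
DEFAULT_ALTSHELL = "cmd.exe"     # assumed default for SafeBoot\AlternateShell


def unescape(s):
    # Undo .reg escaping: doubled backslashes and escaped double quotes.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: data}} for the string values in a .reg export."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key is not None:
            m = REG_LINE.match(line)
            if m:
                entries[key][unescape(m["name"])] = unescape(m["data"])
    return entries


def image_path(command):
    """First token of a command line; honours a double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_persistence(entries):
    """Return (key, value_name, data, reason) for every suspicious entry."""
    findings = []
    for key, values in entries.items():
        tail = key.rsplit("\\", 1)[-1].lower()
        for name, data in values.items():
            lname, ldata = name.lower(), data.strip().lower()
            if tail == "winlogon" and lname == "shell" and ldata != DEFAULT_SHELL:
                findings.append((key, name, data, "Winlogon Shell is not the bare explorer.exe"))
            elif tail == "safeboot" and lname == "alternateshell" and ldata != DEFAULT_ALTSHELL:
                findings.append((key, name, data, "SafeBoot AlternateShell changed from cmd.exe"))
            elif tail == "run":
                exe = image_path(data)
                folder, _, base = exe.lower().rpartition("\\")
                if HEX_SUBDIR.search(exe):
                    findings.append((key, name, data, "Run entry points into an 8-hex-digit system32 subfolder"))
                elif base in SYSTEM_NAMES and folder != SYSTEM32:
                    findings.append((key, name, data, "system process name launched from outside system32"))
    return findings


# Constructed sample export: the worm's entries plus two benign ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NTservices"="C:\\WINDOWS\\system32\\3fa9c1e2\\services.exe -update"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\winlogon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="winlogon.exe -safemode"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in check_persistence(parse_reg(SAMPLE_REG)):
        print(f"{reason}\n  {key}\\{name} = {data}")
```

Against a live machine, feed it the output of "reg export" for the three keys; the tail-of-key matching means it does not care which hive (HKCU, HKU\.DEFAULT, HKLM) the Winlogon key came from.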

The worm may then harvest email addresses from files with the following extensions:

* .exe
* .scr
* .com
* .pif
* .cmd
* .wab
* .asp
* .dbx
* .eml
* .htm
* .html
* .jsp
* .msg
* .php
* .shtm
* .shtml
* .txt
* .xml
* .js
* .xml
* .aspx

It will ignore email addresses that contain the following strings:

* @microsoft
* rating@
* anti
* secur
* news
* update
* kasp
* admin
* icrosoft
* support
* ntivi
* unix
* bsd
* nux
* listserv
* certific
* sopho
* avas
* @foo
* @iana
* desk
* free-av
* @messagelab
* winzip
* google
* winrar
* samples
* abuse
* panda
* cafee
* spam
* pgp
* @avp.
* noreply
* local
* root@
* .org
* @sys
* premium
* titanium
* viruz
* virus
* support
* orman
* aladin
* groups
* anyone@
* bugs@
* contract@
* feste
* gold-certs@
* help@
* info@
* nobody@
* noone@
* @sun
* master
* project
* ternal
* fbi
* gmx
* crack
* hack
* code
* ware
* trojan
* clean
* spy
* movsd
* masm
* @pc
* source
* h4ck
* compu
* sales
* catch
* mantec
* defen
* viri
* kill
* cisco
* labs
* trust
* sweep
* winrar
* winzip
* submit
* l0pht
* phreak

The email addresses gathered may be stored in the following file:
C:\Recycled.[8-DIGIT HEXADECIMAL NUMBER]\yudizat.zat

The worm may copy itself to shared folders and removable drives using the following file names:

* Bank mini Games.exe
* Apache_server_831.exe
* Internet Explorer Vista.exe
* Nation Instinct.exe
* Crack Windows vista final release.exe
* Gorilaz complete album lyrics.exe
* Winamp Deluxe pro.exe
* Bank Mini Games complete 2007.exe
* Nero final version 8.exe
* PHP nuke hack 3.exe
* Guitar XP studio.exe
* war games.exe
* Splinter Cell.exe
* e-Gold auto hack v2.1.exe
* New yahoo messenger vista.exe
* Update windows media player 10.exe
* full complete codec pack.exe
* XP Update.exe
* Hawai Beach screen saver.exe
* Britney Screensaver (live).exe
* Defacer tool.exe
* Trojan removal
* eBay userID.exe
* full AVG update 2007 pack.exe
* eBay password.exe
* Yahoo! password.exe
* Soccer Manager 2007.exe
* DeepFreeze Pro full.exe
* Deep_freeze enterprise.exe
* Games Cheats DataBase.exe
* Californian Food v3.exe
* Complete password cracker tool.exe
* GameHouse Collection.exe

Note: These files may also be dropped in random locations.

The worm may also randomly create .zip files in various folders on the compromised computer with any of the following file names:

* Entertainment.zip
* don't touch this!.zip
* my briefcase.zip
* Photo Album Packed.zip
* Deep_freeze_pro8.zip
* Always in memory.rar
* Billing_13_professional.zip
* AVP_N_license.zip
* XP anti hacker.zip

The .zip files contain a copy of the worm with the file name SETUP.exe. It may then copy these .zip files to shared folders and removable drives.

The worm may attempt to connect to the following IP addresses to check network connectivity (using ping.exe) and then send a notification of infection:

* 69.73.169.9
* 216.177.77.9

It may then attempt to download one of the following images:

* [http://]www.imageshack.us/images_[REMOVED]
* [http://]www.ghostspell.com/freak[REMOVED]
* [http://]www.wilkipedia.com/logo[REMOVED]
* [http://]www.geocities.com/paleztinezgr/hack[REMOVED]
* [http://]www.globalframe.com/global_[REMOVED]
* [http://]www.vbstuff.com/yudizat/sour[REMOVED]
* [http://]www.geocities.com/huseindam1/hack[REMOVED]
* [http://]www.geocities.com/rinkdal3/hack[REMOVED]
* [http://]www.zone-h.com/defacer/view[REMOVED]
* [http://]yz_black.cjb.net/yz_black/blac[REMOVED]
* [http://]yz_red.cjb.net/yz_red/red[REMOVED]
* [http://]yz_green.cjb.net/yz_green/gree[REMOVED]
* [http://]yz_yellow.cjb.net/yz_yellow/yello[REMOVED]
* [http://]yz_white.cjb.net/yz_white/whit[REMOVED]
* [http://]yz_gray.cjb.net/yz_gray/gray[REMOVED]
* [http://]yz_violet.cjb.net/yz_violet/viole[REMOVED]
* [http://]yz_silver.cjb.net/yz_silver/silve[REMOVED]
* [http://]yz_hot.cjb.net/yz_hot/hot[REMOVED]
* [http://]yz_cool.cjb.net/yz_cool/cool[REMOVED]
* [http://]yz_freeze.cjb.net/yz_freeze/freez[REMOVED]
* [http://]yz_slow.cjb.net/yz_slow/slow[REMOVED]
* [http://]yz_fast.cjb.net/yz_fast/fast[REMOVED]
* [http://]yz_strong.cjb.net/yz_strong/stron[REMOVED]
* [http://]yz_happy.cjb.net/yz_happy/happ[REMOVED]
* [http://]yz_sad.cjb.net/yz_sad/sad[REMOVED]
* [http://]yz_cry.cjb.net/yz_cry/cry[REMOVED]

The worm then attempts to end all processes and services whose name, associated window, or description contains any of the following strings:

* SysMech
* PDFIND
* avtask
* mav
* process
* ccapp
* avgemc
* snaps
* rstrui
* syslove
* sstray
* thread
* mcvsescn
* poproxy
* xpshare
* systray
* ashmaisv
* aswupdsv
* nvc
* cclaw
* njeeves
* nipsvc
* update
* vptray
* opscan
* nopdb
* ccapp
* ctfmon
* zlh
* avgupsvc
* removal
* virus
* AGENTSVR
* ANTI
* MONITOR
* APLICA32
* APVXDWIN
* ATCON
* GUARD
* ATRO55EN
* WATCH
* AUTODOWN
* AUTOTRACE
* AUTOUPDATE
* AVCONSOL
* AVGSERV9
* AVLTMAIN
* AVPUPD
* AVSYNMGR
* AVWUPD32
* AVXQUAR
* AVprotect9x
* BD_PROFESSIONAL
* BIDEF
* BIDSERVER
* BIPCP
* BIPCPEVALSETUP
* BISP
* BLACKD
* BLACKICE
* BOOTWARN
* BORG2
* BS120
* CDP
* CFGWIZ
* CFIADMIN
* CFIAUDIT
* CFINET
* CFINET32
* CLEAN
* CLEAN32
* CLEANER
* CLEANER3
* CLEANPC
* CMGRDIAN
* CMON016
* CPD
* CPF9X206
* CWNB181
* CWNTDWMO
* config
* killbox
* hijackthis
* DEFWATCH
* DEPUTY
* DPF
* DPFSETUP
* DRWATSON
* DRWEBUPW
* ENT
* ESCANH95
* ESCANHNT
* ESCANV95
* EXANTIVIRUS-CNET
* FAST
* FIREWALL
* FLOWPROTECTOR
* FP-WIN_TRIAL
* FRW
* FSAV
* FSAV530STBYB
* GBMENU
* GBPOLL
* GUARD
* GUARDDOG
* HACKTRACERSETUP
* HTLOG
* HWPE
* IAMAPP
* IAMSERV
* ICLOAD95
* ICLOADNT
* ICMON
* ICMON32
* sysmech6
* sysmech5
* ICSSUPPNT
* ICSUPP95
* ICSUPPNT
* IFW2000
* IPARMOR
* IRIS
* JAMMER
* KAVLITE40ENG
* KAVPERS40ENG
* KERIO-PF-213-EN-WIN
* KERIO-WRL-421-EN-WIN
* KERIO-WRP-421-EN-WIN
* KILLPROCESSSETUP161
* LDPRO
* LOCALNET
* LOCKDOWN
* LOCKDOWN2000
* LSETUP
* LUALL
* LUCOMSERVER
* LUINIT
* MCAGENT
* MCUPDATE
* MFW2EN
* MFWENG3.02D30
* MGUI
* MINILOG
* MOOLIVE
* MRFLUX
* CONFIG32
* MSINFO32
* MSSMMC32
* MU0311AD
* NAV80TRY
* NAVAPW32
* NAVDX
* NAVSTUB
* NAVW32
* NC2000
* NCINST4
* admin
* NDD32
* NEOMONITOR
* NETARMOR
* NETINFO
* NETMON
* NETSCANPRO
* HUNTER
* NISSERV
* NMAIN
* NORTON
* NPF
* NPROTECT
* NSCHED32
* NTVDM
* NUPGRADE
* NVARCH16
* NWINST4
* NWTOOL16
* NavShExt.dll
* OSTRONET
* OUTPOST
* OUTPOST
* PADMIN
* PANIXK
* PAVPROXY
* PCC2002S902
* PCC2K_76_1436
* PCCIOMON
* PCDSETUP
* PCFWALLICON
* PCIP10117_0
* PDSETUP
* PERISCOPE
* PERSFW
* PF2
* PFWADMIN
* PINGSCAN
* PLATIN
* PROTECTX
* PSPF
* QCONSOLE
* QSERVER
* RESCUE
* watch
* watcher
* RRGUARD
* RSHELL
* RULAUNCH
* SAFEWEB
* SAVSCAN
* SBSERV
* SETUPVAMEEVAL
* SETUP_FLOWPROTECTOR_US
* SFC
* SGSSFW32
* SHELLSPYINSTALL
* SYSEDIT
* SymWSC
* TAUMON
* TAUSCAN
* TRACERT
* TRJSCAN
* TRJSETUP
* TROJANTRAP
* UNDOBOOT
* VBCMSERV
* VBCONS
* VBUST
* VIRUSMDPERSONALFIREWALL
* W32DSM
* WEBSCANX
* WHOSWATCHINGME
* WINRECON
* WNT
* WRADMIN
* WRCTRL
* WSBGATE
* WYVERNWORKSFIREWALL
* XPF202EN
* ZONEALARM
* ccApp
* ccEvtMgr
* navapsvc
* norman
* workstation
* autoupdate
* avast
* internals
* ContactKeeper129
* antivir
* avg
* aawsepersonal
* avgwb.dat
* ultraedit
* hiew
* memhack
* systemhack
* finder
* engine
* cracker
* cheat
* anti
* hacker
* killer
* machine
* fix
* fixer
* ner
* er44
* er40
* er10
* er5
* spy
* Dump
* fusion
* virus
* system
* f10
* er10
* jack
* rip
* guard
* diskmon
* regmon
* monitor
* debug
* MEMGUTT
* nmap
* rminstall
* ator
* secure
* security
* center
* control
* panda
* sophos
* prot
* protex
* protect
* regmonnt
* ware
* view
* viewer
* washer
* admin
* administrator
* secret
* show
* stealth
* hide
* awake
* visible
* dump
* api
* crc
* procexp
* hex
* workshop
* ver
* licode
* codeli
* hacking
* mfwenu3.02r
* vsc601ai
* vs0602AU
* upswplug
* rescue
* RShelln
* shield
* stealth
* scrubber
* LUSETUP
* scan
* NavDX
* NU2002
* Pavjobs
* PAVSRV50
* Pavw
* Repairnt
* zapSetup3026
* anty
* Pavsched
* Pavclshe
* pavcl.msg
* pavcl
* Inicio
* Iface
* Avengine
* Apvxdwin
* upgrader
* TRJSETUP
* wgsetup
* WINPROXY
* maker
* crack
* hack
* procviewer
* lyze
* yzer
* yzing
* pest
* patrol
* viruz
* virii
* viren
* stop
* attack
* defend
* stoper
* stoped
* exploit
* monitoring
* scan
* sav
* rav
* lav
* known
* pav
* kav
* yav
* tav
* nav
* hidden
* hidding
* die
* admin
* netcat
* nmap
* softice
* softice32
* tools
* xav
* abuse
* abuser
* tactic
* weapon
* rock
* strike
* special
* ddos
* flicker
* sniff
* access
* proc
* proce
* memory
* frog
* trap
* catch
* frogging
* grabber
* graber
* grabbing
* kick
* kicker
* stole
* aware
* freeze
* freezing
* struct
* death
* Avast
* ashBug
* ashDisp
* ashChest
* ashLogV
* ashMaiSv
* ashPopWz
* ashQuick
* ashSimpl
* ashSkPcc
* ashSkPck
* aswBoot
* aswUpdSv
* sched
* ccsetmgr
* pavprsrv
* navsetup
* lrsetup
* lucoms~1
* nprotect
* cfgwiz
* symlcsvc
* luall
* navapsvc
* navw32
* wisptis
* inocit
* stopper
* realmon
* monxp
* avconsol
* alogserv
* webscanx
* mcshield
* vshwin32
* vsstat
* avsynmgr
* netstat
* ipconfig
* nmap
* wmiprvse
* toolz
* hacker
* cracker
* snipper
* avengine
* pavprsrv
* pavsrv51
* apvxdwin
* LordPE

Recommendations

We encourage all users and administrators to adhere to the following basic security "best practices":

* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromise of your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
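The attachment rule above, taken together with the note in the W32.Zatyudi.A writeup that the worm also travels as SETUP.exe inside .zip files, is easy to get wrong at the edges: double extensions, trailing spaces or dots in the file name, and executables nested inside archives. The following is an added example, not code from the original page: a gateway-side screening function that blocks the page's extensions (plus .cmd and .com, an assumption), normalises names the way Windows does before judging them, and opens zip attachments (nested up to two deep) to look for blocked members. All sample attachments are constructed in memory.

```python
"""Mail-gateway attachment screening.  Added example, not from the original
page; every sample attachment is constructed here, and the extra
extensions .cmd/.com and the size/depth limits are assumptions."""
import io
import zipfile

BLOCKED = {"vbs", "bat", "exe", "pif", "scr", "cmd", "com"}  # page's list + .cmd/.com
ARCHIVES = {"zip"}
MAX_DEPTH = 2           # how many nested archives to open
MAX_MEMBER = 50 << 20   # do not inflate members above 50 MiB (zip-bomb guard)


def normalise(name):
    """Final path component, lower-cased, with the trailing dots and spaces
    that Windows silently drops removed ('setup.EXE ' -> 'setup.exe')."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.lower().rstrip(". ")


def extension(name):
    n = normalise(name)
    return n.rsplit(".", 1)[-1] if "." in n else ""


def is_blocked_name(name):
    """Judge by the last extension: 'invoice.pdf.exe' is what Windows runs."""
    return extension(name) in BLOCKED


def blocked_members(zip_bytes, depth=0):
    """Paths of blocked files inside an archive, descending into nested zips.
    Raises zipfile.BadZipFile if an archive cannot be read."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_blocked_name(info.filename):
                found.append(info.filename)
            elif (extension(info.filename) in ARCHIVES and depth < MAX_DEPTH
                  and info.file_size <= MAX_MEMBER):
                inner = blocked_members(zf.read(info.filename), depth + 1)
                found.extend(f"{info.filename}/{m}" for m in inner)
    return found


def screen_attachment(name, data):
    """Return ('block' | 'allow', [reasons]) for one attachment."""
    if is_blocked_name(name):
        return "block", [f"blocked extension .{extension(name)}"]
    if extension(name) in ARCHIVES:
        try:
            inner = blocked_members(data)
        except zipfile.BadZipFile:
            # An archive the gateway cannot open is not an archive it can clear.
            return "block", ["archive unreadable; hold for manual review"]
        if inner:
            return "block", [f"archive contains {m}" for m in inner]
    return "allow", []


def build_zip(members):
    """Constructed test helper: an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments; Deep_freeze_pro8.zip/SETUP.exe mirrors the writeup.
SAMPLES = {
    "report.pdf": b"%PDF-1.4 constructed",
    "invoice.pdf.exe": b"MZ constructed",
    "setup.EXE ": b"MZ constructed",
    "Deep_freeze_pro8.zip": build_zip({"SETUP.exe": b"MZ constructed"}),
    "photos.zip": build_zip({"holiday/img1.jpg": b"\xff\xd8",
                             "inner.zip": build_zip({"run.scr": b"MZ"})}),
    "notes.zip": build_zip({"readme.txt": b"plain text"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reasons = screen_attachment(name, data)
        print(f"{verdict:5} {name!r} {'; '.join(reasons)}")
```

Blocking on the outer extension alone would pass Deep_freeze_pro8.zip straight through; the archive walk is what catches the SETUP.exe the writeup describes, and the depth and member-size limits keep a hostile archive from turning the scanner itself into the problem.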


What is a virus or trojan or malware?

Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a combination of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.

Most Prevalent Global Malware
(from December 2007 to February 2008)

Bloodhound.Exploit.174 - W32.Agnido.A@mm - W32.Mdmbot - Bloodhound.Exploit.172 - Bloodhound.Exploit.175 - Trojan.Ozdok - W32.Botou - Trojan.Pidief.C - Trojan.Gtaskup - W32.Mumawow.Y!inf - W32.Barten@mm - W32.Mumawow.Y - Trojan.Daymay - Bloodhound.Exploit.171 - SymbOS.Hatihati.A - Trojan.Selex - Trojan.Arposon - W32.Joydotto - W32.Yalove.F - W32.Tufik.B - W32.Tufik.B!inf - Bloodhound.Bancos.1 - W32.Korron.A - W32.Uporesc - SymbOS.Beselo.A - SymbOS.Beselo.B - Trojan.Waytostr - Bloodhound.Exploit.170 - W32.Degnax@mm - W32.Dranyam - W32.Gudek

Most Prevalent Global Malware
(from October 2007 to December 2007)

Bloodhound.Exploit.167 - W32.Pagipef.I - W32.Drowor.B - W32.Pagipef.I!inf - W32.Drowor.B!inf - W32.Likasimal - Trojan.Voterai - Trojan.Quimkids - W32.Heular - W32.Baki.C - Trojan.Quimkit - Backdoor.Pharvest!inf - Backdoor.Pharvest - W32.HLLP.Arcer - W32.Dawin - W32.Shangxing.A - O97M.Dropper - W32.Tvido.A - Trojan.Astry - Backdoor.Bandock.A - W32.Motsys - W32.Mabezat.A - VBS.Invadesys.A - W32.Imaut.BH - Bloodhound.Exploit.166 - W32.Baki.A - Trojan.Pidief.B - W32.Linkfars - VBS.Runauto.E - W32.Proyo

Most Prevalent Global Malware
(from September 2007 to October 2007)

Trojan.Randsom.B - W32.Scrimge.G - W32.Lashplay - W32.Scrimge!gen - Trojan.Lazdropper - W32.Hauxi - Infostealer.Monstres - W32.Scrimge.E - W32.Drowor.A!inf - Trojan.Bankpatch!inf - Bloodhound.Exploit.152 - Bloodhound.Exploit.159 - Trojan.Bankpatch - W32.Drowor.A - Backdoor.Ginwui.F - W32.Mimbot.A - Bloodhound.Exploit.148 - W32.Versie.A - W32.Scrimge.A - W97M.Necro.A - Trojan.Tarodrop.D - W32.Vispat.B@mm - W32.Romariory@mm - W32.Imaut.AS - W32.Kibtos - W32.Falsu.E - Trojan.Peacomm.B!inf - Trojan.Virantix - W32.Deletemusic - Trojan.Farfli - W32.Imcontactspam@mm - W32.Whybo.U - Linux.Backdoor.Rexob - Infostealer.Winotim - W32.Imautorun - W32.Bratsters - Trojan.Firpage

Most Prevalent Global Malware
(from 20 July 2007 to 18 August 2007)

Trojan.Randsom.B - W32.Scrimge.G - W32.Lashplay - W32.Scrimge!gen - Trojan.Lazdropper - W32.Hauxi - Infostealer.Monstres - W32.Scrimge.E - W32.Drowor.A!inf - Trojan.Bankpatch!inf - Bloodhound.Exploit.152 - Bloodhound.Exploit.159 - Trojan.Bankpatch - W32.Drowor.A - Backdoor.Ginwui.F - W32.Mimbot.A - Bloodhound.Exploit.148 - W32.Versie.A - W32.Scrimge.A - W97M.Necro.A - Trojan.Tarodrop.D - W32.Vispat.B@mm - W32.Romariory@mm - W32.Imaut.AS - W32.Kibtos - W32.Falsu.E - Trojan.Peacomm.B!inf - Trojan.Virantix - W32.Deletemusic - Trojan.Farfli - W32.Imcontactspam@mm - W32.Whybo.U - Linux.Backdoor.Rexob - Infostealer.Winotim - W32.Imautorun - W32.Bratsters - Trojan.Firpage

Most Prevalent Global Malware
(from June 2007 to July 2007)

W32.Phoney.A - W97M.Mupps - Bloodhound.Exploit.158 - Trojan.Gpcoder.E - W32.Himu.A@mm - Trojan.Retvorp - W32.Atnas.A - W32.Fubalca.N!html - W32.Fubalca.N - W32.Tisandr.A@mm - VBS.Pusia - Trojan.Maliframe!html - Bloodhound.Exploit.155 - Bloodhound.Exploit.157 - Bloodhound.Exploit.156 - W32.Vispat.A@mm - Trojan.Botvoice - Trojan.Duganss!inf - W32.Cassel - W32.Netsky.BG@mm - W32.Piffle - W32.Weakling - W32.Hairy.A - W32.Tupofse.B!inf - W32.Tupofse.B - Trojan.Riler.G - W32.Daxijesh - Trojan.Trickanclick - W32.Svich - W32.Espoleo - W32.Espoleo!inf - W32.Pifio - W32.Gexin.A - Backdoor.Fonamebot - W32.Amca - WHS.Vred - W32.Nujama.B - W32.Stration!dldr - W32.Schting.A - XF.Helpopy - W32.Chiko - W32.Ogleon.A - Trojan.Flogash - W32.Vediance - Trojan.Lhdropper - W32.Fubalca.I!html - W32.Fubalca.I

Most Prevalent Global Malware
(from May 2007 to June 2007)

W32.Tupofse - W32.Dizan.D - W32.Mubla - Trojan.Tooso.S - VBS.Nokrupt - W32.Alnuh - TIOS.Divo - W32.Mumawow!gen - Trojan.Smallprox - Backdoor.Robofo - Trojan.Packed.NsAnti - W32.Dotex - TIOS.Tigraa - W32.Quadrule.A - W32.Ganbate.A - Trojan.Spoofive!html - W32.Nomvar - Trojan.Mpkit!html - Infostealer.Banker.D - Bloodhound.Packed.29 - W32.Sachy.A - W32.Lecivio - JS.Badbunny - Perl.Badbunny - Ruby.Badbunny - W32.Sibaru.A - SymbOS.Viver.A - Trojan.Perfcoo - IRC.Badbunny - SB.Badbunny!inf - Python.Badbunny - SB.Badbunny - W32.Drom - VBS.Lido - W32.Autosky - VBS.Lido!html - W32.Danber - W32.Rahiwi.B - W32.Amend.A@mm - W32.Posse - W32.Naplik!inf - W32.Naplik - W32.Condown.A - W32.Uisgon.A - W32.Fubalca.E - Trojan.Usbsteal - W32.Mumawow.D!inf - W32.Mumawow.D - W32.Neela - Trojan.Haradong.C - W32.Popwin - Backdoor.Graybird!gen - W32.Kenety - W32.Stration.IZ@mm - W32.Pitin.C - W32.Odelud - Infostealer.Snifula.C - Hacktool.Sipbot - Bloodhound.Exploit.147 - Bloodhound.Exploit.146 - Bloodhound.Exploit.141 - W32.Tupse - W32.Lobekad!inf - Backdoor.Coreflood.C - Trojan.Zlob.N - Bloodhound.Exploit.139 - Bloodhound.Exploit.140 - Bloodhound.Exploit.142 - Bloodhound.Exploit.143 - Bloodhound.Exploit.144 - Bloodhound.Exploit.145
