Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Most recent malware, computer viruses, worms, Trojan horses, spyware and adware.
Backdoor.Wualess
Bloodhound.Exploit.92
Bloodhound.Exploit.91
Bloodhound.Exploit.89
Trojan.Radropper
Backdoor.Haxdoor.R
Bloodhound.Exploit.87
Bloodhound.Exploit.86
Bloodhound.Exploit.85
Bloodhound.Exploit.84
W32.Beagle.FN@mm
Trojan.Linkmediac
W32.Imaut.C
W32.Imaut.B
Bloodhound.Exploit.82
W32.Imaut.A
W32.Looked.AO
Trojan.Ruspy!doc
Trojan.Ruspy
Infostealer.Blurax.B
Infostealer.Wowcraft.E
Backdoor.Haxdoor.Q
Infostealer.Blurax
W32.Stration!dam
Backdoor.Wualess October 12, 2006
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Once Backdoor.Wualess is executed, it performs the following actions:
1. Creates the following file:
%System%\wuauclt.dll
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"Start" = "2"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
if the wuauserv service is not present.
3. Adds the value:
"ServiceDll" = "%System%\wuauclt.dll"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
if the wuauserv service is not present.
4. Modifies registry entries in the above subkeys, if the service is present.
5. Creates the mutex "New20060922", so only one instance of the back door is running.
6. Connects to an IRC Server running on tcp port 5202 on the domain NameLess.3322.org using the following channel:
#NL-VNC
7. Opens a back door on the compromised computer allowing a remote attacker to perform some of the following actions:
* Download and execute a file
* Gather some basic system information
* Test speed of connection
* Update the back door
* Flush the DNS cache
* Access files on the compromised computer
September 26 2006 Bloodhound.Exploit.77
Also Known As: WORM_STRATION.BB [Trend], W32/Stration-X [Sophos], Warezov.U [F-Secure], Warezov.W [F-Secure]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Stration.AC@mm is a mass-mailing worm that gathers email addresses from the compromised computer.
When W32.Stration.AC@mm is executed, it performs the following actions:
1. Creates the following files:
* %Windir%\tsrv.exe
* %Windir%\tsrv.dll
* %Windir%\tsrv.s
* %Windir%\tsrv.wax
* %System%\cmut449c14b7.dll
* %System%\hpzl449c14b7.exe
* %System%\msji449c14b7.dll
Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Opens notepad and displays random characters in a text file when it is first executed.
3. Adds the value:
"AppInit_DLLs" = "msji449c14b7.dll daniwshb.dll msv1nv4_.dll"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
4. Adds the value:
"tsrv"="%Windir%\tsrv.exe s"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the threat starts when Windows starts.
5. Gathers email addresses by scanning files with the following extensions:
* .adb
* .asp
* .cfg
* .cgi
* .dbx
* .dhtm
* .eml
* .htm
* .html
* .jsp
* .mbx
* .mdx
* .mht
* .mmf
* .msg
* .nch
* .ods
* .oft
* .php
* .pl
* .sht
* .shtm
* .stm
* .tbb
* .txt
* .uin
* .wab
* .wsh
* .xls
* .xml
6. Saves the emails it finds into the %Windir%\tsrv.wax file.
7. Uploads gathered email addresses to [http://]yuhadefunjinsa.com/cgi-bin/p[REMOVED]
8. Sends itself to the email addresses it gathers. The email has the following characteristics:
From:
The from address will have one of a series of predetermined names, followed by 4 random characters. For example:
* Moore2005@mail.com
* Susan1952@yahoo.com
* Greenpxjzx@fastmail.fm
* Jennifer_ukawo@mail.com
Subject:
One of the following:
* Good Day
* Server Report
* hello
* picture
* Status
* test
* Error
* Mail Delivery System
* Mail Transaction Failed
Message:
One of the following:
* The message contains Unicode characters and has been sent as a binary attachment.
* Mail transaction failed. Partial message is available.
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
Attachment:
One of the following:
* body
* data
* doc
* docs
* document
* file
* message
* readme
* test
* text
* Update-KB[RANDOM NUMBER]-x86
followed by one of the following extensions:
* .log
* .elm
* .msg
* .txt
* .dat
followed by blank spaces and then one of the following extensions:
* .bat
* .cmd
* .scr
* .exe
* .pif
9. Connects to the following URL and downloads the file, lt.exe:
[http://]yuhadefunjinsa.com/chr/grw[REMOVED]
10. Attempts to save the downloaded file to %Windir%\tsrv.z.
11. Attempts to download a file from the following URL as %System%\acac.exe:
[http://]yuhadefunjinsa.com/chr/grw/s.e[REMOVED]
Note: At the time of writing, this URL was unavailable.
12. Appends the following lines to the hosts file:
127.0.0.1 download.microsoft.com
127.0.0.1 go.microsoft.com
127.0.0.1 msdn.microsoft.com
127.0.0.1 office.microsoft.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 [http://]www.microsoft.com/downloads/Search.aspx?displaylang=en
127.0.0.1 avp.ru
127.0.0.1 www.avp.ru
127.0.0.1 [http://]avp.ru
127.0.0.1 [http://]www.avp.ru
127.0.0.1 kaspersky.ru
127.0.0.1 www.kaspersky.ru
127.0.0.1 [http://]kaspersky.ru
127.0.0.1 kaspersky.com
127.0.0.1 www.kaspersky.com
127.0.0.1 [http://]kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 [http://]kaspersky-labs.com
127.0.0.1 avp.ru/download/
127.0.0.1 www.avp.ru/download/
127.0.0.1 [http://]www.avp.ru/download/
127.0.0.1 [http://]www.kaspersky.ru/updates/
127.0.0.1 [http://]www.kaspersky-labs.com/updates/
127.0.0.1 [http://]kaspersky.ru/updates/
127.0.0.1 [http://]kaspersky-labs.com/updates/
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads5.kaspersky-labs.com
127.0.0.1 [http://]downloads1.kaspersky-labs.com
127.0.0.1 [http://]downloads2.kaspersky-labs.com
127.0.0.1 [http://]downloads3.kaspersky-labs.com
127.0.0.1 [http://]downloads4.kaspersky-labs.com
127.0.0.1 [http://]downloads5.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com/products/
127.0.0.1 downloads2.kaspersky-labs.com/products/
127.0.0.1 downloads3.kaspersky-labs.com/products/
127.0.0.1 downloads4.kaspersky-labs.com/products/
127.0.0.1 downloads5.kaspersky-labs.com/products/
127.0.0.1 [http://]downloads1.kaspersky-labs.com/products/
127.0.0.1 [http://]downloads2.kaspersky-labs.com/products/
127.0.0.1 [http://]downloads3.kaspersky-labs.com/products/
127.0.0.1 [http://]downloads4.kaspersky-labs.com/products/
127.0.0.1 [http://]downloads5.kaspersky-labs.com/products/
127.0.0.1 downloads1.kaspersky-labs.com/updates/
127.0.0.1 downloads2.kaspersky-labs.com/updates/
127.0.0.1 downloads3.kaspersky-labs.com/updates/
127.0.0.1 downloads4.kaspersky-labs.com/updates/
127.0.0.1 downloads5.kaspersky-labs.com/updates/
127.0.0.1 [http://]downloads1.kaspersky-labs.com/updates/
127.0.0.1 [http://]downloads2.kaspersky-labs.com/updates/
127.0.0.1 [http://]downloads3.kaspersky-labs.com/updates/
127.0.0.1 [http://]downloads4.kaspersky-labs.com/updates/
127.0.0.1 [http://]downloads5.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]downloads1.kaspersky-labs.com
127.0.0.1 [ftp://]downloads2.kaspersky-labs.com
127.0.0.1 [ftp://]downloads3.kaspersky-labs.com
127.0.0.1 [ftp://]downloads4.kaspersky-labs.com
127.0.0.1 [ftp://]downloads5.kaspersky-labs.com
127.0.0.1 [ftp://]downloads1.kaspersky-labs.com/products/
127.0.0.1 [ftp://]downloads2.kaspersky-labs.com/products/
127.0.0.1 [ftp://]downloads3.kaspersky-labs.com/products/
127.0.0.1 [ftp://]downloads4.kaspersky-labs.com/products/
127.0.0.1 [ftp://]downloads5.kaspersky-labs.com/products/
127.0.0.1 [ftp://]downloads1.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]downloads2.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]downloads3.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]downloads4.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]downloads5.kaspersky-labs.com/updates/
127.0.0.1 [http://]updates.kaspersky-labs.com/updates/
127.0.0.1 [http://]updates1.kaspersky-labs.com/updates/
127.0.0.1 [http://]updates2.kaspersky-labs.com/updates/
127.0.0.1 [http://]updates3.kaspersky-labs.com/updates/
127.0.0.1 [http://]updates4.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]updates.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]updates1.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]updates2.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]updates3.kaspersky-labs.com/updates/
127.0.0.1 [ftp://]updates4.kaspersky-labs.com/updates/
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 [http://]viruslist.com
127.0.0.1 viruslist.ru
127.0.0.1 www.viruslist.ru
127.0.0.1 [http://]viruslist.ru
127.0.0.1 [ftp://]ftp.kasperskylab.ru/updates/
127.0.0.1 symantec.com
127.0.0.1 www.symantec.com
127.0.0.1 [http://]symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 [http://]customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 [http://]liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 [http://]liveupdate.symantecliveupdate.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 [http://]securityresponse.symantec.com
127.0.0.1 service1.symantec.com
127.0.0.1 [http://]service1.symantec.com
127.0.0.1 symantec.com/updates
127.0.0.1 [http://]symantec.com/updates
127.0.0.1 updates.symantec.com
127.0.0.1 [http://]updates.symantec.com
127.0.0.1 eset.com/
127.0.0.1 www.eset.com/
127.0.0.1 [http://]www.eset.com/
127.0.0.1 eset.com/products/index.php
127.0.0.1 www.eset.com/products/index.php
127.0.0.1 [http://]www.eset.com/products/index.php
127.0.0.1 eset.com/download/index.php
127.0.0.1 www.eset.com/download/index.php
127.0.0.1 [http://]www.eset.com/download/index.php
127.0.0.1 eset.com/joomla/
127.0.0.1 www.eset.com/joomla/
127.0.0.1 [http://]www.eset.com/joomla/
127.0.0.1 u3.eset.com/
127.0.0.1 [http://]u3.eset.com/
127.0.0.1 u4.eset.com/
127.0.0.1 [http://]u4.eset.com/
127.0.0.1 www.symantec.com/updates
13. Creates the following files:
* C:\WINDOWS\system32\acac.dll
* C:\WINDOWS\system32\daniwshb.dll
* C:\WINDOWS\system32\dsoukbda.exe
* C:\WINDOWS\system32\msv1nv4_.dll
* C:\WINDOWS\system32\msvfjspr.dll
14. Adds the values:
"DllName" = "C:\WINDOWS\system32\acac.dll"
"Startup" = "WlxStartupEvent"
"Shutdown" = "WlxShutdownEvent"
"Impersonate" = "0"
"Asynchronous" = "0"
"Image" = "C:\INF\lt.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac
15. Creates the following subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wuapx9tt
16. May disable certain security related applications.
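As an added, defender-side example (not part of either write-up and not vendor tooling), the following Python script audits the artifact types the two descriptions above list: a ServiceDll under the wuauserv service that no longer points at the expected DLL (Backdoor.Wualess, steps 2 to 4), an AppInit_DLLs value, a Winlogon Notify package and a Run entry (W32.Stration.AC@mm, steps 3, 4, 13 and 14), and hosts-file lines that pin vendor update domains to loopback (step 12). It reads the text that `reg export` produces and a copy of the hosts file; the inputs embedded below are constructed, and the baselines (wuauserv.dll as the Automatic Updates ServiceDll on XP/2003, the set of built-in Winlogon notify DLLs, the protected-domain list) are assumptions to be replaced with values taken from a known-clean build of your own.

```python
"""Audit persistence artifacts of the kinds the write-ups list: ServiceDll hijack,
AppInit_DLLs, Winlogon Notify packages, Run entries, and hosts-file entries that
pin vendor update sites to loopback. All inputs here are constructed samples."""
import re
from collections import defaultdict

# Constructed .reg text (the format `reg export` writes), modelled on the values
# the two descriptions list; it is not a capture from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\wuauclt.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="msji449c14b7.dll daniwshb.dll msv1nv4_.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsrv"="C:\\WINDOWS\\tsrv.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acac]
"DllName"="C:\\WINDOWS\\system32\\acac.dll"
"Startup"="WlxStartupEvent"
'''
# Assumed baselines; take the real ones from a known-clean build of the same OS.
EXPECTED_SERVICE_DLL = {'wuauserv': 'wuauserv.dll'}   # XP/2003 Automatic Updates
KNOWN_NOTIFY_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll',
                     'sclgntfy.dll', 'wlnotify.dll'}  # XP built-in notify packages

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # string (REG_SZ) values only

def parse_reg(text):
    """Map each [key] header to its "name"="string" values; other types are skipped."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current]                      # register keys with no string values
        elif current and (m := VALUE_RE.match(line)):
            name, value = m.groups()           # undo .reg escaping of \ and "
            keys[current][name] = value.replace('\\\\', '\\').replace('\\"', '"')
    return keys

def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def audit_registry(reg_text):
    """Return (category, key, value_name, value) tuples an analyst should review."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        m = re.search(r'\\services\\([^\\]+)\\parameters$', k)
        if m and 'ServiceDll' in values:       # svchost loads whatever this names
            expected = EXPECTED_SERVICE_DLL.get(m.group(1))
            if expected and basename(values['ServiceDll']) != expected:
                findings.append(('servicedll_hijack', key, 'ServiceDll', values['ServiceDll']))
        if k.endswith('\\windows nt\\currentversion\\windows') and values.get('AppInit_DLLs', '').strip():
            findings.append(('appinit_dlls', key, 'AppInit_DLLs', values['AppInit_DLLs']))
        if '\\winlogon\\notify\\' in k and 'DllName' in values \
                and basename(values['DllName']) not in KNOWN_NOTIFY_DLLS:
            findings.append(('winlogon_notify', key, 'DllName', values['DllName']))
        if k.endswith('\\currentversion\\run'):
            for name, value in values.items():  # every Run entry is listed for review
                findings.append(('run_entry', key, name, value))
    return findings

# Constructed hosts-file sample: the stock header and localhost line, then entries
# of the kind step 12 appends. "[http://]" mirrors the write-up's defanged form;
# the stripping below handles both that and a bare scheme.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 [http://]www.kaspersky.ru/updates/
"""
PROTECTED_SUFFIXES = ('microsoft.com', 'symantec.com', 'symantecliveupdate.com',
                      'kaspersky.com', 'kaspersky-labs.com', 'kaspersky.ru', 'avp.ru',
                      'viruslist.com', 'viruslist.ru', 'eset.com', 'kasperskylab.ru')
LOOPBACK = {'127.0.0.1', '::1', '0.0.0.0'}

def hijacked_hosts_entries(hosts_text):
    """Return (address, hostname) pairs that map a protected vendor name to loopback.
    Entries carrying a scheme or path never resolve, but they are the same
    tampering fingerprint, so they are reported as well."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop comments and blank lines
        parts = line.split()
        if len(parts) < 2 or parts[0] not in LOOPBACK:
            continue
        for name in parts[1:]:
            host = re.sub(r'^\[?\w+://\]?', '', name).split('/', 1)[0].lower()
            if host != 'localhost' and any(host == s or host.endswith('.' + s)
                                           for s in PROTECTED_SUFFIXES):
                hits.append((parts[0], host))
    return hits

if __name__ == '__main__':
    for f in audit_registry(SAMPLE_REG):
        print('REG   %-18s %s  %s=%s' % f)
    for addr, host in hijacked_hosts_entries(SAMPLE_HOSTS):
        print('HOSTS %s -> %s' % (host, addr))
```

On a live system, replace the two samples with `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion out.reg` (plus the Services and Run keys) and the contents of %System%\drivers\etc\hosts. AppInit_DLLs is reported whenever it is non-empty because a clean XP build leaves it blank; some legitimate products do use it, so treat that category as review rather than verdict.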
What is malware?
Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a combination of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.
Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.
Most Prevalent Global Malware
(from October 01 2006 to October 12)
Backdoor.Wualess
Bloodhound.Exploit.92
Bloodhound.Exploit.91
Bloodhound.Exploit.89
Trojan.Radropper
Backdoor.Haxdoor.R
Bloodhound.Exploit.87
Bloodhound.Exploit.86
Bloodhound.Exploit.85
Bloodhound.Exploit.84
W32.Beagle.FN@mm
Trojan.Linkmediac
W32.Imaut.C
W32.Imaut.B
Bloodhound.Exploit.82
W32.Imaut.A
W32.Looked.AO
Trojan.Ruspy!doc
Trojan.Ruspy
Infostealer.Blurax.B
Infostealer.Wowcraft.E
Backdoor.Haxdoor.Q
Infostealer.Blurax
W32.Stration!dam
Most Prevalent Global Malware
(from September 07 2006 to September 16)
Bloodhound.Exploit.77 09-15-2006
Bloodhound.Exploit.76 09-15-2006
W32.Looked.AH 09-14-2006
Infostealer.Uprungam.B 09-13-2006
Trojan.Bankem.B 09-12-2006
W32.Stration.AC@mm 09-10-2006
Infostealer.Uprungam 09-10-2006
W32.Kiner 09-08-2006
W32.Woredbot.C 09-07-2006
Trojan.Hiween 09-07-2006
Most Prevalent Global Malware
(from August 27 2006 to September 07 2006)
Trojan.Wesber 09-06-2006
Downloader.Dowdec.B 09-06-2006
W32.Areses.Q@mm 09-05-2006
W32.Areses.Q!vbs 09-05-2006
Trojan.Schoeberl.D 09-05-2006
Downloader.Dowdec 09-02-2006
Trojan.Mdropper.Q 09-01-2006
W32.Bacalid!inf 09-01-2006
W32.Mobler.A 09-01-2006
W32.Bacalid 09-01-2006
W97M.Blackurs 08-31-2006
W32.Bustoy 08-31-2006
Trojan.MDropper.P 08-30-2006
W32.Stration!gen 08-30-2006
W32.Dasher.G 08-30-2006
W32.Stration.D@mm 08-29-2006
Trojan.Schoeberl.C 08-29-2006
Trojan.Agentdoc.D 08-29-2006
W32.Spybot.AKNO 08-28-2006
W32.Womble.A@mm 08-28-2006
W32.Woredbot 08-28-2006
Trojan.Flush.H 08-28-2006
W32.Stration.C@mm 08-27-2006
Most Prevalent Global Malware
(from August 17 2006 to August 26 2006)
Trojan.Mdropper.O 08-25-2006
Trojan.Linkoptimizer 08-24-2006
Backdoor.Lassrv.B 08-24-2006
W32.Rungbu 08-23-2006
W32.Spybot.AKKC 08-22-2006
W32.Rahack.H 08-22-2006
Trojan.Bakloma 08-21-2006
W32.Stration.B@mm 08-20-2006
W32.Randex.GEL 08-18-2006
W32.Stration.A@mm 08-18-2006
Backdoor.Haxdoor.P 08-17-2006
W32.Toyep.A@mm 08-16-2006
Trojan.Mdropper.N 08-16-2006
Backdoor.Papi 08-16-2006
Trojan.Tarodrop 08-16-2006