Contact Us for a free antivirus trial to the end of this month.
Add "Virus Trial" to the Comments area.
Backdoor:W32/IRCBot Oct 2, 2008
Name : Backdoor:W32/IRCBot
Detection Names : Backdoor.Win32.IRCBot
Type: Backdoor
Category: Malware
Platform: W32
Summary
Backdoors are Remote Administration Tools (RATs) that expose infected machines to external control via the Internet.
IRCBots are a type of "bot" that receive their commands, and are controlled, over Internet Relay Chat (IRC).
Botnets built from such bots have been used for sending spam, installing further malware without the owner's consent, and other illicit purposes.
Trojan-Dropper:W32/Hoaxer.B Sep 30, 2008
Name : Trojan-Dropper:W32/Hoaxer.B
Detection Names : Trojan-Downloader.Win32.Hoaxer.a
Aliases : TrojanDownloader:HTML/Renos.C (Microsoft)
W32/Dorf.A!tr.dldr (Other)
Size: 333780
Type: Trojan-Dropper
Category: Malware
Platform: W32
Summary
This type of trojan contains one or more malicious files, which it will secretly install on the system.
File System Changes
Creates these directories:
* %programfiles%\PCHealthCenter
Process Changes
Creates these processes:
* %programfiles%\PCHealthCenter\0.exe
* %programfiles%\PCHealthCenter\1.exe
* %programfiles%\PCHealthCenter\2.exe
* %programfiles%\PCHealthCenter\3.exe
* %programfiles%\PCHealthCenter\4.exe
* %programfiles%\PCHealthCenter\5.exe
* %programfiles%\PCHealthCenter\7.exe
Registry Modifications
Sets these values:
* HKCU\SOFTWARE\Microsoft\Windows
VRSIN = 1221124757
* HKCU\SOFTWARE\Microsoft\Windows
AIM = 0000000000005378
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR.exe = C:\Windows\system32\YUR.exe
Additional Details
This malware drops and installs multiple files in the system. The cumulative effect of the malware is to produce a fake infection warning, which aims to frighten the user into purchasing a rogue antivirus program.
Installation
The malware installs a variety of files on the system.
These files are all detected as Trojan-Downloader.Win32.Hoaxer.a:
* %programfiles%\PCHealthCenter\0.exe
* %programfiles%\PCHealthCenter\1.exe
* %programfiles%\PCHealthCenter\2.exe
* %programfiles%\PCHealthCenter\3.exe
* %programfiles%\PCHealthCenter\4.exe
* %programfiles%\PCHealthCenter\5.exe
* %programfiles%\PCHealthCenter\7.exe
These files are all image files used by the sc.html file:
* %programfiles%\PCHealthCenter\0.gif
* %programfiles%\PCHealthCenter\1.gif
* %programfiles%\PCHealthCenter\2.gif
* %programfiles%\PCHealthCenter\3.gif
This file is the fake Windows Security Center warning:
* %programfiles%\PCHealthCenter\sc.html
These icons are for links to pornography sites:
* %programfiles%\PCHealthCenter\1.ico
* %programfiles%\PCHealthCenter\2.ico
In addition to icons for links, the malware also adds actual links to the megafreeporn website:
* %desktop%\QUALITY PORN.url
* %desktop%\BEST ZOO PORN.url
These files are essentially duplicates of files which have been previously installed:
* c:\x - same file as %programfiles%\PCHealthCenter\7.ex
* %windir%\system32\YUR.exe - same file as %programfiles%\PCHealthCenter\1.exe
* %windir%\system32\YUR.exe - same file as %programfiles%\PCHealthCenter\2.exe
* %windir%\system32\YUR.exe - same file as %programfiles%\PCHealthCenter\3.exe
* %windir%\system32\YUR.exe - same file as %programfiles%\PCHealthCenter\4.exe
* %windir%\system32\1.ico - same as %programfiles%\PCHealthCenter\1.ico
* %windir%\system32\2.ico - same as %programfiles%\PCHealthCenter\2.ico
Finally, the malware installs a file which is detected as Fraudtool:W32/SpywarePreventer.A:
* http://first-reason.com/data/x7/[...]/0000005378.exe
Registry
The malware also makes a number of registry changes so that the installed files are started with the system. Sample registry values are:
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR1.exe = C:\Windows\system32\YUR1.exe
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR1.exe = C:\Windows\system32\YUR1.exe
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR2.exe = C:\Windows\system32\YUR2.exe
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR2.exe = C:\Windows\system32\YUR2.exe
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR3.exe = C:\Windows\system32\YUR3.exe
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR3.exe = C:\Windows\system32\YUR3.exe
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR4.exe = C:\Windows\system32\YUR4.exe
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\YUR4.exe = C:\Windows\system32\YUR4.exe
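The file-system and registry indicators listed above can be turned into a simple host check. The following script is an added example and is not part of the writeup or of any vendor tooling: it parses a small .reg export and a file listing, both constructed here for illustration (the user name, the benign neighbouring entries and the hex encoding of the VRSIN value are invented), and flags the patterns the writeup describes: Run values named \YUR*.exe pointing into system32, the VRSIN/AIM marker values, files under PCHealthCenter, desktop .url files, and the system32 copies of YUR*.exe and the .ico files.

```python
import re
from typing import List, Tuple

# Indicator patterns taken from the Hoaxer.B writeup.
RUN_KEYS = {
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
}
MARKER_KEY = r"HKCU\SOFTWARE\MICROSOFT\WINDOWS"
MARKER_VALUES = {"VRSIN", "AIM"}
# Value names under the Run keys: \YUR.exe, \YUR1.exe ... \YUR4.exe
YUR_VALUE = re.compile(r"^\\?YUR\d*\.exe$", re.IGNORECASE)
DROP_DIR = re.compile(r"\\PCHealthCenter\\", re.IGNORECASE)
DESKTOP_URL = re.compile(r"\\desktop\\.*\.url$", re.IGNORECASE)
SYSTEM32_COPY = re.compile(r"\\system32\\(YUR\d*\.exe|[12]\.ico)$", re.IGNORECASE)

# Constructed sample .reg export (not a real capture): two markers, one
# malicious Run value per hive, plus benign entries that must not be flagged.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows]
"VRSIN"=dword:48c8e295
"AIM"="0000000000005378"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"\\YUR1.exe"="C:\\Windows\\system32\\YUR1.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\YUR2.exe"="C:\\Windows\\system32\\YUR2.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

# Constructed file listing mixing dropped files with benign ones.
FILE_LISTING = [
    r"C:\Program Files\PCHealthCenter\0.exe",
    r"C:\Program Files\PCHealthCenter\sc.html",
    r"C:\Program Files\Common Files\system\wab32.dll",
    r"C:\Users\alice\Desktop\QUALITY PORN.url",
    r"C:\Users\alice\Desktop\report.docx",
    r"C:\Windows\system32\YUR1.exe",
    r"C:\Windows\system32\1.ico",
    r"C:\Windows\system32\kernel32.dll",
]

VALUE_LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]+))$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse a minimal .reg export into (key, value_name, data) triples.

    Keys are normalised to the HKLM/HKCU short forms used in the writeup,
    .reg backslash escaping is undone, and dword values are rendered in decimal
    so they compare directly against the values listed on the page.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = (line[1:-1]
                   .replace("HKEY_LOCAL_MACHINE", "HKLM")
                   .replace("HKEY_CURRENT_USER", "HKCU"))
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            name, sdata, ddata = m.groups()
            data = str(int(ddata, 16)) if sdata is None else sdata.replace("\\\\", "\\")
            entries.append((key, name.replace("\\\\", "\\"), data))
    return entries


def check_registry(entries: List[Tuple[str, str, str]]) -> List[str]:
    """Flag the persistence values and marker values described in the writeup."""
    findings = []
    for key, name, data in entries:
        k = key.upper()
        if k in RUN_KEYS and YUR_VALUE.match(name) and "\\system32\\" in data.lower():
            findings.append(f"persistence: {key}\\{name} = {data}")
        elif k == MARKER_KEY and name.upper() in MARKER_VALUES:
            findings.append(f"marker value: {key}\\{name} = {data}")
    return findings


def check_files(paths: List[str]) -> List[str]:
    """Flag dropped files, desktop .url shortcuts and the system32 copies."""
    findings = []
    for p in paths:
        if DROP_DIR.search(p):
            findings.append(f"dropped file: {p}")
        elif DESKTOP_URL.search(p):
            findings.append(f"desktop shortcut: {p}")
        elif SYSTEM32_COPY.search(p):
            findings.append(f"system32 copy: {p}")
    return findings


def scan(reg_text: str, paths: List[str]) -> List[str]:
    """Run both checks and return every finding, registry first."""
    return check_registry(parse_reg_export(reg_text)) + check_files(paths)


if __name__ == "__main__":
    for finding in scan(REG_EXPORT, FILE_LISTING):
        print(finding)
```

On a live host the same two checks would be fed from a `reg export` of the two Run keys and of HKCU\SOFTWARE\Microsoft\Windows, and from a directory listing of %programfiles%, %windir%\system32 and the user desktops; the matching logic does not change. The Run-key check deliberately requires both the \YUR*.exe value name and a system32 target, so a legitimately named autostart entry in the same key is not reported.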
Execution
Upon execution, the malware will immediately display the sc.html file, which appears to be a Windows Security Center warning that the system is infected.
Figure: Hoaxer.B displays a fake Windows Security Center warning.
The user is asked whether they would like to scan for and remove the (supposed) threats detected; the dialog presents this as the recommended option. If the user clicks "Yes" in the dialog box, the malware opens this link in the browser:
* http://scanner.vav-x-scanner.com/34/?advid=[...]5378&dsbndbinj&
The page opened contains the product that the malware is promoting.
Recommendations
We encourage all users and administrators to adhere to the following basic security "best practices":
* Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
* Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
What is a virus or trojan or malware?
Malware is software designed to infiltrate or damage a computer system, without the owner's consent. The term is a combination of "mal-" (or perhaps "malicious") and "software", and describes the intent of the creator, rather than any particular features. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. In law, malware is sometimes known as a computer contaminant.
Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains errors or bugs.
Most Prevalent Global Malware
(from December 2007 to February 2008)
Bloodhound.Exploit.174 - W32.Agnido.A@mm - W32.Mdmbot - Bloodhound.Exploit.172 - Bloodhound.Exploit.175 - Trojan.Ozdok - W32.Botou - Trojan.Pidief.C - Trojan.Gtaskup - W32.Mumawow.Y!inf - W32.Barten@mm - W32.Mumawow.Y - Trojan.Daymay - Bloodhound.Exploit.171 - SymbOS.Hatihati.A - Trojan.Selex - Trojan.Arposon - W32.Joydotto - W32.Yalove.F - W32.Tufik.B - W32.Tufik.B!inf - Bloodhound.Bancos.1 - W32.Korron.A - W32.Uporesc - SymbOS.Beselo.A - SymbOS.Beselo.B - Trojan.Waytostr - Bloodhound.Exploit.170 - W32.Degnax@mm - W32.Dranyam - W32.Gudek
Most Prevalent Global Malware
(from October 2007 to December 2007)
Bloodhound.Exploit.167 W32.Pagipef.I W32.Drowor.B W32.Pagipef.I!inf W32.Drowor.B!inf W32.Likasimal Trojan.Voterai Trojan.Quimkids W32.Heular W32.Baki.C Trojan.Quimkit Backdoor.Pharvest!inf Backdoor.Pharvest W32.HLLP.Arcer W32.Dawin W32.Shangxing.A O97M.Dropper W32.Tvido.A Trojan.Astry Backdoor.Bandock.A W32.Motsys W32.Mabezat.A VBS.Invadesys.A W32.Imaut.BH Bloodhound.Exploit.166 W32.Baki.A Trojan.Pidief.B W32.Linkfars VBS.Runauto.E W32.Proyo
Most Prevalent Global Malware
(from September 2007 to October 2007)
Trojan.Randsom.B W32.Scrimge.G W32.Lashplay W32.Scrimge!gen Trojan.Lazdropper W32.Hauxi Infostealer.Monstres W32.Scrimge.E W32.Drowor.A!inf Trojan.Bankpatch!inf Bloodhound.Exploit.152 Bloodhound.Exploit.159 Trojan.Bankpatch W32.Drowor.A Backdoor.Ginwui.F W32.Mimbot.A Bloodhound.Exploit.148 W32.Versie.A W32.Scrimge.A W97M.Necro.A Trojan.Tarodrop.D W32.Vispat.B@mm W32.Romariory@mm W32.Imaut.AS W32.Kibtos W32.Falsu.E Trojan.Peacomm.B!inf Trojan.Virantix W32.Deletemusic Trojan.Farfli W32.Imcontactspam@mm W32.Whybo.U Linux.Backdoor.Rexob Infostealer.Winotim W32.Imautorun W32.Bratsters Trojan.Firpage
Most Prevalent Global Malware
(from 20 July 2007 to 18 August 2007)
Trojan.Randsom.B W32.Scrimge.G W32.Lashplay W32.Scrimge!gen Trojan.Lazdropper W32.Hauxi Infostealer.Monstres W32.Scrimge.E W32.Drowor.A!inf Trojan.Bankpatch!inf Bloodhound.Exploit.152 Bloodhound.Exploit.159 Trojan.Bankpatch W32.Drowor.A Backdoor.Ginwui.F W32.Mimbot.A Bloodhound.Exploit.148 W32.Versie.A W32.Scrimge.A W97M.Necro.A Trojan.Tarodrop.D W32.Vispat.B@mm W32.Romariory@mm W32.Imaut.AS W32.Kibtos W32.Falsu.E Trojan.Peacomm.B!inf Trojan.Virantix W32.Deletemusic Trojan.Farfli W32.Imcontactspam@mm W32.Whybo.U Linux.Backdoor.Rexob Infostealer.Winotim W32.Imautorun W32.Bratsters Trojan.Firpage
Most Prevalent Global Malware
(from June 2007 to July 2007)
W32.Phoney.A W97M.Mupps Bloodhound.Exploit.158 Trojan.Gpcoder.E W32.Himu.A@mm Trojan.Retvorp W32.Atnas.A W32.Fubalca.N!html W32.Fubalca.N W32.Tisandr.A@mm VBS.Pusia Trojan.Maliframe!html Bloodhound.Exploit.155 Bloodhound.Exploit.157 Bloodhound.Exploit.156 W32.Vispat.A@mm Trojan.Botvoice Trojan.Duganss!inf W32.Cassel W32.Netsky.BG@mm W32.Piffle W32.Weakling W32.Hairy.A W32.Tupofse.B!inf W32.Tupofse.B Trojan.Riler.G W32.Daxijesh Trojan.Trickanclick W32.Svich W32.Espoleo W32.Espoleo!inf W32.Pifio W32.Gexin.A Backdoor.Fonamebot W32.Amca WHS.Vred W32.Nujama.B W32.Stration!dldr W32.Schting.A XF.Helpopy W32.Chiko W32.Ogleon.A Trojan.Flogash W32.Vediance Trojan.Lhdropper W32.Fubalca.I!html W32.Fubalca.I
Most Prevalent Global Malware
(from May 2007 to June 2007)
W32.Tupofse W32.Dizan.D W32.Mubla Trojan.Tooso.S VBS.Nokrupt W32.Alnuh TIOS.Divo W32.Mumawow!gen Trojan.Smallprox Backdoor.Robofo Trojan.Packed.NsAnti W32.Dotex TIOS.Tigraa W32.Quadrule.A W32.Ganbate.A Trojan.Spoofive!html W32.Nomvar Trojan.Mpkit!html Infostealer.Banker.D Bloodhound.Packed.29 W32.Sachy.A W32.Lecivio JS.Badbunny Perl.Badbunny Ruby.Badbunny W32.Sibaru.A SymbOS.Viver.A Trojan.Perfcoo IRC.Badbunny SB.Badbunny!inf Python.Badbunny SB.Badbunny W32.Drom VBS.Lido W32.Autosky VBS.Lido!html W32.Danber W32.Rahiwi.B W32.Amend.A@mm W32.Posse W32.Naplik!inf W32.Naplik W32.Condown.A W32.Uisgon.A W32.Fubalca.E Trojan.Usbsteal W32.Mumawow.D!inf W32.Mumawow.D W32.Neela Trojan.Haradong.C W32.Popwin Backdoor.Graybird!gen W32.Kenety W32.Stration.IZ@mm W32.Pitin.C W32.Odelud Infostealer.Snifula.C Hacktool.Sipbot Bloodhound.Exploit.147 Bloodhound.Exploit.146 Bloodhound.Exploit.141 W32.Tupse W32.Lobekad!inf Backdoor.Coreflood.C Trojan.Zlob.N Bloodhound.Exploit.139 Bloodhound.Exploit.140 Bloodhound.Exploit.142 Bloodhound.Exploit.143 Bloodhound.Exploit.144 Bloodhound.Exploit.145