Threats
FakeAlert IS2010 aka Internet Security 2010
IS2010, aka Internet Security 2010, is something we have seen lots of at ZolexPC recently. This malicious program pretends to be legitimate antivirus software, but basically holds important parts of your system for ransom until you pay for software that not only does not work, but also seriously compromises your control of the system. Symptoms include constant warning messages of infection, the inability to launch basic system tools like taskmgr.exe or cmd.exe, restrictive policy implementation, and finding yourself frequently redirected to the IS2010 web site to purchase the software. While taskmgr.exe will not run, two processes named IS2010.EXE and SMSS32.EXE will be running. There will also be files bearing the same names in the %System%\system32\ folder. Regedit will also likely not run, but the following registry keys are created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-internet-security10.com]
[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-internet-security10.com]
[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-soft-download.com]
[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com]
Other registry modifications are made to prevent the user from undoing the changes. While many important, basic tools that could be used against it are disabled by this threat, changing the names of the executables needed to combat it works effectively. For instance, renaming a copy of taskmgr.exe to dog.exe will allow Task Manager to run, which in turn lets you at least kill the processes so that you may begin to clear out the problem. The same principle can be used to call up other system tools, facilitating a manual removal.

Owlforce
Owlforce is adware, and its goal is to flood you with advertisements. It monitors your browsing behavior and reports it back to Owlforce's web site in order to feed you targeted advertising, generally in the form of annoying pop-ups. It seems to like Firefox, as it creates files specific to it, as well as other files, as follows:
%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\chrome\content\OFoxb.xul
%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\chrome.manifest
%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\components\IFoxB.xpt
%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\components\OFoxB.dll
%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\install.rdf
%ProgramFiles%\Ofb1\Ofb1.dll
%ProgramFiles%\Ofb1\sites.ini
%ProgramFiles%\Ofb1\Uninstall.exe
It also creates these registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E1500AC-87A5-416b-A211-82E848649DA9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9504AE8F-1019-4258-A047-C04CCC5301E6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1BC108B-B3EF-4E18-8EE6-CF3C381E3783}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ofb1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ofb1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E1500AC-87A5-416b-A211-82E848649DA9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E1500AC-87A5-416B-A211-82E848649DA9}
This adware is Trojan-like and is manually installed. It may come bundled with free screen saver applications or other freeware.

Sasfis
A Trojan horse, Sasfis is a malicious downloader. It can also execute files. It creates a TMP file at %Temp%\1.tmp. It adds a registry value, HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\"AccessVBOM" = "1", and the subkey HKEY_CLASSES_ROOT\idid. It sets itself to run whenever Windows starts by creating the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = " Explorer.exe rundll32.exe %System%\[RANDOMLY NAMED FILE] [5 OR 6 RANDOM CHARACTERS]". It will run MS Word, if installed, and execute a VBA script to load and run the %Temp%\1.tmp file. It attaches itself to an instance of the svchost process and deletes the original executable. A randomly named DLL, with a four-letter file name and a random three-letter extension, is created in the %System% folder. Once it is set up, it attempts to connect to an HTTP address, typically using port 90. If it succeeds, it then begins downloading and running other malicious content.

Spyeye
Spyeye is a Trojan that attempts to mine information from the infected system. It opens a back door for remote access. When it executes, it creates a configuration file at %SystemDrive%\cleansweep.exe\config.bin, which is a compressed and encrypted file. It also creates a decryption file at %SystemDrive%\cleansweep.exe\cleansweep.exe. It loads itself in the registry to run when Windows starts under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"cleansweep.exe" = "%SystemDrive%\cleansweep.exe\cleansweep.exe", so the infection may be specific to a user profile. This Trojan also attaches to running system processes to capture network traffic and send/receive data around the firewall. It may work as a rootkit, hiding its own processes, and may implement restrictive permissions policies. It steals information from the Internet Explorer and Firefox browsers. The attacker may also execute code remotely, download and run files, log keystrokes and modify the infection.

W32.Arbormen
This virus injects malicious code into files with the extensions .EXE and .SCR. It first tries to infect any process with the word "explorer" in its name and any process with "TibiaClient" in its name. It seeks out files to infect along these paths:
%Windir%
%UserProfile%\Application Data
%UserProfile%\Movie Maker
%UserProfile%\Local Settings\Application Data
%ProgramFiles%\Internet Explorer
%ProgramFiles%\Outlook Express
%ProgramFiles%\MSN Gaming Zone
%ProgramFiles%\NetMeeting
%ProgramFiles%\Windows Media Player
%ProgramFiles%\Windows NT
%ProgramFiles%\Windows Update
%ProgramFiles%\Common Files
It also tries to download other malicious code and/or files as well as send out information on the infected system.

Ircbrute
A worm, Ircbrute spreads itself using removable drives, such as USB flash drives, camera cards and other removable media. Once active on the system, it opens a back door for the attacker. It creates two files, %SystemDrive%\RESTORE\[SID]\Desktop.ini and %SystemDrive%\RESTORE\[SID]\ise32.exe. It sets itself up to run at Windows startup using the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C967120}\"StubPath" = "%SystemDrive%\RESTORE\[SID]\ise32.exe". It also creates an autorun.inf file on the root of drives, so that it will run when the drive is accessed. It tries to connect to an IRC server using port 9890.

Backdoor.Bapkri
This is a general detection for DLL files that try to avoid detection through encryption and open a back door on the affected machine. This detection tells you a malicious DLL is encoding data in an effort to conceal the back door and/or its related activities. Any file with this detection may be considered malicious.

Backdoor.Revird
This Trojan not only opens a back door but also tries to steal personal information from the affected machine. When it is activated, it creates the files nwwwks.dll, rdisk.dll, skeys.dll, SvcHost.DLL.exe and SvcHost.DLL.log in the %System%\ folder. It also makes a folder %SystemDrive%\drivers\own\ and starts %System%\nwwwsk.dll as a new service, disguised as a gateway service for NetWare. It adds a registry key as part of service creation, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCworkstation, and gathers information about the system it has infected. It then gathers all .DOC, .PDF, .PPT, .RAR and .ZIP files into the folder it created, %SystemDrive%\drivers\own, and copies them to a remote location.

Trojan.Avalanec
This Trojan opens a back door on the affected system, allowing remote access. Once activated, it copies itself to %System%\sysservice.exe and creates a configuration file called %System%\sysservice.dll. It adds a registry value so that it will start whenever Windows starts: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Startup Manager" = "%System%\sysservice.exe". It adds itself to the Windows Firewall allow list using the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\sysservice.exe" = "%System%\sysservice.exe:*:Enabled:DNS client". It then tries to connect to remote sites to download configuration updates, and allows the remote attacker into the system to execute commands.

Bloodhound.Exploit.30x
This detection relates to files that attempt to use known vulnerabilities in Microsoft Excel installations. The vulnerabilities include a field-parsing remote code execution weakness, a malformed BIFF remote code execution weakness, and a 'FEATHEADER' record remote code execution weakness. Files showing this heuristic can be assumed to be malicious.

AdShortcuts
A potentially unwanted program, AdShortcuts redirects web page traffic to a series of sites other than the one you wanted, before finally allowing you to go where you intended to browse. Usually it is bundled in with installers from some "free" applications.

Trojan.Tdlload
This Trojan horse modifies legitimate system files. The modifications allow it to install malicious content on the affected machine. This trojan can damage Windows systems up to Vista, as well as some servers, such as Windows Server 2003.

OSX.Loosemaque
This Trojan horse pretends to be a video game. However, it deletes files from the home folder when you play it. When launched, you get what looks like the old-school game Galaxa, and each time you destroy an enemy, a file or folder in the user's home folder gets deleted. When you finally die, the Trojan sends your score to a remote location and deletes itself.

W32.Akannuna
This virus infects EXE files. Once executed, it will infect any EXE files in the folder where it resides.

W32.SillyFDC.BDD
This is a worm that spreads itself using removable drives. It creates a registry value to let it run when Windows starts, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987892}\"StubPath" = "%SystemDrive%\RECYCLER\[SID]\TsGh.exe", and hides desktop.ini and TsGh.exe files in the %SystemDrive%\RECYCLER\ folder, which it copies to any connected removable drive. It will drop an autorun.inf file on removable drives it manages to infect.
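As an added defender's example (not code from the ZolexPC write-ups on this page), the following Python turns the artefact templates quoted in the IS2010, Ircbrute and SillyFDC.BDD entries above into case-insensitive regular expressions and runs them over a constructed host inventory. The %System% and %SystemDrive% expansions, the SID pattern and the sample lines are assumptions rather than values from the page; in practice the lines would come from a process listing, a .reg export or a file inventory taken from the suspect machine.

```python
import re
from collections import Counter

# Placeholders that appear in the write-ups above, mapped to regular
# expressions. The %System% / %SystemDrive% expansions and the SID shape are
# assumptions about a typical Windows XP/Vista-era install, not page facts.
PLACEHOLDERS = {
    "%System%": r"[A-Za-z]:\\(?:Windows|WINNT)\\system32",
    "%SystemDrive%": r"[A-Za-z]:",
    "[SID]": r"S-1-\d+(?:-\d+)+",
    "S-1-(varies)": r"S-1-\d+(?:-\d+)+",
}

# IoC templates copied from the IS2010, Ircbrute and SillyFDC.BDD entries.
IOC_TEMPLATES = {
    "FakeAlert IS2010": [
        r"%System%\IS2010.EXE",
        r"%System%\SMSS32.EXE",
        r"HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion"
        r"\Internet Settings\ZoneMap\Domains\buy-internet-security10.com",
    ],
    "Ircbrute": [r"%SystemDrive%\RESTORE\[SID]\ise32.exe"],
    "W32.SillyFDC.BDD": [r"%SystemDrive%\RECYCLER\[SID]\TsGh.exe"],
}

# Splits a template into literal pieces and placeholder tokens.
_TOKEN = re.compile("(" + "|".join(re.escape(p) for p in PLACEHOLDERS) + ")")


def compile_ioc(template):
    """Turn one IoC template into a case-insensitive regex: literal text is
    escaped verbatim, placeholders become the patterns in PLACEHOLDERS."""
    parts = []
    for piece in _TOKEN.split(template):
        if piece:
            parts.append(PLACEHOLDERS.get(piece) or re.escape(piece))
    return re.compile("".join(parts), re.IGNORECASE)


def scan(lines, templates=IOC_TEMPLATES):
    """Return (family, template, line) for every line matching an IoC.
    Lines can come from a process listing, a registry export or a file
    inventory; matching is by substring so bracketed .reg keys still hit."""
    compiled = [(fam, t, compile_ioc(t))
                for fam, ts in templates.items() for t in ts]
    hits = []
    for line in lines:
        for family, template, rx in compiled:
            if rx.search(line):
                hits.append((family, template, line))
    return hits


def families_hit(lines, templates=IOC_TEMPLATES):
    """Count matching lines per malware family."""
    return Counter(family for family, _, _ in scan(lines, templates))


# Constructed sample inventory (not real host data): a mix of clean lines and
# lines shaped like the artefacts described above, with a made-up SID.
SAMPLE_LINES = [
    r"C:\Windows\system32\svchost.exe",
    r"C:\Windows\system32\IS2010.EXE",
    r"c:\windows\system32\smss32.exe",
    r"[HKEY_USERS\S-1-5-21-1234567890-987654321-111111111-1001\Software"
    r"\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    r"\buy-internet-security10.com]",
    r"D:\RESTORE\S-1-5-21-1234567890-987654321-111111111-1001\ise32.exe",
    r"C:\RECYCLER\S-1-5-21-1234567890-987654321-111111111-1001\TsGh.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

if __name__ == "__main__":
    for family, template, line in scan(SAMPLE_LINES):
        print(f"{family}: {line}  (matched {template})")
    print(dict(families_hit(SAMPLE_LINES)))
```

The SID placeholder is deliberately required rather than optional, so a stray RESTORE\ise32.exe without the per-user subfolder the write-up describes is not reported; add further templates from the entries above to IOC_TEMPLATES as needed, keeping the page's own placeholder spellings.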

Backdoor.Pfinet
A Trojan horse, Backdoor.Pfinet opens back door access to the affected machine and might try to gather personal information. A device driver called %SystemDrive%\temp\acpimem32.sys is dropped on the machine, and two log files labeled windbg.dat and windbg2.dat are dropped in the same folder. A service labeled usblink is started by the driver file. If you find a file in the Temp directory labeled fixdata.dat, then it has succeeded in creating a virtual disk image, and hides uninstall information.

Trojan.Whitewell
A Trojan horse program, Whitewell opens a back door connection on the affected machine. It can also get its configuration information from social networking sites such as Facebook. It also drops an EXE file called runinfo.exe into the %Temp% directory. It tries to disguise itself as a McAfee component in the registry, dropping the following value into the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"MCAFEEIPS" = "%UserProfile%\local settings\temp\setup.exe"

Trojan.Bredolab!genX
This group of Trojan signatures means the file in question has been tampered with to avoid detection by antivirus engines.

Infostealer.Banker.F
This is a Trojan horse, meaning it tries to fool you into running it. It attempts to steal personal information from the affected machine, and can be part of a combined threat, put in place by another piece of spyware. It patches the iexplore.exe process in order to monitor network traffic, gathers any personal information it can, and tries to send it to a remote location.

Spyware.AoboKeyLogger
This spyware attempts to steal information from the affected machine via keylogging. It can also store passwords and take screen shots, and runs in a stealth mode. It sends the captured information to a pre-set FTP site or email address.

W32.Kasticyz
This virus infects EXE files at random, including anything accessible via network share and removable drives. Its goal is simply to spread itself.

Downloader.Ergrun
A Trojan horse, Downloader.Ergrun can download other items to your machine. It creates a false svchost.exe in the %Temp% directory and sets itself to start whenever Windows does.

W32.Exkowen
This virus attaches itself to EXE files on the infected system. It can invite other malware, and spreads via any connected drives on the infected system, including removable drives.

Trojan.Ransomlock.C
This incredibly annoying Trojan horse locks down the infected system, making it totally unusable. It prompts the victim to purchase a license in order to regain access to the computer. It changes the file attributes of explorer.exe, regedit.exe, cmd.exe and taskmgr.exe to hidden, system and read-only. It also deletes registry keys related to safe mode, effectively disabling it. The key for disabling the error message is 13616, and is hard coded into the Trojan.

Trojan.Zbot!gen1
This is a heuristic detection, indicating the file in question was compressed or otherwise disguised in order to avoid detection. It is a good indication of other infection on the affected system.

Trojan.Pandex!gen1
This is a heuristic detection for variants of the Trojan.Pandex infection, which generates spam and attempts to mine email addresses from the infected system.

Trojan.FakeAV!gen2
This detection indicates a file signature that shows the file has been encrypted or compacted in order to hide it from anti-virus detections. It indicates the likely presence of other infections.

Trojan.Kissderfrom
Kissderfrom is a trojan horse that attempts to steal personal information from the infected system. It may also open a back door and allow remote commands to be executed.

W32.Pilleuz
A worm, Pilleuz spreads itself using file sharing programs, instant messaging clients by Microsoft, and removable drives. It also may open a back door allowing remote commands to be executed on the infected system.

Infostealer.Bzup.B
This is a Trojan horse that tries to steal personal information on the infected system, such as passwords, email accounts, TAN and PIN numbers for banking, and other information.

VBS.Invadesys.B
A worm that copies itself to all drives on the infected system. It embeds itself into the legitimate explorer.exe and smss.exe files, compromising the integrity of the operating system.

AntiVirus2010
This is a misleading application we like to call Ransom-Ware. It infects your system and gives lots of false and super-exaggerated infection reports.

W32.Lafee
A virus that affects EXE and SCR files, which may connect to an external web address to download additional malicious content.

Trojan.Opachki
This Trojan horse injects HTML code into web pages, leading to a malicious URL.

Packed.Generic.254
A heuristic detection, this means that files may have been encrypted or otherwise spoofed to conceal them from antivirus software.

Downloader.Kuaiput
A Trojan horse, this infection downloads and executes malicious code from an FTP site.

W32.Perz
This worm spreads through file sharing networks. It is unclear what the worm does at this time, but if you use file sharing applications, you are vulnerable.

SillyFDC Variants
This worm family spreads itself through removable and shared drives, such as jump drives. It adds itself to the infected system to infect new drives, as well as adding itself to the removable drive.

Sopiclick
A Trojan Horse, Sopiclick can manipulate certain web statistics and download files on the infected system. Payloads may vary.

Fnumbot
Another removable drive worm, Fnumbot also opens back doors on the infected computer that others can use to access the infected system.

WindowsAntivirusPro
A misleading application we like to call Ransom-Ware. This alleged antivirus package gives false and exaggerated reports. The trial version also nags with pop-ups until purchased.

Trojan.Fsearch
A Trojan application that modifies search results when searching the web. It redirects any search queries to alternate domains, and affects both Internet Explorer and Firefox.

W32.Stealsmth
Another information stealer, W32.Stealsmth infects files and attempts to steal personal information from the affected system.

Spyware.WinSupervisor
WinSupervisor is a spyware application that records the activities of users on the affected system. When programs open, this application takes a screenshot of your desktop and logs all keystrokes. It saves this information to a report that can be sent to a predetermined email address for review.

NortelAntivirus
A misleading application, this “antivirus” program gives exaggerated reports of threats in the affected machine.

AsteriskLogger
This is a potentially unwanted program. It reveals passwords that are typed in that otherwise would be masked by a dot or asterisk in standard login text boxes.

Infostealer.Ebod
This is a Trojan that attempts to steal personal information from the affected machine. The information may include logins, passwords, banking information and the like.

VBS.Runauto.G
This is a worm that opens back doors on the infected computer. It spreads itself via network shares and removable drives.

JS.Frienren
This worm spreads through social networking sites. It spreads itself by sending this message to all members of the infected user's Renren friend list:
Subject: Pink Floyd - Wish You Were Here
Body: Wish You Were Here @ 2016
Summary:[http://]o.99081.com/xnxss/[REMOVED]

Packed.Generic.X
This is a heuristic set that indicates a file that may have been modified to hide it from anti-virus detection.

Trojan.Fakeavalert!Gen
This family of Trojans pretends to be an antivirus alert. This is sometimes referred to as ransom-ware. It plagues the infected system with pop-up ads and malware.

Adware.DoubleD
This is adware. It poses as a smiley toolbar and causes random ads to appear on the infected system.

W32.Feberr
This is a virus that infects executable files on the affected system, and tries to download more malicious content to the affected system. Discovered August 2009

W32.SillyFDC.BCT
This is a worm that spreads through removable drives and can download files on the affected system. Discovered August 2009

Hacktool.PstorRevealer
This is a hacker tool that tries to collect stored passwords on your system. Discovered August 2009

W32.Stiraut
This is a worm that spreads via use of removable drives, and opens a back door on the affected system. It attempts to send messages to random users on social networking sites. Discovered August 2009

W32.Trats.B
This worm and its variants spread by use of removable drives, like flash drives, and also by sending instant messages with links to copies of itself. It also attaches itself to executables and tries to download items on the affected system. Discovered August 2009

W32.Screentief
This is a worm that spreads itself around via removable drives, such as flash drives. It can also take screen shots of whatever is on your screen and tries to send these to the attacker. Discovered August 2009

Downloader.Sninfs
This is a trojan horse that can download other malicious content on the affected PC. One of the associated pieces is called Infostealer.Bancos, a piece of spyware. Discovered August 2009

Koobface worm
Koobface and its variants spread through social networking sites such as Facebook and MySpace. They report confidential information they find, such as saved user name and password info on your system, to remote locations.

Downadup/Conficker worm
The first version of this worm has been known since December 2008. It now has 300+ variants. More information can be found in the Virus Lab Blog. January 22, 2009

I-Worm/Nuwar
The propagation method of the new Nuwar variant is still similar to its predecessors. Spammed mails with a link in IP-address format direct users to the worm web pages, where they are prompted to download one of the worm files under the name funny.exe. Names of other downloadable files are kickme.exe and foolsday.exe. AVG detects this threat as I-Worm/Nuwar.R. March 31, 2008

I-Worm/Nuwar
The new Nuwar variant's spreading method is similar to last month's Nuwar.L propagation. The spammed emails are brief, containing a link in IP-address format to currently working pages hosting the worm. The compromised page's code is changed so that the user is prompted to download a file containing the worm. The downloaded file is named valentine.exe, is about 110 - 130kB long and is detected by AVG as I-Worm/Nuwar.N. February 14, 2008

I-Worm/Nuwar
We have a new wave of spammed mail messages containing a link directing users to a website where the worm can be downloaded. The emails contain short text and the IP address of currently working pages hosting the worm. In this case the downloaded file is named withlove.exe and is about 115kB in size. The websites and worm files change every few minutes. AVG detects withlove.exe as I-Worm/Nuwar.L. February 14, 2008

Win32/Mabezat.A
In the last few days we've registered a larger number of PE files infected by this virus. Win32/Mabezat is a polymorphic file infector which infects PE files. More information can be found in our Virus Encyclopedia. November 14, 2007

Downloader.Tibs
A new Downloader.Tibs variant is spreading today thanks to massive spamming. The infected emails contain an attachment about 130-140kB long, usually named happy2008.exe, which is the Trojan horse itself. There are also emails with links directing users to malicious web pages. The files are already detected as Downloader.Tibs. February 14, 2008

Trojan Downloader.Agent.UZM
A new Trojan downloader was spammed today. The Trojan is attached in a zip archive to emails in HTML format with the subject "Hot game" and body text that advertises some Angelina Jolie or Lara Croft undressing game. The xgame.zip attachment contains xgame.exe (20992B), which drops, executes and deletes the kernel driver C:\WINDOWS\System32\drivers\runtime.sys and downloads another downloader, smartdrv.exe. runtime.sys runs, injects into and hides the Iexplore.exe process and downloads further components. xgame.exe is detected as Trojan Downloader.Agent.UZM, smartdrv.exe is detected as Trojan Downloader.Agent.UZN, runtime.sys is detected as Trojan Downloader.Agent.THW and the other downloaded components are detected as several variants of Trojan Backdoor.Ntrootkit. November 10, 2007

I-Worm/Stration downloader
The next Stration downloader variant spreads by email in messages with a randomly generated subject and body and two attachments. The PDF attachment is harmless, but the EXE attachment, which is 18708B long, is the downloader itself, and AVG detects it as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia. November 5, 2007

I-Worm/Stration downloader
The latest Stration downloader spreads by email in messages with a randomly generated subject and body, with one EXE and one PDF file attached. The EXE file is 20992B in size and is the downloader itself, detected by AVG as I-Worm/Stration.FJA. The file the downloader tries to download is already detected as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia. November 1, 2007