5 Star Support Home Free Technical Support Computer Help Forums Computer Tutorials Tips, Tricks & Tweaks Troubleshooting FAQ

Web 5 Star Support

For Free Spyware scanners and other security related downloads, please visit our Virus Information Page.

---

Weekly Security News

Posted by Dave
5 Star Support Security Specialist

Week of 03/16/08 –

General -

A massive iFrame attack has compromised hundreds of thousands of web pages. Please browse carefully and do not visit untrusted sites. Be very careful of browser redirection if you are visiting a new site you are unfamiliar with.

Microsoft –

Be sure you have applied the critical updates for Microsoft Office released last week, as exploits for these vulnerabilities are active on the Internet.

Microsoft has released SP 1 for Vista in both 32bit and 64 bit versions. They have also released a beta version of IE 8.

Other Software –

Apple has released a huge set of updates for Mac OS X and a set of updates for Safari as well.

Be sure to keep all your 3rd party and applications patched and updated just as you would for Windows.

Adobe users should be running Adobe Reader v 8.1.2 and the current version of Java is v 6 update 5.

Mozilla.org has released the Beta 4 version of Firefox 3, and it is a smoking fast browser. Look for the release of Firefox 3 in the next couple of months.

New Viruses & Malware-

This section lists the new Viruses, Worms, Trojans etc. released into the wild during the past week. The discoveries come from SOPHOS, UK recognized as a world leader in computer security products, software and appliances.

1. Troj/Bifrose-VO is a Trojan for the Windows platform.

When first run Troj/Bifrose-VO copies itself to:

<System>\system32\cam.exe

and creates the following file:

<System>\system32\klog.dat - DAT file, can be safely deleted.

2. Troj/Zlob-AIY is a Trojan for Windows

3. Troj/Zlob-AIZ is a Trojan for the Windows platform.

Troj/Zlob-AIZ displays fake alerts informing the user that the victim computer is infected with Malware.

When first run Troj/Zlob-AIZ drops the file <System>\univrs32.dat, which is detected by Sophos as Troj/Agent-GPD.

4. Troj/Agent-GSM

When Troj/Agent-GSM is installed the following files are created:

<Program Files>\Microsoft Office\system\apcdli.sys
<Temp>\kzdh@webbrowser-lyrics_2043.exe

The file apcdli.sys is detected as Mal/RootKit-A. The file kzdh@webbrowser-lyrics_2043.exe is detected as a component of Troj/Agent-GSM.

The file apcdli.sys is registered as a new system driver service named "apcdli", with a display name of "apcdli" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\apcdli

5. Troj/Agent-GSN

Variant of Trojan Agent-GSM listed above

6. Troj/Bckdr-QLG

Backdoor Trojan for Windows

7. Troj/Dloadr-BJG is a Trojan for the Windows platform.

Troj/Dloadr-BJG contains functionality to communicate with a remote server via HTTP.

When first run Troj/Dloadr-BJG copies itself to <System>\CbEvtSvc.exe.

The file CbEvtSvc.exe is registered as a new system driver service named "CbEvtSvc", with a display name of "CbEvtSvc" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\CbEvtSvc

8. Troj/Mdrop-BQM is a Trojan for Windows.

When Troj/Mdrop-BQM is installed it creates the file <System>\ok1.exe.

The file ok1.exe is detected as Mal/Behav-010.

The following registry entry is changed to run ok1.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,,<System>\ok1.exe

9. Troj/Proxy-IH includes functionality to access the internet and communicate with a remote server via HTTP.

10. Troj/Agent-GSW is a Trojan for the Windows platform.

When first run Troj/Agent-GSW copies itself to <System>\cert2exe.exe and creates the following files:

<Root>\error.log
<System>\cert2app.dll
<System>\cert2dll.dll
<System>\cert2prt.dll
<System>\drivers\osapi.log

11. Troj/Agent-GSX is a Trojan for the Windows platform.

When Troj/Agent-GSX is installed it creates the file <System>\ntos.exe.

12. Troj/PcClien-LO is a Trojan for Windows

13. Troj/Zlob-AJA is another variant of the Zlob family of Trojans for the Windows platform

14. Troj/Agent-GSV is a Trojan for Windows

15. Troj/Agent-GSQ is a Trojan for the Windows platform.

16. Troj/Agent-GSR is a Trojan for Windows

17. Troj/Agent-GST is a Trojan for the Windows platform.

Troj/Agent-GST attempts to contact a remote server over the internet .

When Troj/Agent-GST is installed the following files are created:

<Temp>\78453.vbs - also detected as Troj/Agent-GST
<Temp>\finaltemp.vbs - empty file

18. Troj/Dloadr-BJH is a Trojan for the Windows platform.

When Troj/Dloadr-BJH is installed it creates the file <System>\wmdmsvc32.dll.

The file wmdmsvc32.dll is registered as a new service named "WmdmPmSn". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSn

19. Troj/PWS-AQH is a Trojan for the Windows platform.

When Troj/PWS-AQH is installed the following files are created:

<Temp>\RarSFX0\11.sfx.exe
<Temp>\RarSFX0\mm\168_325566_f54679f96e1c490 [%P].jpg
<Temp>\RarSFX0\mm\168_378561_7ccc6cb8001c00f [%P].jpg
<Temp>\RarSFX0\mm\2005610010104150 [%P].jpg
<Temp>\RarSFX0\mm\242965581_9faa239705_o [%P].jpg
<Temp>\RarSFX0\mm\Thumbs.db
<Temp>\RarSFX0\mm\harajuku-15 [%P].jpg
<Temp>\RarSFX0\mm\harajuku-6 [%P].jpg
<Current Folder>\2.bat
<Windows>\help\F3C74E3FA248.dll
<Windows>\help\F3C74E3FA248.xe

The file F3C74E3FA248.dll is detected as Mal/LineDLL-B and the file F3C74E3FA248.xe is detected as Mal/EncPk-AZ.

The file F3C74E3FA248.dll is registered as a COM object.

20. Troj/Banloa-FA is a Trojan for the Windows platform that attempts to download a file from a remote location to <Temp>\WindowsUpdate.exe and execute it. This file is currently detected as Mal/DelpBanc-A.

21. Troj/Mdrop-BQR is a Trojan dropper for MS Word

22. Troj/PcClien-LQ is a Trojan for the Windows platform.

Troj/PcClien-LQ includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/PcClien-LQ is installed the following files are created:

<System>\<random filename>.log
<System>\<random filename>.dll

The file <random filename>.dll is detected as Troj/PcClien-LO and is registered as a new service named "eltkit".

23. Troj/Prorat-DO is a Trojan for the Windows platform.

When first run, Troj/Prorat-DO attempts to copy itself to <Program Files>\Update\winkey.exe and drops the file winkey.dll to the same folder. This dropped file is detected as Mal/Behav-119.

Troj/Prorat-DO attempts to create a service to run itself automatically on startup.

24. Troj/PcClien-LU is a Trojan for the Windows platform.

Troj/PcClien-LU includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/PcClien-LU is installed the following files are created:

<System>\<random filename>.dll.

This file is detected as Mal/Behav-024 and is registered as a new service with the same name as itself. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\<dllname>

Troj/PcClien-LU also attempts to download files from a remote website.

25. Troj/Zlob-AJB is another variant of the Zlob family of Trojans for Windows

26. W32-AutoRun-CA is a Worm for the Windows platform.

27. Troj/PcClein-LW is a Trojan for Windows

28. W32/Rbot-GWN is a worm for the Windows platform.

When first run W32/Rbot-GWN copies itself to <Windows>\windows\mosadl.exe and creates the following files:

<Startup>\mosadl.exe.lnk
<Windows>\windows\mosad.sys

The file mosad.sys is detected as Mal/Behav-010.

29. Troj/Crypdrop-A is a Trojan for the Windows platform.

Troj/Crypdrop-A claims to be an executable encrypter called "Cryptic v2.3".

Troj/Crypdrop-A includes functionality to access the internet and communicate with a remote server via HTTP.

When run Troj/Crypdrop-A drops the following files:

<System>\Cryptic v2.3 (mod).exe - detected as Troj/Crypdrop-A
<System>\stu.exe - detected as Troj/Crypdrop-A
<System>\dlg.exe - detected as Mal/Emogen-Z
<System>\dlls1.txt - text file, can be deleted
<Windows>\scomdlg32.exe - detected as Mal/Emogen-Z
<Windows>\scomdlg32 - data file, can be deleted.

30. W32/SillyFDC-CC is a Worm for Windows

31. Troj/Dloadr-BJP is a Trojan for the Windows platform.

Troj/Dloadr-BJP includes functionality to download, install and run new software.

32. Troj/Mdrop-BQX is a Trojan dropper for the Windows platform.

Troj/Mdrop-BQX is a Microsoft Word document that typically arrives as an email attachment (the subject and message text of these email messages vary widely).

Troj/Mdrop-BQX attempts to exploit a known vulnerability associated with Microsoft Word (MS06-027) in order to execute shell code when the Word document is opened.

This shell code attempts to drop and run a malicious Windows executable (detected separately).

33. Troj/Mdrop-BQY is a Trojan dropper for the Windows platform.

Troj/Mdrop-BQY is a Microsoft Excel document that typically arrives as an email attachment (the subject and message text of these email messages vary widely).

Troj/Mdrop-BQY attempts to exploit a known vulnerability associated with Microsoft Excel in order to drop and run a malicious Windows executable (detected separately).

34. Troj/Sanji-A is a backdoor Trojan for the Window platform which allows a remote intruder to gain access and control over the computer.

Troj/Sanji-A may be installed by a Trojan such as Troj/Mdrop-BQX. Trojans such as Troj/Mdrop-BQX are Microsoft Office files (PowerPoint, Word, Access or Excel) that typically arrive as email attachments. When the malicious Microsoft Office file is opened it attempts to exploit a vulnerability associated with the handling of the Microsoft Office file format in order to drop and run an executable file.

When Troj/Sanji-A is installed the following files are created:

<Temp>\kb<number>.tmp
<System>\rdpdrv.sys
<System>\msvmjeet\glp.uin

The file rdpdrv.sys is registered as a system driver service

35. Troj/Zlob-AJK is a new variant of the Zlob family of Trojans

36. W32/IRCBot-AAS is a worm with IRC backdoor functionality for the Windows platform.

W32/IRCBot-AAS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/IRCBot-AAS copies itself to <System>\msmsgs.exe.

37. Troj/Agent-GTN is a Trojan for the Windows platform.

When Troj/Agent-GTN is installed the following files are created:

<System>\hrpdcf.bin (harmless data file, can be deleted)
<System>\mp3res.dll (detected as Troj/Agent-GTN)
<System>\xprot.sys (detected as Troj/Agent-GTN)

38. Troj/Agent-GTO is a Trojan for the Windows platform.

Troj/Agent-GTO includes functionality to access the internet and communicate with a remote server via HTTP.

When Troj/Agent-GTO is installed the following file is created (also detected as Troj/Agent-GTO):

<Program Files>\Internet Explorer\setupapi.dll

39. Troj/Agebt-GTP is a spyware Trojan for Windows

40. Troj/Bckdr-QMK is an IRC backdoor Trojan for the Windows platform.

Troj/Bckdr-QMK runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run Troj/Bckdr-QMK copies itself to <System>\msmsgs.exe.

41. Troj/PhpShell-C is a PHP-based backdoor Trojan.

Troj/PhpShell-C is normally found on compromised webservers.

42. Troj/Gamania-BS is a password-stealing Trojan for the Windows platform.

When first run, Troj/Gamania-BS creates the following files:
<Windows>\Debug\<random>.exe
<Windows>\Debug\<random>.dll

(where <random> is a 12-digit hex string)

These files are also detected as Troj/Gamania-BS.

43. W32/Zaap-A is a worm for the Windows platform.

W32/Zaap-A spreads by copying itself to removable drives, with the name protector.exe.

When first run, the worm copies itself to C:\ntkrnl.exe

44. Troj/Banhost-J is a Trojan for the Windows platform.

Troj/Banhost-J modifies the <System>\drivers\etc\hosts file so that attempts to visit certain banking websites will get redirected to a malicious server.

45. Troj/Banhost-K is a Trojan for the Windows platform.

Troj/Banhost-K modifies the <System>\drivers\etc\hosts file so that attempts to visit certain banking websites will get redirected to a malicious server.

46. Troj/DwnLdr-HBU is a Trojan downloader for windows

47. Troj/DwnLdr-HBV is a Trojan downloader for Windows

48. Troj/IRCBot-AAT is a Trojan for Windows that attempts to communicate with a remote server over IRC

49. Troj/Lineag-DJ is a Trojan for Windows

50. Troj.Lineag-DK is a Trojan for Windows

51. Troj/Agent-GTQ is a Trojan for the Windows platform

52. Troj/Bckdr-QML is a Trojan backdoor for Windows.

[Top]

---

Dangerous Applications
Unwanted Freeware

03/16/08

Posted by Dave
5 Star Support Security Specialist

There are always new free add-ons for your browser and free applications for your computer coming out, almost on a daily basis anymore. Trouble is, most of them cause a host of other problems because many contain Adware and/or Spyware of some sort. Sophos UK maintains a list of these and refers to them as Potentially Unwanted Applications or PUA's. Below is a list of the most recent ones released that you need to avoid:

1. Spyware Remover is a an application for the Windows platform. Spyware Remover is known to produce bogus warning to ask user to register.

When Spyware Remover is installed the following files are created:

<Start Menu\Programs>\SpywareRemover\SpywareRemover on the Web.lnk
<Start Menu\Programs>\SpywareRemover\SpywareRemover.lnk
<Start Menu\Programs>\SpywareRemover\Uninstall SpywareRemover.lnk
<Desktop>\SpywareRemover.lnk
<Program Files>\SpywareRemover\DataBase.ref
<Program Files>\SpywareRemover\Launcher.exe
<Program Files>\SpywareRemover\SpyCleaner.dll
<Program Files>\SpywareRemover\SpywareRemover.exe
<Program Files>\SpywareRemover\SpywareRemover.url
<Program Files>\SpywareRemover\license.rtf
<Program Files>\SpywareRemover\tcl.dll
<Program Files>\SpywareRemover\unins000.dat
<Program Files>\SpywareRemover\unins000.exe
<Program Files>\SpywareRemover\zlib.dll
<Windows>\Tasks\SpywareRemover Scheduled Scan.job

2. FakeShareaza is an unwanted program. Adware

3. FakeShareaza MediaBar is a potentially unwanted application for the Windows platform.

When Fake Shareaza MediaBar is installed the following files are created:

<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\ShareazaIEHelper.dll
<Program Files>\Shareaza Applications\Shareaza MediaBar\ShareazaMediaBar.dll
<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza_icons.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\Shareaza_logo.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\Uninstall.exe
<Program Files>\Shareaza Applications\Shareaza MediaBar\Updater.exe
<Program Files>\Shareaza Applications\Shareaza MediaBar\basis.xml
<Program Files>\Shareaza Applications\Shareaza MediaBar\button_arrow.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\historyCombo.html
<Program Files>\Shareaza Applications\Shareaza MediaBar\resizer.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.html
<Program Files>\Shareaza Applications\Shareaza MediaBar\search.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_images.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_maps.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\search_news.bmp
<Program Files>\Shareaza Applications\Shareaza MediaBar\showSettings.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\storesearchcriteria.js
<Program Files>\Shareaza Applications\Shareaza MediaBar\version.txt
<Program Files>\Shareaza Applications\Shareaza MediaBar\web.bmp

4. ForceLibrary is an unwanted program – Adware.

5. SpySheriff is a anti-spyware application for the Windows platform.

Known trial versions of this software use excessive amounts of virtual memory, leading to a reduction in system performance.

6. SpySheriff Downloader is a potentially unwanted application.

SpySheriff Downloader downloads the application SpySheriff Installer from a pre-defined site.

7. Soso AddressBar Search Downloader is a potentially unwanted application – Adware

8. Shutdown Timer is a potentially unwanted application.

Shutdown Timer allows the following actions to occur on the computer:

Log off
Hibernate
Standby
Restart
Shutdown

9. Vapsup is an unwanted program – Adware

10. Mal/Dial-U is a dialer.

When first run Mal/Dial-U copies itself to the Windows system folder.

The following registry entry is created to run Mal/Dial-U on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OpenMstart
<System>\<original dialer filename>

11. Passware Password Recovery is a potentially unwanted application for the Windows platform.

Passware Password Recovery includes functionality to steal passwords saved in Internet Explorer.

12. IRCFast Downloader is a Potentially Unwanted Application for the Windows platform.

IRCFast Downloader attempts to persuade the user to download otherwise free software from the author's servers for an extremely high price. This site has been associated with malware.

13. OneStepSearch is an unwanted program – Adware

[Top]