Threats

Worm - W32.Imsolk.A@mm
W32.Imsolk.A@mm is a worm that spreads itself over mapped or networked drives and through removable devices such as jump drives or USB sticks. It first drops files in the Windows directory: svchost.exe, ff.exe, gc.exe, ie.exe, im.exe, op.exe, pspv.exe, rd.exe, tryme.exe, and one in the windows\system32 folder called SendEmail.exe. Then it tries to copy 2 files, open.exe and a fake autorun.inf, to the root of any mapped, network or jump drives it detects. It also tries to copy itself to other computers within the same LAN workgroup. It makes extensive registry edits so that it starts when the system does and to hinder some user functionality. Most services used by popular antivirus and antimalware applications are also targeted, and the worm will try to stop and cripple them. Finally, it will try to spread itself by hijacking any Outlook address books or Yahoo Messenger contact lists.

MSIL-Elasrofah
Elasrofah is a trojan. When activated, it allows back door access to the infected machine. First it creates files, namely %ProgramFiles%\Internet Explorer\ID.Conf, %ProgramFiles%\Internet Explorer\services.exe, and a randomly named file in %UserProfile%\Application Data\[randomcharacters]\Hacks4Sale installer\1.1.0.0\Update-[randomcharacters].exe. It sets a registry key in the user profile to force it to start when Windows does. It calls its start-up item "microsoft.exe". It also drops a start-up line in the HKLM RUN area. Next, it alters the HOSTS file to redirect traffic, and opens a back door. This trojan monitors network traffic, tries to steal username/logon combinations for everything imaginable, spreads itself over any LAN it can reach, and can even put itself on any CDs or DVDs burned on the infected machine. It can even change your router settings and perform DDoS attacks.

Infostealer - Bzup - B
This is a Trojan horse that tries to steal personal information on the infected system, such as passwords, email accounts, TAN and PIN numbers for banking, and other information.

W32 - Queneethan
Queneethan is a worm. It spreads over network shares and can get past weak passwords. This worm uses rootkit tools. It makes many registry entries to alter Explorer settings. Shortcuts are created and dropped on the user desktop, leading to shady sites. It searches the system for drives other than C:, and when it finds them, copies itself as a hidden folder on the drive, and drops a fake autorun.ini on these drives so that it runs whenever the drive is accessed.

Antivir Solution Pro
Antivir Solution Pro is a fake antivirus package. It blocks attempts to launch EXE files, such as TASKMGR.EXE, MSCONFIG, and other useful EXEs. It also blocks and redirects web traffic by setting itself up as a proxy server, and modifies the HOSTS file for this purpose. A HiJackThis log will show R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643, which should be removed. The infection is profile specific, and drops 2 randomly named files into the Local Settings\Application Data\[random name] folder of the user profile. Internet connectivity is crippled in safe mode. A newly created user is initially unaffected when this rogue is in place.
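Elasrofah and Antivir Solution Pro above both tamper with the HOSTS file, and Antivir Solution Pro additionally points Internet Explorer at a proxy on 127.0.0.1. The following Python script is an added example written for this page, not code from any vendor or from the authors of these threats: it parses a HOSTS file and a WinINET ProxyServer value (the format behind the R1 line quoted above) and reports the kinds of entries those descriptions mention. The protected-domain list and the sample HOSTS text are constructed for the example; a real baseline comes from the vendors actually used in your environment.

```python
"""Triage a Windows HOSTS file and an Internet Settings ProxyServer value for
the traffic-redirection tricks described above (constructed example)."""
import ipaddress

# Domains a defender never expects the HOSTS file to override. Constructed
# list for this example; build the real one from your own AV/update vendors.
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com",
    "symantec.com", "mcafee.com", "kaspersky.com", "avg.com",
)
# The only mappings most systems ship with.
LEGIT_LOCAL = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# RFC 1918 ranges where a local override is plausible; anything else that is
# not loopback is treated as an external redirect.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return (line_number, address, hostname) for every usable HOSTS entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address: skip junk
        for name in parts[1:]:                   # one address may carry aliases
            entries.append((lineno, str(addr), name.lower()))
    return entries


def triage_hosts(text):
    """Return (line_number, hostname, reason) for entries worth a closer look."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in LEGIT_LOCAL:
            continue
        addr = ipaddress.ip_address(ip)
        if name.endswith(PROTECTED_SUFFIXES):
            where = "loopback" if addr.is_loopback else ip
            findings.append((lineno, name, f"security/update domain redirected to {where}"))
        elif not addr.is_loopback and not any(addr in net for net in PRIVATE_NETS):
            findings.append((lineno, name, f"name pinned to external address {ip}"))
    return findings


def loopback_proxies(proxy_server_value):
    """Parse a WinINET ProxyServer value, either 'host:port' or
    'http=host:port;https=host:port', and return the entries that point back
    at the local machine, as the R1 line in the Antivir Solution Pro entry does."""
    hits = []
    for item in proxy_server_value.split(";"):
        item = item.strip()
        if not item:
            continue
        proto, _, hostport = item.partition("=") if "=" in item else ("*", "", item)
        host, _, port = hostport.rpartition(":")
        if not port.isdigit():
            continue
        local = host.lower() == "localhost"
        try:
            local = local or ipaddress.ip_address(host.strip("[]")).is_loopback
        except ValueError:
            pass                                 # a DNS name, not an address
        if local:
            hits.append((proto, host, int(port)))
    return hits


# Constructed HOSTS content modelled on the tampering described above.
SAMPLE_HOSTS = """\
# constructed sample, not a real system's file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.microsoft.com       # blocks patching
203.0.113.5     www.examplebank.invalid    # pharming-style redirect
192.168.1.20    intranet.corp.local        # plausible local override, ignored
"""

if __name__ == "__main__":
    for lineno, name, reason in triage_hosts(SAMPLE_HOSTS):
        print(f"HOSTS line {lineno}: {name}: {reason}")
    print(loopback_proxies("http=127.0.0.1:5643"))
```

Loopback mappings for names outside the protected list are deliberately not reported, since ad-blocking HOSTS files use exactly that pattern; the check is about the vendor and update domains these infections sinkhole, and about a proxy that sends all browser traffic back through a local process.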

W32 - Temphid
Temphid is a worm. It spreads itself using removable drives as a carrier. Once it runs, it creates 2 files in the system driver folder called MRXNET.SYS and MRXCLS.SYS. They may appear to be Realtek drivers, but are not. It sets up MRXCLS.SYS as a system service that starts automatically and sets a registry key for this. When a removable drive is detected, it drops 2 TMP files whose names start with WTR.

W32 - Wapomi-B
Wapomi, a.k.a. W32-Jadtre, is a worm. It spreads itself using a vulnerability in the Microsoft Windows Server Service RPC, over network shares, and via removable drives. It will infect EXE files on the infected system as well. It queries most services called by svchost, and when it finds one that is stopped, it puts a copy of itself in place of the corresponding DLL file and then starts itself. Then, it drops a randomly named .SYS file in the %windows%\drivers folder. The randomly named file gets hooked in as a service by adding a registry key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[random name]. It also modifies the HOSTS file to keep the worm connected to the outside. It runs through the system and infects EXE files it finds, even if encased in a RAR file. It adds itself to removable drives by creating %DriveLetter%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Install.exe and %DriveLetter%\recycle.{645FF040-5081-101B-9F08-00AA002F954E}\autorun.inf.
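Imsolk, Queneethan and Wapomi above all rely on an autorun.inf dropped at the root of a drive, and the same mechanism recurs in several later entries on this page (Aemrant, Expichu, SillyFDC, Custam, Changeup, Ircbrute). The Python script below is an added example written for this page, not code from any vendor or from the worms' authors: it parses an autorun.inf the way a defender triaging a suspect drive would and reports the launch directives and the tell-tale placements those entries describe. The three sample files are constructed; the GUID in the Wapomi-style sample is the one quoted in the Wapomi entry, which is also the shell CLSID of the Recycle Bin.

```python
"""Triage an autorun.inf from a removable drive for the worm patterns described
above (constructed example)."""
import re

# [autorun] keys that make Windows run code when the drive is accessed.
LAUNCH_KEYS = ("open", "shellexecute")
# CLSID of the Recycle Bin shell folder; worms name a folder after it so that
# Explorer shows a harmless-looking recycler instead of the payload directory.
RECYCLE_BIN_CLSID = "{645ff040-5081-101b-9f08-00aa002f954e}"


def parse_autorun(text):
    """Tolerant INI parse: {section: {key: value}} with sections and keys
    lower-cased. A duplicate key keeps the last value, as Windows does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_autorun(text):
    """Return the launch targets and the reasons a defender should look closer."""
    auto = parse_autorun(text).get("autorun", {})
    targets, reasons = [], []
    for key, value in auto.items():
        # open=, shellexecute= and shell\<verb>\command= all launch a program.
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch and value and value not in targets:
            targets.append(value)
    if targets:
        reasons.append("launch directive present: media runs code when accessed")
    for t in targets:
        low = t.lower()
        if RECYCLE_BIN_CLSID in low or low.startswith("recycle"):
            reasons.append(f"target hides in a fake Recycle Bin folder: {t}")
        if re.fullmatch(r"[^\\/]+\.(exe|bat|com|scr|pif|vbs)", low):
            reasons.append(f"executable launched straight from the drive root: {t}")
    if "open folder" in auto.get("action", "").lower():
        reasons.append("AutoPlay action text imitates the normal 'Open folder' choice")
    return {"targets": targets, "reasons": reasons}


# Constructed samples. The first is what a vendor driver disc might carry;
# the second mirrors the Wapomi entry; the third mirrors the Expichu entry.
BENIGN_AUTORUN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Driver Disc\n"
WAPOMI_STYLE_AUTORUN = r"""
; constructed sample modelled on the Wapomi entry above
[AutoRun]
open=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Install.exe
shell\open\command=recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Install.exe
action=Open folder to view files
"""
ROOT_EXE_AUTORUN = "[autorun]\nopen=SysLive.exe\nshellexecute=SysLive.exe\nicon=SysLive.exe,0\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_AUTORUN), ("wapomi-style", WAPOMI_STYLE_AUTORUN),
                          ("root-exe", ROOT_EXE_AUTORUN)):
        print(label, triage_autorun(sample))
```

The parser is deliberately forgiving about case and whitespace because the worms above are not careful about either (Changeup writes the file as aUtOrUn.inf); the triage reports every launch directive rather than trying to decide which ones are benign, since on an unpatched Windows XP autoplay any of them runs on access.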

Trojan - Bamital
Bamital is a trojan horse that, once triggered, downloads other malicious software onto the infected machine. It is a web hijacker as well, affecting Explorer, Safari, Firefox, Chrome and Opera. It will watch and change your search queries and generate pop-up ads. Files associated with this trojan may be found in the %system% folder as some or all of the following: curslib.dll, kbdnet.dll, mscert.dll, msnetlib.dll, rdolib.dll, wincert.dll, and winuid.dll.

DeadEye
DeadEye is a fake performance enhancer application. It promises to increase the performance of your system. It requires the Java runtime, so if it is not already present on the system, it tries to install it for you. It creates multiple registry keys to ensure it runs when Windows starts, and may try to cripple well known antivirus applications that are present. It will also try to disable the firewall. Once active, it will create a hidden but shared folder on the affected system, allowing the machine to be accessed by a remote attacker. It leaves some of its workings in folders it creates as %CommonProgramFiles%\Adobe\Brick\ and %ProgramFiles%\Adobe\Brick\.

W32 - Aemrant
Aemrant is a worm. It uses removable drives, such as USB drives, to spread itself around. It is a malware dropper as well, and will try to infect the system with additional pieces of malware. It will also try to disable security. It hides pieces of itself in the %recycler% folder as apwrtz.exe, ffdshow.exe, desktop.ini and system.exe files. It puts itself in the user profile Startup menu, for whichever user was logged in when the infection was set off. It makes many registry edits in order to hide itself and hinder efforts to remove it. Whenever it encounters a removable drive, it drops the files thumbs.sdb and autorun.inf to set it off whenever that drive is accessed.

Trojan - Pidief
Pidief is a trojan that takes advantage of vulnerabilities in Adobe Reader and Flash Player. It uses these vulnerabilities to download and install other malware on the infected machine. When triggered, it tries to download what looks like a bitmap file but is actually an encrypted file that opens back door access to the system. It creates 4 files: %Windir%\EventSystem.dll, %System%\es.ini, %System%\qmgr.dll and %System%\dllcache\qmgr.dll. The qmgr.dll gets copied to the %system% folder under the name kernel64.dll.

Trojan - Ransomlock
Ransomlock locks down the infected system's desktop. Essentially, it holds the victim's computer for ransom. It drops a SVCHOST.EXE file in the %windir% folder, an INF.EXE file into %program files% under Adobe, and a LOOK.JPG on the root of the system drive. It changes the registry to force the LOOK.JPG to be the wallpaper. This is a "ransom note" and may be in Russian. It renames any TXT, HTM, CHM and JPG files it finds, keeping their original names and appending .KORREKTOR as a file extension. Any time a file it has renamed is opened, the INF.EXE it dropped is triggered, which prompts the victim to buy a "license". It will attempt to open a browser window to make that purchase possible. It makes 3 registry entries to create the association: HKEY_LOCAL_MACHINE\SOFTWARE\"syshelper" = "1", HKEY_CLASSES_ROOT\korrektorfile\DefaultIcon\"(Default)" = "%ProgramFiles%\Adobe Systems,inc\Foto file\INF.exe,0", and HKEY_CLASSES_ROOT\.korrektor\"(Default)" = "korrektorfile".

W32-Expichu
W32-Expichu is a worm. It spreads itself by infecting removable drives, such as flash drives or other USB storage devices. It can overwrite system files and will try to connect the infected system to remote sites. Additionally, it may download other malware and load it on the infected system. It hides itself using randomly generated file names in the %windir%\fonts folder and in the temp directory, using 4 random letters as the file name with .TMP and .FON file extensions. It also drops multiple registry keys to set it off when Windows starts and to trigger alternate behavior when certain files are run or accessed. It will try to alter IE settings and dump other malicious software onto the infected machine, and may disable Windows File Protection. When it copies itself to a drive, it drops a SysLive.exe and a fake AutoRun.inf file in the root of that drive, so that the EXE will run whenever the drive is accessed.

Trojan - GootKit
GootKit is a trojan that opens back door access and steals information from the infected machine. It also downloads other malicious files to run, making it a blended threat. It starts by creating %System%\msxsltsso.dll and setting itself up in the registry to run whenever Windows starts. It uses a key in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ area of the registry. It also adds 2 entries in the HKCR\CLSID structure to register itself as a COM object. Next, it tries to connect to a server to download a customized configuration file, defined by the attacker. It works like part of a botnet, and can go to predefined web locations, send mail, modify an FTP server, control processes and threads, modify the registry, steal FTP and other passwords it sees, and can modify Java and HTML files it encounters. It also likes to download and run other malicious software.

Trojan - Ascesso
Ascesso is a spammer. It sends junk email and also downloads files from other locations on the web. The spam it sends includes a link which, when clicked on, triggers the trojan to download and run. It drops SECUPDAT.DAT into %UserProfile% and %System%, and makes a randomly named EXE file (using letters for the name) in %UserProfile%. This trojan gets into a SVCHOST.EXE process. Once in the process, it puts a .SYS driver file into the %System%\Drivers folder using random letters for the file name. It uses several registry keys in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services to install the .SYS driver it loads. In the end, it attempts to send spam to a variety of popular .com domains such as Google, Yahoo and Microsoft. This trojan is capable of downloading updated configurations sent from its creator.

W32-Yimfoca
W32-Yimfoca is a worm, and spreads itself using links sent via Yahoo! Messenger. Once it runs, it copies itself to the Windows directory as infocard.exe, and also creates mds.sys, mdt.sys and winbrd.jpg. It uses a registry entry to start it when the system starts, which is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Firewall Administrating" = "%Windir%\infocard.exe". It will try to connect to a website that could be disguised to look like a social networking site. This worm will try to disable malware protection and Windows Updates. This worm also acts as a sort of "door holder", meaning it can download new configuration files for itself as well as other malicious content, increasing the likelihood that other malware is present where this worm is found in action. The ultimate goal of the worm seems to be to search for Yahoo Messenger members on the infected system and send messages as those users that contain links to copies of the worm.

Trojan - Holisnif
Holisnif is a trojan horse that tries to steal private information on the infected machine using packet sniffing. It creates a randomly named EXE file that it calls out to in the registry to start when the system starts. The registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sniffer" = "%CurrentFolder%\[RANDOM FILE NAME].exe". The randomly named EXE drops legitimate packet sniffer libraries in the %system% folder as Packet.dll and wpcap.dll, and in the %system%\drivers subfolder also drops npf.sys. It will then try to start these sniffers, which watch any Ethernet traffic for login credentials on the common POP3, SMTP and FTP ports. If it encounters login information, it gathers it and tries to send the keystrokes to a remote server.

Trojan-Peacomm
Trojan-Peacomm is a Trojan infection. It collects personal data and email addresses on the infected system. It may also send email as the infected user, and generally lowers security settings. It copies itself to %windir% as asam.exe, and creates another file there called herjek.config. It sets asam.exe to bypass the firewall using a netsh command line. The registry is modified in the HKLM and HKCU RUN areas, calling out to asam.exe. It will create its own instance of an SMTP server on the infected machine and attempt to send out spam.

W32-Ircbrute
W32-Ircbrute is a worm, spread using access to removable drives. When executed, it opens backdoor access on the infected system. It will create a false desktop.ini file in the %systemdrive%\driver\files\ folder, along with a file labeled DT.EXE. It sets itself up in the registry under HKLM to start on system startup, calling out to DT.EXE. When it sees a removable drive connected, it drops a false autorun.ini along with the false desktop.ini and DT.exe files into its root. It then tries to open TCP ports and connect to IRC servers.

W32-SillyFDC
W32-SillyFDC is a worm. It spreads itself by copying to mapped drives and removable drives. This worm will attempt to compromise security settings and can download files for its use. It creates a host of malicious EXE, BAT, VBS and TXT files in the %system%, %systemdrive% and %windir% areas. It also modifies the registry to make it start when the system does, in the HKLM and HKCU sections. When it infects a new drive, it drops a bogus ntldr.exe file and autorun.inf in its root. The infected system may try to fool the user into sending a malicious link, or cause them to see false warnings that whoever they are chatting with is infected, and prompts to send the malicious link as a solution.

Antivirus 2010 aka Internet Security 2010
This is something we have seen lots of recently. This malware pretends to be legitimate antivirus software, but basically holds parts of your system for ransom until you pay them for software that not only does not work, but also seriously compromises your control of the system. Symptoms include constant warning messages of infection, the inability to launch basic system tools like taskmgr.exe or cmd.exe, restrictive policy implementation, and finding yourself frequently redirected to the IS2010 web site to purchase the software. While taskmgr.exe will not run, 2 processes named IS2010.EXE and SMSS32.EXE will be running. There will also be files in the %System%\system32\ folder bearing the same names. Regedit will also not likely run, but the following registry keys are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-internet-security10.com]

[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-internet-security10.com]

[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-soft-download.com]

[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com]

Other registry modifications are made to prevent the user from undoing the changes made. While many important, basic tools that could be used are disabled by this threat, changing the names of the executables needed to combat it works effectively. For instance, renaming a copy of taskmgr.exe to dog.exe will allow Task Manager to run, which in turn lets you at least kill the processes so that you may begin to clear out the problem. The same principle can be used to call up other system tools, facilitating a manual removal.

W32-Winemmem
W32-Winemmem is a virus that opens a backdoor on the infected machine. It modifies self-extracting archives, installers and packages. When actively infecting a system, it hooks the CreateFileA() API. Whenever an infected file is called, it opens backdoor access for a variety of activity on the infected machine.

JavaScript-Downloader-BNL
This is a trojan associated with variants of the FakeAlert-BY fake antivirus ransomware. This trojan will try to download the necessary components to install fake AV style ransomware and possibly other pieces of malware. This trojan can be triggered by simply browsing websites where it has been hosted.

W32-Difupat
W32.Difupat is a virus that infects any EXE files it finds in the Program Files folders. Once the virus runs, it drops an executable RAR file in %System% named reinstall.exe. It then replaces the existing IEXPLORE.EXE with a copy of its own version, using the same name IEXPLORE.EXE. Registry keys are altered to make the virus run whenever the system starts under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\notify\getpass\, and it loads FUNCTION.DLL and PSERVER.EXE into memory. It also creates a mutex to prevent more than one instance from running on the infected machine.

Worm - W32 Custam
Custam is a worm that uses removable USB media, such as jump drives and external hard drives, to spread itself. It creates randomly named folders on the %SystemDrive% and drops a registry subkey under HKLM as an installed component. Once active, it tries to connect to IRC servers for instructions and opens a back door. It drops autorun.inf files along with randomly named EXE and INI files to any drive connected via USB.

InfoStealer - Banker
Banker, a.k.a. BankerG, is a Trojan that tries to steal information from the infected system. It creates two files in the %system% folder, and tries to cripple Windows file protection in order to modify actual system files. It creates a DLL in the %system% folder it uses to launch itself on system start up. It may also try to connect to external sites using HTTP POST commands. The Trojan's mission is to steal financial information it finds in the infected system.

Trojan - Mozipowp
Mozipowp changes web browser settings in order to display advertising content. It copies itself to %UserProfile%\Application Data\SystemProc\lsass.exe. It will also create what seem to be Firefox-specific files in the %ProgramFiles%\Mozilla Firefox\extensions\[UNIQUE USER ID] area called chrome.manifest, install.rdf, and chrome\content\timer.xul. It adds several registry keys to HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ to cause it to start on system start. The keys are labeled with random characters, not necessarily ASCII, and should appear obvious. It also sets values in HKEY_CURRENT_USER\Identities\ in order to track itself. It redirects browser traffic when the user tries to visit web sites in Firefox if the URL contains common keywords, names of popular social networking sites like MySpace, or the names of popular search engines such as Google, Bing, and Yahoo. It adds code to explorer.exe to connect to sites in an attempt to update itself. It will monitor other browsers but may only affect the use of Firefox.

Trojan - Arugizer
Arugizer opens backdoor access on the compromised computer. First it creates the file C:\WINDOWS\system32\Arucer.dll and sets itself to run automatically via the registry, using the key HKLM\Software\Microsoft\CurrentVersion\Run\"Arucer" = "rundll32 C:\Windows\System32\Arucer.dll,Arucer". It then pokes a hole into port 7777 to let the remote attacker download and execute files, delete files, upload files to another host, and send a listing of all files on the system to the attacker. It also adds a registry key in the RunOnce area of HKLM labeled with a random trojan related value.

PCDefender
PCDefender is ransomware. It is fake antivirus software that gives false and/or exaggerated infection reports on the infected system. The user is fooled into accidentally installing it. Once it runs, it creates

C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender

C:\Program Files\Def Group

C:\Program Files\Def Group\PC Defender

C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}

It also hides pieces of itself in C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\ as ZIP files, and also in the C:\Windows\Prefetch\ and C:\Windows\Installer folders using letter-number strings for EXE and PF files. It might try to delete the C:\config.msi folder, along with C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_a2c.dat and C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1237843074jtun_allbb0317.x00.seg1.zip. It makes several registry modifications so it will start when the system does, and also makes about 20 other HKEY_USERS entries. It makes dozens of other registry edits as well.

Saluni
Saluni is an information stealer. Its function is to try to retrieve personal information on the infected system and send it to the attacker. In particular, it tries to steal password and login information from browsers such as Internet Explorer and Firefox, from sites including PayPal, Google, MSN and Steam, and also from IM applications like Pidgin, Trillian and Yahoo. It saves the information it retrieves in DAT files in the %temp% directory called keylog.dat and pass.dat, then tries to send the files to an FTP site. You may notice it present via a generic looking system error message reading "error - Run-time error 429". Blue screen of death is common with this infection. The remote attacker can use the infection to download configurable files to the infected system. It appears to be profile specific, and loads the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"default" = "%System%\kernel.exe" to start when the system starts. Logging in as an alternate user may prevent it from loading.

Kneber botnet
Kneber botnet, as reported on http://www.msnbc.com on the 18th, has managed to infect approximately 75,000 systems in about 2,500 organizations around the world. Its goal is to steal login information about financial and social networking sites on the infected system. It harvests Yahoo, Hotmail, Facebook, corporate login credentials, email logins, and a variety of other such credentials. Over half the machines infected with Kneber were also infected with Waledac, a peer to peer botnet. The infection is named for the username that links the botnet together, and is delivered via a Zeus Trojan variant. More info to come as this latest threat develops.

Changeup.B
Changeup.B is a worm, spreading itself using removable drives. It tries to steal personal information it finds on the infected system. When it runs, it creates a copy of itself as %SystemDrive%\VIDI\UNUK\DRG.exe and creates an INI file as %SystemDrive%\VIDI\UNUK\DesKTop.ini. It creates a registry key to start itself when the system starts under HKLM\Software\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}\"StubPath" = "%SystemDrive%\VIDI\UNUK\DRG.exe". Next, it downloads 3 files from ogard6.ircdevils.net, acc008.homeip.net and acc7hr33.webhop.biz, which can update the worm. It spreads itself by copying the DRG.EXE and Desktop.ini files to %DriveLetter%\VIDI\UNUK\ and uses an INF file labeled aUtOrUn.inf to auto-start.

Pykspa.F
Pykspa.F is a worm that spreads through Skype instant messenger. It also spreads via removable and mapped drives. It sends random text messages with up to 200 different greetings in multiple languages. The generated message includes a URL that points to a Once active on your system, it attempts to send personal information it finds to a remote location. When it runs, it copies itself as randomly named DLLs and EXEs in the folder it lands in, the %System% folder, the %temp% folder, and the %UserProfile%\Application Data folder of the logged in user. It adds registry keys to HKLM\Microsoft\windows\CurrentVersion\Run so it will start when the system does, using the randomly named EXEs it created at launch. It also initiates policy restrictions, so items like taskmgr.exe may not launch. It will disable known registry tools as well as lower system security settings and cripple safe mode. If it detects an antivirus program it knows, it tries to run its uninstaller. When it spreads itself to mapped or removable drives, it creates an autorun.inf and a randomly named BAT file in order to spread itself any time the drive is accessed.

FakeAlert IS2010 aka Internet Security 2010
IS2010, aka Internet Security 2010, is something we have seen lots of at ZolexPC recently. This malicious program pretends to be legitimate antivirus software, but basically holds important parts of your system for ransom until you pay them for software that not only does not work, but also seriously compromises your control of the system. Symptoms include constant warning messages of infection, the inability to launch basic system tools like taskmgr.exe or cmd.exe, restrictive policy implementation, and finding yourself frequently redirected to the IS2010 web site to purchase the software. While taskmgr.exe will not run, 2 processes named IS2010.EXE and SMSS32.EXE will be running. There will also be files in the %System%\system32\ folder bearing the same names. Regedit will also not likely run, but the following registry keys are created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-internet-security10.com]

[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-internet-security10.com]

[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-soft-download.com]

[HKEY_USERS\S-1-(varies)\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com]

Other registry modifications are made to prevent the user from undoing the changes made. While many important, basic tools that could be used are disabled by this threat, changing the names of the executables needed to combat it works effectively. For instance, renaming a copy of taskmgr.exe to dog.exe will allow Task Manager to run, which in turn lets you at least kill the processes so that you may begin to clear out the problem. The same principle can be used to call up other system tools, facilitating a manual removal.

Owlforce
Owlforce is adware, and its goal is to flood you with advertisements. It monitors your browsing behavior and reports it back to Owlforce’s web site in order to feed you targeted advertising, generally in the form of annoying pop-ups. It seems to like FireFox, as it creates files specific for it, as well as other files, as follows: %ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\chrome\content\OFoxb.xul

%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\chrome.manifest

%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\components\IFoxB.xpt

%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\components\OFoxB.dll

%ProgramFiles%\Mozilla Firefox\extensions\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}\install.rdf

%ProgramFiles%\Ofb1\Ofb1.dll

%ProgramFiles%\Ofb1\sites.ini

%ProgramFiles%\Ofb1\Uninstall.exe

It also creates these registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E1500AC-87A5-416b-A211-82E848649DA9}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7467507-DD40-4123-BE49-7B7DF5DB80C6}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9504AE8F-1019-4258-A047-C04CCC5301E6}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C1BC108B-B3EF-4E18-8EE6-CF3C381E3783}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ofb1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ofb1.1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E1500AC-87A5-416b-A211-82E848649DA9}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3E1500AC-87A5-416B-A211-82E848649DA9}

This adware is Trojan-like and is manually installed. It may come bundled with free screen saver applications or other freeware.

Sasfis
A Trojan horse, Sasfis is a malicious downloader. It can also execute files. It creates a TMP file at %Temp%\1.tmp. It adds a key to the registry: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\"AccessVBOM" = "1" and the subkey HKEY_CLASSES_ROOT\idid. It sets itself to run whenever Windows starts by creating the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = " Explorer.exe rundll32.exe %System%\[RANDOMLY NAMED FILE] [5 OR 6 RANDOM CHARACTERS]". It will run MS Word, if installed, and execute a VBA script to load and run the %Temp%\1.tmp file. It attaches itself to an instance of the svchost process and deletes the original executable. A randomly named DLL file, with 4 random letters for the file name and a random 3 letter extension, gets created in the %System% folder. Once it is set up, it attempts to connect to an HTTP address, typically using port 90. If it succeeds, it then begins downloading and running other malicious content.

Spyeye
Spyeye is a Trojan that attempts to mine information from the infected system. It opens a backdoor for remote access. When it executes, it creates a configuration file at %SystemDrive%\cleansweep.exe\config.bin, which is a compressed and encrypted file. It also creates a decryption file at %SystemDrive%\cleansweep.exe\cleansweep.exe. It loads itself in the registry to run when Windows starts under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"cleansweep.exe" = "%SystemDrive%\cleansweep.exe\cleansweep.exe", so the infection may be user profile specific. This Trojan also attaches to running system processes to capture network traffic and send/receive data around the firewall. It may work as a rootkit, hiding its own processes, and possibly implements restrictive permissions policies. It steals information from the Internet Explorer and Firefox browsers. The attacker may also execute code remotely, download and run files, log keystrokes and modify the infection.

W32.Arbormen
This virus injects malicious code into files with the extensions .EXE and .SCR. It first tries to infect any process with the word "explorer" in its name and any process with "TibiaClient". It seeks out files to infect along these paths - %Windir%

%UserProfile%\Application Data

%UserProfile%\Movie Maker

%UserProfile%\Local Settings\Application Data

%ProgramFiles%\Internet Explorer

%ProgramFiles%\Outlook Express

%ProgramFiles%\MSN Gaming Zone

%ProgramFiles%\NetMeeting

%ProgramFiles%\Windows Media Player

%ProgramFiles%\Windows NT

%ProgramFiles%\Windows Update

%ProgramFiles%\Common Files

It also tries to download other malicious code and/or files as well as send out information on the infected system.

Ircbrute
A worm, Ircbrute spreads itself using removable drives, such as USB flash drives, camera cards and other removable media. Once active on the system, it opens a back door for the attacker. It creates 2 files, %SystemDrive%\RESTORE\[SID]\Desktop.ini and %SystemDrive%\RESTORE\[SID]\ise32.exe. It sets itself up to run at windows startup using the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C967120}\"StubPath" = "%SystemDrive%\RESTORE\[SID]\ise32.exe". It also creates an autorun.inf file on te root of drives, so that it will run when the drive is accessed. It tries to connect to an IRC server using port 9890.

Backdoor.Bapkri
This is a general detection for DLL files that try to avoid detection by encryption and open a back door to the affected machine. This detection tells you a malicious DLL is encoding data in an effort to conceal the back door and/or its related activities. Any file with this detection may be considered malicious.

Backdoor.Revird
This Trojan not only opens a back door but also tries to steal personal information from the affected machine. When it is activated, it creates files in the %System% folder called nwwwks.dll, rdisk.dll, skeys.dll, SvcHost.DLL.exe and SvcHost.DLL.log. It also makes a folder %SystemDrive%\drivers\own\ and starts %System%\nwwwsk.dll as a new service, disguised as a gateway service for NetWare. It adds a registry key as part of service creation, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWCworkstation, and gathers information about the system it has infected. It then gathers all .DOC, .PDF, .PPT, .RAR and .ZIP files into the folder it created, %SystemDrive%\drivers\own, and copies them to a remote location.

Trojan.Avalanec
This Trojan opens a back door on the affected system, allowing remote access. Once activated, it copies itself to %System%\sysservice.exe and creates a configuration file called %System%\sysservice.dll. It adds a registry key so that it will start whenever Windows starts. That key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Startup Manager" = "%System%\sysservice.exe". It adds itself to the Windows Firewall allow list using the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\sysservice.exe" = "%System%\sysservice.exe:*:Enabled:DNS client". It then tries to connect to remote sites to download configuration updates, and allows the remote attacker into the system to execute commands.

Bloodhound.Exploit.30x
This detection relates to files that are attempting to use known vulnerabilities in Microsoft Excel installations. Vulnerabilities include a field parsing remote code execution weakness, a malformed BIFF remote code execution weakness and a 'FEATHEADER' record remote code execution weakness. Files showing this heuristic can be assumed to be malicious.

AdShortcuts
A potentially unwanted program, AdShortcuts redirects web page traffic to a series of sites other than the one you wanted, before finally allowing you to go where you intended to browse. Usually it is bundled in with installers from some "free" applications.

Trojan.Tdlload
This Trojan horse modifies legitimate system files. The modifications allow it to install malicious content on the affected machine. This trojan can damage Windows systems up to Vista, as well as some servers, such as Windows Server 2003.

OSX.Loosemaque
This Trojan horse pretends to be a video game. However, it deletes files from the home folder while you play it. When launched, you get what looks like the old-school game Galaxa, and each time you destroy an enemy, a file or folder in the user's home folder gets deleted. When you finally die, the Trojan sends your score to a remote location and deletes itself.

W32.Akannuna
This virus infects EXE files. Once executed, it will infect any EXE files in the folder where it resides.

W32.SillyFDC.BDD
This is a worm that spreads itself using removable drives. It creates a registry entry to let it run when Windows starts, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987892}\"StubPath" = "%SystemDrive%\RECYCLER\[SID]\TsGh.exe", and hides desktop.ini and TsGh.exe files in the %SystemDrive%\RECYCLER\ folder, which it copies to any connected removable drive. It will drop an autorun.inf file on removable drives it manages to infect.

Backdoor.Pfinet
A Trojan horse, Backdoor.Pfinet opens back door access to the affected machine and might try to gather personal information. A device driver called %SystemDrive%\temp\acpimem32.sys is dropped on the machine, and it drops 2 log files labeled windbg.dat and windbg2.dat in the same folder. A service labeled usblink is started by the driver file. If you find a file in the Temp directory labeled fixdata.dat, then it has succeeded in creating a virtual disk image, and it hides uninstall information.

Trojan.Whitewell
A Trojan horse program, Whitewell opens a back door connection on the affected machine. It can also get its configuration information from social networking sites such as Facebook. It drops an EXE file called runinfo.exe into the %Temp% directory. It tries to disguise itself as a McAfee component in the registry, dropping the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"MCAFEEIPS" = "%UserProfile%\local settings\temp\setup.exe".

Trojan.Bredolab!genX
This group of Trojan signatures means the file in question has been tampered with to avoid detection by antivirus engines.

Infostealer.Banker.F
This is a Trojan horse, meaning it tries to fool you into running it. It attempts to steal personal information from the affected machine, and can be part of a combined threat, put in place by another piece of spyware. It patches the iexplore.exe process in order to monitor network traffic, gathers any personal information it can, and tries to send it to a remote location.

Spyware.AoboKeyLogger
This spyware attempts to steal information from the affected machine via keylogging. It can also store passwords and take screen shots, and runs in a stealth mode. It sends the captured information to a pre-set FTP site or email address.

W32.Kasticyz
This virus infects EXE files at random, including anything accessible via network share and removable drives. Its goal is simply to spread itself.

Downloader.Ergrun
A Trojan horse, Downloader.Ergrun can download other items to your machine. It creates a fake svchost.exe in the %Temp% directory and sets itself to start whenever Windows does.

W32.Exkowen
This virus attaches itself to EXE files on the infected system. It can bring in other malware, and spreads via any connected drives on the infected system, including removable drives.

Trojan.Ransomlock.C
This incredibly annoying Trojan horse locks down the infected system, making it totally unusable. It prompts the victim to purchase a license in order to regain access to the computer. It changes the file attributes of explorer.exe, regedit.exe, cmd.exe and taskmgr.exe to hidden, system and read-only. It also deletes registry keys related to safe mode, effectively disabling it. The key for disabling the error message is 13616, and is hard coded into the Trojan.

Trojan.Zbot!gen1
This is a heuristic detection, indicating the file in question was compressed or otherwise disguised in order to avoid detection. It is a good indication of other infections on the affected system.

Trojan.Pandex!gen1
This is a heuristic detection for variants of the Trojan.Pandex infection, which generates spam and attempts to mine email addresses from the infected system.

Trojan.FakeAV!gen2
This detection indicates a file signature that shows the file has been encrypted or compacted in order to hide it from anti-virus detections. It indicates the likely presence of other infections.

Trojan.Kissderfrom
Kissderfrom is a trojan horse that attempts to steal personal information from the infected system. It may also open a back door and allow remote commands to be executed.

W32.Pilleuz
A worm, Pilleuz spreads itself using file sharing programs, instant messaging clients by Microsoft, and removable drives. It also may open a back door allowing remote commands to be executed on the infected system.

Infostealer.Bzup.B
This is a Trojan horse that tries to steal personal information on the infected system, such as passwords, email accounts, TAN and PIN numbers for banking, and other information.

VBS.Invadesys.B
A worm that copies itself to all drives on the infected system. It embeds itself into the legitimate explorer.exe and smss.exe files, compromising the integrity of the operating system.

AntiVirus2010
This is a misleading application we like to call Ransom-Ware. It infects your system and gives lots of false and super-exaggerated infection reports.

W32.Lafee
A virus that infects EXE and SCR files and may connect to an external web address to download additional malicious content.

Trojan.Opachki
This Trojan horse injects HTML code into web pages, leading to a malicious URL.

Packed.Generic.254
A heuristic detection, this means that files may have been encrypted or otherwise spoofed to conceal them from antivirus software.

Downloader.Kuaiput
A Trojan horse, this infection downloads and executes malicious code from an FTP site.

W32.Perz
This worm spreads through file sharing networks. It is unclear what the worm does at this time, but if you use file sharing applications, you are vulnerable.

SillyFDC Variants
This worm family spreads itself through removable and shared drives, such as jump drives. It installs itself on the infected system so that it can infect newly connected drives, and adds itself to each removable drive it finds.

Sopiclick
A Trojan Horse, Sopiclick can manipulate certain web statistics and download files on the infected system. Payloads may vary.

Fnumbot
Another removable drive worm, Fnumbot also opens back doors on the infected computer that others can use to access the infected system.

WindowsAntivirusPro
A misleading application we like to call Ransom-Ware. This alleged antivirus package gives false and exaggerated reports. The trial version also nags with pop-ups until purchased.

Trojan.Fsearch
A Trojan application that modifies search results when searching the web. It redirects any search queries to alternate domains, and affects both Internet Explorer and Firefox.

W32.Stealsmth
Another information stealer, W32.Stealsmth infects files and attempts to steal personal information from the affected system.

Spyware.WinSupervisor
WinSupervisor is a spyware application that records the activities of users on the affected system. When programs open, this application takes a screenshot of your desktop and logs all keystrokes. It saves this information to a report that can be sent to a predetermined email address for review.

NortelAntivirus
A misleading application, this "antivirus" program gives exaggerated reports of threats on the affected machine.

AsteriskLogger
This is a potentially unwanted program. It reveals passwords that are typed in that otherwise would be masked by a dot or asterisk in standard login text boxes.

Infostealer.Ebod
This is a Trojan that attempts to steal personal information from the affected machine. The information may include logins, passwords, banking information and the like.

VBS.Runauto.G
This is a worm that opens back doors on the infected computer. It spreads itself via network shares and removable drives.

JS.Frienren
This worm spreads through social networking sites. It spreads itself by sending this message to all members of the infected user's Renren friend list:
Subject: Pink Floyd - Wish You Were Here
Body: Wish You Were Here @ 2016
Summary: [http://]o.99081.com/xnxss/[REMOVED]

Packed.Generic.X
This is a heuristic set that indicates a file that may have been modified to hide it from anti-virus detection.

Trojan.Fakeavalert!Gen
This family of Trojans pretends to be an antivirus alert. This is sometimes referred to as ransom-ware. It plagues the infected system with pop-up ads and malware.

Adware.DoubleD
This is adware. It poses as a smiley toolbar and causes random ads to appear on the infected system.

W32.Feberr
This is a virus that infects executable files on the affected system, and tries to download more malicious content to the affected system. Discovered August 2009

W32.SillyFDC.BCT
This is a worm that spreads through removable drives and can download files on the affected system. Discovered August 2009

Hacktool.PstorRevealer
This is a hacker tool that tries to collect stored passwords on your system. Discovered August 2009

W32.Stiraut
This is a worm that spreads via use of removable drives, and opens a back door on the affected system. It attempts to send messages to random users on social networking sites. Discovered August 2009

W32.Trats.B
This worm and its variants spread by use of removable drives, like flash drives, and also by sending instant messages with links to copies of itself. It also attaches itself to executables and tries to download items on the affected system. Discovered August 2009

W32.Screentief
This is a worm that spreads itself around via removable drives, such as flash drives. It can also take screen shots of whatever is on your screen and tries to send these to the attacker. Discovered August 2009

Downloader.Sninfs
This is a trojan horse that can download other malicious content on the affected PC. One of the associated pieces is called Infostealer.Bancos, a piece of spyware. Discovered August 2009

Koobface worm
Koobface and its variants spread through social networking sites such as Facebook and MySpace. They report confidential information they find, such as saved user name and password info on your system, to remote locations.

Downadup/Conficker worm
The first version of this worm has been known since December 2008. It now has more than 300 variants. More information can be found in the Virus Lab Blog. January 22, 2009

I-Worm/Nuwar
The propagation method of the new Nuwar variant is still similar to that of its predecessors. Spammed emails with a link in IP-address format direct users to the worm's web pages, where they are prompted to download one of the worm files, named funny.exe. The other downloadable files are named kickme.exe and foolsday.exe. AVG detects this threat as I-Worm/Nuwar.R. March 31, 2008

I-Worm/Nuwar
The new Nuwar variant's spreading method is similar to last month's Nuwar.L propagation. The spammed emails are brief and contain a link in IP-address format to currently active pages hosting the worm. The compromised page code has changed, and as a result the user is prompted to download a file containing the worm. The downloaded file is named valentine.exe, is about 110 - 130kB in size and is detected by AVG as I-Worm/Nuwar.N. February 14, 2008

I-Worm/Nuwar
We have a new wave of spammed mail messages containing a link directing users to a website where the worm can be downloaded. The emails contain a short text and the IP address of currently active pages hosting the worm. In this case the downloaded file is named withlove.exe and is about 115kB in size. The websites and worm files change every few minutes. AVG detects withlove.exe as I-Worm/Nuwar.L. February 14, 2008

Win32/Mabezat.A
In the last few days we have registered a larger number of PE files infected by this virus. Win32/Mabezat is a polymorphic file infector which infects PE files. More information can be found in our Virus Encyclopedia. November 14, 2007

Downloader.Tibs
A new Downloader.Tibs variant is spreading today thanks to massive spamming. The infected emails contain an attachment about 130-140kB in size, usually named happy2008.exe, which is the Trojan horse itself. There are also emails with links directing users to malicious web pages. The files are already detected as Downloader.Tibs. February 14, 2008

Trojan Downloader.Agent.UZM
A new Trojan downloader was spammed today. The Trojan is attached in a zip archive to emails in HTML format with the subject "Hot game" and body text that claims to offer an Angelina Jolie or Lara Croft undressing game. The xgame.zip attachment contains xgame.exe (20992B), which drops, executes and deletes the kernel driver C:\WINDOWS\System32\drivers\runtime.sys and downloads another downloader, smartdrv.exe. runtime.sys runs an Iexplore.exe process, injects into it and hides it, and downloads further components. xgame.exe is detected as Trojan Downloader.Agent.UZM, smartdrv.exe is detected as Trojan Downloader.Agent.UZN, runtime.sys is detected as Trojan Downloader.Agent.THW and the other downloaded components are detected as several variants of Trojan Backdoor.Ntrootkit. November 10, 2007

I-Worm/Stration downloader
The next Stration downloader variant spreads by email in messages with a randomly generated subject and body and two attachments. The PDF attachment is harmless, but the EXE attachment, which is 18708B long, is the downloader itself, and AVG detects it as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia. November 5, 2007

I-Worm/Stration downloader
The latest Stration downloader spreads by email in messages with a randomly generated subject and body, with one EXE and one PDF file attached. The EXE file is 20992B in size and is the downloader itself; it is detected by AVG as I-Worm/Stration.FJA. The file the downloader tries to download is already detected as I-Worm/Stration. More information about the Stration worm family can be found in the Virus Encyclopedia. November 1, 2007