Virus Alert: Worm Sends Mail, Infects Executable Files

cj writes "An Internet worm reported Monday by antivirus software vendor Sophos attempts to email itself to addresses taken from a variety of sources on the local machine.
W32/Nofer-A also will try to infect executable files. W32/Nofer-A will copy itself to svchost.exe and to a randomly named executable file in the Windows folder. It creates a registry entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run that points to the randomly named executable file to ensure the worm is run at system startup. W32/Nofer-A also will attempt to spread using peer-to-peer networks.
Find out how to remove the worm at this Sophos page.
BackDoor-AVF Trojan Opens Port and Loads Itself at System Start-up
This is detection for a Trojan that opens port TCP 80 (HTTP) on the victim machine. Incoming requests on that port are redirected to a Web site on the Internet. After execution, the Trojan copies itself as SYS64.EXE into %WINDIR%\SYSTEM32. The worm creates a registry run key to load itself at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run Tuneling = SYS64.EXE
It runs an HTTP server on TCP port 80 and redirects incoming requests to http://promin.*OMITTED*.gs. On start, it also sends a notification containing information about the victim to the IP address 66.220.17.33. Find out more at this Network Associates page.
Worm Ends Security Software Processes and Runs Icon
Danvee is a worm that checks if a series of processes belonging to antivirus and security programs are active in the affected computer and ends them if they are. By doing this, certain applications will temporarily stop working.
Danvee spreads rapidly via e-mail in a message that is very easy to recognize, as it always includes an attached file called CROCK.EXE, and has an icon that can be viewed at this Panda Software page.
Trojan Creates Files
W32/Mooder is one of multiple minor variants of the W32/Mooder Trojan. The malicious mooder.exe variants have a file size of 8192 bytes. It may create the files called:
c:\windows\mood.exe
c:\windows\supertoy.exe
c:\windows\mood.bat
c:\windows\mood.cmd
c:\windows\mood.vbs
c:\windows\mood.htm
When run, it runs as a console application (command box). It tries to overwrite files with .exe .bat .cmd .js .vbs .htm extensions. Find out more at this McAfee page.
Trojan Tries to Create Malicious .exe Files
The Salvia Trojan driver was added to cover for a malicious file, salvia.exe, with a file size of 122.880 bytes. It's created using Borland C++.
When run, it may try to create:
c:\windows\system\salvia.exe
c:\windows\system\crack.exe
c:\crack.exe
c:\windows\_salvia.txt
It tries to delete *.exe, *.com, *.dll from c:\windows\%system. Read more at this McAfee page.
Nowar Trojan Displays Message Box
The driver for the Nowar Trojan is to cover for a malicious file called nowar.exe. There are two minor variants, with file sizes of 7.680 and 24576 bytes.
When run, Nowar displays a message box on the screen. View it and other information at this McAfee page.
Three Trojans Act as Covers for Malicious Files
The entry for QDel391 was added to cover for a malicious file called intrenet.exe, with a file size of 17,408 bytes. The file is internally compressed with Aspack.
When run, no GUI message boxes appear; it runs silently. It may drop the file intrenet.exe in the windows\%system folder and create a registry entry under:
...\Microsoft\Windows\CurrentVersion\Run intrenet
It may also change the Internet Explorer startup page; however, McAfee is purposely omitting the exact address here. During testing, no file system changes were encountered, the vendor reports.
Source: Internet News
"
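Several of the alerts above rely on the same persistence mechanism, a value under the CurrentVersion\Run key. The following triage sketch is an added example, not code from Sophos, McAfee, Network Associates or the original post; the `reg query` output is a constructed sample, the function names are hypothetical, and the three heuristics are assumptions that produce leads for review rather than verdicts.

```python
import ntpath
import re

# File names the alerts above tie to Run-key persistence.
ALERT_FILES = {"sys64.exe": "BackDoor-AVF", "intrenet.exe": "QDel391"}

# Constructed sample of `reg query` output, not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Tuneling    REG_SZ    SYS64.EXE
    intrenet    REG_SZ    C:\WINDOWS\system\intrenet.exe
    kqzvbx    REG_SZ    C:\WINDOWS\kqzvbx.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
"""

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}REG_(?:EXPAND_)?SZ\s{2,}(?P<data>.+)$")
WINDOWS_ROOT = re.compile(r"(?:[a-z]:\\windows|%windir%|%systemroot%)", re.I)

def command_path(data):
    """Return the executable part of a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|vbs))\b", data, re.I)
    return m.group(1) if m else data

def triage(reg_output):
    """Return (value name, path, reasons) for Run values worth a closer look."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        path = command_path(m.group("data"))
        folder, exe = ntpath.split(path)
        reasons = []
        if exe.lower() in ALERT_FILES:
            reasons.append("file name from " + ALERT_FILES[exe.lower()] + " alert")
        if not folder:
            # Matches the bare "Tuneling = SYS64.EXE" style of entry.
            reasons.append("no directory given")
        elif WINDOWS_ROOT.fullmatch(folder):
            # Matches a randomly named executable dropped in the Windows folder.
            reasons.append("executable directly in Windows folder")
        if reasons:
            findings.append((m.group("name"), path, reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```
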