Wednesday, 23 July 2014

Latest Computer Viruses Vol. 3L – Qresolve online Virus Encyclopedia


Continued from our last post — Virus Encyclopedia vol.3K

In the last volume, we talked about exploits and Trojans and how they can compromise your PC's performance. In this volume we continue providing useful information about exploits and Trojans that not only degrade your computer's performance but also trick you into spending money on fake antivirus licenses.


1. Exploit.SinaDLoader.B


Introduction
Discovered by Daniel Chipiristeanu, a well-known virus researcher, on 3rd September 2008, Exploit.SinaDLoader.B is a medium-intensity malware that spreads at a medium rate and has a medium damaging impact on your computer. This malware is hosted on different websites and can therefore make inroads into your computer through different channels.

Symptoms

This malware produces very few noticeable symptoms, so detecting it is often a bit difficult. However, because it is hosted on various malicious websites, it can easily get executed on your system.

Technical Description:

This exploit follows a newer trend in infecting computers: it tries a number of exploits in turn, and if one of them does not work, it moves on to the next.
Snapshot Viewer Control.1, DownloadAndInstall, Adodb.Stream, ShockwaveFlash.ShockwaveFlash.9, UUUpgrade ActiveX Control module, RealPlayer, Baidu Search Bar and Xunlei Thunder are the major exploits that Exploit.SinaDLoader.B uses to infect PCs. All of these exploits are actually the same file with varying descriptions. It is a small downloader (1900 bytes) packed with FSG, and it downloads the file 5640ghi?.com/max1.exe. So before the "final" malware is downloaded, a long chain of scripts and executables has to be downloaded first, which is why this malware usually does not spread very fast. It is dangerous to your computer all the same, so keep your antivirus updated to fight Exploit.SinaDLoader.B.

2. Trojan.HTML.IFrame.F

Introduction

Discovered by virus researcher Daniel Chipiristeanu on 3rd September 2008, Trojan.HTML.IFrame.F is a medium-intensity malware. It spreads at a medium rate and has a medium damaging impact on your computer. It is basically an iFrame inserted into the code of otherwise clean web pages.

Symptoms

This malware gives no warning symptoms; clear symptoms appear only after your computer has been fully compromised. Hence it is very difficult to know of its presence beforehand, and it can only be fixed after it has already done some degree of damage to your system.

Technical Description

It is just an invisible iFrame that resides hidden inside the code of clean web pages. These iFrames are placed at the end of the initially clean HTML code, and the iFrame redirects visitors to another infected website. The details of this malicious site are given below:
  • Domain Name: orentraff.cn
  • ROID: 20071002s10001s83561693-cn
  • Domain Status: ok
  • Registrant Organization: NizovGrisha
  • Registrant Name: NizovGrisha
  • Administrative Email: [blocked]
  • Name Server: ns1.everydns.net
  • Name Server: ns2.everydns.net
  • Registration Date: 2007-10-02 05:14
  • Expiration Date: 2008-10-02 05:14
This site has an adult title and hosts 9 adult pictures. It also hosts a couple of malware infection campaigns, including rogue antivirus software that is basically a set of XP Antivirus variants. The list includes Trojan Spamer Tedroo, Trojan Exchanger, Trojan.Spy.Zeus and many others.
The trick adopted by this malware is simple. It presents a website with an otherwise clean main page and then injects the real infection through a CGI (Common Gateway Interface) script with the following URL:
[infected_site]/in.cgi?[number_for_infection_campaign]
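One defender-side check for the hidden-iFrame pattern described above, added here as an example that is not part of the original post or of any vendor's tooling: it scans an HTML document for iFrames that sit after the closing </html> tag, are styled invisible or sized 1x1, or point at an in.cgi?<number> redirector. The sample pages and the hidden-redirect.example host are constructed placeholders.

```python
import html
import re
from urllib.parse import urlparse

# Constructed samples (not real pages): a clean page with a hidden iframe appended
# after </html>, the injection pattern described in the post, and a clean page
# with a normal visible embed that must not be flagged.
SAMPLE_INFECTED = """<html><head><title>Shop</title></head>
<body><p>Welcome to our shop.</p></body></html>
<iframe src="http://hidden-redirect.example/in.cgi?12" width="1" height="1" style="visibility:hidden"></iframe>
"""
SAMPLE_CLEAN = """<html><body>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(tag):
    """Return the attributes of one <iframe ...> opening tag as a lower-cased dict."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = html.unescape(m.group(2) or m.group(3) or m.group(4) or "")
    return attrs

def is_hidden(attrs):
    """True when the frame is styled invisible or sized 1x1 pixels or smaller."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:  # e.g. "100%": not a plain pixel size, treat as visible
        return False
    return width <= 1 or height <= 1

def find_suspicious_iframes(doc):
    """Flag iframes placed after </html>, hidden, or pointing at in.cgi?<number>."""
    findings = []
    end_of_html = doc.lower().rfind("</html>")
    for m in IFRAME_RE.finditer(doc):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src", "")
        url = urlparse(src)
        reasons = []
        if end_of_html != -1 and m.start() > end_of_html:
            reasons.append("after </html>")
        if is_hidden(attrs):
            reasons.append("hidden")
        if url.path.lower().endswith("in.cgi") and url.query.isdigit():
            reasons.append("in.cgi?<number> redirector")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings
```

Run it over the HTML of any page you serve; any finding means the file should be compared against a known-clean copy.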

3. Trojan.PWS.Tupai.A

Introduction

Discovered by Mihai Razvan Benchea, a well-known virus researcher, on 1st September 2008, Trojan.PWS.Tupai.A is a Trojan with medium damaging capacity that also spreads at a medium rate. It is not hard to detect, and it usually makes inroads into a computer through vulnerable programs such as SecureFx, IpSwitch, FTPWare, Rhine Software, FileZilla, Total Commander, BulletProof Ftp, GlobalScape Ftp, CoffeCup Fp, Ftp Commander Pro, Smart Ftp, Leap Ftp and Far.

Symptoms

The presence of this malware shows up as a setupapi.dll file in the Internet Explorer folder.

Technical Description

Trojan.PWS.Tupai.A resides in the Internet Explorer folder under the name setupapi.dll. The Trojan is harmful because it steals passwords for FTP servers. To get at the passwords, it searches for all well-known FTP programs installed on your computer and, depending on which are present, tries to decrypt the stored passwords and FTP server addresses. Once decrypted, it re-encrypts the data with its own algorithm and sends it to http://85.225.[hidden].198/ftpg/ftp.php.

4. Trojan.FakeAlert.ACR

Introduction

Discovered by Dana Stanut, a well-known virus researcher, on 29th August 2008, Trojan.FakeAlert.ACR spreads at an alarmingly high rate and has a medium damaging impact.

Symptoms

The presence of Trojan.FakeAlert.ACR produces the following symptoms:
  • The desktop background suddenly changes without user consent.
  • The desktop shows an alarming image claiming that the user's computer is infected.
  • The files blphc9pvj0e1ac.scr, lphc9pvj0e1ac.exe and phc9pvj0e1ac.bmp are found in %SYSDIR%.
Technical Description:
On being executed, the malware drops the following files in %SYSDIR%:
  • blphc9pvj0e1ac.scr
  • lphc9pvj0e1ac.exe
  • phc9pvj0e1ac.bmp
The program runs itself at every system startup by adding an entry under the following registry key:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
From http://antivirusxp-2008.net it downloads a rogue antivirus. Once installed, this "antivirus" shows the user fake alerts about false infections detected on the computer, misleading users into buying a licensed version of malicious software.
To keep your PC protected, always keep your antivirus program updated and learn the symptoms associated with these Trojans so that you can take quick preventive action.