New Targets in Detection (November 2007)

ADS Adware Remover

ADS Adware Remover is rogue anti-spyware. It may give exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove those reported threats.

AdwareAlert

AdwareAlert is rogue anti-spyware and a clone of SpyGuard; it may give exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove those reported threats.

Adware.Uplink

Adware.Uplink is an adware application that can display advertisements. It installs itself as a Browser Helper Object (BHO).

Adware.VapSup

Adware.VapSup plants a BHO which hijacks the Internet Explorer browser. It tracks the user’s surfing habits and saves them in a log file. It is also bundled with a rogue application. When users visit specific porn sites, they will be redirected to a homepage which displays warning messages that the system is infected and that it is necessary to download an application to fix the problems. The application is a rogue anti-spyware product which tricks users into purchasing the product by showing exaggerated threat reports.

BitAccelerator

BitAccelerator claims to expand the limits of the user’s Internet connection. The application is missing a EULA and privacy policy during the installation phase. Once installed, bitaccelerator.dll runs as a BHO on all user accounts, giving no indication of its functionality or intention.

Crawl.ws Toolbar

Crawl.ws Toolbar is a search toolbar which also has zoom and pop-up blocking functionality. Searches are made through “http://www.crawls.ws” and do not give accurate search results. The toolbar is installed on all user accounts and is missing both a privacy policy and EULA during the installation.

DoctorCleaner

DoctorCleaner is rogue anti-errorware that tricks the user into buying the commercial version. DoctorCleaner's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare/trick the user into clicking yes.

IEDefender

IEDefender is a rogue anti-spyware application. It tricks the user by detecting malicious files that were downloaded by Win32.TrojanDownloader.IEDefender, and then asks the user to purchase a registered version to remove those reported threats.

PrivacyKit

PrivacyKit is rogue anti-errorware that tricks the user into buying the commercial version. PrivacyKit's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare/trick the user into clicking yes.

RegistryCleanerSoft

RegistryCleanerSoft is rogue anti-errorware that tricks the user into buying the commercial version. RegistryCleanerSoft's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare/trick the user into clicking yes.

RegSort

RegSort is rogue anti-errorware that tricks the user into buying the commercial version. RegSort's distribution methods are stealthy and/or misleading. The user is presented with misleading advertisements, often popped up from files and processes installed by Trojans that scare/trick the user into clicking yes.

SpyOnThis

SpyOnThis is rogue anti-spyware. It may give exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove those reported threats.

SpyWarp

SpyWarp is a rogue anti-spyware application. It may give exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove those reported threats.

Sunshine Spy

Sunshine Spy is rogue anti-spyware. It may give exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove those reported threats. Sunshine Spy also hijacks the desktop and displays emergency messages on the active desktop, telling the user that he/she is infected and needs to purchase their product to fix the problem. The malware makes the system unusable; the user cannot run any files at all. The threat may need to be removed by Ad-Aware in safe mode.

VirusRay

VirusRay is rogue anti-spyware and a clone of SpyDawn. It may give exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove those reported threats.

WinPerformance

WinPerformance is a rogue anti-spyware application. It may give exaggerated threat reports on the compromised computer and then ask the user to purchase a registered version to remove those reported threats.

Win32.Adware.OneStep

Win32.Adware.OneStep installs without displaying a EULA. It runs as a service, updates automatically and does not offer a way to turn this off. Win32.Adware.OneStep redirects search words typed in Internet Explorer's address bar.

Win32.Backdoor.AimBot

Win32.Backdoor.AimBot opens a backdoor that may allow a remote user to take control of the infected system.

Win32.Backdoor.DarkBot

Win32.Backdoor.DarkBot opens a backdoor on the infected computer. It will then try to contact an IRC server and connect to a specific channel.

Win32.Backdoor.EvilBot

Win32.Backdoor.EvilBot opens a backdoor that may allow a remote user to take control of the infected system.

Win32.Backdoor.Fluxay

Win32.Backdoor.Fluxay is a backdoor that uses pipes to provide an unauthorized command shell on a compromised machine.

Win32.Backdoor.Libdoor

Win32.Backdoor.Libdoor is malware that opens up backdoors on a compromised computer.

Win32.Backdoor.MocBot

Win32.Backdoor.MocBot copies itself to the system folder. The malware runs as a hidden process, constantly trying to open TCP ports on the compromised computer.

Win32.Backdoor.ReverseTrojan

Win32.Backdoor.ReverseTrojan opens a backdoor that may allow a remote user to take control of the infected system.

Win32.Backdoor.Shark

Win32.Backdoor.Shark opens up a backdoor on the infected machine.

Win32.Backdoor.Shiznat

Win32.Backdoor.Shiznat opens up a backdoor on the infected computer. It will then try to contact an IRC server and connect to a specific channel.

Win32.Backdoor.Weedbotz

Win32.Backdoor.Weedbotz opens a backdoor that may allow a remote user to take control of the infected system.

Win32.IRC.Flood

Win32.IRC.Flood is an application for flooding on an IRC network. This is a method of disconnecting users from an IRC server. The application may achieve this by exhausting bandwidth, causing slow response or by posting annoying, long and repetitive posts. Other types of IRC flooding include CTCP, DCC, ICMP, Message, Notice, Invite, Nick and Connect flooding.

Win32.Rootkit.Agent

Win32.Rootkit.Agent is malware that prevents its removal by hiding its presence. It does this by concealing running processes, files or data from the infected operating system. The malware may not be detected by system utilities, security-related applications, or by the user of an infected machine. This malware may have to be removed manually. Affected users may seek further help at the Lavasoft Support Forums.

Win32.Trojan.BHO

Win32.Trojan.BHO installs itself as a Browser Helper Object (BHO). It will then run when Explorer or Internet Explorer is started. It may also download additional files.

Win32.TrojanDownloader.IEDefender

Win32.TrojanDownloader.IEDefender is a downloader which downloads IntelVideo.dll, which in turn hooks into the Internet Explorer browser. When the user visits sites in the browser, unwanted pop-ups are displayed, telling the user that the system is infected and that he/she needs to download IE Defender to fix the problems.

Win32.TrojanDropper.MultiBomb

Win32.TrojanDropper.MultiBomb will run a set of Visual Basic scripts and aims to destroy your system.

Win32.TrojanDownloader.SecMediaOnline

Win32.TrojanDownloader.SecMediaOnline is a fake codec downloader which installs a rogue application on the system without the user’s permission. The downloaded application may give exaggerated threat reports and then ask the user to purchase a registered version to remove those reported threats.

Win32.TrojanDownloader.Vildo

Win32.TrojanDownloader.Vildo connects to malicious HTTP domains and downloads and installs files to the user's PC without his/her knowledge or consent.

Win32.TrojanDownloader.Zanoza

Win32.TrojanDownloader.Zanoza connects to malicious HTTP domains and downloads and installs files to the user's PC without his/her knowledge or consent.

Win32.TrojanSpy.Zbot

Win32.TrojanSpy.Zbot is a Trojan that installs an executable named “ntos.exe” in the system32 directory. It also creates a wsnpoem directory and installs two files, audio.dll and video.dll, within that directory. Win32.TrojanSpy.Zbot injects itself into the svchost.exe process and opens several TCP ports on the infected system, thereby compromising system security and leaving the system vulnerable to remote attack. This Trojan may also provide a proxy server on one of the opened TCP ports.

Win32.Virus.Expiro

Win32.Virus.Expiro is a virus that infects executable files on disk. If infected, the user will need to run an anti-virus program to clean the system.

Win32.Worm.Alcra

Win32.Worm.Alcra is a worm that attempts to replicate itself mainly into the shared folders used by file-sharing applications. It also creates files named after common Windows tools, for example ping.com and cmd.com, in an attempt to block access to the legitimate tools.

Win32.Worm.Cissi

Win32.Worm.Cissi is a worm that tries to spread via e-mail without any user intervention, and it attempts to copy itself to network shares. The worm changes the winlogon shell registry entry to start the worm at system start-up. Win32.Worm.Cissi also creates an ST folder within the Windows directory and uses it as a repository for copied files. The worm may also provide unauthorized access to the infected computer via IRC channels.

Win32.Worm.Darby

Win32.Worm.Darby is a worm that tricks the user into executing the file by using a folder icon. The worm replicates itself to several places on the system and runs hidden processes. Win32.Worm.Darby also deletes files on the user’s system.

Win32.Worm.Fizzer

Win32.Worm.Fizzer is a worm that sends replicated copies of itself by e-mail using its own SMTP engine. It may also attempt to spread via file sharing applications, for example KaZaa. Win32.Worm.Fizzer also possesses backdoor capabilities allowing a remote attacker to gain unauthorized access to the infected computer via IRC channels.

Win32.Worm.Funner

Win32.Worm.Funner is a worm that spreads through MSN. It also redirects sites by modifying the hosts file.

Win32.Worm.Ganda

Win32.Worm.Ganda is a worm that spreads as an e-mail attachment. It will also infect executable files on the system. Users will need an anti-virus program to fully remove this infection.

Win32.Worm.Gibe

Win32.Worm.Gibe is a worm that spreads through shared folders on the network and as an e-mail attachment. It also harvests e-mail addresses from the infected machine. Win32.Worm.Gibe pretends to be a security update for Microsoft Windows.

Win32.Worm.Kebede

Win32.Worm.Kebede is a worm that spreads as an e-mail attachment. It also harvests e-mail addresses from the infected machine.

Win32.Worm.Kidala

Win32.Worm.Kidala is a worm that spreads through shared folders on the network and as an e-mail attachment. It also harvests e-mail addresses from the infected machine.

Win32.Worm.Lovelorn

Win32.Worm.Lovelorn is a worm that spreads as an e-mail attachment. It also harvests e-mail addresses from the infected machine. Win32.Worm.Lovelorn may also infect files.

Win32.Worm.Nachi

Win32.Worm.Nachi is a worm that spreads via the DCOM RPC vulnerability in Microsoft Windows.

Win32.Worm.Neveg

Win32.Worm.Neveg is a worm that spreads as an e-mail attachment. It also harvests e-mail addresses from the infected machine.

Win32.Worm.Newbiero

Win32.Worm.Newbiero spreads via local area networks by mapping hard drives. Win32.Worm.Newbiero has a backdoor function that allows the victim's machine to be monitored remotely. The worm also has DDoS functionality.

Win32.Worm.Padowor

Win32.Worm.Padowor is a self-replicating worm. It copies itself to several places on the system and uses the SMTP protocol to send outgoing messages.

Win32.Worm.Rants

Win32.Worm.Rants copies itself to the system folder. The worm acts as an annoyance; it may open random applications and display a message to the user within the specific application. An example message is: “Your pic. It's funny lol.”

Win32.Worm.Rays

Win32.Worm.Rays is a worm that tricks the user into executing the file by using a folder icon. The worm replicates itself to several places on the system and runs hidden processes. It also hides its file extension so that its copies look like legitimate folders the user can open.

Win32.Worm.Scold

Win32.Worm.Scold is a worm that spreads as an e-mail attachment. It also harvests e-mail addresses from the infected machine.

Win32.Worm.Sumom

Win32.Worm.Sumom copies itself to the system folder. The worm makes itself invisible to the user by changing registry values so that hidden files are not shown. It also disables the System Restore function in Windows.

Win32.Worm.Torvil

Win32.Worm.Torvil is a self-replicating worm. It copies itself to several places on the system and uses the SMTP protocol to send outgoing messages.

TAI - Threat Analysis Index
The Lavasoft Threat Analysis Index (TAI) system is based on a 10-point scale, with 1 representing the lowest threat and 10 representing the highest. The behavior of the program has more influence when assigning TAI points than the actual technical aspects of the malware. In other words, if the malware secretly attaches without the computer user's full understanding and approval, then it will automatically be given higher TAI points. A minimum TAI value of 3 is required before the malware is put into detection. Read more on the Lavasoft Security Center here.

Lavasoft AB Lilla Bommen 1, 411 04 Gothenburg, Sweden | www.lavasoft.com | editor@lavasoft.com