Virus.Win32.Virut.ce can infect and overwrite files to be able to execute and spread itself. Virus.Win32.Virut.ce can also block access to security websites by modifying the Windows Hosts file. It can also inject malicious iframe on web files such as .HTM, .PHP or .ASP. The Trojan will badly infect .exe and .scr files on the computer resulting to severe malfunctions.

Category: Trojan Horse

Risk Level: High

Aliases:

• W32.Virut.CF
• W32/Virut.n
• PE_VIRUX.A-1
• W32/Scribble-A
• Virus:Win32/Virut.BM

Technical Details

Characteristics:
Virus.Win32.Virut.ce will infect executable files under MS Windows systems. The virus is a Windows PE EXE file that is polymorphic in nature. This Trojan will embed malicious code into processes running on the compromised computer. Next, the code seizes critical system functions to trace running application and open files. Upon detecting an initiated application, it infects the main executable file. Since this is a polymorphic PE EXE virus, it will write its own code on expanded PE portion of file. This action will result to the adjustment of the program’s entry point, which leads to the execution of the virus code.

The virus may infect every executable item very badly. It renders the compromised file irrecoverable. Antivirus applications may attempt to remove part of the infected code but the result is catastrophic. What the virus does is irreversible.

Distribution Method:
Computer users may acquire Virus.Win32.Virut.ce in various ways. Web site employing a drive-by-download method can instantly drop and execute this Trojan on visitor’s computer. Another means to spread this infection is through spam email messages and peer-to-peer network connections.

When it is set inside the computer, it monitors running processes and inject its code into the address space. It is intended to infect other executable files that have .exe and .scr extensions.

Recommended Virus.Win32.Virut.ce Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

Spyware Protect 2009 is a counterfeit antispyware program that can be acquired by visiting malicious websites or via Trojan Downloader and Trojan Zlob.  Upon infection by a Trojan, it will connect to a remote server and download a copy of Spyware Protect 2009 and install it on the compromised computer. This rogue program will attempt to convince computer users to pay for the registered version of the program by displaying fabricated can results and frequent alert messages.

This program will also modify Internet Explorer configuration to redirect web browser to another fake security websites and download another malware. To avoid this instances, it is advised to remove any Trojan and files associated with it using legit anti-malware program when symptoms were observed on computer. 

Aliases:
-

Risk Level: Medium

Affected System: Windows

Common Symptoms:

1. Internet browser or homepage will be redirected to the following websites:

• antiwareprotect.com
• spyware-protect-2009.com
• spwprotect2009.com
• spywprotect.com
• sysprotect.net
• antivirus-win.com
• spy-protect-2009.com
• swp2009.com

2. Presence of files such as filedon.exe that can be downloaded from nerogiena.com/keshu/kebab/getexe.php?h=12

3. It will display alert messages

Use MBAM as Spyware Protect 2009 Removal Tool
1. Use MalwareBytes AntiMalware to remove Spyware Protect 2009

Spy Guard 2008 is a variant of Vundo trojans that spreads and infects computer with Potentially Unwanted Programs. Spy Guard 2008 display fake scan results to misleads computer users to acquire the registered version of the program.

Aliases:
-

Risk Level: Low

File Size: Varies

Affected System: Windows

Lsas.Blaster.Keyloger is part of the rogue program System Security which display it as a threat detected. It will then prompt users to download and install the said application. Though the said threat does not really exists on the computer, this scare tactics is currently employed by rogue program for deceptive purposes. A pop-up window with message appears.

Internet Explorer is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using Internet Explorer to connect to remote host.

Update: October 14, 2009
New harmful rogue program Security Tool is also using this Lsas.Blaster.Keyloger as a threat to scare computer users and prompts them that only a registered program can remove it from a computer.

Risk Level: Low

File Size: Varies

Affected System: Windows

Screen Shot Images:
Lsas.Blaster.Keyloger is a widely used fake threat. Here are some samples of different bogus security warnings that displays Lsas.Blaster.Keyloger detection.

How to Remove Lsas.Blaster.Keyloger

Use MBAM as Lsas.Blaster.Keyloger Removal Tool:
1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
2. After downloading, double-click on mbam-setup.exe to install the application.
3. Follow the prompts and install as “default” only
4. Before the installation completes, check on the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware
5. Click “Finish.” Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished click on the “Show Results”
8. Make sure that all detected threats are marked, click on Remove Selected.
9. Restart your computer.

Note: Lsas.Blaster.Keyloger may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.

~dulla@204 is a harmful virus that can stop operation of document applications such as Microsoft Word, Excel, Powerpoint and Adobe Acrobat. ~dulla@204 also modifies Windows Registry and adds its own key to run itself when Windows starts. When attempting to open a document file, it will display “~dulla@204”.

Category: Virus

Risk Level: High

Technical Details

Characteristics:

Once executed, this virus will drop several files under Windows directory. These files bears random name like ~jmkiteyd~.exe, which is around 43kb (44032 bytes) in size.

To run ~dulla@204 on every Windows start-up, it will add the following registry entries:

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services =”~dulla@204”
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services =”~dulla@204”
• HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Run “~jmkiteyd~.exe”

When loaded, ~dulla@204 virus may infect executable files on the compromised computer as a method to propagate. The same process is applied on a network to distribute a copy of itself. Once running on the computer, ~dulla@204 will corrupt all document files by altering part of the header, which makes it irrecoverable.

Distribution Method:
Computer users may acquire ~dulla@204 from malicious web sites or legitimate site that are compromised with a Trojan. Visiting these sites may download and execute ~dulla@204 without visitors notice. Once on the system, this virus will infect .EXE files. It will also look for connected computers and do the same on network-shared drives.

Recommended ~dulla@204 Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definition of your antivirus program.
3. Reboot computer in SafeMode [how to]
4. Use antivirus program to run a full system scan and clean/delete all infected file.
To manually delete associated files, please browse Windows directory and look for files similar to ~jmkiteyd~.exe (43kb). When found, delete carefully one at a time.

5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services =”~dulla@204”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services =”~dulla@204”
HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Run “~jmkiteyd~.exe”

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

8. Addition removal tool can be found on this web site : http://www.insa.gov.et/INSA/faces/downloads/downloads.jsp

go.google, go.yahoo and go.msn are browser hijacker that dominantly redirect web browser to a fake online virus scanner web sites. go.google and go.yahoo existence is a result of a Trojan infection that has a payload of modifying browser settings, disable locally installed security programs and monitor Internet activity of the infected computer.

go.google, go.yahoo and go.msn web sites do not exist. It is an error page created locally that is configured to redirect to various fake security web sites. The site will run a fake online virus scanner that later detects numerous types of computer infections. It will advise visitors to clean these threats using a recommended tool. However, before the program can proceed to its scan and detect features, user must purchase first the registration key. This tactic is a clear indication of a fraud activity perpetuated by fake antivirus applications.

Screen Shot:

Category: Trojan Horse

Risk Level: Medium

Technical Details

Characteristics:
go.google.com, go.yahoo.com and go.msn.com are odd Internet browser behavior that can be attributed as browser hijacker. This infection is brought about by a Trojan infection that may also cause multiple system misbehavior. The obvious sign for this type of infection on the computer is having the home page or search result be forwarded to any of the mentioned deficient domains.

Once the Trojan invades the system, it will drop the following malicious files to accomplish its objective:
C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll
C:\WINDOWS\karna.dat
C:\WINDOWS\system32\karna.dat
C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\wini10802.
C:\WINDOWS\system32\brastk.exe
C:\WINDOWS\system32\TDSS(four random characters).dll
C:\WINDOWS\system32\drivers\TDSSserv.sys
C:\WINDOWS\system32\drivers\TDSS(four random characters).sys

Next, it will conquer the registry to obtain start-up spot. It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
HKEY_LOCAL_MACHINE\SOFTWARE\tdss
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk

Recommended go.google – go.yahoo Removal Procedure

Here is a simple step-by-step procedure to remove go.google – go.yahoo virus from an infected computer. Please follow the steps carefully.

1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop or any accessible location of your hard drive.

2. After downloading, double-click on the file to install the application.

3. Follow the prompts and install the program using the “default” settings.

4. Before the installation completes, check on the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware

5. Click Finish. Program will run automatically and you will be prompt to update the program before starting a scan. Please proceed with update to obtain the latest database necessary to detect and remove go.google – go.yahoo.

6. Scan your computer thoroughly and completely check all files, folders and registry entries for possible infection.

7. When scanning is finished, click on Show Results.

8. Make sure that all detected threats are marked, click on Remove Selected.

9. After removing items associated with go.google – go.yahoo, it will prompt to restart the computer. Click Yes to complete the cleaning process.

10. When computer starts, open MalwareBytes Anti-Malware. Go to Quarantine tab and click on Delete All to fully remove all malicious items.

Note: go.google – go.yahoo – go.msn infection may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.

defender-review.com is a counterfeit security web site. It highlights fake reviews about the counterfeit programs called Personal Defender 2009 and Perfect Defender 2009.

Attackers behind rogue security application put-up this web site to promote rogue program. It also helps in misleading users and hides the actual goal of stealing money from its victims. defender-review.com produces uplifting information about the promoted product. In fact, these security applications are worthless and have no capability to protect the PC against virus attack.

Current Status: Inactive

Domain Registrant:

Registrant:
kim white hostmaster@defender-review.com +1.6093472366
PersonalDefender Inc
702 broadway avenue
egg harbor township,NJ,US 08234

Domain Name:defender-review.com
Record last updated at 2008-10-29 13:58:08
Record created on 2008/10/29
Record expired on 2009/10/29

Domain servers in listed order:
ns1.pdefzone.com   ns2.pdefzone.com

Risk Level: Medium

Affected System: Windows

Screen Shot Image:

Have you visited movie websites, particularly porn ones and encounters an error “Video ActiveX Object Error;” did it prompt you to download and install a file to be able to display the video? If you have installed the video codec called MacCodec then you may have been infected with OSX.RSPlug.A.

The PC-based fake codec used to trick users is now available on Mac systems. It has been described by Intego as:

A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

Below are the images for the fake warnings:

Spyware.Cyberlog-x is a detection for a program that was developed to steal sensitive data from compromised computer. It used to log key strokes, record screen shot images, monitor Internet activities and steal user name and passwords.

On the other hand, Spyware.Cyberlog-x is a threat detected by fake anti-spyware product that is normally bundled with different Trojans. This malware is utilizing fake Media Codecs as a way of persuading victims to install the rogue program.

Risk Level: Medium

Affected System: Windows

Common Symptoms:
1. Fake security programs will pop-up a system tray messages stating that Spyware.Cyberlog-x is detected. The alert will have the following text:

Critical System Warning!
Your system is probably infected with the latest version of Spyware.Cyberlog-x.
Type: Spyware
Infection Length: 266,129 bytes
Risk: High
Systems Affected: Windows 95, 98, 2000, NT, 2003 Server, Windows XP, Windows Vista
Behavior: Spyware.Cyberlog-x is a spyware program that monitors user activity, log keystrokes, and tracks Web sites visited.
Symptoms: Low Internet connection speed
Low system performance
Security center alerts
Strange pop up windows
Protection: Click OK to download antispyware software.

2. From the same rogue security application, additional taskbar alert will be shown emerging from the task bar.

• System Alert: Trojan-Spy.Win32@mx. Type: Spyware/Trojan.
• Critical System Error! System Detected virus activities. They may cause critical system failure…

Recommended Spyware.Cyberlog-x Removal Tool

Here is a simple step-by-step procedure to remove Spyware.Cyberlog-x virus from an infected computer. Please follow the steps carefully.

1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop or any accessible location of your hard drive.

2. After downloading, double-click on the file to install the application.

3. Follow the prompts and install the program using the “default” settings.

4. Before the installation completes, check on the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware

5. Click Finish. Program will run automatically and you will be prompt to update the program before starting a scan. Please proceed with update to obtain the latest database necessary to detect and remove Spyware.Cyberlog-x.

6. Scan your computer thoroughly and completely check all files, folders and registry entries for possible infection.

7. When scanning is finished, click on Show Results.

8. Make sure that all detected threats are marked, click on Remove Selected.

9. After removing items associated with Spyware.Cyberlog-x, it will prompt to restart the computer. Click Yes to complete the cleaning process.

10. When computer starts, open MalwareBytes Anti-Malware. Go to Quarantine tab and click on Delete All to fully remove all malicious items.

Note: Spyware.Cyberlog-x may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.

Trojan.Zlob.K is a Trojan horse that may download and execute remote files and redirect Internet Explorer home page and search page to a different address. It may add encryption key to certain folders to hide associated files or any stolen data from the compromised computer.

Category: Trojan Horse

Risk Level: Low

Aliases:

• TROJ_ZLOB.MU
• Trojan-Downloader.Win32.Zlob.s
• Downloader-XC
• Trojan.Zlob.B

Technical Details

Characteristics:
Since Trojan.Zlob.K is a downloader, its goal is to download additional malware. It will communicate to predefined web sites, fetch malicious data, and run them on the infected computer.

Once activated, the Trojan may drop the following files:
%System%\ncompat.tlb
%System%\interf.tlb
%System%\hp[RANDOM CHARACTERS].tmp

Then, it will add the following registry entry so that it executes on every Windows start-up:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\”nvctrl.exe” = “nvctrl.exe”

To gain automatic start-up when running Windows Explorer, this Trojan will set the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
notepad.exe
msmsgs.exe

Additional registry entry that calls the application file msmsgs.exe is added. This will also allow Trojan.Zlob.K to run on every Windows start-up.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = “msmsgs.exe”

Lastly, the Trojan will hide malicious activities by injecting codes into legitimate file Explorer.exe.

Distribution Method:
Trojan.Zlob.K may arrive on target computer by means of another Trojan infection.

Recommended Trojan.Zlob.K Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\”nvctrl.exe”
= “nvctrl.exe”

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

Trojan.Galapoper.A is a computer infection that when executed will communicate to a remote server to download additional risks onto target system. This Trojan may also steal user’s data and send it to an attacker using HTTP POST protocol or email communication. Trojan.Galapoper.A and its variants habitually download Trojans from other groups of Downloaders, which may result to additional infections.

Category: Trojan Horse

Risk Level: Low

Aliases:

• Trojan-Downloader.TIBS
• Trojan.Galapoper.A
• Trojan-Downloader.Win32.Tibs.il
• Tibs
• WORM_NUCRP.GEN
• Mal/TibsPak, Mal/HckPk-A, Troj/Tibs-Fam
• TrojanDownloader:Win32/Vxidl.gen!A
• Trojan-Downloader.Win32.Tibs
• Win-Trojan/Tibs.7346.DN

Technical Details

Characteristics:
When executed, Trojan.Galapoper.A will avoid antivirus detection by applying a method of obfuscation. IT also performs the following set of operations:

• Inform an attacker of computer infection through email
• Create a copy of itself to various locations of the compromised system
• Drop a number of infected and clean files
• Communicate to predefined web sites to execute more malware
• Disable any installed antivirus, firewall, and other security-related software
• Steal sensitive information and send the gathered data to a remote attacker via email or HTTP POST protocol

Distribution Method:
This Trojan will arrive on computer with filename “zhopaizdupla.exe.” It is dropped by another Trojan infection that is usually obtained from malicious web sites and unsecured peer-to-peer connection.

Recommended Trojan.Galapoper.A Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_CURRENT_USER = “WindowsSubVersion” = “[VALUE]“

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.

Trojan.Zlob.J is a member of a Zlob family that refers to a large group of malware involving in malicious acts like modifying Internet browsers, redirect home page and search results, install fake security applications, and execute arbitrary file from a remote server. Trojan.Zlob.J also allows a remote attacker to access the compromised computer. Thus, the attacker may perform malicious actions and steal sensitive data from the infected system.

Category: Trojan Horse

Risk Level: Medium

Technical Details

Characteristics:
Upon execution, Trojan.Zlob.J will drop the following harmful files:
%System%\ld[RANDOM CHARACTERS].tmp
%System%\dfrgsrv.exe

To gain automatic start-up spot, the Trojan will modify Windows registry and add the following entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
“wininet.dll” = “dfrgsrv.exe”

Alternative start-up method is to inject malicious code into the following Windows process that runs when Windows starts:
winlogon.exe

Once running on the compromised system, Trojan.Zlob.J will monitor Internet activities and may modify settings of the home page.
Lastly, the Trojan will establish an HTTP connection to specified URL and performs the following actions:

• Ping the remote computer
• Send a status report regarding the infected system
• Download and execute remote files, which upgrade itself

Distribution Method:
Trojan.Zlob.J uses the web primarily to spread a copy of itself. Malicious web sites, infected web pages and unsafe file-sharing networks are the top sources of this Trojan. Once inside the computer, it may contaminate other files locally but will never spread on neighboring computers.

Recommended Trojan.Zlob.J Removal Procedure

1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Update the virus definitions.
3. Reboot computer in SafeMode [how to]
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry. [how to edit registry]
Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run “wininet.dll” = “dfrgsrv.exe”

6. Exit registry editor and restart the computer.
7. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.