Latest Threats?

Hey everyone. Just wanted to know if Avast has added TR/Dldr.EbayBill.D and the (fake WGA) W32/Cuebot-K worm signatures. Happy with Avast mind you, but I couldn’t find these in any of the VPS listings on the web site. Maybe just an oversight on my part. I have to say though, there have definitely been many new signatures added lately. I can’t help but believe Avast will fare even better in the next AV-Comparatives. Regards to everyone, and thanks.

I’m afraid it’s not possible to say without having the samples of this malware.
The naming (especially of less common viruses) differs between antivirus companies, so these very specific names don’t really say much.

The fake WGA is analysed here:
http://www.sophos.com/security/analyses/w32cuebotk.html

There you also have the removal instructions.

The other one is:
Downloader-AAP.c is a trojan that is delivered via a spammed eBay message. This downloader is designed to pull a password stealer from websites controlled by the malware author.

Aliases

* TR/Dldr.EbayBill.D (Avira)

* (Sophos)

* Trojan-Downloader.Win32.Agent.ann (Kaspersky)

* Trojan.Clagger.B (Symantec)

* Trojan.Clagger.D (BitDefender)

* Win32/TrojanDownloader.Agent.UF (ESET)

Technical info: (from Sophos)


Troj/Dloadr-AJB is a Trojan for the Windows platform.

Troj/Dloadr-AJB includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Dloadr-AJB copies itself to \ipf.exe and creates the file \drivers\winut.dat.

The following registry entry is created to run ipf.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IPF
\ipf.exe

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

:*:Enabled:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\system32
ipf.exe
\ipf.exe:*:Enabled:ipf

polonus
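The Sophos text quoted above gives two persistence indicators for Troj/Dloadr-AJB: an IPF value under the HKLM Run key pointing at ipf.exe, and an XP SP2 firewall exception for ipf.exe under AuthorizedApplications\List (value data of the form `path:*:Enabled:name`, scope `*` meaning any remote address). The script below is an added example, not code from this thread or from Sophos: it parses a `reg export` dump offline (the sample export is constructed, and the full path `C:\WINDOWS\system32\ipf.exe` is an assumption, since the quoted text has the folder name truncated) and flags both indicators for a given image name, so the same check can be run against any other image an analysis names.

```python
"""Hunt for the Troj/Dloadr-AJB persistence indicators quoted above in an offline
registry export (.reg file, e.g. produced by `reg export` on the suspect machine).
Added example; not code from the thread or from Sophos."""
import re
from typing import Dict, List, Optional

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)

# Constructed sample export, not a real capture. The full path to ipf.exe is an
# assumption: the Sophos text quoted in the thread has the folder name truncated.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"
"IPF"="C:\\WINDOWS\\system32\\ipf.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ipf.exe"="C:\\WINDOWS\\system32\\ipf.exe:*:Enabled:ipf"
'''

# "name"="data" lines; both sides may contain escaped backslashes and quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside string values.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser for REG_SZ values: returns {key path: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def parse_fw_entry(data: str) -> Optional[Dict[str, str]]:
    """Split an XP SP2 AuthorizedApplications List value ("path:scope:state:name").
    rsplit is used because the path itself contains a colon (the drive letter)."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, name = parts
    return {"path": path, "scope": scope, "state": state, "display": name}


def find_indicators(keys: Dict[str, Dict[str, str]], image: str = "ipf.exe") -> List[Dict[str, str]]:
    """Flag Run-key autostarts and enabled firewall exceptions for the given image name."""
    hits: List[Dict[str, str]] = []
    suffix = "\\" + image.lower()
    for name, data in keys.get(RUN_KEY, {}).items():
        if data.strip('"').lower().endswith(suffix):
            hits.append({"where": "run", "name": name, "data": data})
    for name, data in keys.get(FW_LIST_KEY, {}).items():
        entry = parse_fw_entry(data)
        if entry and entry["path"].lower().endswith(suffix) and entry["state"].lower() == "enabled":
            hits.append({"where": "firewall", "name": name, "data": data, "display": entry["display"]})
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(hit["where"], hit["name"], "->", hit["data"])
```

On the constructed sample this reports the IPF autostart and the enabled firewall exception for ipf.exe, and leaves the legitimate avast! and sessmgr.exe entries alone. Matching on the image name rather than on the value name `IPF` matters because the quoted Sophos text also shows the firewall entry being keyed by the full path, and a name-only check would miss it.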

I’ve sent one WGA scam sample to the Alwil guys today (along with 200+ other samples :) ). I guess they’ll soon add it…