Spyware Listing

List of spyware, adware, malware, keyloggers, trojans, viruses and other nasties, with full details and removal instructions.

Look it up in the list below or search our database.

123mania

Also known as: MatrixDialer 123 mania

This is adware of Spanish origin.

http://www.123mania.com


123Messenger

Spanish Shopping Portal Dialer. Translated roughly from the vendor in Spanish: "Contract of User: Using our program you specifically recognize and accept the following warnings and conditions: 1) the access to this Web, ace ? like a its contents and services está únicamente allowed to people of legal age. 2) You must be of legal age in his país of residence (in the case of España, greater of 18 años). 3) When accepting the "Certificate of security" or the unloading of the file that shows its navigator, knows that instalarán in its PC the programs that permitirán to connect to him with our services. Asímismo, for its comfort, colocarán direct access in its system to facilitate próximas to him connections. 4) You not exhibirá this material to minors or any other person who can be victim or who do not fulfill these conditions. 5) You deberá to pay the costs of conexión telefónica. Knowing that to the program him desconectará automáticamente of present his conexión and him conectará to a special número of tarificación 906. Price MAXIMO per minute is of 1.06 euros from the fixed network of telefonía, and 1.357 euros from the móvil network, taxes including. You también know that at any time podrá to to this end become disconnected of our services using botón existing, extinguishing his módem or hanging teléfono según comes in each case. The system him desconectará automáticamente passed 30 minutes, deciding you freely if you wish to connect again. 6) All the rights of copyright and any other rights of intellectual and industrial property are reserved in favor of the holders, authors, publishers, people in charge and/or proprietors of this Web. Asímismo recognizes that estarán in any case exentos of any responsibilities of índole personal and/or económica that could derive: ?) Of the access of minors. 6b) Of utilización of the program or software that allows the access to the services. 6c) Of the access and/or utilización that any user makes of the contents and services.
7) For resolución of any controversies to raíz of the present document, of the access to the Web or anyone of his contents, you he is specifically put under the españolas laws and jurisdicción of the courts and courts of the city of Madrid, España, to which he confers única competition exclusively and. 8) we requested to Him that if does not understand, does not fulfill or it does not accept some of the ends contained in the present contract does not continue with conexión. Identificativos Data: Matrix Technology Network, S.A. CIF A-83491530 Apdo. 28080 Post office 13180 - Madrid"

http://www.masminutos.com


17lele

Also known as: ADW_17lele (TrendMicro) Adware-17Lele (Mcafee) Trojan-Downloader.Win32.Agent.et (Kaspersky) TR/Dldr.Agent.ET Trojan.Downloader.Agent.Et.S

Connects to the internet and downloads files without the user's knowledge.


180 Search Assistant

Also known as: Other Products: SVA Player SVAPlayer 180solutions 180 solutions MetricsDirect 180search Assistant 180 search Assistant

The company appears to have evolved from the old "paid-to-surf" program Epipo. Comes along with some "advertiser supported" programs, a tactic known as bundling. Depending on the program (180 Solutions markets several) it may pop up ads or, in the case of the Zango application, it may pop up other websites based on keywords you use while surfing or searching. It is important to note that 180 Solutions derives financial benefit by popping up these 3rd party websites. To the best of our knowledge 180 Solutions does not track or store personally identifiable information as per their privacy policy. However, it does transmit logs of every web page you visit. The URL or keyword is passed with a unique identifier to their advertising server when a targeted advertisement is shown. With the later versions of their software this logging can be disabled by using the tray icon. Heavily distributed through the use of "affiliates" via a process called bundling. Recent research by Ben Edelman (http://www.edelman.org) reports that it has been installed via browser security holes. We have also noted that 180 Solutions applications are often installed with a number of other adware programs at the same time, causing an extreme load on the PC. It has also been noted that these applications have been force installed by web sites (affiliates) or Windows Media files. The company claims it no longer distributes n-case, although it is unknown how many legacy installations are still in circulation.

http://www.180searchassistant.com/home.html


1st contact 3.02

It shows targeted ads on the user's computer based on the content of the user's searches. From the author's EULA: 1. Web3000.com and JSoft Consulting may provide aggregate statistics about customers such as your traffic patterns, and related site information to reputable third-party vendors in order for Web3000.com and JSoft Consulting to obtain valuable promotional offers to provide to you. 2. In order to provide this service, Web3000.com and JSoft Consulting collect information on your web usage that remains anonymous to third parties. 3. Without revealing your Personal Information to third parties, Web3000.com and JSoft Consulting will seek out high-value offers and great deals from commercial partners and advertisers that match your interests.


2-Seek

This adware product takes the form of a toolbar downloaded via an ActiveX control. Its behavior is very similar to that of ISTBar and 2020Search.

http://www.2-seek.com


2000Cracks

Also known as: 2000Cracks.100 Bigorna.100 GateCrasher.110 NetController.108 Sparta.110 VagrNocker.120 VagrNocker.200

This is a trojan originating from evil eye software. Infection consists of a single executable called sparta.exe.


2020Search

Also known as: Istbar.2020Search

This toolbar is installed by ActiveX download from their website. You must first check a box signaling that you have read their very long EULA. It will prompt you to install the file and before you know it you have a toolbar on your IE browser. From their EULA paragraph 3: "THE TOOLBAR MAY BE OFFERED TO YOU BUNDLED WITH ANOTHER THIRD PARTY SOFTWARE APPLICATION (A "THIRD PARTY APPLICATION"). SUCH THIRD PARTY APPLICATION IS OWNED OR LICENSED BY A THIRD PARTY AND THIS EULA DOES NOT APPLY TO YOUR USE OF SUCH OTHER THIRD PARTY APPLICATION, REGARDLESS OF WHETHER THE TOOLBAR AND THE THIRD PARTY APPLICATION CAME BUNDLED TOGETHER. YOU AGREE THAT 2020SEARCH SHALL NOT BE RESPONSIBLE FOR ANY LOSSES, DAMAGES, INJURIES, CAUSES OF ACTION, CLAIMS, DEMANDS OR EXPENSES, INCLUDING LEGAL FEES AND EXPENSES, OF WHATEVER KIND OR NATURE ARISING OUT OF, RELATING TO OR RESULTING FROM THE THIRD PARTY APPLICATION."

http://www.2020search.com


20x2p

This is older adware. Its website has apparently been shut down due to abuses. It is unknown if legacy versions still exist.

http://www.20x2p.com


2M Free Tetris

2M Free Tetris bundles potentially unwanted software such as Comedy-Planet and webHancer.


2nd-thought

Also known as: Second Thought Trojan.Win32.SecondThought.ag SecondThought SecondThought.A

Accepting their "second opinion when you surf" actually gives you a toolbar named "Mysearch". 2nd-thought will redirect your searches as long as it is installed on your computer. It is a browser hijacker that will reset your home page and often redirect your searches to porn sites. Sometimes it will prevent you from changing your home page.

http://www.2nd-thought.com


2Search

Also known as: Adware.2Search (Symantec) clsIESpy GoogleCatch 007guard 007Installer The007Guard msnnames msn names IM Names IMNames

2Search is an adware component that installs as a Browser Helper Object, tracks keywords entered into search pages and displays advertisements. For specific search words, this adware inserts custom results (exactly 3 results) at the top of Google's results page. It tracks search words entered in Google and other search pages, then sends them to its controlling server.


3D Falling Icons

3D Falling Icons installs 180search Assistant, Seekmo Search Assistant, and Zango Search Assistant along with it. From the EULA: The Licensed Software will run in the background on your computer and may periodically direct you to our sponsors' websites. By installing and/or using the Licensed Software you grant permission for 180 to periodically display sponsors' websites to you.


404Search

404Search is adware targeted at 404search.com. It uses sites controlled by the Kanoodle search engine. The 404search engine uses an IE BHO named 404search.dll.

http://www.404search.com


764 Dialer

Dialers are software that dials a phone number. This usually happens without the end user knowing about it - causing long distance charges.


7AdPower Dialer

This dialer makes it easy for their advertisers to collect statistics on their product. From their website: "Our service includes: Worldwide billing Statistics/reports are in real time with drill down capabilities Unlimited Webmaster and Technical Support GlobalPhon supplies you content to market your traffic better"

http://globalphon.com/index.asp


7AdPro

This adware enables Madison Administration Inc. to display ads from their affiliates. From their website: "Each ad delivered points directly to your site allowing you to control your content and try new approaches instantly." This refers to the advertiser portion of their website.

http://www.7adpower.com


91Cast

Also known as: WebCastAccelerator

91Cast displays pop-up advertisements.


96mm

Allows attacker remote access to computer.


??rvices.exe Trojan

A polymorphing Trojan that uses multiple startup entries.


A Better Internet

Also known as: ABetterInternet SPYW_BISPY.A [Trend Micro] PSW.Bispy.A [Trend Micro] TR/BiSpy.DLL.B [Trend Micro] Adware.Binet [Pest Patrol] ceres nail.exe nail DRPMon Best Offers Network binet

This adware program has an .EXE and a .DLL file component. The .EXE component looks for certain registry entries and deletes them, while the .DLL component maintains a particular registry entry related to a BHO. Often this product is bundled with more than one adware program. There are reports of Ceres and Nail.exe being bundled and distributed through unlicensed content via BitTorrent. The company denies responsibility for distribution and claims this occurred through "rogue affiliate distributors".

http://www.bestoffersnetworks.com/


A-311 Death 1.02

Allows remote control of the infected machine.


A-Trojan 2.0

Also known as: BackDoor-JJ Bck/A-Trojan.20 Trj/PSW.Atrojan Trojan.PSW.Atrojan.20 Win32.PSW.Atrojan.20 Win32/PWS.Senha.Trojan InsaneNetwork.400

The site where this trojan originated has been removed. It is unknown whether legacy versions of the main executable are still in circulation.


ABCScrabble

ABCScrabble is a vector for YourSiteBar, Comedy-Planet, webHancer, etc and displays popup advertisements based on websites visited.


Abotus

Also known as: W32.Abotus.Worm@m, Aboutus, I-Worm.Aboutus

Abotus is a worm that will attempt to reply to all messages in the Microsoft Outlook inbox.


About Blank

Also known as: about:blank

An invasive hijacker that copies multiple files and morphs its startup entries on every boot to avoid detection and removal. Symptoms include: About:Blank as your homepage; excessive pop-ups (normally porn related); randomly generated file names. This is quite possibly one of the most difficult kinds of infection. Many times, in order to get a computer completely rid of this pest, a professional spyware researcher must be consulted.


ABox

Also known as: Downloader.Abox Troj/Abox-A(SOPHOS) FunBox

Downloads unwanted software without the user's knowledge. Uses FTP and HTTP to connect to its server. Installs a tray icon with shortcuts to porn sites.


Absolu-trans

Absolu-trans is a dialer program used to access pornographic websites by dialing a high-cost phone number using the modem.


Absolute Yukon Solitaire

This is an ad-supported free software download. There is also a deluxe version available without adware. Before the installation begins you are shown a EULA which states that 'advertising technology' will be installed with the program. During installation, you are asked to fill out a survey. It asks questions such as income status, gender, education, zip code, and your interests. This is to better understand what kind of advertisements to send you.

http://www.absoluteyukon.com/


ABX Toolbar 1.0

Also known as: Adware.ABXToolbar [Symantec]

Popular domain names are being directed to rogue servers through an attack dubbed "DNS cache poisoning". Upon landing on these web addresses, the ABX toolbar gets loaded onto the PC. This appears to happen via an ActiveX control embedded in multiple iframes. ABX is a Browser Helper Object (BHO) that displays a large number of unlabeled pop-up ads. The Search Page and Start Page of Internet Explorer are also modified. ActiveX control installation can be vaccinated against by using the Free SPG Blocklist at http://www.spywareguide.com/blockfile.php

http://www.abx4.com


AccessPlugin

Also known as: Ngd DCON

Dialers are software that dials a phone number. This usually happens without the end user knowing about it - causing long distance charges.

http://www.accessplugin.com


Ace Club Casino

This is an ad supported gambling program. This program displays gambling related pop-ups when surfing the internet.

http://www.aceclub.com


AceNotes Free

Also known as: Ace Notes

ABX Toolbar displays popup ads in Internet Explorer (IE) and modifies the user's Search and Start pages without consent.


Acid Shivers

Also known as: Acid Shiver Backdoor.AcidShiver.Kor PWS-Shivers Trojan.PSW.AcidShiver

From the website: "This trojan runs on a random tcp port each time it's started and it sends an email to the infector, telling them the info. To connect to it, you need to connect via telnet on the specified port. Everything is command line based but it's still a very good Trojan. Btw if you add a cool feature please remember this is an open source project..." Functions - Lists most of the commands (description of command) - Hide a task from control + alt + delete - Show a hidden task in control + alt + delete - List Contents of Current Directory - List Contents of Current Directory - Change To Specified Directory/Drive - Clear Screen - Kill Process by PID (Shown in PS) - Shows Running Processes - Deletes Specified Files - Change Port Acid Shiver Listens on (Until Next Reboot) - Change to default Windows Desktop folder - Change to Windows Recent folder - Change to default WS_FTP folder - Show Version Number of Acid Shiver - Show physical, RAM, CD-ROM, and Network drives - Relay connection to host on port, Control + C to abort - Sendkeys to active window - Show Ethernet stats and physical address - Rename the users computer - Shows DOS Environment variables - Beeps the specified number of times - Type 'CDROM' for more information - Terminate Acid Shiver - Rename a specified disk drive - Type 'Shutdown' for more information - Retrieves information on specified drive - Disconnect a session by socket index show in 'STATUS' - Shows users current system date - Shows some general system information about host and user - Show the state of all sockets used since last reboot - Retrieve specified file - Retrieve specified file in hex form - Run the specified shell command - Run the specified command and display results (may lock up) - Make a new directory - Remove a directory and all files and subdirectories inside - Copy file1 to file2


AcidBattery

Also known as: BackDoor-DE, Backdoor.AcidBattery

Features: "fun stuff", hide C-A-D, freeze sys, FTP, screendump, ICQ sniffer, msgbomb, delete files, shut down system. Compressed with ASPack. Their website is listed as not active. It is unknown whether legacy versions of this trojan are still in circulation.


Acidoor

Also known as: Backdoor.Acidoor, Backdoor.Acidoor.11

Acidoor is a Trojan that gives a hacker unauthorized access to your computer. By default, it uses ports 4432 and 4433. It is unknown whether this trojan is still in circulation.


AckCmd

This will give an attacker access to your computer. It is unknown if this trojan is still in circulation.


Aconti

This will dial a pornographic number causing massive telephone charges. Translated from Italian to English: This is the disclaimer: Attention: situated classified to the adults This situated one contains of the elements audiovisual aids (images, clip video) and/or of the witnesses to erotico and pornografico character. It introduces moreover of the situations to sexual character that put in scene of eterosessuali, bisexual, homosexual or transessuali the persons. The persons of inferior age to the 18 years, as also those susceptible ones of being annoyed from a similar content, are not authorized to visit this situated one and are they prohibited to approach you directly or indirectly or to telecaricare, to acquire, to visionare, to read, to listen to or to possess whichever document of this situated one, like as an example photographic rows, acoustic rows video, rows, written elements, advertising elements or whichever other message, mass media or contained you belong to this situated one. If an inferior age to 18 years is had, also is formally prohibited to pass to an order for an article or a service supplied on this situated one. Parimenti, whichever not authorized reproduction of the content of this situated one is formally vietata. La consultation of whichever document contained on this situated one is classified to a public adult and in places in which the document consultation such it turns out in conformity with the customs, the rules and the laws in vigor.


Acropolis

Also known as: Backdoor.Acropolis.10, BackDoor-NM

When launched, the Trojan opens a network connection on ports 32791 and 45673. This gives a remote operator the capability to use your computer to send messages using mIRC.


Active Shopper 1.205

Also known as: Adware-ActivShop(Mcafee) Activshopper Activ shopper Activeshopper Dealbar

This program adds a sidebar to Internet Explorer. The sidebar launches every time something is searched for on well-known search engines like Google, Yahoo, MSN, Search.com, Ask, AOL, etc., and shopping sites like amazon.com.

http://www.activeshopper.com/


Active-X Dialer

From their website: Our Active-X Dialer provides access to users with a modem as well as cable / DSL / LAN users.

http://www.global-acces.com/


ActiveSearch

Also known as: 411 Active Search Wast Giant Explorer 411 Ferret

This software program is much like their other two products siteguide and travelcover. They monitor searches so that they can target advertisements to show you. Their site is no longer active. There may be legacy versions of this software still in circulation.

http://www.activesearch.com


ActualNames

Also known as: AdvSearch SearchPike BrowseProxy Actual Names

The ActualNames software is an address bar search hijacker targeting IE, Netscape and AOL browsers. It also seems to contain components to interfere with the sending of mail from various applications and web sites. However, the function of these files has not been pinned down. ActualNames can silently download and execute arbitrary unsigned code from its controlling server actualnames.com, as a self-updating feature. ActualNames/BrowseProxy is also a severe security hole as it allows any web site to execute arbitrary programs.

http://www.actualnames.com


ACXInstall

Also known as: httpload

An ActiveX control that downloads and installs files. Used by ispdialer.com (now nocreditcard.net) to install premium-rate diallers, generally for porn sites. This is a pay-per-month pornography site.

http://www.nocreditcard.net


Ad Armor

Also known as: AdArmor

This is a rogue anti-spyware application. This is listed on the Rogue Anti-Spyware list from Spywarewarriors. http://spywarewarrior.com/rogue_anti-spyware.htm

http://adarmor.com


Ad Behavior

Advertisement software that creates pop-ups and is usually bundled with other adware applications.


Ad Popper

Also known as: Ad-Popper

Little is known about this adware program's origins.


AD.Banners

Displays banner advertisements on the user's desktop.


AdBars

Also known as: ad bars Dialer.Rubosk(Sunbelt)

This is an adware program that centers around a toolbar that attaches itself to your Internet Explorer browser. This is a Spanish adware program.

http://www.adbars.com


Adblaster 1.7

Also known as: ESD Technologies, Inc

Adware, also known as an Adbot, can do a number of things, from profiling your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled with other software (e.g. peer-to-peer file swapping products) without the user's knowledge or slipped into the fine print of a EULA (End User License Agreement). Not all Adware is bad, but often users are annoyed by adware's intrusive behavior. Keep in mind that by removing Adware sometimes the program it came bundled with for free may stop functioning. Some Adware, dubbed a "BackDoor Santa", may not perform any activity other than to profile a user's surfing activity for study. Adware can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall. A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA. It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA, e-mail the company and ask them for clarification. If they cannot clarify this, do not install the software. From the Website: "The Adblaster Corporation offers advertisers a breakthrough way to communicate one-to-one with millions of consumers, anywhere on the web. With patent pending filtering technology we can deliver pop campaigns to our users that never appear next to objectionable material"


AdBlock

AD-BLOCK is a software application, which is intended to suppress "pop-up" windows from appearing during use of Internet Explorer 5.0 and higher, operating on Microsoft Windows 95/98/ME/2000/XP platforms.
AD-BLOCK also directs Internet Explorer 5.0 to a search page when the user enters a Uniform Resource Locator which is non-existent or otherwise would resolve to an error page or other browser redirection service, in order to provide a search function for finding internet resources as directed by the user. Linkz Internet Services does not maintain individually identifiable user information, nor does Linkz Internet Services maintain any record of information entered by the user into their browser during operation of AD-BLOCK. In the performance of the search re-direction function, the user may be directed to a search page operated by Linkz Internet Services or its affiliates. In such an instance the web server may maintain customary records of the user's IP address, the date and time of access, and will record the search query made by the user for the purpose of generating aggregate search statistics.

http://adblock.linkz.com/Home.php


AdBreak

Also known as: Adbreak.d

AdBreak consists of a Browser Helper Object which opens pop-up advertising as you use Internet Explorer, and a task run at startup which hijacks your home page, search and error pages to point to AdBreak's servers. AdBreak appears to be out of circulation. Its domain name, adbreak.com, is listed for sale.

http://www.adbreak.com/


AdCalls

AdCalls is a dialer that enables the user to call anyone in the US or Canada at anytime on their home or mobile phones. This also includes International calls. Some advertisements, special offers, and coupons are included directly from the ad viewer.

http://www.adcalls.com/iframe_2.html


Adcheat 1.0

Also known as: AutoAlexa

This is a trojan that installs the alexa toolbar without user consent in order to inflate the alexa ranking of the distributor's website.


AdClicker

Also known as: Troj/Fakespy-B ADclicker-BM(Mcafee)

Runs in the background and periodically pops up a warning that there is a problem with your computer. Can display a warning message from the system tray that your computer has spyware. Clicking the warning message will take you to a website to download antispyware software that does not do what it claims. This adware program could also be called a trojan due to its elusive installation and hijacking methods.


AdDestroyer

Also known as: Ad Destroyer

Advertised as a spyware remover. This software delivers ads to your computer and may or may not be targeted to your search. http://www.addestroyer.com is no longer active.


AdGoblin

Also known as: Adsincontext Adgoblin - Adsincontext

Not much is known about this system, except that it installs popup ads on the user's machine and has "callbacks" to the controlling server. This site is no longer active.

http://www.adgoblin.com/


Adh1_sexarea

Also known as: HOT Dialer

Adh1_sexarea is a dialer which can be used to access pornographic websites by dialing a high-cost phone number using a modem.


AdLogix

Also known as: ad logix Adware.Adlogix (Symantec) Adware-AdStart (McAfee)

From the publisher: Adlogix is a next-generation ASP providing an intelligent technology platform to help advertisers, publishers (website owners) and media buyers plan, manage and distribute any rich media or advertising campaign over the internet, ITV or wireless devices. Has been seen to be installed with a rootkit to hide files.


AdManager

This adware program sends you ads based on your internet behavior. From their website: "AdManager allows you to increase targeting capabilities, to speed ad delivery, and to monitor and control inventory projections in real-time, leading to higher CPMs and less unsold inventory. AdManager's flexible architecture provides innovative online ad management technologies both as an outsourced solution (AdManager Hosted) and as a site-side solution (AdManager Licensed)."

http://www.accipiter.com/products/admanager.php


Admess

Also known as: BHO.WStart

Many users complain about this adware program infecting their computer as a BHO. Users should be cautious of WStart.dll showing up on their computer as a 02 entry in X-ray PC.


AdPartner

Also known as: Ad Partner


ADpop.DW

Registers itself as a Browser Helper Object. Displays popup advertisements.


Adpower.b

Also known as: TrojanClicker.Win32.Adpower.b adpower ad power

This is a dialer application used by some adware programs.


AdPowerZone

Also known as: Pugi/SearchExplorer


AdRoar

Also known as: AdRoar Adware.AdRoar

AdRoar is a Browser Helper Object that is used to display pop-up advertisements. May download and install updated versions of itself.

http://www.adroar.com/


AdRotator

Also known as: Iconads

AdRotator will display advertisements on your computer.

http://adrotator.com


ADS Adware Remover

This is a rogue anti-spyware. This is on the Rogue Anti-Spyware list provided by Spywarewarriors.com http://spywarewarrior.com/rogue_anti-spyware.htm

http://adware-remover.net


AdServerNow


AdsStore

Also known as: Ads Store

Displays ads from the ads-store.com website.


AdStatus

Displays popups and popunders.


AdTest


Adtomi

Adtomi is a stock tracking program that will display pop-up advertisements in the background. Adtomi hijacks the user's home page and opens pop-up windows.

http://www.adtomi.com


Adtraffic

From their website: The AdTraffic search assistant software resides in the Address Bar of your browser enhancing your online experience without interruptions. AdTraffic sits in the background of a user's computer and only presents itself when a URL is misspelled, a keyword is written in the address bar, or a broken link is clicked. When a URL is misspelled or a broken link is clicked, AdTraffic will deliver a page where the user can correct the error and search for the correct purpose. When a keyword is typed into the address bar the software will deliver direct search results based on the keyword indicated. The results are made up of 20 different pay per click search engines, delivering relevant quality results the user can browse to find what they are looking for. Changes the Internet Explorer homepage and redirects error and search pages.

http://adtraffic.net


Adult Chat Dialer

Dialers are software that dials a phone number. This usually happens without the end user knowing about it - causing long distance charges.


Adult Dialer


Adult Hosts

"Adult Hosts" consists of large hosting networks that specialize in hosting large numbers of web sites devoted to adult content. Many of these large hosting networks offer their own advertising and metrics services for hosted sites, and may have ties to the distribution of adware, spyware, and dialers.


Adult Networks/Services

"Adult Networks/Services" consists of domains associated with companies and vendors that specialize in offering commercial services through or to the online adult content industry. These services may consist of advertising, metrics, content aggregation, registration & billing, and age verification. Many of these adult services may have ties to the distribution of adware, spyware, and dialers.


Adult-Links

Also known as: AdultLinks AdultLinks/LinkZZ AdultLinks/QcBar QaBar adultsearch Adult Links

Adds dubious links to your browser, desktop and start menu.

http://www.adultlinksco.com


Adult.LSDIALER

Also known as: Dialer.WE; lsdialer

Adult.lsdialer is an adult content dialer.


Adultoweb Dialer

Also known as: Dialer.Lusval (Symantec), Dial/Laet-B (SOPHOS), Global Cash Solutions Dialer

This will change your dial up settings to dial a specific number causing massive charges.


Advanced Cleaner

Advanced Cleaner displays fake alerts in trojan payloads in order to scare the user into purchasing their product.


Advanced Email Monitoring

From the website: Advanced Email Monitoring is new spy software tool from variety of Internet monitoring Software available today. Once installed on monitored computer it sends exact copies of all outgoing emails to your secret email address.

http://email-monitoring.net/


Adverbot

This is a trojan that will give an attacker access to your computer.


Advertbar


Advertismen

Advertismen delivers its own advertisements or third-party advertisements to the user's machine. It drops third-party advertisement software on the user's machine without their knowledge. From the EULA: A program that displays advertisements in a pop up window or directly inside the browser window. It adds discreet advertisements to your Internet Explorer, Netscape, Opera or Firefox browser windows that will display links to internet tools and pages. You allow that third party software may be installed with the Software and that advertismen.com shall not be liable to anyone with respect to such third party software.

http://www.advertismen.com


ADW.Da.Bomb

Also known as: AdwareEliteMedia (Sophos), Adware-BitLocker.dr (McAfee)

Installs as an Internet Explorer BHO. Displays advertisements while surfing the internet.


Adware.iptv-plugins

Adware.iptv-plugins delivers massive numbers of advertisements to the infected user's machine. It also slows down the performance of the infected computer.


Adware.semt

Also known as: Adware.Win32.Semt.a Semt

Displays advertisements on the user's machine. Installs through Adware Downloader.


Adware.Verticity

Also known as: Adware-Verticity (McAfee), Verticity.IEDriver (Sunbelt)

Verticity downloads and displays advertisements. Please do not confuse Adware-Verticity with www.verticity.com.

http://www.kitaramedia.com


Adware.WinProtect

Also known as: Winprotect

Winprotect is a simple program that will allow you to use an F Key as a shortcut to lock Windows 2000 or Windows XP. Winprotect Adware displays false pop-up messages in the Task bar. When clicking the pop-up, it redirects to a predetermined advertisement webpage.


AdwareDeluxe

Also known as: AlertSpy

This is a rogue anti-spyware. This is listed on the Rogue Anti-Spyware site by Spywarewarrior.com http://spywarewarrior.com/rogue_anti-spyware.htm

http://adwaredeluxe.com/


AdwareRemover2007

AdwareRemover2007 displays fake infection alerts and phones home to their site where a .cab file is installed through an ActiveX Control.


AdwareSafety

This is a rogue anti-spyware. They are listed on the rogue anti-spyware list provided by spyware warriors. http://spywarewarrior.com/rogue_anti-spyware.htm Uses false positives to scare users into purchasing.

http://adwaresafety.com


Afcore.q

Also known as: Backdoor.Afcore.q CoreFlood.dll Backdoor.Coreflood BackDoor.Afcore.20 Troj/CoreFloo-C Backdoor:Win32/Afcore.Q.dll TR/Afcore.Q Win32:Afcore BackDoor.Afcore.AI Backdoor.Afcore.Q

Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file). The Trojan has numerous functions that give attackers almost full control of victim computers.


Affilred


Agent-DJV

Also known as: Trojan.Win32.Agent.rx, TROJ_AGENT.ECN

May download and install other malicious components.


Agent-ECM

Once this trojan is installed, it phones home to several porn sites.


Agent-FXI

Also known as: Troj/Agent-FXI (Sophos)

This trojan has the ability to communicate over a remote connection through HTTP. Once installed, it will leave 2 rootkits on the victim PC that allow the attacker access to the computer.


Agent.B

Also known as: Backdoor.Agent.B W32/Morph.worm W32.Randex.gen BackDoor.IRC.Fuxor Backdoor:Win32/Agent.G BackDoor.Agent.C Agent.Y

Some variants seem to be related to Webrebates. Agent.b is a Trojan backdoor that opens the infected machine to remote access. Agent.b is packed with two packers: Morphine and UPX. The packed file size is 38 KB and unpacked - 104 KB. Agent.b is controlled over IRC channels. The controller can download and execute files on the infected machine.


Agent.BBN

Agent.BBN is a downloader trojan. It installs as a Browser Helper Object for Internet Explorer.


Agent.BCC

This is a trojan that drops a rootkit in the C:\Windows\System32\Drivers directory. It also displays Chinese advertisements.


Agent.bgg

Agent.bgg downloads files without the user's permission. The key threat of this trojan is the rootkit that is dropped. When fully installed, it will mask the rootkit with the MD5 hash of beep.sys to avoid detection.


Agent.DMT

Also known as: Jakposh (Symantec)

This is a trojan that allows the person distributing it to remotely control your computer by downloading an ICQ client to your machine. Other products, such as Spysheriff, are installed as well.


Agent.EYA

Also known as: Win32/TrojanDropper.Agent.EYA Trojan-Downloader.Win32.Small.iuq (Sunbelt)

Agent.EYA drops other files and can communicate with a remote server.


Agent.NEO

This is a Chinese-distributed Trojan that detects the best-known security applications in order to disable them. This trojan also has the ability to contact a remote mail server with network-sensitive information.


AGETiT Secure v2

Also known as: AGETIT_Secure_v2 (Sunbelt)

From Author: AGETIT Secure is a program which generates an executable file which when executed will download and execute any specified file from the net.


Agobot.gen

Also known as: W32/Gaobot.worm.gen.d, W32.HLLW.Gaobot.gen, Win32.HLLW.Agobot.3, W32/Agobot-BV, Win32/Gaobot.gen!, WORM_AGOBOT.RM, Worm/Sdbot.39936.B, Win32:Gaobot-268, Worm/Agobot, Backdoor.Agobot.3.Gen

This is a classical backdoor trojan that allows a 'master' to control the victim machine remotely by sending commands via IRC channels.


Aimaster

This trojan is most easily recognized by the file aimaster.exe running in the infected computer's running processes.


Aimface

Also known as: IconPop-aimface

Under Investigation

http://aimface.com/


Aimrat

This is a trojan that will give an attacker access to your computer.


AIMVision.14.a

This is a trojan that will give an attacker access to your computer.


Ajan 1.0

Also known as: Trojan.PSW.Ajan.10

From the Website: How do use Ajan: First you must configure it to send email to you. If you don't Ajan will never mailed you :)...For configuration run AjanConf.exe. Use this format: AjanConf.exe ajanServ.exe Program will ask you: Your email address, Mail server for sending mails (any valid mail server possible this step) Mail server port (mail servers actually use 25. port) Visible or hide running: you can choice visible or not visible run Ajan... (Recommended) After this steps configuration of Ajan completed. You can distribute Ajan server this step but we recommended first you bind a windows program (mirc, WinZip, crack patches, etc.) and after distribute. For insert Ajan into a normal program you can use AjanBind program... You need 3 thinks. 1. Ajanbase.exe (base file) 2. Ajan.exe (Ajan server) 3. Normal program (mirc, WinZip ...) And you can enter these programs while AjanBind ask. After you bind your Ajanbase.exe file convert to normal program that include Ajan program. And Ajan automatically runs when Ajanbase.exe run.


Akcom.11

This is a trojan that will give an attacker access to your computer.


Aladino Backdoor

Also known as: Aladino.a

Once installed, this RAT Trojan allows remote connect through port 5005.


Alexa Toolbar

Also known as: Alexa Toolbar, Amazon Toolbar

Alexa web search -- a new kind of search engine. With traffic rankings, user reviews and other information about sites, Alexa is a web site discovery tool. Features an Amazon shopping button on the product and anonymously aggregates surfing information. Provides clear EULA as well as opt-out instructions. Alexa web search combines the Google search engine with Alexa's comprehensive site information and puts it all inside an Amazon.com interface. It used to transmit an identification ID; however, Alexa no longer does this. Has a very clear EULA, but users should understand that their surfing habits will be anonymously aggregated. Note: There have been reports that secure URLs can be sent when using the "Related Site Function" due to a security flaw in Internet Explorer.

http://www.alexa.com/


Alexandra

Also known as: Backdoor.Win32.mIRC-based, Program.mIRC.603, Tool.HideApp

Alexandra is a trojan, which is spread via links in IRC chat. When run on the target PC, a new folder is created in the System32 Folder which contains configuration files for mIRC (a popular IRC chat client). The infected machine then joins a Botnet, and awaits commands from the Botnet owner.


AlexTrojan

Also known as: AlexTrojan.200 Crackdown.100

This trojan communicates through the infected computer's port 4444.


AlfaCleaner

Also known as: Alfa Cleaner XSRemover

From Alfa Cleaner website: Complete up-to-date protection from viruses, spyware, adware and hackers attacks. Other spyware removers are blind to most of the new threats. AlfaCleaner is not! Up-to-date features:

* Heuristic analysis finds and deletes the newest threats.
* Real-time protection is a deep system driver that blocks new spyware / adware / virus activity and offers to block / allow all strange system requests.
* Automatic updates keep AlfaCleaner up-to-date without bothering you.

AlfaCleaner uses false positives to scare users into purchasing the full version. Can be installed from Alfacleaner or installed from malware and windows exploits.

http://www.alfacleaner.com/


Alibaba Toolbar

Also known as: Adware.AlibabaTB (Symantec), Alibaba, Adware-AliToolbar (McAfee), AliToolbar

Alibaba Toolbar adds a toolbar with Internet Explorer and logs search keywords.


Alicia

This is a trojan that will give an attacker access to your computer.


Alien

Also known as: backdoor.alien

This is a trojan that will give an attacker access to your computer.


Alipay Exploit

There exists a remote code execution vulnerability in "pta.dll", the password input control of the Chinese payment processor Alipay. A remote attacker who successfully exploits this vulnerability can take complete control of the affected system. The original article can be found at http://ruder.cdut.net.


All-In-One Telcom

Also known as: Hot Action Dating Dialer


allth.at

The Search that Never Stops. Allth.at will keep looking for your item on the sites you select and report new search results back to you. You can also choose to have new results emailed to you or, you can subscribe to the RSS feed and have your new search results delivered right to your RSS reader.

http://allth.at/home/welcome


Almaster

Also known as: Backdoor.Win32.Almaster

This is a RAT Trojan that allows someone to remote connect onto the infected PC.


Altnet

Also known as: Alt Net AltnetPointsManager Points Manager

This Browser plugin comes with Kazaa. It acts as a search engine, and supplies advertising to Kazaa users.


Alvgus

Also known as: Backdoor.Alvgus.a.exe

This is a RAT (Remote Administration Tool). It could be used to gain access to your computer.


AlwaysUpdateNews


Amanda

Also known as: BKDR_AMANDA.A (Trend Micro)

This is a RAT that allows someone to remotely connect into the infected PC. Amanda operates over TCP ports 20, 28, 10012, 10013, 11011, 23032.


Ambush 1.0

Also known as: BackDoor-FO [McAfee], Backdoor.Ambush [Kaspersky]

This Trojan will attempt to give the attacker remote access.


AmeriClicks


Amiboide Uploader 2.0.0

The attacker can take control of the victim's machine once the server application has been dropped. Amiboide Uploader has features to transfer files and take control of the hard drive.


Amitis 1.3

Also known as: Amitis 1.2

This trojan will compress files on the victim's PC and then download them, and convert pictures on the victim's computer.

http://h2kclan.com/index.php?caty=hacking


AnaFTP.01.a

Also known as: backdoor.AnaFTP.01.a

This is a trojan that allows for a hacker to remotely connect and transfer files onto the infected PC over FTP.


AnalyzeIE

Also known as: Trojan.StartPage.O (Symantec), CWS.AnalyzeIE Module (Research-Sunbelt), Troj/Small-EI (SOPHOS), TROJ_SMALL.AFG (TrendMicro)

AnalyzeIE is a trojan that changes the browser settings such as default startpage of Internet Explorer. It usually comes into user computer by exploiting browser vulnerabilities. It is also capable of downloading and executing other components.


Andlotsmore.com dialer

It is a dialer that connects to servers with pornographic content.


Anger

Also known as: Anger.Trojan

Implements a PPTP challenge/response sniffer. These c/r can be input into L0phtcrack to obtain the password, and an active attack on PPTP logons via the MS-CHAP vulnerability to obtain the user's password hashes.


Anicmoo

The site is CoolWebSearch. It tries to load a dialer, a trojan called Anicmoo (Norton), two ByteVerify trojans (Parser class and Counter class)


ANICMOO.AV

Also known as: TROJ_ANICMOO.AV (Trend Micro) Troj/Animoo-H (Sophos)

This worm is distributed through exploit .ani files that appear as JPEGs. This exploit affects fully patched Windows XP SP2 systems through IE 6 and IE 7. Vulnerable systems include:

- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 for Itanium-based Systems
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition
- Microsoft Windows Vista

The worm is also distributed across the network via mapped network drives and shortcuts to a network location. It will infect all executable files with the worm. It also attempts to write to the floppy drive of the infected PC, which often causes seemingly random floppy drive activity; if no floppy disk is inserted, the user might be presented with an error regarding a floppy disk, even if no floppy disk has recently been used. If successful, it will write a copy of the worm's main executable (tool.exe) and an autorun.inf file. If the floppy is inserted into a clean PC, it will infect it. Please refer to Microsoft Security Bulletin MS05-002 for information on the animated cursor vulnerability. A tell-tale sign that a PC is infected with this is an error message called "Windows - No Disk" that says, "Exception processing message c0000013 75b6bf9c 4 75b6bf9c 75b6bf9c."


AnnoyingSaver

Also known as: Trojan.Win32.AnnoyingSaver AnnoyingSaver Trojan Horse Trojan.Annoy Troj/Annoying Trojan:Win32/AnnoyingSaver TROJ_ANNOYSAVR.A Win32:Trojan-gen. Trojan.AnnoyingSaver.A

From Viruslist.com: This Trojan horse installs a screensaver and doesn't allow it to be removed.


AntAv

Also known as: Ant.AV

AntAv attempts to disable anti-virus applications.


Anthena 4.0


ANTIantivirus 1.4

Also known as: MultiDropper-DM.cfg trojandropper.win32. TrojanDropper.Win32.ZomJoiner.14

http://smoke2k4.narod.ru/


AntiArp

This is a trojan that creates a service by installing rootkits called antiarp.sys and hbkernel.sys. It tampers with numerous Windows Processes in order to control the victim machine.


AntiBTC

Also known as: Ataka IEPatch.PWL.Trojan Trojan:Win32/AntiBTC TROJ_ANTIBTC.A TR/Ataka Win/Po-zdrawi.28416.trojan Ataka-AntiBTC Trojan.Win32.AntiBTC Trojan.Win32.AntiBTC.a

From Viruslist.com: This Trojan arrives as an executable file (we got it named IE0199.EXE). When it is run, it extracts two files from its body (MPREXE.DLL and SNDVOL.EXE) and copies them to the Windows system directory. Note: the MPREXE.EXE executable file (not a DLL) is one of the standard Windows files. The Trojan then registers the MPREXE.DLL file in the system to force the system to run this file upon each reboot. The registration is done depending on the Windows version either in the system registry, or in the SYSTEM.INI file in [boot] section in the "drivers=" string. The MPREXE.DLL file is pointed as auto-executed. When executed, the MPREXE.DLL file just executes the SNDVOL.EXE file and exits. The SNDVOL.EXE file enables auto-dialing by changing the system registry Internet options, randomly selects one of three Bulgarian Web servers (www.btc.bg, www.infotel.bg, ns.infotel.bg), connects them and sleeps for some time. The Trojan does not perform any other actions.


AntiDenial

This is a trojan that installs an adware payload once installed.


Antilam.gen

Also known as: BackDoor-KF Backdoor.Trojan.Client BackDoor.Thex.12 Troj/Bdoor-KJ Backdoor:Win32/Antilam Win32:Trojan-gen. BackDoor.Antilam.AL Backdoor.Antilam.2.0.R

Antilam is a family of remote administration trojan programs. The backdoor code allows remote users to control victim computers over a local network or the Internet. Most of the features are configured by the hacker(s) exploiting Antilam by using a special server editor program. The remote administration commands allow Antilam to perform the following actions on victim computers:

- shut down or remove the trojan program
- gather system and owner information
- load and eject CD-ROM contents
- "mess" with the Windows Desktop contents
- turn off or speed up the mouse movement
- show user-defined messages
- manage open windows
- restart or shut down the computer
- change the system date
- turn off the keyboard
- manage files on victim computer disks
- gain full access to the system registry
- change screen resolution
- save any information that is typed by the victim
- print user-defined texts
- change Windows color schemes
- manage dial-up connections
- manage the remote clipboard
- chat with other hackers that are connected to the victim computer


AntiLeech

Also known as: AntiLeech Plugin

This will generate pop-up advertisements on your computer.


AntiPC 1.1

Also known as: Backdoor.AntiPC BackDoor-APJ

Trojan or Trojan Horse is a general term that refers to programs that appear desirable, but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer where a hacker can "remote control" your machine. A trojan may also carry other payloads, like a virus or worm, which then spread more damage.


AntiSpySpider 1.3

Also known as: Antispy Spider

AntispySpider reports false errors and security threats on computers.

http://www.antispyspider.us/


AntiSpywareXP

This is a rogue anti spyware and should be removed.


AntiVermins

This is another Rogue Anti-Spyware. This is on the Rogue Anti-Spyware list. http://spywarewarrior.com/rogue_anti-spyware.htm. Have seen multiple logs where the Trojan.Media-Codec was installed as well. http://www.spywareguide.com/spydet_2839_trojan_media_codec.html

http://www.anti-vermins.com


AntivirAsistant

This is a rogue antispyware; if found on your computer, you should remove it ASAP.


AntiVirGear 3.8

This is a rogue security application that is installed with the trojan, Myzor. Once installed, it lures users to purchase their scanner in order to remove the trojan installed.

http://www.antivirgear.com


Antivirus 2009

This is a rogue anti-spyware. This should be removed from your computer if found.


AntiVirus Protector

This is a rogue anti-spyware. This is listed on the Rogue Anti-Spyware list from Spywarewarriors.com http://spywarewarrior.com/rogue_anti-spyware.htm

http://antivirusprotector.com


Antivirus Solution

This is a rogue anti-spyware. This is listed on the Rogue Anti-Spyware site from Spywarewarrior.com http://spywarewarrior.com/rogue_anti-spyware.htm

http://6d-antivirus.com


Antivirus-Gold

Also known as: AVGold

Advertised as a spyware removal program. It is usually installed by a trojan and can install the Winnook Trojan. After installation, an icon appears in the tray, and once the user clicks on the icon, a web browser opens to the site http://www.antivirus-gold.com

http://www.antivirus-gold.com


Antixbot

Also known as: Antixbot.a (Symantec)

Antixbot is a worm which attempts to spread through Windows Live Messenger. It changes IE HomePage to http://www.imtools.org without user's knowledge.


ANWB Toolbar

Installs itself in Internet Explorer as a toolbar.

http://route.anwb.nl


AOL Trojan

Also known as: Buddylist

Inserts several different files that are all connected to one another. These file names are generated randomly with the same file size. Most are found in the C:\WINDOWS\System32 folder. It is possible for someone to perform any of the following actions:

- Enable and disable Ctrl+Alt+Delete
- Enable and disable the Start button
- Reboot or shut down the computer
- Move the mouse pointer
- Open or close the CD-ROM drive tray
- Read or delete AOL mail
- Hide or show the task bar
- Locate a member on AOL
- Monitor AOL Instant Messages
- Send an Instant Message


AOL.Buddy.a

Also known as: APStrojan.ob AOL.PWSteal.32512 Troj/Aolps-OB Trojan:Win32/PennyTools.236544.A TROJ_AOL.BUDDY W32/PennyTools.trojan Win32:Trojan-gen. Trojan.AOL.Buddy.a

The "Trojan.Aol.Buddy" is an AOL password stealing Trojan. Two versions are currently known (by May 1999).


Appoli

Also known as: Adware-Appoli (McAfee), Adware.Appoli (Symantec)

Appoli is an adware program that shows pop up advertisements. Appoli installs as a Browser Helper Object for Internet Explorer. It is usually dropped by a downloader trojan.


Appzplanet

This is a browser plugin. It pings back to secure.toolbarhost.com and appzplanet.com.

http://www.appzplanet.com


AproposMedia

Also known as: pop People On Page Envolo Apropos Media Pop!

AproposMedia is the advert-showing part of the 'PeopleOnPage' program, an Internet Explorer sidebar which claims to show a list of other users of the current site. From their Website: POP! World is being provided to you free of charge in exchange for your agreement to download and view advertising served via ContextPlus (a proprietary browser-based advertising delivery system). ContextPlus will deliver advertising on your computer screen on behalf of POP advertising clients. These advertising clients may be competitors of the publishers whose Web pages users may be viewing or may have viewed recently. By viewing advertisements served via ContextPlus ("ContextPlus Ads"), POP is able to subsidize the cost of providing you POP! World

http://www.peopleonpage.com/


Aquadoor

Also known as: Backdoor.Aquadoor Aqua.020

This is a trojan that installs its adware payload through port 6655 on the infected PC.


Aquax Nuker

Also known as: Vai-te

This is a worm that propagates itself over ICQ chat. It can be triggered in several different ways, including certain away message text, messages, and a series of swear words.


Arape.a

Also known as: Backdoor.Arape.a

This Trojan will change your browser and also give the attacker the ability to access and send files from and to your computer.


Arctic.06

Also known as: Backdoor.Arctic.06

This Trojan will give the attacker remote access.


Arhiveus

Also known as: MayArchive.b (F-Secure), Trojan.Archiveus (Symantec)

Archiveus bundles randomly selected files (mostly data files) from your computer into a password-protected archive and deletes the original files. It then asks you to buy any product from a specific site to get your files back. Presence of one or all of the following files may indicate that Archiveus has affected your computer:

%SystemDrive%\EncryptedFiles.als
%UserProfile%\My Documents\Demo.als
%UserProfile%\My Documents\EncryptedFiles.als
%UserProfile%\INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt

The files 'EncryptedFiles.als' and 'Demo.als' contain the original files in archived form. File 'INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt' has the instructions you must follow in order to get your files back. The content of 'INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt' is shown below.

====================

INSTRUCTIONS HOW TO GET YOUR FILES BACK

READ CAREFULLY

This is automated report generated by auto archiving software. All your documents, text files and databases was archived with the long password. You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations). Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. System backup will not help you to restore files. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information. WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us.

If you really care about the documents and information in encrypted files, you should send an email to restoring@[blocked].net or restoringfiles@[blocked].com This is your only way to get your files back and save your time. We do not want to do you any harm, we do not ask you for money, we only want to do business with you.

Remember you are just one step away from your files

====================

Once you reply to the given email ID, you will get a reply mail like the one shown below.

====================

How to get your information back.

1. Follow the link below http://[blocked].info/?570b5653aF03c0e3d6Adfc029aTdca79 and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.
2. Choose any product you like and buy it.
3. Send an email with your order id to our email address restoring@[blocked].net or restoringfiles@[blocked].com

The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.

We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted! We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy. We guarantee that you will be able to restore all the encrypted information and we can prove it.

Doubleclick on the file Demo.als and enter the following password: kfnr3kseo2uurnn33xxss883hd731bdjaebq The encrypted information will be restored in several seconds. The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us. We guarantee that you will never be asked to buy anything in our online pharmacy again. We do not want to do you any harm, we do not ask you for money, we only want to do business with you.

====================


Aristotles

Also known as: Aristotles.100

From 2-Spyware.com - This parasite is a mIRC infector, which specializes in damaging this popular chat client. In case of success of its actions, this pest becomes able to monitor user's activities and steal his or her messages and passwords. This technique is tremendously dangerous, because it can often result in the loss of user's accounts


Armageddon

Also known as: Backdoor.Armageddon.10 MultiPager-A [McAfee] TrojanNotifier.Win32.EES.a

Armageddon is a Backdoor Trojan that infects Windows 9x. When run it can give unlimited access to a system to anyone running the appropriate client software. The Trojan was discovered in France. To work, it requires components be gathered from different web pages.


Armitage

This is a trojan that is installed through a JavaScript exploit. Once installed it has the ability to log sensitive information such as passwords entered on unsecured websites.


AroundWeb toolbar


Arsd Backdoor

Also known as: Backdoor.Arsd

This is a RAT that can gain remote access to your computer.


Ascreen.a

Also known as: Backdoor.Ascreen.a

This is a trojan that installs an adware payload.


Ashley


Ashlt

Ashlt is a spyware program that sends out private information.


ASpam

Also known as: W32.ASpam.Trojan.B (Symantec)

The installer was attached to a mass-mailing from Microsoft (aspam@microsoft.com), offering an anti-spam feature for Outlook Express. Creator unknown.


Assasin Backdoor

Also known as: Assasin

The Assasin Trojan Horse allows unauthorized access to the infected computer. This Trojan Horse also attempts to terminate the processes of many executables, including various firewall and antivirus programs.


Assasin Trojan 2.0

Also known as: Backdoor.Assasin.10, Backdoor.Assasin.11 [AVP], BKDR_SANISI.A

Sophisticated trojan. Has features of most trojans, e.g. open/close CD drive, pop-up messages, upload/download files, etc. Also attempts to counter attack many executables, including various firewall and antivirus programs.


Assassin

Also known as: Assassin.100 Backdoor.Assassin

This trojan communicates over port 6669 in order for it to drop its adware payload.


Asylum

Also known as: Asylum 0.1

This is a trojan that installs an adware payload onto the infected PC through a remote connection.


ATGames


Atomic Clock Sync

Also known as: Adw.BestOffersNetworks.AtomicClockSync(Sunbelt)

It synchronizes the user's PC clock with an atomic clock time server. The application also bundles several other adware programs.


AtomicTime

Atomic Time synchronizes local time with a central time server. It acts as a vector for AproposMedia. From the EULA:

1. ContextPlus (CP) will periodically deliver advertisements and promotional messages to your computer based, in part, on your interests as shown by the websites you view.
2. ContextPlus AdServer software, described in detail below, delivers ContextPlus advertising and various informational or promotional messages to computer screens while users view Internet Web pages ("ContextPlus Ads"). The "ContextPlus Network" is an advertising network that delivers advertisements from the ContextPlus Network's advertising clients to users of ContextPlus Supported Software ("Subscribers"). The ContextPlus AdServer technology identifies the interests of anonymous Subscribers based on their computer usage and web surfing behaviour, including the URLs of Web pages viewed by Subscribers and other criteria but does not intentionally collect ANY personally identifying information.
3. The ContextPlus AdServer displays ContextPlus Ads on computer screens on behalf of the ContextPlus Network's advertising clients and not necessarily on behalf of the Web site the Subscriber may be viewing when the ad appears.
4. In fact, the ContextPlus Network's advertising clients may be competitors of the publishers whose Web pages Subscribers may be viewing, or may have recently viewed.
5. ContextPlus Ads may be displayed on behalf of advertisers who may be competitors of the publishers of the Web pages Subscribers are viewing or have recently viewed.


Audiodoor.11

Also known as: Backdoor.Audiodoor.11

This is a trojan that installs an adware payload onto the infected PC through a remote connection.


Audiotroj.10

Also known as: Backdoor.Audiotroj.10

This trojan installs unrelated software.


Augudor

Also known as: Backdoor.Augudor

This trojan opens port 1011.


Aureate

Also known as: Radiate

Probably one of the first real adware programs that started the whole craze. It inserted banner advertising into freeware and shareware applications, profiled surfing habits, and sent information back to the home server without permission. Defunct: no longer supported by its creators.


Aureate Group Mail

Aureate Group Mail is an application which helps users to maintain their email mailing list. It also displays advertisements.


Aurora

Displays advertisements and tracks surfing habits.


AutoBot

AutoBot is a do-it-yourself botnet. It allows anyone to set up an executable that connects their victims to an IRC server, ready, willing, and able to take commands.


AutoCon

This trojan installs other malicious programs and sets up a remote connection in order to further control the victim PC.


Autocrat.b

Also known as: Backdoor.Autocrat.b

This is a trojan that drops an adware payload.


AutoSearch

Also known as: AutoSearchBHO Hijacker MSInfoSys Wink AutoSearch - AutoSearchBHO

AutoSearch is an IE Browser Helper Object that hijacks address-bar searches. It knows about some of the other prevalent search-hijackers (IGetNet, CommonName and NewDotNet) and will steal back any address bar searches they take over. Any address bar search you do is sent to a single page at www.tunders.com (which includes only static adverts, no search results).


AutoSpy

Also known as: AutoSpy.110

This is a trojan that will give an attacker access to your computer.


AV Trojan

AV Trojan is a Trojan horse that terminates the processes of common antivirus and firewall products.


AVKillah

Also known as: ProcKill-A Trojan.Win32.Avkillah.a

This Trojan will kill many anti-virus and firewall applications.


Avone 2

Also known as: Backdoor.Avone.2

This is a trojan that is installed with free video converting software.


Avone.A

Avone.A is a virus that infects Excel workbooks and deletes files.


AVSystemCare

Also known as: AV System Care

This is a rogue anti-spyware program. It is listed on the Rogue Anti-Spyware site by spywarewarrior.com: http://spywarewarrior.com/rogue_anti-spyware.htm. It is just one of many miscellaneous security programs produced by Verio Productions Limited.

http://avsystemcare.com


Axexx

Also known as: Axexx CHM (Sunbelt) Adware-Xplugin.dldr (Mcafee) SPR/TMKSoft.Adw.1 Trojan.Dropper.Agent.Ik Dropper.Agent.6.BN Trojan.Dropper.Agent.IK Trojan.Downloader.Esepor-3 Trojan.StartPage.775 W32/Dropper.QI W32/Agent.IK-tr Trojan-Dropper.Win32.Agent.ik Win32/TrojanDropper.Agent.IK W32/Agent.DEA

This is a CHM file exploit. If the file is opened it drops an executable file and runs it.


Axis

This is an overflow exploit that is common in Tencent QQ that allows for the distributor to gain remote access to the account.


AzeSearch

Also known as: AzeBar AZE SEARCH TOOLBAR

From the AZeBar website: AzeBar is a powerful search toolbar that allows you to search directly from your browser without having to navigate to a search engine. Simply type in what you are looking for into the AzeBar search box and click the "GO" button to see results. After installing the AZeBar, other bars and applications are installed. Please read their terms page: http://www.azebar.com/pages/terms.html

http://www.azebar.com


B-S Spy 1.90

Also known as: Trojan.PSW.BStroj.19

A Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine.


B-[R.A.T]-T

Also known as: B-RAT-T

The client application running on the attacker's system can take control of the remote system that has the server application. B-RAT-T can record keystrokes, log currently running processes, and manage file transfers. It can also take control of the victim's mouse, CD drive and desktop theme.


babetv

Also known as: babetv Global Content Ltd


Back

Also known as: Backdoor.Back


Backage

Also known as: Backdoor.Backage

Backage is a backdoor Trojan horse that allows unauthorized access to a compromised computer. Backage is written in Visual Basic. The default ports are 5333 (TCP) and 411 (TCP).


BackAttack

Also known as: Backdoor.Backattack


BackConstruction

Also known as: BackConstruction.210 BackConstruction.250 Bla.100 Bla.200 Bla.400 Bla.503 Cain.150 Dimbus.100 Ripper.100 SatansBackdoor.100 SatansBackdoor.101 SatansBackdoor.102 BackConstruction.120 BackConstruction.150 BladeRunner.080 DeepThroat.300 Mneah.100

This product allows someone to remotely control your computer by communicating through port 666.


BackConstructor

Also known as: Backdoor.BackConstructor


Backdoor Agent


Backdoor Death

Also known as: Backdoor.Win32.Death.18 Backdoor.Death.18 BackDoor-FP Backdoor.Trojan Backdoor:Win32/Death.1_8 TROJ_DEATH BackDoor.Death

This Trojan is a password stealer and allows remote access.


Backdoor Galapoper

Also known as: Galapoper(Mcafee)

Connects to websites that host configuration scripts containing remote control commands. These commands can be different for each infected computer. Has the ability to download and execute files. Can send spam that is composed from information from numerous servers.


Backdoor-ARR

Backdoor-ARR can allow unauthorized access to the user's computer.


Backdoor-BDD

Also known as: TrojanDownloader.Win32.Agent.cd (AVP)

Downloads unwanted software without the user's knowledge.


BackDoor-CLS

Also known as: Backdoor.Win32.VB.yo BackDoor-CLS

This is a trojan that, once installed, can log keystrokes and install an adware payload. It also allows the distributor to gain remote access to the infected machine.


BackDoor-CWM

Also known as: Troj/Ciadoor-CJ (SOPHOS), BDS/Agent.CFC

This is a backdoor trojan which provides remote access to an infected computer.


Backdoor-dkd

Also known as: backdoor-dkd.dr (McAfee)

This is a trojan that drops a rootkit to hide itself from detection.


Backdoor-QHH

Also known as: Troj/Bckdr-QHH (Sophos) BKDR_SDBOT.W (Trend Micro)

This trojan communicates with a remote IRC server through a service the attacker puts onto the victim's PC. Once active, the trojan can send sensitive information back to the attacker.


Backdoor-xGS

Opens ports to allow remote access to the computer. Can be used as a proxy and can download and execute files without the user's knowledge.


Backdoor-xJT

Also known as: Downloader-JF.dr(Mcafee), Backdoor.Sedepex(Symantec)

Has the ability to download and run files, disable security software, send email, and communicate with remote servers via HTTP.


Backdoor-xZQ

Communicates with remote servers via HTTP. Receives commands to download and execute files. Sends out marketing email spam with its own SMTP engine.


Backdoor.ahj

Also known as: Troj/Agent-ENR (Sophos)

Backdoor.ahj downloads additional files and allows others to access the computer.


Backdoor.BackOrifice

When installed, Backdoor.BackOrifice allows others to gain full access to the system through a network connection.


Backdoor.Berbew.N

Also known as: Win32.Webber (Computer Associates), BackDoor-AXJ (McAfee), Troj/Padodor-Y (Sophos)

Backdoor.Berbew.N is a Trojan that steals confidential information such as passwords and sends it to a predetermined URL. It also opens a backdoor on a random port and lowers security settings.


Backdoor.Bigfoot


Backdoor.Cabotron

This is a trojan that installs an adware payload.


BackDoor.Cont

Also known as: Win32.Mytob.BO [Computer Associates], Net-Worm.Win32.Mytob.gen [Kaspersky Lab], W32/Mytob.gen@MM [McAfee], W32/Mytob-AE [Sophos], WORM_MYTOB.CD [Trend Micro], W32/Sdbot.worm.gen.h, Backdoor.Win32.Rbot.qu

Backdoor.Cont is an IRC backdoor Trojan that runs continuously in the background, providing a backdoor server on a port. It listens for instructions from a remote malicious user. The received instructions are carried out locally on affected machines. It drops a file "C27D8FEF-D7AE-42c0-82E6-F30598265639.exe" at %temp%\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe. This file is generated by the packer used to compress the executable file and is not malicious. Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).


Backdoor.CVM

Backdoor.CVM opens a backdoor and can provide unauthorized access to a compromised computer. Periodically connects to a remote server to receive information to update itself.


Backdoor.DarkIRC

This is a trojan that installs through your IRC client.


Backdoor.DRam

Also known as: W32/Rbot-BCQ (Sophos), Backdoor.Win32.Rbot.aeu, MS03-026_Exploit!Trojan, W32/Sdbot.worm, Worm_Rbot.Cya (Trend Micro)

Backdoor.DRam is a worm and IRC backdoor Trojan that runs continuously in the background, providing a backdoor server on a random port. It connects to an Internet Relay Chat (IRC) server and joins a specific channel, where it listens for instructions from a remote malicious user. The received instructions are carried out locally on affected machines. It can perform denial of service (DoS) attacks against target sites using different flood methods. This worm is capable of gathering and stealing Microsoft product keys as well as application product IDs from popular software products installed on affected machines.


BackDoor.DrefIW

BackDoor.DrefIW is an IRC Backdoor Trojan Horse that gives its author control of an infected computer through Internet Relay Chat (IRC).


BackDoor.Ebnoy

Also known as: Troj/Bifrose-KP (Sophos), Backdoor.Win32.Bifrose.rr, W32/Sdbot.worm.gen.h [Mcafee]

BackDoor.Ebnoy is an IRC backdoor Trojan that allows a remote attacker to control the compromised computer and performs various malicious actions through Internet Relay Chat (IRC). It adds false IP addresses for the URLs of more than 50 popular antivirus companies to the hosts file, disables antivirus notifications, firewall notifications, and update notifications, and overrides firewalls. It also steals data from SQL Server and MySQL databases. It drops oreans32.sys and libmysql.dll; oreans32.sys is a component of a legitimate executable file protection system and is not malicious in itself. The file oreans32.sys is registered as a new system driver service named "oreans32", with a display name of "oreans32". libmysql.dll is also a legitimate client API used to trace SQL statements sent by other applications. BackDoor.Ebnoy creates the folder %Windir%\system32\programs\ and copies itself into it under many different filenames. These files are used for transmission through P2P programs.


Backdoor.Gaster

Backdoor.Gaster is a Trojan that gives an attacker access to your computer. It opens up port 19937 by default and ends various processes.


Backdoor.GF

This Trojan gives the attacker access to the infected computer.


Backdoor.Ghostvoice


Backdoor.Graybird

Also known as: Troj/GrayBrd-BA (SOPHOS), BackDoor-CXD (McAfee)

Backdoor.Graybird is a backdoor trojan.


Backdoor.IRC.Mutebot


BackDoor.IrcBik

Also known as: W32/Sdbot-PY (Sophos), Backdoor.Win32.SdBot.gen, W32/Spybot.worm.gen.n

BackDoor.IrcBik is a backdoor Trojan for the Windows platform. The backdoor component of BackDoor.IrcBik allows a remote attacker to control the user's computer and use it as a proxy server or to launch distributed denial of service attacks. The Trojan also logs users' keystrokes to a file named ntfsdi.txt in the Windows system folder.


Backdoor.IRCbot

This is a trojan that uses the value 'anassim' to autostart.


BackDoor.IrcJan

Also known as: Worm.P2P.SdDrop.d (KAV), W32/Sddrop.worm.g (McAfee), WORM_SDDROP.A (Trend Micro), W32/Sddrop-B (Sophos), W32.Kwbot.F.Worm (Symantec)

Backdoor.IrcJan is an IRC backdoor Trojan horse that gives its author control of an infected computer through Internet Relay Chat (IRC). It adds false IP addresses for the URLs of more than 50 popular antivirus companies to the hosts file, disables antivirus notifications, firewall notifications, and update notifications, and overrides firewalls. One of the malicious exe files acts as a server exchanging commands. BackDoor.IrcJan creates the folder %Windir%\system32\programs\ and copies itself into it under many different filenames, so the folder holds a lot of malicious executables that are the same file, with the same MD5, under different names.


Backdoor.IrcUnd

Also known as: Backdoor.IrcContact (Symantec), Backdoor.Win32.IrcContact.30 (Kaspersky), Win32.Coiboa.G (Pest Patrol), Win32/Contact.C (CA eTrust)

Backdoor.IrcUnd is a backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default, it opens port 6667 on an infected computer. The bot module of the Trojan provides an attacker with unauthorized remote access to the compromised system, and the attacker can carry out the following actions on the infected machine:

-> Connect to download files from the URLs
-> Execute programs remotely
-> Perform DDOS
-> Start and stop services
-> Retrieve system information
-> Uninstall the bot

Once running, the bot module connects to a predefined IRC server and channel on a predefined port, awaiting commands from the attacker.


BackDoor.JK

Also known as: Peerbot.B (PandaSoftware), W32/Peerbot.B.worm

BackDoor.JK is an IRC backdoor Trojan horse that gives its author control of an infected computer through Internet Relay Chat (IRC). It adds false IP addresses for the URLs of more than 50 popular antivirus companies to the hosts file, disables antivirus notifications, firewall notifications, and update notifications, and overrides firewalls. It also steals data from SQL Server and MySQL databases. BackDoor.JK creates the folder %Windir%\system32\programs\ and copies itself into it under many different filenames. These files are used for transmission through P2P programs.


Backdoor.Junkboat

This is a virus that allows for someone to remotely connect to your computer.


Backdoor.Lala

Backdoor.Lala is a Trojan Horse that allows unauthorized access to a compromised computer. The Trojan opens TCP/UDP port 4627, 1149, or 1877 to allow remote access.


BackDoor.Lara

Backdoor.Lara is an IRC backdoor Trojan that runs continuously in the background, providing a backdoor server on port 6667. It connects to an Internet Relay Chat (IRC) server and joins a specific channel, where it listens for instructions. The received instructions are carried out locally on affected machines. This Trojan also kills the Task Manager and Regedit processes, making it hard to revert the registry changes. It adds itself to the Windows Firewall exceptions, allowing all traffic from the specific server.


Backdoor.Lixy.B


Backdoor.LMU

Backdoor.LMU is a trojan component that can be used by adware applications to download additional components.


Backdoor.Lohocla

This is a trojan that allows the distributor to remotely connect and install unrelated software.


BackDoor.Multi

BackDoor.Multi is an IRC backdoor Trojan that runs continuously in the background, providing a backdoor server on port 6667. It connects to an Internet Relay Chat (IRC) server and joins a specific channel, where it listens for instructions. The received instructions are carried out locally on affected machines.


Backdoor.RAT.b

Also known as: Backdoor.rat

This is a trojan that downloads an adware payload from the internet when it is installed. Users should watch for suspicious randomly generated filenames.


Backdoor.Remserv

Also known as: BackDoor-BBK, NTbindshell, Troj/Bckdr-BBK (SOPHOS)

Remserv is a backdoor Trojan that allows a remote intruder to gain access to your system.


Backdoor.Ryejet


BackDoor.SndMax

Also known as: W32.Spybot.Worm (Sunbelt), Worm.P2P.SpyBot.gen

BackDoor.SndMax is an IRC backdoor Trojan horse that gives its author control of an infected computer through Internet Relay Chat (IRC). It adds false IP addresses for the URLs of more than 50 popular antivirus companies to the hosts file, disables antivirus notifications, firewall notifications, and update notifications, and overrides firewalls.


Backdoor.Thunker

Backdoor.Thunker runs a proxy server on the infected computer. This allows the attacker to route internet traffic through the infected computer.


Backdoor.u

Also known as: Generic BackDoor.u (McAfee)

Opens a port to allow an attacker access to the user's computer. The attacker can possibly delete files, upload/download files, open/close the CD tray, edit the registry, and have control of almost all computer functions.


Backdoor.VB.qg

Also known as: Win32.VB.qg (Kaspersky Lab) Trojan-Spy.Win32.VB.qg (Sunbelt)

Backdoor.VB.qg is a generic backdoor program that can allow an attacker access to your personal computer. It can give an attacker the ability to upload/download files, execute/delete files, change system settings, edit the Windows Registry, open the CD-ROM tray, and launch keyloggers or other malicious software.


Backdoor.Win32.Optix

This is a trojan that installs an adware payload onto the infected PC through a remote connection.


BackDoor.YFP

BackDoor.YFP is an IRC backdoor Trojan horse that gives its author control of an infected computer through Internet Relay Chat (IRC). One of the malicious exe files acts as a server exchanging commands. Once the local machine is infected, it uses the local machine's IP address and posts messages on IRC such as "excuse me,but its seems that your computer is vulnerable to the new mirc exploit,so get yourself ASAP this repair from http://[Local IP ]/WinXP_Mirc_Fix.exe". This worm disables antivirus notifications, firewall notifications, and update notifications, and overrides the firewall. It adds false IP addresses for the URLs of more than 50 popular antivirus companies to the hosts file.


Backlash

Also known as: Backdoor.Antilam.20.a, Backdoor.Minilash.10.a, Backdoor.Minilash.10.b

This is a trojan that drops its adware payload onto the infected machine through port 2130.


Backstabb

Also known as: Backdoor.Backstabb


BackWindows

It's a Trojan written in Visual Basic.


Badass

Also known as: Bad Ass Troj_Crazy BadASS.Worm


Badblood

Also known as: Bad Blood

A trojan that uses ports 6006 and 27374.


Badboy

Also known as: Backdoor.Badboy

This is a RAT that allows remote control of, or connection to, the infected PC.


Badco Backdoor Trojan

Also known as: virus [Eset], VCL.BadCommand.541 [Kaspersky], VCL.Dome [Computer Associates]

This is a trojan that allows the distributor to remotely connect and control the infected PC.


Badcon

Also known as: Badcon.Trojan

This Trojan horse takes advantage of an old Windows 95/98 vulnerability. A Microsoft patch that fixes this vulnerability has been available since March 2000. The affected systems are Windows 95, Windows 98 and Windows 98 Second Edition (SE).


BadTrans.B

Also known as: BadTrans W32.Badtrans.B@mm

This is a worm/virus that sends itself by email. It installs a keystroke-logging Trojan horse.


Bald Eagle Screensaver

Bald Eagle Screensaver bundles adware and other potentially unwanted software such as WhenU products, My247eShopper, etc. It also adds a Browser Helper Object to Internet Explorer. The start page changes to http://www.321search.com. From the EULA: Often, such ads and informational messages will be published to computer screens on behalf of those who are competitors of the Web pages users may be viewing, or may have recently viewed.


Bamer Trojan

Also known as: Troj/Bamer-C (Sophos)


Bancban-BO

Bancban-BO is a password-stealing trojan. It targets certain Brazilian banking sites to steal confidential information.


Bancban-PN

Bancban-PN is a password-stealing Trojan.


Bancodor

Also known as: Backdoor.Bancodor


Bandjammer

Bandjammer is an exploit that targets band MySpace pages. Once the band's MySpace page is hacked, it creates an invisible background image that links to a dangerous site. After hijacking the victim's browser, it sends the user to a fake codec page.


BandObjects.eStart

Also known as: Band Objects

BandObjects.eStart is an unwanted toolbar. It will replace your links with its own.


Banish.B@mm

Also known as: Win32.Banish.A [Computer Associates], Email-Worm.Win32.Banish.{a, b} [Kaspersky Lab], W32/Banish.worm [McAfee], W32/Multie@MM [McAfee], W32/Banish-A [Sophos], WORM_BANISH.A [Trend Micro]

A modified variant of the Banish.A worm that attempts to block security sites with various IP filters.

Creates or modifies the following keys:

\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\0000\
    DeviceDesc: Created, IP Traffic Filter Driver
    ClassGUID: Created, {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Class: Created, LegacyDriver
    ConfigFlags: Created, 0
    Legacy: Created, 1
    Service: Created, IpFilterDriver
\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER\
\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPFILTERDRIVER\0000\Control\
    New Value: IpFilterDriver
    New Value: 0

Modifies: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Value Name: key2 = C:\WINDOWS\system32\winlog.exe

Adds two files to the OS: winlog.exe, winlog.dll


Banito

Also known as: Backdoor.Banito


Bankem

Also known as: PWS-Banker (SunBelt)

Monitors Internet Explorer windows for the following strings to steal personal information: haspa.de, internetbanking.de, mastercard, meine.deutsche-bank.de, portal-banking.de, postbank.de, visa, vr-ebanking.de, vr-networld-ebanking.de, www.e-gold.com, banking.de, bankingonline.de, bankofamerica.com, citibank.de, commerzbanking.de. Attempts to disable security software.


Banker.Gen

Also known as: Troj/Bnkmr-Fam (SOPHOS) Trojan-Downloader.Win32.Banload.cyb (F-Secure) Trojan-Downloader.Win32.Banload.usl (Kaspersky Lab) PWS-Banker.dldr (McAfee) TROJ_BANLOAD.FBI (Trend Micro) TrojanDownloader:Win32/Banload.gen!H (Microsoft)

Banker.Gen is a family of password-stealing trojans that capture bank account information and send it to the author. It also sends computer information, such as the machine name, to the author of the trojan through e-mail. May show web pages with fake forms.


Banner Rotator

Also known as: Adware.TrafficSol (Kaspersky)

Banner Rotator installs through adware downloaders and delivers advertisements to the user's computer.


Banpaes

Also known as: Infostealer.Banpaes(Symantec)

This trojan drops its adware payload after it is installed through cartoes.exe.


Banpaes.as

This trojan is distributed through phishing e-mails. Once it is installed on the host machine it will have the ability to mass mail the infection to others.


Banwarum

Also known as: Banworm

This propagates by attaching itself to an email it sends to all addresses it finds on a PC.


BargainBuddy

Also known as: bargain buddy BullsEye Network exactadvertising eXactUtil

Bargain Buddy consists of an IE Browser Helper Object, and a process set to run at startup. The BHO monitors web pages requested and terms entered into forms. If there is a match with a preset list of sites and keywords, an advertisement may be shown. The process can contact its maker's server to download updates to the list of adverts and to the software itself.

http://www.exactadvertising.com


Barjac

Also known as: Barjac.Trojan

Barjac emails the system information to the Trojan's author. This information includes the computer name, IP address, Microsoft Outlook email addresses, and files that have the .doc extension.


Barok

Also known as: BarokPWSteal.Trojan

Barok steals passwords and emails them to a defined location. This Trojan is reported to have been distributed by the Love Letter Virus.


BAT.Calhob

This is a virus that allows the distributor to gain remote access to the infected PC.


BAT.Eversaw

This is a worm that installs an adware payload onto the infected PC through a remote connection.


BAT.Install.Trojan

This trojan allows the distributor to gain remote control of the infected PC.


BAT.Jerm

Once this virus is installed, it allows the distributor to remotely access and control your PC.


BAT.KeyboardDisable.f

Also known as: Bat/kbd3 Trojan.Mousedisable Troj/Batkbd3-A Trojan:BAT/KeyboardDisable.F* Trojan.BAT.KeyboardDisable.F Trojan.BAT.KeyboardDisable.f

BAT.KeyboardDisable.f is a primitive BAT-Trojan written in the DOS command language. When it is launched it blocks the functioning of the keyboard and mouse.


BAT.KillAll.p

Also known as: Del-422 BAT.Trojan Troj/KillSys-A Trojan:DOS/KillAll.P DelSYS [Trj] Trojan.Destroyer.A Trojan.BAT.KillAll.p

This is an extremely dangerous Trojan program written as a BAT file. It contains the compressed files BAT2EXE and COM2EXE. It deletes all files on disks C:


BAT.Looper.af

Also known as: Trojan.BAT.Looper.af

When launched, the Trojan checks for a file named cargo68.dll. If no such file is found, the Trojan copies itself under this name. It creates a file called altec.bat, which adds the Trojan to ZIP archives and deletes .doc and .dot files on the C: disk.


BAT.MkDirs.z

Also known as: Trojan.BAT.MkDirs.z Bat/qd180 BAT.Trojan Troj/Batqd18-A Trojan:BAT/Mkdirs.Z

When launched, the virus deletes all the files from the C:\windows\ directory.


BAT.NoFPU

Also known as: Trojan.BAT.NoFPU Bat/Karal Trojan:BAT/Patchsysini.A* Trojan.BAT.Patchsysini

This is a primitive Trojan, written in DOS command language. It disconnects the mathematical coprocessor. As a result, the computer starts to run extremely slowly. Windows 95 may lose functionality due to the action of the Trojan.


BAT.Simpsons

Also known as: Bat/dt108 Simpsons.Trojan Troj/Simpsons BAT/Simpson.A* BAT_SIMPSONS BAT/Simpsons BAT/Simpson.A BV:Qo BAT.Trojan.Simpsons Trojan.BAT.Simpsons

This is a Trojan that affects all files on C:, A:, B: and D: drives. To delete the files, the Trojan uses a "DELTREE /Y" DOS command.


BAT.VSX

Also known as: Trojan.BAT.VSX BAT.Trojan Troj/VSX-A

This trojan moves files with the extensions .BAT, .VBS, .DLL, .SYS, .OCX, and .MOD from the C:\ root directory to this directory.


BatLive4

Also known as: Bat.Live4

BatLive4 attempts to delete system files, files on drive A, and .doc files that are in the C:\My Documents folder.


Batty

Batty is an adware program that shows lots of annoying pop-up advertisements on the user's machine. It does not provide any information such as an End User License Agreement.


BazookaBar

Also known as: Bazooka Bar


BDDT

Also known as: Backdoor.BDDT


BDE

Also known as: Brilliant Digital BrilliantDigital B3D Projector

A player for 'rich media' advertising. It allows sites to use 'rich' (i.e. annoying) advertising with 3D effects, sound, and so on. However, it does not add its own advertising to other sites. Apart from being downloadable from Brilliant's own legitimate-looking site, it is also stealth-installed by newer versions of KaZaA and other free applications.

http://www.brilliantdigital.com/


BDHelper

Also known as: SPYW_BDPLUGIN.E BaiDu toolbar BDPlugin SoBar

Monitors and logs Internet activity. When executed, it copies itself to the Program Files folder as BAIDUBAR.DLL. It then registers itself as a browser helper object that will monitor the affected user's Internet activities.


BDoor-pviever

Also known as: BDS/Delf.CO.13(Sophos) Troj/Delf-CGT (Sophos)

BDoor-pviever downloads files from the internet, repeatedly contacts a remote server, and can possibly allow remote connection to the infected computer.


Bearshare.outlook

Bearshare.outlook spreads through file sharing programs like BearShare and installs other malware.


Beast 2.02

Beast allows the attacker to take control over the victim's machine.


BeastDoor

Also known as: Backdoor.BeastDoor


Bedienks Backdoor Trojan

Also known as: Embedded EXE [Kaspersky], Backdoor.Antilam.20.a, Backdoor.Antilam.20.o, Backdoor.Bedienks.2, Backdoor.Bedienks.2 [Kaspersky], Backdoor.Pestdoor.31, Backdoor.Yat.302, Backdoor/Bedienk.2.Server [Computer Associates], Backdoor/Bedienks.2.Server [Computer Associates], BackDoor-BQ [McAfee], Bedienks.2 trojan [Eset], security risk or a "backdoor" program [F-Prot], Yet Another Trojan

Bedienks is a remote access Trojan which is designed to allow manipulation of an infected computer using a TCP port connection and a client-control program.

http://www.prime-soft.de/index3.htm


Bedrill

Also known as: Bedrill.Trojan Trojan.Bedrill

Bedrill is a Trojan horse that sends batches of spam, which are downloaded from a remote server, from an infected computer.


BeeBus


Begin2search

Also known as: Adware-WorldAnywhere (Mcafee) WorldAnywhere gpstool

Internet Explorer toolbar that can display advertisements. Some variants of Begin2Search can download and install other unwanted software.

http://www.begin2search.com/


Belio

Also known as: Backdoor.Belio


Best Phrases

Also known as: BPV1a.dll BestPhrases

Displays advertisements based on keywords typed in search engines such as Google.


BestPopUpKiller

Also known as: Best PopUp Killer

This is a security program designed to block pop-ups, specifically targeting those that come with free P2P software.

http://www.trustsoft.com/pp_bpuk_1.php


Bget

Bget is a powerful and fast web data extraction software that extracts the data from any type of websites.

http://www.bget.com/


Bifrose

Also known as: Backdoor.Bifrose BackDoor-CEP.svr (McAfee) Bifrost

Bifrose is a backdoor Trojan that provides unauthorized remote access to the infected computer. This trojan may steal confidential information and log keystrokes.


Bifrose.byc

Also known as: W32/Bifrose.BYC (Norman)

This Trojan injects itself into "explorer.exe" in order to hide itself. It gives a remote attacker control over the system. It installs a SOCKS4 proxy.


BigTrafficNetwork

Also known as: Adware.BigTrafficNet (Symantec)

Displays advertisements and can download other unwanted software.

http://www.bigtrafficnetwork.com/


Bigwar

Also known as: bigwar.name

This trojan installs other malware that collects information from the infected machine and sends it to their host.


BillByCall

BillByCall is a dialer program that originates from teleaction.com. Users should watch for unfamiliar filenames that seem pornographic in nature, for example romantica.exe or d20%erotik.exe.

http://www.teleaction.com/


BillsDeath

Also known as: Backdoor.BillsDeath


Binny

Also known as: Trojan.Java.Binny.a

The trojan uses a vulnerability in SUN Java Runtime to write to disk and to subsequently execute malicious code. SUN Java Runtime is a package that processes Java and is integrated into browsers such as Opera and Mozilla.


Bionet

Also known as: Backdoor.Bionet

Bionet allows an attacker to take control of the infected computer.


Birdspy Trojan

Also known as: Backdoor.BirdSpy Backdoor.BirdSpy.30 [Kaspersky], Backdoor/Birdspy.30 [Computer Associates], Backdoor/BirdSpy.30.DLL [Computer Associates], BackDoor-WM [McAfee], BirdSPY 3.0, security risk or a "backdoor" program [F-Prot], Win32/BirdSpy.30 trojan [Eset]

This is a RAT trojan that allows remote connection and control.


Bitcon

Also known as: Backdoor.Bitcon


BK.door.RpCs

BKdoor.RpCs allows access to the computer from a remote client.


Bl4ck

This trojan originated from a hacker named Sniper_Sa who defaced a few legitimate sites. When a user browses these sites, a file called bl4ck.com is dropped on the user's computer in a Temp directory. From there, an additional payload could be dropped on the infected machine.


BLA


BlackAngel

Also known as: Backdoor.BlackAngel


BlackCore 1.1

Also known as: Backdoor. VB.pb Black Core

From the Website: Blackcore is only used to be used to test vulnerabilities on your own system. Don't use as a trojan! We are not responsible if you cause any damage with this product.

http://www.duder.tk/


BlackDiver

Also known as: Backdoor.BlackDiver Black Diver 0.98


Blackharaz Trojan

This is a RAT trojan that allows the distributor to gain remote access to the infected PC.


BlackStar

Also known as: BlackStar.100 Ghost.230

This is a trojan that opens port 3215 in order to contact a server to drop malicious files onto the infected system.


Blade Backdoor Trojan

Also known as: Thing

This trojan allows for a remote connection.


Bladerunner Backdoor Trojan

Also known as: Blade Runner Backdoor.Blade Runner

This trojan gives the distributor the ability to capture screenshots of the infected PC through a remote connection.


Blador.Trojan

This is a RAT trojan that allows the distributor to gain remote access to the infected PC.


Blaire

Also known as: Backdoor.Blaire


Blaster Worm

Also known as: W32.Blaster.Worm Msblast.A W32/Msblast.D Worm.Win32.Lovesan W32.Blaster.D.Worm Lovsan worm Lovsan.D

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. Recent updates to the variants will download the file called MSPATCH.EXE instead of MSBLAST.EXE. Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed: TCP port 135, "DCOM RPC"; UDP port 69, "TFTP". The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (www.windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.


BlazeFind

Blazefind's product includes a toolbar that changes your IE browser as well as your home page. It can be uninstalled from the add/remove programs in the control panel. Blazefind (made by CDT Inc.) was bought by 180solutions Inc. It is unknown if this product is still in circulation.

http://www.blazefind.com/


Blazer

Also known as: Backdoor.Kamikaze Blazer5 Trojan Sockets.cli Win32.HLLP.DeTroie

Trojan or Trojan Horse is a general term that refers to programs that appear desirable, but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer where a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage.


Block Checker

Also known as: Adware.BlockChecker

Block Checker is an application that is used to check the online status of buddies in instant messengers such as MSN, Yahoo and AOL. The application also installs other adware.

http://www.block-checker.com


BlondeSalope

BlondeSalope is used to access pornographic websites by dialing a high-cost phone number using a modem.


Blowsearch


Blue Eye 1.0b

Also known as: Backdoor.BlueEye.10b

From the Website:
* File manager, Process viewer, Window manager
* No Process Visible inject into explorer.exe and exiting the parent
* Computer info, Server info, Uninstall, Close server
* Power Option
* ICQ Notification
* Invisible Startup
* SelfDelete
* Server EXE size is 8.4kb


BlueAdept

Also known as: Backdoor.BlueAdept


Blueang

Also known as: Backdoor.Blueang


BMP.Agent.a

Also known as: TrojanDownloader.BMP.Agent.a Exploit-BMP.dldr IMG_BMP.Exploit Troj/Agent-A TR/Dldr.BMPAgent.A2 Win32:BMP-Exploit Trojan.Downloader.BMP.A

From Viruslist.com: This TrojanDownloader exploits a vulnerability in MS Windows accessible during viewing BMP files. To date Agent only affects Russian versions of MS Windows 2000. Agent may cause email clients to close on other versions of Windows or in other operating systems.


BNLite

Also known as: Backdoor.BNLite


Bo Installer Trojan

Also known as: Backdoor.BO_Installer [Kaspersky], Bck/Bo.installer [Panda], destructive program [F-Prot], Orifice [McAfee], SilkRope.Trojan [Computer Associates], Win32.Orifice [Computer Associates], Win32/BO.Plugin.Silk_Rope.2_0 trojan [Eset]

This trojan allows the distributor to make a remote connection to the infected PC.


Bobo

Also known as: Bobo.100

This is a trojan that opens port 4321 in order to contact a server to drop malicious files onto the infected system.


BocaiToolbar


BonziBuddy

Software that installs and monitors your internet surfing and delivers ads based on what you've searched for.

http://www.bonzi.com/bonziportal/index.asp


BookedSpace

Also known as: Remanent BS2 BS3 Booked Space

BookedSpace is an Internet Explorer Browser Helper Object used to show advertising. BookedSpace/Remanent: early variant (around July 2003) with filename rem00001.dll, controlling server 66.225.192.199. BookedSpace/BS2 and BookedSpace/BS3: newer revisions (August 2003) with filename bs2.dll or bs3.dll, controlling server www.bookedspace.com. BookedSpace/Remanent is silently installed by MThree MP3 to WAV converter. BookedSpace/BS2 is silently installed by FreeWire's FreeMP3Player. The origin of BookedSpace/BS3 is currently unknown. BookedSpace can contact its controlling server when a new page is visited, which may direct it to open pop-up ads. When the controlling server is contacted, the URL of the current page is passed along with a user ID for tracking purposes.

http://www.bookedspace.com/


Bookmark Express

Also known as: BookmarkExpress

This will display advertisements on your computer.


Borlan

Also known as: Borlan.MMsAssist (Sunbelt-Software), Adware.Borlan (Symantec), Adware-Boran (McAfee), Boran Vision Communicate Borlander

Borlan installs a Browser Helper Object for Internet Explorer and shows advertisements. Often dropped by a downloader trojan.


Boss Watcher 1.0

Boss Watcher is a combination of two programs that allow you to watch the screens of the computers on your local network. One program is BWServer. It runs on the remote computer. It sends screenshots to the BWClient program that is running on your computer. The programs use the TCP/IP protocol. BWServer starts as a system process and does not have any user interface. BWClient has a convenient interface.

http://www.sofotex.com/Boss-Watcher-download_L11822.html


Botanvec Trojan

This trojan allows the distributor to gain remote access to the infected PC.


BrAin Wiper 0.3 beta

Also known as: Backdoor.BrainWiper.03

From the Website: This is a client/server based trojan. It has loads of features. Unchangeable Website - Launch a web site full screen and they can't change or close it. Message Box - Open a message box with a title and a message that you want. Launch Program - Launch a prog on their computer. Delete Program - Delete a prog on their computer. Keyboard Breaker - Their comp types in whatever you want and then presses enter until they restart. Crash PC - They get 3 blue screen errors and then their PC goes into meltdown. Chat - You get to have a simple chat with the victim. Leahcim Chat - A more complex chat using IRC but they might not login. Blackout - Their screen goes black and any key they press they get an error. Edit Autoexec - Edit autoexec.bat on their comp! Beep - Pointless, their computer beeps. Status - Just a status screen but it also tells you what time you done something.

http://www.manga-man.cjb.net/


BrainSpy

Also known as: Backdoor.BrainSpy


BraveSentry

Also known as: Brave Sentry

BraveSentry is related to SpySheriff and Spware-no. It can be installed from the BraveSentry website and has been forced onto computers without a EULA or the user's knowledge of installation. BraveSentry can report false detections of spyware to scare the user into purchasing the product to remove the false infections.


Breach

Also known as: Breach.2001 SocketsDeTroie Backdoor.Breach

This trojan downloads an adware payload after installing from Backdoor.Breach.2001.exe. It contacts a server from port 1 in order to download its adware payload.


BroadCast PC

Also known as: BroadcastPC

Displays pop-up advertisements.

http://www.broadcastpc.tv


BrownOrifice

Also known as: Backdoor.BrownOrifice


Browser Pal

Also known as: Browserpal

This is a program that allows Browser Pal to show you ads from third party advertisers based off your search patterns collected when you are on the internet.

http://www.browserpal.com


BrowserAcclerator

Also known as: Browser Accelerator

From the Website: We automatically record the name of the domain (for example, "123company.com" if you use a private Internet access account, or "mycollege.edu" if you are connecting from a university's domain); the IP address (a number that is automatically assigned to your computer when you are using the Internet) from which you access our website; the type of browser and operating system used to access our site; the date and time you access our site; the Internet address of the website from which you linked directly to our site; and the pages you visit. Should you send us an email about a question or comment, we will then have access to personal information such as your name and email address. Sometimes we ask you to fill out surveys posted on our web site. These surveys collect demographic information such as age, gender, annual income, postal zip code, name, and the like. WHY DO WE COLLECT THIS INFORMATION? The non-personal information that we collect from you may be used for both internal and external purposes, in order for us to make your experience with our site more enjoyable. The aggregate data we collect from you is used internally and externally to help us increase our marketing efforts and to provide pertinent data to the members of our Internet family. We may also use your email address to notify you of other products or services you may be interested in. Your email address may also be used to contact you regarding a question or comment you submitted to our site.

http://www.browseraccelerator.com/


BrowserAid

Also known as: App/Bpinst-A CashToolbar QuickLaunch BrowserPal Browser AID

BrowserAid is a manufacturer of various Internet Explorer toolbars, most of which seem to be installed sneakily. BrowserAid/ABCSearch offers a 'Power Search' feature when right-clicking a selection. BrowserAid/CashToolbar, BrowserAid/LetsSearch and BrowserAid/QuickLaunch are minor variations on an adware theme. The script at this site cannot tell them apart and detects them only as 'BrowserAid'. The toolbar opens untargeted pop-up adverts periodically when IE is open. LetsSearch hijacks home page and search settings to point to searchmadesafe.com; QuickLaunch points at quicklaunch.com. BrowserAid/BrowserPal offers pop-up blocking features. It is a later version of BrowserAid/pStopper, a pop-up blocker which is not known to have been stealth-installed and is not targeted by the script at this site. BrowserAid/Rundll16 is a smaller parasite that only opens pop-ups; it does not include a toolbar component. It hides in the Windows folder under the name 'rundll16', which is not a system file, but is a filename also used by other malware (eg. SubSeven trojan, Roron worm, ZMorph virus). The software can download and execute arbitrary code from its controlling server, as an update feature. The terms of use of the BrowserPal variant state this may also be used to install any other third-party software.

http://www.browseraid.com/index2.htm


BrowserProxy4

Also known as: Alxtool, IShowBao (SunBelt), Trojan.Bhong (BOClean)

This is installed from Chinese trojan bundles. It downloads additional trojan packages from urlad.cn.


BrowserToolbar

BrowserToolbar is an IE toolbar object which comes with various other components that act as adware and spyware.

http://www.browsertoolbar.com


BrowserVillage Toolbar

Also known as: BVillage

Adware, also known as an Adbot, can do a number of things, from profiling your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled (i.e. peer-to-peer file swapping products) with other software without the user's knowledge or slipped into the fine print of a EULA (End User License Agreement). Not all Adware is bad, but often users are annoyed by adware's intrusive behavior. Keep in mind that by removing Adware sometimes the program it came bundled with for free may stop functioning. Some Adware, dubbed a "BackDoor Santa", may not perform any activity other than to profile a user's surfing activity for study. Adware can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall.

A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA. It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA, e-mail the company and ask them for clarification. If they cannot clarify this, do not install the software.

BrowserVillage collects and stores information about the web pages you view and the data you enter in a search engine's search field while using software provided by BrowserVillage. We also collect the following information: your Internet Protocol ("IP") Address, which may include a domain name; the date and time you downloaded software provided by BrowserVillage; and the name of and information about the advertisement that may have brought you to download software provided by BrowserVillage. Software provided by BrowserVillage.com is designed to check for the availability of software updates to ensure that you enjoy the latest improvements of the software. When the software checks for the availability of updates, anonymous information about the software version is sent to our Web server. The information is only used to determine whether new software is available for download and is not associated with your personally identifiable information.


Brushy

Also known as: Trojan.Trafbrush (Symantec)


BSE

Also known as: Backdoor.BSE


BTGrab

http://www.btgrab.com


BTNGdoor.10

Also known as: Backdoor.BTNGdoor.10


BTV Dialer

A program that (secretly) changes your dial-up connection setting so that instead of calling your local internet provider, your PC calls some very expensive 0900 or international phone number.


Bubbel

Also known as: Backdoor.Bubbel


Bubbles

Also known as: w32/Ramex.A (F-Secure) P-to-P

This is a worm related to Skype. Once the victim visits the site this file is hosted on, it downloads and installs automatically before it sends infectious messages to all of the victim's contacts in Skype.


Bubbles.4K

This Worm attempts to steal personal information through the online game: RuneScape. Once installed, several hidden files are also installed into the system32 directory of the victim PC. It then has the ability to mail any sensitive information that is stored in C:\WINDOWS\system32\syswin32f.dll.


BuddyLinks

This product is disguised as a game. It will send links to itself to all people on your buddy list in AOL messenger, coming from you and asking to install this software. Once somebody does this, the process repeats with their list. Their site, www.buddylinks.net, is listed for sale.

http://www.buddylinks.net/


Bugs

Also known as: Bugs.100 Backdoor.Bugs


Bulla

Also known as: IEPlugin

Bulla is a Browser Helper Object for Internet Explorer. It tries to search all pages you view in IE and replaces banner adverts from the page with adverts from its controlling servers. Also known as IEPlugin, from the filename of the BHO DLL. This is a generic name; Bulla has nothing to do with the parasite known as IEPlugin.


BusConquerer

Also known as: Backdoor.BusConquerer


Bushtrommel

Also known as: Backdoor.Bushtrommel


ButtMan Trojan

Also known as: BackDoor-BR Backdoor.Buttman

Features include authentication, gateway connections, Explorer, Registry, Screen, Execute, Windows, Transfer...


BZUB.CT

This trojan intercepts login network traffic before it takes the user to the desired website. This allows the trojan to steal important passwords. It intercepts passwords from: webmail.tiscali.co.uk/mail, earthlink.net/wam, comcast.net, webmail.bellsouth.net, fastmail.fm/mail, http://mail.google.com/mail, http://mail.rambler.ru/mail, hotmail.msn.com, mail.yahoo.com, webmail.aol.com, win.mail.ru


C2.lop

Also known as: Ultimate Browser Enhancer lop lop.com WinActive c2lop

Lop is a group of spyware and hijacker programs that set your Internet Explorer start page and search features to use the site lop.com ('Live Online Portal') or one of its clone sites. C2.lop is a pay-per-click search portal where other web sites pay for each click-through to their site via C2.lop. They offer search programs ranging from pornographic material to mp3 downloads. The downside to these programs is of course opening your computer up to advertisements from them and their affiliates. These programs have also been known to install via an ActiveX control. It also installs a toolbar to your Internet Explorer browser. This toolbar directs you to lop.com sites. Your browser settings are also changed by C2.lop. These changes can take place in your toolbar settings or even your start page through a Browser Helper Object (BHO). Once installed, this program will run whenever Windows is loaded. The value of these autostarters varies depending on which lop.com program you have downloaded.

http://www.lop.com/


Cabrotor.10.a

Also known as: BackDoor-WO Backdoor.Cabro BackDoor.Cabronator.10 Troj/Cabrotor Backdoor:Win32/Cabrotor.1_0 Win32:Trojan-gen. Backdoor.Cabrotor.1.0

The backdoor program performs the following commands: reports computer info (Windows version, CPU type, UserName, CompanyName, etc.); opens/closes the CD drive; reports directories and the file names in them; runs a local file or executes a command; sends information: RAS, MS Messenger and .NET services; exits Windows; downloads a requested file; performs a DoS attack on a requested victim address; terminates itself.


CAFEiNi

Also known as: Backdoor.Cafeini

From the Website: Why CAFEiNi is better than other backdoors (like NetBus):
- can kill more than 30 Windows antiviruses and antibackdoors from memory
- automatic update of server by http
- doesn't install itself into registry (when can or install under random name)
- written in Visual C++ (smaller and faster than Delphi)
- you can control remote computer by telnet (eg. from Unix)
- works on Windows 95/98/ME and also Windows NT/2000
- with CAFEiNiclient you can control multiple computers (eg. open CD-ROM doors on 10 computers with one button click)
- full multitasking (eg. you can upload and download files in one time from multiple computers)
- some new backdoors commands (especially with desktop)
- client is very easy to use, like old good Netbus 1.x
- includes configurator for server (edit server)


Caifu

This is Chinese adware that is downloaded as part of trojan bundles.


Caiijing

Also known as: Trojan.Caiijing (Symantec)

This is a trojan that installs a large bundle of other Chinese trojans and adware. It also poses as a part of the Google Toolbar.


CameUp

Changes the Internet Explorer start page.


CamGirlsLive

http://www.camgirlslive.com


cardstatement.exe

Also known as: cardstatement card statement zbot trojan

The file claims to be a VISA statement and is hosted at a site sent via an email link. When executed, the ZBot Trojan is activated. The file sdra64.exe is added to the System32 directory, and is known as a keylogger and banking theft infection file.


Career12

http://spywareguide.com/articles/greynets_special_report_instan_75.html This bundle relies upon an end-user who is trusting enough to click on the infection link generated by an apparently modified IRC Trojan, Poker3.exe. When the infected end-user then uses an Instant Messaging program such as Microsoft's MSN Messenger or AOL's AIM, this spawns a number of randomly selected messages to the people on that user's contact list, sometimes containing the other user's email address as an enticement, other times merely posting a link.


Carlson Dialer

Carlson Dialer is known to be installed by IM worms particularly related to the MSN chat client. Once it is on the victim's PC, it will make long distance calls depending on your geographic position. If the machine infected with this dialer is part of a larger network, the dialer will attempt to write itself to the domain server.


Cash4Toolbar

This is a browser plugin. It changes the Internet Explorer search page.

http://www.cash4toolbar.com


Cashback

Also known as: exact.cashback

From their EULA: Such notification will contain the trademark "CashBackBuddy"). Bullseye delivers relevant contextual information to you in the form of advertisements, promotions and other content based on the URLs and/or search terms you enter when navigating the Internet. These advertisements, promotional messages and other notifications or information may be displayed on your computer screen at any time while you are online.

http://www.cashbackbuddy.com


Cashbar

Also known as: Cash bar

From their site, CashSurfers.com reserves the right to monitor the websites you visit in order to provide ads related to the content you are viewing.

http://www.cashsurfers.com


CashdeLuxe

This adware program is often installed with other trojans. The major threat this infection poses rests in the Browser Helper Objects section in the registry. These values point to winapi32.dll, which lies in the system32 folder.


Cashfiesta Adbar

Also known as: Cashfiesta

Pending Review.

https://cashfiesta.com


Cashsaver


CasinoOnline

Also known as: Casino Online


CasinoOnNet

http://www.casinoonnet.com


CasinoRewards

From their website: "Welcome to Casino Rewards, the world's premier online Casino Loyalty Program. Enjoy amazing benefits, incentives and quality online gaming that is exclusively available to Casino Rewards members. Casino Rewards is the most competitive loyalty program online with great weekly and monthly promotions."

http://www.casinorewards.com


CAX Dialer

CAX Dialer may be used to access Adult Content Sites.


CazzoCulo

CazzoCulo is used to access pornographic websites by dialing a high-cost phone number using a modem.


CCInvader

Also known as: Backdoor.CCInvader


CD_Argen

Also known as: Trojan.Win32.CD_Argen Trojan Horse Troj/CD-Argen Trojan:Win32/Cd-Argen TR/CD.Argen Win32:CDDoor Trojan.Win32.CD_Argen

From Viruslist.com: When run, this program, in a loop, opens and closes the CD drive and also displays messages. Until the loop is finished, it is possible to terminate the program only by removing it from the task list (Alt-Ctrl-Del). The program does not harm computer hardware and software in any way, but, because of its behavior, it is classified as a Trojan program.


Celine Trojan

Also known as: Celine.100 Celine

This is a trojan that drops its adware payload through port 4523.


Centim

Also known as: Win32.Centim

Centim is a family of downloader trojans. Several variants exist with a few common behaviors. It connects to a remote server and downloads additional files an hour after the time of installation. It stores the downloaded file in the %Temp% directory and executes it. The downloaded files have randomly numbered names.


Central-24 Dialer


Cero 1.0

Also known as: Backdoor.Cero


ChannelUp

This is related to buddylinks. http://www.spywareguide.com/product_show.php?id=711


Charge

Also known as: Backdoor.Charge


Chatspy

Also known as: Backdoor.Chatspy


Check Url

Also known as: CheckURL


Checkin.B


Cheeser

Also known as: Backdoor.Cheeser


ChinDoor

Also known as: Backdoor.ChinDoor


Chupa

Also known as: Backdoor.Chupa


CIA 1.1

Also known as: Backdoor.Ciadoor.11.a Backdoor.Ciadoor.logger BackDoor-ASB [McAfee] BackDoor-ASB.cfg trojan BackDoor-ASB.cli trojan BackDoor-ASB.svr trojan Cruel Intentionz Administator W32/CYAdoor.A [F-Prot]

This is a long-running Trojan with many variants. The attacker can gain total control of your computer.


Ciador

Also known as: Cruel Intentionz Administator CIA, Ciadoor

Allows a remote attacker to control the user's computer.

http://darksideofkalez.com/


Cigivip

Also known as: Backdoor.Cigivip


Cinmeng

Also known as: Trojan.Cinmeng (Symantec)

Cinmeng monitors Internet Explorer for keywords to display relevant pop-up advertisements. Contacts remote server to download configuration file.


CINMUS

Also known as: AdWare.Win32.Cinmus.b (Kaspersky) Adware.Cinmus (Sunbelt) Adware.Cinmus.A

This is a Chinese adware program that centers around pornography-related advertisements. Once installed, it will phone home to several other sites to download the rest of the software that is bundled with the executable.


Cinmuz

This is a trojan that allows for a remote user to access the infected PC using a backdoor it creates. It also has the ability to turn off all major anti-spyware and anti-virus applications.


ClassLoader

Also known as: Trojan.Java.ClassLoader.a Exploit-ByteVerify Trojan.ByteVerify Troj/ByteV-Fam Java/Bytverify JAVA_BYTEVER.A Java/ByteVerify Java.Trojan.Exploit.Bytverify

Gains unrestricted rights on the local machine by invoking the .assertPermission method of the PolicyEngine class in Beyond.class.


Cleanator

http://www.cleanator.com/


CleanGetAway


Clearsearch

Also known as: Clear Search

ClearSearch is adware that tracks advertisements.


ClearStream Accelerator

Also known as: X10 Adware Clear Stream

http://www.riversoftware.net/


Clep Trojan

This trojan drops an adware payload through a remote connection.


CleverIEHooker

Also known as: CleverIEHooker.Jeired

A mysterious BHO that has been found on a lot of infected machines.


Click Till U Win

Also known as: ClickTillUWin

Incented Lotto: ClickTillUWin is an icon installed on the desktop. Each time you click on the icon, you will be directed to the ClickTillUWin game page. It also installs a unique identification on your computer. It does not seem to install by ActiveX.

http://www.clicktilluwin.com/


ClickAlchemy

Also known as: Click Alchemy Alchemy

http://www.ClickAlchemy.com


ClickMailBot

This application is used as a tool to scam MySpace users. It gives the attacker the ability to send mass messages using a fraudulent MySpace account for the purpose of phishing. If the user's account is phished, then their account will be used in other phishing-related activities. Users should be aware of the very real danger when accepting unfamiliar friend requests.


ClickTheButton

ClickTheButton is described as a price comparison service. It detects when you are visiting a known shopping site and provides sponsored links to competitor sites. It runs as a process on startup (ctbclick.exe) and installs a number of extra DLLs. ClickTheButton downloads parts of advertising pages when you visit a new web site. When a complete advert has arrived it will be displayed, usually as a pop-up or pop-under window.

http://www.clickthebutton.com/


ClientMan

Also known as: iPend

Causes webpages in Internet Explorer to have highlighted keywords, linked to pay-per-click search engines. Details yet unknown. Seems related to odysseusmarketing.com. First reported as suspicious, it soon became clear that it will pass the ZoneAlarm firewall without user consent. When it tries to connect to the Internet, and ZoneAlarm displays its dialog asking whether the program should be allowed to connect or not, ClientMan will auto-click the 'Yes' button after checking the 'Always' checkbox. This way, it grants itself Internet access without the user even noticing more than a short flash of the ZA dialog.


Clindestine

Also known as: Backdoor.Clindestine


Clitor


CLogger 1.0

Also known as: Trojan.Spy.CLogger clogger CLogger 1.0

Trojan or Trojan Horse is a general term that refers to programs that appear desirable, but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer where a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage. Quote from the Website: CLogger is a powerful keylogger built in C/C++. Thanks to it you will be able to increase the security of your PC in recording text typed by each users. Every action on your keyboard will be logged in order to allow you to know who has done what with your PC.

http://creber.free.fr/clogger/index_en.php


CmdService

Also known as: Command Desktop Advertising

This is an adware program that is not removed in a traditional sense. In order to uninstall this program, you must download a separate uninstaller from their website.

http://command.adservs.com/about.php


CmjSpy

Also known as: backdoor.CmjSpy


CN-IEMonitor

Monitors Internet Explorer for keywords to display relevant advertisements.


CNav 2.0.0.1

Also known as: CNNIC Update C-Nav Chinese Navigator

This is a Chinese ad-ware program that modifies your browser and alters the PC's Winsock LSP.


CnsMin

Other than replacing the IE search feature with a Chinese site likely to be incomprehensible to non-Chinese users, CnsMin is not overtly harmful, but it uses extremely anti-social methods to make it difficult to uninstall. Is installed by ActiveX drive-by-download at its company's site, 3721.com. Has also apparently been included in junk e-mail, which could be how some Western users have ended up with it.

http://www.3721.com/


CN_Vids

CN_Vids is a worm that circulates via e-mail. Once infected, the worm tricks the user into downloading miscellaneous security applications. Once this is accomplished it circulates through your Outlook address book.


Coced

Also known as: Coced.221

This is a trojan that drops its adware payload onto the infected machine on port 7300. Once infected, this trojan allows your computer to be remotely accessed.


Coder Dialer

Also known as: CoderDialer ADW_LADDER.B (Trend Micro)

This is a dialer program.


Cold Fusion

Also known as: Backdoor.Coldfuson.11 BackDoor-AOP W32/Coldfusion.B Cold Fusion 1.2

Gives an attacker unauthorized access to the compromised computer.

http://www.hacktrojan.com/tuto.htm


Colddeath Trojan

Also known as: Cold Death

This trojan uses stealth tactics in order to avoid detection by anti-spyware products.


Coma

This is a RAT trojan designed to gain access and control of your computer through port 413.


Comando

Also known as: Backdoor.Comando


Combrepl


Comcaraisn

Also known as: Infostealer.Gamepass (Symantec) Trojan.Popuper (PCTools) Trojan-GameThief.Win32.OnLineGames.tbow (Kaspersky Lab) PWS-OnlineGames.ce (McAfee)

This trojan alters key Windows processes such as explorer.exe in order to steal sensitive information from the victim's PC.


Comedy-planet

Also known as: comedy planet comedyplanet

Comedy-Planet displays advertisements and product listings from a wide variety of companies. It collects user information.


Comet Cursor

Also known as: IncrediFind Comet Systems

Comet Cursor changes the mouse pointer when hovering over partner sites. It is infamous for being one of the first programs to install sneakily with another, and for tracking viewing of partner pages. Newer versions of Comet Cursor have grown very big indeed, with all sorts of features unrelated to mouse pointers. They seem to have "cleaned up their act" for the most part. Comet tracks visits to web sites that use its cursors, with an ID unique to each installation. However since the sites must deliberately include the Comet code in each page, this isn't much different to third-party advertising banners with cookies.

http://www.cometcursor.com/


Comlabat

Also known as: Backdoor.BAT.Comlabat.04


Commander Toolbar

Also known as: Adware-CommanderNET (Mcafee)

This is installed via ActiveX. Installs as a toolbar. It changes the Internet Explorer homepage. After every launch of Internet Explorer it contacts its own server for updates. Invalid URLs and search pages redirect to Google's home page. It redirects the "page not found" error page.

http://newnet.qsrch.com


Commando

This trojan spreads itself by e-mailing everyone on the infected PC's contact list.


CommonName

Also known as: CommonName/Agent CommonName/Toolbar BabeIE BabeIE2 CNMib

CommonName is yet another 'keywords' service, allowing you to type a company name instead of a URL. Originally a normal service, the software has become bundled adware. The newer variant CommonName/Agent periodically opens pop-under advertising as well as hijacking search settings. Cookies are used to identify you when requests are made to CommonName, allowing them to track your web usage. Requests are made when advertising is opened and when you visit a web address with a top-level domain that the CommonName software does not know about. This includes .edu and .mil. This adware is also bundled with Rootkit.win32.WinIk.

http://www.commonname.com/


ConCommand

Also known as: Dloader.Prop.NoShow

ConCommand is a trojan that has the ability to gain access to your computer through a remote connection. It will try to hide itself and other files by disabling the "Show hidden files and folders" option in the Windows Explorer Folder Options properties.


Conducent

Also known as: Timesink tsadbot

Uses the Internet to dynamically deliver content to desktop software. Once the content is received, it can be displayed at any time in the application. Content activity information such as advertising impressions and click through data is recorded and sent back to Conducent for daily reporting. Conducent does not provide users with an uninstall feature. Their software provides real-time ad targeting campaigns through the Timesink component TSadbot.exe. Conducent has formed strategic partnerships with most of the major Internet advertising networks. The company is now out of business, but its product lives on, although dying out.


ConfidentSurf

Also known as: SecurePCCleaner YourPrivacyGuard

ConfidentSurf displays fake infection alerts in order to scare the user into downloading their product.


Conga

Conga is a set of trojans that are installed onto the victim's machine using socks.exe.


Connection

Also known as: Backdoor.Connection Connection.130


Conscorr

Also known as: TrojanDownloader stubby.c Trojan Downloader

Appears to be related to the VX2 downloader.

http://www.conscorr.com


Consumer Alert System

Also known as: CAS ConsumerAlertSystems.CASclient CASClient Adware.CasinoClient (Symantec) Adw.ConsumerAlertSystem.CASClient (SunBelt) Trojan.cmapp ADW_CMAPP.B CMapp

Monitors users' searches, then delivers content relative to the user's search. Places icons on desktop, displays popups and pop-unders. (From CAS website) CAS can be installed two ways: directly from the ConsumerAlertSystem.com website, or as an add-on application by one of our affiliate partners (an example of this type installation method would be the add-on/optional software that is installed when you install one of many popular instant messenger or toolbar programs). In the event installation was as the result of an affiliate partner, the partner is required to abide by a strict code of conduct as presented in our Privacy Policy and EULA. Should you believe that you have been a victim of an affiliate partner in violation of these terms, please report this to our abuse department by submitting a report to our abuse department as soon as possible - if it isn't reported, then we can't take the appropriate steps to take action against the offender!

http://www.consumeralertsystem.com/


Contextplus-RK

Possibly related to Context Plus and Apropos Media. Appears to search through its own hidden cached web pages for keywords typed in Internet Explorer and search boxes. Displays ads based on these keywords. Some code analysis suggests that it tries to bypass the Windows hosts file by using its own DNS file to resolve IP addresses for displaying ads.


Contextuad

This is an adware application that will serve various advertisements. Installs a BHO (Browser Helper Object).


ContraVirus

This is a rogue anti-spyware. This application drops the very adware and Trojans that it detects in order to goad the user into a purchase.

http://www.contraviruspro.com


ControlTotal

Also known as: Backdoor.ControlTotal


Convert Sys

This is a trojan that is installed with Bravesentry and other rogue antispyware products. Once installed, it modifies the infected PC's winlogon.exe.


Coolbar

From their website: The Toolbar Software Is Designed to Collect and Use Non-Personal Information. The Toolbar Software collects certain non-personally identifiable information about your Web surfing. This includes your response to online ads; Zip code/postal code (if so submitted by the Subscriber for the purpose of utilizing the complete functionality of the toolbar); country and IP address; standard web log information and system settings; what software is on the computer (but no information about the usage or data files associated with the software); and time of successful software installation. This program adds a toolbar. It changes Internet Explorer's search page and error page.

http://www.thecoolbar.com


CoolCat

Also known as: CobCat HotCat

What is HotCat and CoolCat? HotCat is a server application used to send and receive information to/from a remote client (CoolCat) using the TCP/IP protocol. The client can this way completely control the remote computer in which the server is installed. The server application (HotCat) can serve many (thousands, theoretically) clients simultaneously. HotCat and CoolCat can be compared with other similar applications as NetBus or Back Orifice. Allows complete remote control of a PC.

http://www2.educ.umu.se/~cobian/CobCats.htm


CoolOnlineOffers

Also known as: Adw.CoolOnlineOffers.Opmrket (Sunbelt)

From EULA: 1. It displays in the form of intermittent advertisement, through various ad formats, and pop in a separate browser; coupons, offers, related websites, key information websites, words, and web pages. 2. Only, ads and Web Pages displayed are based off relevant data which is obtained from the User's desktop.


CoolwebScrollBar 2.2

CoolwebScrollBar bundles WhenU products, which deliver popups. From EULA: SaveNow's offers and information are provided to users by showing a limited number of relevant interstitials or "pop-up ads" when users visit various sites across the Internet.


CoolWebSearch

Also known as: CWS CoolSearcher Cool Web Search BootConf MSInfo SvcHost DNSRelay DataNotary Trojan.Norio Jetseeker winlink XPlugin coolwwwsearch Aze Search Toolbar Trojan.StartPage (Sunbelt) WinRes Spyware.CHM.A ieak6.CWS CoolWebSearch.info

One of the most infamous hijackers known to date. Comes in a variety of versions, all using different techniques. Handle with extreme care! CoolWebSearch is a name given to a wide range of different browser hijackers. Though the code is very different between variants, they are all used to redirect users to coolwebsearch.com and other sites affiliated with its operators. Known variants:

CoolWebSearch/DataNotary: earliest known variant, hijacking to datanotary.com. Drops a CSS stylesheet file in the Windows folder and sets it to be used as the user stylesheet for all web pages viewed in IE. The stylesheet includes embedded JavaScript code which tries to guess when the user is viewing porn sites.

CoolWebSearch/BootConf: drops a user CSS file in the same way as DataNotary, but pointing at www.coolwebsearch.com. Also hijacks the home page and all search settings to point to coolwebsearch, and hacks the DNS Hosts file to redirect access of MSN address-bar search to coolwebsearch.com. The site names are obfuscated using URL-encoding (%XX) to make them difficult to read. A program bootconf.exe is set up to run on every startup, resetting the hijack. Finally coolwebsearch.com is added to the Trusted Sites list, along with msn.com, whom coolwebsearch are also impersonating.

CoolWebSearch/MSInfo: another user-CSS-hijacker, this time pointed at true-counter.com, currently redirecting to global-finder.com.

CoolWebSearch/SvcHost: a Hosts file hijacker, which works in a rather unusual way (probably to avoid being detected by anti-hijacker tools). Its targeted sites (Yahoo Search, MSN Search and all countries' versions of Google) are set in the Hosts file to point to "localhost" (127.0.0.1). Since the local host (the computer the browser is running on) is most often not running a web server, this results in an error page; it is this error page that is then hijacked to the CWS site slawsearch.com.

CoolWebSearch/PnP: a search hijacker that hides inside the "inf" folder usually used for storing device driver information. Its hijacker file oemsyspnp.inf is run on each startup, using a slightly different install command each time. This command cycles through install sections 'RunOnce', 'AudioPnP', 'VideoPnp', 'IdePnP' and 'SysPnP', though quite why is unknown as it does the same thing regardless of which section is used, namely hijacking home page and search settings to point at www.adulthyperlinks.com and www.allhyperlinks.com. It also adds activexupdate.com to the IE "Safe Sites" list, for unknown purpose (this is not the same as the Trusted Sites Zone).

CoolWebSearch/MSSPI: a search results hijacker implemented as a Winsock2 Layered Service Provider (a fairly low-level networking component, which is tricky to remove). Targets Google, Yahoo and Altavista, opening advertising from unipages.cc.

CoolWebSearch/DNSRelay: an address bar search hijacker implemented as an IE URL Search Hook. As well as search phrases, entering any site name into the address bar without a leading "http://" or "www" will result in a search aimed at activexupdate.com, a CWS site redirecting through yellow2.com to allhyperlinks.com.

CoolWebSearch/Winres: registers Winres.dll under %Windir%, then changes the Start Page to about-blank (this page itself looks like a search engine). It changes the start page frequently. It downloads and installs other adware such as 2020 search, isearch, etc. It adds some sites to the trusted zone. It also creates two shortcuts on the Desktop.


Coopen 2.0.37

This is an adware program that is installed through a Chinese trojan bundle. Once installed, a media tool is added above the infected PC's system tray. The purpose of this tool is to rotate between desktop backgrounds and screensavers.


CoreNet

CoreNet logs URLs and displays pop-ups and advertisements.


CorruptedLite

Also known as: Backdoor.CorruptedLite


Coupon Bar

Also known as: CouponBar

From Coupons, Inc., "From time to time Coupons, Inc. may collect information before or after you print a coupon, or with no associated coupon. In some cases, we will collect personal information on our own behalf to fulfill your requests for offers and promotions, provide you with ongoing promotional opportunities and to send you advertising and promotions on behalf of our clients and advertisers. In such cases you will always be provided with notice that we intend to collect personal information and you will have an opportunity to opt-out of future messages or use of your personal information."

http://microsite.coupons.com/gmsa/Login.asp?pid=11049&ZID=uc10&NID=10


Cow Trojan

This trojan is no longer active. It originated from http://www.trojancow.8m.com/

http://www.trojancow.8m.com/


CQD2 Loader

Also known as: CQD2Loader

This is a trojan that is dropped onto the PC to be infected via an ActiveX control. Once installed it will phone home to a remote server and install its adware payload.


Crack.crackinfo

It comes in a package with the cracks available at crackinfo.net. It downloads other malware and makes the system unstable.


CrackDown

Also known as: Backdoor.CrackDown


CrackedEarth

http://www.crackedearth.com


CrackSpider

This will add a button to the IE toolbar that will direct people to go to www.CrackSpider.com. It also adds shortcuts to the favorites.

http://www.CrackSpider.com


Cram Toolbar

Cram Toolbar installs as an Internet Explorer toolbar and redirects searches. May show advertisements. Also changes the start page of Internet Explorer.


CramToolbar

This adware toolbar creates a Browser Helper Object on the user's machine without any EULA and starts recording the user's browsing activities. It hijacks the home page.


CrashCool

Also known as: Backdoor.CrashCool.b Jodeitor

When Backdoor.CrashCool is executed, it performs the following actions: Attempts to open and close the CD-ROM drive. Listens for remote commands from the author on port 9898 and attempts to execute them.


Cratpro

Also known as: Backdoor.Cratpro CRatPro.110


CrazyNet

Also known as: Backdoor.CrazyNet


CreateAMonster

Also known as: Kudd.com Create a Monster


CrocoPop


Crontel


CrossKirk

Provides "billing solutions" such as dialers for both dial-up and ISDN. They seem to be using "VLoading" for their dialers.


CSApp


CSearch

This is a toolbar that will redirect your searches.


CurePCSolution

Also known as: Cure PCSolution

This is a rogue anti-spyware. It is listed on the rogue anti-spyware list provided by spywarewarrior.com: http://www.spywarewarrior.com/rogue_anti-spyware.htm

http://curepcsolutions.com


CustomIE

Also known as: CustomIE.BHO MycustomIE


Cuty girls

This is a dialer that is downloaded via an ActiveX control.


CWS-SpamBot

This trojan's primary function is to spam the infected machine.


Cyanure

Also known as: Backdoor.Cyanure


CyberJack

Also known as: Backdoor.CyberJack Downloader.ERJ

This is an older trojan that is installed from Chinese websites. Once installed, it allows the distributor to gain a remote connection to your computer.


CyberSpy

Also known as: Backdoor.CyberSpy BackDoor-CU.cli Backdoor.Trojan BackDoor.CyberSpy Troj/CyberSpy-A Backdoor:CyberSpy TR/BackDoor-CU.Cli Win32:Trojan-gen. BackDoor.CyberSpy

Upon execution of this program the trojan copies itself into the Windows system directory and registers itself in the system registry so that it will start each time an infected system is rebooted. Once this is done it sends a notice via e-mail or ICQ (according to settings made by its author), and then begins to listen to a given TCP/IP port clandestinely. Having received the message sent back by the virus (information about specific networks sent back by the virus via ICQ or e-mail), the hacker controlling Backdoor.CyberSpy, with the help of any telnet-client, gains access to a victim computer's command line (prompt).


Cydoor

"The Cydoor Technologies delivers highly targeted advertising directly to desktops in advertising enabled software applications. Cydoor's SoftClick Optimization Engine ensures that advertising is delivered to the precise target audience." This program uses your internet connection to download ads and send out usage statistics. Removing this may cause dependent programs (such as P2P applications) to stop working. This program is only seen bundled with other programs. It is not an independent application.

http://www.cydoor.com/Cydoor


Cyn 2.0

Also known as: Backdoor.Antilam.g1 Backdoor.Cyn.20 Cyn_Trojan

Cyn is a Backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens ports 15432 and 51234 on the compromised computer.


Cytainment

This is a dialer program that is installed via an ActiveX control called IEloader.cab.


Cytron

Also known as: TargetingSource POTD Burnaby e-card_viewer.cab e-card viewer ecard

Cytron is an Internet Explorer Browser Helper Object. It scans the content of pages being viewed for keywords and opens pop-up advertising when they are detected. Installed by ActiveX drive-by download on a page pointed to by mail claiming you have received an 'e-card'. The ActiveX control purports to be a viewer for e-cards. When IE is started for the first time it attempts to connect to Cytron's servers to download a list of keywords to look for, and URLs of pop-ups to open. According to various reports, it also sends itself to everybody listed in your address book, with an email claiming you have sent them a greeting card. Once they open it, they too are infected. Cytron/potd installs potd.dll into Downloaded Program Files; with Cytron/sec the filename is sec.dll instead.

http://www.cytron.com/


D@ydream

Uses VBScript to edit registry, get folders, create scripting file system objects.


Dacryptic Trojan

This trojan is no longer in circulation, but has the ability to log keystrokes.


Dae


Dagger

Also known as: Dagger.140

This is a RAT trojan that is designed to gain access to your computer through port 2589.


DailyToolbar

Also known as: Hardcore Toolbar Daily Toolbar BDSM Toolbar Lesbian Toolbar Anime Toolbar Asian Toolbar Big Tits Toolbar Ebony Toolbar Fetish Toolbar Gay XXX Toolbar Shemale Toolbar Twinks Toolbar Voyeur Toolbar

DailyToolbar is a pornography-related toolbar that periodically generates pop-up advertisements. You must click "Yes" in order to even view their site. This will download the toolbar to your browser.

http://www.dailytoolbar.com


DailyWinner

Also known as: Burnaby, the internal object name; TargetingSource, the name used to describe the control in Downloaded Program Files. Troj/Ortyc by VS antivirus.

Cytron is an Internet Explorer Browser Helper Object. It scans the content of pages being viewed for keywords and opens pop-up advertising when they are detected.

http://www.dailywinner.net


Daniel

Also known as: Backdoor.Daniel

This Trojan will allow remote access to the victim's computer.


Danton

Also known as: Backdoor.Danton Danton.330 Danton.210


Daodan

Also known as: Backdoor.Daodan Daodan.123

This is a trojan that drops a payload on the infected machine through port 3333 after it is installed from Backdoor.Daodan.123.exe.


Dark Moon 4.11

Also known as: Darkmoon

The attacker can take control of the remote machine once the server application is installed on the victim's machine. It can record keystrokes and steal passwords, log information about currently running processes, and control file management.


DarkFTP

This trojan has the ability to load files onto the infected PC through an FTP connection.


Darksky Trojans

This trojan allows a remote connection.


DashBar

Also known as: Dash Bar

http://www.dashbar.com/


Dataline Dialer

Also known as: Dialer.GBDial

Looks to be related to Global Access. From the Website: "Use our targeted full page ads, or your own pages. Combined with our active-x dialer, this means maximum profit for you. With our premium support service, help is always available."

http://66.117.37.13/


Date Manager

Also known as: DateManager

This software is distributed by the GAIN corporation. This will bring advertisements to your computer.

http://www.date-manager.com/


DBestRelief


DCI

Also known as: Backdoor.DCI


DDoS-V

Also known as: Trojan.Panddos(Symantec)

DDoS-V is a trojan used to perform DDoS attacks.


Deadcow

Also known as: Backdoor.Deadcow

This Trojan is written in C++. This will attempt to give the attacker remote access.


DealHelper

Also known as: deal helper dealhelper.com

From the Website: DealHelper at www.dealhelper.com is a product developed to bring you deals, offers, coupons and informational messages on the Internet.

http://www.dealhelper.com/


Deepdo Toolbar

This is a toolbar that is installed from trojan packages that also install Borlan. This Chinese-based toolbar creates a directory at C:\Program Files\Deepdo\.

http://www.deepdo.com


DeepFree

Also known as: GameHack

Once this trojan is installed onto the victim's PC, it contacts a dangerous malware payload site that uses .jpg exploits to install other trojan infections onto the infected PC.


DeepThroat

Also known as: Backdoor.DeepThroat Backdoor.DeepThroat.11 Backdoor.DeepThroat.20 DeepThroat.b Backdoor.DeepThroat.b Trojan.Win32.TrojanRunner.b Win32.TrojanRunner.Joiner.i DeepThroat.100 DeepThroat.310 MiniBacklash.110

Trojan or Trojan Horse is a general term that refers to programs that appear desirable, but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer where a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage.


Deftcode

This is a trojan that installs an adware payload through a remote connection.


DELF.EX

Installs as a Browser Helper Object and monitors user's surfing activity.


Delf.NDZ

Also known as: Backdoor.Delf Backdoor.Win32.Delf.ado Win32/Delf.NDZ

Gives unauthorized access to compromised systems. Sends mail to random MailIDs. Trojan is written in Delphi.


Delfin Media Viewer 2.11

Also known as: PEDev.BHO, Adware.PEDev

From the Website: During the required 30 seconds or so it takes to log-on to one's ISP (latent time), the DelFin Media Viewer can deliver your online campaign in DVD quality large screen animation, with smooth motion and vivid sounds all enabled with full commerce capability.

http://www.delfinproject.com/


Delikon

Also known as: Backdoor.Delikon

This Trojan will give the attacker remote access.


Delta Source

Also known as: Backdoor.DeltaSource.07 Backdoor.DeltaSource.05

From the website: Functions include:
- Ping
- Spawn Program
- Spawn Invisible
- Delete file
- Program list
- Program kill
- Send host to URL
- MsgBox
- Mouse Swap/Unswap
- Mouse freeze/unfreeze
- Hide/Show taskbar
- Reboot
- Server Info
- Hide/Show cursor
- Get Double Click Time
- Set Double Click Time
- Get Cursor Pos
- Set Cursor Pos
- Open/Close CD-Rom
- System Info
- Screen Eater
- Screen Off
- Print text
- Logoff
- Shutdown


Deltabar


Deluxe Communications 6.8

Also known as: DXCecho DXC

From their website: DeluxeCommunications guides relevant web sites to you at the precise moment you are actually interested in them. Just browse the internet as you normally do and when you do a specific search or visit a relevant site, DeluxeCommunications will deliver one matching web site which allows you to visit it at that very moment or an alternative search results page containing sponsored listings. DeluxeCommunications will not always deliver a matching web page and will only deliver what it feels is the best possible match to help you navigate the internet. At time of install 9/25/2006, no EULA was displayed.

http://www.dxcdirect.com/


DerSpaeher

Also known as: DerSpaeher.200

When the user downloads the malicious file (backdoor.derspeher.3.c.exe), the trojan will drop its adware payload by using port 1000.


DerSpeher

Also known as: Backdoor.DerSpeher


DeskAdTop

Also known as: WSearch (SOPHOS)

DeskAdTop listens for specific keywords typed into web browsers and displays pop-up advertisements based on them.


Deskbar 1.6

This is an adware program that installs a search toolbar next to the system tray that searches their affiliates.


Desknot

This is a trojan that is installed through a Windows Media Player exploit. This trojan is not a problem with Windows Media Player 11.


DesktopHijacker.AdwarePunisher

Changes the desktop wallpaper. Displays regular popup advertisements for AdwarePunisher.


DesktopPuzzle

Also known as: Trojan.Win32.DesktopPuzzle

From Viruslist.com: This is a Trojan written in Delphi. The original filename is SLIDESCR.EXE. When executed under Windows 95, it blocks the task manager and opens a messagebox with the following text: "Slider 1.0 Oops, looks like somebody doesn't like you very much ! You have to finish this sliding tile puzzle before you can continue whatever it is you're doing ! Use the cursor keys to move the pieces (black piece is the empty one)." After 'OK' is pressed, the Trojan splits Windows desktop into several parts, mixes them and waits for the user to restore the original desktop by solving the sliding tile puzzle. It also swaps functions of cursor keys: 'Up' becomes 'Down', 'Left' becomes 'Right' and that makes solving the puzzle more difficult. There's no way to continue working with other Windows applications until you complete the puzzle. Under Windows NT the task manager is not blocked by the Trojan and the puzzle task could be killed. If the Trojan is executed from a DOS session (full screen mode) the desktop data is not acquired correctly and the puzzle parts are blank. This happens because the desktop image is acquired by the Trojan before Windows switches from DOS screen to its desktop.


Deskwizz

Also known as: Desk Wizz Adware.ZQuest(Symantec) ZQuest(McAfee) Adware/Deskwizz(Panda Antivirus)

Downloads unwanted software and displays pop-up advertisements.


Destrukor

Also known as: Backdoor.Destrukor


Deves

Also known as: Backdoor.Deves


Devil 1.3

Also known as: Backdoor.Devil.13 Trojan.Win32.Flood.d

From the Website: Server Features
- ICQ Killer
- Notepad flooder
- Open/Close Cd-Rom
- Reboot computer
- Send application bomb
- Send beep
- Send msg yche yche
- Send text to notepad
- Windows clean up


Devildor

Also known as: Backdoor.Devildor


Dftpserver

Also known as: Backdoor.Dftpserver


Dialer-S

Attempts to dial premium toll numbers using the modem.


dialer-shop


Dialer.ASDPlugin

Also known as: Dial/Playgrnd-B Launch DerBiz.com ASDPLUGIN ASDPlug ASDPlug.Adult ASDPlug.XAdult ASDPlug.gegames ASDPlug.surfya ASDPlug.fullgames

Dialer.ASDPlugin is a premium-rate dialer related to adult sites.
1. When installed, copies itself into the system32 directory.
2. Creates shortcut items on the Desktop and in the Start Menu.
3. When uninstalled, removes only the shortcuts and changes back the URL of IE.
4. Changes the modem settings.


Dialer.Baj


Dialer.BNI

Also known as: troj.e-nrgyplus

This is a dialer program that is installed like a trojan on the infected PC. Once installed it will use a dial up connection to make calls. Users should watch for the file e-nrgyplus.exe in their running processes.


Dialer.Intexusdial

This Dialer has hundreds of different variants.


Dialer.ks

Also known as: Trojan.Win32.Dialer.ks (SOPHOS) QDial-34 (Mcafee)

Dials toll numbers, can download and install unwanted software.


Dialer.Maxd

Also known as: maxd64

Dialer.Maxd is a porn dialer which is used by some porn sites to connect to toll numbers without the user's awareness.


Dialer.Mostrar

Also known as: Mostrar

Installs itself and tries to use the modem to dial a pay telephone number. Can possibly download and install other software.


Dialer.Qi

This is a typical porn dialer. Will attempt to dial out, causing long distance charges. This added two sites to the Trusted Zones (www.whatsnew.name and www.nodialup.name). You will receive pop-ups from www.whatsnew.name.


Dialer.RI

Dials a high-charge toll number.


Dialer.Sfonditalia

This is a dialer that is installed through an executable file distributed via an ActiveX control.


Dialer.XD


Dialer2004

Also known as: Dialer 2004


DialerActiveX

DialerActiveX is an ActiveX control used by premium rate dialers.


DialerData

Seems to be related to a dialer. Several popular forums are removing this application from HijackThis logs. Will continue to investigate.


DialerFactory

This is a dialer that is downloaded from various different pornographic related sites. Once on your system, it will attempt to make calls using a dial-up connection.

http://www.dialerfactory.com


DialerOffline

A premium-rate phone dialler providing access to porn sites. Known to be installed by the RapidBlaster parasite, possibly also ActiveX drive-by installation.


DialerPlatform

Also known as: HowToSearch Dialer, DialerPlatform

Another dialer that attempts to call an international number causing extreme charges. DialerPlatform.com was sold to Global Acc?s S.L.


Dialers

"Dialers" consists of web sites associated with vendors and distributors of porn dialers, many of which are installed through deceptive means, including security exploits.


DialupRipper 1.0

DialupRipper is a program that quickly finds all the Dialup-Networking Connections, logs the details to a text file and sends the connection name, user name and password.


DialXS

Also known as: Dialer.DialXS


Diginum

Also known as: Adware.Diginum (Symantec) Dignum

Diginum displays advertisements while using this software.


Digital Spy 1.1

Also known as: Backdoor.Digispy New BackDoor1 [McAfee]

Digital Spy can connect to remote systems (running the server.exe). Once it is connected, you can: view/kill running applications; view registered ICQ UINs; request information on victim; get the time of victim; get a screenshot of victim; explore/delete/upload/download/run files; create/delete directories; turn FTP on/off; chat with victim; send a message to victim; let victim hear a sound; open/close CD drive; view/hide startbar; set a different wallpaper; view a picture; set mouse to coordinates; disconnect victim; logoff victim; restart victim; shutdown victim.


DigitalRootbeer

Also known as: DigitalRootbeer.100

This is a trojan that drops its adware payload onto the infected machine by accessing port 2600.


Direct Advertiser

Also known as: Direct Popup Advertiser

Direct Advertiser displays pop up advertisements and monitors surfing habits to generate ads that you are more likely to respond to.


DirectConnection

Also known as: DirectConnection.100

This is a RAT trojan that can gain access to your computer through TCP ports 1600 to 1602.


DirectConnector

This is a Korean-based browser plugin that displays advertisements.


Dirtxt Trojan

Also known as: DIRT.220 TrojanCow.100

This is a trojan that communicates through port 2001.


DiyBar

Also known as: 51NET DiyBar

DiyBar installs as an Internet Explorer toolbar and Browser Helper Object that is capable of showing advertisements.


DKangel

Also known as: Backdoor.DKangel


DL.A.nvk

DL.A.nvk downloads additional files to the computer and tries to execute them.


Dlder.a

Also known as: Trojan.Win32.Dlder.a BackDoor.Grokster Troj/Download-A Trojan:Win32/DlDer.A TR/DlDer.B Win32:Trojan-gen. Backdoor.Dlder.A

From Viruslist.com: "This two-component spyware-Trojan was discovered at the end of December 2001. Once the Trojan is installed on a user's system, it constantly upgrades its main component that connects to the 2001-007.com Web site and reports a user's ID, the Web browser being used and all URLs and all its child windows open. The Trojan violates a user's privacy and opens a security hole in the system by downloading and activating executable files. This spyware-Trojan is installed with LimeWire, Kazaa, morpheus and some other software packages along with other spyware. The Trojan is installed even if a user selects not to install any additional components from these packages. The main Trojan component is an Explorer.exe file that is located in a Windows folder in \Explorer\ subfolder (do not mistake it with the original Windows Explorer.exe). This component is constantly upgraded by the second Trojan component that has the name 'DlDer.exe' and is located in a Windows folder. The DlDer.exe file, when it is started, downloads an Explorer.exe file from a Web site, and puts it in a \Windows\Explorer\ folder. Then the Trojan creates a start-up key for the Explorer.exe file. Upon the next system restart, the Explorer.exe file is activated, and it creates a start-up key for the DlDer.exe file, and starts to connect to the aforementioned 2001-007.com Web site, reporting a user's ID, Web browser and all URLs visited by a user. We recommend deleting both Trojan components from an infected system. If these components can't be deleted (locked files), they should be deleted from a pure DOS (in the case of a Windows 9x system), or renamed with different extensions (EXA for example) with immediate system restart (in case of Windows NT/2000/XP system)."


Dldr.Agent.C91

Also known as: BackDoor-CZI (McAfee) Troj/Agent-DJL (Sophos)

Downloads unwanted software without the user's permission.


Dldr.Agent.eaa

Also known as: Agent.eaa Trojan-Downloader.Agent.eaa

Dldr.Agent.eaa is installed as a service and downloads additional files to the infected computer.


Dldr.Agent.TE

Also known as: Backdoor-ASB (McAfee) Troj/Dloader-YI (Sophos)

Dldr.Agent.TE downloads files to the user's computer without the user's knowledge.


Dldr.Small.GT

Also known as: Download.Trojan (Symantec) Troj/Small-GT (Sophos)

Dldr.Small.GT tries to download executables from a remote location and execute them on the local machine. This trojan resets your system clock to the year 1980, which causes many applications to function improperly.


Dload.4.Money

Website hosting multiple malicious files.

http://download4money.com/files/programs/


Dloader-LO

Also known as: Troj/Dloader-LO (SOPHOS)

Downloads unwanted software to the user's computer without the user's knowledge. Downloads and runs other downloader trojans.


Dloader-OR

Also known as: Generic Downloader.c (McAfee) Troj/Dloader-OR (Sophos)

Dloader-OR downloads, installs and runs new software without the user's permission.


Dloader.Agent.IBH

Also known as: Win32/TrojanDownloader.Agent.IBH

Dloader.Agent.IBH downloads files to the user's computer without the user's knowledge.


Dloader.BCC

Dloader.BCC downloads and executes files without the user's knowledge.


Dloader.C.man

Dloader.C.man drops files without the user's knowledge. These other files download and install trojans and adware. It has been known to use the WMDM PMSP Service Vulnerability in order to connect to malicious sites.


Dloader.cao.1

Dloader.cao.1 downloads files and executes them without the user's knowledge.


Dloader.kt.duc

Dloader.kt.duc downloads and tries to run the downloaded files.


Dloader.Losabel

Also known as: TrojanDownloader:Win32/Losabel.C (Microsoft)

Dloader.Losabel tries to disable security software to remain undetected and downloads/executes malicious files.


Dloader.NJH

Dloader.NJH downloads files without the user's knowledge and permission.


Dloader.NQC

Downloads software without the user's knowledge.


Dloader.Small.ele

Also known as: Trojan.Popwin (Dr.Web)

Downloads and installs software without the user's knowledge.


Dloader.Small.NRS

Downloads additional files without the user's knowledge.


Dloader.vmfinder

Dloader.vmfinder tries to disable security software and download other files without the user's knowledge.


Dloadr.NQX

Also known as: Win32/TrojanDownloader.Delf.NQX (NOD32)

Downloads files without the user's knowledge.


DLSearchBar

Also known as: SearchBar

Toolbar that changes browser settings and redirects searches. Their site redirects you to http://www.findwhatevernow.com/search/. This is the main page for another toolbar called "FindWhateverNow Toolbar".

http://www.dlsearchbar.com


Dluca

This is a downloader which downloads additional files to complete the functionality of the program. It also sends out system information.


DM

Also known as: Backdoor.DM Backdoor.DM.11


DnsChanger Trojan

Also known as: WIN32.DNSCHANGER.S TROJAN, Trojan.Flush.G (Symantec)

This trojan modifies the DNS server settings and redirects the browser to unwanted sites. May download an adware payload.


DnsDoor

Also known as: Backdoor.DnsDoor


Dogpile Search Toolbar

A toolbar plugin for IE that allows you to perform searches. From their own pages: "In the course of using the Downloadable Toolbar, the Downloadable Toolbar automatically records certain information about your use of the Downloadable Toolbar and the Internet: time and date of login; duration of session; URL hits during session; advertisements served during the session via the Downloadable Toolbar; software add-ons installed via the Downloadable Toolbar; when you send a message sent via the Downloadable Toolbar, the time you send the message and the recipient's user name or email address. This information enables us to catalog traffic patterns and other usage statistics, which helps us better tailor our services to the needs of our users."

Dogpile writes to us: "The toolbar is not designed to collect user information, email addresses, or other personal information. There never has been any login information. It does not monitor the user's activity. The only information that is collected is what is collected by the webservers serving the Dogpile site. That includes basic information collected by all webservers such as browser type, ip address, time, url requested. The site does some basic reporting functions such as number of users visiting different areas. This information is not associated with any personally identifiable users and it is used by us to know which services are popular and which are not. The toolbar does not hijack anyone's browser. The only settings changed are homepage, search, and autosearch and only when the user chooses those options. The user is free to change those settings and we don't try to interfere with that. The toolbar has a very simple uninstall function that does not leave hidden applications behind."

This is the revised privacy policy: http://www.dogpile.com/info.dogpl/tbar/privacy.htm

http://www.dogpile.com/info.dogpl/tbar/


DollarRevenue

Also known as: Dollar Revenue

This adware drops more files on the user's machine that are used to display advertisements and download additional files. It installs UCMore Toolbar to track user search queries. This adware usually comes bundled with some other program.

http://dollarrevenue.com/


Doly 1.6

Also known as: SennaSpy2001 Backdoor.Doly

This trojan drops its adware payload onto the infected computer by accessing port 1015.


Dominador

Also known as: Backdoor.Dominador


Donald Dick 1.53

Also known as: Backdoor.DonaldDick.153 Trojan.PSW.EPS.dr Trojan.PSW.Ring0.a

This is a Windows 9x Internet Backdoor trojan. When running it gives full access to the system over the Internet to anyone running the appropriate client software: read/write/delete/run any file on the computer; record keystrokes; get information about the system; open/close the CD-ROM tray; and many other things.


Dongdor

Also known as: Backdoor.Dongdor


Donk

This is a worm that uses fake windows names as autostarter values.


Dope Wars 2.2

Dope Wars 2.2 is ad-supported software. It is part of the Gator Advertising and Information Network (GAIN), which helps keep software free by delivering messages based on the sites you view.


Dotcomtoolbar

This is a program that hooks URLs, sends them to a predetermined Web site, and then redirects the URL to the correct location. The Web site can log a user's IP address and visited URLs. It does the following: it adds the value "redirect"="<path to executable file>" to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If a user accesses a Web site, it hooks the URL and changes it to www.dotcomtoolbar.com/redirect/url.asp?url=<URL the user would like to visit>, which allows www.dotcomtoolbar.com to log your IP address and the URL you are visiting.

http://www.dotcomtoolbar.com/


DownLd-ABB

DownLd-ABB downloads additional malware and executes it.


Download Plus

Also known as: DownloadPlus MCInst

DownloadPlus is a process run at Windows startup which opens pop-up adverts (many of them porn-related) and, for some reason, weather reports. The software also refers to itself as MessageCenter internally. Can silently download and execute arbitrary unsigned code from its controlling server, as a self-updating feature. One comment inside the program claims copyright by "PornKing".


DownloadCoach


Downloader-A

Also known as: Generic.Downloader.a (McAfee) YourEnhancement

Downloads software without the user's knowledge.


Downloader-AB

Downloader-AB downloads files from the internet and then executes them.


Downloader-ABS

Downloads unwanted software without the user's knowledge. Its main purpose is to download files from the internet and execute them.


Downloader-adonga

Downloader-adonga connects to a remote server to get configuration information. It then displays advertisements and downloads software while the user browses the internet.


Downloader-Adv

Also known as: LoaderAdv

DownLoader-Adv is a WMF infection that drops many trojans and adware programs on the victim's PC. It disables the task manager. It uses the maximum system memory, displays a lot of popup advertisements and changes the Web objects on the Desktop. It also downloads rogue anti-spyware programs.


Downloader-AGR

Downloads and installs software without the user's consent.


Downloader-AK

Also known as: Trojan-Downloader.Win32.Aphex.10.d (Kaspersky)

Downloads unwanted software onto a user's computer without their knowledge.


Downloader-ARK

Downloads software without the user's knowledge. Types of software seen downloaded are: other downloader trojans, backdoor programs, mass mailers, and spyware.


Downloader-ARQ

Downloads software without the user's knowledge. Types of software seen downloaded are: other downloader trojans, backdoor programs, mass mailers, and spyware.


Downloader-Arun

Also known as: Netwark

Downloader-Arun installs itself as a service and then attempts to download additional files to the compromised computer.


Downloader-AXK

Also known as: Trojan-Downloader.Win32.Agent.ala (Sunbelt)

Connects to the internet without the user's knowledge and downloads malicious applications.


Downloader-AZC

Downloads unwanted software without the user's permission.


Downloader-Be

Also known as: Generic Downloader.be (McAfee)

Downloads unwanted software without the user's knowledge. As of June 14, 2006, connections have been made to dollarrevenue, zenotecnico, and other sites.


Downloader-DRsmart

Also known as: DrSmartload

This trojan installs several products without the user's knowledge. Files like drsmartload will be installed in your Windows and system32 folders as a result of this infection. Common results of the infection include an abundance of pop-ups that relate to rogue anti-spyware cleaners.


Downloader-EpM

Launches Internet Explorer and takes the user to a porn website as a distraction while unwanted files or programs are downloaded.


Downloader-EX

Downloads unwanted software to the user's computer without the user's knowledge. Downloads and runs other downloader trojans.


Downloader-F0116

Downloader-F0116 tries to download and execute files without the user's knowledge or consent.


Downloader-IMG

Downloader-IMG is a Trojan Downloader which installs DollarRevenue Adware and GimmySmiley Adware on the user's machine. These adware programs install further binaries, which leads to the display of many annoying pop-up advertisements.


Downloader-IP117

Downloader-IP117 downloads additional unwanted software related to Chinese adware.


Downloader-MSB

Also known as: Troj/Dloader-SL (SOPHOS) Trojan.Downloader.Small.Popcorn64 Trojan.Downloader.Small.Popcorn

Downloads software without the user's knowledge.


Downloader-NV

Downloads software without the user's knowledge.


Downloader-QE

Downloads additional software to the computer without the user's knowledge.


Downloader-QO

Also known as: Troj/DwnLdr-BUL (SOPHOS) TROJ_DLOADER.AOC (TrendMicro)

Connects to a remote server to download other software.


Downloader-QZ

Also known as: MegaPorn Downloader

Connects to a remote server to download porn dialers and other unwanted software.


Downloader-RF

Downloads unwanted applications without the user's knowledge.


Downloader-RpcS

Also known as: Backdoor.Win32.Delf.ash (Kaspersky)

Downloader-RPCS attempts to download other files.


Downloader-SS

Downloads unwanted files without the user knowing. Can download adware and other types of trojans.


Downloader-Tadpu

Downloader-Tadpu downloads additional files and tries to execute them.


Downloader-TQ

Downloads files without the user's knowledge. Usually downloads trojans, downloaders, adware or other types of malicious programs.


Downloader-UP

Downloader-UP is a downloader trojan that downloads additional threats and reduces security settings. It sends system information to a remote server.


Downloader-UY

Also known as: Troj/Dloadr-UY (Sophos)

Downloads files without the user's knowledge.


Downloader-VF

Also known as: Troj/Dloader-KD (SOPHOS)

Downloads unwanted software to the user's computer without the user's knowledge. Downloads and runs other downloader trojans.


Downloader-VG

Downloads additional software to the computer without the user's knowledge.


Downloader-VR

Downloads unwanted software without the user knowing.


Downloader-VS

Also known as: Trojan-Downloader.Win32.INService.gen (Kaspersky)

Downloads files without the user's knowledge. Usually downloads trojans, downloaders, adware or other types of malicious programs. Downloads Downloader-TQ. Adds itself to startup when the computer reboots.


Downloader.ab

Also known as: Trojan.Win32.Agent.ay (Kaspersky) Generic Downloader.ab (McAfee)

Downloader.ab copies itself to %WINDIR%\System32 with a random name. It then tries to download a file and execute it.


Downloader.Adware.pkn

Also known as: Generic2.KKV (AVG)

This is an adware downloader, which installs adware on the user's machine without the user's knowledge.


Downloader.Agent.afl

Also known as: Downloader-AVQ (McAfee)

Downloader.Agent.afl is a downloader trojan that downloads and executes remote files. Sends system information to remote servers.


Downloader.Aleddo

Also known as: Win32/Beenut (eTrust)

Aleddo is a downloader trojan that brings additional security threats onto the user's computer without consent.


Downloader.artella

Also known as: TR/Dldr.Age.66267.A (AntiVir)

This downloader connects to a domain and drops other adware and trojan binaries.


Downloader.bqn

Downloader.bqn downloads additional files and tries to execute them without the user's knowledge.


Downloader.Gen

Also known as: Downloader.gen8 (Authentium) Downloader-BDG (McAfee)

Downloader.Gen is a group of trojans which download and execute malicious files from a remote server.


Downloader.JS

Downloader.JS is a group of trojans which download and execute malicious files from a remote server.


Downloader.Monnet

Also known as: Monnet Trojan Downloader

Downloader.Monnet is installed on a user's computer mostly via a stealth installation or bundled with other spyware threats, and can severely compromise system security. It opens illicit network connections, disables security software and the system's firewall settings, modifies system files, disables anti-spyware applications, and installs additional malware.


Downloader.MS

Also known as: Trojan Downloader MS, Troj/Dropper-BP

Downloader.MS is installed via stealth installation or else bundled with other spyware threats, and can severely compromise system security. It opens illicit network connections, downloads additional malware files (Trojans, hacking tools, etc.), and disables security software and the system's firewall settings. Some malware files downloaded by this Trojan downloader are hidden from the Windows API and are to be removed in Safe Mode.


Downloader.Psyme

Also known as: VBS/Psyme (McAfee), Trojan.VBS.KillAV (KAV), Trojan.Downloader.Delf.BJK

Downloader.Psyme downloads and executes a file through a known exploit of ADODB stream objects in Microsoft Internet Explorer.


Downloader.Red

Also known as: Trojan Downloader Red

Downloader.Red communicates with web sites over HTTP to download further malware binaries. It creates multiple copies of the Trojan infection on the PC. It could use the infected PC to send mass mail over SMTP.


Downloader.S

Downloader.S downloads additional unwanted software that can display advertisements and download more files.


Downloader.Sac

Also known as: Trojan.Downloader (Prevx)

Downloads software. At the time of investigation (05-18-2006), the downloader connected to SearchClickAds to download and install SearchClickAds, Mirar toolbar, and Bookedspace. Can be configured for other download campaigns.


Downloader.Small.EA

Also known as: Trj/Downloader.LSM, W32/Small.EAZ!tr.dldr, Trojan/Downloader.Small.eaz

Downloader.Small.EA is a Trojan downloader which drops malware onto the user's machine.


Downloader.Traff

Also known as: Downloader.AG (Sunbelt)

Downloader.Traff downloads a lot of other Malware threats. It changes security and firewall settings of the Operating System. It causes change in Internet Explorer's Search Page.

http://www.traffbucks.biz


Downloader.Win32.Small.et

This Trojan connects to porn sites.


Downloader.Win32.Small.pv

Downloads software without the user's knowledge.


DownloadReceiver

Also known as: systimer

From their website: "eAcceleration reports that Download Receiver and Webcelerator products were discontinued in 2002 when eAcceleration exited the online advertising business." DownloadReceiver is a component used by eAcceleration (Acceleration Software International Corporation) to download and install their Webcelerator software. It also runs an advertising process called systimer.exe on startup, which connects to eAcceleration's servers at buttonware.net every so often to download a list of pop-up adverts and directions as to when to show them.

http://www.eacceleration.com/


DownloadWare

Also known as: MediaLoads ClipGenie

DownloadWare is a process that runs on Windows startup. If a network connection is available it will connect to its servers, which can direct it to download and install software from advertisers. It may be installed through an ActiveX control called ActiveInstall, which decodes and runs a built-in executable and then (tries to) remove itself. This executable can include DownloadWare and other bundled software - often premium-rate diallers from Movie Networks, Popcorn.net, MVPNetworks or Real-Tens [sic]. This program is bundled with NetworkEssentials.

http://www.downloadware.net/


DownSeek


DP Trojan 2.5

Also known as: Backdoor.DP.25 BackDoor-LC

Allows an attacker complete remote access to the infected computer.


DRA

Also known as: Backdoor.DRA


DragonIrc

This trojan communicates over a secure IRC channel.


Drat

Also known as: Backdoor.Drat

This Trojan will transfer files off of the infected computer. Removal is difficult because it resurrects itself after it is uninstalled.


Drater 1.0

Also known as: Drater

This Trojan gives the attacker access to your computer.


Dreb

Also known as: QDel104 Trojan Horse Trojan.Update Troj/Dreb Trojan:Dreb TROJ_DRWEB TR/Dreb Win32:Trojan-gen. Trojan.Dreb

This Trojan deletes the files C:\COMMAND.COM and WIN.COM. Starting Windows 95/98 is impossible.


Drive Cleaner

Also known as: DriveCleaner

This is a security program that can distribute itself from shady affiliates through an ActiveX control. The site uses Flash to inform the user that "pornographic and sensitive" files have been found. The number of files it reports may be the same on several separate PCs. Clicking the Flash content starts a download of the software.

http://www.drivecleaner.com/


Dropper-GF

Also known as: winbrume

Dropper-GF is a search hijacker that installs itself as a Browser Helper Object for Internet Explorer and redirects specific searches. This trojan usually gets installed on the user's computer by other trojans. Once installed, this trojan updates itself and downloads configuration from a remote server. This configuration information is then used to redirect searches.


Dropper-Loadppc

Also known as: Trojan-Dropper.Win32.Small.abx (Sunbelt)

Dropper-Loadppc is a Trojan dropper that installs itself on the user's machine and contacts remote servers to download additional malware such as Srv.SSA-KeyLogger, Coolwebsearch, Ztoolbar, and Startpage. It is programmed to contact a pre-defined domain address to configure shortcuts on the computer desktop that allow it to download and install advertising software. It also modifies the user's start page.


Dropper.BallonPop

Also known as: BalloonPop Word Game

From their website: "Plays like the classic word game Hangman, but with a very funny twist. A lot of fun!" When installed, the game drops other files that download software without the user's knowledge. At the time of install (11-13-2005), 180 Search Assistant, Internet Optimizer, and Search Miracle were a few of the other programs installed without the user's knowledge.

http://www.lookoutsoft.net/freewebgames/baloonpop.html


Dropper.CSU

Also known as: Critical Security Update Trojan Trojan.Dropper (Symantec) Trojan-Spy.Win32.Luhn.a (Kaspersky) TrojanDropper:FakeWinupdate (Sunbelt Spyware Research)

Has been spammed through email as a Critical Security update. Spammed email:

Subject: Critical security update available

Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)

Summary:
Who should receive this document: Customers who use Microsoft Windows
Impact of Vulnerability: Remote Code Execution and Local Elevation of Privilege
Maximum Severity Rating: CRITICAL
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:
- Microsoft Windows 2000 Service Pack 4 - Download the update
- Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update
- Microsoft Windows XP Professional x64 Edition - Download the update
- Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Download the update
- Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems - Download the update
- Microsoft Windows Server 2003 x64 Edition - Download the update

Non-Affected Software:
- Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Executive Summary: This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Conclusion: We recommend that customers apply the update immediately.

© 2005 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement

Microsoft DOES NOT email security update warnings to users. To learn about the Microsoft Security Bulletin MS05-039, please visit this link: http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

Drops Keylog-Sklog (http://www.spywareguide.com/product_show.php?id=2370). The data file of logged keystrokes can be sent to the malware author via FTP.


DropSpam

Also known as: DSLifestyle DropSpamLifestyle Misc.DropSpam (CounterSpy) Adware.DropSpam (Mcafee)

DropSpam 2.0 scans your mail box for spam and viruses before sending them on to you, ensuring that every email you receive is free from harmful viruses and annoying spam. DropSpam claims to eliminate spam and installs a toolbar. DropSpam toolbar directs users to the DropSpam search engine that creates popup advertising. Can come bundled with Webhancer.

http://dropspam.com/


DSC00008.lockts

This malware downloads other malware. It also tries to shut down services like Firewall Policy.


DSData

This is a Trojan that installs a hidden executable file and .dat file in the system32 directory of the victim's PC. While running, it has the ability to manipulate mail in Outlook and specifically looks for Opera Mail usernames and passwords. It also makes connections through mIRC.


DSK Trojan 2.0

The DSK Trojan's abilities include: window control, victim chat, remote process control, fake message boxes, registry editor, remote file manager (Upload/Download/Exec/Delete, etc.), remote web downloader and remote file search. Static IP Notify also makes it 'LAN Bypassable', and an upload/download queuing system makes downloading many files very easy to manage.


DskLite

Also known as: Backdoor.DskLite DSK Lite 1.0

This trojan gives an attacker remote access to your computer.


DSNX

Also known as: Backdoor.DSNX


DSSAgent

An application distributed by Broderbund. Broderbund was purchased by RiverDeep Interactive.


DSSdoor

Also known as: Backdoor.DSSdoor


DT.dl-VR

Drops downloader trojan Downloader-VR (McAfee). Can drop and execute other files.


DTR 1.6

Also known as: Backdoor.dtr.1.6 Backdoor.DTR

This Trojan allows the attacker to have access to the victim's computer.


Ducktoy

This is a trojan that allows a remote connection.


Duddie

Also known as: Backdoor.Duddie

This Trojan will give the attacker access to files on your computer. It also gives the attacker the ability to upload and download any information the attacker wishes.


DuDuAccelerator

DuDu Accelerator for Internet Explorer is a download manager utility that shows advertisements when the user accesses the Internet.


Dumador

Also known as: Backdoor.Dumador


Durvil

This is a trojan that is often installed in dollarrevenue bundles. It leaves two DLL files in the system32 folder called durvil1.dll and durvil2.dll. Once installed, it will prompt the user to visit a website and enter their e-mail address.


Dynamic Desktop Media

Also known as: Adware.Dynamic ddm_d rfwnad Adware Dynamic

Adware installed via ActiveX. Shows ads, known to cause browser slowdowns. Known to download and install N-Case, Winpup and other nasties. Their website also suggests relations to "180solutions" and "toolbarcash".

http://www.dynamicdesktopmedia.com/


E-Group Sex Dialer


E-nrgyPlus Dialer

E-nrgyPlus dialer connects to toll numbers without the user's awareness or permission to load pornographic material.


E2Give

Also known as: Spyware.e2give (Symantec), E2G

Tracks users' surfing habits. Possibly tracks users' personal and computer information. Able to display pop-ups.

http://www.e2give.com


Easy Messenge


Easy Proxy Changer

Their site redirects to a .dat file that is installed onto the user's machine. Upon visiting their main site, their demo is installed through javascript.


Easy Search

Also known as: runwin32.exe

This product is described on many sites as a Trojan. It's not however. This is a garden variety hijacker transmitting the same benign information the rest of the malware applications send.


EasyBar 1.0.1

Also known as: Easy Bar

EasyBar monitors the user's online behavior and adds related links to the toolbar. It also changes Internet Explorer's search page and start page.


EasyInstall


EasySearch

From the Website: By downloading the EasySearchBar, you accept the EasySearchBar License Agreement, which also gives EasySearchBar permission to display relevant contextual information to you in the form of advertisements, via our Special Offers software, should they decide to do so.

http://www.easysearchbar.com/


Easyserv

Also known as: Backdoor.Easyserv


EasyWWW

http://www.EasyWWW.com


Ebates Moe Money Maker

Also known as: ebatesmoemoneymaker ebates moe money maker

Sends ads to your computer or changes out core links with affiliate tracking links. Such ads may or may not be targeted, but pop up, and are not merely displayed within the form of an ad-sponsored application. The application is centered around user loyalty, "loyalty ware", and providing cash or other rebates to users who make purchases with their merchant partners. Moe Money Maker reserves the right in their EULA to disable any software they feel might interfere with your rebates. Recent research on Ben Edelman's site has shown this application being installed via browser security holes.

In downloading and/or installing the Moe Money Maker Software, you agree to the following:

1) Ebates and its agents may pop up brief alerts when you can save money by shopping through Ebates or by using the Moe Money Maker Software.

2) Ebates may direct your traffic to the merchant of your choice. This may be done a) by presenting a choice in a pop up alert asking whether you wish to save by shopping through Ebates, thereby directing your browser through Ebates in order to ensure you earn a reward, or b) by automatically routing you through Ebates and automatically earning you a cash-back discount with no further action on your part being necessary.

3) Ebates may disable or uninstall any other product or software tool that might interfere with the operability of the Moe Money Maker Software or otherwise preempt or render inoperative the Moe Money Maker Software in a manner that might jeopardize the ability of Ebates to earn you cash back discounts or coupon savings offered by Ebates. In installing the Moe Money Maker Software, you authorize Ebates to disable, uninstall, or delete any application or software that might, in Ebates' opinion nullify its function and put you at risk of losing the cash-back savings that Moe Money Maker Software is designed to earn you.

4) If you would like to utilize another savings tool, you can simply uninstall the Moe Money Maker Software before installing a competitive application. The Moe Money Maker Software can be easily uninstalled through the standard 'add or remove programs'

https://www.ebates.com


Eclipse

Also known as: EclYpse_Trojan Eclypse.100


Edipole

It is a dialer program which is used to access pornographic websites by dialing a high-cost phone number using a modem.


EEYE

This is a trojan that allows for a remote connection.


Eggdrop

Also known as: Egg Drop WinEggDrop Shell

This trojan allows for the distributor to gain a remote connection to your PC.


Ego

Also known as: Backdoor.Ego


Ehks

Also known as: Backdoor.Ehks


EICAR Standard Anti-Virus Test File

Also known as: EICAR-AV-Test

This file is NOT a real virus or malware; it is just a totally harmless "dummy" virus file that can be used to test your anti-virus solution. It can be downloaded freely from the eicar website. Why would you want to? Because it solves the dilemma of how to test your security software without endangering your system. If your software does not detect it, no harm is done.


Elfrit

Also known as: Backdoor.Elfrit


EliteBar

Also known as: EliteToolBar Elite Bar Search Miracle SearchMiracle EliteBar EM Toolbar Enternet Media Toolbar EliteBar Internet Explorer Toolbar Yupsearch esearch2005

EliteBar installs itself as an Internet Explorer toolbar and also redirects search requests.


Eljefe

Also known as: Backdoor.Eljefe


eltc-EditorFKWP

From their website: Firewall bypass Keylogger, Webdownloader, Protected Storage 1) logging all keystrokes 2) Download 2 urls cab files and extracting and executing the inside exes (Firewall bypass) 3) Protected storage (Outlook, IE stored passes), Cached Dialup passes Sender 4) keystrokes, passes will mail to the email id, daily or the log size is over 5) firewall bypassing by injecting code into IE and sending mail 6) No Process visible, injects into Explorer.exe on startup and exiting 7) Active Setup Startup 8) EXE size is 11.9 KB 9) encrypted log file

http://www.elitec0ders.net


eltc-EliteKeylogger

From their website: No Process Visible in any Task manager, Process Injects into Explorer.exe on startup and exiting the parent. Firewall bypassing by injecting code into IE and sending mail. Invisible Startup, will not show in msconfig, autorun.exe (sysinternals). Automatic Uninstall. Protected Storage, Cached Passwords sender. No need to use your own SMTP server (sending directly) to MX. Remote Installer, Uninstaller. Built in Binder makes the keylogger same as the binded EXE (Icon, Version). We can bind keylogger with any type of EXE or picture, documents. HTML formatted logs. Detect ICQ/MSN/AOL/Yahoo Chats. Logging Window names, All keys typed in that window. SelfDelete. EXE Size is 12.7 KB

http://www.elitec0ders.net/keylogers.htm


eltc-SKLEditor

From their website: 1) Targeted keylogging (logs only the keys from the specified windows) 2) keystrokes will mail to the email id, daily or the log size is over 3) firewall bypassing by injecting code into IE and sending mail 4) Deleting all Cookies at installation. 5) EXE size is 8.5kb

http://www.elitec0ders.net


Email Threats

Also known as: EmailThreats

"Email Threats" consist of domains associated with advertising companies that run HTML email advertising campaigns. These ad-oriented HTML emails may make use of web bugs, scripting, and rich media content, as well as various tracking technologies to record and measure impressions and responses to ad campaigns. Also included in this category are email verification services, which use HTML email features to verify and monitor the receipt and reading of emails.


eMusic


enBrowser

Also known as: Snack Man(Sunbelt), Adware.WinBo(Symantec), NBrowser, Snackman, Hydra

This free game is supported by adware. Though it says this in the EULA it does not go into great detail as to how much or what adware programs are bundled with snackman.exe. Often times, PacerD is installed with this game. In this case, 33 or more separate adware and trojan programs were installed. Snackman.exe leaves a hidden window open that generates numerous pop-ups. So much that it is nearly impossible to play the 'free' game because of pop-up interference.

http://www.enbrowser.com


Enculator

Also known as: Backdoor.Enculator


EnergyPlugin

Also known as: EnergyFactor (Spybot)

From the Author: (http://www.energyplugin.com/eng/info.html) Energy Plugin is distributed by hundreds of associated websites. Users who install Energy Plugin have free access to the premium resources of all associated sites (software and services) and accept to receive advertising ads while browsing.

http://www.energyplugin.com/eng/


EngageSideBar

EngageSideBar and Cookies Upon your first visit to EngageSideBar, EngageSideBar sends a "cookie" to your computer. A cookie is a piece of data that identifies you as a unique user. EngageSideBar uses cookies to improve the quality of our service and to understand our user base more. EngageSideBar does this by storing user preferences in cookies and by tracking user trends and patterns of how people search. EngageSideBar will not disclose its cookies to third parties except as required by a valid legal process such as a search warrant, subpoena, statute, or court order. What Information Do We Collect? EngageSideBar does not collect any unique information about you (such as your name, email address, etc.) except when you specifically and knowingly provide such information. EngageSideBar notes and saves information such as time of day, browser type, browser language, and IP address with each query. That information is used to verify our records and to provide more relevant services to users. For example, EngageSideBar may use your IP address or browser language to determine which language to use when showing search results or advertisements. Serves advertisements inside Internet Explorer at a user configured area. As of 6-26-06 Engaged was silently installed along with CMDService and Top Banners. No EULA displayed for any of the programs installed.

http://www.engagesidebar.com/index.html


Enhancemysearch


EnjoySearch

A hijacking application that directs you to a portal. There are a few accounts of the software running on the web. The application seems to be new. Web research indicates this infection may be related to Cool Web Search Variant.


Eocha

Also known as: Dialer.BaciamiStupido (Symantec)

This is a dialer application. It stealthily replaces the target location (URL) of Favorites menu items. This dialer can infect the computer when a user visits certain malicious sites. It also reduces the security levels of Internet Explorer.


EQAdvice

Also known as: Fullcontext.EQAdvice(Sunbelt) EQBranch FCAdvice

Displays advertisements and allows downloads of additional software.


Eqiso Toolbar

Also known as: Sofa Toolbar Soft Toolbar

This is a Chinese toolbar that can be installed in trojan bundles.


Eret

Also known as: Backdoor.Eret


Eroskop Dialer

This dialer is installed through a file called full.exe. Once it's installed, it will create an autostarter and also dial toll numbers.


EroticAccess

This is a dialer that is installed via an ActiveX control when surfing to pornography-related sites.


ErrClean 1.0.16.0

This is a Miscellaneous Security application related to AntiVirusForAll and AVSystemCare. This product takes credit card information before giving the selling price to the user.


Error Protector 1.1.14

Also known as: System Doctor System doctor 2006 Systemdoctor Errorprotector

Error Protector, alias System Doctor, is a rogue antispyware program that displays fake infection information to deceive users into buying the product.


ErrorGuard

Collection of Personal Information from Service Visitors Error-Guard, Inc. may collect and/or track (1) the home server domain names, email addresses, type of client computer, files downloaded, search engine used, operating system, and type of web browser of visitors to Error-Guard, Inc.'s web service, (2) the email addresses of visitors that communicate with Error-Guard, Inc. via email, (3) information knowingly provided by the visitor in online forms, registration forms, surveys, email, contest entries, and other online avenues (including demographic and personal profile data), and (4) aggregate and user-specific information on which pages visitors access. Personal data collected by Error-Guard, Inc. may be used by Error-Guard, Inc. for many reasons, for example, for editorial and feedback purposes, for marketing and promotional purposes, for a statistical analysis of users' behavior, for product development, for content improvement, or to customize the content and layout of Error-Guard, Inc.'s service. Aggregate data on visitors' home servers may be used for internal purposes but will not be provided to third parties such as marketing firms. Individually identifying information, such as names, postal and email addresses, phone numbers, and other personal information which visitors voluntarily provide to Error-Guard, Inc. may be added to Error-Guard, Inc.'s databases and used for future calls and mailings regarding service updates, new products and services, and upcoming events. Driveby download. We have also noticed points of deceptive advertising where computer error messages are created without the label of "Advertisement"


ErrorSafe

Also known as: WinSoftware.ErrorSafe Error Safe

A Windows error-fixing tool that asks users to register it in order to fix the detected errors. May give overstated reports of defects found on the user's computer. Installs through improper bundling.


Esbot

Once the Esbot worm is installed by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability, it will install various unwanted programs via ActiveX controls. It will create a fake service as well as various entries to the infected PC's winlogon.exe.


eScorcher

EScorcher is an ad-supported Antivirus program.

http://www.escorcher.com/


Esepor

Also known as: Trojan-Downloader.Win32.Esepor Trojan-Downloader.Win32.Esepor.m


Espion

Also known as: Backdoor.Espion


eSyndicate

Installs as a Browser Helper Object and displays advertisements. Once installed, this adware downloads configuration information from remote server for further instructions.


EtherScout 1.10

From the Website: Records and analyzes Internet traffic patterns on your local network. A web based interface generates various real-time reports which reveal Internet activity. Advanced users can write their own report, using HTML and SQL queries. EtherScout can monitor traffic from all network machines without the need to install any client software on every PC.


Euthanasia 1.52

Euthanasia can send anonymous and untraceable email with any SMTP server using Sendmail versions earlier than 8.9.

http://kr0mecorp.home.ml.org


Evade 1.12

Also known as: Evade 1.12

The client application, which runs on the attacker's system, can connect to the server application on the victim's machine. Evade is able to track the currently running processes, transfer files, record keystrokes and gather system information from the remote machine.


EventHorizon

Also known as: EventHorizon.100

This trojan drops its adware payload onto the infected computer by accessing TCP port 4488.


Eventor

Also known as: Backdoor.Eventor


EverAd


EverDA

Also known as: ADW_EVERDA.AG ADW_EVERDA (Trend Micro) Win-Adware/SuperCenter.32256 (AhnLab) Win-Adware/BHO.Xema.135168 (AhnLab)

EverDa randomly generates its filenames and displays popup advertisements.


EvilBot Trojan


EvilFTP

Also known as: Trojan.Fixit.a

From the Website: What this program does is when it is run on someone's computer it opens up a port and runs in the background so anyone can connect. Disguised. This program is disguised and fools the person running it that it will fix the bugs in win95... the bugs it acts like it is fixing are "nuke" "ssping" "teardrop" How it runs... Ok what you need to do is give it to the person, fool them into taking it, which is easy, then have them run it... You need their IP too... After they run it... The program runs in the background and the only way to shut it down is ctrl+alt+del... One thing that is important: the program modifies the win.ini file so that every time you start up your computer, no matter whether you did ctrl+alt+del, it starts up again in the background so you do not know it's running and anyone can connect... If you do not want this program to run you have to go into win.ini and take out the command line Run=C:\WIN95\system\msrun.exe and delete the file msrun.exe in the win95\system directory... What ports and pass/login... You need to put their IP in then the port which is 23456 the pass and login is yo and connect Ok now you have connected... I am pretty sure about you can download files and I know you can upload... Another thing, there are some custom commands... I am going to tell you how to use them in CuteFTP only... goto "Commands" then "Custom Commands" then "Define" then click on "add" now in the label field type "Execute exe" Then goto "command Text" Type "EXEC %f" check the box that says "Show server's response" you may put in a hotkey if you like... When you're done with that click on "add" again now in the label field type "Execute Notepad Text" Then goto "command Text" Type "EXEC c:\win95\notepad %f" There is one thing with this command, every time you go into a different computer the windows directory might be different... What I mean by windows directory is where their windows95 is installed... so if their windows directory is c:\win95\ you need not change the text in the "Command Text" box but if their windows directory is c:\windows\ or c:\window\ you need to goto "Commands" then "Custom Commands" then "Define" Then click on the "Execute Notepad Text" in the "Commands" box and you will have to change the "Command Text" text to whichever directory... Example... If their windows directory is c:\windows\ you have to change the text in the "Command Text" to "EXEC c:\windows\notepad %f" And so on for their windows 95 directory... check the box that says "Show server's response" you may put in a hotkey if you like... Which operating system... The only operating system I know this program works on is Win95.


Evilgoat

This will give an attacker access to your machine.


Evilsock

Also known as: Backdoor.Evilsock


Evncil

Also known as: Backdoor.Evncil


eXact Downloader

Also known as: eXact Bargain Buddy Cash Back eXactUtil

Used by eXact Cash Back and Bargain Buddy to download and install other components.


eXactSearch

Also known as: eXactSearchbar

eXactSearchBar is an IE toolbar with the usual search features. Advertised by e-mail to mail.com users as a mail.com toolbar. From their EULA FAQ: What does the eXact Software do? eXact offers a number of software products free of charge, including FunGameDownloads and PhotoGizmo, to Internet users in exchange for permission to display our offers, discounts and/or advertisements. In conjunction with the above-mentioned software, eXact's ad supported software products provide users with valuable offers, discounts and/or advertisements.

http://www.exactsearchbar.com/


Excalibur

Also known as: Backdoor.Excalibur


Exception 1.0

The attacker can take control of the remote machine once the server application is installed on the victim's machine. It can record keystrokes, log information about currently running processes, and control file management.


Executor

Also known as: Backdoor.Executor


ExpertAntivirus

Also known as: Expert Antivirus

This is another Rogue Anti-Spyware. Drops the very files that it detects in the scan to goad the user to purchase.

http://expertantivirus.com/


ExpExt

Also known as: MetaDirect


Exploder

EXPLODER does a proper shutdown of Win 95 from a web page. Once this application is installed it can run as a normal program on your computer, often hidden from the user. In addition, it has full access to your system and can download and install other applications as well. Moreover, EXPLODER could be used to produce an unwanted shutdown of a person's PC by placing it in an unexpected location on a web site.


Exploiter

Also known as: Backdoor.Exploiter


Explorer32

Also known as: W32/Kwbot.worm, SdBot.05.v, Troj/StartPa-MN

This trojan uses a very specific set of names for its files. Users should watch for any files showing up on their PC that are called "abcdefgh.exe".


ExPup


EyeOnIE

Also known as: Infostealer.Eyoni (Symantec) PWS-EyeOnIE (McAfee)

EyeOnIE steals passwords by installing itself as a Browser Helper Object. EyeOnIE will log passwords and URLs entered into Internet Explorer.


EzKilla

Also known as: Backdoor.EzKilla


eZROMs

Also known as: Adw.eZROMs

It is a browser. It displays advertisements and also installs other malware.

http://www.ezroms.com


ezSearchBar

Also known as: ezSearchBar EZ Search bar ezCyberSearch ezCyberSearch.B

An IE toolbar. Its contents are loaded from a page at ezcybersearch.com each time a new Internet Explorer window is opened, and may include link buttons and a search field. Linked to EZCyberSearch.com, 50cents.com, 50centlyrics.com. And probably to CoolWebSearch because it has turned lilac in colour. It was always related to AllCyberSearch, GoCyberSearch and TinyBar, which now all have gone over to CoolWebSearch.

http://www.ezcybersearch.com/


Ezula

Also known as: TopText ContextPro ClickFast

This is a browser plug-in for Internet Explorer. This means that the TopText software cuddles up in Internet Explorer's process; from the outside, no-one can tell whether native Internet Explorer code or TopText is communicating with the Internet. After installation of TopText, network traffic logs revealed that there was unusual HTTP traffic between Internet Explorer and a foreign server each time the user navigated between URLs. The data transmitted is small and cryptic, so we don't know if this is confidential information or not. This "product" continually mutates.

http://www.ezula.com/


eZula-DashBugFree

Also known as: Dash Bug Free eZula.DashBugFree

From the Website: DashBugFree is brought to you by the EARN network. EARN helps keep many popular software applications and services free in exchange for delivering advertising, links to third parties, and information based on the context of the web sites you view.

http://www.dashbugfree.com


eZula-DashConnect

Also known as: eZula.DashConnect (Sunbelt) Dash Connect

DashConnect is brought to you by the EARN network. EARN helps keep many popular software applications and services free in exchange for delivering advertising, links to third parties, and information based on the context of the web sites you view.

http://www.dashconnect.com/


Fadedoor

Also known as: Backdoor.Fadedoor


FairTale

Also known as: FairTale Dialer (Paretologic)

It is a porn dialer which connects to the fairtale.nl website.

http://www.fairtale.com


FairyTale


Fake Delete

Also known as: FakeDel joke

This program simulates the deletion of files and folders present on the hard drive.


Fake GoogleTalk

Fake GoogleTalk is a password cracking utility designed to steal googletalk passwords.


Fake MSN Messenger

This application allows users to covertly steal msn login credentials from another user.


Fake Yahoo Messenger

Fake Yahoo Messenger is a password cracking application that is designed to steal sensitive information related to Yahoo messenger.


Fake.AV

Also known as: TROJ_FAKEAV.AJ (Trend Micro)

This product tricks the user into purchasing various different rogue anti-spyware applications. It produces numerous official looking advertisements in order to manipulate the user into purchasing the product.


FakeNd

A fake Myspace profile spreads a trojan called FakeNd. It generates fake alerts on the desktop and guides you to purchase anti-spyware.


FakeVoegol

Also known as: Win32.Banload.bgx

FakeVoegol gathers email addresses from the Windows Address Book of the infected computer and emails them to a remote attacker. It also sends information about the infected computer.


FallingDoor

Also known as: Backdoor.FallingDoor


FalseAlert

Also known as: FakeAlert, False Alert, Adware.MsnAgent, AdClicker-BW (McAfee)

A false Windows alert message pops up, informing you that your computer is infected with spyware. Clicking on it opens advertisements. Variants of this adware may change default browser settings such as start page, search page, URL prefix, etc.


Falsu

Also known as: Trojan.Win32.StartPage.amd (Sunbelt) Covert.Sys.Exec (Prevx)

This worm has the ability to not only steal confidential information from your computer, but it also leaves an adware payload for Chinese related sites.


FanAlizee

Also known as: Fan Alizee

FanAlizee is a dialer which can be used to access pornographic websites by dialing a high-cost phone number using a modem.


FanNolwenn

Also known as: Fan Nolwenn

FanNolwenn is a dialer program used to access pornographic websites by dialing a high-cost phone number through a modem.


FanSalma

Also known as: Fan Salma

FanSalma is used to access pornographic websites by dialing a high-cost phone number using a modem.


Fantador

Also known as: Backdoor.Fantador


Farnaz

Also known as: Backdoor.Farnaz PWS-CL Troj/Zorro Backdoor:Win32/Farnaz BDS/Farnaz Win32:PersianTwins BackDoor.Farnaz Backdoor.Farnaz.A

This program is a hidden telnet server. It stays in the system as a hidden application and listens to socket 133 using TCP/IP protocol. By using that, a hacker may connect to a victim computer and get access to disk files and system resources.


Fast Search Bar


FasterXP

From their website: FasterXP consists of an extensive set of optimizations created to improve your system's performance and reliability. With FasterXP your PC will: Boost your hard drive's speed; Increase your connection speed by up to 200%; Decrease your HDD's access time and fragmentation; Block IE pop-up and pop-under ads; Enhance your system, make it more effective; Improve the reaction time of the Start menu; Launch Internet Explorer much faster; Search the web without loading search engines; 100% Spyware free. Displays ads and bundles some malware, such as toprebates and Abetterinternet. The bundled malware can change. Changes the home page to http://www.fasterhomepage.com/ Story on Direct Revenue and FasterXP: http://www.vitalsecurity.org/2005/06/direct-revenue-busted.html


FastFind

Fastfind is an Internet Explorer plugin that may be used to display targeted advertisements. May also change Browser.

http://www.fastfind.org


FastFinderToolBar

Also known as: Fast Finder ToolBar Adware.FFToolBar(Symantec)

It changes search requests and might display popup ads.


FastMp3Search

This is a tool to download free Mp3's, at the price of downloading and installing several adware programs such as 888bar.


Fastseeker

Portal Based Toolbar

http://www.fastseeker.com


FastTrackBot

This botnet connects you to several servers designed to feed the victim a never ending stream of advertisements. These ads do not show up in actively shown windows. Users will be able to tell a difference in performance speed.


FastWebFinder

This adware program is installed by trojan downloaders such as Trojan.Paytime and Krepper.


Fatcon

Also known as: Backdoor.Fatcon


Fatpickle Toolbar

As stated in their FatPickle Terms of Service Agreement: The PROVIDER may provide free or reduced-cost services, tools and features through the sponsorship of advertisers. As a result, the PROVIDER asks that the USER support the advertisers and their advertising. The PROVIDER requires all advertising to be suitable for general audiences and makes every effort to provide advertising relevant to the USER. The PROVIDER reserves the right to serve ads according to its discretion.

http://prohosting.fatpickle.com/shmed/html/policies.thml


Fatroj

Also known as: Backdoor.Fatroj


FavMan.Erationalnews

Also known as: FavoriteMan.Erationalnews (Sunbelt), erationalnews.com

FavMan.Erationalnews collects personally identifiable information with data collected from other sources to use in direct or online marketing practices. It also changes the user's Start page to "http://www.splashspot.com/home".


FavoriteMan

Also known as: ofrg Lwz F1 Emesx.dll

FavoriteMan is an IE Browser Helper Object. It connects to the web site "yourspecialoffers.com" and, when directed to do so by the command files stored on that site, adds entries to the IE Favorites menu, and installs other software such as Transponder/VX2, NetPal and ClickTheButton. FavoriteMan attempts to find your e-mail address from Outlook or Outlook Express and sends it on first use. Unlike the other parasites from Mindset, however, it does not seem to send a log of URLs browsed. Update: They seem to be releasing more and more different variants, seemingly programmed to install other spyware/adware remotely.


FavSearch 1.5

FavSearch quickly searches through both the shortcut descriptions and URLs in your Internet Explorer Favorites list and returns a list of items containing any word, phrase, or partial word or phrase you specify. You can then simply double-click any item in the list of results to have Internet Explorer navigate to its corresponding URL. This is especially useful if you have accumulated a large collection of Favorites and finding specific items in it has become tedious and frustrating. If you are using Internet Explorer 5 or later, installation of this program adds a new FavSearch button to Internet Explorer's toolbar plus a new menu item under the 'Tools' menu, giving you convenient access to the program whenever you are browsing the Web.

http://www.zdnet.fr/telecharger/windows/fiche/0,39021313,11007776s,00.htm


FC

Also known as: Backdoor.FC


Feap

Also known as: Backdoor.Feap


Fear

Fear is a program that enables an attacker to gain almost complete control over an infected PC.


Feardoor


FearLess

Also known as: Backdoor.FearLess


Fearless Downloader

Also known as: FeDownloader

This is a Trojan downloader which can get trojans or other malicious applications from the internet and install them on the victim's machine. The attackers can take control of the victim's machine once the malicious applications are installed.

http://areyoufearless.com/


Fennarat

Also known as: Backdoor.Fennarat


Fenster

Also known as: Backdoor.Fenster


FeRAT 1.0

Also known as: BackDoor-AVN.dll Backdoor.Ferat.10


Feri

Also known as: Backdoor.Feri


Fictional Daemon 4.4

From the Website: The cheapest and most complete daemon around for Windows 95/98/Me and WindowsNT/2K/XP. Remote control your computer by the network/internet with a telnet client. (FTP, shutdown/reboot, execute, schedule commands etc.)

http://www.techsoftworld.com/networking/ftp/fictional-daemon-4.4--for-ftp.html


FileFreedom

From their website: Personalize your favorite file-sharing program with FileFreedom 4.0. Get file ratings, reviews, recommendations, most popular lists, instant messengers, playlist sharing, and a host of other unique features. FileFreedom works seamlessly with your favorite file-sharing networks, such as Morpheus, Grokster, BearShare, KaZaA, LimeWire. Displays popups and popunders. Their site has been listed for sale. It is unknown if legacy versions are still in circulation.

http://www.filefreedom.com


FileNail

Also known as: FileNail.100

This is a trojan that can access your computer through port 4567. Once contact is established, it has the ability to install its adware payload.


Find.FM

Also known as: FindFM Find FM

Installs a search toolbar and changes Internet Explorer's search and homepage. The software does not have a clear, easy-to-read EULA. The website does not display a privacy statement in any form. Searches are routed through a third party aggregator.

http://www.find.fm/


FindSpy a16

The original executable has been removed from the internet. It is unknown whether legacy versions still exist.


FindWhateverNow

Also known as: Find Whatever Now

This toolbar is related to the dlsearchbar from Integrated Search Technologies.

http://www.findwhatevernow.com/search/


FireHotcker

Also known as: Backdoor.FireHotcker

This Trojan is out of circulation.


Fixer AntiSpy

This is a rogue anti-spyware. They are listed on the Rogue Anti-Spyware site at spywarewarriors.com http://spywarewarrior.com/rogue_anti-spyware.htm

http://fixerantispy.com/


Fizzlebar

Fizzlebar is a Browser Plugin for the Internet Explorer. It displays pop-up advertisements while the users browse the internet.


FizzleWizzle Toolbar

Adware, also known as an Adbot, can do a number of things, from profiling your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled (i.e. peer-to-peer file swapping products) with other software without the user's knowledge or slipped in the fine print of a EULA (End User License Agreement). Not all Adware is bad, but often users are annoyed by adware's intrusive behavior. Keep in mind that by removing Adware sometimes the program it came bundled with for free may stop functioning. Some Adware, dubbed a "BackDoor Santa", may not perform any activity other than to profile a user's surfing activity for study. AdWare can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall. A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA. It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA, e-mail the company and ask them for clarification. If they cannot clarify this do not install the software. You may see special offers from our sponsors periodically while the toolbar is in use. You are free to uninstall the toolbar at any time. Special offers are usually served as a new browser window that loads behind or in front of your active web browser window. This loading may or may not cause a minor disruption in your web browsing while the advertisement loads, depending upon network conditions, computer speed, and other factors.

http://www.fizzlewizzle.com/toolbar/


FlashKiller

Also known as: Trojan.FlashKiller

This trojan when run immediately erases data on the hard drive and destroys the Flash BIOS chip, if it is write-enabled.


Flecsip

Also known as: Troj/Browmon-D [Sophos] PWSteal.Flecsip.B [Symantec] Agent.FA Spy.Agent.FA Trojan.Spy.Flecsip.I Logger.Flecsip.i PSW.Generic.QHJ PWSteal.Flecsip.B StartPage-IZ TR/Dldr.Agent.DS.1 Trj/Flecsip.C Troj/Flecsip-B Trojan.Flecsip.B Trojan.Grab Trojan.Spy.Win32.Flecsip Trojan/Dldr.Agent.DS.1 Trojan-Spy.Win32.Flecsip.i W32/Flecsip.A@pws W32/Flecsip.D W32/Flecsip.I-pws Win32/Blabag.F Win32/Flecsip!PWS!Trojan Win32/Spy.Agent.FA

Flecsip is usually propagated through Spam mails. When users unknowingly extract the zip file of the Trojan, they will get infected. When the Trojan is executed, it drops three files into SYSTEM32 Folder. When Internet Explorer is launched, Flecsip steals URLs of the web pages visited, Date & Time, Method type (POST or GET), Keystrokes, Status of any checkboxes or radio-buttons and stores all the gathered information in one of the dropped files and sends it to the controlling server without user knowledge. One more file is used as an identification number for the infected user.


Flobo

Also known as: Backdoor.Flobo

This Trojan appears to be out of circulation.


FlowGoBar

FlowGoBar is an Internet Explorer search toolbar. When searching in the toolbar you will be directed to www.sirsearch.com. FlowGoBar is bundled with different screensavers offered free by eUniverse Inc.

http://www.flowgo.com


Flux 1.0

Also known as: Backdoor.Win32.Fluxdor

From the Website: The first release of the advanced RAT Flux. It allows administration of remote computers, including the ones behind routers or protected by firewalls. Small server size (22 kb) without cutting down on features. Features such as streaming of desktop/webcam, persistent server, 1024-bit encrypted connections, filedownloads supporting resume, keylogger, passwordsniffer, SOCKS4 plus a lot more. Flux also introduces a whole new concept of user organisation, screen capturing methods and streaming of multiple users desktop/webcam to thumbnails.

http://www.evileyesoftware.com/screenshots/Zmx1eC5qcGc.txt


Fluxay

Also known as: Backdoor.Fluxay

This Trojan will add a service.


Flyswat

May collect info on Referrers (HTTP Referrers, Top-level Domains, Search Engines, Keywords, Quality Index, Frequency Index, Newsgroup Referrers, and E-mail Referrers), Visitor statistics (Major ISPs, Hostnames, Browsers, OSes, Countries, Timezones, Plug-Ins, Screens, Colors, Java, and JavaScript), and more.

http://www.flyswat.com


FMTdoor

Also known as: Backdoor.FMTdoor


Fof

Also known as: Backdoor.Fof

This Trojan will allow the attacker access to the victim's computer.


Foobot

Also known as: Backdoor.Foobot

Foobot is a backdoor Trojan. Connects to an IRC channel and receives instructions through TCP port 6667. May open advertisements.


Forbes

This will display advertisements on your computer. These are also known as popunders.


Forbot

Also known as: W32/Forbot-CT (Sophos)

A worm that takes advantage of unpatched machines exploiting LSASS and DCOM vulnerabilities.


ForcedEntry

Also known as: Backdoor.ForcedEntry

This Trojan will give the attacker access to your computer.


Fore


Fotos

Also known as: Glacier

Fotos is a Trojan capable of giving an attacker remote access to the host computer. It sends host machine information in the form of an e-mail to the attacker. This Trojan is written in Visual Basic. It creates an exception on the Windows Firewall.


Fotovideos

Also known as: Infostealer.Orcu (Symantec)

This worm spreads through Orkut. It copies itself into the "%windir%/system32" folder (%windir% is the folder where Windows is installed). It also installs a Browser Helper Object, which it uses to steal information when sites such as banking sites are visited. It also collects system-related data regarding the hard disk, motherboard and MAC address. If any Orkut user opens his or her account on the infected machine, a message with the infection link is sent to the friends list. Crashes of Explorer were also seen when any Explorer window was closed.


FouBot

FouBot is a worm that can send spim messages via MSN. It has been observed to send repeated spim messages on fanfou.com via the MSN publish feature.


Fox

This is a trojan download that installs a botnet package.


FoxEyes

Also known as: Backdoor.FoxEyes


FoxPass

FoxPass poses as an application designed to crack into MySpace accounts. Its true purpose is to trick users who are attempting to steal MySpace login credentials. FoxPass displays an error, tricking the user into thinking the application is broken. It instead steals all the username and password information stored by Mozilla Firefox and stores it in a text file in the C:\Windows directory.


Fraggle

Also known as: Backdoor.Fraggle


Frapes

Also known as: Backdoor.Frapes


FraudTool-AntiSpySpider

FraudTool-AntiSpySpider is used to disable the Windows Task Manager and Registry editor. Can display an infection message in the system tray. This tool is used with AntiSpySpider to trick the user into purchasing the application. Downloads and displays advertisements.


Freak88

Also known as: Freak88.100

This is a RAT trojan that comes from backdoor.freak88.exe. Once installed, it can allow access to your computer through port 7001.


Freddy

Also known as: Backdoor.Freddy


Free Access Bar

Also known as: FreeAccessBar

This is a Browser Helper Object. It also displays contextual advertisements. From the EULA (http://www.freeaccessbar.com/eula.html): By installing and/or using the Free Access Toolbar software and service you grant permission for Petro-Line, Ltd. to have the Free Access Toolbar software run in the background on your computer and periodically launch, in a separate browser window, advertisements for our partner's websites, services or products. The advertisement will be contextual related at the moment they are most interested in a particular product or service. The frequency of these advertisements will vary depending on your use of the Internet. The partner's advertisement, websites, products or services that will be shown to you are not endorsed by and/or affiliated with the websites that trigger their appearance.

http://www.freeaccessbar.com


Free-day

This adware creates a toolbar for Internet Explorer. It will then display pop-ups related to your search activity.


FreeConnect

Also known as: Free Connect, Dialer.HZ

FreeConnect is an adware application which shows porn-related pop-ups and also acts as an adult content premium rate dialer. This is a porn-related trojan that is installed when visiting Spanish-related pornographic sites. Once installed, your start page will be hijacked to otherchance.com. The package installed poses as a media plugin for Windows Media Player 10.


Freegate

Also known as: Backdoor.Freegate

This is not the same as the anonymizer of the same name by Dynamic Internet Technologies, Inc.


FreeLoad

Also known as: FreeLoad

A type of software typically used by pornographic vendors. Once dialer software is downloaded, the user is disconnected from their modem's usual Internet service provider, another phone number is dialed, and the user is billed.


FreePcScan.SpywareSlayer

Also known as: Adw.Freepcscan.Spywareslayer (Sunbelt)

The program is a rogue anti-spyware application that reports false positive installations. These false positives are meant to trick users into paying freepcscan.com to enable Spyware Slayer and clean their PC. Its EULA also states that user information may be given to third parties, that ads will be shown, etc. From the EULA: The following Privacy Policy discloses our personal information gathering and sharing practices with respect to our website located at www.FreePCScan.com (the "Website"). FreePCScan.com is the sole owner of the personal information collected on the Website. Use of web bugs allows FreePCScan.com to track certain websites that an individual may visit online. Web bugs are also used to assist in ascertaining the products and services that individuals are interested in and to track online behavioral habits for marketing purposes. However, by submitting that information to FreePCScan.com, you grant to us the right to use your personal information for any legal purpose including, without limitation: a) marketing purposes such as sharing your information with third party advertisers; b) providing promotional offers to you by means of e-mail advertising, telemarketing, direct mail marketing, online banner advertising and/or package stuffers; c) transferring your personal information to a third party, when necessary, to receive a product or service that you may have ordered from such third party while using the Website or when responding to offers provided by FreePCScan.com; d) tracking compliance with our Terms and Conditions; and e) for validation, suppression, content improvement and feedback purposes. Credit Card information: In connection with most purchases and transactions that take place on the Website, FreePCScan.com will collect your credit card information. The entities that advertise and/or place banner ads on the Website are independent third parties and are not affiliated with FreePCScan.com. Minors/COPPA: FreePCScan.com does not knowingly solicit or collect information from visitors under 18 years of age.


FreeScratchAndWin

Also known as: free scratch cards FSC2K FSW FSC

FreeScratchAndWin is an IE spyware Browser Helper Object dressed up as a web 'scratchcards' game. (What exactly is available to be won, and whether anybody has ever won it, remains unclear.) It also hijacks your home- and search-page settings to point to xzoomy.com, and complains if you try to change them back. Opens pop-up adverts every few minutes. The software's terms of use advise that the software can track users' web usage. Downloads and installs arbitrary unsigned code as part of an update feature. Addendum: FSW should not be confused with http://www.FSW.com which is a legitimate e-commerce development company.

http://www.freescratchandwin.com


Freeze Screensaver


Frenzy

Also known as: Frenzy 0.10b Backdoor.Frenzy

From the Website: Open CD-Rom, Beep host, Get Port Status, Get the Windows Version, Kill Frenzy server, Change Resolution, Set host's mouse Position to 0,0, Display moving button, Enable/Disable EndTask List, Hide/Show Start bar, ShutDown or Restart Host computer, Directory list any directory, Drive list, Log what you are doing, Enable/Disable a real annoying box that tells the server they moved the mouse, Get the date, Get the time, You can rename the server.exe whatever you want, You can get their location in the world, You can get their computer user name, You can get their uin if they are on ICQ, Display an error message of your specification, Run a program from the Server's computer, Send Keys to active program, Close Active program, List active stuff, Close active stuff


Fresh Bar

Also known as: FastSearchWeb (Mcafee)

Hijacks Internet Explorer homepage, search page and adds toolbar.


Frethog

This is a trojan designed to steal passwords and send the information to a remote computer.


Friends.fr


Frsk


Fsl-Zoo_Disaster

The characteristics of this malware are similar to those of a Trojan worm. The parent file is a ".pif" file, which in turn leads to two other binaries with random names. These two files are hidden and have autostarters. One of these files is the same size as the parent ".pif" file. One interesting feature of this malware is that it kills the Task Manager process. It phones home to some blacklisted sites, apart from downloading another ".pif" file. On its own, this malware goes through the entire AOL buddy list and sends the infection URL if the buddy is online; otherwise it mails the same content to offline buddies.


FTH Trojan

Also known as: FTH

The attacker can take control of the victim's machine once the server application has been dropped. FTH Trojan has features to transfer files, take screenshots, delete particular files and find out the system information.

http://www.am20forces.cjb.net


FTP.Casus.15

Also known as: BackDoor-KZ Backdoor.Trojan BackDoor.SSpy.15 Troj/Casus-15 Trojan:Win32/Casus.1_5 BDS/Casus.15 Win32:Trojan-gen. BackDoor.Casus Backdoor.FTP.Casus.1.5 Backdoor.FTP.Casus.15

The virus code "Casus" registers itself in the system registry so that it will automatically run when the infected system is rebooted. Via e-mail and ICQ, Casus sends notifications to its host (the hacker receiving the network notifications) and begins to listen over the TCP/IP protocol on port 21. Having received the notices informing him of located networks, the virus host, with the help of any FTP client, gains access to file systems on victim computers.


FTP99cmp

Also known as: Backdoor.Ftp99

This trojan will give the attacker complete control over your system.

http://www.wariorz.com/troj.php


Fubalca

Also known as: W32.Fubalca.D (Symantec)

This is a worm that spreads through unprotected networks in order to download trojan packages that log keystrokes.


Fulamer

Also known as: Backdoor.Fulamer


Fun Screenz

Also known as: FunScreenz

Free screen savers that are ad-supported software.

http://funscreenz.com


Funcade

Free "Ad Supported" game. It is declared to the users that the games are "Ad Supported" and shall display Targeted Ads. From their website: "Games are Free to consumers who agree to receive additional software provided by eXact Advertising, including NaviSearch, a search helper applications and BullsEye, a comparison shopping and related offer provider..."

http://www.fungamedownloads.com


Fundial

Also known as: TangoDialer (Ad-aware)

Fundial is a dialer used to access adult content from web sites.


Fundoor

Also known as: Backdoor.Fundoor


FunFactory

Also known as: Backdoor.FunFactory


Fxdoor

Also known as: Backdoor.Fxdoor


FYEO

Also known as: Backdoor.FYEO


FYHacker

FYHacker is a Chinese-based intrusion tool designed to remotely execute code by setting up a service called "AutoRemote". FY.exe remains resident in memory while this tool is activated.


F_Door

Also known as: Backdoor.F_Door


GameBar

Also known as: Game Bar


GameFiesta Toolbar

GameFiesta Toolbar is a Browser Helper Object that installs as an Internet Explorer Toolbar with a unique toolbar id, which it uses to contact the server. Changes the default search page and error page of Internet Explorer. From EULA: By installing this GameFiesta.com software bundle, you accept the GameFiesta License Agreement, which also gives EasySearchBar Inc/AbetterInternet, permission to display relevant contextual information to you in the form of advertisements, via the included Special Offers software.


Games toolbar


Gamesplayground

Also known as: Dialer.Gamesplayground Games play ground

This program is installed via an ActiveX control. In order to download any games from this site, the user needs to install this dialer program.


Gampass

Also known as: PSW.Win32.OnLineGames.bs, PSW.Agent.NBJ

Gampass is a password stealing trojan for various online games. It is capable of stopping various antivirus applications.


GamyunIeToolbar

Installs itself as a Browser Helper Object and shows pop-up advertisements.


GateCrasher 1.1

Also known as: Backdoor.GateCrasher.11 Trojan.PSW.Inethlp

From the Website: Personal FTP Server. Functions: Change Server Port On-Line Email Address Close Server UnInstall Server Start/Stop FTP Server Print Text Chat With Victim Send Message Capture Screen Turn Monitor On/Off Open/Close CD-ROM Enable/Disable System Keys Show/Remove FBI Screen Hide/Show Task Bar Switch Caps Lock State Switch Num Lock State Goto URL Get Owner Get Organization Get Windows Directory Get System Directory Get Windows Version Get CPU Type Get Network Logon Set Network Logon Get Default Printer Get ICQ Uin# Reboot System Restart Windows


Gator

Also known as: Gator eWallet Claria gain

Gator is a software product that can automatically fill in passwords and other form elements on Web pages. For this service it is accompanied by an advertising module called OfferCompanion, which displays pop-up ads when visiting some Web sites. Gator is an adware company and is not considered spyware (e.g. a program that logs keystrokes). Ads are clearly labeled as coming from GAIN. Gator states that since its software is always running, it can target users with "Special Offers" and other ads anywhere they go (even competitors' sites) with remarkable targeting capabilities, since it can analyze the domain name/content of the sites the user is visiting. Currently Claria maintains that only the user's first name, postal/zip code, and country are sent to GAIN Publishing. It is noteworthy that there are different versions of the Gator application in circulation and each version is governed by a separate privacy policy. Consumers should read and understand the privacy policy that corresponds to the version they are using. For additional information on each version/policy, users should consult the privacy agreement located at http://gator.com/help/privacy_statement.html. Claria makes other products that can be viewed here: http://www.gainpublishing.com/software/. Gator Corporation has changed its name to Claria Corporation.

http://www.gainpublishing.com


Gentad 1.0.0.0

This is a Chinese-based adware that is installed from Borlan. Once Borlan is installed, it contacts 17bloger.com and downloads a file called adgag.exe. This file then installs files for this program to C:\Program Files\Gentad\.


Genue

Also known as: Genue.100

This is a RAT that can access your computer through TCP port 7511.


GeoWhere Search

http://www.geowhere.net


Getpass

Also known as: Backdoor.Getpass


Getupdate

Also known as: Adware.Getup (Symantec)

Connects to the getupdate.com website to download and display ads.


GHack

Also known as: Backdoor.GHack


Ghost 2.3

Also known as: Backdoor.Ghost.23

This trojan will: Open/Close the host's CD-ROM drive, Hide/Show start button, Hide/Show startBar, Hide/Show taskIcons, Disable/Enable Ctrl+Alt+Del, Set a random background color, Logoff user, Force restart, Send custom messages, Send host to a URL, Blackout/Blackin host's windows, Start host's notepad, Check ICQ UINs for online status, Prank host, Put a custom junk file on host's desktop, Print crap on host's printer, Reset host's mouse position and Hide/Show taskBar clock.


GhostSpy

Also known as: Trojan.Win32.GhostSpy Trojan Horse Trojan.GSpy.10 Trojan:Win32/GhostSpy TROJ_GHOSTSPY.A Trojan.GhostSpy.1.0

From Viruslist.com: GhostSpy is a Trojan horse created to spy on the actions performed on victim machines. The GhostSpy program (virus) can perform the following: record all actions to a log file (keystrokes, applications started, files opened, etc.); tracking from a remote computer; blocking of victim computers; with the help of an additional plugin called "GhostSpy Screen Spy" it can display pictures of the screen. Once run, the Trojan program registers itself in the system registry auto-run key so that it is run each time a victim computer is restarted. When run, GhostSpy is not visible in the list of active processes. All events are entered into a log file and, depending on how the Trojan is set up, it periodically archives the log file and also sends it via e-mail to an indicated address.


Gift

This will allow an attacker to gain access to your machine. Also is a keylogger.


GIGA Search

Also known as: Giga

GIGA Search will modify and hijack your browser.


Gimmeweb

From the EULA: "GimmeWeb COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW AND THE DATA YOU ENTER IN SEARCH ENGINE SEARCH FIELDS WHILE USING THE SOFTWARE. GimmeWeb USES THIS INFORMATION TO DETERMINE WHICH ADS AND BUTTONS TO DISPLAY ON YOUR TOOLBAR."

http://www.gimmeweb.com


Gip Wizard 1.131

Also known as: gipwizard

Gip Wizard can take control of the victim's machine. It sends the trojan application through a predetermined email address. It records all the passwords and sends them back to the given email ID.


Girlboy


GirlFriend 1,35

Also known as: Slimline.230 Univ/b

Trojan or Trojan Horse is a general term that refers to programs that appear desirable, but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer where a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage.

http://usuarios.lycos.es/vanhackex/troyanos/troyanos.htm


Give4Free

Give4Free is a program that installs a BHO that monitors online purchases.

http://give4free.net/


GlobalDialer

Also known as: Platform-A Adult content dialer

Dialers are software that dials a phone number. This usually happens without the end user knowing about it - causing long distance charges.


GlobalKiller

Also known as: Backdoor.GlobalKiller


GlobalNetcom

A type of software typically used by pornographic vendors. Once dialer software is downloaded, the user is disconnected from their modem's usual Internet service provider, another phone number is dialed, and the user is billed. While dialers do not spy on users, they are malevolent in nature and can rack up expensive and unwanted bills. Some dialers are used for "legit" purposes, meaning that a user knowingly accepts the charges in exchange for some "online content". But many times we have seen dialers used in sneaky ways, using various tricks to get them installed on a user's machine without the user knowing what is going on. In general, if a dialer is detected on your system, you either know why and how it got there or it sneaked in illegally.

http://www.global-netcom.de/


Gnotify Exploit

Also known as: Backdoor.GNotify


GoAway

Also known as: Backdoor.GoAway


Godwill 1.06

Also known as: VBS.GodWill.A@mm

Godwill takes information from the user's Microsoft Outlook Express address book and creates a .vbs file in the Windows system directory. It will send the file to all the email addresses it collected from the address book.


GoHip

This is a combination of a search portal and a "free movie player". It creates pop-up ads; changes the browser home page without letting you change it back; adds an advertisement to your Outlook signature, which is appended to each mail you send; and adds many URL entries to the Favorites menu.

http://www.gohip.com/


Goidr


GoIn Direct Dialer

GoIn Direct Dialer can make long-distance phone calls using a modem, without alerting the computer user. It makes calls to adult pay-per-minute phone services.


Gokar

Also known as: W32.Gokar.A@mm

This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hope that you open its hostile attachment. The worm has its own SMTP engine, which means it gathers e-mail addresses from your local computer and redistributes itself. In the worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.


Goldun.de

Also known as: Trojan/Spy.Goldun.de.1

A password stealing trojan. Also downloads and executes files from a remote server. Installs through exploits and is also downloaded by other malware. Hides its files from the Windows API.


Goldun.NQ

Also known as: Win32.Goldun.ms

Goldun.NQ is a password stealing trojan that targets E-Gold accounts. This trojan comes as an e-mail attachment purporting to be an IE7 installer.


Gong

This is a trojan that installs several executables to overwrite default Windows settings in Internet Explorer. Creates a hidden Internet Explorer window in order to connect to the CNNIC ad network.


GonnaSearch

Also known as: CWS.Gonnasearch Trojan.CWS.gonnasearch

This is an adware program that isn't in circulation any longer. If legacy versions do exist, a positive symptom would be the creation of a folder called CrackSearch in the Program Files directory.


GooglePNG

This is a trojan that is installed as part of other trojan bundles. It drops a file called google.png.exe in the System32 Directory.


Gophoria Toolbar

From Author's website: Gophoria makes ANY text, url, or image in your Internet browser window active! With gophoria, you have the ability to return a new window with search results in four clicks or less... from ANY web page! Gophoria Toolbar doesn't have an uninstaller to remove this application.

http://www.gophoria.com/


Gosocks

Also known as: Backdoor.Gosocks


Got Smiley

Also known as: Got Smiley

Adds animated smileys or emoticons to emails in exchange for viewing pop-up banner ads and anonymous, aggregate profiling of your surfing behavior. NOTE: A NO pop-up ad version is available for $30.00 U.S. From the publisher: "Choose from over 1,000 unique smileys and icons! Easily select your smileys by category for any occasion and customize GotSmiley software to match the way you enjoy writing email the most"

http://www.gotsmiley.com/


GPSTool

Also known as: Adware.GPSTool.BHO

GPSTool adds a BHO to Internet Explorer. This application may show various types of advertising, not limited to pop-up ads. These include ads from auction sites, adult sites, etc. An interesting feature of this adware is that it looks for the keywords "Date/Sex/Adult" on any open HTML page and hyperlinks them. The URL appended to this hyperlink is http://<Something>/cgi-bin/v30/ezlclk.fcgi? . These are search pages with the search keyword being "Date/Sex/Adult". This is followed by a wide range of popups (most of the time for adult sites, casino sites, false malware scans, etc.). Clicking on this hyperlink leads to many other popups.


Grab

Also known as: Backdoor.Grab


GralicWrap

GralicWrap is an application that maintains a constant connection with a central database. Each website that the user visits is verified against this database. This data may include private information including passwords, user login information, etc. From the author: GralicWrap compares the Web URL you are visiting with the ever-updating fraudulent database.


Gratisware

Also known as: Targit CRS FirstPop

Gratisware is an Internet Explorer Browser Helper Object. Whilst browsing with IE, it occasionally pops up advertising.

http://www.gratisware.com


GRI.Bot

Also known as: GRX.Bot

This worm is installed as a video codec for pornographic material. Once infected, the victim will be sent to a series of web pages of the attacker's choice.


Grip Toolbar


Grisch

Also known as: Backdoor.Grisch


Grob

Also known as: Backdoor.Grob


Groundzero Account Freezer

This application spams accounts for Facebook, YouTube, and MSN with phoney login credentials until the accounts are frozen for suspicious use.


GTA :Hood Life

Also known as: shutdown virus shut down GTA Hood Life Grand Theft Auto

You can read more about this virus in this blog entry, http://blog.spywareguide.com/2007/07/gta_hoodlife_virus_attack_is_a.html


Gumblar

Also known as: Gumblar Threat

Gumblar injects a malicious IFRAME that loads malicious JavaScript code from an external domain.


Guptachar

Also known as: Backdoor.Guptachar


GWBoy

Also known as: Backdoor.GWBoy


G_Door.20

Also known as: Backdoor.G_Door.20 BackDoor-FR.svr Backdoor.Trojan BackDoor.GDoor.20 Troj/Bdoor-FR Backdoor:Win32/G_Door.A BKDR_GDOOR.A BDS/G_Door.20.2 BackDoor.G_Door Backdoor.G.Door.2.0

This backdoor uses standard client-server technology and includes two parts - client and server, both are Windows executable files (PE EXE). The backdoor server is installed on victim computers, and the client controls them from a remote station.


G_Spot

Also known as: Backdoor.G_Spot


HabboSteal

HabboSteal is a phishing scheme centered around Habbo Hotel. Users are sent to a fake login screen for the site that is identical to the actual service. When victims enter their username and password, it logs them in directly to Habbo Hotel and stores their login credentials for the attacker.


HacDef Trojan

Also known as: Backdoor.HacDef.b Backdoor.HackDefender BackDoor.Hacdef.BM , Backdoor.HacDef.J

This Trojan is a member of the Backdoor family of Trojans. It runs only under Windows NT, Windows 2000 and XP. The Trojan has two files: a main component and a helper library. The program has a stealth function, which hides processes, files on disk, and also system registry values.


Hack

Also known as: Trojan.IRC.Hack BackDoor-DJ.dr IRC Trojan Trojan.IrcHack Troj/Bdoor-GK Trojan:IRC/Hack TROJ_HACKDREAM TR/IRC-Hack Win32:Trojan-gen Trojan.Win32.Crack2000

This Trojan horse is a self-extracting package that installs a program to attack IRC clients. The Trojan then installs to the system the Serv-U FTP server in a configuration that shares a C: drive on the victim PC for full access. The Trojan also registers a Serv-U FTP server in the WIN.INI file in the auto-run section.


Hack'a'Tack 1.12

Also known as: BackDoor-Q trojan Backdoor.HackTack.112 Backdoor.Moonspy Hack Attack Hack'a'Tack

From the Website: Hack'a'Tack is a remote administration tool for Windows 95/98. As we heard from some users, the server doesn't work on NT, only the client does. Hack'a'Tack consists of two files: Hack'a'Tack.exe and Server.exe. Hack'a'Tack.exe is the Client you have to run on your own computer. Server.exe must run on the computer you want to connect to. Once opened, the Server copies itself into the windows directory and is executed on each start of windows.

http://www.koreworks.com/htm/trojanhorse.html


Hackboy

Also known as: Backdoor.Hackboy


Hacker Defender

Also known as: Backdoor.HackDef.100 Hacker Defender 0.21 Hacker Defender 0.26 Hacker Defender 0.3.7 Hacker Defender 0.30 Hacker Defender 0.33 Hacker Defender 0.37 Hacker Defender 0.50 Hacker Defender 0.51 Hacker Defender 0.73 Hacker Defender 0.73a Hacker Defender 0.84 Hacker Defender 1.00

From the Website: Hacker defender v0.2.1 - english readme Main Hacker defender v0.2.1 by Holy_Father Hacker defender is rootkit for Windows NT 4.0, Windows 2000 and Windows XP. Main code was written in Delphi 6. Functions for new thread are written in assembler. program uses adapted LDE32 LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE special edition for REVERT tool version 1.05 Usage >hxdef021.exe [inifile] default hxdef021.ini is used if run without specifying the inifile Idea Main idea of this program was to use API functions WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. New thread will rewrite some functions in system modules (mostly kernel32.dll) and inject fake code which will check API results and change this result in specific cases. Program must be absolutely hidden for all others. Program installs hidden backdoors and register as hidden system service. Version TODO - extend backdoor (create admin part) - net functions for backdoor - run root process on system level 0.2.1 + always run as service 0.2.0 + system service installation + hiding in database of installed services + hidden backdoor + no more working with windows 0.1.1 + hidden in tasklist + usage - possibility to specify name of inifile x found and then fixed bug in communication x fixed bug in using advapi - found bug with debuggers 0.1.0 + infection of system services + smaller, tidier, faster code, more stable program x fixed bug in communication 0.0.8 + hiding files + infection of new processes - can't infect system services - bug in communication Hooked API List of API functions which are changed: Kernel32.FindFirstFileExW Kernel32.FindNextFileW Kernel32.CreateProcessW Ntdll.NtQuerySystemInformation (class 5) WS2_32.recv WS2_32.WSARecv WSOCK32.recv Kernel32.ReadFile Advapi32.EnumServicesStatusW Advapi32.EnumServicesStatusA Inifile There are more settings in this version. 
Inifile must contain three parts: [Hidden Table], [Root Processes] and [Hidden Services]. Hidden Table is a list of files and directories which should be hidden. There is no chance to find those files and directories. Programs in this list will be hidden in tasklist. Root Processes is a list of programs which will be immune against infection. You can see hidden files, directories and programs only with these root programs. So, root processes are for rootkit admins. Hidden Services is a list of service names which will be hidden in the database of installed services. Service name for the main rootkit program is HackerDefender021. Backdoor Rootkit hooks some API functions connected with receiving packets from the net. If incoming data equals to 512 bits long key the shell instance is created and next incoming data are redirected to this shell. Because rootkit hooks all process in system all TCP ports on servers will be backdoors. This backdoor will work only on servers where incoming buffer is larger or equal to 512 bits. But this feature is on almost all standard servers like Apache, IIS, Oracle. So, backdoor is created and it is hidden because its packets go through common servers on the system. So, you are not able to find it with classic portscanner and this backdoor can easily go through firewall. Exception in this are classic proxies which are protocol oriented for e.g. FTP or HTTP. During tests on IIS services was found that HTTP server does not log any of this connection, FTP and SMTP servers log only disconnection at the end. You have to use special client if want to connect to the backdoor. Program bdcli021.exe is used for this. usage: bdcli021.exe host port


Hacker Spider

Dialers are software that dials a phone number. This usually happens without the end user knowing about it - causing long distance charges.


Hackerspider

This application will attempt to dial a long distance number causing massive charges.


HaczYK

Also known as: polish haczyk homepage Super Laski

A very shady piece of malware. Claims to be a dialer but has various hijacking techniques. Pops up advertisements for some porn sites. Most features are unknown. Some detective work revealed that this was created by: F.P.H.U. OF.PL (Production, Trade and Services Company Dabrowa Gornicza, Slaskie


Haldex

Also known as: Haldex Ltd


HalfLemon

Also known as: Trojan.Win32.StartPage.ip, Half Lemon

HalfLemon is a browser changer that changes the start page and search page of Internet Explorer without user consent. Can be installed by ActiveX download.


Hanuman

Also known as: Hanuman Server DOS SHELL DAEMON

Hanuman Server is a daemon that runs on port 3333. Anyone who connects to this port when the server is running will get a DOS shell, or rather a command interpreter (because Hanuman Server runs on NT based environments too). There is no authentication, which means that anyone can connect to this port and cause havoc on your machine.


Happy 99

Also known as: Trojan.Happy99 I-Worm.Happy W32.Ska Happy00

This is a mass mailing worm that will attempt to overwrite core windows system related files.

http://www.bismark.it/gnomixland/phpscript/pagina.php?sezioni=Trojans


HappytoFind

This is a browser plugin toolbar that displays popups. The domain name this product originates from is also a container for other adware installers.

http://www.happytofind.com


Hardlock

When this Trojan is executed, it changes a single byte of the MBR of the first hard drive on the computer (normally drive C). This change prevents the computer from booting.


Harnig

Also known as: Trojan-Downloader.Win32.Harnig.z (SunBelt)

This trojan utilizes javascript exploits to drop trojan downloaders onto the victim PC. Once installed, these trojans drop varying payloads.


Hatr3d F3ind

Also known as: Hatred Fiend

Hatr3d F3ind when installed on a computer allows a remote computer to take control of it. It is written in Visual Basic.


Hatred-Fiend 1.3

Full trojan with 51 firewall and antivirus kills. Comes with Client, EditServer, TestServer, Server, Exe Binder.


Haxdoor.o

Also known as: Backdoor.Haxdoor.o BackDoor-BAC.dll (Mcafee) BackDoor.Mutny Troj/Haxdoor-E Backdoor:Win32/Haxdoor.O BDS/Haxdoor.O.2 Win32:Trojan-gen. BackDoor.Haxdoor.AM , Backdoor.Haxdoor.O Haxdoor.CX Backdoor.Haxdoor.D (Symantec) Troj/Haxdoor-AH (SOPHOS) Backdoor.Haxdoor.I (Symantec)

This is a backdoor remote administration program. It spreads via the Internet using infected messages when commanded to by the author/user of the program. It is packed using FSG. The program opens port 16661 and waits for client machines to connect. It has a wide range of remote administration commands, the main function being to intercept passwords on the victim machine and send them to the creator/ user of the program.


HBR

Also known as: Backdoor.HBR


Heckler

Also known as: Trojan.Win16.Heckler Heckler Trojan Horse Troj/Heckler Trojan:Win/Heckler JOKE_HECKLER TR/Heckler Heclker Trojan.Win.Heckler

From Viruslist.com This Trojan does not destroy anything, but is very annoying. It copies its link to a start-up folder to be run during Windows bootup, does not allow it to "kill" its task, and makes itself known every time. It is pretty hard to remove, because it blocks its application and VB DLL, re-creates its link in the start-up directory or even the whole directory if deleted. Upon attempting to kill its task, the Trojan opens several more essences of itself as 'punishment'.


HelioS

Opens a configurable port on your machine and allows for remote access.


HellDriver

Also known as: Backdoor.HellDriver


HelpExpress

HelpExpress is an adware component that shows advertisements. From the Author: Alset's HelpExpressTM Service enables its partners to send customers messages that are helpful, timely and relevant. These messages help people prevent PC problems, upsell and upgrade products, and perform other critical computing functions to enhance the computing experience.

http://www.alset.com/


Herman Agent

Also known as: HAgent

This is a trojan that is usually installed through a .scr file. Once installed, it will phone home to install several .exe's to your WINDOWS directory.


Hi-Wire

Also known as: Hiwire Hi wire


HighSpeed Connector

Also known as: MediaPay Germany

This is a dialer from Germany.

http://www.deutsche-sexcam.de


HighSpeedTorrent

Also known as: High Speed Torrent

High Speed Torrent misleads users into downloading this application with promises of increasing the download speed of torrent files. This application actually sets up a file that continually clicks offers without the user's knowledge or consent.


Hijacker.Allstar

Also known as: Troj/Craften-A (SOPHOS), Trojan.Win32.StartPage.xs

Hijacker.Allstar is a browser changer that changes browser settings including Startpage, default search page etc., without user consent. Creates shortcuts pointing to porn sites under Favorites Menu.


Hiphop

Also known as: Troj/Hiphop-G (SOPHOS)

Hiphop is an information stealing trojan for Windows Operating System.


Hithopper

Also known as: HitHopper Toolbar

This variant seems to be related to Popout and Salmon Anglers Toolbar. Displays advertisements.

http://www.hithopper.com


HitPop

This is a trojan bundle package that installs various types of Chinese adware and browser plugins.


Hoaveldoor

Also known as: Backdoor.Hoaveldoor


Hoby-DX

Also known as: Adware.TTC(Sunbelt)

Hoby-DX downloads additional software and displays advertisements.


Holystic

Also known as: Holystic.Dialer (SunBelt), Preload

Can connect to toll numbers without user consent.


Home land

Also known as: Backdoor.Win32.Small.gl [Kaspersky Lab], Virus.Win32.Tenga.a [Kaspersky Lab], BackDoor-CTM [McAfee], W32/Gael.worm.a [McAfee], W32/Tenga-A [Sophos], PE_TENGA.A [Trend Micro], W32.Licum [Symantec], HomeLandNotifier

Home land is a worm capable of adding a piece of code to all executable files. It may spread by exploiting the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. Looks for a connection on the vx9.users.freebsd.at domain.


Homeland Network

This adware program is no longer in circulation. Users should watch for homelandalert.exe in their running processes.


Honeypot


Hornet

Also known as: Backdoor.Hornet


HostControl

Also known as: HostControl.101

This is a trojan that drops its adware payload onto the infected machine through port 6699.


HostSeeker Toolbar

From Author's Website: 1. Non-Personal information collection and usage -- HostSeeker.com automatically collects information from your browser, such as your IP address, cookie requests, and page requests. 2. Occasionally we use this information to customize the content and advertising we serve to you.

http://www.hostseeker.com/


Hot Canada


HotActionDating

This dialer has the ability to make long distance calls using a dial-up connection once installed. Users should be cautious of the following files running in the task manager: hotactiondating.exe, hotactiondating-uninstall.exe, nsi145.exe

http://www.hotactiondating.com/


HotBar 4.8.6.0

Also known as: HotBar Hot bar Hotbarhostie hot-bar

Marketed as a program to add graphical skins to IE toolbars, it also adds its own toolbar. Reports state that the program generates pop-up ads that are clearly marked as coming from HotBar. According to the most recent versions the user has full control over the popup issue at any time. At first, during the installation process, the user may choose between an ad-free version of the program and an ad-supported version. In the most recent iteration of the Hotbar program, users who chose the ad-supported version can disable popups from the "preferences" within the toolbar.

ANALYSIS AND RESEARCH ON THIS PROGRAM IS ONGOING. Please also refer to the EULA and notes of the HotBar company.

Addendum added 8.06.05: Hotbar offers a free version and a paid version that is "advertising" free. However, when choosing the paid version option, Hotbar began installation via an ActiveX applet of their complete program suite BEFORE the transaction was completed. Therefore the consumer receives the advertising-filled Hotbar installations without paying for the program and loses the ability to change his or her mind about purchasing the product before making payment. Once the consumer has committed to the payment checkout webpage they will receive the Hotbar suite of applications with advertising. This suite includes "Hotbar Web Tools" and "Hotbar Outlook Tools".

A toolbar was displayed at the top of the browser window displaying yellow icons. These icons are all sponsored links (advertising). A query was run through the "search engine" with the string "test search". Hotbar responded with five sponsored results and no organic results. Further testing with other common search strings displayed results from Overture, an advertising service owned by Yahoo, and no organic results on the first page. Therefore, it would be more accurate to classify Hotbar's free search engine as an advertising search engine, as each link generates revenue for HotBar and Hotbar is only searching results from which they receive revenue.

Of more important note is that certain phrases seem to be filtered out of HotBar search. For example, searches for the terms Hotbar, Remove Hotbar, Uninstall HotBar and Delete Hotbar all return no results found, although the same query in Overture, their primary syndicator, shows these results.

Hotbar does offer a button in the upper left hand menu called Premium where the user can complete the purchase and remove the advertising services. In addition to this button, in the Outlook tools HotBar offers a graphical button called VIP. This takes the user to a splash page touting the benefits of owning HotBar by making a purchase.

Further Notes: We do not consider this program spyware. We consider it advertising supported software. The application after installation serves ads on the tool bar after a search, and all search ads on popular keywords seem to be paid placements. Ads are also served overtop IE at the bottom of the browser and labeled. Total memory usage was around 9 megs of memory and 5 to 15 cpu cycles depending on the search string you enter. We have included the analysis of the terms of usage from the software below:

Notes on EULA Analysis Scoring Metrics
Number of Characters: 29476
Number of Words: 4809
Number of Sentences: 134
Avg Words per Sentence: 35.89
Flesch Score: 10.02
Flesch Grade: 21 = This is Beyond a Twelfth Grade Reading Level

http://www.hotbar.com


Hotmail Hacker X-Edition

From the Website: The BEST hotmail account hacker there is. Works for all versions of MSN and all Windows OS's. Steal anyone's password over MSN Messenger and Windows Messenger in less than a minute.

http://www.agrreviews.com/modules/mydownloads/singlefile.php?lid=61


Hotoffers

Also known as: Hot Offers Hotoffers

This Adware exploits security holes in a Web browser (often Internet Explorer) to install itself and redirects all browser default pages, address bar searches and search engine searches.


Hotport 1.0

Also known as: Adware/BHO.Hprt (Ahnlab) BonusToolbar

This is a Korean Browser Plugin that has the ability to phone home to http://toolbar.bonuspack.co.kr in order to download updates and configuration information.


HotSearchbar

Also known as: Hot Searchbar

HotSearchbar is an Internet Explorer toolbar that will display advertisements.

http://www.hotsearchbar.com


HotWebVids

A "media player" that streams two Youtube movie clips, and serves built-in adverts to the end user. No EULA is displayed in relation to the player itself, and there are at least three variants - one of which installs WhenU Save (which is disclosed).


Hot_Pleasure

Also known as: Hot Pleasure Hotpleasure

Hot_Pleasure is a dialer that can be used to access pornographic material, by dialing a high-cost number using the modem.


HT.Rootkit

Also known as: BackDoor.Ntrootkit (Prevx) Hacktool.Rootkit (Symantec)


HTBomber

HTBomber is a tool used to attack websites using a DDoS attack. This tool connects to a botnet via an IRC channel in order to coordinate the attacks.


Httper

Httper is a pop-up opener and error-page hijacker implemented as an Internet Explorer Browser Helper Object. When enabled by its controlling server config.url404.com, Httper will redirect any web server error page to a sponsor's site. Can be directed by its controlling server to download and execute arbitrary code as a self-updating feature.


Huigezi

Also known as: Backdoor.Huigezi


Hungry Hands

Also known as: HungryHands

This adware program operates in the form of a browser helper object. It typically redirects your searches to pornographic material.


Huntbar

Also known as: IBIS Toolbar MSIETS BTIEIN btlink Wintools wtoolsa

HuntBar is a toolbar providing searching features, which is added to every new Internet Explorer and Windows Explorer window. It also changes your home page and search bar settings to point to HuntBar's servers, and automatically opens this search bar when it detects you using any other search engine. TrafficSyndicate, the makers of HuntBar, offer 'co-branded' versions of HuntBar which may be installed by other sites under a different name. HuntBar sends the domain name of the site being viewed, the domain name of any site previously being viewed and the title and any keywords in the current page to its controlling servers whenever a new site is viewed. It does this even if the toolbar is not turned on. However, it does not (currently) use a cookie or unique ID to track visits across sites. HuntBar can silently download and execute arbitrary code, as an update feature. Pay Load Consideration: This program loads three core files into memory creating a fairly large drain on resources. The payload is very high as each file takes up 3 to 5 megs of ram on our test machines at an idle state. When surfing these processes can jump as high as 10 to 11 megs of memory and the cpu usage is nearly an increase of 15% when the product is installed.


Hx0rbot3000.PG


HXDL

Also known as: HXDL.EXE HXIUL.EXE HXDL AL Aveo Attune HelpExpress

HXDL AL is part of an automated helpdesk software called Aveo Attune. HXDL AL downloads and runs a file called hxiul.exe. Attune is billed as a "revolutionary service" that provides targeted "Intelligram messages." These messages are said to provide the user with information about products, services, or common computer problems. Attune runs quietly in the background and automatically updates its "Intelligrams" when the user is connected to the Internet.


Hyperlinks Rotator

Also known as: AdWare.Win32.Agent.ay (Kaspersky) Internet Speed Monitor ISM

Displays advertisements in Internet Explorer with a window title of "Internet Speed Monitor".


IAGold

This will display advertisements on your computer.


Ibero Dialer

A type of software typically used by pornographic vendors. Once dialer software is downloaded, the user is disconnected from their modem's usual Internet service provider, connected to another phone number, and billed. While dialers do not spy on users, they are malevolent in nature and can rack up expensive and unwanted bills. Some dialers are used for "legit" purposes, meaning that a user knowingly accepts the charges in exchange for some "online content". But many times we have seen dialers used in sneaky ways, using various tricks to get them installed on a user's machine without the user knowing what is going on. In general, if a dialer is detected on your system, you either know why and how it got there or it sneaked in illegally.


IBIS ToolBar

This product is related to HUNTBAR.


IBS

Also known as: IBS-Dialer

Dialer that is being promoted a lot by spam.


Icannnews

Also known as: Icannews

Displays advertisements and logs keywords. Downloads other software without user knowing. This program hijacks search page.


IceBHO

Installs a BHO related to Chinese adware affiliates.


Ichoose

Also known as: i-choose i choose


ICQ Trojan

This is a trojan that installs and replicates itself through ICQ. Once it is installed it can download its adware payload through 4950.


Id2001

Also known as: PhaseZero StealthSpy

This is a RAT that can allow access to your computer through TCP port 555.


Iddono


IE Defender 2.3

This is a rogue security application that is installed via fake codecs and/or a BHO in order to scare users into purchasing the full product.


IE Invoker

IE Invoker is a danger to all networked computers. Once someone is victimized by this threat, it begins to spread out to any unsecured networked computers to infect. Users that suspect this threat is running wild on their network should watch for bot-like search behavior of Chinese sites, as well as the emergence of the file 1b1.dll on any network shares.


IEAccess

Also known as: eGroup IEAccess2 IE Access EGroup.IEAcess.surfya

IEAccess is an ActiveX control used to download and install premium-rate diallers, primarily for porn sites. Installed by ActiveX drive-by-download by porn-related pages from nocreditcard.net and sex-explorer.com, which may be opened or redirected to by pop-up advertising.


IEengine

This Trojan hijacks the start pages redirecting to various portals on the web. This is seemingly related to the about:blank Trojan.


IEfeats

Also known as: IE FEATS Troj/Iefeat-AH(SOPHOS) Free Community SearchAid (Panda)

Changes Internet Explorer settings and changes the start page. Has the ability to download unwanted software. A BHO that's loaded in the user's directory, like: C:\Documents and Settings\Jon Doe\Application Data\iefeatsl\ This is a CWS variant.


IEFeatures

Also known as: TROJ_POPMON.A PopMonster

http://www.popmonster.com/


IEHelper

Also known as: IE Helper

A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, used to install a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web. The natural question is, what do BHOs do? The technical answer is "anything", but generally, it will have something to do with helping you browse the Internet. Of course, some BHOs are what is called "ad-ware" or "spyware": they do things like monitor the websites you visit and report this data back to their creators. Many slimeware applications fall into the BHO category.


IEHost


IEmax

Also known as: AdClicker-EJ (McAfee), Trojan.IEmax (Symantec)

IEmax is a trojan that changes the browser's default homepage and redirects certain searches. It also shows advertisements. Can download other threats.


IEMenuExtension

Also known as: IE MenuExtension IEMenuExtension Toolbar


IEMonit

Hijacks search results. Can display ads based on sex related keywords in search engines such as Google.


IEMsg

Also known as: F9Hijack (ca.com)

The URL requests may get re-directed via certain websites, which remain hidden and monitor the browsing behavior. All this also results in compromising the overall performance of the browser.


IEPageHelper

Also known as: IE Page Helper

IEPageHelper is an adware implemented as IE Browser Helper Object. Once installed, it will highlight words on Web pages and display targeted text advertisements when you move the cursor over the words.


IEPlugin

Also known as: winobject IMIToolbar TrojanDownloader.Win32.Intexp Adware.dsrearch Win32.OneClickNetSearch.f (Kaspersky) DSrearch DSRCH TrojanDownloader.Win32.OneClickNetSearch.b TrojanDropper.Win32.Delf.av Win32.Imiserv.F (Computer Associates) Trj/Downloader.MO (Panda) TrojanDownloader.Win32.OneClickNetSearch.c (Kaspersky)

IEPlugin is an IE Browser Helper Object. It monitors site addresses, content entered into forms, and even local filenames browsed, and pops up advertisements when it sees a targeted keyword. It also installs a process to update itself, which will attempt to connect to its servers every minute or so. Adds a desktop toolbar for searching the Internet.

http://www.ieplugin.com


IESearchToolbar

Also known as: IE SearchBar IE Search Toolbar IE Search Bar Perez

IESearchToolbar adds a toolbar to Internet Explorer and changes the browser. It records the user's search queries. It redirects the given site address to a predetermined web site, and it also disables "Internet Options" in IE.

http://try-this-search.biz


IESuper

Also known as: IE Super


IETray

IETray is a search sidebar hijacker pointed at search-aide.com, implemented as an Internet Explorer Browser Helper object. When other search engines are used, it occasionally opens a pop-up alert window encouraging one to use the (now hijacked) search sidebar instead. ("For faster web searches press F9") It is currently unknown where IETray comes from. Their site is no longer active.

http://www.search-aide.com


iGetNet

Also known as: ign

When you enter something into the address bar, IGetNet checks to see whether it includes a keyword they have sold to one of their advertisers. If so, it redirects you to that site; if not, it forwards you to a search engine using an IGetNet affiliate code. searchresult.net, qcksearch.com (which is apps.webservicehost.com) and overture.com have been seen to be used. Also plays tricks with the "hosts" file on the user's machine to redirect traffic directed to the Microsoft network site to their own. From their website: "If you would like an easier way to drive business to your website, IGN Keywords are the perfect solution. Instead of one long URL linking to your site, your customers can simply type IGN Keywords directly into their Browser address bar and go right to your site!" There seems to be some relationship with "SubSearch". Also uses the domains: www.clearsearch.net, www.globe-finder.com

http://www.igetnet.com/


Iggsey Toolbar

Iggsey toolbar changes browser settings such as default start page and default search assistant without user consent.


IKatzu

IKatzu adds itself to the Authorized applications in the Windows firewall and displays advertisements.


ILL-Eagle DL 1.0

A web downloader made especially for VB Trojan coders or users. It checks for the presence of Msvbvm60.dll in the system directory before downloading the Trojan; if it's not there, it downloads the DLL and then the Trojan.


ILookup

Also known as: I-lookup ILookup/Ineb ILookup/Chgrgs GlobalWebSearch searchbus Spidersearch Spider Search TrafficHog Traffic Hog Begin2Search Begin 2 Search Bmeb

ILookup is an IE toolbar providing a search box and link buttons. It also adds bookmarks to the Favorites menu (mostly affiliate links) and hijacks the homepage and Search sidebar. Recent additions include the "searchbus" variant and some others. Installed by ActiveX drive-by-download, thought to be used on pop-ups. Users have reported porn-pop ups, and the program has various porn-related URLs inside. Can cause error messages of the type "Explorer has caused an error in ineb.dll...", when using both Internet Explorer and the Windows Explorer. Contains references to: superwebsearch.com

http://www.i-lookup.com/


IMGiantKB

This adware program is a variant of Direct Revenue's Transponder.


IMISERV

Also known as: Trojan.Imiserv.c

This is a backdoor Trojan used to take remote control of target computers.


Imort

This will allow an attacker to gain access to your machine.


InCommand

Also known as: InCommand.100 InCommand.110 InCommand.120 InCommand.130 InCommand.140 InCommand.150 InCommand.153 InCommand.160 InCommand.167 InCommand.170

From the Vendor: 'First of all, click on 'About' on the client for help. The ICQ notify will _NOT_ page you _unless_ you enter YOUR ICQ UIN in the icq notify box and click notify. Then it will start paging you. Every time the victim gets on. The screen capture is slooow! It should be fixed in next versions to come! So you will have to live with it. If you need help or have a bug to report, please visit the forum that is shown in the 'ABOUT' on the client. But it pretty much runs awesome.'


Indoctrination

Also known as: Indoctrination.100

This is a RAT Trojan that can gain access to your computer through port 6939.


Ineb Helper

This is a toolbar from Http://toolbar.worldanywhere.com that replaces your start page and rewrites urls

Http://toolbar.worldanywhere.com


INetBar

Also known as: INetCashBar

This installs via ActiveX, typically by a "Drive By Download".


InetSpeak

Also known as: JaypeeSysBHO BHO42602 Jaypee Systems boombar eBoom atomwire

InetSpeak is a Browser Helper Object that adds a non-removable band of advertising and/or links below the standard IE toolbars.


Infector

Also known as: Infector.141 Intruder.100

From the Vendor's description: 'This trojan is just to keep your victims if av detect a sub7 server or the incommand or thing server. It's an upload run trojan. It upload really fast (sub7 server in 2 minutes) remember always click 2 x on connect so upload with s7 this server so you will have always backup. It's good to infect also you can change the icon from the server with micro angelo. You can bind it with the new undetected joiner and set the icq notify so when victim run it first time you will have notification.'


InfernoUploader

Also known as: InfernoUploader.100

This is a trojan that has the ability to drop its adware payload onto the infected machine through port 2040.


InfoCrawler

http://www.infocrawler.com/


InsaneDL 1.0

Also known as: Constructor.Win32.VB.c TrojanDownloader.Win32.Small.fr

This will allow remote control of the victim's computer.

http://r3l4x.com/php/html/modules.php?op=modload&name=Downloads&file=index&req=viewdownload&cid=2


InstaFinder

Also known as: instan finder InstaFinderk

Mistyped searches will go to this site. This can hijack your homepage.

http://instafinder.com


Instant Buzz

The privacy policy is not on the website. You can view it after install only from the members area.

http://www.instantbuzz.com


Instant-Access

Also known as: Instant Access Exedialer EGDAccess

This is a porn dialer. Please be warned that Graphic Nudity is displayed.

http://www.gay-land.de.vu/


Interfun

Reports from several sources indicate that this dialer attacks some anti-dialer programs.


InternalRevise

Also known as: InternalRevise.100 RemoteRevise.150

This is a RAT Trojan that has the ability to gain access to your computer through port 4545 once installed.


Internet Exploiter

Internet Exploiter is a hacking utility that boasts the ability to exploit websites. It also has other features such as predefined specialized Google searches.


Internet Marketing Toolbar Pro

A toolbar that can deliver ads.

systemroot+\system32\mybands.dll
systemroot+\system\mybands.dll
HKEY_CLASSES_ROOT\clsid\{4647e382-520b-11d2-a0d0-004033d0645d}
HKEY_LOCAL_MACHINE\clsid\{4647e382-520b-11d2-a0d0-004033d0645d}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{4647e382-520b-11d2-a0d0-004033d0645d}


Internet Optimizer

Also known as: Internet-Optimizer InternetOptimizer AdSponsor

Internet Optimizer is adware that also hijacks your browser error page. It periodically opens pop-up windows to display ads from its network sites.

http://www.internet-optimizer.com/


InternetBillingSolution

Also known as: Internet Billing Solution


InternetDelivery

Also known as: Inet Delivery Inetdel

Displays advertisements while surfing the internet.


InternetOffers

This is an adware program that displays pop-ups without labeling them. This makes identification of the infection difficult for users. It is most easily recognized by the creation of seemingly random filenames in the common files directory of the infected machine. These will also show up in the task manager under running processes.


IpBill.Dialer

Also known as: Coulomb Dialer comload Saristar Pornpaq Downloader-BR(McAfee)

Comload is an ActiveX control placed on web sites to load and run executable files, notably premium-rate diallers. One of the types of dialler installation used by Coulomb, through ActiveX drive-by-download on porn-related pages. After the control is installed, any web page has the ability to run any executable file on the local machine.

http://www.coulomb.co.uk/


IPInsight

Also known as: IPINSIGT

IPInsight is a process or IE Browser Helper Object that monitors addresses entered into web forms, ostensibly to try to make a database of physical locations of IP addresses. Both of their websites, www.ipinsight.com and www.ipinsight.net, are deactivated.


IQsearch

Also known as: IQ Search, SPYRE.B (SOPHOS), Adware.Topantispyware (Symantec), iqsearch.DesktopAdware

Iqsearch is an adware component that changes desktop wallpaper to show advertisement for a specific product. Also downloads other files. Changes the browser settings for Java and opens a web page.


IRASSync

Also known as: Newads Webext

Displays advertisements from keywords entered into Internet Explorer windows. This program has been seen bundled with other adware programs.

http://www.trafficsector.com/


IRC Flood Bot

Also known as: IRC/Flood.cd.dr, IRC/Flood.cv(McAfee)

This bot connects to 69.64.50.211 on port 9515. This infection is not new; however, a clickable link was discovered on the IRC channels.


IRCBot.06.040

Also known as: IRC-Mocbot!MS06-040 (Mcafee). W32.Wargbot (Symantec). Randax

IRCbot.06.040 exploits "Windows Server Service Buffer Overflow" MS06-040 against Windows 2000 machines. It creates a service with the display name "Windows Genuine Advantage Registration Service". It opens port 18067 and waits for commands.


IRDMelt

This worm is considered to be extremely dangerous. Once it infects the victim PC, it allows for the attacker to gain full access to your computer through IRC channels. Research points to it starting a bot service in order to access the victim's PC.


IRTTHPack 1.0

The Trojan uses port 15000 for its main server, and gives (near) complete control of the computer to the attacker: log keystrokes, take screenshots, get configuration information, modify the file system and even initiate chats.


Is4GRL

This is a variant of the Stration worm. It sends phishing links to all the Skype contacts on the victim's contact list. It also searches all files with the following extensions looking for e-mail information to steal: .adb, .asp, .cfg, .cgi, .dbx, .dhtm, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .ods, .oft, .php, .pl, .sht, .shtm, .stm, .tbb, .txt, .uin, .wab, .wsh, .xls, .xml


ISearch

Also known as: Isearchtoolbar Isearch toolbar TROJ_IESER.A

From their agreement located at http://toolbar.isearch.com/terms.html, dated 2.14.2005:

2. Functionality - Software delivers advertising and various information and promotional messages to your computer screen while you view Internet web pages. iSearch is able to provide you with Software free of charge as a result of your agreement to download and use Software, and accept the advertising and promotional messages it delivers. By installing the Software, you understand and agree that the Software may, without any further prior notice to you, automatically perform the following: display advertisements of advertisers who pay a fee to iSearch and/or its partners, in the form of pop-up ads, pop-under ads, interstitials ads and various other ad formats, display links to and advertisements of related websites based on the information you view and the websites you visit; store non-personally identifiable statistics of the websites you have visited; redirect certain URLs including your browser default 404-error page to or through the Software; provide advertisements, links or information in response to search terms you use at third-party websites; provide search functionality or capabilities; automatically update the Software and install added features or functionality or additional software, including search clients and toolbars, conveniently without your input or interaction; install desktop icons and installation files; install software from iSearch affiliates; and install Third Party Software. In addition, you further understand and agree, by installing the Software, that iSearch and/or the Software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer, which, in turn, may disable or render inoperative, other software resident on your computer, including software bundled with such adware, or have other adverse impacts on your computer.

Notes on this research: Link to this critical Windows Media Adware thread with screenshots: http://www.dslreports.com/forum/remark,12378695~mode=flat

We also advise reading Ben Edelman's other samples and his commentary: http://www.benedelman.org/news/010205-1.html

http://www.isearch.com


Ishodh Toolbar

This is a Browser Helper Object. It is installed by a trojan downloader without the consent of the user. It displays advertisements.

http://www.ishodh.com


IStartHere

It changes Internet Explorer error pages.


ISTbar

Also known as: AUpdate SearchBarCash xxxtoolbar Integrated Search Technologies Slotch IST Srv

ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc. Installed by ActiveX drive-by download on affiliate sites, typically porn adverts, from April 2003. At least ISTbar/AUpdate is known to install using aggressive JavaScript (opening an error and re-trying if you refuse the ActiveX download). ISTbar/AUpdate installs a TinyBar variant to implement its toolbar, and will be detected by the script at this site as TinyBar/B. The hijacker is aimed at my-internet.info and blazefind.com; distribution is managed by searchbarcash.com, its controlling server. ISTbar/XXXToolbar is an update based around porn. It uses its own toolbar code. The hijacker is aimed at its controlling server xxxtoolbar.com, and slotch.com; distribution is controlled by toolbarcash.com. ISTbar also installs other parasites: both variants install porn pop-up producer RapidBlaster/lp; the AUpdate variant is also known to install DownloadPlus.

http://www.isearchtech.com


ItADeM

Also known as: Backdoor.VB.cs, Backdoor.VB.cw, Backdoor.Nimoo , Backdoor Program [Panda], Backdoor/Itadem.101 [Computer Associates], SennaSpy2001 [McAfee], Win32.Itadem.101 [Computer Associates]

ItADeM, when installed on a computer, allows a remote computer to take control of it.


Iteka

Also known as: TSPY_AGENT.POA (Trend Micro)

This trojan utilizes IE exploits to infect the computer. Downloads malicious files into infected users' computer. Exploits the MS06-014 vulnerability.


Iwatch Now

Ad supported software that allows you to watch videos.


IWon CoPilot

Also known as: Aornum iwon Ornum

Aornum is a task started with Windows which keeps in contact with its controlling servers, combined with an IE Browser Helper Object.

http://home.iwon.com/index_gen.html


Jamingo

Jamingo is a BHO that displays advertisements based off of your queries in search engines as well as your browsing history.


Java.worm


JavaLog

JavaLog is part of a sophisticated phishing scheme centered around monitoring the victim using a keylogger written in JavaScript. Once the site with the JavaScript keylogger is opened, it monitors all keystrokes and saves them to a file called log.txt.


Jily

Also known as: ADW_JILY.A (Trend Micro) Adware-Jily (McAfee)

It adds itself as a toolbar in Internet Explorer. It frequently tries to contact its own server for configuration updates.

http://soft.jily.net/


JimCHM

JimCHM gets its name from the site where all of the infection files related to this trojan are hosted. JimCHM consists of several exploits which use .chm files to infect most of its victims.


Jimmy Surf

Also known as: Jimmy Surf


John The Ripper 1.6

John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos/AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.

http://www.openwall.com/john/


Jraun

Jraun is an adware component that downloads other software (golden palace casino PT). It opens a blank browser window titled "Enter your search keywords here" when you open IE, and redirects certain searches.


JS.Seeker

Also known as: Trojan.JS.Seeker

This script written in JavaScript language quietly changes a browser's home page and search page without user confirmation.


JT.Moonwalk

JT.Moonwalk is considered to be dangerous. Once it infects the victim's PC, it allows the attacker to gain full access to the computer through IRC channels. Once this infection has compromised the PC, it will send messages and files to everyone on the victim's Windows Live Messenger contacts. The message reads: "Oh My God !! accept this funny picture !! Look what I found more nude pictures of Justin Timberlake". This is followed by a zip file that infects other machines.


Jupillites

Also known as: Trojan.Jupillites (Symantec), Trojan.Small.BO (K7Computing.com), Trojan.Proxy.L, Troj/Cosiam-G Jupites.B(SunBelt)

Jupillites is a trojan that runs a proxy on a random TCP port on the infected computer. It sends system information about the infected computer to a remote server.


kaboom

Also known as: KaBoom!


Kanahi

This is a Chinese trojan that copies 3 files to the victim's PC in order to post sensitive data back to the attacker. It does this by creating 2 hidden windows on the victim's PC. Filenames are randomly generated and hidden in the C:\Windows\fonts directory.


KaoTan Webdownloader

Also known as: TrojanDownloader.Win32.Kaotan

From the Website: "KaoTan is a webdownloader made to suit users' needs. Here are its features: - You can download up to 2 files - 3 directories where the downloaded files can be saved: a. Windows b. Temp c. System - Injection modes: a. No injection (standard connection) b. Browser injection c. Explorer injection d. Trillian/MSN injection - You can set up a timer, thus delaying the execution: a. Off b. 30 seconds c. 1 minute d. 5 minutes - The server can melt, once run - Critical data such as the URL to the file to download, or the names of the .exe, are encrypted"

http://www.chinesehack.org/down/


KarmaHotel

Also known as: IRC/Flood.i Backdoor.IRC.Flood Troj/IRCFlood-B IRC/Karmahotel* IRC_KARMAHOTEL.D IRC/Mircworm.BM VBS:Malware IRC/BackDoor.Flood Trojan.IRC.KarmaHotel.A Trojan.IRC.KarmaHotel

This trojan program consists of two scripts in an HTML file. When an infected HTML page is opened, the VBS part of the trojan is written to disk. The VBS part, in turn, creates another part (an INI file), then finds and modifies the initialization file of the mIRC client so that mIRC responds to remote commands issued by other users, and turns off all mIRC warnings. mIRC is then given a special initialization file that allows others to control the infected PC, download and upload files to it, read private messages in mIRC, etc.


Katien.a

Also known as: Backdoor.Katien.a DDoS-Kaiten IRC Trojan DDoS.Kaiten.53507 Troj/Kaiten DDoS:Win32/Kaiten TROJ_KATIEN.A TR/Katien Win32:Kaiten BackDoor.Katien.A

Katien is a backdoor trojan program. The trojan itself is a Windows PE EXE file about 50KB in length and written in Microsoft Visual C++.


Katien.n

This trojan connects to IRC servers and waits for remote commands.


Kazaam

Kazaam is a worm disguised as a component of Kazaa. Once installed, it connects the infected PC to a remote IRC channel where it receives commands from the attacker.


Kazoom

KaZooM is an add-on application that claims to automatically speed up the download process and find the files you want with far more power than regular KaZaA searches. Kazoom also installs other spyware along with it, such as NaviSearch, CashBack and Bonzi Buddy.


KCGame

Also known as: Backdoor.VB.ao


KeenValue

Also known as: keen value powersearch incredifind perfect nav power search Search Upgrader

The "More info" blurb from within the program tells us that KeenValue collects alarmingly large amounts of personal data, displays annoying advertisements, and can also read third-party cookies and transfer that information back to the maker. Several variants exist: the PowerSearch toolbar and the Incredifind adware. The PowerSearch toolbar is a customised version of Visicom Media's "Dynamic Toolbar", other variants of which are not known to be parasitic.

http://www.keenvalue.com


Kelvir.EB

Also known as: W32/SpotFace.worm (McAfee)

Kelvir.EB is a worm that spreads via Windows Live Messenger and MSN Messenger by sending a malicious link to the first 45 members of the Messenger contact list. It is dropped by the Rinbot trojan. Once on a machine, the worm checks for an already running instance of itself; if it finds one, it kills it and starts a new process. It deletes all files with the .exe extension in C:\. It then waits for the Windows Live Messenger window and, when the window becomes active, sorts the contact list by status and sends the pre-configured message containing a malicious link to each contact in the list. It also kills Task Manager if it is running during the message-sending process.


KeyHost

KeyHost is a browser hijacker that redirects your browser.


Keylog-Sklog

Also known as: Keylog-Sklog (Mcafee)

Logs keystrokes and may mail logged data back to malware author.


Keylog.Aveng-NhT

Logs keystrokes to a file (winupdate) in the %windir%\system32 directory. Filename of stored keystrokes can be different.


Keylogger.WMRemote

Also known as: Keylogger.WMRemote.100

This is an extremely dangerous trojan. Once it is installed, it has the ability to install other software. Most notable of these would be keylogging software that can steal critical information from the computer.


KGhost


Kidda

Also known as: bho.KiddaToolbar (Sunbelt) , Adware.Kidda (Symantec)

Kidda is an Internet Explorer URLSearchHook. Searches made from this bar go to kidda.de, and sponsored links are returned.


Kill and Clean

Also known as: KillandClean

This rogue anti-spyware has been listed at http://spywarewarrior.com/rogue_anti-spyware.htm by Eric Howes. Upon running a scan with this application, several good applications were flagged, McAfee being one of them. It dropped several bad registry keys related to other products upon installation so it could detect them.

http://www.killandclean.com


Kill.AV-c

Kill.AV-c attempts to disable anti-virus and spyware applications so other trojans can download unwanted files. It modifies the host file and changes Internet Explorer start page.


kILLer 2.0

Also known as: killer Downloader.cfg [McAfee] ProcKill-G [McAfee] Trojan.Win32.Killav.g [Kaspersky]

From the Website: Stays resident on the machine to kill Start/restart avs/firewall every 5 seconds.. kills over 280 fw's/av's


KillMBR.v

Also known as: Trojan.KillMBR.v

This Trojan program is a DOS Com file written in Assembler. On start-up, this Trojan writes random data to the MBR sector of the victim machine's first hard disk. As a result, no operating system can load. When the computer is rebooted, it will freeze.


KillProc-SC

Also known as: ProcKill-CV(McAfee)

Script that attempts to stop security-related services. Can disable antivirus products, Windows firewall, and Windows update.


KillSec

Also known as: Dimpy.Win32VBsy(Sunbelt) , Briz.F(Panda) Troj/Proxyser-R(SOPHOS) , Trojan-Spy.Win32.Sters.f , BackDoor-CWW , Trojan.Downloader.MVD.c

This Trojan collects information on the infected machine and sends it to its host server. It also changes the Hosts file so that a few of the known anti-virus sites are inaccessible.


Kimya

Kimya is a trojan designed to look for an open TCP connection in order to connect to the attacker. Once a connection is made, the attacker will have the ability to send SPIM to all MSN contacts. Users should be on the lookout for URLs with suspicious looking messages with links in them related to the executable file kimya.exe.


Klez Worm

Worm that uses a bug in Internet Explorer and Outlook to automatically forward itself. Very dangerous! Running infected files causes the worm to reconstruct the uninfected host file using saved data. Such reconstructed files will have "~1" appended to the name (ex., infected MSOFFICE.EXE will be accompanied by an uninfected MSOFFI~1.EXE). The worm deletes them as soon as the program stops running so they exist only temporarily. W32/Klez.e@MM sends itself out using SMTP protocol. It harvests the Windows address book for email addresses. The virus may save a copy of itself into .RAR archives. There is a date-activated payload associated with this threat. On the 6th day of March, May, September, or November, the virus may overwrite local and network files containing the following extensions with zeros: .txt, .htm, .html, .wab, .doc, .xls, .jpg, .cpp, .c, .pas, .mpg, .mpeg, .bak, or .mp3. If the month is January or July, all files may be overwritten.


Koko Trojan

Also known as: koko koko.trojan trojan.koko


Koobface

This infection sends notes to Facebook friends of people with infected computers, with subjects like: "You look just awesome in this new movie." Users are directed to a website, where they are told to download what is claimed to be an update of the Adobe Flash player.


KoolBar

http://www.koolbar.net/


Kotu Dialer

A type of software typically used by pornographic vendors. Once dialer software is downloaded, the user is disconnected from their modem's usual Internet service provider and connected to another phone number, and the user is billed. While dialers do not spy on users, they are malevolent in nature and can rack up expensive and unwanted bills. Some dialers are used for "legit" purposes, meaning that a user knowingly accepts the charges in exchange for some "online content". But many times we have seen dialers used in sneaky ways, using various tricks to get installed on a user's machine without them knowing what is going on. In general, if a dialer is detected on your system, you either know why and how it got there or it sneaked in illegally.


Kuaiso Toolbar

Also known as: Kuaiso Toolbar (Research Sunbelt) Abobe Flash Play 9 UUPlayer

This is a browser plugin that changes the Homepage and search page of the Internet Explorer.

http://www.Kuaiso.com


Kubao

This is a Chinese-based instant messaging program that is also an adware bundler.


Kugoo

Displays pop-up advertisements.

http://kugoo.com


Kuree

This is a Chinese media player program that can be installed as part of some trojan bundles.


KWM.a

Also known as: Backdoor.KWM.a PWS-Susanin PWSteal.KMW.A Troj/Susanin PWS:Susanin TR/WebMoney.1 Win32:Trojan-gen. PSW.Susanin Trojan.PSW.Susanin.A

This is a Win32 backdoor Trojan that allows a remote host to gain access to an infected computer. The Trojan itself is a Win32 application (PE EXE file) about 14K in size.


L4D Keylogger

Also known as: Steam Keylogger L4d Web Downloader

A Steam keylogger posing as a mod for the popular videogame Left 4 Dead.


L4D Logger

L4D Logger is a keylogger trojan centered around the Steam Instant Messaging application. It is distributed as a sound editing tool for Half-Life 2 and Left 4 Dead, but monitors keystrokes entered in by the user in the Steam program.


LameRemote

Also known as: LameRemote.100 ProjectMayhem.100

This is a RAT Trojan that has the ability to gain access to your computer through port 6666.


LameSpy

Also known as: LameSpy.095


Lamhok


Lana

Also known as: Backdoor.Lana


LANfiltrator 1.1-FIX

Also known as: BackDoor-ANC trojan [McAfee], BackDoor-ANC [McAfee], Backdoor.LanFiltrator.05, Backdoor.LanFiltrator.05 [Kaspersky], Backdoor.LanFiltrator.10, Backdoor.LanFiltrator.10 [Kaspersky], Backdoor.LanFiltrator.10.b, Backdoor.LanFiltrator.11, Backdoor.LanFiltrator.11.b, destructive program [F-Prot], security risk named W32/LanInfiltrator.A [F-Prot], security risk named W32/LanInfiltrator.B [F-Prot], security risk named W32/LanInfiltrator.C [F-Prot]

LANfiltrator is a remote access tool, designed to access the remote computer through a router, LAN or proxy server. RATs generally work by connecting to the remote computer's IP address. But when the RC is behind another device, i.e., router, proxy, then there is an internet IP, that the connecting device uses, and the computer's own LAN IP. It's impossible for a normal RAT to connect to the remote computer, in other words, as it cannot possibly access the sub-IP. Enter LANfiltrator. How it works. Well as most of you more experienced Trojan users will know if you send a server to someone that is on a LAN you will not be able to connect to them, because their IP is given to them by their local DHCP server (The computer that shares the internet with the other computers) which connects them to the internet. So, their IP is hidden behind the server and cannot be easily accessed on the internet by you. Well, with LANfiltrator it is now possible to do this. Well basically the server works like a client, but invisible, with server functions built into it. So this means that the client will listen and wait for the server to connect, basically like SIN notification but more complex, so once the server connects to your client with your IP you can use the client as if it was a normal one. If you want to know more about how the server will connect to your IP there is more info in the edit server of the application on how this works.


Last

Also known as: Last.2000 Matrix.200

This is a RAT Trojan that has the ability to gain access to your computer through ports 7788 and 8899.


LaughNetwork

Also known as: Laugh network Laughnetwork Hopeless Romantic Hopelessromantic start page

From The LaughNetwork, "The LaughNetwork software is a program that will automatically reset your start page to one of our custom homepages each time your computer reboots. This means that your homepage will be changed from what it was before you download our software. If in the future you decide you no longer want to keep our homepage as your default homepage you can uninstall our software and change it. By installing our software you acknowledge that your homepage will be changed and you agree to allow that to happen. On your new LaughNetwork homepage you will be shown content of our choosing and also advertisements of our choosing."


LdPinch

Also known as: PWS-Pinch LDPinch Trojan-PSW.Win32.LdPinch.epw (F-Secure)

This is a password cracker that sends stolen information to a known bad IP address in Panama.


LemonLover

LemonLover spams the victim with several pictures of the internet meme sensation, LemonParty.org. It also has the ability to reinstall itself in case the victim tries to manually remove the threat.


Let Me Rule! 2.0

It's a Trojan written in Delphi that gives the attacker remote access to the infected system.

http://booters.atspace.org/hacking%20tools2.htm


LinkGrabber 99


LinkReplacer

LinkReplacer is an Internet Explorer Browser Helper Object that adds content to the start of every web page viewed. This content is (currently) a script that reads all your cookies and sends them to LinkReplacer's controlling server wcft.net. Cookies set by web sites (and sent by LinkReplacer) may contain personally identifying information. Cookies are also often used for authorising access to web sites. LinkReplacer's owners will often be able to gain access to your accounts on web sites you have accessed with it loaded.


Lirva

Also known as: W32/Lirva.a@MM

This worm is found in e-mails. Be cautious if you see any e-mails with the following subjects:
Fw: Redirection error notification
Re: Brigada Ocho Free membership
Re: According to Purge's Statement
Fw: Avril Lavigne - CHART ATTACK!
Re: Reply on account for IIS-Security Breach (TFTP)
Re: ACTR/ACCELS Transcriptions
Re: IREX admits you to take in FSAU 2003
Fwd: Re: Have U requested Avril Lavigne bio?
Re: Reply on account for IFRAME-Security breach
Fwd: Re: Reply on account for Incorrect MIME-header
Re: Vote seniors masters - don't miss it!
Fwd: RFC-0245 Specification requested...
Fwd: RFC-0841 Specification requested...
Fw: F. M. Dostoyevsky "Crime and Punishment"
Re: Junior Achievement
Re: Ha perduto qualque cosa signora?
Bodies: AVRIL LAVIGNE - THE CHART ATTACK! Vote fo4r Complicated! Vote fo4r Sk8er Boi! Vote fo4r I'm with you!


Lithium

Also known as: Backdoor.Lithium.103 Lithium.100

Lithium gives a hacker the ability to remotely control the compromised computer.


Littlehelper

Also known as: Adware.Littlehelper, Little Helper

Littlehelper is an adware application that displays popup advertisements when the user surfs the web. It also changes the default startpage of Internet Explorer to http://www.de.ag/ This adware does not propagate without user consent.


LittleWitch

Also known as: Backdoor.LittleWitch

Trojan or Trojan Horse is a general term that refers to programs that appear desirable, but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer where a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage.


Lizardbar

Redirects Internet Explorer searches. Their site is not active. It is unknown if legacy versions of this software still exist.

http://www.lizardbar.com


LoadFonts

Installs itself secretly in the registry. On each boot it sets the homepage of Internet Explorer to a porn site using a .VBS script.


LocalNRD


Locators Toolbar

Popup blocking toolbar that can display advertisements from specific websites. If an invalid URL entry is given, it does not display the message "Page not found error" in IE. Instead it displays a page with a message saying "Sorry, we're currently unable to find the site. Click here to search Locators for related sites." The hyperlink given is for searching the Locators website.

http://www.locators.com


Locmag Toolbar

This is a Japanese-born adware that comes in the form of a browser plugin.


Look2Me

During installation a connection is made to ad-w-a-r-e.com, and instructions from JavaScript change the hosts and remove registry keys. It has the potential to do other malicious acts.
http://www.ad-w-a-r-e.com/cgi-bin/PopupV2?ID={<some clsid here>}&type=normal&mSkip=1&rnd=", 300000, "TRUE");
sendExternalEvent('EVENT:UPDATECRC:A1EDBE54FAEA39FAAC6DF618503910E7');
sendExternalEvent('EVENT:REMOVEKEY:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify?HKLM?DllName?0563F1C45F34E7305C57F10DD17B6E8F');
sendExternalEvent('EVENT:REMOVEKEY:SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects?HKLM');
sendExternalEvent('EVENT:HOST:127.0.0.1?www.igetnet.com');
sendExternalEvent('EVENT:HOST:127.0.0.1?code.ignphrases.com');
sendExternalEvent('EVENT:HOST:127.0.0.1?clear-search.com');
Downloads other unwanted software and displays advertisements. Causes the CPU to be at maximum usage, which causes the computer to run slowly and sometimes freeze up. Displays an advertisement that lists some causes of computer problems and offers a free program to check the computer for errors. Seems to be related to VX2. Adds other software, and sometimes creates a second "shortcut bar".


Looking-For.Home Search Assistant

Also known as: Home Search Extender,Trojan/Startpage,HSA, Shopping Wizard, CWS Variant, Lookf,Only The Best

This malware uses random file names located in the windows\system folders to evade simple filename-based antispyware applications.


LookNSearch

Also known as: Look N Search


LookQuick


Looksky

Also known as: W32.Looksky.F@mm(Symantec) W32/Loosky-K(SOPHOS)

Spreads by sending a copy of the worm to email addresses from the Windows address book. Logs passwords and email addresses to a file named attrib.ini in the %windir%\system32 directory.


LoseLove

Also known as: LoseLove.100

Though it has been inactive since Feb. 2005, users should watch for the installation file called setup_esplugin.exe.


LotusHlp

Also known as: AutoRun.Q WORM_WINKO.AO (Trend Micro)

This is a Chinese trojan that creates several dangerous processes resembling legitimate names related to Lotus, security software, or printer drivers. It also alters key windows processes like the Task Manager in order to prevent you from removing the infection. It also hijacks your Start page to http://main.94ak.com


LoudMarketing


Love Free Games

Also known as: LoveFreeGames

Love Free Games modifies the Internet Explorer's Error page.

http://www.LoveFreeGames.com


Loveletter

Also known as: Lovebug, I-Worm.LoveLetter, ILOVEYOU

The worm uses the Outlook e-mail application to spread. LoveLetter is also an overwriting VBS virus and it spreads using a mIRC client as well. When it is executed, it first copies itself to the Windows System directory as: - MSKernel32.vbs - LOVE-LETTER-FOR-YOU.TXT.vbs and to the Windows directory as: - Win32DLL.vbs


LoveTester


LowZones

Also known as: Trojan.LowZones Qlowzones Low Zones QLow Zones Zad

Lowers Internet Explorer security settings.


Luder.gen

Also known as: Virus:Win32/Luder.B (Microsoft) Win32/Patched.A (NOD32v2)

Luder.gen starts a process for malicious software.


LZIO

Also known as: Free Community

Adware, also known as an Adbot, can do a number of things, from profiling your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled with other software (i.e. peer-to-peer file swapping products) without the user's knowledge or slipped in the fine print of a EULA (End User License Agreement). Not all Adware is bad, but often users are annoyed by adware's intrusive behavior. Keep in mind that by removing Adware, sometimes the program it came bundled with for free may stop functioning. Some Adware, dubbed a "BackDoor Santa", may not perform any activity other than to profile a user's surfing activity for study. Adware can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall. A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA. It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA, e-mail the company and ask them for clarification. If they cannot clarify this, do not install the software.

http://www.lzio.com/


Machers Toolbar

From their website: "The Machers Toolbar is the one browser companion your whole family will appreciate. Easy to install and downloads in seconds, the toolbar puts a variety of functionality right on the top of your web browser. Best of all, it's FREE!"

http://content.machers.com/toolbar/install.html


MaConnect

Dialers that are force-installed by porn sites. The maker seems to be very shady: "Haldex LTD", from Gibraltar.


MadameSalope

Also known as: Madame Salope

MadameSalope is a dialer program used to access pornographic websites by dialing a high-cost phone number through a modem.


MadFinder


Magic Password Stealer Trojan

Also known as: MagicPasswordStealer Trojan MPS Trojan

This Trojan steals passwords from the infected system and sends them back to a predetermined e-mail address.


Magic Search Toolbar

May show Advertisements. Downloads a configuration file from its server when the web browser is launched. May change the default Start page, Search page and Search Assistant of Internet Explorer. Redirects the unreachable and unavailable web sites through its own server. Modifies Windows host file. Adds many webpage shortcuts into Favorites Menu of Windows Explorer. Also deletes the Links Directory from Favorites Menu. Modifies Windows registry to allow popups from certain sites by getting rid of Windows Pop-Up Blocker.


MagicAds

Also known as: Magic ads


MagicControl

Also known as: Magicon.A Trojan.Simcss Magicon Magic Control

This memory-resident downloader Trojan is designed to terminate firewalls and anti-virus programs.


Mailbot.Spam.A

Downloads a list of e-mail addresses and spam content from assigned websites. Has its own SMTP engine to send mail to the addresses on the list.


MAILSENDER

This is an adware program that is installed via an ActiveX control. This is no longer in circulation.


MailSpectre

This is a Trojan that has the ability to send spam e-mails to everyone on the victim's contact list.


Mainz

This is a Korean-based adware product that alters the infected PC's homepage. There are also several rootkits that are installed.


MakeMeSearch

Also known as: Arau parasite Tubby

This is also an Internet Explorer Hijacker. There are several variants that take you to different sites.


Malicious URLS

"Malicious URLS" consists of domains associated with vendors and distributors of spyware, adware, greyware, and other potentially unwanted advertising software. Some of these domains may run exploits to facilitate the installation of this unwanted software.


Malware Stopper

This is a rogue anti-spyware. They are listed on the Rogue Anti-Spyware list from Spywarewarrior.com http://spywarewarrior.com/rogue_anti-spyware.htm

http://malware-stopper.com


MalwareWipe

Also known as: Malware-Wipe

This is another Rogue Anti-Spyware program. This site is listed on the Spyware Warrior Rogue list. http://spywarewarrior.com/rogue_anti-spyware.htm

http://www.malwarewipe.com


Mantis

Also known as: Mantis.100

This is a trojan that has the ability to drop its adware payload onto the infected machine through port 3723.


Mapisvc

Also known as: Adware.Fapi(Symantec)

Usually installed with freeware programs. Can redirect DNS, 404 and other pages. Displays pop-up advertisements.


MarcadorCOM

Also known as: Marcador COM

It downloads automatically and connects to sites without user permission.


Margoc

Also known as: Adware.Margoc

Margoc is an adware program that displays pop-up window advertisements when certain Web pages are displayed. The Web site can configure the advertisements to be displayed and the trigger for them to be displayed. At the time of writing, they are triggered by queries to the Google search engine.


Mariquita

Also known as: Trojan.VBS.Mariquita VBS/Chimpn Bloodhound.VBS.Worm Joke/Chimpun-A VBS/Chimpn* VBS_CHIMPUN.A VBS/Chimpun.A VBS:Malware

From Viruslist.com: Mariquita is not a real trojan virus; it is written in the Visual Basic Script language (VBS). 'Mariquita' launches the NotePad application and creates the text document "marquita.txt". The 'mariquita.txt' document contains the following text: "Hola soy un virus CHIMPUN". Next the virus starts MS Outlook and tries to create new email messages.


MarketDart

Also known as: Market dart

MarketDart redirects searches and changes browser settings. Downloads a text file from its server, which contains a list of URLs to be redirected and its corresponding target URLs where to be redirected. Changes the startpage and searchpage of Internet Explorer to http://ie.marketdart.com


Massaker

Also known as: Massaker.100 Massaker.110 Backdoor.Massaker

This is a trojan that has the ability to drop its payload onto your computer through port 7119.


Masta Cash Dialer

This is a porn dialer. Be careful: the entry page shows nudity.

http://www.mastacash.com/


Masterbar

Also known as: Masterbar pugi Qidion Toolbar

Toolbar that tracks your surfing habits, changes your homepage, and shows advertising. It has auto-update functionality, and seems to be related to "Pugi" according to some reports and code references.

http://www.masterbar.com/


MasterDialer

Also known as: MasterConnector AXDownload WebInstall WebUpdate

An ActiveX installer control for premium-rate phone dialers. Installed by ActiveX drive-by-download on a pop-up window that imitates a Windows software installation dialogue, from web pages operated by Firstway Medien GmbH and COMFIX newMedia. The software may claim to be a webcam viewer, chat program or eDonkey, depending on the site. Any web page can direct it to install any executable code.

http://www.masterdialer.de/


MastersParadise

Also known as: Masters Paradise MastersParadise.970 MastersParadise.920 MastersParadise.970 Masters Paradise 98

This trojan is installed by anti master.exe. Once installed, it has the ability to add functionally unrelated software.


Matcash

This adware program takes the form of a toolbar. It is normally installed from websites as an ActiveX control. Many sites may have this toolbar installed from their website because they receive $.15 per installation. It is often bundled with Zango and Media Access. From their website: "Matcash is an affiliate Toolbar that pays you each time a surfer installs our Toolbar on his computer."

http://www.matcash.com/uk/home.php


MatureToolbar

Also known as: Mature Bar

This is a porn site that wants you to install their toolbar upon entering their website. Be warned: graphic pictures are on this site.

http://www.maturetoolbar.com/


Maxifiles.Director

Also known as: Startup.NameShifter.OM

Adware Maxifiles.Director has the ability to download other malware threats also.


Maxsearch

Also known as: Maxi Search Freeprod Toolbar888 LuckyToolbar Lucky Toolbar Affiliate Beta Bar888 Maxsearch.Ipwins 888Toolbar 888bar

This is a browser plugin originating from www.maxifiles.com. It will redirect internet searches to maxifind.com.

http://www.maxifiles.com/index.php


MBomber

Also known as: MBomber.100

This is a RAT Trojan that has the ability to gain access and alter your machine's settings through port 5190.


Mdodo

Also known as: 6dZone

This is a Chinese adware that displays advertisements from www.6dzone.com.


Media Access

Also known as: Media Gateway MediaGateway MediaAccess Adware media

Ad delivery software which provides targeted advertising offers.


Media Pass

Also known as: MediaPass

Displays advertisements.


MediaMotor

Also known as: media-motor Media Motor Adware.Popuppers(Symantec) Seeve

Displays advertisements and may be included in a trojan bundle.

http://www.media-motor.net/


MediaTickets

Also known as: media tickets media ticket

Quote from website: "With MediaTickets, you can now take your existing traffic and generate income in addition to current sponsor revenue streams." Uninstaller listed on site.

http://www.mediatickets.net/


MediaUpdate

Also known as: SafeSurfing MediaUpdate.SafeSurfing MediaUpdate/012 MediaUpdate/020 MediaUpdate/022

Connects to a controlling server to download a list of site URLs and keywords to target. Redirects you to one of their affiliate sites.


Medload

Displays popup advertisements and drops icons on desktop containing shortcuts to various websites.


MegaSearch Toolbar

Also known as: MegaHost, Mega!, Adware.BestSearch (Symantec)

MegaSearch Toolbar is an IE toolbar which will redirect your searches.

http://seo-specialists.org


MegaSearchbar

http://megasearchbar.com/


Mehandi Toolbar

Mehandi Toolbar, when prompted for download, redirects to the Alexa website to download the Alexa Toolbar.


Memory Meter

Also known as: MemoryMeter

A "freeware" program that displays the memory in use on your PC. Has been known to be installed behind the user's back. Can sometimes be hard to remove.

http://www.memorymeter.com/


Memory Watcher

From their website: By downloading Memory Watcher, you can now monitor your computer's memory usage. If you find that you're running low on memory resources, Memory Watcher will make you aware of this by displaying a meter that tells you how much memory resources are being used. With Memory Watcher, you can now avoid running low on memory and having your computer crash before it's too late. Notes from the Terms of Service from their website, www.memorywatcher.com/TOS.html: 1) By installing the Memory Watcher Software on your computer, you understand that: (i) Several ADVERTISING CONSOLES may be launched for the duration of time you spend online. These consoles may continue to be launched as long as you have MemoryWatcher installed on your machine. MemoryWatcher does not monitor the activities or collect information from users once they have left MemoryWatcher. 2) QuadroGram may automatically transmit to and install on your computer, Software improvements, corrections, adaptations, conversions to more recent Software versions or any other changes to the Software, with or without giving notice. 3) By using the Software, you may be exposed to contaminated files, computer viruses, eavesdropping, harassment, electronic trespassing, hacking and other harmful acts or consequences that might lead to unauthorized invasion of privacy, loss of data and other damages. 4) By downloading the Memory Watcher software, you agree to receive advertising messages delivered on your computer in any form and of any frequency. QuadroGram may, in its sole discretion, change, modify, add or remove portions of this license at any time. Notice of material changes to this agreement will be posted on QuadroGram's web site or through the Software. There is no company information listed for MemoryWatcher. Advertisements continued to be displayed after the program was stopped.

http://www.memorywatcher.com/


Mendware

This is a trojan that generates seemingly random filenames in order to avoid detection by some anti-malware scanners.


Meridian

Also known as: Meridian Popupper

Displays popup advertisements while surfing the internet.


Messenger Skinner

Also known as: MessageSkinner

This is a browser plugin for Windows Live Messenger that gives the user more emoticons and other add-ons. Once you install this application you are shown ads from a separate ad network that you must uninstall separately.


Messenger Spam

Not really adware, but advertisements sent by exploiting default Windows settings. For complete information see: http://www.spywareguide.com/txt_messengerspam.html


Messenger Stopper


MHTMLRedir.Exploit


Midaddle

Also known as: MidaDdle

System tracks online behavior by matching user keywords in user-entered URLs, web page forms, search forms and click-through destinations which are then mapped against keywords generating ad delivery. From the Website: The midADdle interstitial ad network combines the latest innovations in business and technology to help create an increase in ad-awareness, brand-recall, and higher response rates. Since interstitials are launched between web pages they capture the user's full attention.

http://www.midaddle.com


Midnight Oil 3.11

From Randy Rasa, "This program uses the AdSoftware system from Aureate Media Corporation. Whenever you are connected to the Internet, advertising banners will be shown on the toolbar. Please support this concept by clicking on banners of interest. This is the only way I'll receive any compensation for writing this program. Thank you for your support."


Mind-Control 5

Consists of a client/server trojan. Runs on Windows 98, Me and XP.


MindControl

Also known as: Backdoor.MindControl

Symantec: Gives its creator full control over your computer. Opens port 23, by default. Is written in the Visual Basic (VB) programming language. Needs the VB run-time libraries installed for it to work.


MiniOblivion

Also known as: MiniOblivion.010 Oblivion.010

Once installed through illwill_info.exe, this RAT Trojan has the ability to gain access to the infected machine through port 7826.


Mir8

This is a Chinese adware that changes your start page and drops several files to the infected PC's system32 directory. It also alters the Winsock LSP.


Mirar

Also known as: netnucleus

Mirar Toolbar is an Internet Explorer toolbar that has been reported to stealth install. "The Mirar Toolbar provides content relevant information while you browse the web. Finding pages of similar topic and interest to the page you're on it shortens the time required to find the info you need." This toolbar goes beyond simply redirecting searches entered in search engines. It matches terms found in URLs and redirects your webpage to their affiliates. For example, visits to spywareguide.com have been seen to be redirected to winantiviruspro.com (a known rogue antispyware application). Mirar has been installed with exploits and can be installed from large bundles of ad-ware without user consent.


Misc. Exploits

"Misc. Exploits" consists of miscellaneous, unaffiliated domains associated with delivering adware, spyware, and malware to victims' PCs, often through the use of various exploits.


Mmgsvc


mmorpg-Steal

Also known as: PWS-Mmorpg.gen (Mcafee) Foobar

mmorpg-Steal is a password stealer for massively multiplayer online role-playing games.


MMTask


MMThief

Also known as: Troj/MMThief-Q

This trojan is designed to steal passwords once it is fully installed on the PC.


MN.Spooler

This is a worm that travels through Windows Live Messenger in order to infect other users. It spams other Windows Live Messenger accounts without the infected user ever knowing. The package that is installed gives the attacker the ability to remotely execute code using the Print Spooler Service Vulnerability.


Mneah

Also known as: Mneah.100

This is a RAT Trojan that has the ability to gain access to your computer through port 4666 once installed.


MNPol


Mob.Blockcheck

Mob.Blockcheck is a fake application that claims to see who has you blocked on Instant Messaging, but actually takes your login information and sends it back to the attacker.


MOCHIA

Also known as: Troj/Domcom-D (SOPHOS)

Mochia is a downloading trojan.


MoM

Also known as: Value Systems, Inc

Keylogger, takes screen shots - monitors for keywords while searching online.

http://www.avsweb.com/mom/


MoneyTree

Also known as: DyFuCA NSUpdate NSLite Money Tree

MoneyTree is an ActiveX control used to download premium-rate dialers. MoneyTree/NSUpdate: installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder. MoneyTree/NSLite: installs nslite.dll and nslite.inf in the Downloaded Program Files folder. MoneyTree/UniDist: installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder. MoneyTree/DyFuCA: installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs the InternetOptimizer parasite.

http://www.avenuemedia.com/


Montil

Also known as: AccessMembre Access Membre


Mosaic

This trojan will delete system files and attempt to wipe your hard drive.


Mostrar Dialer

Dialers are software that dials a phone number. This usually happens without the end user knowing about it - causing long distance charges.


Mosucker

It is a powerful hacker tool used to get remote access to an infected machine. Once installed, it gives remote access to multiple users.


MovieCommander

These malicious codecs are installed along with NetBrowserPro.


Movieland

Also known as: MediaPipe/MovieLand (Sunbelt-Software) Movie land Media Pipe

From TOS of MovieLand, "...BY PARTICIPATING IN THE MOVIELAND / MEDIAPIPE FREE TRIAL OFFER THE MEDIAPIPE SOFTWARE WILL ENABLE YOU TO ACCESS THE AVAILABLE CONTENT FOR THE PERIOD OF TIME THAT SPECIFIED ON THE ADVERTISEMENT YOU HAVE CLICKED THROUGH. IF YOU DO NOT PROVIDE PAYMENT INFORMATION DURING THE TRIAL PERIOD OUR BILLING SOFTWARE WILL BE ENABLED UPON THE EXPIRATION OF YOUR TRIAL PERIOD. THE BILLING SOFTWARE WILL RUN ON YOUR COMPUTER, DISPLAYING POP-UP WINDOW REMINDERS THAT PROVIDE YOU WITH VARIOUS METHODS OF PAYMENT FOR THE ANNUAL LICENSE. THESE POP-UP WINDOWS WILL APPEAR MORE FREQUENTLY UNTIL YOU CHOOSE ONE OF THE PAYMENT OPTIONS AND PAY FOR THE LICENSE. THE BILLING SOFTWARE IS SOLELY DESIGNED TO PREVENT FRAUDULENT AND UNAUTHORIZED USE OF THE MEDIAPIPE SOFTWARE..."

http://www.movieland.com


Movieplace

http://www.movieplace.net/


Mpegbold

This application is of unknown origin. It creates a toolbar just above the taskbar. It appears to serve unmarked popups while browsing even when the application is not in use.


MPGcom

Toolbar


MrFindAlot

MrFindALot runs in the background and changes Internet Explorer's search page to www.mrfindalot.com/search.asp. Drops and installs files for QuickLinks.

http://mrfindalot.com/


MRJ.Lowzone

Also known as: Trojan.LowZones.am

Shows advertisements inside its own window. Adds a few sites to the Trusted Zone of Internet Explorer.


MrXiaokan

Once this trojan is installed, it drops a file called Sploae.exe into the C:\Program Files\Internet Explorer directory. It also drops a .dat file that stores phone-home URLs to other infections.


MS SyS Restore


MSAntivirus

This is a rogue anti-spyware. This product is NOT related to Microsoft.


MSConnect Dialer


MsMovies

Also known as: Trojan.virtual-ie.MsMovies(Counter Spy) W32/Alcra-E (Sophos)

This malware sets the attributes of the System32 folder in the Windows directory to hidden, which causes most Windows applications to start failing. This malware spreads through file sharing networks.


MSN-PW

Also known as: MSN Password stealer PW

MSN-PW shows a fake WLM (Windows Live Messenger) login screen to steal Windows Live IDs and passwords.


MSNAgent

MSNAgent attempts to contact a remote server for the purposes of stealing the victim's login credentials. This threat is known to hide executable code within malicious .jpg files.


MSnet

Also known as: Agent.RW

This is a Chinese trojan that installs a rootkit that communicates with a botnet.


MsnTroyano 2.0

MsnTroyano can exploit the user's computer through security exploits, and can severely compromise system security. It may also open illicit network connections.


MStartEnter

Also known as: Switch-dialer

Attempts to dial premium rate services without the user knowing.


Msudpb

Also known as: Msudpb.dll

Many malicious applications use this DLL file to connect to some sites which display advertisements.


MSWsearch

http://www.abcsearch.com


MultiClicker


Multidr-KO

Also known as: Trojan.Multidr-KO (Sophos)

Trojan that downloads other malware and trojans.


MultiDropper-FD

Downloads unwanted software to the user's computer without the user's knowledge. Downloads and runs other downloader trojans.


Muquest

Also known as: Trojan.Muquest (Symantec), Trojan.Delf.REQUESTER (Sunbelt), Win32.Muquest

Muquest is a trojan that allows the infected computer to be used as a proxy server. It also sends system information such as IP address, open ports, etc.


Musqkito Marketing

Also known as: Musqkito Ads, Musqkito Dart Plus

Claims to perform "precise consumer campaign targeting" based on "detailed visitor demographics". Installs a toolbar that (even when turned off!) shows advertisements in popups or overlapping existing banner advertising (in some cases a change in the border of the ad can be seen when it loads). Also sends URLs when a search is done on a major search engine. Site is no longer valid, but still quite a lot of copies are floating around. We have received reports that other adware is bundled with this application but have been unable to verify.

http://www.musqkito.com/default.asp


MW.ORC

Also known as: Orc Worm malware.orc

Orkut is an "invite only" community run by Google. This particular threat infects a PC, then tries to steal various pieces of information from the PC (banking details, usernames / passwords) by having them emailed to the creator of the worm. The infection takes advantage of Orkut's scrapbook feature (where users can send messages to each other, which are displayed on public pages within the user's profile). There is evidence of the infection links being self-propagating, however the links may also be delivered manually. On some occasions, the infected user can also be placed into a Botnet designed to share large movie files. The initial executable file creates two further files when activated, winlogon_.jpg and wzip32.exe (located in the System32 Folder). The files appear to be variants of the PWSteal.Trojan or another generic trojan designed to steal passwords. When the user clicks the "My Computer" icon, a mail is sent containing their personal data. In addition, they may or may not be added to an XDCC Botnet (used for file sharing), and the infection link may be sent to other users that they know in the Orkut network. For more information on XDCC see http://www.spywareguide.com/term_show.php?id=125


MX-targeting

From their Website: "MX-Targeting is a software development company. We have developed a series of ad targeting applications such as MX-Targeting.dll that help advertisers deliver targeted ads. In addition to our software development, we also provide certain support services to the distributors of our software."

http://www.mx-targeting.com/index.htm


My Daily Horoscope

Also known as: Enconfidence Adware.Horoscope(Symantec)

From enConfidence, Inc., "The enConfidence Network is an in-context behavioral advertising network using software applications. These software applications are free to the public. In order to keep these applications free, pop up ads, based on your online behavior, will occasionally appear on your computer screen. Ad-free versions of these software titles will soon be available for purchase. We collect information regarding your Web surfing habits so that we can target advertisements and promotions that may be of the most interest to you. Please note that search query information collected by the Enconfidence Software is generally maintained by us on an aggregated basis (i.e., together with the queries of all of our end-users) for the purposes of generating statistics regarding the use of the Enconfidence Software (such as the number of queries performed by the average end-user per month, a list of the most popular query terms, etc.), and is never used in a manner that associates specific search query information with other information that would enable us to identify you, as we do not obtain or maintain any personally identifying information" My Daily Horoscope displays horoscopes and ads.

http://www.mydailyhoroscope.net


My Demise 1.0

Also known as: Demiz Backdoor.Demiz

This Trojan will give the attacker remote access to the victim's computer.

http://mistareal.jexiste.fr/


My Spyware Cleaner

Also known as: Myspywarecleaner

This rogue anti-spyware application is often sold by means of misleading pop-up advertisements. One such case would be a pop-up ad that appears as a paid link when the search term "Microsoft antispyware" is entered into a search engine. Instead of taking you to the Microsoft antispyware products list, it takes you to myspywarecleaner.com. This product is no longer in circulation due to legal action from the Washington Attorney General.

http://www.myspywarecleaner.com/


My247eShopper

This is a browser plugin which displays advertisements.

http://www.My247eShop.com


MyCleanerPc

MyCleanerPc is a rogue anti-spyware application which displays false detections. There is no EULA, privacy policy or contact information posted on their site.

http://mycleanerpc.com/


MyCoolScreen


MyDoom

Also known as: Novarg MIMAIL W32.MyDoom

This mass-mailing worm selects from a list of email subjects, message bodies, and attachment file names for its email messages. It spoofs the sender name of its messages so that they appear to have been sent by different users instead of the actual users on infected machines. It can also propagate through the Kazaa peer-to-peer file-sharing network. It performs a denial of service (DoS) attack against the software business site www.sco.com. It attacks the site if the system date is February 1, 2004 or later. It ceases attacking the site and running most of its routines on February 12, 2004. It runs a backdoor component, which it drops as the file SHIMGAPI.DLL. The backdoor component opens ports 3127 to 3198 to allow remote users to access and manipulate infected systems. Note that it allows remote access even after February 12, 2004. This worm runs on Windows 95, 98, ME, NT, 2000, and XP. Already several "morally challenged" people are exploiting the backdoors that this worm creates for their own use, such as sending out spam or DDOS-ing sites.


Myftu

Also known as: Trojan.Myftu [Symantec]

Myftu steals email addresses from the user and registers in a pornographic service without user knowledge.


MyFunCards

MyFunCards changes the search page and also sends anonymous emails.


MyPageFinder

Their site is listed for sale. It is unknown if legacy versions of this software still exist.

http://www.mypagefinder.com


Mysearchpage


Myspace-X

This is an application meant for educational purposes only. It uses Myspace Friend IDs to find out information about the intended victim.


Myspace.Shutdown

It's a fake Myspace Hacker that shuts down your PC when you run it.


Myzor

This trojan is installed as a package used to view video clips usually related to pornographic material.


N-Case

Also known as: n case ncase

From the Website: n-CASE is a small application that is downloaded to your computer and runs in the background looking to show websites with information, offers and products that match keywords you are looking for when either shopping or searching online.

http://www.n-case.com


NameShifter

Also known as: Name Shifter

The Nameshifter family of Trojans is downloaded through exploits and poses a large security risk. The application possesses morphing abilities that dynamically change MD5s and filenames.


Nano Antivirus

This is a rogue anti-spyware. Remove if found on your PC.

nanoantiviruscheck.com


Naupoint

Displays advertisements on your computer.

http://www.naupoint.com


NavExcel

Also known as: NavHelper

NavExcel is a search hijacker implemented as an IE Browser Helper Object. Address bar searches, attempts to connect to unknown servers, and all 404 page-not-found errors (even those whose sites provide custom error pages) are redirected to webservicehost.com. Bundled with screensavers from mvr.us. NavExcel can download and execute arbitrary code from its controlling server www.navexcel.com (as an update feature).

http://www.navexcel.com/


NaviSearch

NaviSearch is an IE Browser Helper Object from eXact Advertising. It hijacks your browser settings.

http://www.navisearch.net/


nCast

nCast is a Chinese adware which shows advertisements.


Need2Find

Toolbar that hijacks error pages. Displays a different error page when a requested URL is not found.

http://www.need2find.com


NeededWare

Also known as: Creatrix Media nContext Media

Under Investigation

http://www.neededware.com


Neo Toolbar

NeoToolbar is an Internet Explorer toolbar that silently downloads and installs other malware. Has been seen to install TIBS premium-rate dialer and CoolWebSearch.


NeoSpace

This is a rogue anti-spyware. They are listed on the rogue anti-spyware list provided by spywarewarriors.com http://www.spywarewarrior.com/rogue_anti-spyware.htm


Net Devil 1.5

Net-devil is a trojan that will give an attacker access to your computer. Also a Key-Logger.


Net900

medias res Gesellschaft für Kommunikationstechnologien mbH


NetBoy

Also known as: NetBoy.100

This is a RAT Trojan that has the ability to gain access to the infected machine through port 8372.


NetBrowserPro

This is an adult-oriented browser that allows the user to surf to explicit material. It hijacks the domain to a blacklisted IP address in the Ukraine. The browser also drops a rootkit in the C:\Windows\system32\ directory. This rootkit is hidden from the Windows API to avoid detection.


NetBus 1.2

Also known as: Backdoor.NetBus.12 NetBus.reg Troj/NetBus-REG REG_NETBUP.A


NetCrack 1.2

Also known as: Backdoor.NetCrack.12 NetCrack.100

Trojan or Trojan Horse is a general term that refers to programs that appear desirable, but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything, for example you may download what appears to be a free game, but when you run it, it opens up a port on your computer where a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage. As reported on the Symantec Website: Backdoor.NetCrack is a Backdoor Trojan that gives an attacker unauthorized access to an infected computer. By default it opens port 911 on the compromised computer. Backdoor.NetCrack is a Delphi application, packed using UPX v1.05-1.22.


NetDevil

This is a trojan that communicates through port 901 on the infected machine.


Netdex.a

Also known as: Backdoor.Netdex.a JS/Netdex@M Troj/Netdex-A JS/Netdex* BackDoor.Netdex

Netdex is multi-component backdoor trojan program. It allows a remote hacker to take control of infected computers. To accomplish this, the backdoor code downloads special script files from the Web site http://www.two.com.ru, processes them and then sends the result back to that Web site.


Netguarder Web Cleaner


Nethief

Also known as: Backdoor.Nethief BackDoor-TW Backdoor.Trojan BackDoor.Nethief Troj/Bdoor-TW Backdoor:Win32/Nethief BKDR_NETHIEF.F BDS/Nethief Win32:Trojan-gen. BackDoor.Nethief Backdoor.Nethief.A

This backdoor uses standard client-server technology and includes two parts, client and server, both of which are Windows executable files (PE EXE). The backdoor server is installed on victim computers, and the client controls them from a remote station.


NetMetro

Also known as: NetMetro.104

This is a RAT Trojan that can communicate through port 5031 on the infected machine.


NetPal

Also known as: PrizePopper Tracker TrackIExplore

NetPal is an IE Browser Helper Object from Mindset Interactive, the people behind Transponder. It does similar things to the Transponder range, but is quite different internally.

http://www.netpalnow.com/


NetPatch

Also known as: Trojan.NetPatch Trojan Horse Troj/Netpatch Trojan:NetPatch NETPATCH.A Joke/NetPatch Trojan.NetPatch

This trojan changes the system date.


NetPumper 1.2

NetPumper shows banners in the application window. NetPumper has bundled CyDoor and SaveNow. There is a Pro version of NetPumper free from banners and bundled software.

http://www.netpumper.com/index.php


NetRadar

Also known as: Net Radar

Adware, also known as an Adbot, can do a number of things from profiling your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled (i.e. peer-to-peer file swapping products) with other software without the user's knowledge or slipped in the fine print of a EULA (End User License Agreement). Not all Adware is bad, but often users are annoyed by adware's intrusive behavior. Keep in mind that by removing Adware sometimes the program it came bundled with for free may stop functioning. Some Adware, dubbed a "BackDoor Santa", may not perform any activity other than to profile a user's surfing activity for study. AdWare can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall. A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA. It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA, e-mail the company and ask them for clarification. If they cannot clarify this do not install the software.


NetRatings Premeter


Netshagg

This adware is primarily installed in the system32 folder of the infected machine. The most prominent sign of this infection is the creation of the file nssys32.exe, which uses the autostarter value "nsdriver". Other files related to this program's infection are randomly generated files placed in the system32 folder. These files also are linked to autostarts that are randomly generated from nssys32.exe. Installation occurs through an ActiveX control.


NetSky

Also known as: Netsky.D

Netsky is a mass-mailing email worm that removes registry edits made by certain other worms, including MyDoom.A, MyDoom.B, Mimail.T, and Netsky.A. According to Adrian Gostin, BitDefender virus researcher, Netsky.D "is also programmed to play random sounds into the PC speaker of infected machines on the 2nd of March, between six and nine o'clock in the morning local time." Unlike Netsky.C, Netsky.D no longer enumerates via mapped network drives. Netsky.D harvests email addresses from .adb, .asp, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .oft, .php, .pl, .rtf, .sht, .shtm, .msg, .tbb, .txt, .uin, .vbs, and .wab files found on drives C through Z, with the exception of CD-ROM drives. Netsky.D uses an SMTP mailing routine similar to that of Sobig.F and MyDoom.A, using its own SMTP engine and querying the DNS server for the MX record, then connecting directly to the MTA of the targeted domain to send itself to recipients at that domain.


NetSniff

Also known as: PWS-Lineage!1919df (McAfee)

NetSniff is a spyware trojan which uses legitimate library files of Winpcap to monitor network traffic on an infected computer. It can perform network scanning operations and blocks access to certain sites by altering the Windows Hosts file. Variants of this trojan hide their files from the Windows API.


NetSonic

Internet web accelerator. Loads favorite web pages faster because it stores them in its own special cache. Displays advertisements.

http://www.netsonic.com


Netspry

This will hijack your browser settings and your start page.


NetSpy

Also known as: net spy NetSpy.200

An old and fairly rare trojan. At one time it was being sold. Currently its status is unclear.

http://www.siriusoft.net/


Netster

Also known as: Netster Smart Browse Toolbar (Symantec)

From http://www.symantec.com/security_response/writeup.jsp?docid=2004-112213-4204-99 : "The Netster Smart Browse toolbar: * Is an Internet Explorer toolbar with spyware-related functions. * Has replaced the Internet Explorer search destination to netster.com. * Tracks usage of search queries, clicked links on the toolbar, as well as search terms and other information in the netster.com server logs, which netster.com uses to better tailor future advertising content. * The user names and email addresses can be taken from several opt-in parts of the toolbar and given to third parties for advertising purposes."


NetTaxi

This trojan has the ability to communicate through port 142.


NetVenda

Netvenda dialer is distributed while promoting free Flash games from the download url . It hides from the user and stays resident in the background.


NetVision

Also known as: TrafficAdvance, Dialer.Trafficadvance, Dial/DialCar-Z (Sophos) Netvision-FastTrack

This is a dialer program that is used to access pornographic Web sites.


Netwebsearch

From the Website: The NETWEBSEARCH TOOLBAR, in the course of processing a given search query, sends a request to our servers. This request includes the keyword query, time of day, browser type, default language setting, IP address. The NETWEBSEARCH TOOLBAR also sends a configuration request when you start your browser. This request is approximately 5k in size and includes only anonymous data such as IP address, browser type, and information about the specific release date and distribution source of your NETWEBSEARCH TOOLBAR.

http://digital-delivery.us/netwebsearch_toolbar_eula.html


NetworkEssentials

Also known as: Hopper SmartPops MediaPops MediaLoads Enhanced

Network Essentials is an IE Browser Helper Object which monitors URLs being viewed in the web browser, and a process which updates the list of targeted sites and downloads and displays pop-up adverts when directed to do so by the BHO.

http://www.networkessentials.com/


NetworkSynergy.Visua Explorer

Also known as: Visua Explorer toolbar, CommanderNET (McAfee)

Visua Explorer is an adware component that installs as an Internet Explorer toolbar. Stealthily installed at a game site when you play games online.


NetZany


NeuroticKat

Also known as: NeuroticKat.130, NeuroticKat.120


NeuroticKitten

Also known as: NeuroticKitten.010

This is a RAT trojan that has the ability to communicate through port 800.


New Dial

Also known as: newdial

Program used to download pornographic material to your computer.

http://www.skymasters.biz


New.Net

Also known as: NewDotNet New Net NewNet

New.Net is a company that sells domain names for "nonstandard" top-level domains including .free, .xxx and .shop. While several such nonstandard TLDs are currently implemented by a number of organizations and under consideration by ICANN, this particular implementation smacks of an attempt to overthrow more legitimate pioneers of alternate domain-names (e.g. OpenNIC, AlterNIC). This software consists of a browser "plug-in" DLL (e.g. newdotnetx_xx.dll, where xxx indicates a version number), which is placed in the user's Windows folder. The file is normally placed in C:\Windows\ (C:\WinNT\ for NT users) and run silently at start-up (via Rundll32) by a Run key placed in the Windows registry. Until recently, New.Net offered a 0.05 USD commission for each system the plugin was successfully installed on. According to New.Net staff, this program has been discontinued. However, other file-sharing clients and other free downloads continue to bundle it with downloads.

http://www.newdotnet.com


NewtonKnows

Displays ads, and a silly dog on your browser. Directs searches to paid advertisers. Assigns a unique ID to the computer that is sent out when you visit (some) sites. This unique ID is also associated with the email address and zip code entered during install. Has feature for "automatic update".

http://www.newtonknows.com/


NewWeb

This is a Chinese-based adware program that installs a BHO. Once installed, it will phone home to a text file that has a series of redirects to their affiliates. It downloads files to your computer through an FTP connection.


NextDoor

NextDoor is a worm that is installed by clicking an infected .zip file in an MSN chat client. Once this .zip is on the PC, it has the ability to connect to an IRC channel in order to download the Carlson Dialer and make long distance calls.


Nickser.a

Also known as: Backdoor.Nickser.a BackDoor-AWX Backdoor.Trojan BackDoor.Nickser Troj/Bdoor-AWX Backdoor:Win32/Nickser BKDR_NICKSER.A Win32:Trojan-gen. Backdoor.Nickser.A

Nickser is a backdoor trojan program. The trojan itself is a Windows PE EXE file about 136KB in length. It is written in Microsoft Visual C++. When run, the backdoor copies itself under the name lsass.exe to the Windows directory and registers itself in the system registry auto-run key:


Noboot

Also known as: Trojan.Noboot

When launched, the Trojan writes a component, which when launched will cause the computer to freeze, to the file C:\No-Boot.com. It also writes the string No-Boot to the end of the file c:\autoexec.bat. Once the computer is rebooted, it will freeze.


Nocheat

Also known as: Trojan.Java.Nocheat

Nocheat.class - size is 6518 bytes. This is the main component of the Trojan program and can execute several commands on a local computer. The commands are: - The "HP" command - Changes the start page of Internet Explorer


NoClose

Also known as: JS/Noclose.gen Trojan Horse VBS:Malware Trojan.JS.NoClose.a

These are simple Trojans that are written in JS language. They exist in HTM-files. These Trojan scripts open many windows in Internet Explorer that can't be closed by the user.


NoCreditCard Sex Dialer

Also known as: No Credit Card Sex Dialer

This is a porn related dialer.

http://nocreditcard.com


Noknok

Also known as: Noknok.800 Noknok.820

This is a Remote Administration Tool originating from virtualplastic.net.


Noptify

Also known as: Noptify.exe Verizon

Program is installed on hard drive from a CD that is given to customers who have purchased new Verizon telephones. No warning is given to customers that Adware is being installed. The program then runs at startup and attempts to dial out and report browser movements. The Zone Alarm firewall did detect this program's attempts to send outgoing packets, and users with firewalls therefore can block the outgoing packets. However, the program continues its attempts to dial out while it runs in the background, thereby multiplying running tasks in the background. Memory resources are seriously taxed and shutdown problems are caused.


NovoPops

Also known as: CDM.Novo

Content Delivery Module. Displays advertisements as pop-ups and pop-unders. Logs keyword searches and websites visited. When Internet Explorer is launched, a configuration file can be downloaded and the contents of the log file are uploaded to www.targetnetworks.net


NowBox

Also known as: vflash

NowBox is a system tray task that runs constantly with Windows. It downloads advertising to be shown if you click on its icon.

http://www.nowbox.com/


Noxcape

Also known as: Noxcape.100 Noxcape.200

This is a trojan that communicates through port 5555.


NPBH


NS-pops

Also known as: Numb-Soft Troj/Istbar-DU (Sophos) Downloader-AFX (McAfee)

Displays pop-up advertisements based on keyword searches. Allows for easier access to information online as well as access to many offers through an assortment of different types of ads (e.g. pop-ups, pop-unders, banners) and other various new technologies.


NSIS Media Extension

"NSIS Media Extension" added to the system without user's knowledge. NSIS changes FireFox files in order to serve advertisements.


NTRC

Also known as: NTRC.120

This is a RAT trojan that communicates through port 6767 on the infected PC.


NTRootKit-FU

Also known as: FURootkit(McAfee) Troj/NtRootK-F(SOPHOS)

Set of tools used to maintain access to a compromised computer and hide the fact that the computer has been compromised.


NTRootKit-H

Set of tools used to maintain access to a compromised computer and hide the fact that the computer has been compromised.


NTRootkit-U

Set of tools used to maintain access to a compromised computer and hide the fact that the computer has been compromised.


Nugache

Also known as: W32/Nugache@MM (McAfee), win32.trojan.scr, W32.Nugache.A@mm (Symantec)

It opens a backdoor on TCP port 8. It tries to connect to a predetermined IRC server, open a back door, and wait for commands from an attacker. The back door allows the attacker to perform activities such as: * Perform a denial of service attack * Access an FTP server * Run as Web server * Log keystrokes and save them. Propagates via IM and e-mail, e.g. Instant Messenger, AOL mail. Also propagates through Windows Messenger, network shares and instant messages.


Nugry

Also known as: Backdoor.Nugry


Nunci

Also known as: Dialer.Nunci (Symantec) Dial/ExDial-B (Sophos)

Changes Internet Explorer start pages, search page, error page, and tries to connect using a modem. Creates many unwanted shortcuts on Desktop. Modifies Windows hosts file.


Nuwar@MM

Also known as: W32/Nuwar@MM (McAfee) Email-Worm.Win32.Glowa (Kaspersky) I-Worm/Nuwar (Grisoft) W32/Nuwar.worm (Panda) W32/Nuwar@mm (Fortinet) WORM_NUWAR (Trend)

Nuwar@MM uses its own SMTP engine to send spam mail and a copy of itself to email addresses obtained from the infected computer. Attachment filenames: Flash Postcard.exe, Greeting Postcard.exe, Greeting Card.exe, Postcard.exe. Some of the Subject headers: The Time for Love When You Fall in Love Your Love Has Opened My Love Our Love is Free Eternity of Your Love I Love You Soo Much Wrapped in Your Arms Our Love Nest Hugging My Pillow The Dance of Love Falling In Love with You Why I Love You A Kiss So Gentle Miracle of Love A Token of My Love Our Love Will Last Inside My Heart The Miracle of Love Our Love is Strong Love Remains I am Complete I Dream of you Dream Girl


Odysseusmarketing

Also known as: odysseus marketing

http://www.odysseusmarketing.com


Oemji

This is an adware toolbar that is downloaded via an ActiveX class ID from their website. Once installed, it will create a browser plugin in your Internet Explorer.


Offer Companion


OfferAgent 1.0.0.28

Also known as: Adware.OfferAgent (Symantec), switp

From the Author: Atlas Internet Associates delivers advertising and various information and promotional messages to your computer screen while you view Internet web pages.

http://www.atlas-ia.com/


Offiz

Also known as: JS/Spawn Trojan Horse Trojan.Seeker.78 JS/Offiz* JS_OFFIZ.A JS/Spawn JS/Spawn.B VBS:Malware JS/NoClose JS.Trojan.Spawn.A Trojan.JS.Offiz

These trojan scripts open many Internet Explorer windows that once open can't be closed.


OkOk

Also known as: Generic.dx (McAfee) TROJ_DROPPER.AHR (Trend Micro)

OkOk is a Chinese worm designed to infiltrate network infrastructure and spread malicious content to other users in the same network. After mapping the internal network infrastructure through ARP broadcasts, it sends the desired information back to the attacker.


Olin.RDE


Omega Search

Also known as: Omegasearch


Omi-Update

Also known as: OmiUpdate Omi Update


Onban


One More Search

Also known as: Onemoresearch

Directs users to a search portal for Viagra and other related items. Inside the file another URL was discovered: www.v61.com. At the time of this writing the site was empty as far as an end user is concerned.

http://www.onemoresearch.com


One2Bill

http://www.one2bill.com/


OneStepSearch

From OneStep website: OneStep Search helps you navigate the web more easily since you can search directly from the address bar. That means that even if you type a URL that does not exist, instead of your browser returning an error message, you'll get a page of relevant search results. OneStepSearch can be directly downloaded or bundled with other software.

http://www.onestepsearch.net


OneToolbar

Also known as: Adw.OneToolbar One Toolbar

This is a browser plugin. It redirects www.google.com and www.yahoo.com to www.swoople.com. It also changes Internet Explorer error pages. From the license agreement on the site (http://www.onetoolbar.com/terms.html): You also grant onetoolbar.com permission to collect and store information of your Internet usage habit, including but not limited to information about every web page you view with the full Uniform Resource Locators, and the content of web page.

http://www.onetoolbar.com


OnFlow

The Onflow player calls back to Onflow's servers when an advert is played, with a player ID. This allows tracking in a similar way to 'third party cookies'. Currently, it comes secretly with an entire range of products and is secretly installed. Onflow claims that the software will no longer be bundled with other applications, and that the next version will be able to warn users before installing updates.


Online-Dialer

Also known as: OnlineDialer halex

Dialers that are force-installed by porn sites. Makers seem to be very shady: "Haldex LTD", from Gibraltar

http://www.online-dialer.com/


OnlineG.JP

Also known as: TROJ_ULPM.BD (Trend Micro) OnlineGames.lgp

This is a Japanese-based trojan that installs a payload that shows advertisements related to 1860.hahax.com.


OnlineH.FOK

Also known as: TSPY_ONLINEG.FOK (Trend Micro)

Teech hooks directly to C:\Program Files\Internet Explorer\iexplore.exe in order to download other infection files related to numerous other Chinese trojans. It also disables a select few antivirus applications in order to avoid detection.


OnlineRegistryScan.org

Also known as: Repair Registry 2008

onlineregistryscan.org displays a fake scan upon loading the front page, then falsifies a report to coax the user into purchasing a product. User will be sent to secure.repair-registry.net, where the order form resides, unless the site is exited.

http://www.onlineregistryscan.org


OnWebMedia

Also known as: on srvr onweb media

Displays advertisements. Their website is no longer active. It is unknown if legacy versions of this software are still in circulation.


Openforum

Also known as: Wildmedia

This is an adware search software. Their software is often distributed via a trojan downloader.


OpinionBar

Also known as: Opinion Bar

This is a Browser Helper Object. Author description: OpinionBar.com is not a "get paid to surf" program in the exact meaning of the words. Instead OpinionBar pays when you give your opinion. When you surf to a website that OpinionBar is interested in your opinion about you get the opportunity to answer questions in the view-bar. Your opinions are then pooled with everyone else who has answered the survey and the results are presented to the company doing the survey. Signing up for OpinionBar is different from other companies, you download the view-bar first and then the first time you open it you get to create your account. Their view-bar is good even though it has some instabilities, which is to be expected since it is a beta test.

http://www.opinionbar.com


Optix

Also known as: Backdoor.Delf.em

Trojan with Anti-Firewall, Anti-Anti-virus capabilities.


OptixLite

Also known as: OptixLite.020 OptixLite.030 OptixLite.040

This is a RAT Trojan that can communicate through port 5151 on the infected PC.


OptixPro


OptServe

Also known as: OptMedia

It is a Japanese adware program which comes bundled with many Japanese freeware products.

http://www.optmedia.jp


Orgasm dialer

Also known as: Orgasm

This dialer charges you $3.99 a minute. By accepting their terms, you will start being charged for every minute after accepting.


Orkon

Also known as: TROJ_DLOADER.QM (ThreatExpert) TROJ_BANLOAD.ECJ (Trend Micro)

OrkutTron is a password-stealing trojan centered around the social networking group, Orkut. Immediately after installing the application, the user is asked to log in to their Orkut account. This sensitive information is stored in a file called C:\Windows\System32\MEGATRON.ini.


orkut_Cartao0057

The download URL for this worm was found in Orkut.com. It comes in the form of a screensaver file. Once it infects the PC, it runs as a process in the task manager and does not allow the user to shut down the PC. This worm also sends system information through e-mail.


Osiris

Also known as: BD Osiris 2.0 (Symantec)

Opens TCP ports 56565, 34343, and 45454 on the infected machine and allows unauthorized users to remotely control the computer.


OTXMedia

Also known as: OTX Media

This is an adware program that uses some components that are also related to OnWebMedia.


Outlook wabber

Also known as: Outlookwabber, Uploader-AB (McAfee), Trojan-Spy.Win32.Sters.h (Kaspersky)

This Trojan searches for the address book of different clients like Microsoft Outlook, Eudora, and The Bat to steal the information.


OutWar

http://www.outwar.com


OverPro

Their own comment on a forum: "To clarify a couple things. We are similar to netpalnow."

http://www.overpro.com/


PacerD

Also known as: TROJ_DLOADER.OS (Trend Micro) Pacisoft

Connects to pacimedia.com and downloads lots of unwanted software that can download more software and show advertisements. The amount of software downloaded and installed makes surfing almost impossible.

http://www.pacimedia.com


Padodor.w

Also known as: Backdoor.Padodor.w BackDoor-AXJ.gen Troj/Padodor-J BKDR_BERBEW.F Worm/Padodor.W.2 W32/Berbew.F Win32:Trojan-gen. BackDoor.Padodor.AE Backdoor.Padobot.W

Padodor/Qukart was created by a Russian hacker group called HangUp Team. The original Padodor backdoor source code was used to create this variant, but the backdoor functionality was removed. Padodor/Qukart steals personal information including credit card numbers, logins and passwords that a user types and other sensitive data.


PageRevisor 0.9.8.4

Also known as: 8848, PageRevisor Module of MySearch

May be a CnsMin variant. Installs as a Browser Helper Object and changes browser settings such as the default start page.


PaintBrush

PaintBrush poses as a fake Neopets download in order to trick younger PC users into installing this keylogger/rootkit.


Painter

Also known as: Trojan.RealSearch (Symantec)

Painter is a dropper trojan that comprises multiple components, each with its own functionality. The functionality includes the following. Installs a Browser Helper Object, which drops another executable when Internet Explorer is started. Sends its live status to its server. Modifies search results from search engines. This is done by looking for some intelligent text in the search results and creating links for it. Clicking on those links will result in showing advertisements (shown in the screenshots below). Uses multiple exploits to drop more malware. Shows fake security-warning messages in the form of popup windows and balloon texts (shown in the screenshots below). Clicking on these messages leads to advertisements to download rogue antispyware products. Note: The texts in the screenshots may vary every time.


Pandex

Also known as: Trojan.Pandex (Symantec)

Once this trojan is installed onto the compromised PC, it will collect e-mail addresses in order to spam the victim from a remote server. It may cause unexplained program crashes.


Pango

Also known as: Gooogle.BZ

This is an adware program that hijacks your browser to gooogle.biz. It redirects all your traffic through gooogle.biz and downloads an executable called superinstaller.exe to show you advertisements and install other adware bundles.


Pangu

Also known as: Pangu888 Trojan.Pangu.Gen.1 (PCTools) Backdoor.Win32.Agent.sp (Kaspersky Lab) Backdoor.Trojan (Symantec) BKDR_SMALL.APO (Trend Micro)

This trojan allows the attacker to remotely connect to the victim by creating a service called WsndowsRemote.


ParisVoyeur

Also known as: PornDial-133 Carpediem

This is a garden variety porn dialer with all the usual traits listed above.

http://www.parisvoyeur.com/


PassHax

PassHax is a password recovery utility designed to grab sensitive MSN login credentials.


Payload:Messenger


PCI.Load

PCI.Load has the ability to remain invisible to certain firewall applications, such as McAfee Personal Firewall Plus. This virus also installs other malicious applications intent on stealing sensitive information.


PcPrivacyTool

This is a rogue antispyware. Remove if found on your computer.

http://pcprivacytool.com


PECarlin

Also known as: FCHelp

This adware program is installed in many trojan bundles. Obvious symptoms include a PECarlin directory in your Program Files.


Peer

Opens port 8961 and edits your win.ini file to include the hook: [windows] "run" = C:\windows\sysctl.exe


Peper

This is a Trojan Downloader that will download more files once on the user's system.


PerfectCleaner

Also known as: Perfect Cleaner

Perfect Cleaner gets installed through false Windows alert messages and false Internet Explorer warnings shown by a trojan downloader. This trojan downloader also drops many files masquerading as malware files so that Perfect Cleaner can detect them to convince the user that the computer is infected.


PerfectNav

Installs as a browser helper object and hijacks the error page. PerfectNav displays advertisements on your computer.

http://www.euniverse.com/


Permedia Ads

Also known as: Permissioned Media friendgreetings.com cool-downloads.com WinSrv Reg OTMS.EXE winservc.exe

Another company that hawks those infamous "online greeting cards". The catch? To view the greeting card, the site attempts to install a 1+ megabyte application that will (unless you carefully read the license agreements and click "NO!") spam everybody in your Outlook address book with phony greeting cards and ads for their service, then place advertising spyware on your computer. The spyware will collect your name, email address and surfing habits, popping up ads and delivering HTML spam to your email address. This one particularly made me angry. Their greeting card worm uses a site called: http://www.friendgreetings.com/ When you visit it, it looks like a low end flower shopping site, by "Floral Inspirations by nancy - Phoenix, Arizona". Looking closer, you see that the content is absolutely fake, none of the links work. Doing a whois on the site reveals that the creator is: "Alfaro, Ricardo admin@permissionedmedia.com Permissioned Media Inc. Apartado 5956 Panama City, El Dorado Zona 6 PA 571-628-5535 "

http://www.permissionedmedia.com/


Pero.CN

Pero.CN is an exploit run in JavaScript. Once the victim goes to a site with the extension com.php, exploit JavaScript code is executed that redirects and downloads an infected executable file onto the victim's machine.


Personal Antispy


PersonalMoneyTree

Also known as: Personal Money Tree, RebateRetriever, Rebate Retriever

From EULA: By adding an overlay to text of Web sites you visit. Upon the opening of any World Wide Web Page, the Software scans the Web Page, marks on top of those pages words and/or phrases with blue underlines and/or highlights, for which there are associated Web sites, and creates active links to such sites. This highlighting and underlining are not part of the Web page you are on, but are overlays provided by the Service. When you click on the marked word or phrase, you will be directed to a third party Web site. Links to the associated third party Web sites are provided by the Service, and are not provided by the Web site you are visiting.


Pest 4

PEST v4.0 RAT is an update on the earlier versions of PEST. It now has a remote batch file writer and various remote MSN messenger controls. The new client is also skinnable, and comes with several preset skins, as well as the ability to create your own skins.


Pest 1.0

Also known as: Backdoor.Antilam.g1 Backdoor.Pestdoor.10 Trojan.Spy.PestLogger, TrojanDropper.Win32.Juntador.c, TrojanDropper.Win32.Juntador.e

From the Website: Trojan with MSN password stealer. PEST v1.0 was written in Delphi 6.0 and has all the usual features that you will find in most client/server programs. It has open/close cd-rom, File manager (with working upload function, yay!), Edit server function with ICQ IP informer, window manager, task manager, etc. etc. The feature that I think distinguishes PEST v1.0 from any other Client/Server program is the new MSN messenger informer utility. When the victim runs the binded 'server with MSN informer.exe' supplied with PEST v1.0 (there are 2 versions of the server supplied, the version with MSN informer cannot be edited, and always runs on the PEST default port 11831), the MSN informer utility is installed onto their computer. The utility starts up with windows on the victim's computer, so you can always get their IP address again if they go offline.' 3.2: From the doc: 'a remote client & server. It connects to a computer with a server. You are able to edit the server but not many server editing options. The server runs when windows starts up and is undetected by virus scanners. PEST is one of the best Server & Client programs. You can download files, upload files and view their files. You have full control over the victim's PC! You can control the mouse, you can screw around with the victim's windows Os. You can open/close CD-ROM, you can get their saved passwords, you can get their computer info, you can change windows colors, you can send a messagebox, you can chat with your victim, you have full control over shutdown, you can even view his screen, and you can do much much much more!' 4.0: From the code: 'The PEST Batch File Editor allows you to create your own very, very simple DOS based program, and run it on the remote computer. Just enter your commands into the batch file editor and click send, and your program will instantly be run on the remote computer


Pest Trap

This is a Rogue Anti-spyware application that is installed through the ITS Protocol Exploit in IE that was discovered early 2005. There are also confirmed reports of this program installing itself using the CHM Exploit. Users should avoid "Main.chm". Customers should watch for an alert in their system tray for an apparent spyware infection. This alert message comes from the infection itself.


PestBot

This is a rogue anti-spyware. They are listed on the rogue anti-spyware list provided by spywarewarriors.com http://www.spywarewarrior.com/rogue_anti-spyware.htm

http://pestbot.com/


PestCapture

Also known as: Pest Capture

This is a Rogue Anti-Spyware. This is listed on the Rogue Anti-Spyware list at http://spywarewarrior.com/rogue_anti-spyware.htm

http://www.pestcapture.com/


Phage Ports

Also known as: PhagePorts W32/PhageP

Appears to use (some) code recycled from a publicly available trojan program. Installs itself in the LSP stack of Windows, where it can monitor traffic not just in IE, but in any browser. Depending on configuration, it will send the traffic details to a controlling server. Pop-ups always happen in IE. Many versions also install other adware products (although payload appears to differ randomly/geographically). We have had reports of this being installed via the WMF exploit.


Phase

Also known as: BackDoor-DW PhaseServer.Trojan BackDoor.Phase Troj/Bdoor-DW Backdoor:Win32/Phase.1_0 TR/Phase.Cli Win32:Trojan-gen. Backdoor.Phase.A Backdoor.Phase.10

This is a hidden (hacker's) remote administration utility similar to the known Backdoor.BO (aka Back Orifice Trojan) trojan. Also known as Phase Server. It allows an attacker to administer infected computers from a remote console, to steal files, to damage installed software, upload/download/execute files, change/list/create/remove directory, copy/move/rename/delete file, lockup server, crash server, create/delete/read/modify registry key.


PhazeBar

This is a browser plugin which provides links to porn sites. It changes Internet Explorer error pages and redirects them to www.crawl.ws/search.php?q= and then to www.freewarelot.com/search.php?q=.

http://www.gotphaze.com


Phoenician Casino

This is gambling software that displays advertisements.


Phoenix 2.1.28

Also known as: Phoenix.200 Phoenix.190

Phoenix trojan gives the attacker unauthorized access to the infected computer.


Pib Toolbar

Pib Toolbar is a toolbar that will display advertisements.


Pic Hunter

Pic Hunter is a malicious application that allows the attacker to scan and steal all image files from the victim's machine. The stolen images are sent over an FTP connection.


Pickoftheweb

Also known as: Pick of the Web


PicSwitch

PicSwitch is a custom built trojan whose sole purpose is to manipulate the pictures based on their file extension. The attack comes from a single infected picture that can execute shell code to change their extension, replace them with another picture, or simply delete them.


PigSearch

Also known as: Adware-PigSearch (Mcafee) Adware.PigSearch (Symantec) Adware.Win32.WSearch.c (Kaspersky) Adware/Wsearch (Panda) W32/WSearch.H (Norman) Wsearch Pig Move Search PigMoveSearch

When text is highlighted in Internet Explorer, PigSearch will display related search links and will pop up advertisements.


PKZ300b

Also known as: Trojan.PKZ300b PKZ300 PKZ300 Trojan Trojan:PKZ300b TROJ_PKZ300B TR.PKZ-300 Trojan.Pkz300B.A

This Trojan has been distributed under the following names: PKZ300B.EXE, PKZ300B.ZIP, PKZIP300.EXE, PKZIP300.ZIP. The triggered event is to format the hard drive.


Platrium

Platrium is a collection of games that is supported by advertising.

platrium.com


PLook

Also known as: Adware.PLook (Symantec), www.affiliatetarget.com adware, 3Find.com, Trojan-Clicker.Win32.Small.hn

From Author: 3Find.com is a free searching service with an ad supported search assist application called plook.exe. From EULA: 3Find.com uses the information it gathers to tailor our content to suit our members' needs and to help our advertisers better understand our members' demographics. We will provide that information in aggregate form to our advertisers. 3Find.com's ads contain links to other sites.


PluginAccess

PluginAccess is a premium-rate dialer that may be installed through pop-up ads, onexit code, browser exploits and more. It can also cause browser instability.


Poly-DL 1.0

Also known as: TrojanDownloader.Win32.Pendix Contructor.Win32.Pendix

Basically, Poly-DL is a semi polymorphic web downloader that is very small. It's based on several different stubs, each having a different amount of empty space throughout them. When the server is made, that space is filled in with random characters then packed, thus producing a different server every time and a pseudo polymorphic effect. There is the option to mess up the packed header and add junk bytes at the end of the file too. To create a greater polymorphic effect, select the 15kb option, 10kb for a lesser effect, etc. 0 Bytes produces the smallest server (1kb!) but has the least amount of randomness.'


Popper-Jhertz

Also known as: Trojan.Popper (Symantec) Windows Overlay Components

Downloads software without the user's knowledge. Installs itself as a Windows service and creates startup entries so it will run each time the computer is rebooted. Has the ability to monitor the startup entries and replace them if they are removed. Communicates with a host to receive update commands and display advertisements. An uninstaller is included with this trojan. It can be executed from Add or Remove Programs. The uninstaller does not remove all files that have been downloaded and installed.


Popup Network


PopUpDefence

This is a Browser Hijacker.

http://www.popupdefence.com


Popuppers

Also known as: loads

Displays web advertisements.

http://www.popuppers.com


PopUpWithCast

Displays popup advertisements. Checks back to a server to receive information to know what advertisements are to be displayed.


Popwin

Popwin is a trojan that downloads and executes other malicious files. It also shows advertisements.


Porn385

Also known as: Porn 385

A porn dialer that acts as a hijacker. This flavor did not have the "dialing" attributes.

http://www.porn385.com


Porndialer.a

This is another generic Porn Dialer.


PornMagPass

This is an application that is distributed as a free pass to porn. It is bundled with rogue antispyware applications and mature toolbars in order to download it freely.


PornoPlayer

This is a multimedia program that centers around pornographic material. It is installed by other trojan downloaders related to New.Net.


Portal of Doom

Also known as: BackDoor-K Backdoor.PoD

Allows the attacker complete remote control over the victim's PC. Another symptom of this trojan is it sends a message every two seconds reading: "Keep Aliveeeeeeee". Functions: Standard windows beep; Open the CD Drive; Shows host name, program location, and number of connections; Full access to systems drive; Activates a red box on the hosts computer that will bounce across their screen over and over; Opens a file, or common program; Starts screen saver; Gives options of shutdowns; Caps lock key sticks on; Unimplemented; Send windows error messages; Hides the taskbar; Send a message to anyone else connected to the host; Steal the host's Dial-up L/P's; Sends text to host; Moves mouse to x/y coordinates; Swap mouse buttons; Full featured scripting; Real time keystroke logger; Make scripts; Set/Change Password; Remove server


PortalOfDoom

Also known as: PortalOfDoom.100

This is a trojan that communicates through port 3700 on the infected PC.


PowerReg Scheduler

PowerReg Scheduler is a registration scheduler. Periodically attempts to connect to the Internet. Gathers unknown information.


PowerScan

Also known as: Power Scan

http://www.isearchtech.com/


PowerStrip

Also known as: power strip psocx

PowerStrip is an IE toolbar with a search field and link buttons. When you use a targeted merchant site, PowerStrip silently sets the affiliate ID, so as to steal commission fees from your web shopping. Note: this is unconnected to the video output tweaking utility also called PowerStrip. PowerStrip/PSSetup and PowerStrip/PSOCX are two different versions of the ActiveX installer control used to install the toolbar and commission hijacker. Installed by ActiveX drive-by downloads in pop-up advertisements. Can download and install arbitrary unsigned code, as an update mechanism. Connects to its controlling server at verschk.com to ask for software and target list updates. Interesting: http://www.tenebril.com/kb/showitem.php?faq_id=242 says: "Slingshot uses to intercept downloads from Internet Explorer is derived from the same demo code as these spyware titles were derived from. Any program that interfaces with Internet Explorer has a special signature (a CLSID) that it uses to identify itself to IE. Since the spyware titles and Slingshot share a CLSID, some anti-spyware software will think that Slingshot is spyware." Guys.... please! CLSIDs are supposed to be UNIQUE identifiers. That means that you should not copy & paste them from Microsoft demo code (as the adware writing retards do) but instead generate your own. Not only is this a Microsoft requirement, but it will also save you (and your users) a lot of headaches.

http://www.thepowerstrip.com/


Powwabar

This is a Browser Helper Object that changes Internet Explorer error pages. It also sends error page URLs and search keywords to vmn.net.

http://www.powwa.com


PPHack

PPHack is a password-stealing application written in Turkey. It poses as an application centered around stealing PayPal credentials. Once you enter your username and password, it sends the information back to the creator.


Prayer 1.2

Prayer, when run, provides an attacker with the capability of remotely controlling a user's computer over the Internet. The victim's computer usually listens on the Internet for the attacker's commands.


Precision Time

Also known as: PrecisionTime

This software is distributed by the GAIN corporation. It will display ads on your computer.

http://www.precision-time.com/


PrecisionPop

Also known as: Precision Pop


PremiumConnectLoad


PreviewAdService

Also known as: WindUpdates.PreviewAdService, Preview AdService, PrevAdService, Troj/Agent-CK (SOPHOS)

From the Author: Preview AdService is free ad delivery software which provides targeted advertising offers.


Privacy Commander

This is a rogue anti-spyware program. It should be removed if found on your PC.

privacy-commander.com


Privacy Defender

Also known as: PrivacyDefender

Privacy Defender is a rogue anti-spyware application presented as a tool to remove spyware from users' computers. It always shows the same set of Registry keys and cookies as spyware detections, prompting the user to buy a license for Privacy Defender.


PrizeSurfer

http://prizesurfer.com/


Probol

Also known as: Trojan.HTML.Probol

When a page containing this Trojan is opened, the browser will start to open additional windows.


Proclaim Dialers

A collection of dialers, and a control that allows any site to install new dialers (or any other software). Claims to be from "Proclaim Telecom", but web searches on this company turn up little or no information.


ProfitZone


Progetto

Also known as: Progetto1.int_ver32 Progetto1.int_ver34

This dialer is installed via an ActiveX class ID. Once installed, it will dial toll numbers through a dial-up connection.


PromulGate


ProRat

Also known as: Backdoor.Prorat.18 ProRat.exe

This Trojan captures keystrokes and sends them to the attacker.


ProSiteFinder

Under investigation


Protected Storage Passview

Protected Storage PassView is a small utility that reveals the passwords stored on your computer by Internet Explorer, Outlook Express and MSN Explorer. The passwords are revealed by reading the information from the Protected Storage.

http://www.nirsoft.net/


ProvenTactics 3.5

Also known as: Proven Tactics

Internet Explorer toolbar that can redirect searches.

http://software.proventactics.com


Proxy-Agent.xI

Allows host to be used as an email relay, which is most likely to be used for sending spam messages.


Proxy-TSOH

Also known as: Proxy-TSOH.dll (McAfee) Trojan.Win32.WebSearch.i (Kaspersky) Win32/Daoser.D!Trojan (Computer Associates)

Displays pop-up messages and modifies the default Internet Explorer settings. Creates a randomly named directory under %windir%\system32\Services\ and stores all the files there.


Proxy.Win32.Agent.ei

It is a backdoor trojan that opens a random port and listens for instructions from a remote server. May run a proxy server.


Prutect

Also known as: Win32.Prutec.I (CA) E2G

Downloads other unwanted software and attempts to shut down or disable security applications: Adaware, ZoneAlarm, Norton Internet Security, Yahoo Pest Patrol, Spybot Search & Destroy, Giant, Windows Antispyware. Will check for and replace its missing files every 24 hours.

http://www.prutect.com/


PRW

PRW Hijacker is a browser hijacker implemented as a browser helper object. Further details are unknown at this time.


PSGuard

Like most other rogue antispyware programs, PSGuard is often distributed through an exploit or trojan. Once installed it will provide the infected computer with false reporting of various spyware programs.


PSHope

PSHope connects to some domains which start to display advertisements on the user's machine.


PSW.Gamania

Also known as: Infostealer.Gamania (Symantec) Trojan-PSW.Win32.Gamania (Sun-Belt)

This is a trojan that is designed to steal sensitive information through the game Gamania.


Ptakks

Also known as: Ptakks.215 Ptakks.217

From the Vendor: 'You must be connected to the server. It has the following features: - chat - captures remote desktop in jpg - Remote info - then server opens port 80 which means you can access the server with the browser Internet Explorer even if the client is not connected all you need is the IP address then type it like any URL'


Purityscan

Also known as: PuritySCAN PuritySCAN.exe sear1.exe PuritySweep PScloner OIN OuterInfo

Purityscan scans Internet Explorer files such as browser, cache, history, and cookies for adult-related material. After these files have been scanned for adult-related keywords, ads are served up to your computer.

http://www.purityscan.com


Push Toolbar

From the EULA (http://toolbar.push.com/legal/eula.php): Toolbar Services. The Toolbar enables you to enjoy content, functionality and services, as may be changed from time to time (collectively, the "Toolbar Services") brought to you by Licensor and third party suppliers who provide content and services in conjunction with or through the Toolbar (the "Third Party Toolbar Suppliers"). The Toolbar Services may be provided within the Toolbar, within your browser, or within separate browser windows displayed over or under your principal browser window or by other means.

http://toolbar.push.com


Puzzles Master

This is a free sudoku game that bundles with several adware products in order to offer it for free.


Pvsec

Pvsec is a downloader trojan. This trojan is often dropped by another malware.


PW.Steal.MMMR

PW.Steal.MMMR drops files to steal passwords from Mozilla Firefox, Messenger, MS. Mail, remote desktop and has capabilities to steal passwords from other applications.


PWD Trojan 2.0

A small trojan that lets you connect to a computer, then open or close the CD tray and send pop-up messages to the victim. Has built-in IP tools. (I am working on a server that will load on startup for XP and 9x.)


PWS-AHO

PWS-AHO is a spyware trojan that installs as a Browser Helper Object for IE. PWS-AHO silently monitors all the websites visited and the values entered into web pages, and sends them to a remote user.


PWS-Banco.A

Steals passwords when user enters their password on an internet banking site.


PWS-Banco.B

Also known as: Mal/DelpBanc-A(Sophos)

Attempts to steal users' banking information from banking websites.


PWS-Ga.Rob

Also known as: Trojan-PSW.Win32.QQRob.gq (Kaspersky) Troj/PWS-ACR (Sophos)

PWS-Ga.Rob injects itself into the Explorer process to try and steal passwords. This trojan targets QQ Instant Messenger and related services.


Pws-gen-Banco

This is a generic description for variants of banking password-stealing trojans. PWS-gen-Banco is a password-stealing trojan that collects username and password bank account information and attempts to send this information to a remote location. It is possible to send the information by SMTP, FTP, HTTP, open backdoor, and other methods.


PWS-Maran

Also known as: Trojan-PSW.Win32.Maran.dk (Kaspersky)

PWS-Maran installs a .dll as a Layered Service Provider (LSP) to WinSock for sniffing and stealing personal information.


PWS-Steal.Klaipeda

Has the capability to steal passwords and send them to a remote computer by email or HTTP.


PWS.BR.Banco

Steals login information from banking webpages.


PWS.Game.rnq

Also known as: Backdoor.Win32.Agent.rnq (Kaspersky Lab)

PWS.Game.rnq steals authentication information for online games and other applications.


PWS.NSAnti

Also known as: Trojan.NSAnti.B


PWS.OLGame

Also known as: Trojan-PSW.Win32.OnLineGames.ajy (Kaspersky) PSW.OnlineGames.ppu

PWS.OLGame captures online gaming passwords and login information.


PWS.XBpoint

PWS.XBpoint is a phishing tool designed to trick Xbox Live customers into posting their username and password in exchange for free Microsoft points. This information is immediately e-mailed to the attacker.


PWSLegMir

Also known as: TR/PSW.Lmir.art, TSPY_LEGMIR.AYN, PWS-LegMir!2eff06bc (McAfee)

PWSLegMir steals passwords for the game "Legend of Mir." Using its own email engine, PWSLegMir will send the passwords to a predefined email address.


PWSteal.Trojan

Also known as: Password Steal

This Trojan steals passwords from the affected system and sends the information through e-mails.


Q Nyx

Also known as: ZSMS

This is an adware program that creates a connection between the victim PC and various Chinese ad networks. It also installs several hidden files that tamper with security settings on the infected PC.


Qdialer

Also known as: W32/QDialer.FM ( Authentium )

A dialer that dials different locations without user consent.


Qidion

This will display advertisements on your computer.


QQMuma

QQMuma is a Chinese trojan that attacks a victim's Image File Execution Options. It redirects critical system processes to the key infection file. This file is stored in c:\Program Files\Common Files\Microsoft Shared\.


QQPass

Also known as: QQPASS-AC (Sophos) PWS-QQpass, PWS-QQPass!940a1640 (McAfee) Trojan-PSW.Win32.QQShou.bn (CounterSpy) Win32/PSW.QQPass.VD Pws-QQGame(Mcafee)

QQPass records keystrokes on the infected machine and sends the data to a remote computer.


QQRob

QQRob is a password-stealing trojan. It also has the ability to disable anti-virus products and security-related utilities. This trojan modifies registry entries so that it executes whenever any text file (*.txt) is opened. It also blocks access to certain sites by altering the hosts file in Windows.


QQstorm

This is a Korean-based adware program that targets children's websites. Once installed, it monitors user keyword searches.


Qsearch

Redirects searches when searching from Internet Explorer address bar.


QucktIme.dialer

Also known as: Quicktime.Adult content dialer

Dials premium sites without user knowledge.


QuickLinks

Also known as: Hyperlinker Linkmaker ADW_Hyperlinker.A(Trend Micro)

This adware program uses common filenames in an attempt to feign legitimacy. Symptoms include an overabundance of pop-ups and other malicious activity on the infected machine. Users that have this infection typically have a folder in their Program Files directory titled "Jalmp". Quicklinks is commonly seen bundled by other trojan droppers such as Troj.Activate_crack and Agobot.


Quickmetasearch

This adware product changes your start page to www.quickmetasearch.com once it is fully installed. It will create seemingly randomly generated autostarting values in an effort to avoid detection from several anti-malware scanners.


QuickSearch Search Bar

Also known as: Possible New Net variant.

Adware, also known as an Adbot, can do a number of things, from profiling your online surfing and spending habits to popping up annoying ad windows as you surf. In some cases Adware has been bundled with other software (e.g. peer-to-peer file swapping products) without the user's knowledge or slipped into the fine print of a EULA (End User License Agreement). Not all Adware is bad, but often users are annoyed by adware's intrusive behavior. Keep in mind that by removing Adware, sometimes the program it came bundled with for free may stop functioning. Some Adware, dubbed a "BackDoor Santa", may not perform any activity other than to profile a user's surfing activity for study. Adware can be obnoxious in that it performs "drive-by downloads". Drive-by downloads are accomplished by providing a misleading dialogue box or other methods of stealth installation. Many times users have no idea they have installed the application. Often Adware makers make their application difficult to uninstall. A "EULA" or End User License Agreement is the agreement you accept when you click "OK" or "Continue" when you are installing software. Many users never bother to read the EULA. It is imperative to actually read this agreement before you install any software. No matter how tedious the EULA, you should be able to find out the intent BEFORE you install the software. If you have questions about the EULA, e-mail the company and ask them for clarification. If they cannot clarify this, do not install the software.


Qukart-W

Also known as: WebEventLogger; Backdoor.Berbew (Symantec) Backdoor-AXJ dll.gen (McAfee)

Qukart-W is a trojan that is capable of reducing the Security settings level of Internet Explorer and opens up a backdoor.


Rabio

This is an adware program that displays advertisements based on user preferences and settings.

http://rabio.com/


Ramdud


RapidAntivirus

This is a rogue antispyware program.

http://rapidantivirus.com/


RapidBlaster

Also known as: Alyon (Pest Patrol)

RapidBlaster is a task run on Windows startup. When an internet connection is present it periodically connects to its servers to fetch advertising.

http://rapidblaster.com/


RASDial-E

Also known as: Trojan.Win32.Dialer.cj

RASDial-E is an adult content dialer that dials premium numbers and also changes the browser start page. This dialer shows a license agreement when it starts, which you have to accept to run it. Once it runs, it changes the start page of the browser and installs an ActiveX control.


Rat

Also known as: Rat.200

This is a trojan that has the ability to alter settings on the infected PC through port 2989.


Raven 2.17

Also known as: FobiaSoft Raven

FobiaSoft Raven server is the program where the actual keylogger is. The purpose of this program is to make it possible to record everything typed into the computer it is set to monitor. The Raven has the option of being visible or hidden from the user. It can be remotely controlled from anywhere in the world, as long as you have an internet connection. It also has the possibility to work quietly in the background and just save everything it records to a file for later retrieval.


Ravupter

This is a Chinese trojan that installs other trojan downloaders and adware. It also alters the Hosts file of the infected PC.


RaxSearch

It sends the search keywords to raxsearch.com.

http://www.raxsearch.com


Rays.A

Also known as: W32.Wullik@mm (Symantec) W32/Wukill.worm (McAfee) Wukill.B (nod 32)

This is a mass-mailing worm which, when installed, gives a false error message: "The File has been damaged". The worm makes copies of itself in random locations. The worm copies itself as a file that matches the name of the folder.


RBlast.dldr

Also known as: Troj/Istbar-BD(SOPHOS) Istbar

Downloads unwanted software to the user's computer without the user's knowledge. Downloads and runs other downloader trojans.


Rbot-JE

This worm attempts to steal passwords.


Rbot.gen

Also known as: IRC-Sdbot W32.Spybot.Worm Win32.HLLW.MyBot W32/Rbot-BY Backdoor:Win32/Rbot Worm/Sdbot.39936.B Win32:SdBot-194-B IRC/BackDoor.SdBot.28.F Backdoor.SDBot.Gen Backdoor.Rbot.gen

Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access to victim machines. The Trojans are controlled via IRC.


RCPrograms


RCSync


Realphx

Also known as: Talkstocks Sinkin

This resets your page to an adult site.


RedGirl

Redgirl installs 2 files to the C:\Windows\System32 dir called redgirl.bat and redgirl.exe. Once installed it will phone home to http://www.newying.com/root/RedGirl/IP/86759.html


RedHotNetworks


RedShell 1.0

RedShell is a trojan that is capable of spawning a shell on a remote computer, allowing a user the ability to connect up to the remote computer, [port 1337], and execute any commands they wish.


RedV

Also known as: RedV Protector Suite Redv.net

http://www.adprotector.com


RedZip

This is a Browser plugin. It displays advertisements. It also changes Internet Explorer search page to redzip.com.

http://www.redzip.com


RegFreeze

This is a rogue anti-spyware program. It comes bundled with malware and will be installed on a user's PC without consent.

http://www.regfreeze.net/


RegiFast

From the Regifast website: "Regifast fills out online forms and shopping carts for you! More surfing and less typing! Regifast fills out all fields instantly whenever you visit a site to purchase something or register, just one click is all it takes!" When running the installer (7-24-06), other spyware and malware can be downloaded to the computer.

http://www.regifast.com/


Registry Doctor

It's yet another fake warning from a rogue security product, this time claiming...well, take a look for yourself: http://blog.spywareguide.com/2008/12/were-going-to-shut-you-down-ho.html


Registryscan

This came from a Skype message spam. This is a rogue antispyware program.

http://www.registryscan.cc


RelatedLinks

Also known as: lbbho

RelatedLinks is a browser toolbar which displays related advertising links when you perform web searches, based on the keywords entered in the search form. It sends a request to their servers that includes the keyword query, time of day, browser type, default language setting, IP address, an anonymous unique ID, and a code which identifies the distribution source. RelatedLinks.lbbho is bundled with iMesh.

http://www.relatedltd.com/


Relevant Knowledge

Also known as: Netsetter ossproxy MarketScore InternetAccelerator OpinionSquare JDCouncil OpinionSquare Voice5 permissionresearch myvirtualdisk fileshield

MarketScore, calling itself "researchware", was originally marketed as an "internet accelerator service" through a CPA campaign on popular affiliate aggregators paying bounties of up to $5.00 or more for each user signing up for the service, which promised not only a faster surfing experience but chances to win prizes. During the registration process and in the process of adding a computer to the Marketscore Network, the computer and browsers are configured to route ALL Internet communication automatically through the Marketscore Network. MarketScore assigns a unique ID so they can accurately and anonymously track Internet use.
At this time MarketScore, formerly called Netsetter, no longer markets the so-called "Internet Accelerator" but provides a "FREE e-mail virus protection service through an award-winning, market leader in anti-virus technology", although this market leader is not named. This is possibly due to the fact that the previous anti-virus technology provider, Symantec, cut ties with MarketScore after pressure from privacy activists. Reference: http://www.eweek.com/article2/0,1895,1831292,00.asp
However, as of October 25, 2006, through their JDCouncil.org property, Marketscore prominently displays this option: "Would you like to enable Symantec CarrierScan Server virus protection for your email at no cost?"
From their privacy policy located at http://www.marketscore.com/privacy.aspx (Date: effective April 14, 2005).
Analysis of PP & EULA metrics: Number of Characters: 20935; Number of Words: 3474; Number of Sentences: 100; Avg Words per Sentence: 34.74; Flesch Score: 11.6; Flesch Grade: 20 = Beyond Twelfth Grade Reading Level.
Key extracts from the EULA and Privacy Policy that users should be aware of:
Internet usage information: Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information. We make commercially viable efforts to develop automatic filters that would allow us to avoid collection of sensitive personally identifiable information such as UserID, password, and credit card numbers. Inadvertently, we may collect such sensitive information about our panelists; and when this happens, we will make commercially viable efforts to purge our database of such information. This application also tracks the pace and style with which you enter information online (for example, whether you click on links, type in webpage names, or use shortcut keys), the usage of cookies, and statistics about your use of online applications (for example, it may observe that during a given period of use of a computer, the computer downloaded X number of bytes of data using a particular Internet enabled gaming application). Please note: Our application does not examine the contents of your instant messages or e-mail messages. We may, however, review select e-mail header information from web-based e-mails as a way to verify your contact information and your online usage information. How is the information collected? This application monitors your Internet usage by transmitting to our servers information about the web pages that you visit and the actions that you take while online. In addition, we may ask for information about you using surveys, for which participation is completely voluntary. 
We may also combine the information that you provide us with additional information (such as select credit bureau and prescription information) or with information obtained from other sources (such as consumer preference reporting companies, credit reporting agencies, and prescription benefits managers) using confidential matching procedures. In these cases, we will: (i) provide only the personal information necessary to perform a match and, infrequently, to assist us performing statistical analysis; (ii) establish procedures and legal obligations that prohibit use of the information received for any other purpose or disclosure of this information to anyone else; and (iii) require destruction of the received information after completion of the match. The information that we obtain from other sources will not include sensitive personally identifiable information such as credit card numbers and account numbers. How is the collected information used? Market Research Reports: Applying concepts similar to those used by television-rating services, we use the information collected through our application and your survey responses, combined with information from other sources, to make statistically-based projections about current and future Internet user behavior and, more generally, to extrapolate data about potential economic trends. For certain commercial customers, we may provide individual-level information only after this information has been made anonymous. We make this data available so that these customers may enhance their own understanding of Internet usage and online commercial trends. In ALL cases, we do NOT provide our customers with any personally identifiable information. 
Our customers use our market research reports to: (i) modify online services and offerings; (ii) make more effective use of online data to understand both online and offline commercial behavior; and (iii) discern general economic trends and the business performance of specific entities for a wide range of business purposes including, but not limited to, identifying financial investment opportunities and understanding the value and interest in certain business enterprises. By Service Providers: From time to time, we may share your contact information with those third parties who help us deliver this program to you (for example, companies that administer incentive programs). When we do this, we provide only the necessary information for the service provider to perform its assigned function, and we contractually prohibit the use or disclosure of this information to anyone else unless you authorize it. As Required by Law: In rare cases, and as is done by any other business, if we are compelled to disclose certain information through a valid legal process, such as a court order, subpoena, or a search warrant, we would do so. However, we would comply by providing only the minimum information necessary.
Note: additional notes from the previous privacy policy agreement (Date: 02.07.05): "Marketscore monitors all of your Internet behavior, including both the normal web browsing you perform, and also the activity you may have through secure sessions, such as when filling a shopping basket or filling out an application form that may contain personal financial and health information. Marketscore's proprietary and patent pending technology allows us to see the details of secure pages while protecting such content from parties other than the site to which you are connected."
"In addition to the monitoring of your Internet behavior, we may also combine the information that you provide us with information such as credit or prescription information that we obtain from third parties such as consumer preference reporting companies, credit reporting agencies, and prescription benefits managers."
During our testing in late 2004 we did not observe any significant speedup from using the now defunct accelerator service. However, we have NOT observed any use of exploits or installation through security holes, and users must go through a multi-page sign-up process. However, independent researchers report the software can silently download and install arbitrary unsigned code from its controlling server, as a self-update feature, and it can install its own trusted root certificates so it can intercept secure (SSL) connections made by your machine. These certificates are left behind even when the software is uninstalled, allowing MarketScore servers to impersonate any other domain. Source: http://marketscore.ucr.edu/
In the NS variant: Every web connection goes through a remote proxy server where everything you send and fetch (including 'secure' HTTPS connections such as online banking) is stored and analyzed. Because it works as a proxy itself, it won't connect properly through other external proxies. Source: http://marketscore.ucr.edu/
In the OS variant: Makes modifications to e-mail messages you receive or web pages you visit and then monitors/records your responses to the ads they insert. It sends back data to a controlling server. Source: http://marketscore.ucr.edu/
Marketscore does not show ads nor do they produce pop-ups or to our knowledge sell personal information. Their business model revolves around gathering detailed surfing and computer use information in aggregate for sale. In the small print of the agreement they mention they may log all your surfing traffic as well as machine behavior.
This software is particularly invasive because they can monitor and view secure pages INCLUDING ENCRYPTED TRAFFIC FROM SENSITIVE ONLINE TRANSACTIONS. While they report to have numerous safeguards in place, human beings still have access to this information, some of which may be of a highly sensitive nature. Furthermore, this information can be released to authorities via subpoena.

http://www.marketscore.com/


Remote Havoc 2

From the Website: Remote HAVOC is simply the best prank program available on the Internet today! With the help of this program, you will be able to connect to any other networked computer and just go nuts! You'll get an arsenal of about 20 commands, all of which are COMPLETELY controlled by you, and can be executed at any time!

http://www.jokingaround.com/downloads/


RemoteAnything

Also known as: RemoteAnything.364

This is a RAT Trojan that lets someone gain remote access to your computer through port 3996.


RemoteHack

Also known as: RemoteHack.100 RemoteHack.130 RemoteHack.110

This is a Trojan that has the ability to gain access to your computer through port 1480. Once contact is established, an adware payload is launched on the infected PC.


Renek

Also known as: Mhxy~Killer

This is a trojan that installs several adware programs and other trojans designed to steal banking information. It also hijacks your start page to www.cartesiosys.com/home-over.html. Adware programs installed from this trojan are in Chinese.


Respondmiter


Revenger

Also known as: Revenger.100

This is a RAT Trojan that has the ability to gain access to the infected PC through port 7891.


Reverb 1.4

Also known as: Backdoor.Reverb Backdoor.Weedbotz.14 BackDoor-XJ

http://www.angelfire.com/theforce/fritoz/files.html


Reverse Trojan

A Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine, and a "server" in the victim's machine.


ReWind 1.2

1. File browser
2. Information on selected file, folder or drive
3. CGI notification as well as an online victim list
4. Minor additions to fun
5. Small bugs fixed
6. Changes to Spy


Reyds.A

Also known as: Troj/Delf-DZX (Sophos)

Reyds.A downloads and tries to execute other software. It will try to terminate some security software and will modify the hosts file.


RHEI

Also known as: Troj/Agent-AY (SOPHOS)

Installs as a Browser Helper Object and monitors the user's surfing habits to show porn popups. Can infect through MHTMLRedir file Exploit. Deletes the installation file once it is installed.


RieMon

Also known as: Adware.RieMon

Bypasses the Firewall by adding itself to the Authorized Applications list of the Firewall Settings. Displays pop-up advertisements.


Rinbot

Also known as: BKDR_RINBOT.B (TREND MICRO), BackDoor-DKV (McAfee), Backdoor.Win32.IRCBot.yc

Rinbot is a backdoor trojan which connects to a remote IRC channel and waits for commands. The remote IRC server can provide commands to download and execute malicious files. This trojan drops and executes the Kelvir.EB worm on the compromised computer.


RipperPro

Also known as: RipperPro.100

This is a Trojan that installs its adware payload through port 2023 once installed.


RK-70164

RK-70164 installs a Rootkit and downloads additional files.


Ro2cn


Roach 1.0

Also known as: Backdoor.VB.ir

From the Website: Roach is a Remote Administration Tool, which allows you to control other Computers over Internet or LAN. Before using Roach be sure, that you are allowed to use this software, and/or the owner knows about the server and its functions. Readme.txt..... Roach Installer If you have any problems while running the client or the create server this could be caused by the missing OCX-files. This installer will fully automatically copy the OCX-files to your system32-directory and register them.

http://www.kornputers.com/board/portal_detail.php?lid=110&dbid=18&subid=22


RoBoDog

Also known as: MS.Sh311

This trojan sends ARP requests in order to map the victim network it is installed on. It also has the ability to execute remote code in order to send malware payloads across the network. Infected machines will have their Image File Execution Options altered for many good processes. Running these legitimate processes will run malware payloads.


RogueDrop

Also known as: Rogue Drop

RogueDrop is responsible for false Windows alert messages and false Internet Explorer warnings that push the user to download rogue applications. It also drops many files masquerading as malware files so that SpyAway, PerfectCleaner and SystemStable can detect them and convince the user that the computer is infected. More details can be found at http://blog.spywareguide.com/2007/06/rogue_security_applications_be.html


Roimoi

Also known as: jimmy limmy roings.com

Roimoi is a randomly-named adware .exe, and downloader ActiveX object, controlled by roings.com. Roimoi is closely related to Roings's SearchSprint toolbar, which is often bundled with it. Other parasites Roimoi has been seen to install include Wink/EasyDates, InternetOptimizer/Active, ISTbar/XXXToolbar, DownloadPlus/PowerScan, nCase, SaveNow/Search, ShopAtHomeSelect and Webhancer.

http://www.media-motor.net/


Rontokbro

Also known as: W32.Rontokbro@mm(Symantec)

This is a mass-mailing worm. It makes the system unstable.


Roogoo

Roogoo installs a Layered Service Provider that monitors network traffic. It reports search terms back to its server and may display pop-up advertisements.

http://www.roogoo.com


RootKit.CallGate

Also known as: Trojan-Downloader.Win32.Small.czl

Set of tools used to maintain access to a compromised computer and hide the fact that the computer has been compromised.


Rootkit.Win32.WinIk

Also known as: rootkit.win32.agent.q (Kaspersky)

This rootkit is used by adware like CommonName to hide its information. It hides in the "%System32%\drivers\" directory.


Rosibo

This is an adware program that drops an extremely large amount of hijacked domains into the infected PC's C:\WINDOWS\System32\Drivers\etc\hosts file. These domains all point to the same IP, originating in China.


RoxRat

Also known as: RoxRat.100 R0xr4t

This is a Trojan that has the ability to gain access to your computer through port 5050 with the intent to drop an adware payload onto your machine.


Rtb666

Also known as: Rtb666.160

This is a RAT Trojan that has the ability to gain access to the infected PC through port 623.


RTK.D

Also known as: Generic.Rootkit.D (Mcafee)


Rugo

Also known as: Adware.Rugo (Symantec)

This is a Chinese-based adware that is installed in trojan bundles.


Ruledor.c

Also known as: Backdoor.Ruledor.c BackDoor.Ruller Backdoor:Win32/Ruledor.B ADW_RULEDOR.C BDC/Ruledor.C Win32:Ruledor BackDoor.Ruledor.C Trojan.Adware.Ruledor.C

This program is part of the backdoor family of malicious programs intended for remote administration. Some incidents have been detected where a wide range of AdWare and Trojans have been downloaded and installed.


Rustock

This trojan creates a hidden rootkit named lzx32.sys in the C:\Windows\System32 folder. It has been known to be a part of other trojan bundles including VXgame and Xorpix.


RVP

RVP is a downloader which downloads video files. It monitors the user's browsing activity and displays advertisements based on the video files.


RXToolbar

Also known as: Adware.RXBar (Symantec)

Sends keywords used in search engines to a remote server and logs websites visited.


S-Redirect

Also known as: S Redirect

This looks to be a Cool Web Search variant hijacker that redirects users to search portals. The application copies several files into memory and rewrites the user's home page to http://s-redirect.com/?b=n-ex or something similar.


Sabil

Also known as: Trojan.Sabil Sario Troj/Sario-A Trojan:DOS/Sabil

This Trojan program is a DOS EXE file of 16KB written in QuickBasic. The C: disk may be reformatted when the computer is re-booted.


Sabotage

Also known as: Flooder.MailSpam.Sabotage.15

This trojan will flood the victim's email box with email.


Sadbiz

Also known as: Win32/Sadbiz.L [CA AV], Smalltroj.gen5 [NORMAN], Troj/AdClick-ER [Sophos], AdWare.Win32.BHO.agy [Kaspersky], Win32/Sogou [MS Onecare]

This trojan adds services related to bogus management utilities. The service created is called: dcommanager.


SafeguardProtect

Also known as: Safeguard Protect SafeguardProtect.Veevo

SafeguardProtect.Veevo is an Internet Explorer browser helper object.

http://www.safeguardprotect.com/


SafeSearch

Also known as: Turbofind

http://search.turbofind.com/index.html


Safestrip

This is a rogue antispyware. This should be removed if found. Website appears to be down.

safe-strip.com


SafeSurfing

Also known as: Safe Surfing

Logs keywords from web searches. Redirects searches and displays advertisements.


Safety Browser

Also known as: yhoo32.explr Ysnd

This infection comes from a .COM file, which is launched from a rogue webpage (Lamanweb.com) when the user visits it using IE. When run, files are then dropped in the infected PC's TEMP folder and in a folder called YSND (hidden from view by default). The infection is twofold - first, a rogue browsing application called "Power Browser" / "Safety Browser" is installed with no uninstall facility. It also changes your homepage to Demoplanet.tv in IE, though this sometimes randomly changes to the Lamanweb website. Music is also played on the infected PC each time it boots up. The Ysnd file receives commands from an additional file on the PC to pass the Lamanweb link via Yahoo IM. This appears to be a re-worked and updated version of an older, existing piece of malware.


Sandboxer

Produces random file names - very hard to detect and remove. Additional information can be found on them at this address: http://www.memorywatcher.com http://www.sandboxer.com From the Website: "Sandboxer is your one-stop destination for playing some of the best free online games on the Internet. Our games are very popular because they are simple, highly addictive and, best of all, free! If you're finding yourself needing a quick gaming fix at the office or at home, then Sandboxer is the place for you. There are four types of games provided at Sandboxer: arcade, sports, card, and puzzle."

http://www.sandboxer.com


Sandesa

Sandesa is a downloader trojan that downloads and executes more malware once it is executed. This trojan drops a file named "system.dll" into "SystemDrive" (usually c:\) and executes it. This file contains further instructions to download additional files. Author: JaNooNi


Sasser Worm

Also known as: W32.Sasser.Worm W32.Sasser.B.Worm Sasser - W32.Sasser.Worm

W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. This worm spreads by scanning randomly selected IP addresses for vulnerable systems.


Satan's Trick 1.0

http://www.elitec0ders.net/misc.htm


Satans Back Door

Also known as: Backdoor.Satan, Backdoor.SBD, Socken des Troja, Satanz Backdoor, SBD

This program is a trojan, designed to steal passwords. No pretences, that's what I made it for. When you connect to the trojan, a dialog box is popped up on the target system. It claims that an error has occurred, and to recover it requires the user's dialup username and password. The dialog looks *very* realistic. If the target looks in the End Task list, the server will show up as 'WINVMM32'


Satray

This Trojan attaches itself to the infected PC's browser through a BHO in order to send information to the attacker.


SavingsHound

Also known as: Savings Hound

http://www.savingshound.com


Scam.IWIN

Also known as: Scam IWIN

Scam.IWIN is installed through an infected Windows Meta File (WMF) which gets downloaded through an exploit.


SCBar

Also known as: SCBar/SearchEnhancement SCBar/WindowEnhancer WebEnh Winex NetworkEssentials.SCBar

SCBar is a pop-up-opening toolbar and a search- and error-hijacker. Scbar's code is a descendant of the NetworkEssentials parasite. Scbar can download and execute arbitrary code when directed by its controlling server.

http://www.searchenhancement.com/


SCData Dialer

Porn Dialer - Spanish Website. The download site is an online shop for sex toys.

http://www.dinerotica.com


SchoolBus Trojan 2.0

Also known as: GRCFrame

The attacker can take control of the victim's machine once the server application has been dropped. SchoolBus Trojan has features to transfer files, take screenshots, delete particular files and find out the system information. It can send untraceable mails using any SMTP server.


SCN Toolbar


Scom Dialer

Also known as: Gay_Sexy Dialer

Scom is a dialer application used to access adult content on the web. This dialer usually gets installed on the computer without user consent from certain web sites. It also sends information about the infected computer to its remote server. The dialer has an uninstall option, but it does not completely remove the application; it deletes only the shortcuts created.


ScreenScenes

Also known as: Screen Scenes

From their website: "ScreenScenes screensavers are provided free, because they are supported by advertising from the GAIN Network, which helps keep many popular software applications free in exchange for delivering advertising. As you surf the Web, you will occasionally see GAIN branded ads (pop-ups and others) selected based on your online activities. These ads are displayed by GAIN AdServer Software - not by any Web site." These screen savers can be bought or downloaded for "free". The free downloads are ad-supported.

http://www.screenscenes.com/


Screw-Bot 3.1.3.3.7

This is a botnet that installs mIRC in order for the distributor to gain a remote connection to the infected machine. Once the IRC client is installed, the computer is given a nickname based on a separate text file that is dropped. Research has concluded that this botnet originates from a crack serial site.


SdBot.gen

Also known as: W32/Sdbot.worm.gen.ag Backdoor.SdBot.gen W32/Lolol.worm.gen W32.Spybot.Worm Win32.IRC.Bot.based W32/Spybot-CQ Win32/HLLW.SpyBot Worm/SpyBot.#3 Win32:SpyBot-GEN Worm/Spybot Backdoor.SDBot.Gen W32/Sdbot-PE

Allows remote access to the user's computer. The backdoor component contacts an IRC server and waits for commands from a remote attacker.


Se-sui

Also known as: Spyware.Sesui

This adware program affects the system when the user visits one of the movie files located on the se-sui.com domain. It changes the start page and registers itself in a pornographic service. When Internet Explorer starts, it downloads a movie file and runs it.

http://se-sui.com


Search Assistant

Also known as: SeekSeek SE assistant SearchAssistant

Browser Hijacker that points to a shopping portal called http://www.seekseek.com.

http://www.SeekSeek.com/


Search Helping Wizard

Also known as: Your Product

Displays popups based on keywords used in searches.


Search Miracle

Also known as: SearchMiracle

Installs itself as an Internet Explorer toolbar and redirects search requests.

http://searchmiracle.com


Search Relevancy

Also known as: SearchRelevancy

This is a browser hijacker that will also display ads.

http://www.searchrelevancy.com


Search Toolbar


Search-Exe

SearchExe redirects the Internet Explorer searches to the site search-exe.com.

http://www.search123.com


Search123

Also known as: 123search

This is a Browser Helper Object. Side effects will be a likely decrease in system performance. They have a pay-per-click search engine.

http://www.search123.com/directory.html


Search3 Hijacker

This is a browser plugin. It posted search keywords to VMN.net


Search4top

Search4top may block or redirect preferred network connections, and can negatively impact your computer's performance and stability.

http://www.search4top.com


SearchAndBrowse

Search-Explorer is an IE toolbar providing the usual search features.

http://www.searchandbrowse.com/


SearchAndClick

Also known as: Search And Click


SearchBarCash

Also known as: Related to ISTbar

SearchBarCash wants to provide adult and non-adult webmasters an opportunity to capitalize on their web traffic.

http://www.searchbarcash.com


SearchBoss Toolbar


SearchCentrix

Also known as: Gsim Inflow Search Centrix WinDirect eXpand Search Search Centrix MyGeek/Search-o-Matic2000 wzhelper

This will also redirect your searches. Installs a toolbar with Internet Explorer.


SearchClickAds

Also known as: SCA-plugin

At time of install there was no EULA presented. Delivers advertisements based on URLs and/or search terms you enter when navigating the Internet.

http://www.searchclickads.net/


Searchex

Also known as: Hotlink Troj/AdwareDropper.A

Searchex is a homepage- and search-hijacker pointing at searchex.com. Instead of directly changing the Start Page setting, it uses an Internet Explorer Browser Helper Object to redirect newly-opened windows. This results in the original Start Page being briefly visible then being replaced. An IE Search Hook is used to redirect address bar searches and invalid domain name pages to cantfind.com. At times in the past this server redirected to MSN or 7Search. Searchex/HomePage was bundled with 'NetSpeed' software from winstream.com (the authors of Searchex). Searchex/Hotlink was distributed with an 'e-card' from valentines-ecard.com, which was heavily promoted by misleading junk e-mail.


SearchExplorer

When browsing the web with the toolbar enabled, every 3-4th page viewed has its URL and page title sent to tb.adpowerzone.com on leaving the page. If there are any targeted terms in either, the server returns a piece of JavaScript code to pop up an advert.

http://www.search-explorer.com/


SearchFast

Also known as: Search Fast

This program adds itself as a toolbar in Internet Explorer. It hijacks the start page, search page and error page. It tracks all user activities including the sites visited. It logs the URL of every page visited by the user and sends it to Alexa's server to get related links, which it shows in the toolbar.

http://www.searchfast.net


Searchforfree


Searchforit

Also known as: Search for it The Search Mall AdShooter Searchmall

A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, used to install a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web. The natural question is, what do BHOs do? The technical answer is "anything", but generally, it will have something to do with helping you browse the Internet. Of course, some BHOs are what is called "ad-ware" or "spyware": they do things like monitor the websites you visit and report this data back to their creators.

http://www.adshooter.com


SearchingAll

Also known as: Unclassified.Deskware.BHO Deskware Searching All

SearchingAll adds a Desktop Search Box and a toolbar. It changes Start page, Search page and error page of browser. It places many unwanted links on the Desktop. From their site, "We offer you a free search toolbar, which has following great features: << Web Search: Search results from different search engines and pay-per-click directories, including Google.com. << Relevant Search Results: It also generates search results relevant to browsing behavior of a surfer. For example if you are searching for 'games' in a search engine like google.com or yahoo.com, our search toolbar will display a message 'We have found 300 results relevant to games'; When you click the message, you will be able to see a search result page for key word 'games'. << Popup Blocker: It blocks the annoying pop ups"

http://www.searchingall.com/toolbar/


SearchInWeb

Internet Explorer toolbar, distributed from searchinweb.com. Contains buttons, linked to www.searchinweb.com and third party unwanted sites. Registers itself as Internet Explorer Toolbar and Browser Helper Object.

http://www.searchinweb.com/


SearchitBar

SearchitBar is a toolbar offering search features pointed at the generic portal searchit.com.

http://www.searchit.com/


SearchLocate

Also known as: sidebar searchlocate.com

Origins unknown; has a tendency to show up very uninvited. Redirects searches and error pages.

http://searchlocate.com/


Searchmaid

Also known as: Virtual Maid

Searchmaid can be found in the computer's system folder as a file called helper.exe. There is also a program files directory created by this adware program called Virtual Maid. This directory holds Virtual Maid.xml and Virtual Maid.dll. Several traces of this product can be seen in the registry. The website for this program, www.searchmaid.com, is currently unavailable.


SearchMeUp

Once installed on the victim's PC via an ActiveX control, it will alter their homepage to searchmeup.com. After the start page is altered, it has the ability to redirect you to their other sites depending on your search patterns. There is also a forum entirely in Russian related to this product.


SearchNugget Toolbar

Also known as: Adware-NuggetSearch.dr (McAfee), Adware.SearchNugget (Symantec)

SearchNugget Toolbar installs as a browser toolbar, changes the default search assistant and redirects mistyped URLs. SearchNugget may come bundled with other freeware software. From the Author: SearchNugget is a search toolbar add-on for Microsoft Internet Explorer (IE). It provides the following functionality: Search the Web from anywhere online using popular search engines, search the Web from Internet Explorer's Search button, block popup ads, and highlight words on the page you're visiting by placing a color bar over it.

http://www.searchnugget.com/


SearchPounder

Also known as: Spyware.SearchPounder

This is an adware program that sends your search data to a server so that it can show you more advertisements related to your search activity.

http://www.search-pounder.com


SearchScout

Also known as: Search Scout

From the Website: The SearchScout Toolbar is free because it is part of the GAIN Network. This software also will occasionally display various forms of pop up ads based on your online surfing behavior.

http://www.searchscout.com/searchtoolbar_beta/


SearchSeekFind


SearchSprint


SearchSquire

SearchSquire is an Internet Explorer sidebar containing paid links that opens when you use search engines. When using a search engine known to the software, the search terms are forwarded to SearchSquire's own search feature, returning advertisers' links in a sidebar. SearchSquire/v2 seems also to be capable of opening pop-up adverts on targeted sites.

http://www.searchsquire.com/


SearchTool

Also known as: Adware/Searchtool(Panda)

SearchTool is a Browser Helper Object which will keep track of the user's web activity. Other malware uses its service to deliver advertisements.


SearchWords

SearchWords is an Internet Explorer Toolbar, which modifies search requests and may display advertisements.

http://www.searchwords.com


Searchwww

SearchWWW changes the browser homepage to www.searchwww.com

http://www.searchwww.com


Secefa

Also known as: W32.Secefa.D (Symantec)

Secefa is a backdoor trojan. Secefa downloads another threat (Surila.aw) onto the infected computer and executes it. This trojan blocks access to several security-related sites. It disables Windows Firewall and adds itself to the Windows Firewall authorized application list.


SecondPower

Also known as: SecondPower Multimedia Speedbar

Shows ads for casinos and ads that may not be appropriate for minors.


Secure Expert Cleaner

This is a rogue antispyware. Remove this if found on your PC.


SecureServicePack

Also known as: Unclassified.SecureServicePack.BHO (SuperAdBlocker.com), HJTH.GoDOTLess; Secure Service Pack

SecureServicePack installs as a Browser Helper Object and shows advertisements for specific search terms entered in browsers. From the EULA: Secure Service Pack ("Secure Service Pack") offers free downloadable software that allows users to receive enhanced web features and search results in the form of but not limited to pop-up, pop-under or exit-pop HTML pages and I Frames which will appear during your internet session, while browsing the Web.

http://www.surfspeak.com/plugins.asp


Security Alert Scanner

Also known as: Scan & Repair Utilities

Security Alert Scanner scans computers and reports detections of malware that is not on the computer. Security Alert Scanner spreads through Skype spam and possibly other methods. Skype Spam message (messages may be different): Software Update ? says: WINDOWS REQUIRES IMMEDIATE ATTENTION ============================= ATTENTION ! Security Center has detected malware on your computer ! Affected Software: Microsoft Windows Vista Microsoft Windows NT Server 4.0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Win98 Microsoft Windows Server 2003 Impact of Vulnerability: Remote Code Execution / Virus Infection / Unexpected shutdowns Recommendation: Users running vulnerable version should install a repair utility immediately Your system IS affected, download the patch from the address below ! Failure to do so may result in severe computer malfunction. Skype users should block the username in Skype and report the user to abuse@skype.net.

http://scanandrepair.net/


Security Toolbar

Malicious toolbar that has been installed along with rogue antispyware applications.


Seek99

http://www.seek99.com


Seeker

Also known as: PWS-Dafdaf.htm JS.Exception.Exploit Trojan.Seeker.134 JS/DafDaf* JS_EXCEPTION.GEN BDS/Dewin.B1 JS/Seeker.Y VBS:Malware JS.Dropper.Dewin.B Trojan.JS.Seeker

This script written in JavaScript language quietly changes a browser's home page and search page without user confirmation.


Seekmo

Also known as: Seekmo Search

This search assistant from 180Solutions is the successor to 180 Search Assistant. It appears to be a rebranded version of their existing product, in the same way that 180 Search Assistant was to nCase. 180Solutions announced that this was to enforce some security on their affiliates who were abusing the software and pushing their product on customers. This adware keeps track of user browsing activities and displays ads accordingly. This search assistant has been known to distribute large amounts of pop-up advertisements. Seekmo itself is a 'search based advertising application'. This means that it uses your search habits to show you advertisements you might be interested in.

http://www.seekmo.com/


SeekSeek

Seekseek has the ability to monitor visited web sites and can also intercept search queries.

http://www.seekseek.com


SeeqToolbar

This toolbar is no longer available for download.

http://www.seeq.com


SexFiles

Also known as: Dialer.Sexfiles

A type of software typically used by pornographic vendors. Once dialer software is downloaded, the user is disconnected from their modem's usual Internet service provider and connected to another phone number, and the user is billed. While dialers do not spy on users, they are malevolent in nature and can rack up expensive and unwanted bills. Some dialers are used for "legit" purposes, meaning that a user knowingly accepts the charges in exchange for some "online content". But many times we have seen dialers used in sneaky ways, using various tricks to get them installed on a user's machine without them knowing what is going on. In general, if a dialer is detected on your system, you either know why and how it got there or it sneaked in illegally. By clicking on "Enter Website & Accept Terms!!" button you will be connected to a service featuring adult content where you will be charged $1.99 per minute via a premium rate call plus $1.99 connect fee.

http://www.sexfiles.nu/Default.aspx


Sexnow

Also known as: Dialer.Senow(SunBelt) Senow


SexoBFAX Dialer


SexoDial


Sexxxpassport

Also known as: Sexxxpassport

Adds domains to the trusted sites zone of Internet Explorer. This can allow software to be downloaded without the user's consent. Installs website access that is used to access a website and bill the user.


SexyBills

SexyBills is software that dials a phone number using the modem of the user's computer, without the user's awareness or permission, to incur charges on the user's phone bill.


SexyVideoScreenSaver

Also known as: Adware.SexyVideoScreenSaver

This is an adware program that has been known to bundle AdStatus.


ShareAll v1.1

Also known as: Share all

This Trojan will capture keystrokes and send them to the attacker.

http://www.s0ftpj.org/en/tools.html


Shellbot

Also known as: BackDoor.SHELLBOT(Symantec)

It sends Spam mails. It also affects the performance of the machine.


ShitHeep

Also known as: ShitHeep.100 Backdoor.Shitheep

This is a Trojan that has the ability to communicate through port 6912 on the infected PC.


ShopAtHomeSelect

Also known as: Shop At Home Golden Retriever sah agent sah bundle ShopAtHome.Downloader.B

ShopAtHomeSelect is a Winsock 2 Layered Service Provider that redirects visits to merchant sites in order to take the affiliate fees from them automatically. Each visit to a merchant site is recorded by ShopAtHomeSelect's servers with a unique ID that could be used to track browsing habits. The software can download and execute arbitrary code from its controlling server, as a silent update feature.

http://www.shopathomeselect.com/


ShopNav

Also known as: Srng

ShopNav is a hijacker distributed as an Internet Explorer Browser Helper Object. This program also launches an updater process at startup to ensure all files are present on the infected computer. Address bar searches, the Search explorer bar, unknown domains, and, in some variants, non-www server names entered into the address bar without the preceding 'http://' will be sent to Srng's controlling server www.srng.net, which redirects to a search service at apps.webservicehost.com. When installed it sends details including your Windows account name and your previous search settings to its controlling server. Note: 11-30-05 It appears that Shopnav have taken their products down from their site. When visited it reads this: Thank you for your interest in our search enhancing products. Unfortunately, these products are no longer available. If you wish to uninstall, please click here.

http://www.srng.net/


Shopperreports

Also known as: Shopper Reports

Shopperreports is an application provided to the hotbar installation. It works like hotbar in the sense that it collects non-personally identifiable information so that it can better provide you with advertisements and shopping offers from their affiliates. Shopperreports will take search strings that are entered in search engines, such as Google.com, that match their search terms to offer you products from their side bar.

http://shopperreports.pricetool.com/


Shorty

Also known as: DNSCatcher

Redirects searches from the Internet Explorer address bar, Google and Yahoo.


Show Bar


Showbehind

Displays advertisements. The Showbehind website claims "THE SHOWBEHIND NETWORK WILL BE OFFICIALLY CLOSING BY NOVEMBER 1st, 2004".

http://www.showbehind.com


ShowPass 1.0

Also known as: ShowPassword Trojan.PSW.Misos

http://es.geocities.com/haresgod/hack.htm


SideBySideSearch

SidebySide Search has the ability to take search strings that are entered into search engines and display competing offers in a side bar on your browser. From EULA: This software also provides our 411web Search Helper which displays pop up ads on your computer screen based on your online behavior. For example, 411web may use your IP address or browser language to determine which language to use when showing search results or advertisements. 411web may share information about you with advertisers, business partners, sponsors, and other third parties.


Sidefind

This adware will download various other adware programs to your computer. It will also hijack your browser.


Sidesearch

Also known as: lycos sidesearch SmartSearch Smart Search EZ-GreetsToolbar EZ-Greets Toolbar EZ Greets Toolbar

Program that changes some settings in your browser. Commonly:
- Changing your "search" page to pass all searches to a certain pay-per-search site
- Changing your default home page to a different page
- Possibly transmitting URLs viewed to the company server

Hijacks the Error page. Can update itself.


Silencer

This is a RAT Trojan that drops its adware payload onto the infected PC through port 1001.


Silent Spy

Silent Spy is a trojan used for controlling computers remotely. It has many features.


SilentSpy

Also known as: SilentSpy.202 Backdoor.SilentSpy


SimilarSingles

This will display advertisements on your computer.


Sinav

Also known as: Downloader.Y (Mcafee)

Downloads and executes unwanted software without the user's knowledge.


SinCity

On first run, copies itself into Desktop and Start Menu under the name 'Blackpages'. Dials toll numbers.


SingWorm

SingWorm sends messages to users in Windows Live Messenger. The messages contain links to help spread the infection. Once this infection has compromised the PC, it will send messages to everyone on the victim's Windows Live Messenger contacts. The message reads: "here are new smiles for MSN, they are incredible!" This is followed by a URL that infects other machines.


SinRed Killer 0.1

This Trojan has the ability to kill many Anti-Virus and Firewall Programs.


SiteBar


SiteHistory


Sixem.A

Also known as: W32.Sixem.A@mm (Symantec), W32/Sixem-A (Sophos), Win32.HLLM.Soccer (DrWeb)

Sixem.A is a mass-mailing worm that spreads to other computers by sending itself as an e-mail attachment. This worm uses the e-mail addresses harvested from the infected computer. E-mails sent have the following characteristics: From address may be any of the following: newsworld@cnn.com, newsreader@hotmail.com, kellyjast@hotmail.com. Note: These are fake addresses. Subject may have any of the following: Mad soccer fanats World Cup game set Please reply me Jerry Message Body may have any of the following: Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;) Crazy soccer fanats killed two teens, watch what they make on photos. Please report on this all who know. Halo Markus, i sent my nude pics. Please reply me with you nude photos ;). Best regard You Sweet Kitty Attachment may have any of the following: nudist_soccer.bmp.exe, soccer_image.jpg.exe, kelly_naked_imgs.jpg.exe. This worm also sends the gathered e-mail addresses to its author. This worm downloads another file from a remote site and executes it. This file lowers the security settings by ending security-related processes and modifying registry entries. Disables Task Manager. Changes the Windows hosts file to block access to security-related sites.


Skydance 3.6

Also known as: Backdoor.SkyDance.36 SkyDance.220 SkyDance.229 SkyDance

From the website: Skydance 3.6 S.G (Gibson-Version) is a DDoS sample for win32 using RAW sockets. Source includes these features: Communication with ICMP Including a Syn Ack0 flood attack and a simple ping flood attack Can not be found with netstat A (ICMP) Can not be found with usual Port-Scanners (RAW) On win2k/XP-systems communication and attacks are spoofed (IP_HDRINCL :) Server size can be reduced to 17 K Client-source can be ported to UNIX because it is done as console app. (ICMP tunnel) file (<65kb) can be sent within a spoofed ICMP packet, executes it after receive.

http://www.megasecurity.org/trojans/skydance/Skydance3.6.html


SkyMaster

Also known as: DIAL_SKYMASTER.A (TrendMicro) Dial/Chivio-S

This dialer registers some of the domains as valid domains. It changes the start page of Internet Explorer and also connects to X-Rated sites.


SkypeDefender

Skype-Defender's purpose is to steal Skype usernames and passwords. The main executable acts as a fake Skype login screen. Entering your username and password and signing in using this application will send your login credentials to the attacker.


Slagent

Also known as: Adware.Slagent

Adware.Slagent is adware that runs without giving any notification to the user after initial installation and can download and execute arbitrary files on the computer. After installation Adware.Slagent contacts a Web site for advertisement purposes.


Slammer worm

Very dangerous worm that exploits a hole in MS SQL server to spread itself.


Slotchbar

This is a toolbar that attaches itself to your IE browser through an ActiveX installation. This is an ISTBar variant.

http://www.slotchbar.com/


Small-RN


Small.DAM

Also known as: Trojan.Peacomm (Symantec), Troj/Small-DOR (SOPHOS), Downloader-BAI (McAfee), Storm Worm, Pcom Win32/Fuclip

Small.DAM is a downloader trojan that arrives on the user's computer as an attachment to spam mails. It uses rootkit components to hide its presence from the user. It spreads through spam mails.


Small.DXM

This Trojan installs a very large package of malware that cripples the machine and prevents it from functioning normally. Once installed, it opens up dangerous network connections to the attacker that allow unhindered access to the victim's PC.


Small.EMA

Also known as: Troj/Small-EMA (Sophos) AdWare.Win32.BHO.cni

Small.EMA is a Chinese malicious trojan designed to install several unwanted applications onto the victim's machine. Once installed, it attempts to uninstall several security applications, such as Kaspersky AntiVirus, in order to go unnoticed. Users who are infected with this trojan will almost immediately know there is a problem when Chinese applications begin installing without their consent.


SmallFun

Also known as: SmallFun.110

This is a RAT Trojan that has the ability to gain access to the infected machine through port 7887.


Smart Finder

Also known as: Home Search Assistant Shopping Wizard Search Extender HSA Smartfinder

Home Search Assistant - Puts useful links on your homepage. Shopping Wizard - Shows you pop-up ads to guide you fast and easily to the goods and services you are searching for. Search Extender - Extends the results of your searches in the global search systems. Runs in the background looking to show websites with information, offers and products that match keywords that you are looking for when either shopping or searching online.

http://looking-for.cc/smartfinder/


Smart Shopper

Also known as: SmartShopper

This shopping agent doesn't display pop-up advertisements. When visiting certain sites, a sidebar will appear on the left hand side of your IE browser displaying SmartShopper contextual ads. From Privacy Policy: SmartShopper collects and stores aggregated information about the web pages its users view and the data they enter in search engine search fields while using the SmartShopper software (the "Service"). SmartShopper uses this information to determine which alternative offers to display on your browser window pane. For every web page you view while using the Service, the SmartShopper software transmits from your computer to the SmartShopper server and stores the following information: your Internet Protocol (IP) Address; the Full Uniform Resource Locator (URL) of the web page you are visiting; general information about your browser and your computer's operating system; your SmartShopper cookie number and the date and time the above information is logged. We also collect and store the following SmartShopper usage statistics: what is clicked on the browser window pane; the amount of time the Service is used during each session; which keyword searches are performed and what alternative results are received during any given session. If you are only visiting our site (www.smartshopper.com), we collect the following information: the URL of the web page from which you came; your IP Address; the date and time of each page you view; the name of and information about any advertisement that brought you to our web site; and computer and connection information. If the URL of the page from which you came contains any PII about you, we will not attempt to determine your identity by analyzing the URL in any way. See full privacy policy here: http://www.smartshopper.com/Legal/SS_Privacy.htm

http://www.smartshopper.com/smartshopper/Browsing/Index.aspx


SmartAdware

Also known as: Adware.SmartAdware (Symantec)

SmartAdware is an adware program that shows advertisements.


Smartallyes

Smartallyes installs as a Browser Helper Object and shows advertisements.


SmartBrowser

Also known as: YBD, Smart Browser, Smart-Browser

SmartBrowser is controlled by smart-browser.com. In our studies it changes the default home page. It opens pop-up pornographic advertising (examples included extremelybabes.com and extremelyamateurs.com) and redirects attempted access of other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.) The EULA grants the right to change and redirect 404 (page not found) traffic to their "publicity page". It can open pop-ups or redirect the browser to a different page when a targeted URL is visited. The EULA demonstrates notable security risks. - "YOU AGREE THAT UPON ENTERING ANY SITES UNDER THE CATEGORY THAT FEETS OUR PUBLISHERS CATEGORIES ,AN ADVERISEMENT MATCHING THAT CATEGORY WOULD POP UP, AND" - "YOU AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO OUR SERVER FOR ANY UPDATES OR ADDINS. AND" - "YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO SEND EMAILS(PUBLISHMENT & FILES) TO YOUR FRIENDS (USING YOUR LOCAL USER DATABASE) AND TO OUR LISTS .AND YOU ASSURE US THAT YOU WON'T CONSIDER THAT A VIOLATIONS OF YOUR PRIVACY OR ANY OTHER RIGHT. AND" - "YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO CHATS IRC, YAHOO ,MSN ,ETC IN ORDER TO PUBLISH OUR PRODUCTS."


SmartDove

SmartDove will display advertisements based on the user's Web surfing. May log browser activity and send data to a remote server.


Smartpopups

Targets searches with keywords. Delivers additional content based on the websites most visited. SMARTPOPS END USER AGREEMENT IMPORTANT -- READ CAREFULLY: THIS END USER LICENSE AGREEMENT ("AGREEMENT") IS AN AGREEMENT BETWEEN LINCOLN SALES CORPORATION ("SmartPops") AND YOU (also referred to as "USER") FOR THE USE OF THE SMARTPOPS SOFTWARE APPLICATION ("SmartPops Software"). YOU MUST ENTER INTO THIS AGREEMENT IN ORDER TO DOWNLOAD THE SOFTWARE AND USE THE RESULTING SERVICES. SMARTPOPS RESERVES THE RIGHT TO CHANGE OR MODIFY THE TERMS AND CONDITIONS OF THIS LICENSE AND ANY OF THE POLICIES GOVERNING THE SERVICES AT ANY TIME IN ITS SOLE DISCRETION WITHOUT DIRECT NOTICE TO YOU. YOUR CONTINUED USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF ANY SUCH CHANGES. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT, DO NOT INSTALL THE SMARTPOPS SOFTWARE. 1. Definitions. (a) "Agreement" and/or "License Agreement" shall mean this License Agreement and any and all documents incorporated by reference, including but not limited to the SmartPops.com Privacy Policy Statement; (b) "you," and/or "your" shall mean the individual or a legal entity exercising rights under, and complying with all of the terms of, this Agreement; (c) "Licensed Software" shall mean SmartPops technology, which includes computer Software (including any upgrades or modified versions) and may include media, printed materials, and "online" or electronic documentation; (d) "Product" shall mean the combination of the Licensed Software and the underlying Software product in which the Licensed Software is incorporated; (e) "Demographic Information" shall mean any information that is not Personally Identifying Information, and shall include, but is not limited to your gender, age, zip code, browser type, operating system, and Internet protocol (IP) address and (f) "Personally Identifying Information" shall mean any information that identifies you to others, and shall include, but shall not be limited to your 
first and last name, home or other physical address including street name and name of city or town, e-mail address, and telephone number and (g) SmartPops shall mean SmartPops, and its licensees, licensors and agents, and (h) "auto update" shall mean the automatic updating of SmartPops technology or the technology of its partners on your computer. 2. Use of the Software. You acknowledge and agree that you shall not (a) modify or create any derivative works of the Licensed Software or documentation; (b) attempt to disable the Licensed Software by any means or in any manner; (c) attempt to decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for the Licensed Software (except to the extent applicable laws specifically prohibit such restriction); (d) redistribute, encumber, sell, rent, lease, sublicense, or otherwise transfer or disclose the Licensed Software to any other party; or (e) remove or alter any trademark, logo, copyright or other proprietary notices, legends, symbols or labels in the Licensed Software or the Product. 3. Proprietary Rights. You acknowledge and agree that SmartPops owns all right, title, and interest in and to the Licensed Software. You agree that you shall take no action that might jeopardize, limit, or interfere in any way with SmartPops' ownership or other rights regarding the Licensed Software. You acknowledge that the Licensed Software is protected by copyright and other intellectual property laws, and by international treaties. You further acknowledge and agree that the remaining portions. 4. Auto Update. Due to the ever-changing nature of software distributed on the Internet, SmartPops has included an auto update feature to ensure that you have the most recently released version of the SmartPops software. 
You acknowledge that SmartPops or parties appointed by SmartPops may from time to time provide programming fixes, updates and upgrades to you, including automatic updates to SmartPops, through automatic electronic dissemination and other means. You consent to such automatic updates and agree that the terms and conditions of this Agreement will apply to all such updates. Unless explicitly stated otherwise, any new features that augment or enhance the current Software, including the release of new SmartPops properties, shall be subject to terms of this License. If you should elect not to have your software updated at any future time, SmartPops shall not be responsible for any incompatibilities that may arise on your system. IF YOU WISH TO UNINSTALL THIS SOFTWARE OR ANY OF ITS UPDATES, SMARTPOPS HAS PROVIDED AN UNINSTALL FEATURE. 5. Software Conflicts. Conflicts may occur with other software applications that may already be installed on your computer. The SmartPops software will report back to our servers what applications may be running on your system and will resolve these conflicts whenever possible. This will make our software more reliable and provide you with products and services that are compatible with your current system settings. 6. Third-Party Links. SmartPops may provide, links to World Wide Web sites or other Internet resources. Any third-party sites to which SmartPops may link are not under the control of SmartPops and SmartPops shall not be responsible or liable for any information, data, communications or materials available on such third-party sites. 7. Advertisements. To further enhance your media viewing experience, SmartPops reserves the right to run advertisements and promotions based on URLs and/or search terms you enter when navigating the Internet. This service is offered as a benefit to our members to obtain useful and informative information about entertainment or other related products and services offered by our sponsors. 
We do not transmit or collect your browsing activity and do not store any information that records your browsing behavior. We only collect aggregate statistics about the URLs and search terms you enter. We do not build profiles of our users or attempt to correlate demographic or personal information. By accepting the terms of this License, you agree that we have the right to run such advertisements and promotions without compensation to you. The timing, frequency, placement and extent of advertising within the pages comprising your SmartPops account is subject to change and shall be determined by us in our sole discretion. Your business dealings with, or participation in promotions of, advertisers found on or through SmartPops, including payment and delivery of related goods or services, and any other terms, conditions, warranties or representations associated with such dealings, are solely between you and the advertiser. You agree that SmartPops will not be responsible or liable for any loss or damage of any sort incurred as the result of any such dealings or as the result of the presence of such advertisers within the SmartPops network. 9. Limitation of Liability. THE LICENSED SOFTWARE IS BEING DELIVERED TO YOU "AS IS" AND SMARTPOPS MAKES NO WARRANTY AS TO ITS USE OR PERFORMANCE. NEITHER SMARTPOPS NOR ITS MEDIA, CONTENT OR OTHER SUPPLIERS WARRANT THE PERFORMANCE OR RESULTS YOU MAY OBTAIN BY USING SMARTPOPS SOFTWARE OR SUPPLEMENTAL SOFTWARE. SMARTPOPS AND ITS SUPPLIERS MAKE NO WARRANTIES, EITHER EXPRESS OR IMPLIED, AS TO NONINFRINGEMENT OF THIRD PARTY RIGHTS, MERCHANTABILITY, OR FITNESS FOR ANY PARTICULAR PURPOSE. 
IN NO EVENT WILL SMARTPOPS OR ITS SUPPLIERS BE LIABLE TO YOU FOR ANY INDIRECT, CONSEQUENTIAL, INCIDENTAL OR SPECIAL DAMAGES, INCLUDING ANY LOST PROFITS OR SAVINGS, LOSS OF GOODWILL, LOSS OF DATA OR OTHER INTANGIBLE LOSSES RESULTING FROM YOUR USE OF OR YOUR INABILITY TO USE DOWNLOADED SOFTWARE EVEN IF A SMARTPOPS REPRESENTATIVE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY ANY THIRD PARTY. SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES, OR THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY MAY LAST AND THEREFORE, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. 10. Governing Law and General Provisions. This Agreement will be governed by the laws of the State of California, U.S.A., excluding the application of its conflicts of law rules. This Agreement will not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this Agreement is found void and unenforceable, it will not affect the validity of the balance of the Agreement, which shall remain valid and enforceable according to its terms. You agree that the Software will not be shipped, transferred or exported into any country or used in any manner prohibited by the United States Export Administration Act or any other export laws, restrictions or regulations. This Agreement shall automatically terminate upon failure by you to comply with its terms. This Agreement may only be modified in writing signed by an authorized officer of SmartPops. 11. Privacy. You acknowledge that by accepting the terms and conditions documented herein you are also accepting the Privacy Policy, which is incorporated herein by this reference. Please click on Privacy Policy link below to review this document. 
In the event of a merger, acquisition, asset or stock sale, bankruptcy, or other asset transfer (regardless of legal formality), any of our assets may be transferred to An assignee, including personal information collected from visitors to our Web site. Licensed Software incorporated into this product collects personal information. To learn more about how this information is collected and used please read our Privacy Policy Statement. Our Privacy Policy Statement can be accessed via the World Wide Web at http://www.smartpops.com/privacy.html 12. Legal Compliance. You agree that you shall fully comply with all applicable laws, statutes, ordinances and regulations regarding your use of the Licensed Software and the Product. 13. Indemnification. You agree to indemnify and hold SmartPops, its successors, assigns, subsidiaries, affiliates, officers, directors, agents, and employees harmless from any claim or demand, including reasonable attorneys' fees, made by any third-party due to or arising out of your failure to comply with this Agreement or your violation of any applicable law, rule or regulation, or your infringement of the rights of any other party. 14. Termination. This Agreement shall be effective unless and until terminated. You acknowledge and agree that SmartPops may, without prejudice to any other rights under this Agreement or applicable law, terminate the license granted in this Agreement at any time without notice to you if you fail to comply with any of the terms and conditions of this Agreement. Upon termination of this Agreement, all rights granted to you in this Agreement shall immediately terminate. 15. Miscellaneous. 
(a) This Agreement constitutes the entire agreement between the parties concerning the subject matter hereof;(b) This Agreement and any dispute arising out of it shall be governed by the laws of the State of California, U.S.A.; (c) Unless otherwise agreed in writing, all disputes relating to this Agreement (excepting any dispute relating to intellectual property rights) shall be subject to final and binding arbitration in Los Angeles County, California; (d) This Agreement shall not be governed by the United Nations Convention on Contracts for the International Sale of Goods; (e) If any provision in this Agreement should be held illegal or unenforceable by a court having jurisdiction, such provision shall be modified to the extent necessary to render it enforceable without losing its intent or severed from this Agreement if no such modification is possible, and other provisions of this Agreement shall remain in full force and effect; (f) A waiver by either party of any term or condition of this Agreement or any breach thereof, in any one instance, shall not waive such term or condition or any subsequent breach thereof; (g) The provisions of this Agreement that require or contemplate performance after the expiration or termination of this Agreement shall be enforceable notwithstanding said expiration or termination; (h) you may not assign or otherwise transfer by operation of law or otherwise this Agreement or any rights or obligations herein. (i) This Agreement shall be binding upon and shall inure to the benefit of the parties, their successors, and assigns; (j) Neither party shall be in default or be liable for any delay, failure in performance (excepting the obligation to pay), or interruption of service resulting directly or indirectly from any cause beyond its reasonable control. 16. US Government Restricted Rights Legend. The licensed Software and any documentation provided are commercial in nature and have been developed exclusively at private expense. 
Use, duplication or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7103 or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights section at 48 CFR 52.227-19, and any other successor regulations, as applicable. 17. Acknowledgment of Agreement. I acknowledge and understand that downloading and using the SmartPops Licensed Software constitutes an acceptance of the terms and conditions of this End User License Agreement. I further acknowledge and understand that refusing to accept these terms and conditions constitutes a rejection of the SmartPops Licensed Software.

http://www.smartpopups.com


Smiddy

This is a virus that manipulates the victim's computer into using a malicious copy of explorer.exe in order to let the attacker gain control. It also looks for and deletes critical anti-malware components related to QQDoctor and Eset Nod32.


Smiley Source

Also known as: Best Offers Networks Smiley Source(Sunbelt) SmileySource


Smitfraud

Smitfraud appears to users as a security application looking for malware. This trojan displays fake alerts to scare the user into paying for the program.


SmsDialer

SmsDialer is an adult content dialer. Creates URL shortcuts on Desktop.


SmutFraud

This is a Smitfraud variant that is installed onto the victim PC through dubious pornographic material. Once installed, it creates a remote connection and uses the victim PC to generate clicks from lesser-known search engines.


Snape

This is a Polish trojan that gives the hacker the ability to take control of the infected computer.

http://www.hacker.pnet.pl/Snape.htm


Snid

Also known as: Snid.120 Snid.212

This is a RAT Trojan that has the ability to gain access to your computer through port 1784.


SniperNet

This is a RAT trojan that has the ability to gain access to your computer through port 667.


SoduiSearch

Also known as: SoBar

This is a Chinese-based adware that is often installed in Chinese trojan bundles.


Softtec Dialer


Sogou

Also known as: Adware.Sogou Adpush Software

Sogou delivers advertisements to the user's computer. It also uses a Browser Helper Object to track the user's internet search queries.


Sohanad

Also known as: sohanad.U!worm.im (Fortinet) Win32/Sohanad.AI

Hijacks Yahoo Instant Messenger and Internet Explorer. Disables registry editing and Task Manager functions.


Solid Peer

Also known as: Buddy

Usually comes bundled with Morpheus. Displays targeted pop-up advertisements. Tracks websites visited.


Solitaire

Also known as: Backdoor.Solitaire


SongSpy

This application is bundled malware. It is a vector for WhenU products and Free Download Manager.


SOSO Toolbar

Softomate Toolbar variant of Chinese origin.


SoundBot

Also known as: W32/Polybot.l!irc (Mcafee)

SoundBot appears as Soundman.exe in the system32 directory of the infected computer. Once infected with this worm, it will map all endpoints on the victim's network. It specifically looks for open ports and weak login credentials. It also disables several security applications upon installation to avoid detection.


SP2Update

Also known as: Adware.SP2Update (Symantec)

SP2Update is an adware component that tracks the web pages visited by the user and shows advertisements based on them.


SpamBlockerUtility

The free version is ad-supported, though Hotbar states that you can disable ads through the preference menu.

http://www.spamblockerutility.com


Spambot.BXB

Also known as: Trojan.Spambot.BXB (Sunbelt) Trojan.SpamThru (Symantec)

Changes the hosts file to prevent access to security and antivirus Web sites. Can allow remote access and use its own email engine.


Spamforo

Also known as: Trojan.Spamforo, Troj/ConycSp-G(SOPHOS)

Spamforo is a trojan that sends spam mails from the infected computer.


Spammit

Also known as: Troj/Spammit-E, Troj/Spammit-H (SOPHOS), SpamTool.Win32.Agent.h

Spammit is an e-mail spamming trojan. It has its own e-mail engine.


SpamThru

Also known as: Spam-DComServ (McAfee) Troj/SpamThru-D(Sophos)

SpamThru uses its own email engine to send spam emails. This trojan also blocks access to several security-related sites by modifying the Windows Hosts file.


Spazbox


SpecialOffers

Also known as: Special Offers Ez-Tracks EzTracks


Specrem

Also known as: Backdoor.Specrem.60 for server.exe, STools.exe Backdoor.Specrem.61.b for SMessage.exe, Updater.exe Backdoor.Specrem.61.c for DelLogs.bat

From the Website: Total multi-control. You can control even the whole network at the same time. Full batching support. Control remote computer's files, windows, processes, services, desktop and many more. Wake-Up-on-LAN can be used to remotely power on several computers at the same time. Telnet-support. 128-bit secure encryption (not implemented in Alpha-version) is used. Telnet-connections work unencrypted. Supports connection routing from one server to another. Both, the client and the server, are fully multi-threaded. Client program supports grouping the addresses for large networks. WMI-features, like remote shutdown, service control, process control and remote command. Webupdater program to find and download the latest updates.

http://koti.mbnet.fi


Spector.Trojan

Also known as: Trojan.Spector Spectre Trojan Horse The Spector Trojan:Spector TROJ_SPECTOR VGEN/265.0 Trojan.Spector

This trojan erases all files in current directory. It is a DOS COM file.


SpediaBar

Also known as: Spedia Bar

Toolbar that pays you to surf the internet while showing advertisements.

http://www.spedia.net


Speer

Speer is a browser helper object which shows a lot of popups.


SPlanet

Also known as: Dialer.SPlanet (Symantec)

Changes the Internet Explorer start page and calls high-cost numbers using the modem.


Sporkeh

Also known as: Sp0rkeh

This virus is considered to be extremely dangerous. Aside from playing tricks on the victim, like switching right and left clicks and changing the load screen, Sp0rkeh also wipes out all information on the victim's hard drive. It also destroys several system processes so that the computer is unable to run.


SpotOn

Also known as: Flashtrack Spot On

An IE browser helper object. It monitors your communication files when you enter search terms into any search engine, then attempts to deliver contextual ads.

http://www.flashtrack.net/


Spy Wiper

Also known as: Spy Wiper, SpyDeleter, Spy Deleter

Created and sold by Seismic Entertainment Productions Inc., Smartbot.Net, Inc., and Sanford Wallace. We have also noted countless "affiliate" sites promoting this software. Rogue "anti-spyware" that uses adware mechanisms to deluge users with pop-up ads urging users to buy their solution. The FTC alleges the companies covertly installed the software on computers, causing systems to be deluged by pop-up advertisements, and then sending messages saying they needed to buy "Spy Wiper" or "Spy Deleter" for $30. The FTC also alleges the defendants have unfairly: changed consumers' Web browsers, installed advertising and other software programs, and compelled purchase of anti-spyware software. The FTC is asking the court to temporarily: Restrain defendants from publishing, disseminating or distributing software code, script or any other content on or through the Internet, Web and other places. Require defendants to remove the software script that exploits Web browser vulnerabilities from any Web site, Web page, and other places. Require defendants to produce documents relating to their Internet marketing.


Spy-Agent.ak

Also known as: Infostealer.Bzup (Symantec)

Spy-Agent.bg steals infected users' computer information and sends it to a remote server. Steals sensitive banking information and information entered into HTML forms. Also reduces security settings. Installs as a Browser Helper Object for Internet Explorer.


Spy-Agent.bg

Also known as: Troj/Bckdr-OWM (SOPHOS),Spyforms.A (Panda)

Spy-Agent.bg steals infected users' computer information and sends it to a remote server. Uses rootkit technology to cloak its files. May download other files. Also reduces security settings.


Spy-Shield 4.1

Also known as: Spy Shield

This rogue anti-spyware application is often distributed by means of misleading sponsored links. In order to install this application the user must agree to install "A Better Internet" adware also. From the EULA, Spy-Shield is integrated with a third-party ad-serving client which displays relevant, non-intrusive advertisements to the user. These advertisements ensure that we are able to keep providing users with the best free anti-spyware protection available. You acknowledge that you are aware of the placement of these advertisements within Spy-Shield and agree to their display.

http://www.spy-shield.com/


Spy-Shredder 4.5

Also known as: Malware Destructor

This is a security application that lures customers into buying the product by displaying false positive malware detections on the victim's PC.


Spy.Win32.Agent.mn

Also known as: Troj/Agent-BQK (SOPHOS)

Opens up a backdoor for a remote attacker. This trojan injects itself into explorer.exe and has the ability to send spam mails.


SpyAssault

Also known as: spy assault ss32

Claims to be a spyware remover/scanner, but installs the Favouriteman spyware.

http://www.spyassault.com/


SpyAway

Also known as: Spy Away

SpyAway gets installed through false Windows alert messages and false Internet Explorer warnings shown by a Trojan Downloader. This Trojan Downloader also drops many files masquerading as malware files so that SpyAway can detect them, to convince the user that the computer is infected.


Spyaxe

Also known as: SpyTrooper, TopAntiSpy Spy Axe, Pot.SpyAxe

This rogue antispyware product is normally bundled with different trojans as a way of installation. These trojans normally have the ability to alter your desktop to an HTML page that will warn the user of a spyware infection.

http://www.spyaxe.com


Spyblast

SpyBlast is a program that claims to detect intrusion attempts. Installed by ActiveX drive-by download, thought to be in pop-up adverts. Opens pop-up ads periodically. Created by Teknosurf, part of Advertising.com. From their own pages: "Examples of information that we collect include URLs of visited pages and your IP address."


SpyBot-CY

Also known as: W32/SpyBot-CY(SOPHOS)

This worm attempts to disable security software and open ports on the compromised computer. It can allow an attacker to connect to the computer to control the keyboard, log keystrokes, run, copy or delete files, set up a webserver to allow access to files, and control the CD-ROM drive.


Spybouncer

This rogue anti-spyware is found by going to the URL www.goggle.com. Extremely deceptive advertising and ActiveX install. Also on the Rogue Anti-Spyware list at Spyware Warrior. http://www.spywarewarrior.com/rogue_anti-spyware.htm


SpyCar

From their website: "Spycar is a suite of tools designed to mimic spyware-like behavior, but in a benign form. Intelguardians created Spycar so anyone could test the behavior-based defenses of an anti-spyware tool. Spycar runs only on Windows, the same platform most targeted by spyware developers."

http://www.spycar.org/Welcome%20to%20Spycar.html


SpyContra

This is a rogue antispyware that claims to make the system malware-free, but shows false positives and asks for registration to clean it.


Spycrush 5.1

Spycrush uses overly aggressive advertising methods such as popups and misleading scan results as a scare tactic to lure the user to purchase the full version of the software.


SpyDawn

This is a rogue anti-spyware application. Can be installed without the user's consent.

http://www.spydawn.com


SpyFalcon

Also known as: Spy Falcon

This rogue antispyware product is normally bundled with different trojans as a way of installation. These trojans normally have the ability to alter your desktop to an HTML page that will warn the user of a spyware infection.

http://spyfalcon.com


SpyFighter

This is a rogue anti-spyware. This is listed on the Rogue Anti-Spyware site from spywarewarrior. http://spywarewarrior.com/rogue_anti-spyware.htm


SpyHeal 2.1

Also known as: Spy Heal

SpyHeal is a rogue antispyware which displays false detections on the user's machine and forces them to buy the product.

http://spyheal.com/


SpyMarshal

This is a Rogue Anti-Spyware. http://spywarewarrior.com/rogue_anti-spyware.htm

http://www.spymarshal.com/


SpyOnThis

Also known as: Spy On This

SpyOnThis affiliate claims "...SpyOnThis is a powerful alternative to HijackThis for anyone facing problems with Spyware, Adware, and Hijackers on their PC...". Once installed it will provide many erroneous results in a clean Windows Operating System. Will not let you remove the program unless you purchase the full version. No valid uninstaller found in Windows Add and Remove programs. Uninstaller found in SpyOnThis program directory, but does not perform a complete uninstall. Also listed at: http://www.spywarewarrior.com/rogue_anti-spyware.htm

http://www.spyonthis.net/index.html


SpyShredder

Also known as: Spy Shredder

http://www.spy-shredder.com/


SpySoldier

This is a Rogue Anti-Spyware. This rogue is listed on the Rogue Anti-Spyware list by Spywarewarrior.com http://spywarewarrior.com/rogue_anti-spyware.htm

http://spysoldier.com/


SpySpotter

Also known as: Spy Spotter

Allegations of aggressive advertising (distribution via drive-by downloads) and false positives to goad purchase. Third parties document relationships with other "rogue" applications: #1 Spyware Killer, Max Privacy Protector, SpyDoctor, SpyFirewall, Spyinator, SpyKiller 2005, SpyLax, SpywareThis, & Spyware Protection Pro. Site Advisor Advisory: "Feedback from credible users indicates this site engaged in one or more negative or undesired activities." For additional information consult these references:

Reference: http://www.spywarewarrior.com/rogue_anti-spyware.htm

Reference: http://www.spywarewarrior.com/family_resemblances.htm

Reference: http://www.siteadvisor.com/sites/spyspotter.com/summary/

Reference Prevx: http://virusinfo.prevx.com/pxparall.asp?PXC=b0d32688598

Reference Smart Computing: http://www.smartcomputing.com/QABoard/QAMain.aspx?search=fq&fqid=484364

Reference CastleCops: http://castlecops.com/startuplist-5901.html

Product is currently under review, however as of 05.08.2006 the site reports: "Sorry for the inconvenience, SpySpotter is not available for download at this time. Please check back again soon."

http://www.spyspotter.com


SpyVampire

This is a rogue anti-spyware. They are listed on the rogue anti-spyware list provided by spywarewarrior.com http://www.spywarewarrior.com/rogue_anti-spyware.htm

http://spyvampire.com/


Spyware Cleaner

Also known as: SpywareCleaner

This rogue anti-spyware was run on a clean machine. False detections and false positives were prevalent. It was detecting good programs such as Ultra Edit. They are listed on Spyware Warrior's rogue site: http://www.spywarewarrior.com/rogue_anti-spyware.htm


Spyware Guard 2008

This is a rogue antispyware. This should be removed from your computer if found.

sguard2008m.com


Spyware Quake

Also known as: SpywareQuake

Spyware Quake is associated with SpyAxe, SpyFalcon & SpywareStrike. Spyware Quake is normally bundled with different trojans as a way of installation. These trojans normally have the ability to alter your desktop to an html page that will warn the user of a spyware infection. Spyware Quake can report false detections of spyware to scare the user into purchasing the product to remove the false infections.

http://www.spywarequake.com/


SpyWare Secure

This is a rogue anti-spyware. They are listed on the rogue anti-spyware list provided by spywarewarriors.com http://www.spywarewarrior.com/rogue_anti-spyware.htm

http://www.spyware-secure.com


Spyware Soft Stop

Also known as: SpywareSoftStop

Spyware Soft Stop is a Rogue Anti-Spyware. Spyware Soft Stop installs six rogue files that it then detects and falsely displays as spyware in the scan results, seemingly to scare the user into paying for the application. These same six junk files are displayed as spyware with a different name in the next scan.

http://www.spywaresoftstop.com


Spyware-Wiper 1.02

This is a rogue anti-spyware application that is installed as a part of the Troj.Winrar Crack. Executables are installed without the user's knowledge. The site is full of broken links and functionality. It is also impossible to buy the product from that site. None of the purchase links work.

http://www.spyware-wiper.com/


SpywareLocked 3.3

This is a security program that is installed from the Zlob trojan. Once installed, it continues to prompt the user to purchase the full version of the program.

http://spylocked.com/


SpywareNo!

Also known as: Spyware No!

Rogue Anti-adware application. Changes Windows policy settings. Displays a warning from the system tray that your computer is infected with spyware. Will not let you remove the spyware unless you buy the full version. Changes the desktop wallpaper with a warning message: "Your System Is Infected". Found bundled with 7 other adware products including a dialer from another website. The infection comes in the guise of winlogin.exe from this site: vxiframe.biz/adverts/progs/winlogon.exe. If you Google the file name it will yield a perfectly legitimate file from Windows. However, the contents of the file refer to this location: C:\Program Files\SpywareNo\SpywareNo.exe.

http://www.spywareno.com


SpywareSheriff

Also known as: SpySheriff

SpywareSheriff is a professed anti-spyware application to scan for and remove spyware from users' computers. SpywareSheriff is typically installed without notice or may come bundled with other malware threats. It claims to find spyware but will not remove the supposed spyware unless the user pays for the program. SpywareSheriff displays pop-ups on the desktop. Extracts from EULA: 1. Information we collect may include your name, address, telephone number, email address, credit card information, and personal interests. 2. What Information We Collect: At various times, SpywareSheriff requests personal information. This can be done while you are visiting the site, or during a purchase via our Web site, phone, or fax. 3. Your consent: By visiting and purchasing products through SpywareSheriff's Web site, you authorize SpywareSheriff to collect and use the information described above.

http://www.spywaresheriff.com


Spywarestrike 2.5

Spywarestrike is a rogue antispyware that acts with the other rogue antispyware program called Spyaxe. This program shows a message, which normally says that the compromised computer is infected with dangerous spyware parasites (that it has actually installed) and asks the user to download and install an anti-malware program, which actually is SpywareStrike. This rogue antispyware automatically starts up at every boot process.

http://www.spywarestrike.com


SQuery

Also known as: Adware.SQuery (Symantec)

Displays advertisements while browsing the internet.


Srv.SSA-KeyLogger

Also known as: Backdoor-CCT(Mcafee) TrojanSpy.Win32.Dumarin.g Backdoor.Nibu.E Winldra

Logs keystrokes and captures data from the Windows clipboard, cached passwords, and information from the Windows protected storage area, and tries to steal Internet and mail account passwords and usernames. Attempts to log financial and other information using the window titles containing the following strings: Storm e-metal Money money WM Keeper Keeper Fethard fethard PayPal invest casino bookmak member Invest Casino Bookmak Member login Login. Changes the behaviour of Internet Explorer and Windows Explorer and opens up a random listening port for remote access. Sets mappings in the Windows hosts file to prevent access to anti-virus and security sites.


SSK-UPdater

This is believed to be part of SurfSideKick. VCClient and other files are dropped. This is under investigation.


Starcross 1.0

TCP Portscanner, MailBomber, Basic Keylogger, TCP Nuker

http://www.cppfrance.com/code.aspx?ID=9884


StarDialer 1.0

Also known as: Mainpean

This dialer comes in many different packages, most from porn sites.

http://www.stardialer.de/


StarHider Loader

This Trojan will allow the attacker to gain remote access.


StartGuard

This is a rogue anti-spyware. This is listed on the Rogue Anti-Spyware site by spywarewarrior.com http://spywarewarrior.com/rogue_anti-spyware.htm


Startmake


Startnow

Also known as: hyperbar

Changes the Internet Explorer start page.

http://www.startnow.com


StartPage

Also known as: JS/IEstart.gen Trojan Horse Trojan.Seeker.162 JS/Startpage.N* JS/StartPage.I Trojan.JS.StartPage.n

This Trojan is written in JavaScript. When launched, it changes the home page address of Internet Explorer.


StartPage-HG

Also known as: Trojan Horse (Symantec) Adware/Startpage.EG (Panda)

This is a CHM exploit. When the CHM file is run it drops an executable file into the system32 directory and executes it. Once the executable file is run it changes Internet Explorer's start page and search page.


Startpage.16.BD

Also known as: Adware/StartPage.AVD

Changes browser settings of Internet Explorer such as the start page, search URL, search assistant, etc. by changing the registry values. Sets the start page of Internet Explorer to res://msn.dll/index


StartSurfing

This is an application that is used for surfing assistance and suppressing popup advertisements. It changes Internet Explorer error pages.

http://www.startsurfing.com


Starware Toolbar 3.2.2.0

Also known as: CursorCafe Cursor Cafe Smileytown Smilietown Smilytown

This adware program is in the form of a browser plugin. This toolbar program makes www.starware.com your IE browser's start page and 404 (page not found) error page. Using this toolbar to search will give the user places where they can buy products from their affiliates. Even when you do not use this search engine for your searches (and use, for example, google.com), it will monitor the search behavior and display advertisements at the bottom of your IE browser.

http://www.starware.com/2.0.0.0/index.php


StatBlaster

http://www.statblaster.com


Stawin-PWS

Also known as: Troj/Banker-V(SOPHOS) Stawin PWS

Logs keystrokes and stores them in windows\klogn.txt. Only logs this information from windows that have any of these strings in the title bar: e-Bullion, e-gold, PayPal. Sends the klogn.txt via email to afr55in@mail.ru


Stdecodw


Stealth Redirector

From the doc: 'a program that sends the copies of all outgoing emails. SER monitors outgoing traffic of email client software and intercepts all sending emails. Then program sends out intercepted emails to specified email addresses. Stealth Email Redirector (SER) do not intercepts emails are sending from web-based email services like a www.yahoo.com, www.hotmail.com etc.' This is a typical trojan program, with "server", "client", "server editor" etc. A real shame that they distribute it at sourceforge.


StickyPops

This is adware and also a Browser Hijacker.


Stop Popup Ads Now

Also known as: stoppopup

Claims to be a free popup ad killer. Adds its own advertising; the EULA allows it to log surfing behaviour and install other software. Assigns a unique tracking code to each installation. Redirects homepage, search page and "page not found error" pages. Installed by drive-by installs.


Storm 1.2

Also known as: DDoS.Win32.StormAttack.12

This will perform DDoS attacks. This Trojan can also send information to the attacker.

http://hostcontrol.9p.org.uk/myprograms/myprograms.html


Storm.Trojan

Also known as: Trojan.Storm QDel102 Trojan Horse Troj/QDel102 Trojan:Storm TROJ_QDEL.102 TR/Storm QDel102-Storm-B Trojan.Storm.A

Storm is a DOS trojan. When Storm starts it destroys all files on all available drives, starting with C:


STRAd32

STRAd32 is a Browser Helper Object.


StripPlayer

Also known as: strip-player StripSetup

A downloader for a premium-rate phone dialler providing access to the porn site strip-player.com. Installed by ActiveX drive-by-download on porn-related pages from strip-player.com (which might be opened by pop-up advertising). Installation can happen totally automatically on versions of Internet Explorer older than IE6 Service Pack 1, as a security hole is exploited to add the manufacturers, 'Electronic Group', to the list of publishers you trust, allowing them to install any software they like. The 'StripSetup' ActiveX control can be used on any web page, by any author, to download and run any executable file. There are no security checks whatsoever.


Stwoyle

Also known as: Trojan.Stwoyle (Symantec), Delf.AJ (research.sunbelt), Purstiu.A

Stwoyle installs as a Browser Helper Object and sends system information to a remote server. Variants of Stwoyle are capable of downloading additional files and executing them.


Sub Seven

Also known as: sub seven sub7 subseven Subseven.100 SubSeven.180 SubSeven.190 Subseven.200 Subseven.214 SubSeven2 Backdoor.SubSeven.22.a BackDoor-G22, BackDoor-Sub7 SubSeven.backdoor.v22 TROJ_SUB722

From the Website: Functions: send messages or questions to the victim; open the default browser at the specified address; hide or show the Start button; take a screen shot of the victim's desktop; disable keyboard.

The SubSeven backdoor was first discovered in May, 1999. First samples of this backdoor were not packed, but later some packed versions appeared which were not easy to detect with contemporary anti-virus programs that had no Win32 'Aspack' file compressor unpacking support. The backdoor is usually distributed under different names via newsgroups and e-mails.


SubSearch

Also known as: HighTraffic Qual Net QualNet e2d e2g

HighTraffic is an Internet Explorer Browser Helper Object which opens advertising. It detects when you are using a search engine, and opens its own 'enhanced results' sidebar containing paid links. This is styled to look a bit like the search engine you are using at the time. SubSearch/HighTraffic was the original version from December 2002. Its controlling server is www.hightrafficads.com. There are two subvariants, /A (from 11th December) and /B (17th December) which seem to vary only in their class ID. SubSearch/v2 is a version rewritten as a single DLL, from January 2003. Its controlling server is www.popunder.info (with www.cpcads.com apparently acting as a backup). It opens a characteristic 'Enhanced Search' with sponsored links when you use any other search engine. SubSearch/v21 and SubSearch/v22 are updates to v2. v22 adds an explorer-bar-search hijacker pointed at www.dothesearch.com. Currently there is no unique ID or cookie being used to track search usage. It can be directed by any web page to download any file and write it anywhere to the filesystem, including over other program files which may then get run.

http://www.hightrafficads.com/


SubSeven 2.2

Also known as: Backdoor.SubSeven.22.a BackDoor-G22, BackDoor-Sub7 SubSeven.backdoor.v22 TROJ_SUB722

From the Website: Functions: send messages or questions to the victim; open the default browser at the specified address; hide or show the Start button; take a screen shot of the victim's desktop; disable keyboard; chat with the victim; start/stop the victim's PC Speaker; restart windows; open/close the CD-ROM; set the length of the victim's mouse trails; set a password for the server; get all the active windows on the victim's computer; enable/disable a specified window; disable the close button on a specified window; get a list of all the available drives on the victim's computer; turn monitor on/off; show/hide the taskbar; get more information about the victim's computer; change the server name; listen for all the pressed keys; record sound; get the file's size; download/upload/execute file; set wallpaper; play file on the victim's computer; reverse/restore mouse buttons; set the online notification on/off; close the server on the victim's computer.


Suggestor

This is a trojan dropper that will set up a running process called winsysban8.exe or hpsw.exe. These running processes are started by randomly generated autostarters in the infected machine's registry.


Sumtax


Supaseek

http://www.supaseek.com


Super Spider

Also known as: SuperSpider, Melkosoft Cassandra, DNSErrObj, Sypware.MelkoSoft, Troj/Small-JU (Sophos)

This adware drops a file on to your file system and a few registry keys. This is a super low level threat - but will drain system resources. Drops many URL entries into Favorites Menu of IE. All files have Company Name as 'Melkosoft Corporation' under the Version Tab.


SuperBar

SuperBar is an IE toolbar offering search and form-filling features. Adds links to the results of other search engines, dressed up to look as if they come from the search engine itself; in fact they are from the site greasycow.com. The software can download and execute arbitrary code silently from its controlling servers. The SuperBar licence includes a clause stating that third-party software may be installed through this mechanism. From the EULA: You acknowledge that "Gigatech Software" may, at their sole discretion and for any purpose, provide updates, automatic or otherwise, to the "SuperBar" Program(s) (including but not limited to the advertising or other value-added software and technology described in paragraph 4, below); by your use of the "SuperBar" Program(s) you acknowledge your desire to receive these updates.

http://www.gigatechsoftware.com/


Superlogy

A hijacker that drops several files on your system taking up a fair amount of system resources.

http://www.Superlogy.com


SuperUtilBar

Also known as: 6781Toolbar Adware-Baidu (McAfee)

SuperUtilBar is a search toolbar of Chinese origin. It is often installed in trojan bundles.


SuprIce

Also known as: Trojan.VMMSWM (Prevx)

This is a worm that spreads itself via MSN Messenger. The infected machine will send everyone on its contact list a message such as "holy ****, have a look at this!!!!!! www.windowslivemessenger.biz/m...". This site downloads contactinfo.scr.


Surebar


Surf Accuracy

Monitors keywords typed in search engines and sends this information to a server. Displays popup advertisements.


Surf Player

This is a player for different radio channels. The program also has legitimate uses. It can display banner and pop-up advertisements.


Surf Speak

Also known as: SurfSpeak

Surf Speak passes each keyword typed in the browser window through this URL: "http://<Something>:7777/SearchKeyword.dll?".


Surfairy

Also known as: divago

Surfairy is an error-page hijacker implemented as an Internet Explorer Browser Helper Object. When a domain name or 404 error is encountered, it redirects to a page specified by its controlling server www.divago.com. Divago are now believed to be defunct, as this page is now itself an error page. Surfairy/Hlp was the original version; Surfairy/PP is an update with different filename and class ID. Comes bundled with new Packard Bell computers in Europe. Causes IE6 Service Pack 1 to be unable to print any page. The page that surfairy changes you to is listed as for sale. Legacy versions may still be in circulation.


SurferBar

Also known as: AdPlus AdBar AFlooder JunkSurf.A Trojan.Win32.Dialer.c [Kaspersky], Win32/Dialer.C trojan [Eset]

Surferbar is an Internet Explorer toolbar that might be associated with a new version of a trojan horse program called AFlooder. It appears to be an ActiveX drive-by download. It sets your homepage to their website along with displaying popup ads. The old homepage at surferbar.com seems to have died. The new AFlooder variant is an IRC trojan/spybot that uses worm techniques to spread to machines via web pages. It is apparently coded to have qualities of remote access trojans, IRC bots, keyloggers, and even seems to have the capability to carry out DDoS attacks if the owner orders it to. It uses an exploit to write and execute its injector program to machines without the user's acceptance or knowledge, then it uses NTFS's alternate file streams to hide itself where there's very little chance of finding it, in the actual Windows folder system32.

http://www.adbars.com


SurfSideKick

Also known as: SurfSideKick3 Surf Side Kick

Downloads and displays advertisements. This has been known to install without user consent by way of ActiveX installation. The uninstaller they provide does not uninstall SurfSideKick completely. After uninstallation, you will be asked to reboot. The next time you open up a browser a file called sskrepairinstall.exe will run and reinstall the application. The .exe is then deleted by SurfSideKick.

http://www.surfsidekick.com/


Surila.aw

Also known as: Troj/Surila-I(SOPHOS)

Surila.aw is a backdoor trojan. Adds itself into Windows Firewall Authorized application list. This trojan also sends spam mails from the infected computer.


SweetBar

Also known as: Adware.SweetBar (Symantec) ADW_SWEETBAR.A (TrendMicro) SweetBox Sweet Box Sweet bar

Displays advertisements and contacts certain website for configuration information.


SwimSuitNetwork


Switchdialer

Also known as: Switch dialer


Swporta

Also known as: Backdoor.Win32.Delf.ak , MS7531

Swporta is a trojan that changes the browser's start page to a local file. This local file is capable of running an ActiveX script.


Symfly

Also known as: Flyyulov, Spyfly, Win32.Agent.aww

May download other malicious files from remote server. Adds itself as an authorized application with the Windows firewall. Sends/Receives UDP datagrams to remote servers to download/upload configuration information.


SyncroAd

Also known as: Adware.SyncroAd winupdates


Syscomdloader


Syscpy

Also known as: Atztecmarketing

An adware application that serves ads to your computer and in some cases will hijack your start page.


Sysda

Also known as: Spy-Agent.da

This is a group of trojans that are designed to sit and listen for a specific URL related to users entering sensitive information such as a username and password. Once a certain site is navigated to, it posts the username and password data to a remote site accessible to the attacker.


Sysid

Creates a directory in the common files directory that sets up an autorun service, an update service, and the core executable for the worm. The worm spreads itself by e-mailing itself out through Microsoft Outlook.


Sysil


System Process

Also known as: AdClicker-DF (McAfee) BHO Plugin

System Process installs as a Browser Helper Object for Internet Explorer and displays popup advertisements. It also changes Internet Explorer browser settings. Adds a lot of site names under "Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\" and sets their value to "5". During the uninstallation process, the value is changed to "1", so that they are always allowed. From the site license (http://www.system-processes.com/liscense.php): System Process does anonymously collect and use the information of the following kinds: At times we may ask you to participate in a voluntary survey. In the event that System Process merges with any other company, transfers, or sells substantially all of its assets or capitol stock, to a third party, all collected information would be included in the merger ("Merger"), transfer or sale and that company would be bound by these Terms and Conditions, just as we are bound today. Distribute advertisements and internet search results to the user or other users using the System Process software as part of System Process's network.


System Soap Pro

Also known as: Soap Pro

This is another toolbar that will display advertisements. It is installed without your knowledge.

http://www.systemsoap.com


System1060


System61


SystemDoctor 2006

Also known as: System Doctor

This is a miscellaneous antispyware and optimization tool whose unregistered trial version is installed in many Trojan bundles.


SystemSearch


SystemStable

SystemStable is a Rogue anti-spyware application which shows infected objects on completely clean computers. SystemStable gets installed through false Windows alert messages and false Internet explorer warnings shown by a Trojan Downloader. This Trojan Downloader also drops many files masquerading as malware files so that SystemStable can detect them to make the user believe the computer is infected in order to convince the user to buy this Rogue anti-spyware.


SystemVXD Dialer

Dialers are software that dials a phone number. This usually happens without the end user knowing about it - causing long distance charges.


Sysupd

Also known as: Sysupd.exe


T.H.U. Zer0 Tolerance 1.9

A Trojan written in Visual Basic 6. Some of the trojan options are: open close cd draw, hide mouse, send message, disconnect internet, flip mouse buttons.


Tafbar

http://www.tafbar.com


TagAsaurus

TagAsaurus is a simple search engine query client installed by other malware without the user's knowledge and consent.


Taladrator

Also known as: BackDoor-AIN trojan, Backdoor.TALADRATOR.30 , Backdoor Program [Panda], Backdoor.Taladrator.20, Backdoor.Taladrator.2003, Backdoor.Taladrator.31, Backdoor.Win32.Taladrator.21.a [Kaspersky], BackDoor-AMU [McAfee],BitArts [Kaspersky], Trojan.Win32.Cuhmap

Taladrator provides an attacker with the capability of remotely controlling the victim's machine.


TanyaBabe

Also known as: Tanya Babe W32/Agent-GCG [Sophos]

Tanya Babe sends messages to users in Windows Live Messenger. The messages contain links to help spread the infection. Once this infection has compromised the PC, it will send messages to everyone on the victim's Windows Live Messenger contacts.


Targetnet

Also known as: target net


TargetSavers

Also known as: Target Savers Target saver targetsaver

Monitors windows for key words stored in a vocabulary file. Displays advertisements based on words found in windows.


Tatss


TBT Nightmare

The TBT Nightmare Trojan can take control of the victim's machine once the server application is executed. The attackers can open a website on the victim's machine, send messages, manage the control panel and execute any application on the victim's machine.

http://www.am20forces.cjb.net


Tdak Searchbar

This is a task bar that seems to be directly related to porn sites.

http://www.tdak.com/searchbar.html


Tele Team Work Dialer

This is a dialer that is downloaded onto the victim PC via an Active X control.


Telemedia

Also known as: Dialer.Telemedia.C

Telemedia is an adult content dialer program.


Tellafriend

Also known as: ZeroPopup ZeroPopUpBar

Uses "viral" marketing techniques to send an email message to all contacts found in the Windows Address Book and Eudora Address Book. The user does not have sufficient opportunity to agree to the End User License Agreement (EULA) displayed on the web page associated with this installer. A link to the web page containing an installer for this trojan may arrive in an email message. The ads are for an application called "ZeroPopups", which changes your homepage and search page in Internet Explorer.

http://www.zeropopup.com/


TerrorTrojan

Also known as: Force.155 TerrorTrojan.100

This is a trojan that has the ability to drop its adware payload onto your computer through ports 3456 and 8811.


TestTimer


TGDC

Also known as: TGDC IE Plugin Tgdc.exe shopforgood.com MarketDart

A plugin for IE that someone seems to know where it came from. References in the code point to shopforgood.com


THC-CUPASS 1.0

CUPASS uses techniques to guess the password of ANY user on a WindowsNT/W2K server or domain. CUPASS uses a flaw in the implementation of Microsoft's NetUserChangePassword API to guess/change the user's password. This release is the proof of concept code for the THC-Paper "CUPASS and the NetUserChangePassword Problem".

http://people.freenet.de/rechenzentrum/2003.html


The Search Accelerator

Also known as: UCMore UCmore XP UCmore Toolbar ucmie

This is installed via P2P programs. It's supposed to speed up searches, but you are directed to a portal that is not of your choice. UCmore is an Internet Explorer toolbar. When shown, it displays links to other sites it deems connected to the current page.

http://www.ucmore.com/


The Snake Trojan 1.0 beta 2

Also known as: Trojan.JS.Snake

Trojan with a client, server, edit-server.


The TIc.K 4.0

Also known as: RUX The TIc.K 4.0

http://littlehack.free.fr/test/rnstick40.htm


Theef 2.0

Also known as: Theef.20 Theef.4

http://theef.4-all.org/


TheefLE

Also known as: TheefLE.100 Theef

This is a RAT Trojan that has the ability to gain access to the infected machine through port 9580.


TheFlu

Also known as: TheFlu.100

This is a trojan that has the ability to add functionally unrelated software and remotely connect to the infected machine through port 5534.


TheLocalSearch


Themexp

This adware payload is promoted as a site for desktop themes and wallpapers for Windows Vista. In order to download the free desktop themes, you must download several other adware related programs.


Thing 1.6

Also known as: Backdoor.TheThing.16 Thething.100 Thething.150

Trojan or Trojan Horse is a general term that refers to programs that appear desirable, but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer where a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage.


Think-Adz

Also known as: Think-Adz, Enhanced Ads by Zeno ,ThinkAdz Zenotecnico.Think-Adz (CounterSpy)

Can display pop-ups and pop-unders of special offers and services at the moment that they are most relevant to the user.

http://think-adz.com


Throd.a

Also known as: Backdoor.Throd.a BackDoor-CEV Backdoor.Sysdot BackDoor.Throda Troj/BDThr-A Backdoor:Win32/Throd.A BDS/Throd.A.2.B Win32:BMP-SYS Backdoor.Throd.A

Throd is a Trojan that allows a 'master' to use the zombie machine as a proxy server.


TIBS

Also known as: telepay sexdialer tbs browserplugin websiteviewer directplugin TIB Browser

This is a premium-rate dialer program for adult sites and contains a browser component.

http://www.tibsystems.com/


Tibser

Also known as: TrojanDownloader.Tibser Trojan-Downloader.Win32.Tibs.df

This Trojan downloads a lot of files without the user's knowledge. The downloaded files in turn download many other malware and possibly rogue anti-spyware applications. It also disables Task Manager.


TinkoPal

This search assistant is a little different from the others. Instead of attaching itself to your IE browser, it opens up an autostarter in the system tray. When the item in the system tray is activated it opens a toolbar-like application. Any search made in this toolbar will bring you to one of their sites.

http://tinkopal.com/


Tiny Trojan Loader


TinyBar

An Internet Explorer toolbar implemented as an HTML file, which may offer a search feature pointed at a generic portal.

http://www.tinybar.com


Titan Shield Antispyware

Also known as: TitanShield

This is a ROGUE AntiSpyware. We are seeing logs where users are hijacked to www.antispywarebox.com. Uses false positives to goad purchase. Please see the Rogue antispyware list created by Eric Howes here: http://spywarewarrior.com/rogue_anti-spyware.htm


TofSee

Also known as: Backdoor:Win32/Tofsee.F [Microsoft]

Tofsee is a trojan targeted at the gaming community in China. Once a machine is infected, it will monitor the victim's network for specific hosts looking to log in to gaming sites. It then stores the stolen information in a .ini file to be sent to the attacker at their convenience. It also disables several useful security applications by applying the appropriate Image File Execution Options.


ToneLoc 1.1

ToneLoc is a dual purpose wardialer. It can look for either dialtones or modem carriers. It is useful for finding PBX's, Loops, LD carriers, and other modems. It works well with the USRobotics series of modems, and most hayes-compatible modems. The exe file can be executed from the command prompt. From the Website: Wardialer / Scanner for the PC | A small yet powerful DOS based phone exchange scanning/dialing utility.

http://www.cotse.com/tools/phone.htm


ToolBar.SBSoft.h

ToolBar.SBSoft.h is a toolbar for Internet Explorer that may show pop-ups.


ToolbarCC

Also known as: ToolbarCC - Rnd

ToolbarCC is an Internet Explorer Browser Helper Object. When it detects you making a Google search, it redirects the query to its controlling server, two.toolbar.cc, which may redirect to another page or return you to Google. ToolbarCC/Rnd variants use a random four-letter filename. Other variants use four random letters appended to a prefix chosen to sound like a Windows filename. ToolbarCC/Win files are prefixed 'win'; ToolbarCC/Pre uses prefixes that are themselves random; 'ms', 'com', 'wdm', 'kbd' and 'd3d' have been seen so far. It is currently unknown where ToolbarCC is coming from. The URLs of targeted search pages (including queries) are sent to the controlling server.


ToonComics

Also known as: CWS.ToonComics

The tooncomics.com domain is being redirected to porn sites.


Top Moxie

Also known as: CouponsandOffers WebSavingsfromEbates topmoxie MoeMoneyMaker

Sends ads to your computer or changes out core links with affiliate tracking links. Such ads may or may not be targeted, but popup, and are not merely displayed within the form of an ad-sponsored application. Top Moxie powers several shopping bars for large incentive shopping properties including Limewire, Upromise, General Mills BoxTops4Education and Ebates among others. The application is centered around user loyalty, "loyalty ware", and providing cash or other rebates to users who make purchases with their merchant partners. Appears to have the ability to log all activity in the click stream. Recent reports show the MoeMoneyMaker application, by Ebates, being installed via a browser security flaw.

http://www.topmoxie.com


Top20results

Looks like a variant of ToolbarCC

http://www.topresults.com


Topconverting

Also known as: Topconverting.Crazywinnings Topconverting.SPEYLOD

Downloads other malware without the user's knowledge.


Topfive searchAssistant

Also known as: Topfivesearch (eTrust) Top five search

It changes Internet Explorer's search page and redirects searches.

http://www.topfivesearch.com/searchassist.html


TOPicks 1.5

Also known as: toppicks top picks

The only thing TOPicks reports is surfing data feedback that is aggregated for the purpose of ranking all sites and identifying the top picks of the web.

http://www.topicks.com/download/


TopSearch

Also known as: Adware.Topsearch

Topsearch provides advertising content for Grokster and Kazaa users. TopSearch is also used as a search engine.


TopSurfer


TotalVelocity zSearch

Browser toolbar, often bundled with other programs, created "to provide you with alternate text search results when you are looking for something". Creates its own search results bar. Taken directly from their own page http://www.zsearchtoolbar.com/privacy.htm :

What information is collected:
- The web pages you view while surfing the Internet
- How and if you respond to the search results
- Your computer type, internet connection, operating system, browser and basic system set-up (screen resolution, time zone selected, etc.).
- What software you have on your computer

Also, there is a mention of a "randomly assigned marker that is tied to your computer".

What is done with this information: "We then take this aggregated and anonymous information about our Software users and share it with our current and potential clients"

http://www.zsearchtoolbar.com/


Townews


TPort

This is a trojan that has the ability to drop its adware payload onto your computer through port 1111.


TradeExit

Reported to create porn pop-ups. Site seems to be down for the moment.

http://www.tradeexit.com


TransmissionScout

Also known as: TransmissionScout.100 TransmissionScout.110

This is a RAT Trojan that has the ability to gain access to your computer through port 1999.


Transponder.DLMax

Downloads and installs other programs. It also sends information about the affected machine to a remote server.


Transponder.kz515

Transponder.kz515 is a VX2 transponder variant that installs itself as a Browser Helper Object and redirects the browser.


Tranzhva 1.0

Also known as: Backdoor.Delf.fv

An Iranian trojan. Gives the attacker full control over the victim's machine: log keystrokes, take screenshots, record audio, and mess with various files and system settings. The "server" program can be customised by the attacker, and is usually compressed with UPX.


Trex

Also known as: Trex.trojan

This Trojan attempts to connect to a Web site, download a binary file, and execute it on the local computer. After it runs, the Trojan attempts to restart the computer.


Tribal Flood Network 2000

Also known as: TFN2K


Tripod

Also known as: Backdoor.Tripod Backdoor.Trojan BackDoor.Tripod Backdoor:Win32/Tripod Win32:Trojan-gen. BackDoor.Tripod.A Backdoor.Tripod

This backdoor program obtains a file from the Internet and spawns it on a victim's machine in hidden mode. Upon being run, the backdoor copies itself to the Windows system directory.


Tro.Hocus

Also known as: Hocus (Sunbelt)

Tro.Hocus is installed behind a game.


Tro.Omerta 1.2

Also known as: Omertà v1.2 (Sunbelt)

Tro.Omerta is an application that provides a means to remotely control a user's computer.


Tro.S7crack

Tro.S7crack is an application that allows a hacker to remotely control a user's computer with malicious intent.


Troj-hackaim.irc

Also known as: Trojan-hackaim.irc, hackaim, hack aim

Troj-hackaim.irc poses as a hacking tool that claims to exploit a vulnerability in AIM to allow users to obtain other accounts' passwords. It prompts the user to enter the target AIM screen name which the user desires to be "hacked". The machine reboots, and at this point the trojan connects to an IRC server in the background and gives a message to the user that AOL has fixed the vulnerability. It then connects to various websites and downloads files of a malicious nature. Payload may change. Offers an uninstaller for the primary HackAim program but leaves behind malicious files designed to turn the computer into a drone.


Troj.Activate_crack

Also known as: TRO.DOWNLOADER.ACTIVATE_CRACK (Sunbelt)

Troj.Activate_crack is a trojan downloader used to download and install a number of malware threats. This trojan installs itself through an ActiveX control from crack sites. Troj.Activate_crack takes control of your desktop and changes the background. Troj.Activate_crack then displays ads all over your computer, making exploring the internet very difficult. What makes this trojan different from other trojans like it (such as Winfixer, Puper, Vundo, etc.) is that the desktop is altered by an HTML page, not a hidden window.


Troj.Agent.NZ

This is a Chinese-born trojan that installs a hidden .dll file called 3721.2.dll in your system32 directory. It installs adware related to CNSMin.


Troj.bank

This site, "http://www.pupinini.com.br", spreads trojans through JavaScript included in the HTML. It installs automatically when the user's browser hits the page. It then sends the user's MAC address, home page and time to an email address.


Troj.BankAsh-A

Troj.BankAsh-A is a banker and password-stealing Trojan. Troj.BankAsh-A will spy on a user's internet access. When certain banking and finance websites are accessed, the Trojan can display a fake login page or log keyboard presses in order to steal username and password information. Targeted banks include the following: Barclays, Cahoot, Halifax, HSBC, Lloyds TSB, Nationwide, NatWest, Smile. The Trojan can also steal email login details and passwords from the protected store. Periodically, this trojan will send the stolen details to a remote FTP site. Will also attempt to disable the beta version of Microsoft AntiSpyware. The Trojan may also attempt to deny access to a number of security-related and anti-virus websites.


Troj.Drev

Also known as: TrojanDownloader.Win32.Dler.11.a PWS-CZ Trojan Horse Trojan.Recure Troj/WebDL PWS:Dler.A Win32:Trojan-gen. Downloader.Dler

From Viruslist.com: When run, the Trojan installs itself to the system. While installing, the program downloads Trojans from a remote hacker's site and runs them. Optionally, it can install downloaded Trojans in the Windows registry to start automatically.


Troj.GoogleBot

This is a Trojan that installs a file called Googlebot.exe in the system32 directory of the compromised machine. Once running, it contacts several search engines looking for specific search strings usually related to pornography. It also adds itself as an allowed application through the firewall.


Troj.Lineage

Also known as: PWS-Lineage(McAfee)

This is a trojan designed to steal passwords for the massive multiplayer RPG, Lineage.


Troj.MassSender

This is a trojan that has the ability to distribute itself by mass mailing from the infected PC's contacts.


Troj.orkfotos

Troj.orkfotos spreads through Orkut. Once installed, this trojan sends system information through e-mail. It disables shutdown of the system. When the link in the Orkut scrapbook is clicked, it disguises itself as an MSN Messenger installer.


Troj.SCraft


Troj.Serial

This trojan installs various applications designed to monitor your surfing habits. The primary goal of this trojan is to install as many applications as possible that will watch and redirect your internet habits.


Troj.Small

This trojan releases a massive payload that includes several other trojans in its actual payload.


Troj.Sober

This trojan disguises its infected files as key Windows components in locations such as C:\WINNT\Help\Help\services.exe and C:\WINNT\WinSecurity\services.exe. A common symptom of this infection is random filenames in the running processes.


Troj.Soundmix

This is a trojan that originates from China. Troj.Soundmix drops several .dll files to the infected PC's system32 directory without an internet connection. These .dll files are disguised as important sound card resources.


Troj.Spammer

This is part of a botnet installation. Once installed, it will use your computer to send spam e-mails.


Troj.SVwhost

This is a trojan downloader program that installs many other infections once it is locked into your system. Many times, this trojan comes with either spywarestrike or spyaxe.


Troj.Torpig

Attempts to log open window titles to text files, keystrokes, and steal passwords. Periodically sends information to a remote user. Closes security warning messages displayed by some anti-virus and security applications. Downloads and executes additional files.


Troj.Weam

This trojan installs several files that are intended to look legitimate. Users should be cautious of sms_msn40.exe as well as any random filenames suddenly appearing in their running processes. Other parts of this trojan include a CLSID in the BHO section of the registry as well as autostarters that start up the infection when the computer reboots.


Troj.Windir

Also known as: Windir Trojan Windir SXS (Prevx)

This is a trojan that drops an adware payload that is related to Maxsearch's Toolbar888.


Troj.Winrar Crack

Also known as: Winrar Crack, Trojan.Nebuler (Symantec)

This trojan comes from an ActiveX drive-by download from porn and crack sites. The payload from this trojan includes a crippling amount of adware. Creates several entries in the user's IE Trusted Zones section in the registry.


Troj.Xiao


Troj/Agent-CL

Also known as: Sysctl Desktop Handler, Trojan-Dropper.Win32.Small.nn, Agent.CL (BitDefender)

Troj/Agent-CL is a downloader trojan that downloads more malware and executes it without informing the user of the process. It has been known to be installed through help file exploits.


Troj/Agent-EL

Also known as: Troj/Agent-GC Troj/Agent-EL(SOPHOS)

Troj/Agent-EL is a DLL which allows downloads and execution of files through HTTP.


Troj/Agent-ZD

Also known as: Proxy-Agent.ar (McAfee)

May download other threats. May provide remote attackers the ability to route internet traffic through the infected computer.


Troj/Agent.BA

Also known as: TrojanDownloader.Win32.Agent.ABM

Troj/Agent.BA is a downloader trojan that downloads other threats. Comes bundled with DCPlusPlus-0.668. DCPlusPlus-0.4032 also has this Trojan bundled in it. When DCPlusPlus-0.668 is executed, it generates cserv32.exe and ouapcker.exe. When ouapcker.exe is executed, it creates a temp file and downloads ISTBar from slotch.com. It also generates the following files:

- %windir%\gripo32.exe (a variant of ISTBar)
- %windir%\msodwo.exe
- %windir%\ouiast.exe (on execution this file creates webdir.dll, which is detected as Webdir Adware)


Troj/Banker-AAO

Usually dropped by other trojan downloaders. Sends a notification message containing information about the compromised computer to a remote server. May steal sensitive information from the infected computer and send it to a remote server. This trojan mainly targets financial institutions in Brazil.


Troj/Dloadr-SK

Also known as: Trojan.shellhook, Trojan.Clicker.Agent.tu , Trojan.Agent.ix , PWS-Hook.dll

This trojan adds a scheduled task in order to run at regular intervals. Also shows advertisements in separate windows.


Troj/PWS-ADS

Also known as: Win32/PSW.Agent.IM

Troj/PWS-ADS is a spyware trojan. This trojan deletes the Windows Hosts File from %windir%\system32\drivers\etc\


Troj/QHosts-S

Also known as: QHosts Troj/Hosts-C (Sophos) Troj_Qhost.F (Trend Microscan)

This trojan attacks Windows Firewall settings. Troj/QHosts-S is usually propagated through spam mails. When users unknowingly extract the zip file of the Trojan, they will get infected. When the Trojan is executed, it drops a file into the SYSTEM32 folder. It modifies the start page of Internet Explorer to www.teengb.com. It also modifies the HOSTS file, and redirects certain web sites to an HTML page that warns the user of spyware infections. Clicking on the page redirects you to download a rogue anti-spyware (Razespyware).


Troj/Surila-F

Also known as: Win32.Prexot

Troj/Surila-F is a backdoor Trojan. Blocks access to several security related web sites. Disables System File Checker to stop 'Windows File Protection' from scanning for changes in protected files. This backdoor trojan bypasses Windows Firewall by changing the Windows registry settings. May terminate many Windows processes and security related processes.


Trojan Krepper-G

Also known as: Trojan-Krepper

Changes web browser behavior, displays advertising and has the ability to download unwanted software.


Trojan Relaid

Also known as: Trend Micro Name TROJ_RELAID.A

From Trend Micro: This Trojan arrives as a .OCX file. It is usually installed via other malware applications. As a BHO, it is activated every time Internet Explorer (IE) is loaded. It is able to monitor user activity over the Internet Explorer. This Trojan modifies the registry to disable multilink capabilities with RAS (Remote Access Service) connections. It runs on Windows 95, 98, ME, NT, 2000, and XP.


Trojan SystemPoser

Demonstrates the ability to open and scan the user's email address book. This trojan also has keylogging capabilities. Changes file type executions, browser settings, and the user's homepage. It replicates itself numerous times on the target machine and creates run keys to autostart. May install other malicious programs. Modifies the Hosts file and counterattacks security software. Has been linked to a blended attack, dropped from instant messenger.


Trojan-Clicker.Win32

Also known as: Trojan Clicker TrojanClicker

A program designed to generate requests to certain Web URLs.


Trojan-Downloader.Engage

Trojan-Downloader.Engage drops many adware programs and trojans on the user's machine.


Trojan-Downloader.mu

Also known as: Dropper.Agent.mu (ewido)

Trojan-Downloader.mu is a downloader which is used by adware vendors to drop trojans, adware and keyloggers on the user's machine. It does not have an uninstaller.


Trojan-Downloader.Win32.Mediket


Trojan-Downloader.Win32.Small.bgv

Also known as: TR/Dldr.Small.bgv.1 Downloader-OV trojan Win-Trojan/Downloader.12528

When executed, drops a file called "msblank.html". Internet Explorer's start page is changed to msblank.html. This file downloads and installs dialer applications.


Trojan-Spy.Win32.Perfloger


Trojan.Abwiz.C

This is a trojan that downloads and executes remote files and sends confidential system information to a remote attacker.


Trojan.AcidAlliance


Trojan.ADG


Trojan.Adidas


Trojan.Agent Downloader

This Trojan will download a payload of other Trojans and Adware.


Trojan.Agent.BMC

This trojan drops rogue anti-spyware. Will also drop a payload of malware.


Trojan.Agent.CSC


Trojan.Agent.GWC


Trojan.Agent.KVC

This trojan will redirect your browser and download an adware payload.


Trojan.Agent.RCC


Trojan.Agent.TMC

This trojan will hijack your browser, start pages and search pages. This will also download an adware payload.


Trojan.Anserin

Also known as: kl.exe Anserin

The Anserin Trojan can take control of the victim's system. It can record keystrokes and personal information like UserID and password.


Trojan.Banker-Q

Also known as: TSPY_BANCOS.ASC (Trend Micro), Banker.CDV(Panda) Trojan-Spy.Win32.Bancos.xe (Kaspersky) W32/Bancos.XE!tr.spy (Fortinet) W32/Bancos.ITW (Authentium) Trojan.Banker.Delf.DE (BitDefender)

Trojan.Banker-Q is a password-stealing trojan for various online services. It is often downloaded onto the user's computer by a downloader Trojan. It steals sensitive information when a user enters login details into any of the following web sites: http://mail.yahoo.com, https://mail.yahoo.com, barclays.co.uk, hsbc.co.uk, olb2.nationet.com, deutsche-bank.de, nwolb.com, co-operativebank.co.uk, my.if.com, smile.co.uk, cahoot.com, webbank.openplan.co.uk, anbusiness.com, mybank.alliance-leicester.co.uk, officebanking.cl, santandersantiago.cl, https://www.bbvanet.cl/bbvanet, abbeynational.co.uk. It also monitors Internet Explorer for web sites with the following strings in their titles to steal sensitive information: Banco en Linea Empresas en Linea Documento BBVAnet Personas Alguno de los datos ingresados es incorrecto. Por favor considere lo siguiente: BBVAnet Empresas. Sends the stolen information to a remote server, but it requires Windows NT Server.


Trojan.BankSnif

This trojan attempts to steal your login information for your financial institution.


Trojan.Bat.Delwin


Trojan.Bdoor


Trojan.BeH

If an end user clicks on a malicious link passed to them via Instant Messaging, Remote Administration Server, a commercially available application produced by Famtech, is automatically installed via a "beh.exe". The install is designed to hide the application in the systray with no interaction from the end user. Once this application is installed, the end user's computer is compromised and can be accessed remotely, at which point additional malware applications are installed on the desktop. One application of note is "Carder", a Perl script designed specifically to uncover exploits in several shopping cart applications including Comersus Cart, CactuShop, CCBill and others that are used by many popular ecommerce sites. If a vulnerability is identified by this file, the backend database containing credit card and account information (e.g. credit card numbers, home addresses, usernames and passwords) may be stolen off the ecommerce site. Personal information may also be stolen from the infected PC itself through Protected Storage PassView from NirSoft, another application that can be remotely loaded onto infected PCs.


Trojan.Beway

This Trojan will attempt to disable security programs.


Trojan.BHO

This Trojan will hijack your web browser.


Trojan.Bind

Also known as: Content Match Software

This trojan downloads its adware payload to C:\WINDOWS\w3.


Trojan.Boxer


Trojan.Bronto


Trojan.CD-IT


Trojan.Clicker.Getfound.A


Trojan.Conhook


Trojan.Cosiam

This drops an autostarter called "stonedrv" onto the infected PC.


Trojan.CP3000

Also known as: Win32/Spy.Banker.AWA

This trojan opens access to your computer from other locations, allowing for theft of personal data, including passwords and Internet banking information.


Trojan.Cryptic

Trojan.Cryptic is a family of trojan downloaders. They may be installed via IE exploits or other trojan downloaders.


Trojan.Datkiller.A


Trojan.Desktophijack

Also known as: Spy-Agent.h(McAfee) , Troj/Brave-A(SOPHOS) Winhound (Panda)

This will change the desktop configuration of your PC. Changes the Desktop wallpaper. Turns off the Appearance, wallpaper-changing and display color options of Display in Control Panel by changing the system registry. Variants of this trojan may show fake warning messages from the system tray.


Trojan.Dload

Also known as: Troj/Dload-BB (SOPHOS)

Downloads files and then proceeds to install them.


Trojan.Downloader.IInstall

Trojan loads malware applications ranging from XXXtoolbar to Bargains.


Trojan.Downloader.KavSvc

This application comes bundled with another spyware application called "Unclassified Spyware 61". It connects to a site called web-nexus.net, which is a precision-based adserving technology site, and downloads and displays advertisements in the form of pop-ups.


Trojan.Downloader.MVD.a

Also known as: Trojan-Proxy.Win32.Small

This Trojan adds executable and DLL files with random names to the System32 folder.


Trojan.Dropper.Multibinder


Trojan.DWH

A Trojan which is dropped by other Trojan downloaders.


Trojan.eetu

Also known as: Aida

Downloads unwanted programs without the user's knowledge.


Trojan.Exploit.Java.Bytverify


Trojan.Favadd

Also known as: TROJ_FAVADD.G (Trend Micro) Trojan.Win32.Favadd.c (CA)


Trojan.Festod


Trojan.GeneTik

This trojan is installed on the victims PC through exploits such as the WMA exploit.


Trojan.Goldun

Also known as: Win32/Spy.Goldun.NBD (NOD32)

1. Password stealing Trojan for E-Gold online bank.
2. Lowers security settings.
3. Adds itself into Exception List in Windows Firewall to gain full access to the compromised system.
4. Copies itself as svchost.exe into Windows directory.
5. Creates a Mutex to ensure only one copy of Trojan is running at a time.


Trojan.GrandStreet

This is a Trojan Downloader. This will attempt to download other adware or spyware to your computer.


Trojan.Hrvst

Also known as: Dimpy.win32VBsy

Trojan.Hrvst gains control over the victim's machine. It logs keystrokes and passwords and sends them back to the attacker. This trojan is also installed through exploits (WMF, CreateTextRange).


Trojan.Humble.Corrupted


Trojan.Ipcscan


Trojan.Java.Classloader.b


Trojan.Java.Classloader.Dummy.C


Trojan.Joex

Also known as: Troj/Digidor-A (SOPHOS) Trojan.Startpage.Q

Disables the Windows Task Manager and changes Internet Explorer's home page. Is capable of downloading and executing files. This trojan also hides its files by changing registry entries. Does not allow users to view hidden files.

http://joyiex.com/


Trojan.Jupdrop

Also known as: Trojan.Jupdrop.A Jupillites

Downloads malware from the internet and drops it onto the victim's machine.


Trojan.KillaStealth.a


Trojan.Killer


Trojan.Killfiles.AB


Trojan.Lager

Also known as: SysCovert(Prevx)

Downloads malware, updates itself, can send information and possibly provide access to the infected computer. Tries to disable security software. When trying to access the McAfee VirusScan console, an error message pops up stating "Could not access the local computer. Confirm you have appropriate privileges and the product is properly installed."


Trojan.Makecall.A


Trojan.Media-Codec

Also known as: eMediaCodec eMedia Codec Trojan.Emcodec (Symantec) Troj/ZlobDrop-F (SOPHOS) PWS-Puper.dr (McAfee) Trojan Media-Codec vCodec Emcodec zCodec HQCodec dvdcodec iCodecPack PlayerCodec GoldCodec Gold Codec MediaCodec Video AX Object VideoAXObject VideoAX Object

Trojan.Media-Codec is a downloader trojan that often drops more threats into an infected computer and executes them. This trojan typically uses deceptive tactics, like pretending to be a codec for Windows Media Player in order for the user to install it. Spotted on adult material sites, but also spotted using advanced search engine spamming. Drops rogue anti-spywares. A License Agreement is shown during the installation process which states that: Licensor may change homepage on user's computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager.


Trojan.Mimail.N

This is a trojan that has the ability to monitor network traffic.


Trojan.ModalDigits

This is a trojan that has the ability to log keystrokes and send sensitive information through a remote connection. It creates several hidden directories in the system32 directory that hook into key Windows processes in order to log keystrokes.


Trojan.MonUrl

This Trojan will show itself in the system32 folder as testtestt.exe. Will also create an autostarter entry as SystemTools.


Trojan.ODOOR

Also known as: BKDR_ODERDOOR.S (ThreatExpert)

ODOOR creates a backdoor on a victim machine that continually searches potentially dangerous websites with the intention of downloading another infection and more instructions from the attacker.


Trojan.OneClickNetSearch

Also known as: TROJ_ONECLICK.A (Trend Micro), Trojan-Downloader.Win32.OneClickNetSearch.f (Kaspersky Lab)

OneClickNetSearch installs as a BHO and tracks the user's browsing habits.


Trojan.PayTime

Also known as: Troj/Paymite-E(Sophos)

Trojan.PayTime modifies the default browser start page to a spyware-related URL. Can change the startpage to point to the file secure32.html.


Trojan.PCClient

This Trojan will hide some running processes.


Trojan.Popdis

This Trojan modifies the hosts file and will change your browser settings.


Trojan.Prt

Also known as: Troj/Haxdoor-AX (Sophos), Trojan-Spy.Win32.Goldun.hw ,BackDoor-BAC.gen.dr

Trojan.Prt is a backdoor Trojan for the Windows platform, capable of dropping more malware, modifying system firewall settings and allowing others to access the computer. Some dropped files are hidden from the Windows API.


Trojan.PSW.Antigen.A


Trojan.Puper

Also known as: Puper-D Trojan Puper.UpdateSearches stealthSWs114.h!dll


Trojan.rmass

This is a Trojan which is dropped onto the user's machine without their knowledge and starts executing.


Trojan.Singu


Trojan.SMALL.ABD

Also known as: SMALL.ABD Downloader Win32.Small.ABD

Added by a variant of the SMALL.ABD downloader Trojan. Can allow attackers access to your computer for stealing passwords and personal data.


Trojan.Small.M


Trojan.Sokeven

Creates an autostarter O4 - Startup: w32.exe. Will also drop other Trojans. (TrojanDropper)


Trojan.Srizbi


Trojan.Stilen.a


Trojan.StomCC

This Trojan will capture screenshots and attempt to send them to the attacker. Also allows remote connections.


Trojan.svchost

Trojan.svchost spreads through LimeWire P2P and shows a fake message like "The setup file is corrupted". Later it creates a file in Global startup and starts phoning home. It phones home to different domains on each execution. The Trojan will not allow the user to access Task Manager and Regedit (the Windows Registry editing utility).


Trojan.Trash.A

This Trojan would allow remote access and control of the victim.


Trojan.TrueType

Also known as: Troj/Cosiam-I (Sophos), Trojan-Proxy.Win32.Small.bo

Trojan.TrueType acts as a proxy server on the user's computer. This proxy server runs in stealth mode continuously in the background, snooping on port 8359. The proxy server may be used for spamming.


Trojan.UseKill

This Trojan would attempt to disable any security software running on the infected machine.


Trojan.Vac

Also known as: Fake Scanner Trojan (Sunbelt)

Fake trojan scanner that removes files instead of finding trojans.


Trojan.Vorpal


Trojan.W32.Lodear

This Trojan allows attackers to access your computer, stealing passwords, Internet banking and personal data.


Trojan.Wayphisher


Trojan.Win32.Agent.aek

Also known as: TR/Ozdok.B

Under Investigation


Trojan.Win32.CP4000

This Trojan will penetrate the machine hijacking the browser. Will also download an adware payload from the internet. Most of the time the payload will include rogue anti-spyware applications. Removal is difficult.


Trojan.Win32.db

Also known as: Trojan.Win32.Dialer.db (Kaspersky Lab), TrojanDownloader:Win32/Wintrim.AU (RAV), TROJ_WINTRIM.AU (Trend Micro), Win32:Trojan-gen. (ALWIL), Downloader.Wintrim.2.M (Grisoft), Trojan.Downloader.Wintrim.AU (SOFTWIN), Dialer.B (Panda), Win32/TrojanDownloader.Wintrim.AU (Eset)

Trojan.Win32.db is capable of carrying payloads or doing other malicious things. It adds some registry keys to modify system settings.


Trojan.Win32.Dialer.ow

This is a dialer trojan that is generally installed onto the user's machine through game-related sites.


Trojan.Win32.FTP Attack

Also known as: BackDoor-AA [McAfee], destructive program [F-Prot], Eway, Trojan.Win32.FTP_Attack [Kaspersky] Trojan.Win32.FTP Attack [Pest Patrol]

This is a trojan that drops its adware payload onto the victim's machine by contacting a foreign FTP server.


Trojan.Win32.P2E


Trojan.Win32.sky

Also known as: BDS/Hupigon.bhi (AntiVir) W32/Threat-HLLIN-based! (Authentium) BackDoor.Pigeon.36 (DrWeb) W32/Threat-HLLIN-based!Maximus (F-Prot4) Backdoor.Win32.Hupigon.bap (Kaspersky) BackDoor-SO (McAfee) Troj/GrayBr-Gen (Sophos)

Trojan.Win32.Sky will open a port to connect to the attacker's remote machine.


Trojan.Win32.Small.hs

Also known as: Win32.small.hs TrojanDownloader.Win32.Small.kq

A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site.


Trojan.Win32.Spabot

Also known as: Troj/Agent-BJA (Sophos) Trojan.Win32.Spabot.x

Trojan.Win32.Spabot connects to the internet to access a list of email addresses and email templates to use to send spam. Trojan.Win32.Spabot also reports back to the remote server how many emails were successfully or unsuccessfully sent.


Trojan.Win32.Trojanrunner.Apploader

This Trojan is a downloader that will install other files usually from an FTP site.


Trojan.Win32.VB.BR

This Trojan will download an adware payload.


Trojan.Winltmpv

This Trojan will allow remote connections to the infected machine.


Trojan.Wintrim

Also known as: Trojan-Downloader.Win32.Wintrim.bj

Downloads software without the user's knowledge. There are other variants of this trojan that will try to change security settings in Internet Explorer.


Trojan.Wowcraft

Also known as: Infostealer.Wowcraft (Symantec), PWS-Wo.dll (McAfee)

This is a family of Trojans designed to steal passwords and other credential information related to the World of Warcraft online game. This trojan will drop bad files in your C:\windows\system32 folder as well as a file in your Warcraft folder. There will also be a service that will launch. Look for seictrl (Security Control). If you open your services you will see a description that will look like this: ???????????????????????????????????????????????? You will want to stop this service first, then delete it.


Trojan.Xorpix

Also known as: Backdoor.Eterok.C (Symantec), Troj/Xorpix-F (Sophos) Trojan-Proxy.Win32.Xorpix

Trojan.Xorpix is a backdoor trojan that allows a remote attacker to connect to the infected computer through a random port.


Trojan.Zlob

Also known as: Trojan.Zlob.D DESKTOPSCAM [SunBelt] DESKTOP SCAM

This trojan will display warnings that appear similar to Windows warnings in order to trick the user into buying a rogue anti-spyware product.


Trojan.Zlob.E

Also known as: Trojan.Zlob.E (Symantec)

Opens a window warning the user that the computer is infected with spyware. This is used to get the user to purchase some antispyware program listed on the website it redirects to. Modifies the Internet Explorer homepage and redirects searches. May encrypt data gathered from the compromised computer by adding an encryption key to these directory locations: %UserProfile%\Application Data\Microsoft\Crypto\RSA and %UserProfile%\Application Data\Microsoft\Protect


Trojan.Zyn

Trojan.Zyn is a trojan originating from China. It is commonly seen distributed through peer-to-peer channels such as Kazaa. Once infected, the user will be prone to more attacks and even potential identity theft. It sends several remote login requests to the victim's PC and tunnels HTTP traffic.


Trojandownloader.Stardler

This will attempt to download an adware payload.


TrojanDownloader.Win32.Apropo.g

This trojan will attempt to download additional files to your computer.


TrojanDownloader.Win32.Dluca

Trojan or Trojan Horse is a general term that refers to programs that appear desirable but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer through which a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage. This is a downloader designed to download additional files to complete the functionality of the program.


TrojanDownloader.Win32.Qoologic

Also known as: Qoologic Kavsvc Qoolaid(Mcafee)

Kavsvc creates random 6 character filenames and usually hides these in the windows\system32\ directory. Qoologic is a downloader program designed to retrieve and install additional files, when run.


TrojanDownloader.Win32.Swizzor.r

This will attempt to download files to your computer.


TrojanDownloader.Win32.Vivia.f

Also known as: vivia.f

This will attempt to download and install files from the internet.


Trojandropper.BAT.Dmenu


Trojandropper.Win32.Hamer


Trojandropper.Win32.Juntador.j


TrojanSpy.Win32.Small.q

Also known as: W32/Tumbi.worm.dll, TrojanSpy/Win32.Small.Q, TrojanSpy.Win32.Small.q, W32/Francette-I, Win32/Spy.Small.Q, W32/Francette.F.wor

This Trojan spy program steals user details for electronic payment systems. The Trojan then extracts a .dll file of 6144 bytes, called HookerDll.Dll to the Windows directory. This file intercepts data entered via the keyboard. The program then creates a file named krk.txt in the Windows directory and copies all data entered via the keyboard to this file.


TROJ_VB.JL

This is a drive-by download infection. This Trojan adds some malicious files to the Temporary folder.


Tron

Also known as: Backdoor.Tron

Upload/Download files. File commands: copy file, move file, delete file, rename file, size of file. Directory commands: dir, cd, cd.., cd\. List running processes, kill process, and spawn process. Show picture on screen: displays a picture of choice in the centre of the remote system. Play WAV file. Open/Close CD-ROM. System shut down.


TrueWeather Download Manager


TrustCleaner 4.2.6

Also known as: Trust Cleaner

TrustCleaner is a miscellaneous antispyware which will detect other antispyware products. From the EULA (which was collected from the domain): Display of Advertising. The Licensed Software will run in the background on your computer and may periodically direct you to our sponsors' websites. By installing and/or using the Licensed Software you grant permission for TrustIn to periodically display sponsors' websites to you. The frequency of these advertisements will vary depending on your use of the Internet. On occasion, you may search for a website and receive an error from your browser software indicating that the site can not be found. When this occurs, the Licensed Software includes a function which may redirect your web browser to our sponsor's websites based on the content of the website address, or URL, which you entered. You hereby consent to these actions.

http://trustcleaner.com


TrustIn Bar

Also known as: Trustin Cash

Installs as a Browser Helper Object and shows pop-up Advertisements when the user browses the Web. Can update itself. Extract From EULA: By installing and/or using the Licensed Software you grant permission for TrustIn to periodically display sponsors' websites to you. May redirect your web browser to our sponsor's websites based on the content of the website address, or URL, which you entered. The advertisements that the Licensed Software presents are provided in a separate browser window. By installing the Licensed Software, you grant permission for TRUSTIN to collect and use certain information.

http://www.trustinbar.com/


Trustin popups

Shows pop-up advertisements.


TrustyHound

From the EULA: By using the Toolbar, you consent to the collection and use of your information as described in these policies. Certain services and content made available through, or accessible from, the Toolbar may be provided by third parties.


TryToFind

Also known as: Try2find Try 2 find Try to find trytofind

Try2Find allows advertisers to list their site in our search engine and receive visitors at a cost-per-click basis, as low as $.01 per click. Our service is much more cost effective than other advertising methods because our service is highly targeted. Instead of having your banner show up randomly on different sites and hoping people will click your link, surfers visit our site looking for specific content using keywords that relate to your website or business, just like any other search engine. This method of advertising is one of the most effective methods of increasing your sales conversion rate (i.e. number of visitors VS. number of sales). Try2Find.com lets your advertising dollar go much further and accurately than traditional means.

http://www.try2find.com/#


TSCash

Also known as: Inet-cash

This is a German dialer. It is no longer active. Their homepage is dead.


TSPY_OnlineG.KI

This is a trojan that drops several files that hook into key Windows processes in order to steal account information.


TurboDownload


TV Media Display

Also known as: tvmd tvmedia

Secretly installed on the user's PC and used to display advertisements.

http://www.totalvelocity.com


Twain-Tech

Also known as: Twaintec

Provides a DLL for "ad supported software". In short, this means that some shareware authors incorporate this system, which pops up ads in exchange for some of the revenue this generates. If you uninstall this, some "advertiser supported software" will probably cease to function. Some analysis of the system shows that it has the capability of sending out (in XML format) various information about where it is installed, like PC information (RAM, disk space, ...) and a list of installed applications. It also contains some references to "VX2".

http://www.twain-tech.com/


TX

Also known as: TX Trojan

This Trojan is a downloader. This will attempt to download an adware payload.


TX4

Also known as: TX4.audiosrv32 (kephyr) TX 4 BrowserAd Adware (sysinfo.org)

Possibly linked to the TX Trojan, but it changes the browser's settings.


UCSearch

Also known as: IE Spy2

Downloader: A program or application that's usually very small and designed to install additional files to complete the setup of the program.


UFixer

Also known as: UDefender Ultimate Fixer Ultimate Defender WinReanimator

Ufixer is a rogue security application that is installed through trojan downloaders. Once installed, it impersonates the Windows Security Center as a way of tricking users into using its product.


Ultimate Cleaner 1.0

Ultimate Cleaner is a rogue anti-spyware/adware product which shows fake malware detections on the user's machine. It is also installed through exploits and malware bundlers.

http://www.ucleaner.com/


Ultimate Defender

This is a rogue antispyware application that is part of a trojan payload. When visiting certain security-related websites, users are prompted to download Ultimate Defender, thinking that it is related to the security site visited.


Ultrabar

Ultrabar is a Browser Helper Object which displays pop-up advertisements based on the user's browsing activity.


Ulubione

Also known as: Dialer.Ulubione (Symantec)

Modifies the browser settings. The Internet Explorer home page was modified from its default setting of "About Blank" to the porn site www.maxxxhosters.com/search.php. It is possible that the start page can be changed to other porn sites. Lots of porn-related pop-up advertisements can be displayed.


Unclassified Adware/Spyware

Thousands of adware and spyware related sites.


Unclassified Trojans

Unidentified malicious components and software not associated with a product or creator. Infections vary in this group of Trojans. Users affected by anything unclassified could have varying symptoms of behavior.


Undetected

Also known as: Tiny.100 Undetected.230 Undetected.300 Undetected.310 Undetected.320 Undetected.330 Undetected.331 Undetected.332

This is a RAT trojan that has the ability to access your computer through port 777.


Unibar

This is a BHO adware that is installed through Chinese trojan bundles.


Unicorn

This is a RAT trojan that has the ability to access your computer through port 668.


Unregmp2.exe


Unsecure 1.2

From the author's description, UnSecure is a Brute Forcing program to exploit flaws with the world's current Internet Security. This program is able to try every possible password combination, and pinpoint the user's password. UnSecure can currently break into most Windows 95/98, Windows NT, Mac, Unix and other OS servers with or without a firewall. Some people say the time to Brute Force a server can take years. This is not true considering the way hardware is being sped up. This is a password cracking tool.


UnSpyPC

Also known as: Scan and protect your PC

UnSpyPC is a rogue antispyware which displays false detections and forces the user to buy the product for spyware removal. This application identifies popular security products and well-known file system tools as spyware.

http://www.unspypc.com


Up&Run 1.3

Up&Run is an application that provides a means to remotely control a user's computer.


UpdateX

This is a trojan that is installed with SpySheriff.


UpSpiral Toolbar

Toolbar that possibly can download unwanted software.

http://www.upspiral.com


Url2 Dword

Also known as: Url 2 DWORD (Sunbelt)

From the author: "Zone Spoofing Vulnerability". It uses an exploit for vulnerable systems: Microsoft Internet Explorer 4.x and Microsoft Internet Explorer 5.x. The exploit is: Microsoft Internet Explorer security is dependent on different 'security zones'. These zones (Local Intranet zone and Internet zone) can have different security settings in regards to scripting and ActiveX execution. A lot of individuals and companies (including Microsoft) are depending on these zones to allow custom written ActiveX controls (unsigned and unsafe for scripting) to run on their internal intranet or network. A flaw has been discovered in Internet Explorer that can bypass these zones and 'fool' the browser into believing an Internet site resides in the local intranet zone. This has as result that malicious website owners could potentially operate (and execute malicious code) in the user's local intranet zone by luring surfers to their site with specially crafted URLs. In order for this flaw to be dangerous, the user would have to have lower security settings in the intranet zone than in the Internet zone.


Vampire 1.2

Also known as: Backdoor.Vampire.12

Trojan or Trojan Horse is a general term that refers to programs that appear desirable but actually contain something potentially harmful. It gets its name from the Trojan Horse that was an instrument of war used by the Greeks to gain access to the city of Troy. It looked like a gift of a giant wooden horse, but actually concealed soldiers inside. The harmful contents could be anything; for example, you may download what appears to be a free game, but when you run it, it opens up a port on your computer through which a hacker can "remote control" your machine. A trojan may also carry other payloads like a virus or worm, which then spread more damage. From the Website: Sends email password, (ras and cache), phone number, ip address, dns address, win address, and more.


Vanta.A

Also known as: Mssys Trojan (Sunbelt); Backdoor.Avstral

The Vanta.A Trojan is capable of downloading other threats, changing system-level settings and adding websites to the Trusted zone.


VB.azi

VB.azi is a downloader trojan for the Windows operating system.


VBS.StartPage

Also known as: Trojan.VBS.StartPage VBS/IEstart.gen.e VBS.StartPage VBS_STARTPAGE.D VBS/StartPage.D Startpage

Startpage is a Trojan horse written in Visual Basic Script (VBS). When started it alters the address for the MS Explorer starting page in the Windows system registry.


VCatch 5

Also known as: CommonSearch 5 CommonSearch.VCatch 5 v catch

From the Website: VCatch is a free anti-virus. VCatch Free versions are ad supported software. All the ad related components in VCatch Free versions were written by us - including the part that serves ads.

http://www.vcatch.com/home.html


VideoC

This is a codec that is supposedly needed to complete the download of movie clips. What really happens is that you are agreeing to an adware and spyware payload. Here are some statements from their EULA: In return for the right to access this Content, you acknowledge and agree that the Software contains additional software products provided to Codec Cash by its suppliers which will periodically deliver additional Content such as, but not limited to, advertisements and promotional messages to your computer. Updates to Software. You acknowledge and agree that Codec Cash or third parties designated by Codec Cash may from time to time provide automatic programming fixes, updates and upgrades to the Software (collectively, the "Updates"). Updates may include installation of third party applications, through automatic electronic dissemination and other means. The information that Web Search Toolbar/Web Search Tools and Win-Tools Easy Installer collects is used to provide website ranking and traffic details for the Webranking service native to the WebSearch Toolbar 2.0. Web Search Toolbar/Web Search Tools and Win-Tools Easy Installer are identifiable in the "Add/Remove Programs".

http://www.codeccash.com/


VideoDialer

Also known as: Hot_Tarts, Wink/HotTarts, France Sex (Sunbelt), Video Dialer

VideoDialer is an adult content dialer. It is one of many dialer variants of Wink parasite.


VideoPorn

Also known as: Troj.Pev67

VideoPorn is installed as a fake update for Internet Explorer. After accepting the installation, the victim's computer will be unable to run several key processes as well as be redirected to different webpages when trying to surf the internet.


Viewpoint Media Toolbar

Also known as: ViewPoint Beta

Internet Explorer toolbar that offers a number of graphical enhancements to browsing and skinning the toolbar as well as pop-up blocking. This toolbar does not generate pop-ups. We do not consider it spyware. The displays shown by the graphical comparison searching feature are paid advertisements provided by Overture.

http://www.viewpoint.com


VipSearcher


Virtual Bouncer

Also known as: spywarelabs

Claims to be an adware remover. It drive-by installs, phones home after install, gives itself the right (in the EULA) to download and install software from its servers, and you have to *pay them* for a "subscription" with a credit card to have it removed, then opt out of having the "subscription" automatically renewed. Because you must pay to have it removed, some have dubbed this "extortion ware".

http://www.virtualbouncer.com/


VirtuMonde

Also known as: Adware.VirtuMonde(Symantec) Virtumonde(PandaSoftware)

Displays regular pop-up ads.


VirusBlast

Virusblast is an application that may be installed by a trojan downloader without the user's consent. This application is promoted on websites like http://protectionbar.com/remove_spyware/ that recommend the use of other rogue security programs. It hooks Internet Explorer and causes Internet Explorer to delay opening for several minutes.

http://www.virusblast.com


VirusBurst

This is a rogue security program. It can be installed via exploit, usually without the user's consent. It is listed on the Rogue Anti-Spyware page at spywarewarrior.com: http://spywarewarrior.com/rogue_anti-spyware.htm

http://www.virusburst.com/


VirusHeat

This is a rogue anti-spyware. This can be installed without the user's knowledge.


VirusProtectPro

This is a rogue antispyware. Goads the user to buy with false positives. It has also been force-installed on users' systems.

http://www.virusprotectpro.com/


VirusRay

This is a rogue anti-spyware. Goads the user into a purchase with false positives.

http://virusray.com


VirusTrigger

This is a rogue anti-spyware. This should be removed.

http://virus-trigger.com/


Virutek

Slows down the performance of Internet Explorer.


Vividence Connector


VividGal

Also known as: Vivid Gal

VividGal dials a phone number using the modem of the user's computer, without the user's awareness or permission, incurring charges on the user's phone bill.


VLoading

Also known as: DownloadClass econnect

Allows automatic download and running of software from the internet. After the control is installed, any web page has the ability to run any executable file on the local machine.


VMCleaner

Attempts to load HTML pop-ups when Internet Explorer is launched.


VML Overflow

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the user running the vulnerable application. Original article can be found at http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462


VoiceIP

Also known as: Transponder.Freephone (Sunbelt)

This is a spyware program that is part of the transponder variant. VoiceIP.dll can also be under various other names to make it harder to remove.


Voo-Doo

Also known as: Rootkit.Win32.Agent.di (Kaspersky)

This is a trojan that is installed in Chinese related trojan bundles. It installs a rootkit called voodoo.sys in C:\Windows\System32\drivers.


VoodooDoll

This is a trojan that drops its adware payload onto the infected machine through port 1245.


Voonda Toolbar

Also known as: Tafbar Taftoolbar

Displays pop-up advertisements.

http://www.voonda.com/


Voxom

Also known as: Trojan.Voxom (Symantec)

Once this trojan is on the victim's PC it attacks the network through any mapped network drives.


VroomSearch

Also known as: Travelling Salesman


VSToolbar

This installs a BHO. Typically downloaded with an adware payload.

http://vsolutions.ourtoolbar.com


Vundo

Also known as: Trojan.Vundo VirtuMonde

This is a trojan dropper. This will drop a payload of adware on your computer. Winfixer2005 seems to be with this in nearly every log we have seen.


VX2

Also known as: Transponder Blackstone TPS108 AADCOM NetPal DigitalRooster MSView VX2.Transponder Transponder.TPS108

The software goes along with the user of the software as they are surfing around the web and builds reports on the activity. The software monitors the click stream activity of the consumer and communicates with servers. The software monitors some activity of the PC and communicates with servers. Seen in numerous incarnations.


VXgame

Also known as: Trojan.VXgame

Trojan.vxgame downloads adware, shows fake warning messages and slows down the system.


W32.Ahlem

The worm comes in the form of an attachment. The file we tested was a.exe. When the file was executed, it attempted to email the same file to everyone in your address book. Newer versions of this worm have the ability to steal PayPal passwords. It creates a service in order to keep in contact with a server. This service is called "Windows Management Instrumenta". It will send a text file called ip.txt with the information if it exists on your computer.


W32.Ani.Gen.Downloader

Also known as: Win32/TrojanDownloader.Ani.Gen trojan

W32.Ani.Gen.Downloader downloads other malware to victim's machine.


W32.Annoying.Worm

Also known as: Win32.Annoying Annoy

This worm spreads via Microsoft's MSN Messenger program.


W32.Bagle

Also known as: W32/Bagle-H@mm I-Worm.Bagle.h Win32/Bagle.H W32.Beagle.H@mm WORM_BAGLE.H W32/Bagle.du@MM

This email worm will copy itself to a shared folder on your hard drive. For instance, this was found in the directory C:\Program Files\funwebproducts\Shared. Funwebproducts and this worm are UNRELATED; this was just an example of where we found it. It will use the following filenames:

windown longhorn beta leak.exe
xxx hardcore images.exe
adobe photoshop 9 fu??.exe
winamp 5 pro keygen crack update.exe
porno screensaver.scr
ahead nero 7.exe
windows sourcecode update.doc.exe
acdsee 9.exe
winamp 6 new!.exe
matrix 3 revolution english subtitles.exe
opera 8 new!.exe
serials.txt.exe

CAUTION: DO NOT delete the file names listed above even if you find them on your computer. Use a cleaning application to identify infection and remove it. You can find a freeware cleaner that picks up this infection at http://www.xblock.com/installer.shtml.


W32.Cuebot-K Worm

Also known as: Backdoor.Win32.IRCBot.st Win32/IRCBot.OO

Instant messaging worm and backdoor for the Windows platform. Spreads via AOL Instant Messenger. Can disable other software, shut off the Windows firewall, download other malicious programs, and perform basic DoS attacks on other machines. The worm propagates by sending itself as a file named "wgavn.exe" to people in the user's Buddy List.


W32.Dialer.PornAgent

Also known as: Win32/Dialer.Agent.D

This is a pornographic dialer. It forcibly opens pornographic sites and tempts users to click on them.


W32.Downloader.RAS

This Trojan connects to different remote locations to download rogue antispyware applications and other adware binaries.


W32.elm.cmd

The W32.elm.cmd worm spreads through Yahoo email services. It connects to more than one SMTP server and sends spam to random mail IDs.


W32.Havedo

This worm attempts to steal passwords.


W32.Hawawi.Worm

Also known as: W32/Holar.d@MM, WORM_HOLAR.D, I-Worm.Hawawi, I-Worm.Hawawi.e, Win32.Holar.F

This is a worm that creates its own SMTP server and other applications like ICQ, PalTalk, Yahoo Messenger and others. The subject line will vary but will probably look like: Co0o0o0o0oL Fw: Heeeeeeeeeeeeeeeey Love Speaks it all Wussaaaaaaaap? Why Do We FOk? WoW But not for NoW. The worm will overwrite files with these extensions: mpeg rm wav sql mde php cpp swf ram mp3 frm dpr rar mpg jpg pdf pps ppt txt htm html zip doc mdb xls


W32.Heartworm.a

Also known as: VirtualCard, heart worm

The infection spreads by running a file in circulation on Russian webhosting sites claiming to have a "virtual card" waiting for the user. When the file is run, a picture of a heart containing a poem is launched, and the infected user will pass the infection link to their contacts on MSN Messenger with the phrase "olha o que eu fiz pra vc....curti ai...[url removed]". Immediately after installation, it downloads a file from a Russian domain. Then it opens up a .gif. Then it makes a call back to the aforementioned domain and downloads another file. It also sends information about your computer to the distributor's e-mail address through an SMTP connection. This includes internal network information such as devices on the network.


W32.homepage.hta

W32.homepage.hta disables the registry editor. It adds some Chinese sites to the favorites. This trojan is written in VB.


W32.Israz.B@mm

This is a Chinese-based trojan infection. Visiting a site that distributes this trojan drops a .com file into your Temp folder. This .com file installs a file called pp.exe.


w32.Kmeth Worm

Also known as: Kmeth Worm, Meth Worm

This worm downloads and installs itself through JavaScript code exploiting IE. It will install 2 files to the infected PC's Temp directory and run them. It can then distribute itself through Yahoo's Instant Messaging program whether the user knows it or not. It manipulates the status message in Yahoo's IM so that it leads to an infection link. Newer versions of this worm can disable vital Windows diagnostic tools such as Task Manager and the Registry Editor.


W32.Licat Worm

Also known as: Uglyphotos Licat.a Licat.b Licat.c Licat.d Licat.e Licant.f variants

The link looks like a website or jpg and usually propagates via IM, but may be web-based in some variants. Once you click the link, the worm will be downloaded to your computer and attack MSN Messenger, replacing it with another file. The worm will send itself to all contacts on the target's MSN list, and then download and install numerous malware and spyware applications, notably Dollar Revenue.


W32.Lovgate.AC@mm

Research has shown this email worm will use random filenames. These were actually found inside the directory C:\Program Files\Common Files\GMT, which is a Gator directory. Here is a list of some of the filenames:

support tools.exe
mmc.exe
autoexec.bat
winhlp32.exe
msdn.zip.pif
documents and settings.txt.exe
microsoft office.exe
client.exe
windows media player.zip.exe
xcopy.exe
internet explorer.bat
cain.pif
findpass.exe
windowsupdate.pif
i386.exe
winrar.exe

Nothing relates these files to Gator; this simply shows that the infection can be dropped anywhere. CAUTION: DO NOT delete the file names listed above even if you find them on your computer. Use a cleaning application to identify infection and remove it. You can find a freeware cleaner that picks up this infection at http://www.xblock.com/installer.shtml


W32.MSNmaker

Also known as: Troj/MSNMk-I (SOPHOS) W32 MSNmaker

W32.MSNmaker is a worm that spreads through MSN Messenger. This worm arrives as a file manually sent by a malicious user via MSN Messenger. When executed, this worm renames the original file as msrr.exe and replaces the original MSN Messenger executable file msnmsgr.exe with a copy of itself. When the worm is executed, it also executes msrr.exe to avoid immediate detection.


W32.Mytob.AM@mm

W32.Mytob.AM@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm spreads by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).


W32.Mytob.KE@mm

Also known as: W32/Mytob-ET (SOPHOS) W32.Mytob.KE@mm (Symantec)

Mass-mailing worm that has its own SMTP engine to send emails to addresses that it gathers from compromised computers. Opens ports to allow remote attacker access to computer. Lowers Internet Explorer security zones.

Can contain one of the following subject lines:

*WARNING* Your Email Account Will Be Closed
*DETECTED* Online User Violation
Your new account password is approved
Your password has been successfully updated
You have successfully updated your password
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification

Can contain one of the following or other message bodies:

Dear user {Username}, You have successfully updated the password of your {domain} account. If you did not authorize this change or if you need assistance with your account, please contact {domain} customer service at: {someone@domain} Thank you for using {domain}! The <domaim> Support Team +++ Attachment: No Virus (Clean) +++ {domain} Antivirus - www.{domain}

Dear user {Username}, It has come to our attention that your {domain} User Profile ( x ) records are out of date. For further details see the attached document. Thank you for using {domain}! The {domain} Support Team +++ Attachment: No Virus (Clean) +++ {domain} Antivirus - www.{domain}

Dear {domain} Member, Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. If you choose to ignore our request, you leave us no choice but to cancel your membership. Virtually yours, The {domain} Support Team +++ Attachment: No Virus found +++ {domain} Antivirus - www.{domain}

Dear {domain} Member, We have temporarily suspended your email account {usersemailaddress}. This might be due to either of the following reasons: 1. A recent change in your personal information (i.e. change of address). 2. Submiting invalid information during the initial sign up process. 3. An innability to accurately verify your selected option of subscription due to an internal error within our processors. See the details to reactivate your {domain} account. Sincerely,The {domain} Support Team +++ Attachment: No Virus (Clean) +++ {domain} Antivirus - www.{domain}

Can contain one of the following or other attachments: account-info, account-details, account-report, email-details, email-password, updated-password, accepted-password, new-password, important-details, info-text, password

Modifies the hosts file to block access to security web sites.


W32.Navidad.16896

Wintask.exe is a process which is registered as the W32.Navidad.16896 (Symantec) worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open the hostile attachment. The worm has its own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.


W32.Netlip.Worm

W32.Netlip.Worm is a worm that attaches itself to email messages each time that you send email to anyone from an infected computer. The virus may trick a user into running it since it has Windows folder icon association - on a default system where extensions of known file types are hidden, the file will appear exactly like a Windows folder.


W32.Opanki

Also known as: W32.Opanki.D (Symantec), W32/Opanki.worm (McAfee), WORM_OPANKI.Y (Trend Micro)

Provides a backdoor which allows a remote intruder access and control over the computer via IRC. Sends malicious URLs through instant messenger programs.


W32.PapaiWorm

Also known as: W32/Pykse.A ( F-Secure )

W32.PapaiWorm propagates through Skype by sending an infection URL to contacts. The worm shows a .jpg file, which distracts the user from the infection. The worm captures all the contact information and sends the infection URL to all contacts with emotions and scraps. It also changes the status message to "Do Not Disturb". This particular worm drops many other binaries onto the victim's machine.


W32.Pooo

This is a Chinese trojan that has the ability to hijack the user's start page to a Chinese porn site.


W32.Rbot-JG

Also known as: W32/RBOT-PL

Installs a randomly generated file in the system32 folder. This file is autostarted by a process called "Winfix Service".


W32.Redzed

W32.Redzed is a mass-mailing worm.


W32.Scane

W32.Scane is a worm that attempts to spread by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability. (Symantec)


W32.Silly

W32.Silly is a worm that spreads through network shares and infects all files in the infected computer. It also downloads other threats from remote sites and executes them. W32.Silly disables a wide range of security tools. Variants of W32.Silly can: disable the Windows AutoUpdate feature; infect non-executable files only.


W32.Sobig

This is a mass mail network worm.


W32.Stator

This is a mass mailing worm that will attempt to steal passwords.


W32.Ticton.A

W32.Ticton.A is a mass-mailing worm that harvests addresses from a number of sources, spreads over mapped network drives and accessible Windows shares, and can insert propagation code into existing HTML documents to spread through IIS.


W32.Troj.365soft

W32.Troj.365soft connects to a domain which drops more binaries on the user's machine. It uses the maximum virtual memory, which causes the system to crash.


W32.Trojan.cert

Also known as: Trojan.LowZones.ED TROJ_HOLICA (Trend Micro)

W32.Trojan.cert is an Italy-based infection that drops other malware binaries. It hijacks Internet Explorer and adds malicious domains to the Trusted zone.


W32.trojan.gen

W32.trojan.gen opens different ports and connects to a remote location.


W32.Trojan.Messpam

Also known as: Trojan.Mespam - Symantec Spam-Mespam - McAfee

Connects to different domains and sends massive amounts of spam mail to random e-mail IDs.


w32.trojan.mezzicodec

Also known as: mezzi codec

MezziCodec is a trojan downloader that drops other malware on the user's machine.


W32.USBWorm

W32.USBWorm spreads through USB drives. Prevents user from using Firefox, shows message which reads, "I DNT HATE MOZILLA BUT USE IE OR ELSE..." The message header reads, "USE INTERNET EXPLORER YOU DOPE." Firefox is then closed by force. Also blocks "Orkut" and "YouTube" sites.


W32.VBS.Godzilla

Also known as: VBS.Zodgila (Symantec)

W32.VBS.Godzilla spreads through flash drives (USB drives). Once the machine is infected, it looks for a flash drive. It creates an Autorun.inf file to execute the malware when the flash drive is mounted. Then it copies the files to all the physical drives. It also hacks Internet Explorer and changes the window title to "Hacked by Godzilla".


W32.VideoWorm

Also known as: Banload.BBX (F-Secure) Troj/Banloa-AMT (Sophos)

When a user is infected with W32.VideoWorm, the worm sends the following message before a conversation starts with another buddy in the contact list: "veja soh do que uma camera escondida eh capaz rsrsrsrs!!! <Clickable URL>". When the buddy clicks this link, it downloads video.exe, which starts spreading through MSN Messenger and sending spam mails.


W32.YahooWorm.SVCHOST

Also known as: W32/Sohana-R (Sophos) IM-Worm.Win32.Sohanad.t (Kaspersky) W32.Yautoit (Symantec) Win32/YahLover.AO (CA) Worm/Sohanad.NAK (Avira)

W32.YahooWorm.SVCHOST spreads through USB devices as well as Yahoo Messenger. It installs the malware on the user's machine and executes automatically. It uses an AutoIt script to collect all the users from the buddy list and sends them the malicious link, which leads to infection. This worm disables the Taskbar, the registry interface, msconfig and folder options.


W32.ZMark


W32/AIM.552-B

Also known as: W32/Opanki-K (SOPHOS) W32/AIM.552-B Lockx

Instant messaging worm that attempts to spread by sending a message containing a link to the worm to all users on the contact list. Allows remote control of the computer by a backdoor via IRC channels. This particular variant starts with an AOL Instant Messenger (AIM) user being asked to open a link, apparently at the request of an AOL contact. Clicking on this link initiates the infection sequence, which may or may not start with the dropping of a number of adware files, and the rootkit software itself, lockx.exe. Once on the computer, the malware attempts to shut down active antivirus software and then installs software that allows the computer to be remotely controlled by IRC, and opens a backdoor for future attack. It also contains an SMTP engine which can be used to collect e-mail addresses. Of significant note, this has been classified as the first rootkit spread via IM because of the way it attempts to hide traces of its existence. The rootkit file's use of IRC is also considered especially dangerous because it allows attackers to execute remote commands.


W32/AIM.pic22

Also known as: picture22.com

This worm infiltrates AIM. Once it is fully active it will give everyone on the user's buddy list the same worm. This worm is very dangerous because it will not only drop a suspicious service, but it will also spread itself on your buddy list. That way if the infection is terminated, it will most likely return.


W32/Bagle.dl

This is a mass-mailing worm that also spreads through peer-to-peer applications. When executed for the first time, it opens Notepad. It then makes changes in "HKCU\Software\Microsoft\Params", which eventually lowers the security settings on the machine. It drops files such as "1.exe" and "2.exe" in folders that have names like "share". It downloads files from certain web sites.


W32/Bagle.dm

Also known as: TROJ_BAGLE.AJ (TREND MICRO), Trojan.LodAV.A (Symantec), Win32.Fantibag.H (Computer Associates)

W32/Bagle.dm is a trojan that disables security related processes and blocks access to security related sites. Once installed, this trojan does DNS lookup for a list of domains to get their IP addresses. It then uses these IP addresses to block access to the domains.


W32/Bagle.gen

Also known as: Win32.Mitglieder.CT [Computer Associates], Trojan-Proxy.Win32.Mitglieder.dl [Kaspersky Lab], Trojan.Mitglieder.Q [Symantec]

This worm opens a backdoor on TCP port 23422. It connects to many web sites and sends system info to them. It downloads Block_list.txt from the website and drops it under the system folder. It disables Windows Firewall on Windows XP SP2 machines.


W32/Spybot-CA


W32/Spybot.W

Also known as: W32.Spybot.Worm (Symantec)

This worm is spreading through LimeWire P2P application.


w32/troj.drv

Also known as: Trojan.Downloader.Delf.QY

W32/Troj.drv creates a folder named Driver Load. It then drops a copy of itself as WINDRV.EXE in it. It creates 5 auto-starters: DSystemDriver, FDriver, ADriver, CDriver, DDriver. When a user restarts the system, this Trojan also executes WINDRV.EXE five times, once for every entry. Connects to a remote location where it downloads other files. Connects to adult websites and downloads adult content. W32/Troj.drv can display porn-related pop-up advertisements.


W32/Troj.Fam

W32/Troj.Fam opens TCP port 6667 on the infected machine and passes user information to an IRC server. It waits for commands from a hacker.


W32/Zafi-D

W32/Zafi-D is a mass mailing worm and peer-to-peer worm. Copies itself to the Windows system folder with the filename Norton Update.exe. Creates a number of files in the Windows system folder with filenames consisting of 8 random characters and a DLL extension. Some of these are exact or zipped copies of the worm, detected as W32/Zafi-D, while others are log files created by the worm. Harvests email addresses from the Windows Address Book and from files found on the hard drive. Copies itself to folders with names containing share, upload, or music as ICQ 2005a new!.exe or winamp 5.7 new!.exe. Displays a fake error message box with the caption "CRC: 04F6Bh" and the text "Error in packed file!"


W97M_SPY.A

This is a spyware macro program from France. It steals emails and addresses in an infected user's contact list and then sends the information to a hacker's email address.


Wareout

WareOut claims: " ..is the Latest and Most Advanced Spyware Detection and Removal application on the Internet. We will prevent anyone from "spying" on your Internet activites." This site does not contain a privacy statement. We monitored the process list while executing this program. It dropped several bogus entries in the auto-start location of the registry, then reported them as spyware. In fact, everything listed in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run was reported as spyware. The files referenced from the auto-starting values simply did not exist on the test machines. Spywareguide also monitored this application's activity while it ran a spyware scan, and the only activity was dropping bogus entries. Furthermore, when we deleted the software key in HKEY_LOCAL_MACHINE, it was regenerated with a fresh list of randomly generated auto-starting values. When Spywareguide ran a scan with the application, it picked up a list of everything in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and reported it as being spyware. The test machine was a fresh image. Further investigation via Google correlated this program with about:blank and/or a CWS variant. Process list attached.

55 19.30372603 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\teqq32 SUCCESS "Trayz.exe"
56 19.30406574 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\br0ken SUCCESS "syspanel.exe"
57 19.30441411 WareOut.exe:556 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kargo SUCCESS "abrek.exe"
58 19.30444903 WareOut.exe:556 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
59 19.30487590 WareOut.exe:556 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\jopplerg SUCCESS "install2.exe"
60 19.30528517 WareOut.exe:556 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XTermInit

This was the first drop in the registry:

O4 - HKCU\..\Run: [ERTYDF]
O4 - HKCU\..\Run: [JAguAr]
O4 - HKCU\..\Run: [NsCplTray]
O4 - HKCU\..\Run: [PrcIdle]
O4 - HKCU\..\Run: [utsgmon]
O4 - HKCU\..\Run: [TForm1]
O4 - HKCU\..\Run: [teqq32]
O4 - HKCU\..\Run: [br0ken]
O4 - HKCU\..\Run: [Kargo]

The second drop:

O4 - HKLM\..\Run: [RtlFindVal]
O4 - HKLM\..\Run: [uio]
O4 - HKLM\..\Run: [jopplerg]
O4 - HKLM\..\Run: [XTermInit]
O4 - HKLM\..\Run: [ParisM]
O4 - HKLM\..\Run: [ExchangeMaster]

http://www.wareout.com/


Wartrojan

Also known as: Wartrojan.160 Wartrojan.200

This is a RAT Trojan that has the ability to gain access to your computer through port 4201.


Way.240

This is a RAT Trojan that has the ability to gain access to your computer through port 8011.


Wazam

Also known as: SearchBlaster SBar

An IE toolbar providing search features.

http://www.wazam.com


WCTrojan

Also known as: WCTrojan.100


WeatherScope

Also known as: Weather Scope

From the Website: Weatherscope is provided free by GAIN Publishing, Inc. This application is part of the GAIN Network. This software occasionally displays pop up ads on your computer screen based on your online Web surfing behavior.

http://www.weatherscope.com/


Web Behavior

Also known as: mach

This is a BHO that looks to write data to a file called mach.cvs in the windows folder. Seems to be a "clientman" variant.


Web3000

Also known as: Web 3000

Web3000 displays advertisements and redirects searches in Internet Explorer.

http://www.web3000.com


WebBullion

It's ad-supported software. Gives points to the user while connected to the net and showing ads.


WebCam Worm

Also known as: Email-Worm.Win32.Botter.a, W32/Dref-E (Sophos), WORM_DREFIR.D (TrendMicro)

WebCam Worm is an IRC backdoor that gives its author control of an infected computer through Internet Relay Chat (IRC). One of the malicious exe files acts as a server exchanging commands. It creates a folder 'Programs' (path C:\WINDOWS\system32\Programs), which contains 46 variants of the same malicious file, but with different names. This worm propagates via Internet Relay Chat (IRC). It connects to the following IRC servers: eu.undernet.org, irc.dal.net, irc.efnet.net, irc.fr.ircnet.net, irc.ircnet.ee, irc.quakenet.org, irc.rizon.net, irc.us.ircnet.net, random.ircd.de, us.undernet.org. It then joins a chatroom and initiates Direct Client-to-Client (DCC) sessions to send copies of itself, under the different file names it has in the 'Programs' folder, to users in the same chatroom as the affected system. This worm disables antivirus notifications, disables firewall notifications, overrides the firewall, disables update notifications, and disables the automatic startup of other software. It adds false IPs for the URLs of more than 50 popular antivirus companies to the hosts file.


WebDir

Also known as: Adware.WebDir (Symantec)

WebDir is an Internet Explorer Browser Helper Object that modifies specific URLs of the web page visited to include an affiliate ID. Downloads an encrypted file from its controlling server that contains URL instructions and stores it in %Temp% directory.


WebHancer

Also known as: Webhancer Ad Client Customer Companion

Comes bundled with a freeware program (splitter.exe). Sends the URLs visited to its Server. Can update itself.

http://www.webhancer.com/


WebMiner

WebMiner allows the user to easily extract files from any number of web sites.

http://download.cnet.com/WebMiner/3000-2071_4-10060172.html


WebRebates

Also known as: web rebates top rebates toprebates

Tracks the user's Internet activity and pops up rebate messages for certain sites. This is typically bundled with other software.


Websearch

Also known as: Web Search TROJ_NARRATOR.A (Trend Micro) ADW_WEBSEARCH.B WebSearchToolbar

This is related to Huntbar.

http://www.websearch.com/


WebSecureAlert

Also known as: Web Secure Alert

DateManager is a tool that occasionally displays pop-up ads on your computer screen based on your online Web surfing behavior.

http://www.websecurealert.com/


WebThisWebThat

Also known as: WebThis WebThat , Web This Web That

WebThisWebThat adware removes the first and second search results and shows paid advertisements in their place. The only difference is that they don't have the "cached version" link available. A click on these leads you to a "search engine" that returns nothing but paid advertisements.


WeBuying

Also known as: Web Buying

Web Buying has developed a product for both the consumer and advertisers in the form of contextually relevant advertisements. These ads display products and services related to the interest of the shopper. Using an advanced online shopping manager, it's possible for an advertiser to target specific keywords, URLs and regions to get the most for each ad dollar spent.

http://webbuying.net/


Whazit

Also known as: Wahzit whazitt

Hijacks browser pages and pops up ad windows. Related to N-Case from 180Solutions. Their domain name is listed for sale. Legacy versions may still be circulating on the internet.

http://www.whazit.com/


WhenU-BrowserToolbar

Also known as: WhenUsearch SideFinder WhenU-Search BrowserToolbar

The Toolbar selects which ads and offers to show you based on several factors, including: which webpages you visit, search terms you use while searching online, your local zip and/or country code, and content of the webpages you view. The Toolbar displays contextual ads and offers in the form of rotating text links accessible from within the application. Note: WhenU has made changes in distribution practices and to our knowledge no longer uses third parties or bundling to distribute their application. Distribution appears to be in-house only and bundles only contain WhenU products. Research shows that WhenU now makes it clear that advertising will be shown in the End-User License Agreement (EULA). Users who desire this shopping application should not remove it.

http://www.whenu.com/pc_whenusearch.html


WhenU-ClockSync

Also known as: ClockSync

From the Website: The ClockSync! software bundle from WhenU.com includes both Save! and ClockSync. By downloading the Save/SaveNow software ("the software"), you give permission to WhenU.com ("WhenU") to display relevant contextual information and offers. The software selects which ads and offers to show you based on several factors, including: which Web pages you visit, search terms you use while searching online, content of the Web pages you view and your local zip code (if you have supplied it). The software protects your privacy by uploading a database of content in small chunks to your desktop and then determining on your desktop whether to retrieve information from WhenU or third-party servers. To protect your privacy, the same database of content is sent to all desktops. Decisions regarding which ads to retrieve to an individual desktop are all processed on the individual user's desktop - and isolated from WhenU servers. In this way, WhenU is able to deliver to you relevant coupons, information and advertisements without sending all of your browsing activity back to WhenU and without establishing any profile about you (even anonymously) on WhenU servers. Note: WhenU has made changes in distribution practices and to our knowledge no longer uses third parties or bundling to distribute their application. Distribution appears to be in-house only and bundles only contain WhenU products. Research shows that WhenU now makes it clear that advertising will be shown in the End-User License Agreement (EULA). Users who desire this shopping application should not remove it.

http://www.clock-sync.com/


WhenU-DesktopBar

Also known as: WUSearchBar WhenU-Search WhenU Desktop Bar

From their website: Exclusive Savings and Search Results Always on your Desktop The SearchBar provides immediate access to powerful Internet search and navigation functionality, while delivering contextually relevant text-based offers, discounts, and coupons. Unlike traditional browser toolbars, WhenU's unique SearchBar allows you to have quick access to the Internet, search and email without ever opening a browser window. Additionally, the contextual slider continuously presents you with non-intrusive text-links embedded within the toolbar as you continue to navigate the Internet. Displays advertising content. Monitors internet traffic, collects search profiles, and can execute code from a remote server using its update feature only. Relevant searches may cause it to display a special offer, coupon, or other advertising content. The adware may also display advertisements. Note: WhenU has made changes in distribution practices and to our knowledge no longer uses third parties or bundling to distribute their application. Distribution appears to be in-house only and bundles only contain WhenU products. Research shows that WhenU now makes it clear that advertising will be shown in the End-User License Agreement (EULA). Users who desire this shopping application should not remove it.

http://www.whenu.com/products_whenusearch.html


WhenU-FanzoneToolbar

From the EULA: The Toolbar selects which ads and offers to display to you based on several factors, including: URLs associated with webpages you visit, search terms that you type into search engines and into the Toolbar, your local zip and/or country code, and HTML content of the webpages you view. Note: WhenU has made changes in distribution practices and to our knowledge no longer uses third parties or bundling to distribute their application. Distribution appears to be in-house only and bundles only contain WhenU products. Research shows that WhenU now makes it clear that advertising will be shown in the End-User License Agreement (EULA). Users who desire this shopping application should not remove it.

http://www.fanzonetoolbar.com


WhenU-PriceBandit

Also known as: PriceBandit Toolbar Price Bandit WhenUSearch PriceBandit WhenUShop

From the Website: PriceBandit's mission is to save Internet shoppers time, money and aggravation. WhenU.com, Inc. ("WhenU.com") respects the privacy of PriceBandit users, and at the same time tries to provide highly valuable and useful services. In order to achieve this: WhenU.com's policy is not to share any user's personal information or usage behavior with third parties, unless permission to do so is given by the user. Users may periodically receive an email alerting them to various offers or information (from WhenU.com or from others). WhenU.com may collect user information such as gender, age and zip code to compile anonymous trend information about Internet and WhenU.com usage patterns. WhenU.com compiles statistics by aggregating information across large numbers of users. These statistics may be provided to third parties. When you elect to download their toolbar you also get Savenow. Note: WhenU has made changes in distribution practices and to our knowledge no longer uses third parties or bundling to distribute their application. Distribution appears to be in-house only and bundles only contain WhenU products. Research shows that WhenU now makes it clear that advertising will be shown in the End-User License Agreement (EULA). Users who desire this shopping application should not remove it.

http://www.pricebandit.com/Pbandit


WhenU-SaveNow

Also known as: SaveNow Save Now Save

From their website: Relevant Offers When You Need Them SaveNow, with TrueRelevance, is a program that delivers you relevant offers, coupons, comparison shopping results and advertisements based on your browsing habits. The goal of SaveNow is to show users information about relevant products and services - right at the moment when they need it. However, to ensure that our consumers have an enjoyable online experience, WhenU limits the frequency of these offers so as not to be intrusive. When consumers download the popular music-swapping software BearShare, they are also downloading SaveNow, which comes bundled with it. SaveNow is either a comparison-shopping service or a form of adware, depending on who's describing it. Displays advertising content. Monitors internet traffic, collects search profiles, and can execute code from a remote server using its update feature only. Relevant searches may cause it to display a special offer, coupon, or other advertising content. The adware may also display advertisements. Note: WhenU has made changes in distribution practices and to our knowledge no longer uses third parties or bundling to distribute their application. Distribution appears to be in-house only and bundles only contain WhenU products. Research shows that WhenU now makes it clear that advertising will be shown in the End-User License Agreement (EULA). Users who desire this shopping application should not remove it. It resides on consumers' hard drives and pops up advertisements and coupons. The ads are served from the WhenU.com site and are now more clearly labeled. WhenU claims that they do not track user data, do not use cookies, track clickstream data, or compile a centralized database of users, and that they do not engage in any type of user profiling. It is notable that the advertisements that SaveNow serves will set cookies for 3rd party affiliate/tracking networks.
Comments submitted by Ben Edelman, a Harvard Law student and PhD candidate, to the FTC cite possible violation of WhenU's privacy agreement. Excerpt from Edelman's comments: 16. I have reviewed the WhenU privacy policy, and I have concluded that WhenU violates this policy when it transmits to its servers some of the specific URLs viewed by WhenU users. The policy reads, in relevant part, as follows: 'As the user surfs the Internet, URLS visited by the user (i.e. the user's 'clickstream data') are NOT transmitted to WhenU.com or any third party server.' 17. In my examinations, it is true that WhenU software does not transmit to its server all URLs visited by WhenU users. But WhenU software does transmit to its server some URLs visited by WhenU users. Since WhenU's privacy policy seems to promise not to transmit any URLs visited by WhenU users ('URLs are not transmitted'), I consider WhenU's transmissions to be in violation of its privacy policy. Mr. Edelman's full article can be viewed at: http://www.benedelman.org/spyware/whenu-privacy

http://www.whenu.com/products_savenow.html


WhenU-UControl

UControl is a WhenU product, but it is in collaboration with Aluria Software. SearchBar may also include a pop-up blocker and anti-spyware software. The anti-spyware software will scan your system for potentially dangerous spyware and remove such programs. The privacy policy for the UControl anti-spyware software that may be included with your SearchBar is available at http://www.aluriasoftware.com/other/privacy/ Note: WhenU has made changes in distribution practices and to our knowledge no longer uses third parties or bundling to distribute their application. Distribution appears to be in-house only and bundles only contain WhenU products. Research shows that WhenU now makes it clear that advertising will be shown in the End-User License Agreement (EULA). Users who desire this shopping application should not remove it.

http://www.peer2mail.com/whenu/


WhenU-WeatherCast

WeatherCast is a free software application that provides continuous access to your local weather directly from your system tray - with instant access to a detailed 5-day forecast, as well as maps and radar images. WeatherCast features include: * Current temperature, wind speed, humidity, wind chill, UV index, and heat index * 5-day forecast for all major U.S. and cities * 48-hour detailed forecast * U.S. and worldwide radar images Note: WhenU has made changes in distribution practices and to our knowledge no longer uses third parties or bundling to distribute their application. Distribution appears to be in-house only and bundles only contain WhenU products. Research shows that WhenU now makes it clear that advertising will be shown in the End-User License Agreement (EULA). Users who desire this shopping application should not remove it.

http://www.whenu.com/products_weathercast.html


WhileYouSurf

It displays advertisements.

http://www.whileyousurf.com


WhistleSoftware

Internet Explorer browser tool allows you to view and access information including local weather conditions, local and national news headlines, market and stock watch, Web searches, movie listings, TV listings and jokes. Displays advertisements.

http://www.whistlesoftware.com


Whiteout

This virus' intent is to completely hinder the victim's PC by deleting all help files as well as thousands of critical system files.


WierdontheWeb

Also known as: Wierd on the Web Weirdontheweb Weird on the Web

This is an adware program that originates from www.weirdontheweb.net. Once installed on your computer, it will autostart and begin to show you advertisements. It does have a standard uninstaller that can be found in the add/remove programs.

http://www.weirdontheweb.net


Wild-Flics

Also known as: Dial/Direct-B (SOPHOS), Direct Dialer Wild Flics

WildFlics is a dialer program that dials an international number to access adult content sites. By the Author: By using this software, your modem will dial a domestic premium telephone number. Domestic premium rates apply.


Win.X

This is a trojan that runs a bot service that can transmit sensitive information to the attacker.


Win16.BadSector

Also known as: Trojan.Win16.BadSector Snake.b Trojan 2575 Troj/Shell32-A Trojan:Win/BadSector TROJ_IE TR/BadSector Win:Shell32 Trojan.Badsector.A

From Viruslist.com: This Trojan was sent to several Internet newsgroups in August 1998. The Trojan itself is a 25Kb Windows executable file (NE format) written in Pascal. It accesses the network and sends random messages to the Internet. When run for the first time, the Trojan just installs itself in the system. It copies itself to the Windows system directory with the SHELL32.EXE name and registers in the system Registry in HKEY_LOCAL_MACHINE section: SOFTWARE\Microsoft\Windows\CurrentVersion\Run shell32.exe


Win32.AdClicker

This Trojan downloads many executables. It changes the autostarter randomly. It also hijacks the desktop and sets a wallpaper saying that the system is affected, advertising a site, "smart-security.info". It duplicates each and every file that the user creates, with the same name and in the same directory.


Win32.Agent.dn

Win32.Agent.dn is an IRC backdoor Trojan, which runs continuously in the background, providing a backdoor server on port 6667. It connects to an Internet Relay Chat (IRC) server and joins a specific channel, where it listens for instructions. The instructions it receives are carried out locally on affected machines.


Win32.AIM.IMG54741

Also known as: Win32 AIM IMG54741

This worm sends one of the following messages to buddies in the AIM contact list on the infected machine: great picture :) <Clickable URL> OR not a right time to take a picture haa :-) <Clickable URL> When the buddy clicks this link, it will cause files such as lockbr.exe to be downloaded and executed, which in turn downloads and installs programs such as 'Zango','180 Search Assistant','Windupdates' and its variants, 'Media Access' and 'Media Gateway'.


Win32.Collector

Also known as: TROJ_COLLECTOR.A (Trend Micro)

On execution, it connects to http://la.private.armterdamlivexxx.com.


Win32.Delf.bgk

Also known as: Trojan-Downloader.Win32.Delf.bgk (Sunbelt) Trojan-Downloader.Delf.N

Downloads files from a preconfigured website, then executes the files.


Win32.Dialer

Also known as: DIAL_PegasusTelecom (TrendMicro) Trojan.Win32.Dialer.cj

This is a Russian born dialer that downloads a file called syswin.exe into the WINDOWS directory. Once it is installed, it will create an autostarter to begin as soon as the computer starts. It is installed by exploiting Windows Media Player 10.


win32.Dialer.gsa

win32.Dialer.gsa tries to connect to a pornographic site using a dial-up modem.


Win32.Downloader.biz

Win32.Downloader.biz is a Trojan downloader that connects to a Business Information Zone (BIZ) domain and drops Trojans, worms and spyware onto the user's machine. More than one piece of malware is injected into the user's machine, which causes huge damage to the system.


Win32.Dyfuca.a

Also known as: TrojanDownloader.Win32.Dyfuca.a Download.Trojan Dial/DyFu-A Trojan:Win32/Dyfuca Win32:Trojan-gen. Dialer Trojan.Downloader.Dyfuca.A

This family of Trojans is designed to download a variety of adware and spyware to victim machines. It spreads via the Internet as the Internet Optimizer utility.


Win32.ExeBundle.272

This is a trojan dropper.


Win32.Exploit.MS05-002.Anr

Also known as: EXP/MS05-002.Ani.A (AntiVir) Win32:AniExploit (Avast) Exploit.Win32.MS05-002.Gen (Bit Defender) Trojan-Downloader.Win32.Ani.c (Kaspersky) Exploit:Win32/MS05-002 (Microsoft)

Win32.MS05-002 exploit is a generic detection of animated cursor/icon files. This malware drops an .anr file onto the user's machine and attempts to exploit a vulnerability in cursor and icon file format handling. More information is available here: http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx


Win32.Exploit.MS05-054.Js

Also known as: JS/MS05-054!exploit (CA)

The impact of this vulnerability is remote execution of malicious code. For more information, visit: http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx


Win32.GreenScreen.099

Also known as: TrojanSpy.Win32.GreenScreen.099

This is spyware that installs itself to the system, hides itself and then captures screen images and saves them to disk files in encrypted form. Thus it allows a hacker to watch screen images.


Win32.Greetyah.a

Also known as: TrojanDownloader.Win32.Greetyah.a Trojan.GreetCard.3072 NED-09 TrojanDownloader:Win32/Greetyah Win32:Greetman Downloader.Greetyah.A Trojan.Downloader.Greetyah.A

From Viruslist.com: Greetyah downloads a file from the internet and sets an auto-run key in the system registry in order to establish automatic starts. A mass mailing of this trojan program was detected on March 17th, 2003. Message text appears as follows:

Date: Mon, 17 Mar 2003 14:57:57
From: replymsg@g1.gc.vip.sc5.yahoo.com
To: Ivan Petrov
Subject: Elena_M sent you a Yahoo! Greeting

Yahoo! Greetings

Surprise! You've just received a Yahoo! Greeting from from "Elena_M" (elena_m@mail.ru)! To view this greeting card, click on the following Web address at anytime within the next 30 days. http://view.greetings.yahoo.com/greet/view?***********

If that doesn't work, go to http://view.greetings.yahoo.com/pickup and copy and paste this code: BJWU37Y2S4A

Enjoy! The Yahoo! Greetings Team

© 1996-2003 Yahoo! Greetings http://greetings.yahoo.com/

The program's size is 3072 bytes and is written in the Assembler programming language. At start the program displays the following message box:

Next the program downloads the file: sysman32.exe from the site: http://view-greetings-yahoo.com

The file "sysman32.exe" contains the other trojan program: Trojan.WebMoney.WMPatch.b

The trojan program copies this file to the Windows system directory and establishes an auto run key (for automatic starts) in the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemManager=\sysman32.exe

The program also contains the following encrypted strings: Error Error on line 25: invalid object Do you want to debug? InternetOpenA InternetOpenUrlA InternetReadFile RegOpenKeyA RegSetValueExA RegCloseKey CloseHandle CreateFileA GetSystemDirectoryA WriteFile wininet.dll advapi32.dll kernel32.dll


Win32.Keylogger

Also known as: TrojanSpy.Win32.KeyLogger

This has a keyboard logging function, which is intended to steal information from users of a range of on-line payment systems. Once the information has been stolen it is then sent to the author's email.


Win32.KIM

Also known as: TrojanSpy.Win32.Avl TrojanSpy.Win32.DKS TrojanSpy.Win32.KIM TrojanSpy.Win32.VB

This trojan horse works under Windows and covertly logs all opened windows and button presses. It creates a log file named "key.dl" in the directory where Windows is installed.


Win32.Ladder

Also known as: Trojan-Downloader.Win32.Ladder


Win32.Litmus

Also known as: Backdoor.Litmus(Symantec)

Win32.Litmus allows a remote hacker to control the system through IRC channels.


win32.loader.mvenu

Also known as: mvenu loader

A Trojan downloader that downloads adware applications to display pop-up advertisements.


Win32.Mech.IRCbot

Also known as: Win32/Mechbot.D (NOD32) Win32:Mechbot EnergyMech

Once this product is installed through its main executable (postcards.exe), it drops an invisible IRC client that communicates with the distributor through undernet.org. This trojan may be more of a danger to larger networks due to the length of information it sends back to the distributor.


Win32.Opasoft

Also known as: Win32.Opasoft.a Win32.Opasoft.b Win32.Opasoft.d Win32.Opasoft.e Win32.Opasoft.i Win32.Opasoft.j Win32.Opasoft.l Win32.Opasoft.o Win32.Opasoft.p Win32.Opasoft.q

The worm attempts to connect to the site of a Ukrainian mobile services provider http://sim-sim.com and send an SMS containing the IP address of the victim machine to +7050196XXXX.


Win32.p2p.msconfig

Also known as: W32/Rbot-ECQ(sophos) Backdoor.Win32.IRCBot.qc(Research-sunbelt.com)

This is a P2P-related worm. When running on the machine, it invokes the P2P application and starts spreading copies of itself as WINRAR archives. It also downloads other malware that may crash the whole system. It installs a service that runs in the background and invokes the P2P application each time it is terminated.


Win32.Pipeline

Also known as: Win32.Image23, Pipeline Worm Image23

This is a worm that affects AIM. Once a machine is infected, a process called csts.exe starts running. This file makes constant calls to suspicious websites, which slows down your internet use. It also creates a service called RPC Debug Control that starts with Windows. There is also evidence of another service called "Print Spooler Service" being related to this botnet worm. The worm spreads through the infected user's AIM buddy list: contacts receive a message giving the user some excuse to click a link that will end in an image. Clicking on the link runs an image#.com file that infects the machine and makes it part of the botnet. Users should also be on the lookout for a "wowexec.exe" process in the task manager that does not show any memory usage. This process is directly related to the rootkit that is also installed by this worm.


Win32.Sevgi.a

Also known as: Trojan.Win32.Sevgi.a

When run, this Trojan horse shows a message box with an animated picture and starts changing the mouse pointer position every half a second, making the computer difficult or even impossible to operate. The Trojan also blocks several keyboard keys, including ESC, CTRL, ALT, DEL and others. It installs itself as SYSFILE.EXE in the \Windows\System\ folder and modifies the Registry so that it runs on the next Windows startup. After reboot, working with an infected computer will be impossible.


Win32.Small.me


Win32.Small.ue

Also known as: W32/Dropper.ADV (Authentium) Trojan-Dropper.Win32.Small.ue (Kaspersky) Generic Downloader.g (McAfee)

Win32.Small.ue is a trojan downloader, which drops malware binaries over the user's machine.


win32.spin

w32.spin is a fake hacking application. It poses as a way to attack MSN users. Instead, it opens several web pages that lead to prank websites.


Win32.Stervis.b

Also known as: svcproc

Intermittently changes Internet Explorer settings.


Win32.Stration

Also known as: Warezov

W32.Stration is a mass-mailing worm that sends itself to all the email addresses gathered from the compromised computer. It also blocks access to several security-related websites by modifying the Windows Hosts file.


Win32.Surila.k

Also known as: Backdoor.Win32.Surila.k BackDoor-CEB Backdoor.Nemog.D W32/Surila-C

Win32.Surila.k is a program that allows an infected computer to be used as an email relay and http proxy. It also blocks access to several security-related Web sites.


Win32.sus

This is a trojan download originating from a Christian related forum site.


Win32.Tansid.A

Also known as: Trojan.BHO.KB290333, Adware-BHO.gen.b (McAfee), Win32/JCopen!DLL!Trojan, Trojan.Win32.Agent.fc (Kaspersky)

Win32.Tansid.A is a downloader Trojan that installs as a Browser Helper Object.


Win32.Tepille

Also known as: Trojan.Win32.Tepille

This trojan does not destroy data on the computer, but locks it instead. On the next Windows startup the trojan is auto-started, locks the system and displays an image of eyes and lips. The keyboard and mouse are locked, and the only way to exit is the Reset key, but on the next startup the trojan starts again.


Win32.Tibick

Also known as: P2P-Worm.Win32.Tibick W32.Tibick Win32.HLLW. WORM_TIBICK. Worm/Tibick.f.2 Worm/Tibick.F Win32.Worm P2P.Tibick.F Worm.P2P.Tibick.F W32/Tibick.C.worm Win32/Tibick.G

This worm is spread via Peer to Peer. Here is a list of the filenames that this worm will use. half-life 2 vu games crack.exe counter-strike condition zero keygen.exe enter the matrix atari crack.exe doom 3 activision crack.exe age of mythology - the titans no cd crack.exe half-life 2 no cd crack.exe heroes of might & magic iv no cd crack.exe diablo 2 no cd crack.exe adobe acrobat reader crack.exe final fantasy xii role-playing square enix crack.exe all macromedia products keygen.exe halo 2 crack.exe dragon ball z - budokai 3 atari crack.exe adobe photoshop all.exe final fantasy vii - advent children psp role-playing square enix crack.exe flashfxp v1.4.1 crack.exe backyard baseball 2003 no cd crack.exe harry potter and the sorcerers stone no cd crack.exe crusader kings strategy paradox entertainment crack.exe age of mythology no cd crack.exe fire emblem - seima no kouseki gba role-playing nintendo crack.exe flashfxp v2.0 crack.exe battlefield vietnam multiplayer online crack.exe icewind dale 2 no cd crack.exe driv3r atari crack.exe battlefield vietnam ea games crack.exe freedom force no cd crack.exe flashfxp v2.2 crack.exe blitzkrieg - burning horizon strategy cdv software gmbh crack.exe jedi academy no cd crack.exe dungeon siege no cd crack.exe call of duty activision crack.exe geist gc nintendo crack.exe forgotten realms - demon stone atari crack.exe city of heroes role-playing ncsoft crack.exe kingdom hearts ii role-playing square enix crack.exe dark age of camelot - trials of atlantis no cd crack.exe adobe golive v6.0 keygen.exe grand theft auto 3 no cd crack.exe goblin commander - unleash the horde strategy jaleco entertainment crack.exe classic nes series - the legend of zelda gba role-playing nintendo crack.exe imesh patch.exe knights apprentice memoricks adventures games crack.exe dark matter - the baryon proj crack.exe adobe imageready v1.0 crack.exe grand theft auto vice city no cd crack.exe grand theft auto san andreas no cd crack.exe command & conquer - 
generals zero hour no cd crack.exe dragon warrior viii role-playing square enix crack.exe divx player and codec.exe age of empires ii the age of kings no cd crack.exe half-life 2 keygen.exe harry potter and the prisoner of azkaban adventure ea games crack.exe credit card generator.exe ad-aware pro crack.exe far cry ubisoft crack.exe alias acclaim crack.exe halo - combat evolved - microsoft no cd crack.exe download accelerator plus (spyware free).exe adobe photoshop 7 keygen.exe fable role-playing microsoft crack.exe flashfxp 2 rc2 crack.exe avant browser.exe harry potter & the sorcerers stone no cd crack.exe dragon ball z - supersonic warriors gba atari crack.exe adobe serial generator v2.0.exe final fantasy xi - square enix usa no cd crack.exe flashfxp v1.4.3 crack.exe battlefield 1942 no cd crack.exe hidden & dangerous 2 no cd crack.exe cubase audio xt 3.x crack.exe backyard wrestling 2 - there goes the neighborhood eidos interactive crack.exe forgotten realms - demon stone crack.exe flashfxp v2.1 crack.exe besieger strategy dreamcatcher interactive crack.exe icq pro 2003b.exe dungeon lords role-playing dreamcatcher interactive crack.exe blinx 2 - masters of time & space microsoft crack.exe full spectrum warrior strategy thq crack.exe flashget.exe call of duty no cd crack.exe joint operations - typhoon rising novalogic crack.exe espn nfl 2k5 sega crack.exe command & conquer - generals zero hour strategy ea games crack.exe gran turismo 4 scea crack.exe front mission 4 strategy square enix crack.exe civilization iii crack.exe icq 4.exe juiced acclaim crack.exe f.e.a.r. 
vu games crack.exe adobe illustrator v10.0 time limit crack.exe grand theft auto iii no cd crack.exe grand theft auto - san andreas rockstar games crack.exe command & conquer - generals no cd crack.exe doom 3 no cd crack.exe limewire server scanner.exe deus ex invisible war no cd crack.exe adobe pagemaker v7.0 keygen.exe gta crack.exe CAUTION: DO NOT delete the file names listed above even if you find them on your computer. Use a cleaning application to identify infection and remove it. You can find a freeware cleaner that picks up this infection at http://www.xblock.com/installer.shtml


Win32.Trasher

Also known as: Trojan.Win32.Trasher

The Trojan "sleeps" for about three minutes, and then creates a TRASH.BIN file in the Windows directory, and then writes to this file garbage in an endless loop; thus, decreasing hard-drive free space by filling it with useless data.


Win32.Troj.proxyagent

Also known as: NTRootKit-R (McAfee) Win32/TrojanProxy.Agent.JL (NOD32)

When run, Win32.Troj.proxyagent creates a file named msdirect.sys. It also downloads a number of other trojans and connects to porn sites.


Win32.Trojan.ProgramControl

This Trojan is installed by a trojan downloader and connects to remote servers.


Win32.Trojan.Small.mi

Also known as: Trojan.Win32.Small.mi

This trojan spreads through the computer using encrypted JavaScript. It downloads other malware binaries.


Win32.VB.aw

Also known as: Trojan Backdoor.Win32.VB.aw (Trend Micro)

This is a trojan backdoor that allows the attacker to gain full access to the compromised PC. Once installed, the attacker can also chat with the victim through files installed through the trojan package.


Win32.Welchia

This is a mass mailing worm.


Win32.Wisria

Win32.Wisria is a worm that spreads to contacts stored in Skype Instant Messenger. It does this by sending a Skype chat message containing a malicious link to all contacts in Skype. Once the link is clicked, a malware file is downloaded and executed, which in turn downloads additional files and spreads further. This worm has the ability to check whether or not it is being debugged, so that it can modify its behavior. It also targets some security applications. More information about this threat can be found at http://blog.spywareguide.com/2007/05/new_skype_worm_variant.html


Win32.Worm.Spammer

This worm drops more binaries on the infected machine and connects to a random SMTP server to send spam mails.


Win32.Xalnaga.a

Also known as: Trojan.Win32.Xalnaga.a

When run, this Trojan modifies Registry keys. As a result, Windows stays mostly non-functional: all icons on the Desktop are removed, so it is not possible to reboot the machine in the usual way.


Win32/Downloader.Wren

Win32/Downloader.Wren is a family of Trojan horse programs that try to download and install other files from the internet without the user's consent or knowledge. This family of Trojans is not runtime compressed.


Win32/Sinowal

Also known as: Win32/Sinowal.CP(FSecure)

Win32/Sinowal is an information-stealing trojan. It also drops other malicious files onto the infected computer. It injects its DLL into other processes to monitor them.


Win32/VB.DA

Also known as: W32.HLLW.Gaobot.BB (Symantec)

This worm connects to crack sites and updates the serials of the software present on the computer. It adds files such as cmd.com, netstat.com and ping.com, which execute before the actual command processor does. Uses port 135.


Win32Info

If installed, attackers will get complete control over your computer.


Wina

Connects to the internet and posts data to its server.


WinAd

Also known as: Twisted Humor Winad windupdates

This is a parasite loaded to your computer by downloading games and animations from Twistedhumor.com.

http://www.twistedhumor.com


Winadiscount Toolbar

Also known as: Winadiscount (Sunbelt)

Winadiscount Toolbar is an ad-supported Internet Explorer search toolbar. Searching from the toolbar takes you to a page of sponsored links on the Winadiscount website. The toolbar includes a pop-up blocker feature, which is not currently working. The pop-up manager link gives a page-not-found error. There are two additional buttons for Shopping and Movies, which link to sponsored links.

http://www.winadiscount.com


WinAntiSpyware

Also known as: WinAntiSpyware 2005 WinAntiSpyware 2006

A rogue anti-spyware application which displays false positives in order to goad the user into registering.

http://www.winantispyware.com


WinAntiVirus

Also known as: win antivirus WinAntiVirus winantivirus 2005 winantivirus 2006 winantivirus 2007 antivirus xp 2008

WinAntivirus may collect the user's information. From the Privacy Policy: They may disclose collected user information to advertisers and/or business partners. Known to issue questionable false positives on clean installs of Windows XP.

http://www.winantivirus.com


WinCrash

Also known as: WinCrash.100 WinCrash.103


WinDialer

WinDialer is a user-friendly Internet Dialer that connects you to your ISP and makes the Internet easier to access and monitor. It also integrates a POP3 e-mail client that can periodically check your Inbox for new mail. Its main features are: support for multiple providers, cost tracking for each provider, auto-reconnect feature, comprehensive warning system, keep-alive function, tweaking the Dial-Up Networking, and custom sounds for various events. It is unknown if legacy versions of this software are still in circulation.


Windows AdService

From the Author: Windows AdService is free ad delivery software which provides targeted advertising offers.


Windows FastS Toolkit

This is an adware-related browser plug-in tool. Once installed, it matches keywords the user searches for in search engines against keywords in a DAT file to show you advertisements.


Windows Search Bar

Also known as: Windows searchbar

Relatively new adware, not much known about it. There are reports of it creating a file in: C:\WINDOWS\SYSTEM\SearchBar.htm


Windrv

This program is a BHO. It hijacks searches and returns its own search results. A file called Camplugin.exe downloads it. Windrv is a startup program.


Windupdates

Also known as: Windows AdTools winad DeskAd Service DeskAd.Service

From the Website: You downloaded Wind Updates from a Website that is able to offer its content for free because it shows the Wind Updates ActiveX popup. You also specifically agree to abide by the Software Licensing Agreement and Terms and Conditions of Golden Palace.com, n-CASE Privacy Policy, BetterInternet End User License Agreement and Bargain Buddy License Agreement.

http://www.windupdates.com/


WinFavorites

Also known as: Bridge Adware.WinFavorites WinFavorites Flingstone Bridge


WinFetcher


WinFixer Trial

Also known as: Winfixer2005 Winfixer 2005 misc.winsoftware.winfixer

Typically installed through exploits and bundled with spyware/malware, Winfixer scans automatically after installation and reports errors of broken links, registry problems and other errors, even on a clean install of Windows. You have to register the product in order to discover what the errors actually are. Winfixer's report details are vague. Winfixer also communicates with a tracking server for tracking its affiliate program.

http://www.winfixer.com


Winhost

Also known as: TROJ_LOLAWEB.B, TROJ_LOLAWEB.C

LolaWeb.winhost drops a copy of itself named WINTT.EXE or WINH.EXE in WinDir and adds itself to the registry so that it starts each time a user logs in. It also steals passwords.


Winhound Spyware Remover

This is a rogue anti-spyware. This will show the user false positives in order to get them to purchase. Can also be installed through exploits.


Winnook Trojan

Also known as: Spyre.A (Grisoft) TROJ_TOPANTSPY.C (Trend) Adware/TopSpyware (Panda) Troj/Spyre-C (Sophos) Trojan.Win32.TopAntiSpyware.l (Kaspersky)

Changes the Windows desktop background to black and displays a message that you are in danger. Clicking on the fake text takes you to antivirus-gold.com.


Winpage

Also known as: Winpage Blocker (Paretologic)

It is a browser changer. It modifies the default home page of Internet Explorer and points it to the website www.netspry.com. It also logs the internet activity of the browser.

http://www.netspry.com


Winpop

Winpop displays pop-up advertisements.


Winpup

Also known as: Winpup.exe winpup32.exe

This is an adware component that generates a lot of adware via popups. This file will generate other file names called winpup32.exe, winpup.exe and random.exe.


WinShell

Also known as: Backdoor.WinShell.50 BackDoor-TC

As reported from Symantec: Backdoor.WinShell.50 is a server program that allows unauthorized access to an infected computer. The Backdoor will listen on port 8719. This piece of malware, along with Trojan.Stealther.B, has recently been found on systems that the Microsoft DCOM RPC vulnerability has exploited.


Winshow

Also known as: SearchV

Winshow is a pop-up opener implemented as an Internet Explorer Browser Helper Object, controlled by 00hq.com. The origin is currently unknown. When a targeted word or phrase is spotted in a web site you are viewing in Internet Explorer, Winshow may open a pop-up advert. So far adverts have been served from 00hq.com and 8ad.com. It can download and execute arbitrary unsigned code from its controlling server, as a self-updating feature. Currently used by "SearchV". They used to be (yet another) search engine site, but now every page requested redirects to porn. The SearchV program changes your homepage to their own.

http://www.00hq.com


Winspoe

Winspoe will hijack your browser.


Winsync

Also known as: Troj.Winsync (Sun-Belt) Web-nexus

This program drops several files with randomly generated names onto the user's machine. There is an uninstaller, but it must be downloaded from their site separately. Please refer to the section on Manual Removal for their uninstall information. Monitors the user's browser activities and shows advertisements based on the user's viewing habits.

http://www.web-nexus.net/index.php


WinSysBan

Also known as: winsysupd Troj/Winsysba-A(SOPHOS) Troj/Winsysba-C(SOPHOS)

Downloads files without the user's consent.


Wintouch

Also known as: Trojan-Downloader.Matcash (SunBelt)

Wintouch downloads additional files and displays pop-up advertisements.


WinWebSecurity

This is a rogue antispyware. This should be removed from your computer if found.

winwebsecurity.com


Winzip Exploit

A vulnerability has been identified in Winzip version 10.0 Build 6667 which is exploited by remote attackers to execute arbitrary commands. The first flaw is due to errors in the "WZFILEVIEW.FileViewCtrl.61" ActiveX control that does not validate input passed to CreateNewFolderFromName methods.


WishBone

Also known as: Wish Bone

Wishbone adds a toolbar to Internet Explorer. It changes Internet Explorer's homepage and search page.


WishMaster

Also known as: Backdoor.WishMaster


WmSig106

This is a trojan that installs files in order to remotely control partial activity of the victim PC. Once fully installed, it will run searches in lesser known search engines that are usually pornographic in nature. Removal is difficult due to its use of rootkits.


WmvDown-B Trojan


WNAD

Installed via downloads from the "Twisted Humor" website (twistedhumor.com). These executable downloads include games and animations with a .exe extension. Upon installing a TwistedHumor download, the installer writes the following other files in addition to the game/animation program: wnad.exe, wnad.dat and wnad-update.exe. The program may also write a wnad.log file. It then adds a registry key in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that wnad.exe is executed every time the computer is started.

Upon successful install, wnad.exe initiates a connection to www.twistedhumor1.com that appears to be a sort of "registration" for the program via SSL: https://www.twistedhumor1.com/addorder.asp?a=0.02&c=1033145308-548335&b=confirm It creates and transmits a GUID. The wnad.exe software then performs a key exchange with the server and transmits encrypted (SSLv3) information. We are presently unable to decrypt this transmission.

As directed by its controlling servers, the software may enter a 'sleep mode' for at least ten days after its initial installation. During this sleep mode, it will 'lay low' by not displaying ads. During normal operation, the program will contact Web sites including, but not limited to, the following for the purpose of downloading advertising for display, and for obtaining configuration/display instructions: www.rankyou.com, www.twistedhumor.com and www.srv2cpt.com.

The wnad.exe program is coded to detect Web browsers installed on your system, most likely to coordinate the opening of new popups with Web browser activity. The version we examined looks for iexplore.exe (Internet Explorer), netscape.exe (Netscape Navigator), and AOL.exe (AOL browser/software). The path to each program is taken from the Registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ The program may also attempt to alter the "Open" command for the browser so that it loads a page of advertising when opened.


Wollf

Also known as: Wollf.130

This is a trojan that drops its adware payload onto the infected PC through port 7614.


Wonderland

Also known as: Wonderland Dialer

Wonderland is a simple ActiveX-controlled dialler originating in Italy. When activated by any web site, it immediately disconnects the current internet connection and dials a premium-rate number without prompting. On some DSL setups, if no additional modem/ISDN connection is available, Wonderland will be unable to dial up and will cause Internet Explorer to hang indefinitely.

http://www.porno-vision.net


Word.Trojan.Format

Also known as: WM/Formats WM.FormatS.A WM.Trojan WM/FormatS WM/FormatS.A WM_FORMATS.A WM/_FormatC.B:Troj WM/FormatS.A MW:FormatS-A WM/FormatS.A WM.FormatS.A Macro.Word.Trojan.Format

This is a Word macro-Trojan. It contains one macro: AutoOpen. This Trojan inserts into the file AUTOEXEC.BAT commands that delete files and format the hard drive.


Word.Trojan.Nikita

Also known as: Macro.Word.Trojan.Nikita W97M/Generic WM.Nikita MACRO.Virus W97M/Trojan.Nikita.A1 W97M/Nikita.B

This is a Word macro trojan. It contains two macros: AutoOpen and Fun.


Word97.Trojan.Thief

Also known as: W97M/Thief Trojan.W97M.Thief.A Trojan.Thief WM97/Thief-A W97M/Thief.A W97M_THIEF.A W97M/Thief.A W97M/Thief.A MW97:Thief W97M.Thief.A Macro.Word97.Trojan.Thief

This Trojan macro steals information from the system registry. It extracts the registered name and company of a Windows user, information about AOL users registered on this computer, and also account information of the Internet Account Manager. The Trojan sends the collected information to a site on the Internet.


Word97.Trojan.Tvangeste

Also known as: W97M/Tvang.a W97M.Tvang.A.trojan W97M.Tvang WM97/Tvang-A W97M/Tvang.A W97M_TVANGESTE.A W97M/Tvang.A W97M/Tvang.A MW97:Tvang W97M/Tvang W97M.Tvang.A Macro.Word97.Trojan.Tvangeste

This is a Trojan horse written as an MS Word97 macro program. When it is activated, it appends to the end of the AUTOEXEC.BAT file a set of commands that delete all data on the C:, D: and E: drives.


World Anti-Spy

Also known as: WorldAntiSpy World Anti Spy

This is a miscellaneous security app that is most commonly found in trojan installations. Once the trojan is installed on your machine, this security software will be promoted to you as a way to remove the infection.

http://www.WorldAntiSpy.com


Worm.CodeRed.a

Also known as: IIS-Worm.CodeRed.a Code Red Bady

CodeRed is an Internet worm that replicates between Windows 2000 servers running Microsoft's IIS (Internet Information Services) and the Microsoft Index Server 2.0 or the Windows 2000 Indexing Service. It does this by exploiting a bug known as "Unchecked Buffer in the Index Server ISAPI Extension," described by Microsoft in the Microsoft Security Bulletin MS01-033, released on June 18th, 2001.


Worm.RBot.af

Worm.RBot.AF is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.


Wotch

Collects information that may be used for targeted advertising and for tracking users' surfing habits. Their site has been listed as inactive. It is unknown if legacy versions still exist.

http://www.wotch.com


WUDisable

Also known as: Trojan.WUDisable (SunBelt)

This is a Chinese-based trojan that installs other trojan bundles.


WurldMedia

Also known as: Morpheus Shopping Club WURLD Shopping Community BuyersPort WurldMedia-mbho

An IE browser helper object that detects visits to known sites and redirects them through a third-party server in order to generate affiliate fees.

http://www.wurldmedia.com/


X Password Manager 3.0

Also known as: X-Password Manager

From the EULA: Licensor may change homepage on user's computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager.


X-Con Spyware Destroyer 3.1.2

Also known as: x con

X-Con Spyware Destroyer is a rogue antispyware application which displays false spyware information. In our sterile test environment we have seen several legitimate applications being detected as malicious software.

http://x-con.freedomofidiom.ca/


X-Diver

Also known as: Xdiver X Diver

Shows a "Microsoft" clone screen claiming to be an "update of your dialup software". Object is called internally "XDIVER.XDIVER.201" and seems to be related to a plugin called "npxd32.dll"


X-Driver

A Dialer is an application that can make toll calls that show up on your phone bills. Most of the time the end user is unaware. You can even have items charged to your phone bill.

http://www.eops.de/


Xagon - Atomic Mp3 Finder

This is an MP3 finder tool that connects to jugalug.com to search for MP3 files. This SOFTWARE PRODUCT is "advertiser supported software".


Xbarre

Browser plugin which provides links to porn sites. Redirects the default 404 error (Page cannot be displayed) to www.xbarre.com/barre/dns_error.cgi?, which is in turn redirected to http://fr.ca.search.msn.com/dnserror.aspx?FORM=DNSAS&q=

http://www.xbarre.com


XDialer

Also known as: DialX

A Japanese ActiveX-based premium rate dialler. Installed by ActiveX drive-by-download on porn site pop-up ads from pctlca.com. This program is for Mac OS 8.5 or higher.


XEng004

Also known as: bangkokshuho.com Dialer, BANGKOK SHUHO

Japanese porn dialer.


Xgen-A

Also known as: Dial/Xgen-A (SOPHOS) Dialer.Erostars (Symantec) Erostars

Xgen-A is a dialer application used to access adult content materials on the internet. This dialer program shows 'BY USING THIS SERVICE YOUR COMPUTER WILL CALL A PREMIUM RATE OR INTERNATIONAL RATE TELEPHONE NUMBER'.


Xgratos

Xgratos is used to access pornographic websites by dialing a high-cost phone number using a modem.


Xhrmy


XLoader

Also known as: xgenius

A German ActiveX installer control for premium-rate diallers. With XLoader installed, any site can direct it to download and execute code from its controlling servers.

http://www.anygate.de/dialer/


Xlocator/Winlocator

Also known as: Xlocator Winlocator

This program installs as a toolbar, provides links to many adult sites and adds a link to the favorites folder for easy access to adult material. Provides access to adult chats and the search box is used to search for adult material. From the author's description: IWI (International Web Innovations, Inc.) OFFERS USERS THE OPPORTUNITY TO DOWNLOAD THESE MATERIALS FOR FREE IN EXCHANGE FOR THE USER'S AGREEMENT TO ACCEPT ADVERTISING AND OTHER PROMOTIONAL MESSAGES DELIVERED TO HIS OR HER COMPUTER BY IWI OR OTHERS. Acceptance of these Terms and Conditions authorizes IWI to download and install the 'XLOCATOR AdServer' software, which delivers 'XLOCATOR' branded advertising, software, and various informational or promotional messages to computer screens while users view Internet Web pages ('XLOCATOR Ads'), and is a prerequisite to downloading or installing these ad-supported software applications.

http://www.xlocator.com/


XLog

XLog is a remote spying tool to monitor access of an off-site computer via keyboard logging. Keyboard logging means that when the "Start keylog" button is pressed, a log file is created, and every key pressed by the user is logged. It can be ended or even uninstalled remotely as well. Other features such as retrieval of the log file at any time, fetching of host information, and deletion of the log file are available. The new persistent keylogging feature means that keylogging begins as soon as the program starts (by default)! Freeware program. Claims to be for monitoring only your own machines, but features various tips for "improving stealth".


XML Core Services Exploit

"A vulnerability exists in the XMLHTTP ActiveX control within Microsoft XML Core Services that could allow for remote code execution. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited that page or clicked a link in an e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability." Microsoft Product Security Original Article can be found at: http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx


XP Police 2009

This is a rogue anti-spyware. This should be removed from your computer if found.


XPAntivirus

Also known as: AntiVirus2008 AntiVirus 2008 Antivirus 2008 XP

http://www.xpantivirus.com/


xpdrv32

Also known as: BHO.NameShifter.IH (Sunbelt) Camplugin

An adware component that installs as a browser helper object. Downloads configuration information from its server every time it starts. Posts back the search keywords entered to its server. Displays pop-up advertisements.


Xpehbam Dialer

A dialer that loads pornographic material. The URL information shows hardcore pornographic pages.

Registrant Name: Vasiliy Pupklindtovich
Registrant Organization: Pizdataya Compania Inc.
Registrant Address1: Grlrznih Drovosekov 15
Registrant City: Urupinsk
Registrant Postal Code: 195156
Registrant Country: Cocos (Keeling) Isl.
Registrant Country Code: CC
Registrant Phone Number: +91.4896785423
Registrant Email: justgoldfinger@yahoo.co.uk
Administrative Contact ID: DI_362203
Administrative Contact Name: Vasiliy Pupklindtovich
Administrative Contact Organization: Pizdataya Compania Inc.
Administrative Contact Address1: Grlrznih Drovosekov 15
Administrative Contact City: Urupinsk
Administrative Contact Postal Code: 195156
Administrative Contact Country: Cocos (Keeling) Isl.
Administrative Contact Country Code: CC
Administrative Contact Phone Number: +91.4896785423
Administrative Contact Email: justgoldfinger@yahoo.co.uk

Also loads MHTMLRedir.Exploit/Trojan.ByteVerify (they call it BlackBox Applet). Their site is no longer active.


XPL

WMF infection that downloads adware and trojans and slows down the system.


Xrenoder

http://www.Xrenoder.com


XTCP

Also known as: XTCP.200 XTCP.201


Xtractor Plus 3.6

The program is bundled with another application called SaveNow which installs alongside the product.

http://www.harmonyhollow.net/


Xupiter

Also known as: XupiterToolbar sqwire OrbitExplorer

Apart from the hijacking and added links, the software will show pop-under advertisements when its controlling servers direct it to. Xupiter consists of an Internet Explorer toolbar containing link buttons to the search engine at xupiter.com and a task run at Windows startup which downloads updates to the software and may launch pop-ups. It also contains functionality to periodically hijack your home page and search settings to point to xupiter.com, and add links pointing to xupiter.com to your bookmarks.

http://www.Xupiter.com


Xware

Also known as: Troj/Dloader-QG(SOPHOS), Xload, CSKWare

Xware changes browser settings and is also capable of showing porn advertisements.


XXXDial

A dialer is an application usually dedicated to adult material. Some types of dialers will incur long-distance charges.


xxxtoolbar

Also known as: xxx toolbar

This is a Browser Helper Object that distributes adult material.

http://www.xxxtoolbar.com


Y3KRAT 1.6

Also known as: Backdoor.Y3KRAT.16 Y3KRat.160 Y3KRat.170 Y3KRat.110 Y3KRat.120 Y3KRat.140 Y3KRat.100 Y3KRat.150


Yahoo Trojan

From Darkside Industries: "Designed to be used with a trojan. Upload it and then run it and it'll ask for userID and password, storing them in winsys.dll in the C:\Windows directory as plain text. Download that file and open in Notepad and voila you have the password."


Yapbrowser

Also known as: yapsearch yapcash

Numerous sources have documented that, once installed, it redirects misspelled domains to other allegedly UA pornographic sites.


Yazzle Cowabanga

From the Yazzle website: "Play Cowabanga, the crazy heifer-whackin' game, anytime with our free download!" Adware-supported desktop game. Usually installed through a security exploit or from a malware bundle. When installed this way the EULA is not displayed.

http://yazzle.net/


Yazzle Snow Ball War

Also known as: Yazzle.SnowBallWar Snow Ball War Yazzle SnowBallWar

Yazzle SnowBallWar is another ad-supported product from ClickSpring LLC. It delivers advertisements to the user's machine. From the End User License Agreement: As a result of installing the Company's Software, user will see occasional banner ads, pop-up or pop-under ads, or other types of ads selected based on your online activities. It tracks the user's browsing activity to deliver advertisements.


Yazzle Sudoku

Also known as: Adw.Yazzle.Sudoku (Sunbelt)

This is a 'free' game. This game is ad supported. You must install extra components, such as Surfsidekick, to use this software.

http://www.yazzle.net/


YeakNet

Also known as: Trojan.Win32.Dialer.hc (eTrust) dialer.yeaknet (Symantec) Dialer.Sgrunt Sgrunt Yeak Net

From the EULA, "The FREE PLUGIN software provide You the opportunity to download a software product that periodically deliver advertisements and promotional messages to Your computer based. The frequency and the functioning of these messages are described thereinafter." Once this dialer is installed onto the PC, it adds several pornography related sites to the IE trusted zone.


YellowPages

Also known as: Yellow Pages AutoSearch


YHGames

Once this trojan is installed on the infected PC, it redirects IE to an infected file called iexplroer.exe in order to monitor which sites are being visited. It also disables several security components in order to prevent its removal.


Yigather

Also known as: Trojan.Yigather (Symantec)

Yigather connects to a remote computer to retrieve configuration details and displays advertisements while the user browses the internet.


YIM-Flood

Also known as: Generic.LNF (GRISoft), Trojan.Win32.Aditer.a (Kaspersky)

YIM-Flooder is a flooder trojan designed to send spam messages to Yahoo chat clients in an effort to induce them into visiting porn websites. Another threat may drop this trojan.


Yipid


YMWorm

This is a worm that is spread through Yahoo Messenger. The most common message seen distributing this worm is: "never click into the links like something in this image http://quicknews.info/dontclick.jpg !!!" Once the worm is on the infected PC it has the ability to:

Disable the Task Manager
Disable the Registry Editor
Disable System Restore
Hide the 'Run' option from the Start Menu

It will also remove all bookmarks from Firefox, manipulate Lsass.exe, hijack Internet Explorer and drop a rootkit.


Youcouldwinthis

Also known as: You Could Win This

Displays advertisements and adds http://awbeta.net-nucleus.com to Internet Explorer's Trusted Zone. Downloads and installs other malware without the user's knowledge.


Your Screen

Also known as: YourScreen freeze.com

This is an application provided by Freeze.com, LLC that gives the user the ability to alter their desktop at the price of installing adware applications. Freeze.com, LLC's Privacy Policy (last updated on Feb. 2 2006) states that in order to make their services free, it will be bundled with third party advertisers. It specifically states:

"* Relevant Knowledge, an Internet customer of Knowledge Company and a service of Comscore Networks, Inc. For more information regarding Relevant Knowledge, please visit its web site at http://www.relevantknowledge.com. The Relevant Knowledge Privacy Policy and User License Agreement is available at http://www.relevantknowledge.com/RKPrivacy.aspx.
* Your personal information will be shared with subsidiaries of Freeze, including without limitation, Freeze Media, LLC and Gamepoint, Inc. for purposes of sending you the Email Offers."

The latest bundles of Your Screen do not install Marketscore or any RelevantKnowledge products. Instead it installs New.net, WebHancer, and WhenU SaveNow.

http://www.freeze.com


YourSiteBar

From the Website: YourSiteBar is an affiliate program that lets you build and customize your own toolbar using our web interface. Not only does that let you promote your own toolbar with your links and logos, but you also get paid each time a surfer installs it! This program is perfect to increase traffic to your site, build user loyalty and make money all at the same time. YourSiteBar is sure to make you rich! Great promotional materials such as banners and full page ads for all niches

http://www.yoursitebar.com


Zaffi

This trojan will allow the attacker to gain remote access to your PC.


Zagaban

Also known as: Backdoor.Zagaban (Symantec), AVG.PSW.Generic.DLE

Zagaban is a backdoor trojan that runs a covert proxy on the compromised computer system. It also changes the hosts file.


Zamingo

Also known as: IEEnhancer 680180.net

Zamingo, also known as 680180.net, is adware that displays popup ads every now and then when you are using Internet Explorer. The adware records URLs visited and keywords typed and contacts its controlling server (Zamingo.com or 680180.net) to retrieve related advertisements and display them as very annoying popup ads.


Zango

Zango is an adware application that is installed from 180 Solutions as a way of providing free games. Zango provides you with free online games at the cost of being completely supported by advertisements from their affiliates. Their program operates as a search assistant that runs on your IE browser. It also includes an agent that operates from the taskbar. Main distribution site for the Zango family of products which include games, YouSendIt, CD and DVD burning software. From their website: With Zango you get FREE online games and downloadable games: arcade, board & card, word puzzles, mahjong and adventure games. Plus, Zango connects you to free music, videos, media sites, desktop applications and much more.

http://www.zango.com


Zango Grab&Burn

From their website: Expert or novice, be the master of mastering, burning and grabbing CDs and DVDs. Create your own music or video compilations in just a few clicks! CD burning program that bundles adware called 180Solutions.SearchAssistant.

http://www.zango.com/downloads/zangograbandburn.aspx


Zango Times

Also known as: 180Solutions.Zango.Tvtimes (Sunbelt) Zango Times

Zango-TVTimes installs along with Zango SearchAssistant and displays popup advertisements based on browsing habits. From the EULA: While the Licensed Software is installed on your computer, Zango may collect information about you and the websites you visit. The frequency of these advertisements will vary depending on your use of the Internet. You acknowledge that the Licensed Software includes an anonymous user ID and an electronic cookie that enables Zango to display this targeted advertising to you.


Zango Toolbar

From their Website: Zango is a new way to access free programs and tools to make life a little easier and lots more fun. With Zango, you get to play free games, download valuable programs and enjoy some of the most interesting sites on the web.


Zango TV

Also known as: ZangoTV 180Solutions.ZangoTv

ZangoTV installs other adware products: Zango search assistant, toolbar and 180 solutions. From the EULA: While the Licensed Software is installed on your computer, Zango may collect information about you and the websites you visit. The frequency of these advertisements will vary depending on your use of the Internet. You acknowledge that the Licensed Software includes an anonymous user ID and an electronic cookie that enables Zango to display this targeted advertising to you.

http://zango.com/destination/catalog/listing.aspx?tag=downloads


Zango-AirHockey

Also known as: Adw.Zango.AirHockey (Sunbelt) Zango Air Hockey

Zango Games that also add other Zango Products. From the EULA: The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zango-Astrology

Also known as: 180Solutions.Zango.Astrology (Sunbelt) Zango Astrology

Zango-Astrology is installed along with Zango SearchAssistant and displays popup advertisements based on the browsing habits of the user. From the EULA: The Licensed Software may collect, and transmit to Zango (referred to in the EULA as "we" or "Zango"), information about the websites you visit ("Usage Data"). By installing and/or using the Licensed Software you grant permission for Zango to periodically display sponsors' websites to you. You acknowledge that the Licensed Software includes an anonymous user ID and an electronic cookie that enables Zango to display this targeted advertising to you.


Zango-Checkers

Also known as: Adw.Zango.Checkers (Sunbelt) Zango Checkers

Zango Games that also add other Zango Products. The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zango-Chess

Also known as: Adw.Zango.Chess (Sunbelt) Zango Chess

Zango Games that also add other Zango Products. The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zango-DavidvsGoliath

Also known as: David vs Goliath

It is a game from zango.com which bundles 180solutions.

http://www.zango.com


Zango-Foosball

Also known as: Adw.Zango.Foosball (Sunbelt) Foosball

Zango Games that also add other Zango Products. From the EULA: The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zango-JadeShadow

This is a game distributed by Zango games and contains 180 search assistant bundled with it.

http://games.zango.com/downloads/games/jadeshadow.aspx


Zango-Libraryoftheages

Also known as: Adw.Zango.Libraryoftheages (Sunbelt) Library of the ages

Zango Games that also add other Zango Products. The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zango-MovieTimes

Also known as: 180Solutions.Zango.Movietimes (Sunbelt) Zango Movie Times

Zango Movie Times is no longer available on the Zango website. From the EULA: While the Licensed Software is installed on your computer, Zango may collect information about you and the websites you visit. The frequency of these advertisements will vary depending on your use of the Internet. You acknowledge that the Licensed Software includes an anonymous user ID and an electronic cookie that enables Zango to display this targeted advertising to you.


Zango-Muncher

Also known as: Adw.Zango.Muncher (Sunbelt) Zango Muncher

Zango-Muncher installs along with Zango Search Assistant and displays popup advertisements based on the user's browsing habits.


Zango-SecretChamber

Also known as: Adw.Zango.SecretChamber (Sunbelt) Secret Chamber

Zango Games that also add other Zango Products. The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zango-Shuffleboard

Also known as: Adw.Zango.Shuffleboard (Sunbelt) Zango Shuffleboard

Zango Games that also add other Zango Products. The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zango-Solitaire

Also known as: Adw.Zango.Solitaire (Sunbelt) Zango Solitaire

Zango Games that also add other Zango Products. The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zango-WallsofJericho

Also known as: Adw.Zango.WallsofJericho (Sunbelt) Zango Walls Of Jericho

Zango-WallsofJericho is a vector for Zango's Search Assistant and displays popup advertisements based on websites visited. From the EULA: The Licensed Software may collect, and transmit to Zango (referred to in the EULA as "we" or "Zango"), information about the websites you visit ("Usage Data"), as described in more detail below. While the Licensed Software is installed on your computer, Zango may collect information about you and the websites you visit. The frequency of these advertisements will vary depending on your use of the Internet. The advertisements that the Licensed Software presents are provided in a separate browser window and are not endorsed by or affiliated with the websites that trigger their appearance.


Zango-Windwords

Also known as: Adw.Zango.WindWords (Sunbelt) Zango Windwords Zango Wind Words

Zango Games that also add other Zango Products. The Licensed Software may collect, and transmit to Zango, information about the websites you visit. By installing the Licensed Software, you grant permission for Zango to collect this information, including the websites you visit while connected to the Internet.

http://www.zango.com


Zapchast

This Trojan allows an intruder to gain access to the system through mIRC channels. When installed, it drops the following files:

Users.ini
control.ini
mirc.ico
mirc.ini
nicks.txt
remote.ini
nicks.txt
ident.txt
fullname.txt
script.ini
servers.ini
sup.bat
svchost.exe (a legitimate copy of the mIRC installer)

When the malware is installed, the mIRC installer follows the instructions in the ".ini" and ".txt" files and connects to the IRC servers.


ZapSpot

http://www.zapspot.com


Zaratustra

This is a RAT trojan that can gain access to your computer through port 660.


Zeno Search Assistant

Also known as: Adw.Zenotecnico(SunBelt) Adware.ZenoSearch(Symantec) Adware-Zeno(McAfee)

Displays advertisements based on keywords used in search engines.


ZeroPopUp Toolbar

Also known as: ZeroPopUpBar ZeroPopUp Companion ToolBar

From their website: "It will stop all annoying Popup windows from popping in your face - NO EXCEPTIONS ! It's a small, FREE and very effective popup killer software, it stops 100% annoying popup ADS without human intervention. Improved smart blocking Technology lets you open those windows that you really want to see and block the automated ones." From their EULA: "Each time you run the SOFTWARE PRODUCT you agree to have your IE search page and/or HomePage set to our search engine, for the purpose of performing a web search." Changes Internet Explorer's homepage and search pages. There is no connection to the ZeroPopup made by Tooto Technologies.

http://zeropopup.com/


ZestyFind

Also known as: Look2me.com

Adware that monitors visited websites and attempts to deliver ads based off what the user is searching for.

http://www.zestyfind.com


Zeta


Zhong

This will display Chinese advertisements.

http://www.zinanjing.com


Zinx-A

This Trojan will give the attacker control of the victim's PC. The trojan's user can steal private information.


ZipClix

A typical search bar bundled with System Soap and also InternetWasher Pro.

http://www.zipclix.com


Zippylookup 1.0

http://www.zippylookup.com/faq.php


Zomby

Also known as: Backdoor.Win32.Zomby.b (Kaspersky Lab) W32/Kernl (McAfee) W32.Ernl (Symantec) Troj/Kernl (Sophos)

This Trojan attempts to steal information from the victim PC. It attempts to steal the following information:

Hard drive space
Passwords
Active connections

It also has the ability to download and delete files, launch programs, and manipulate directories.


Zone-DL.Plugin

Also known as: Troj/Swizzor-AW (Sophos) Swizzor.gen (McAfee) Download Plugin

Snippets from the license agreement: Plugin is an Ad-Ware software which enables the broadcasting of advertisements, and execution of e-commerce and other internet related services on the user-interface of the software. You agree to receive, from time to time, advertisements and other contents through the Download Plugin. By accepting this agreement you acknowledge that in order for this software to function properly it must communicate with its host network via the Internet from your computer. Zone-Plugin software is advertising supported and provides additional content based on keywords in the websites you visit. Communicates with host. Can download additional software.

http://www.zone-media.com/


ZoneKiller

Also known as: Trojan.Win32.ZoneKiller.a

This Trojan will disable Zone Alarm Firewall.

http://www.geocities.com/somefiles12345/killers.html


ZoneProtect

This application is installed after AdBlaster is installed. It fails to offer users a privacy policy and has little information on the company providing the service.


Zoombar

This is a toolbar that can monitor the user's search habits. This allows them to deliver relevant pop-up advertising. The toolbar can be turned off by right-clicking in the toolbar section of the browser. The name will be blank. Uncheck the value that is empty to turn off the toolbar. You must download their uninstaller to remove this toolbar.

http://www.zoombar.net/


Zotob

Also known as: W32/Zotob.worm.b (McAfee) W32.Zotob.B (Symantec)

This is a trojan that drops a .dat file onto the infected PC. After this is installed, it drops infected system files into the system32 directory.


Zserv

http://zserv.biz/


ZToolbar

Also known as: Adware.Ztoolbar(Symantec) ADW_SEARCHBAR.D(Trendmicro) ZToolbar(ca) Trojan.Magise(Symantec) TROJ_MAGISE.A(Trendmicro)

ZToolbar adds a search toolbar, changes Internet Explorer's start page and adds many links to the favorites directory.


Zuvio

Also known as: Adware.OpenSite Armbender, TrojanClicker.Win32.VB.br UCSearch W32.Adclicker.F.Trojan

Adware.OpenSite is an adware program that displays advertisements based on keywords in the address bar. It may also change the default home page in Internet Explorer.

http://www.zuvio.com


ZyncosSpace

Also known as: ZyncosMark (Paretologic)

It gets installed as a BHO. Slows down the browser and uses a lot of the system's resources (both CPU and RAM).


zzToolbar

zzToolbar is a Chinese toolbar application that has been known to be installed through an FTP connection.