Your Blog Home For Computer News and Updates

Monday, December 25, 2006

Virus information

This is the latest virus information that I think you should know about. Please protect your PC or laptop by always downloading the latest antivirus definition files. It's a war out there, so you need to be updated at all times. Try to use an antivirus program that will update automatically for you. Sometimes the function is there, but you have to configure and activate it first.

Generic Downloader.aa

A recent variant of this threat was found in the wild in the form of an electronic Christmas greeting card, using a filename Christmas.exe. This variant may be downloading further malware from websites hosted on the waiguadown.{hidden}.net and user.free.{hidden}.net domains.
This is a generic detection for Downloader trojans.

W32/Stration.gen.dldr

Following BackDoor-CWA.dr and Generic Downloader.aa, Internet users should be cautious of the currently spammed W32/Stration@MM, discovered in the wild on Christmas day alongside the other holiday-themed malware.

Many of these downloaders install other malware, including viruses as well as other Trojans.
Additionally, many of them are used to remotely install adware packages onto the affected host machine for the purpose of gaining referral revenue from the adware vendor.

BackDoor-CWA.dr

A recent variant of BackDoor-CWA.dr was discovered in the wild with the filename Christmas+Blessing-4.ppt (1,085,440 bytes).


The dropper has been seen in several forms. One consists of a plain executable file. The other category includes PowerPoint (*.ppt) or Access database (*.mdb) files containing exploit and/or shell code to install BackDoor-CWA when opened.


The PowerPoint and Access documents encountered to date appear to pose as, or are derived from, presentations or database forms relating to the US Department of Defense (generally involving clerical or human resources issues). It is unclear whether this was intended as a targeted social engineering effort to achieve installations of BackDoor-CWA on computers within the US DoD, although that is a possibility.

Infection occurs when the user runs the executable or opens the Trojan document file containing BackDoor-CWA with the appropriate Office application. In the case of Office documents, an exploit (e.g. Exploit-PPT.d), possibly assisted by shell code, appears to be used to achieve infection of the host system.

W32/Sdbot.worm.gen.ai!

Sdbot worm filenames vary considerably, but regularly try to look similar to other legitimate Windows executable names, so that a user viewing the Task Manager might assume that the names listed are valid.


In this case, copies of the worm have been seen using names such as "crcss.exe" (a variation of the legitimate Windows process "csrss.exe"). It is usual for them to create a value in the registry to ensure the worm is launched at each system boot.

Sdbot worms often propagate via accessible or poorly-secured network shares, and some variants are intended to take advantage of high profile exploits.

Sdbot worms are known to probe MS SQL servers for weak administrator passwords and configurations. When successful, the worm can execute system commands remotely through the SQL server.
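Here is a small check I have added to this post (it is my own example, not something from the antivirus vendor's write-up) that flags process names which are near misses of legitimate Windows executables, the trick described above with "crcss.exe" imitating "csrss.exe". The allowlist of legitimate names and the sample Task Manager listing are constructed for the demo; the edit-distance threshold of 2 is an assumption you should tune for your own process lists.

```python
# Added example: flag Task Manager process names that closely resemble
# legitimate Windows executables (Sdbot-style lookalikes such as crcss.exe).
# LEGIT and SAMPLE are constructed sample data, not real system output.

# Constructed allowlist of common legitimate Windows process names (lowercase).
LEGIT = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
         "services.exe", "explorer.exe", "smss.exe", "spoolsv.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_dist: int = 2):
    """Return the legitimate name this process name imitates, or None.

    An exact match is not a lookalike; a non-matching name within
    max_dist edits of an allowlisted name is. max_dist=2 is an assumption
    chosen so that swapped letters ("crcss" for "csrss") are caught.
    """
    n = name.lower()
    if n in LEGIT:
        return None
    best = min(LEGIT, key=lambda legit: edit_distance(n, legit))
    return best if edit_distance(n, best) <= max_dist else None


def suspicious_processes(names):
    """Map each suspicious process name to the legitimate one it resembles."""
    hits = {}
    for name in names:
        target = lookalike_of(name)
        if target:
            hits[name] = target
    return hits


# Constructed sample Task Manager listing, including the "crcss.exe" case
# from the write-up and a letter-swap variant of svchost.exe.
SAMPLE = ["csrss.exe", "crcss.exe", "svchost.exe", "scvhost.exe",
          "notepad.exe", "lsass.exe"]

if __name__ == "__main__":
    for bad, legit in suspicious_processes(SAMPLE).items():
        print(f"{bad} resembles {legit}")
```

A match only says the name is worth a closer look; confirm it by checking the image path and the registry run keys the worm uses for persistence before acting on it.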
