Text 1, 964 rader
Skriven 2004-09-13 23:04:00 av KURT WISMER (1:123/140)
Ärende: News, Sept. 13 2004
===========================
[cut-n-paste from sophos.com]

Name   Troj/Psyme-AS

Type  
    * Trojan

How it spreads  
    * Web browsing

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * TrojanDownloader.VBS.Psyme-based

Prevalence (1-5) 2

Description
Troj/Psyme-AS is a JavaScript downloader Trojan which exploits the ADODB 
stream vulnerability associated with Microsoft Internet Explorer to 
silently download a file from a remote server to:

%Program Files%\Windows Media Player\wmplayer.exe,

replacing any existing file.

Advanced
Troj/Psyme-AS is a JavaScript downloader Trojan which exploits the ADODB 
stream vulnerability associated with Microsoft Internet Explorer to 
silently download a file from a remote server to:

%Program Files%\Windows Media Player\wmplayer.exe,

replacing any existing file.

Troj/Psyme-AS can arrive on the computer by browsing websites whose HTML 
pages contain the script or by visiting a HTML page that contains a SRC= 
link to an infected page. For example an HTML page may contain:

SRC='http:/psyme.com/exploit.chm::/exploit.htm

where exploit.chm is a compiled HTML help file containing Index.html and 
exploit.htm is a HTML file containing the Troj/Psyme-AS script.





Name   W32/Nyxem-C

Type  
    * Worm

How it spreads  
    * Email messages
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Deletes files off the computer
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * W32/MyWife.c@MM
    * I-Worm.Nyxem.d

Prevalence (1-5) 2

Description
W32/Nyxem-C is an internet worm which spreads via network shares and by 
sending itself to contacts in the Outlook address book, to Yahoo 
Messenger and Yahoo Pager contacts and to email addresses found within 
files that have an extension of HTM or DBX.

Advanced
W32/Nyxem-C is an internet worm which spreads via network shares and by 
sending itself to contacts in the Outlook address book, to Yahoo 
Messenger and Yahoo Pager contacts and to email addresses found within 
files that have an extension of HTM or DBX.

Message subject lines include:

"Beethoven's Symphony No", "New_Stories HighwayBlues", "Ohhh", "hi", 
"For You", "Free Pic's Video", "none", "[none]", "help me", "you", 
"Please Read", "Important" and "reactive now".

W32/Nyxem-C is attached to messages as moderater.baT, The_Members.BaT or 
as part of a ZIP archive whose filename contains one of the following 
strings:

"Download.3gpzip.z", "The_movie_3zip.z", "Nokia_6600zip.z", "part_4Zip",
"Video_Live.zip", "Beethoven's Symphony No", "New_Stories HighwayBlues",
"_DVD_Viedo.Zip.z", "_Audio_XP.GZ", "_Zipped_File.Z", ".XP2002.Zip.scr" 
or ".DvD_Xp.scr".

Harmless files may be included in the zip attachment with filenames such 
as Vide01.jpg.

The following spoof addresses may be used in the message:

Thomas, <thomas_gay6@iopus.com>
vip, <sandra@oxygen.com>
Lola Ashton, <linda200@gmail.com>
Bad Love, <user377@worldsex.com>
Ralph, <fack_back06@mail.com>
Genius, <gustes@msn.com>
Sweet Women, <admin@newmovies.com>
Sara GL, <hot_woman2362@freevideos.net>
The Moon, <lost_love705@yahoo.com>
Binnn MT, <King_sexy@hotmal.com>

W32/Nyxem-C copies itself to network shares as "Good music.scr" or with
filenames beginning "Beethoven's Symphony No" or 'New_Stories 
HighwayBlues'.

When run W32/Nyxem-C tries to mask its true purpose by launching the 
Microsoft Media Player executable.

W32/Nyxem-C copies itself to the following locations:

%Program Files%\Internet Explorer\Media Player.exe
%WINDOWS%\Task.exe
%SYSTEM%\Connection.exe
%SYSTEM%\Downloading.DVD_____________________________________.exe
%SYSTEM%\File-04-Music.DVD_____________________________________.scr
%SYSTEM%\SoundTrack01.CD_____________________________________.exe
%SYSTEM%\The_Members.BaT
%SYSTEM%\moderater.baT
%SYSTEM%\movie009.pif
%SYSTEM%\new-video977.DVD____________________________________.scr
%SYSTEM%\reactive_group.bAt

W32/Nyxem-C also copies itself to the system folder using the name of an 
existing executable file, but with an ending of 'm.exe' replacing the 
original extension, for example W32/Nyxem-C may copy itself to the 
system folder as NOTEPADm.exe, twunk_16m.exe or winhlp32m.exe.

W32/Nyxem-C also creates a new sub-folder of the Windows folder named 
VOLUME\ with the hidden attributes set and copies itself to this folder 
using the name of an existing file. The pathname of this copy is added 
to new sub-keys of the following registry entries so that it is run on 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

The following harmless files are created:

%SYSTEM%\About_BlackWorm.C.txt
%SYSTEM%\Beethoven's_Symphony_No.rm
%SYSTEM%\New_Stories__Highway_Blues.rm
%SYSTEM%\Vide01.jpg
%SYSTEM%\about.txt

The library DLL OSSMTP.DLL is dropped to the system folder and 
registered as a COM object creating registry entries under:

HKCR\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}
HKCR\Interface\{3EC61E06-D128-41E3-8BBD-D8048BF6F2EC}
HKCR\Interface\{4F0A64F5-9E1E-42DB-9A58-34AEC4AA15DC}
HKCR\Interface\{7735921B-5977-4FE9-B28E-4DBE5E98C6A3}
HKCR\Interface\{98416333-DC4C-4F02-9A5B-F33C7580380E}
HKCR\Interface\{9ABAF239-5028-47C1-8B05-D9C50EE0CAC1}
HKCR\Interface\{CCD12224-C0E1-407C-A023-5FBB7DBA32BC}
HKCR\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}
HKCR\OSSMTP.SMTPSession

OSSMTP.DLL is a legitimate COM library for Microsoft Visual Basic, 
providing functionality to send emails. To de-register OSSMTP.DLL run:

regsvr32 /U OSSMTP.DLL

W32/Nyxem-C also sets the following registry entries:

HKCU\Identities\Email
HKCU\Identities\Outlook Express
HKCU\Software\Nico Mak Computing\WinZip\
WinIni\Name = "BlackWorm"
HKCU\Software\Nico Mak Computing\WinZip\
WinIni\SN = "2AD00ED6"
HKCU\Software\Nico Mak Computing\WinZip\
caution\NoBetaMessage = "1"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu1 = "C:\WINDOWS\system32\2.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu2 = "C:\WINDOWS\system32\3.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu3 = "C:\WINDOWS\system32\1.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu4 = "C:\WINDOWS\system32\4.zip"
HKCR\.chm\Num = 2
HKCR\.chm\1 = "Beethoven's Symphony No"
HKCR\.chm\2 = "New Stories Highway Blues "
HKLM\SYSTEM\ControlSet001\Services\TlntSvr\Start = 2
HKLM\SOFTWARE\Microsoft\Active Setup\
Security = <pathname of W32/Nyxem-C executable>

W32/Nyxem-C tries to terminate and remove selected anti-virus and 
security related applications and deletes selected sub-keys of the 
following registry entries to prevent applications from running on 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

Sub-keys include: NPROTECT, ccApp, ScriptBlocking, MCUpdateExe, 
VirusScan Online, MCAgentExe, VSOCheckTask, McRegWiz, McVsRte, 
PCClient.exe, PCCClient.exe, PCCIOMON.exe, pccguide.exe, PccPfw, 
tmproxy, McAfeeVirusScanService, NAV Agent, SSDPSRV, rtvscn95, defwatch, 
vptray, Taskmon, KasperskyAv, system., msgsrv32, Windows Services Host, 
Explorer, Sentry, ssate.exe, winupd.exe, au.exe, OLE, gigabit.exe, 
Norton Antivirus AV, reg_key, Windows Update, _Hazafibb, win_upd.exe, 
JavaVM, Services, winupdt, Traybar, key, erthgdr, wersds.exe and Task.





Name   W32/Forbot-Q

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Wootbot.gen
    * W32/Gaobot.worm.gen.g1

Prevalence (1-5) 2

Description
W32/Forbot-Q is a worm and backdoor for the Windows platform.

W32/Forbot-Q spreads to networks shares and by exploiting the LSASS 
(MS04-011) vulnerability and backdoors opened by other malware.

Advanced
W32/Forbot-Q is a worm and backdoor for the Windows platform.

W32/Forbot-Q spreads to networks shares and by exploiting the LSASS 
(MS04-011) vulnerability and backdoors opened by other malware.

When run W32/Forbot-Q copies itself to the Windows system folder as 
ssvchost.exe. The worm adds the following registry entries to ensure 
that the copy is run each time Windows is started.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
window2 = "ssvchost.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
window2 = "ssvchost.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
window2 = "ssvchost.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
window2 = "ssvchost.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
window2 = "ssvchost.exe"

The backdoor component of W32/Forbot-Q may be used to launch distributed 
denial of service attacks, run a Socks proxy server or obtain 
information about the infected computer.

W32/Forbot-Q attempts to disable other worms, such as members of the 
W32/Bagle family.





Name   W32/Rbot-IT

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Rbot.gen
    * W32/Sdbot.worm.gen.i

Prevalence (1-5) 2

Description
W32/Rbot-IT is a worm which attempts to spread to remote network shares 
and allows unauthorised remote access to the computer via IRC channels.

Advanced
W32/Rbot-IT is a worm which attempts to spread to remote network shares 
and allows unauthorised remote access to the computer via IRC channels.

W32/Rbot-IT spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-IT copies itself to the file mswinc.exe in the Windows system 
folder and creates entries at the following locations in the registry so 
that the worm is run when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote Procedure Calls = mswinc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Remote Procedure Calls = mswinc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Remote Procedure Calls = mswinc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Remote Procedure Calls = mswinc.exe





Name   W32/Sdbot-OY

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.SdBot.gen
    * W32/Sdbot.worm.gen.h1
    * WORM.SDBOT.QR

Prevalence (1-5) 2

Description
W32/Sdbot-OY is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

Advanced
W32/Sdbot-OY is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Sdbot-OY spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Sdbot-OY copies itself to the Windows system folder as sload32.exe 
and creates the following registry entries so that the worm is run when 
a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
sload = sload32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
sload = sload32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sload = sload32.exe





Name   W32/Rbot-IO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-IO is an IRC backdoor Trojan and network worm which can 
propagate by copying itself into the shared folders of network drives.

W32/Rbot-IO can also set registry entries to ensure that it is executed 
automatically upon restart.

Advanced
W32/Rbot-IO is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-IO spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-IO moves itself to the Windows system folder as WUAMGDR.EXE and 
creates registry entries at the following locations to run itself 
automatically on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine = wuamgdr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Machine = wuamgdr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine = wuamgdr.exe





Name   W32/Rbot-IL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * WORM_RBOT.OA

Prevalence (1-5) 2

Description
W32/Rbot-IL is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

Advanced
W32/Rbot-IL spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-IL copies itself to the Windows system folder as a random file 
name and creates the following registry entries so as to run itself on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft 
Update
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update

W32/Rbot-IL may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-IL may delete the C$, D$, E$, IPC$ and ADMIN$ network shares on 
the host computer.





Name   W32/Rbot-IK

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Downloads code from the internet

Aliases  
    * Backdoor.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-IK is a network worm with IRC backdoor functionality.

W32/Rbot-IK spreads to other machines affected by the Universal PNP 
(MS01-059), WebDav (MS03-007), RPC DCOM (MS03-026, MS04-012), LSASS 
(MS04-011) or DameWare (CAN-2003-1030) vulnerabilities, infected by one 
of several backdoors or running network services protected by weak 
passwords.

Advanced
W32/Rbot-IK is a network worm with backdoor functionality.

In order to run automatically when Windows starts up the worm copies 
itself to a file in the Windows system folder. The name of this file is 
either explore32 or a series of randomly chosen letters. The file 
extension is always EXE.

Once installed, W32/Rbot-IK connects to a preconfigured IRC server, 
joins a channel and awaits further instructions. These instructions can 
cause the bot to perform any of the following actions:

flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP server
start a command shell server
search for product keys
download and install an updated version of itself
show statistics about the infected system
kill antivirus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
close down vulnerable services in order to secure the machine
take screenshots
capture images from any detected webcam
show/flush the DNS cache
list/modify network shares/services
send emails

The worm spreads to machines affected by known vulnerabilities, running 
the network services protected by weak passwords or infected by common 
backdoor Trojans.

Vulnerabilities:

Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
DameWare (CAN-2003-1030)

Services:

NetBios
NTPass
MS SQL

Backdoors:

W32/Bagle
Troj/Kuang
W32/MyDoom
Troj/NetDevil
Troj/Optix
Troj/Sub7

W32/Rbot-IK creates or modifies the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update 32 = <filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update 32 = <filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update 32 = <filename>

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"

HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous = dword:00000001

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001

The worm terminates the following processes

regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exetaskmon.exe (sic)
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe

W32/Rbot-IK searches for product keys for the following software:

Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous 2
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)





Name   W32/Sdbot-OV

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.ry
    * W32/Sdbot.worm.gen.h
    * WORM_RANDEX.L

Prevalence (1-5) 2

Description
W32/Sdbot-OV is a worm for the Windows platform. The worm includes some 
backdoor functionality.

W32/Sdbot-OV spreads to shared folders on the local network.

Advanced
W32/Sdbot-OV is a worm for the Windows platform. The worm includes some 
backdoor functionality.

W32/Sdbot-OV spreads to shared folders on the local network.

When run the worm copies itself to usb32.exe in the Windows system 
folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Usb Driver = "usb32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Usb Driver = "usb32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32 Usb Driver = "usb32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Usb Driver = "usb32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Usb Driver = "usb32.exe"

W32/Sdbot-OV allows unauthorised access to the infected computer via IRC.

The backdoor function include distributed denial of service attacks, 
operating as a proxy server and stealing informatin relating to some 
popular games.





Name   W32/Sdbot-RY

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.ry
    * W32/Sdbot.worm.gen.h

Prevalence (1-5) 2

Description
W32/Sdbot-RY is a worm and backdoor for the Windows platform.

The worm component attempts to spread to remote network shares and the 
backdoor allows a malicious user remote access to an infected computer 
via IRC channels while running in the background as a service process.

Advanced
W32/Sdbot-RY is a worm and backdoor for the Windows platform.

The worm component attempts to spread to remote network shares and the 
backdoor allows a malicious user remote access to an infected computer 
via IRC channels while running in the background as a service process.

W32/Sdbot-RY copies itself to the Windows system folder with the 
filename spoolsvc.exe and in order to run automatically when Windows 
starts up creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 System Spool=spoolsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 System Spool=spoolsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 System Spool=spoolsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 System Spool=spoolsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 System Spool=spoolsvc.exe.

W32/Sdbot-RY attempts to spread to network machines using various 
exploits including the LSASS vulnerability (see MS04-011).

W32/Sdbot-RY may function as a proxy server, delete network shares and 
steal information related to popular games.





Name   Troj/Delf-DU

Type  
    * Trojan

Aliases  
    * New

Prevalence (1-5) 2

Description
Troj/Delf-DU is a backdoor Trojan.

In order to run automatically when Windows starts up the Trojan copies 
itself to the file services.exe in the Windows system folder and creates 
the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Services = C:\Windows\system32\services.exe

Once installed Troj/Delf-DU connects to an IRC server and joins a 
channel from which it can receive further instructions. These 
instructions can cause the Trojan to kill specific processes or download 
files from arbitrary URLs and execute them.

The Trojan automatically terminates any processes whose filenames 
contain one the following patterns:
winnt35.exe
w.exe
mb.exe
~.exe
1.exe
2.exe
scan.exe
svshost.exe





Name   W32/Neveg-C

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * W32/Neveg.c@MM

Prevalence (1-5) 2

Description
W32/Neveg-C is a mass-mailing worm.

Advanced
W32/Neveg-C is a mass-mailing worm. When started the worm copies itself 
to the Windows system folder as services.exe and creates the following 
registry entries in order to auto-start on user logon or computer 
reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ccApps = <%SYSTEM%>\services.exe

The worm may also use any of the following instead of ccApps:

.Prog
FriendlyTypeName
TEXTCONV
Microsoft Visual SourceSafe
RegDone
BuildLab





Name   W32/Rbot-IP

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Rbot-IP is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer

Advanced
W32/Rbot-IP is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running 
in the background as a service process.

W32/Rbot-IP spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-IP moves itself to the Windows system folder as DVLDR.EXE and 
creates entries in the registry at the following locations to run on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Automatic Updates = dvldr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Automatic Updates = dvldr.exe

HKCU\Software\Microsoft\OLE\
Windows Automatic Updates = dvldr.exe

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)