Tillbaka till svenska Fidonet
English   Information   Debug  
COMICS   1/15
CONSPRCY   1/899
COOKING   32432
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   1/189
C_PLUSPLUS   1/31
DIRTY_DOZEN   0/201
DOORGAMES   1/2049
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   1/18295
EC_SUPPORT   1/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   1/11701
ENET.SYSOP   33886
ENET.TALKS   1/32
ENGLISH_TUTOR   0/2000
EVOLUTION   1/1335
FDECHO   1/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24037
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   1/180
FILEFIND   1/209
FILEGATE   1/212
FILM   1/18
FNEWS_PUBLISH   4379
FN_SYSOP   41673
FN_SYSOP_OLD1   71952
FTP_FIDO   1/2
FTSC_PUBLIC   0/13597
FUNNY   1/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   1/408
HAM   1/16068
HOLYSMOKE   1/6791
HOT_SITES   1/1
HTMLEDIT   1/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   1/29
IC   1/2851
INTERNET   1/424
INTERUSER   1/3
IP_CONNECT   719
JAMNNTPD   1/233
JAMTLAND   1/47
KATTY_KORNER   0/41
LAN   1/16
LINUX-USER   1/19
LINUXHELP   1/1155
LINUX   1/22085
LINUX_BBS   1/957
mail   18.68
mail_fore_ok   249
MENSA   1/341
MODERATOR   1/102
MONTE   1/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   1/783
MUSIC   1/321
N203_STAT   922
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   1/10
NORD.ADMIN   1/101
NORD.CHAT   1/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   1/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   1/453
OCCULT_CHAT   0/93
OS2BBS   1/787
OS2DOSBBS   1/580
OS2HW   1/42
OS2INET   1/37
OS2LAN   1/134
OS2PROG   1/36
OS2REXX   1/113
OS2USER-L   207
OS2   1/4786
OSDEBATE   1/18996
PASCAL   1/490
PERL   1/457
PHP   1/45
POINTS   1/405
POLITICS   1/29554
POL_INC   1/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   1/893
R20_DEPP   1/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   1/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   1/3
R20_INFO2   3191
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13244
R20_KORSET   1/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   1/340
R20_SF   1/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   1/9
RA_MULTI   106
RA_UTIL   1/162
REGCON.EUR   1/2056
REGCON   1/13
SCIENCE   1/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   1/14
SIMPSONS   1/169
STATS_OLD1   1/2539.065
STATS_OLD2   1/2530
STATS_OLD3   1/2395.095
STATS_OLD4   1/1692.25
SURVIVOR   1/495
SYSOPS_CORNER   0/3
SYSOP   1/84
TAGLINES   1/112
TEAMOS2   1/4530
TECH   1/2617
TEST.444   1/105
TRAPDOOR   1/19
TREK   1/755
TUB   1/290
UFO   1/40
UNIX   1/1316
USA_EURLINK   0/102
USR_MODEMS   1/1
VATICAN   1/2740
VIETNAM_VETS   0/14
VIRUS   1/378
VIRUS_INFO   1/201
VISUAL_BASIC   0/473
WHITEHOUSE   1/5187
WIN2000   1/101
WIN32   1/30
WIN95   1/4282
WIN95_OLD1   1/70272
WINDOWS   1/1517
WWB_SYSOP   1/419
WWB_TECH   1/810
ZCC-PUBLIC   1/1
ZEC   4

 
4DOS   1/134
ABORTION   1/7
ALASKA_CHAT   1/506
ALLFIX_FILE   1/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   1/152
AMATEUR_RADIO   0/1039
AMIGASALE   1/14
AMIGA   1/331
AMIGA_INT   1/1
AMIGA_PROG   1/20
AMIGA_SYSOP   1/26
ANIME   1/15
ARGUS   1/924
ASCII_ART   1/340
ASIAN_LINK   1/651
ASTRONOMY   1/417
AUDIO   1/92
AUTOMOBILE_RACING   0/105
BABYLON5   1/17862
BAG   135
BATPOWER   1/361
BBBS.ENGLISH   0/382
BBSLAW   1/109
BBS_ADS   1/5290
BBS_INTERNET   0/507
BIBLE   1/3563
BINKD   1/1119
BINKLEY   1/215
BLUEWAVE   1/2173
CABLE_MODEMS   0/25
CBM   1/46
CDRECORD   1/66
CDROM   1/20
CLASSIC_COMPUTER   0/378
Möte DIRTY_DOZEN, 201 texter
 lista första sista föregående nästa
Text 1, 964 rader
Skriven 2004-09-13 23:04:00 av KURT WISMER (1:123/140)
Ärende: News, Sept. 13 2004
===========================
AREA:DIRTY_DOZEN
<CTRL-A>TID: PX/Win v3.0pr5 PX96-0466M2
<CTRL-A>MSGID: 1:123/140 58911530
<CTRL-A>TZUTC: -0400
[cut-n-paste from sophos.com]

Name   Troj/Psyme-AS

Type  
    * Trojan

How it spreads  
    * Web browsing

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * TrojanDownloader.VBS.Psyme-based

Prevalence (1-5) 2

Description
Troj/Psyme-AS is a JavaScript downloader Trojan which exploits the ADODB 
stream vulnerability associated with Microsoft Internet Explorer to 
silently download a file from a remote server to:

%Program Files%\Windows Media Player\wmplayer.exe,

replacing any existing file.

Advanced
Troj/Psyme-AS is a JavaScript downloader Trojan which exploits the ADODB 
stream vulnerability associated with Microsoft Internet Explorer to 
silently download a file from a remote server to:

%Program Files%\Windows Media Player\wmplayer.exe,

replacing any existing file.

Troj/Psyme-AS can arrive on the computer by browsing websites whose HTML 
pages contain the script or by visiting a HTML page that contains a SRC= 
link to an infected page. For example an HTML page may contain:

SRC='http:/psyme.com/exploit.chm::/exploit.htm

where exploit.chm is a compiled HTML help file containing Index.html and 
exploit.htm is a HTML file containing the Troj/Psyme-AS script.





Name   W32/Nyxem-C

Type  
    * Worm

How it spreads  
    * Email messages
    * Email attachments
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Deletes files off the computer
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * W32/MyWife.c@MM
    * I-Worm.Nyxem.d

Prevalence (1-5) 2

Description
W32/Nyxem-C is an internet worm which spreads via network shares and by 
sending itself to contacts in the Outlook address book, to Yahoo 
Messenger and Yahoo Pager contacts and to email addresses found within 
files that have an extension of HTM or DBX.

Advanced
W32/Nyxem-C is an internet worm which spreads via network shares and by 
sending itself to contacts in the Outlook address book, to Yahoo 
Messenger and Yahoo Pager contacts and to email addresses found within 
files that have an extension of HTM or DBX.

Message subject lines include:

"Beethoven's Symphony No", "New_Stories HighwayBlues", "Ohhh", "hi", 
"For You", "Free Pic's Video", "none", "[none]", "help me", "you", 
"Please Read", "Important" and "reactive now".

W32/Nyxem-C is attached to messages as moderater.baT, The_Members.BaT or 
as part of a ZIP archive whose filename contains one of the following 
strings:

"Download.3gpzip.z", "The_movie_3zip.z", "Nokia_6600zip.z", "part_4Zip",
"Video_Live.zip", "Beethoven's Symphony No", "New_Stories HighwayBlues",
"_DVD_Viedo.Zip.z", "_Audio_XP.GZ", "_Zipped_File.Z", ".XP2002.Zip.scr" 
or ".DvD_Xp.scr".

Harmless files may be included in the zip attachment with filenames such 
as Vide01.jpg.

The following spoof addresses may be used in the message:

Thomas, <thomas_gay6@iopus.com>
vip, <sandra@oxygen.com>
Lola Ashton, <linda200@gmail.com>
Bad Love, <user377@worldsex.com>
Ralph, <fack_back06@mail.com>
Genius, <gustes@msn.com>
Sweet Women, <admin@newmovies.com>
Sara GL, <hot_woman2362@freevideos.net>
The Moon, <lost_love705@yahoo.com>
Binnn MT, <King_sexy@hotmal.com>

W32/Nyxem-C copies itself to network shares as "Good music.scr" or with
filenames beginning "Beethoven's Symphony No" or 'New_Stories 
HighwayBlues'.

When run W32/Nyxem-C tries to mask its true purpose by launching the 
Microsoft Media Player executable.

W32/Nyxem-C copies itself to the following locations:

%Program Files%\Internet Explorer\Media Player.exe
%WINDOWS%\Task.exe
%SYSTEM%\Connection.exe
%SYSTEM%\Downloading.DVD_____________________________________.exe
%SYSTEM%\File-04-Music.DVD_____________________________________.scr
%SYSTEM%\SoundTrack01.CD_____________________________________.exe
%SYSTEM%\The_Members.BaT
%SYSTEM%\moderater.baT
%SYSTEM%\movie009.pif
%SYSTEM%\new-video977.DVD____________________________________.scr
%SYSTEM%\reactive_group.bAt

W32/Nyxem-C also copies itself to the system folder using the name of an 
existing executable file, but with an ending of 'm.exe' replacing the 
original extension, for example W32/Nyxem-C may copy itself to the 
system folder as NOTEPADm.exe, twunk_16m.exe or winhlp32m.exe.

W32/Nyxem-C also creates a new sub-folder of the Windows folder named 
VOLUME\ with the hidden attributes set and copies itself to this folder 
using the name of an existing file. The pathname of this copy is added 
to new sub-keys of the following registry entries so that it is run on 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

The following harmless files are created:

%SYSTEM%\About_BlackWorm.C.txt
%SYSTEM%\Beethoven's_Symphony_No.rm
%SYSTEM%\New_Stories__Highway_Blues.rm
%SYSTEM%\Vide01.jpg
%SYSTEM%\about.txt

The library DLL OSSMTP.DLL is dropped to the system folder and 
registered as a COM object creating registry entries under:

HKCR\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}
HKCR\Interface\{3EC61E06-D128-41E3-8BBD-D8048BF6F2EC}
HKCR\Interface\{4F0A64F5-9E1E-42DB-9A58-34AEC4AA15DC}
HKCR\Interface\{7735921B-5977-4FE9-B28E-4DBE5E98C6A3}
HKCR\Interface\{98416333-DC4C-4F02-9A5B-F33C7580380E}
HKCR\Interface\{9ABAF239-5028-47C1-8B05-D9C50EE0CAC1}
HKCR\Interface\{CCD12224-C0E1-407C-A023-5FBB7DBA32BC}
HKCR\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}
HKCR\OSSMTP.SMTPSession

OSSMTP.DLL is a legitimate COM library for Microsoft Visual Basic, 
providing functionality to send emails. To de-register OSSMTP.DLL run:

regsvr32 /U OSSMTP.DLL

W32/Nyxem-C also sets the following registry entries:

HKCU\Identities\Email
HKCU\Identities\Outlook Express
HKCU\Software\Nico Mak Computing\WinZip\
WinIni\Name = "BlackWorm"
HKCU\Software\Nico Mak Computing\WinZip\
WinIni\SN = "2AD00ED6"
HKCU\Software\Nico Mak Computing\WinZip\
caution\NoBetaMessage = "1"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu1 = "C:\WINDOWS\system32\2.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu2 = "C:\WINDOWS\system32\3.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu3 = "C:\WINDOWS\system32\1.zip"
HKCU\Software\Nico Mak Computing\WinZip\
filemenu\filemenu4 = "C:\WINDOWS\system32\4.zip"
HKCR\.chm\Num = 2
HKCR\.chm\1 = "Beethoven's Symphony No"
HKCR\.chm\2 = "New Stories Highway Blues "
HKLM\SYSTEM\ControlSet001\Services\TlntSvr\Start = 2
HKLM\SOFTWARE\Microsoft\Active Setup\
Security = <pathname of W32/Nyxem-C executable>

W32/Nyxem-C tries to terminate and remove selected anti-virus and 
security related applications and deletes selected sub-keys of the 
following registry entries to prevent applications from running on 
startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

Sub-keys include: NPROTECT, ccApp, ScriptBlocking, MCUpdateExe, 
VirusScan Online, MCAgentExe, VSOCheckTask, McRegWiz, McVsRte, 
PCClient.exe, PCCClient.exe, PCCIOMON.exe, pccguide.exe, PccPfw, 
tmproxy, McAfeeVirusScanService, NAV Agent, SSDPSRV, rtvscn95, defwatch, 
vptray, Taskmon, KasperskyAv, system., msgsrv32, Windows Services Host, 
Explorer, Sentry, ssate.exe, winupd.exe, au.exe, OLE, gigabit.exe, 
Norton Antivirus AV, reg_key, Windows Update, _Hazafibb, win_upd.exe, 
JavaVM, Services, winupdt, Traybar, key, erthgdr, wersds.exe and Task.





Name   W32/Forbot-Q

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Wootbot.gen
    * W32/Gaobot.worm.gen.g1

Prevalence (1-5) 2

Description
W32/Forbot-Q is a worm and backdoor for the Windows platform.

W32/Forbot-Q spreads to networks shares and by exploiting the LSASS 
(MS04-011) vulnerability and backdoors opened by other malware.

Advanced
W32/Forbot-Q is a worm and backdoor for the Windows platform.

W32/Forbot-Q spreads to networks shares and by exploiting the LSASS 
(MS04-011) vulnerability and backdoors opened by other malware.

When run W32/Forbot-Q copies itself to the Windows system folder as 
ssvchost.exe. The worm adds the following registry entries to ensure 
that the copy is run each time Windows is started.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
window2 = "ssvchost.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
window2 = "ssvchost.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
window2 = "ssvchost.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
window2 = "ssvchost.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
window2 = "ssvchost.exe"

The backdoor component of W32/Forbot-Q may be used to launch distributed 
denial of service attacks, run a Socks proxy server or obtain 
information about the infected computer.

W32/Forbot-Q attempts to disable other worms, such as members of the 
W32/Bagle family.





Name   W32/Rbot-IT

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Rbot.gen
    * W32/Sdbot.worm.gen.i

Prevalence (1-5) 2

Description
W32/Rbot-IT is a worm which attempts to spread to remote network shares 
and allows unauthorised remote access to the computer via IRC channels.

Advanced
W32/Rbot-IT is a worm which attempts to spread to remote network shares 
and allows unauthorised remote access to the computer via IRC channels.

W32/Rbot-IT spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Rbot-IT copies itself to the file mswinc.exe in the Windows system 
folder and creates entries at the following locations in the registry so 
that the worm is run when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Remote Procedure Calls = mswinc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Remote Procedure Calls = mswinc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Remote Procedure Calls = mswinc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Remote Procedure Calls = mswinc.exe





Name   W32/Sdbot-OY

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.SdBot.gen
    * W32/Sdbot.worm.gen.h1
    * WORM.SDBOT.QR

Prevalence (1-5) 2

Description
W32/Sdbot-OY is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

Advanced
W32/Sdbot-OY is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Sdbot-OY spreads to network shares with weak passwords and via 
network security exploits as a result of the backdoor Trojan element 
receiving the appropriate command from a remote user.

W32/Sdbot-OY copies itself to the Windows system folder as sload32.exe 
and creates the following registry entries so that the worm is run when 
a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
sload = sload32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
sload = sload32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sload = sload32.exe





Name   W32/Rbot-IO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-IO is an IRC backdoor Trojan and network worm which can 
propagate by copying itself into the shared folders of network drives.

W32/Rbot-IO can also set registry entries to ensure that it is executed 
automatically upon restart.

Advanced
W32/Rbot-IO is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

W32/Rbot-IO spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-IO moves itself to the Windows system folder as WUAMGDR.EXE and 
creates registry entries at the following locations to run itself 
automatically on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine = wuamgdr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update Machine = wuamgdr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update Machine = wuamgdr.exe





Name   W32/Rbot-IL

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * WORM_RBOT.OA

Prevalence (1-5) 2

Description
W32/Rbot-IL is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running in 
the background as a service process.

Advanced
W32/Rbot-IL spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-IL copies itself to the Windows system folder as a random file 
name and creates the following registry entries so as to run itself on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft 
Update
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update

W32/Rbot-IL may set the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"

W32/Rbot-IL may delete the C$, D$, E$, IPC$ and ADMIN$ network shares on 
the host computer.





Name   W32/Rbot-IK

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Downloads code from the internet

Aliases  
    * Backdoor.Rbot.gen

Prevalence (1-5) 2

Description
W32/Rbot-IK is a network worm with IRC backdoor functionality.

W32/Rbot-IK spreads to other machines affected by the Universal PNP 
(MS01-059), WebDav (MS03-007), RPC DCOM (MS03-026, MS04-012), LSASS 
(MS04-011) or DameWare (CAN-2003-1030) vulnerabilities, infected by one 
of several backdoors or running network services protected by weak 
passwords.

Advanced
W32/Rbot-IK is a network worm with backdoor functionality.

In order to run automatically when Windows starts up the worm copies 
itself to a file in the Windows system folder. The name of this file is 
either explore32 or a series of randomly chosen letters. The file 
extension is always EXE.

Once installed, W32/Rbot-IK connects to a preconfigured IRC server, 
joins a channel and awaits further instructions. These instructions can 
cause the bot to perform any of the following actions:

flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP server
start a command shell server
search for product keys
download and install an updated version of itself
show statistics about the infected system
kill antivirus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
close down vulnerable services in order to secure the machine
take screenshots
capture images from any detected webcam
show/flush the DNS cache
list/modify network shares/services
send emails

The worm spreads to machines affected by known vulnerabilities, running 
the network services protected by weak passwords or infected by common 
backdoor Trojans.

Vulnerabilities:

Universal PNP (MS01-059)
WebDav (MS03-007)
RPC DCOM (MS03-026, MS04-012)
LSASS (MS04-011)
DameWare (CAN-2003-1030)

Services:

NetBios
NTPass
MS SQL

Backdoors:

W32/Bagle
Troj/Kuang
W32/MyDoom
Troj/NetDevil
Troj/Optix
Troj/Sub7

W32/Rbot-IK creates or modifies the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update 32 = <filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update 32 = <filename>

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update 32 = <filename>

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM = "N"

HKLM\SYSTEM\ControlSet001\Control\Lsa\
restrictanonymous = dword:00000001

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001

The worm terminates the following processes

regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exetaskmon.exe (sic)
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe

W32/Rbot-IK searches for product keys for the following software:

Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road to Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need for Speed Hot Pursuit 2
Need for Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous 2
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)





Name   W32/Sdbot-OV

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.SdBot.ry
    * W32/Sdbot.worm.gen.h
    * WORM_RANDEX.L

Prevalence (1-5) 2

Description
W32/Sdbot-OV is a worm for the Windows platform. The worm includes some 
backdoor functionality.

W32/Sdbot-OV spreads to shared folders on the local network.

Advanced
W32/Sdbot-OV is a worm for the Windows platform. The worm includes some 
backdoor functionality.

W32/Sdbot-OV spreads to shared folders on the local network.

When run the worm copies itself to usb32.exe in the Windows system 
folder and adds the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Usb Driver = "usb32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Usb Driver = "usb32.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Win32 Usb Driver = "usb32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Win32 Usb Driver = "usb32.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Win32 Usb Driver = "usb32.exe"

W32/Sdbot-OV allows unauthorised access to the infected computer via IRC.

The backdoor function include distributed denial of service attacks, 
operating as a proxy server and stealing informatin relating to some 
popular games.





Name   W32/Sdbot-RY

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.ry
    * W32/Sdbot.worm.gen.h

Prevalence (1-5) 2

Description
W32/Sdbot-RY is a worm and backdoor for the Windows platform.

The worm component attempts to spread to remote network shares and the 
backdoor allows a malicious user remote access to an infected computer 
via IRC channels while running in the background as a service process.

Advanced
W32/Sdbot-RY is a worm and backdoor for the Windows platform.

The worm component attempts to spread to remote network shares and the 
backdoor allows a malicious user remote access to an infected computer 
via IRC channels while running in the background as a service process.

W32/Sdbot-RY copies itself to the Windows system folder with the 
filename spoolsvc.exe and in order to run automatically when Windows 
starts up creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 System Spool=spoolsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 System Spool=spoolsvc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32 System Spool=spoolsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Win32 System Spool=spoolsvc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Win32 System Spool=spoolsvc.exe.

W32/Sdbot-RY attempts to spread to network machines using various 
exploits including the LSASS vulnerability (see MS04-011).

W32/Sdbot-RY may function as a proxy server, delete network shares and 
steal information related to popular games.





Name   Troj/Delf-DU

Type  
    * Trojan

Aliases  
    * New

Prevalence (1-5) 2

Description
Troj/Delf-DU is a backdoor Trojan.

In order to run automatically when Windows starts up the Trojan copies 
itself to the file services.exe in the Windows system folder and creates 
the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Services = C:\Windows\system32\services.exe

Once installed Troj/Delf-DU connects to an IRC server and joins a 
channel from which it can receive further instructions. These 
instructions can cause the Trojan to kill specific processes or download 
files from arbitrary URLs and execute them.

The Trojan automatically terminates any processes whose filenames 
contain one the following patterns:
winnt35.exe
w.exe
mb.exe
~.exe
1.exe
2.exe
scan.exe
svshost.exe





Name   W32/Neveg-C

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases  
    * W32/Neveg.c@MM

Prevalence (1-5) 2

Description
W32/Neveg-C is a mass-mailing worm.

Advanced
W32/Neveg-C is a mass-mailing worm. When started the worm copies itself 
to the Windows system folder as services.exe and creates the following 
registry entries in order to auto-start on user logon or computer 
reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ccApps = <%SYSTEM%>\services.exe

The worm may also use any of the following instead of ccApps:

.Prog
FriendlyTypeName
TEXTCONV
Microsoft Visual SourceSafe
RegDone
BuildLab





Name   W32/Rbot-IP

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Rbot-IP is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer

Advanced
W32/Rbot-IP is a worm which attempts to spread to remote network shares. 
It also contains backdoor Trojan functionality, allowing unauthorised 
remote access to the infected computer via IRC channels while running 
in the background as a service process.

W32/Rbot-IP spreads to network shares with weak passwords as a result of 
the backdoor Trojan element receiving the appropriate command from a 
remote user.

W32/Rbot-IP moves itself to the Windows system folder as DVLDR.EXE and 
creates entries in the registry at the following locations to run on 
system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Automatic Updates = dvldr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Automatic Updates = dvldr.exe

HKCU\Software\Microsoft\OLE\
Windows Automatic Updates = dvldr.exe

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 20/11 205/0 237/10
<CTRL-A>PATH: 123/140 500 106/1 20/11