Text 10, 885 rader
Skriven 2004-11-07 17:15:00 av KURT WISMER (1:123/140)
Ärende: News, Nov. 7 2004
=========================
[cut-n-paste from sophos.com]
Name W32/Sdbot-QX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Backdoor.Win32.SdBot.gen
Prevalence (1-5) 2
Description
W32/Sdbot-QX is a network worm and a backdoor Trojan which runs in the
background as a service process and allows unauthorised remote access to
the computer via IRC channels.
As a backdoor, W32/Sdbot-QX can be used to install and execute programs
on your computer, retrieve system information and flood other computers
with network packets.
Advanced
W32/Sdbot-QX is a network worm and a backdoor Trojan which runs in the
background as a service process and allows unauthorised remote access to
the computer via IRC channels.
When executed W32/Sdbot-QX copies itself to the Windows system folder
with the filename BBSBW.EXE and sets the following registry entries to
ensure the worm is run at Windows login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
gdagdgajs = bbsbw.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
gdagdgajs = bbsbw.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
gdagdgajs = bbsbw.exe
W32/Sdbot-QX attempts to copy itself to remote network shares with weak
passwords.
As a backdoor, W32/Sdbot-QX can be used to install and execute programs
on your computer, retrieve system information and flood other computers
with network packets.
Name W32/Rbot-PA
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Aliases
* Backdoor.Win32.Rbot.gen
Prevalence (1-5) 2
Description
W32/Rbot-PA is a network worm with IRC backdoor functionality.
Advanced
W32/Rbot-PA is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies
itself to the file sdsa.exe in the Windows system folder.
Once installed, W32/Rbot-PA connects to a preconfigured IRC server,
joins a channel and awaits further instructions. These instructions can
cause the bot to perform any of the following actions:
flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP, FTP, rlogind or command shell server
transfer files via DCC
send emails
search for product keys
download and install an updated version of itself
show statistics about the infected system
show/flush the DNS cache
list/terminate running processes
list/create/destroy network shares/services
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
search for passwords in files, running processes and network traffic
read the contents of the clipboard
capture images from the screen or any attacked webcam
close down vulnerable services in order to secure the machine
The worm spreads to machines affected by the RPC DCOM (MS03-026,
MS04-012) or LSASS (MS04-011) vulnerabilities and to computers running a
MS SQL server protected by weak passwords.
W32/Rbot-PA creates or modifies the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
sads = "sdsa.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sads = "sdsa.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
sads = "sdsa.exe"
HKCU\Software\Microsoft\Ole\
sads = "sdsa.exe"
HKLM\Software\Microsoft\Ole\
EnableDCOM = "N"
HKLM\System\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001
Name W32/Rbot-OY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Rbot-OY is a network worm and IRC backdoor Trojan.
W32/Rbot-OY is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
Advanced
W32/Rbot-OY is a network worm and IRC backdoor Trojan.
W32/Rbot-OY is capable of spreading to computers on the local network
protected by weak passwords after receiving the appropriate backdoor
command.
W32/Rbot-OY may also spread by exploiting the following vulnerabilities:
LSASS (MS04-011)
DCOM (MS04-012)
Microsoft SQL servers with weak passwords.
W32/Rbot-OY may attempt to spread with a filename of log.exe.
When first run, W32/Rbot-OY moves itself to the Windows system folder as
winlogg.exe. In order to run each time Windows is started, W32/Rbot-OY
creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows debug logging = "winlogg.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows debug logging = "winlogg.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows debug logging = "winlogg.exe"
The worm runs continuously in the background providing backdoor access
to the infected computer.
The backdoor component of W32/Rbot-OY can be used to:
Initiate distributed denial-of-service (DDoS) attacks using ICMP, SYN,
UDP, PING, ACK and TCP flooding.
Redirect TCP and SOCKS4 traffic.
Provide a remote login shell.
Download, upload, delete and execute files.
Set up an HTTP, TFTP and FTP file server.
Steal passwords (including PayPal account information).
Log key presses.
Capture screenshots.
Capture webcam pictures and videos.
List and kill processes.
Stop, start and pause services.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Send emails as specified by the remote user.
Flush the DNS and ARP caches.
Shut down and reboot the computer.
Add and delete network shares and users.
Sniff network traffic for passwords.
W32/Rbot-OY may be used to steal registration and key details from
several computer games and applications.
W32/Rbot-OY may alter the following registry entries in order to
enable/disable DCOM and open/close restrictions on IPC$ shares:
HKLM\Software\Microsoft\Ole\
EnableDCOM
HKLM\System\CurrentControlSet\Control\Lsa\
restrictanonymous
HKLM\System\ControlSet<NUMBER>\Control\Lsa\
restrictanonymous
W32/Rbot-OY may add and delete network shares and users on the infected
computer.
Name W32/Famus-F
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* I-Worm.Famus.c
* W32/Bilb.worm
* WORM_LIBR.A
Prevalence (1-5) 2
Description
W32/Famus-F is a mass-mailing worm.
W32/Famus-F spreads by sending email messages with itself as an
attachment. Email addresses to send to are obtained from the infected
machine.
Emails are sent with subject
"Mas terrorismo este ano \More terrorism this year"
and contain the following message text:
'Password: "cnn"
Ultimas declaraciones de Bin Laden
Reenvíe este video a todo el mundo.
======================================================
Password: "cnn"
Last speech from Bin Laden
Please forwards this video to everybody.'
W32/Famus-F may display a message box containing the text "File
corrupted or bad format".
Advanced
W32/Famus-F is a mass-mailing worm.
W32/Famus-F spreads by sending email messages with itself as an
attachment. Email addresses to send to are obtained from the infected
machine.
Emails are sent with subject
"Mas terrorismo este ano \More terrorism this year"
and contain the following message text:
'Password: "cnn"
Ultimas declaraciones de Bin Laden
Reenvíe este video a todo el mundo.
======================================================
Password: "cnn"
Last speech from Bin Laden
Please forwards this video to everybody.'
W32/Famus-F also sends an email to a predefined address, giving details
of the infected system.
W32/Famus-F may display a message box containing the text "File
corrupted or bad format".
W32/Famus-F copies itself to the Windows system folder. The worm may
also drop the file SMTP.OCX in the Windows system folder which appears
to be harmless.
W32/Famus-F may also drop a component as MICROSOFT OFFICE.PIF in <Start
Menu>\Programs\Startup. Further files may be dropped in C:\recycled\.
W32/Famus-F may create the following registry entries in order to run
itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sav32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NortonUtility
Name W32/Rbot-OX
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.gen
* W32/Sdbot.worm.gen.i
Prevalence (1-5) 2
Description
W32/Rbot-OX is a network worm with IRC backdoor functionality.
Once installed, W32/Rbot-OX connects to a preconfigured IRC server,
joins a channel and awaits further instructions.
Advanced
W32/Rbot-OX is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies
itself to the file NetConfs.exe in the Windows system folder.
Once installed, W32/Rbot-OX connects to a preconfigured IRC server,
joins a channel and awaits further instructions. These instructions can
cause the backdoor to perform any of the following actions:
flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP, FTP, rlogind or command shell server
transfer files via DCC
send emails
download and install an updated version of itself
show statistics about the infected system
show/flush the DNS cache
list/terminate running processes
list/create/destroy network shares/services
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
search for passwords in files, running processes and network traffic
close down vulnerable services in order to secure the machine
The worm spreads to machines affected by the RPC DCOM (MS03-026,
MS04-012) or LSASS (MS04-011) vulnerabilities.
W32/Rbot-OX creates or modifies the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Networks Configurator = "NetConfs.exe "
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Networks Configurator = "NetConfs.exe "
HKCU\Software\Microsoft\OLE\
Networks Configurator = "NetConfs.exe"
Name JS/QHosts21-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Reduces system security
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
JS/QHosts21-A is a JavaScript Trojan that redirects some banking
websites to a bogus website for the purpose of gathering information.
Advanced
JS/QHosts21-A is a JavaScript Trojan that redirects some banking
websites to a bogus website for the purpose of gathering information.
JS/QHosts21-A comes as a HTML email that will display the Google
website. As it is doing so it will add lines to the Windows Hosts file
that will cause requests for the following websites to be redirected:
www.unibanco.com.br
www.caixa.com.br
www.bradesco.com.br
Name W32/Rbot-OV
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Rbot-OV is a network worm with IRC backdoor functionality.
Advanced
W32/Rbot-OV is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies
itself to the file wint.exe in the Windows system folder.
Once installed, W32/Rbot-OV connects to a preconfigured IRC server,
joins a channel and awaits further instructions. These instructions can
cause the bot to perform any of the following actions:
flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP, FTP, rlogind or command shell server
transfer files via DCC
send emails
search for product keys
download and install an updated version of itself
show statistics about the infected system
show/flush the DNS cache
list/terminate running processes
list/create/destroy network shares/services
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
search for passwords in files, running processes and network traffic
read the contents of the clipboard
capture images from the screen or any attacked webcam
close down vulnerable services in order to secure the machine
The worm spreads to machines affected by the RPC DCOM (MS03-026,
MS04-012) or LSASS (MS04-011) vulnerabilities and to computers running
a MS SQL server protected by weak passwords.
W32/Rbot-OV creates or modifies the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sygate Personal Firewall Startup = "wint.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Sygate Personal Firewall Startup = "wint.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Sygate Personal Firewall Startup = "wint.exe"
HKCU\Software\Microsoft\Ole\
Sygate Personal Firewall Startup = "wint.exe"
HKLM\Software\Microsoft\Ole\
EnableDCOM = "N"
HKLM\System\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001
W32/Rbot-OV may attempt to terminate or disable the following processes:
bbeagle.exe
d3dupdate.exe
i11r54n4.exe
irun4.exe
msblast.exe
MSBLAST.exe
msconfig.exe
mscvb32.exe
navapw32.exe
navw32.exe
netstat.exe
PandaAVEngine.exe
Penis32.exe
rate.exe
regedit.exe
ssate.exe
sysinfo.exe
SysMonXP.exe
teekids.exe
wincfg32.exetaskmon.exe
winsys.exe
winupd.exe
zapro.exe
zonealarm.exe
Name W32/Bagz-F
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Forges the sender's email address
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* W32/Bagz.gen@MM
Prevalence (1-5) 2
Description
W32/Bagz-F is mass mailing network worm which also contains a backdoor
that allows an intruder to download and install further components.
W32/Bagz-F will attempt to harvest email addresses from TXT, HTM, DBX,
TBI and TBB files. The worm uses harvested addresses both to send email
to and to spool the sender of the email. It may also attempt to
terminate anti-virus software processes.
Advanced
W32/Bagz-F is mass mailing network worm which also contains a backdoor
that allows an intruder to download and install further components.
W32/Bagz-F will attempt to harvest email addresses from TXT, HTM, DBX,
TBI and TBB files. The worm uses harvested addresses both to send email
to and to spool the sender of the email. It may also attempt to
terminate anti-virus software processes.
The email sent by W32/Bagz-F will have the following characteristics:
Subject line:
ASAP
please responce
Read this
urgent
toxic
contract
Money
office
Have a nice day
Hello
Russian's
Amirecans
attachments
attach
waiting
best regards
Administrator
Warning
text
Vasia
re: Andrey
re: please
re: order
Allert!
Attached file (ZIP format):
backup.zip
admin.zip
archivator.zip
about.zip
readme.zip
help.zip
photos.zip
payment.zip
archives.zip
manual.zip
inbox.zip
outbox.zip
save.zip
rar.zip
zip.zip
ataches.zip
documentation.zip
docs.zip
Attached file (EXE format):
backup.doc <lots of spaces> .exe
admin.doc <lots of spaces> .exe
archivator.doc <lots of spaces> .exe
about.doc <lots of spaces> .exe
readme.doc <lots of spaces> .exe
help.doc <lots of spaces> .exe
photos.doc <lots of spaces> .exe
payment.doc <lots of spaces> .exe
archives.doc <lots of spaces> .exe
manual.doc <lots of spaces> .exe
inbox.doc <lots of spaces> .exe
outbox.doc <lots of spaces> .exe
save.doc <lots of spaces> .exe
rar.doc <lots of spaces> .exe
zip.doc <lots of spaces> .exe
ataches.doc <lots of spaces> .exe
documentation.doc <lots of spaces> .exe
docs.doc <lots of spaces> .exe
sqlssl.doc <lots of spaces> .exe
W32/Bagz-F will keep a copy of the above files in the Windows system
folder. The worm also drops the following components, also in the
Windows system folder.
sysinfo32.exe
ipdb.dll
wdate.dll
jobdb.dll
W32/Bagz-F will also modify the Window hosts file in order to prevent
access to major anti-virus vendors websites.
It will create the services under the name "Xuy v palto " with imagepath
"<Windows system folder>\trace32.exe". As a side effect, it will create
registry entries in:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XUY_V_PALTO\
HKLM\SYSTEM\CurrentControlSet\Services\Xuy v palto\
The worm also disables KaZaA virus detection by deleting the following
registry entry:
HKCU\Software\Kazaa\Settings\Quarantine
Name W32/Rbot-OR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* WORM_SDBOT.CC
Prevalence (1-5) 2
Description
W32/Rbot-OR is a worm which attempts to spread to remote network shares
and contains backdoor Trojan functionality allowing unauthorised remote
access to the infected computer.
Advanced
W32/Rbot-OR is a worm which attempts to spread to remote network shares.
It also contains backdoor Trojan functionality, allowing unauthorised
remote access to the infected computer via IRC channels while running in
the background as a service process.
W32/Rbot-OR moves itself to the Windows system folder as atiphexx.exe
and creates the following registry entries to ensure it is run at system
logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
ati control panel = atiphexx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ati control panel = atiphexx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
ati control panel = atiphexx.exe
W32/Rbot-OR spreads to network shares with weak passwords and via
network security vulnerabilities including RPC-DCOM(MS04-012).
The worm may set the following registry entries:
HKLM\Software\Microsoft\Ole\EnableDCOM = N
HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymous = 1
W32/Rbot-OR will also download and execute remote files on the infected
computer and flood other computers with network packets.
Name W32/Rbot-OP
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Rbot-OP is a network worm with IRC backdoor functionality.
Advanced
W32/Rbot-OP is a network worm with IRC backdoor functionality.
In order to run automatically when Windows starts up the worm copies
itself to the file afilterplatform.exe in the Windows system folder.
Once installed, W32/Rbot-OP connects to a preconfigured IRC server,
joins a channel and awaits further instructions. These instructions can
cause the bot to perform any of the following actions:
flood a specified host with UDP, TCP, SYN, ICMP or ping packets
start a webserver offering the contents of the local drive
start a socks4 proxy server
redirect TCP connections
start a TFTP, FTP, rlogind or command shell server
transfer files via DCC
send emails
search for product keys
download and install an updated version of itself
show statistics about the infected system
show/flush the DNS cache
list/terminate running processes
list/create/destroy network shares/services
scan randomly- or sequentially-chosen IPs for infectable machines
start a keylogger
search for passwords in files, running processes and network traffic
read the contents of the clipboard
capture images from the screen or any attacked webcam
close down vulnerable services in order to secure the machine
The worm spreads to machines affected by the RPC DCOM (MS03-026,
MS04-012) or LSASS (MS04-011) vulnerabilities and to computers running a
MS SQL server protected by weak passwords.
W32/Rbot-OP creates or modifies the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Adobe Filter Platform = "afilterplatform.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Adobe Filter Platform = "afilterplatform.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Adobe Filter Platform = "afilterplatform.exe"
HKCU\Software\Microsoft\Ole\
Adobe Filter Platform = "afilterplatform.exe"
HKLM\Software\Microsoft\Ole\
EnableDCOM = "N"
HKLM\System\CurrentControlSet\Control\Lsa\
restrictanonymous = dword:00000001
Name W32/Leebad-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Reduces system security
* Records keystrokes
Aliases
* Worm.Win32.Leebad.a
* W32/Sautor.worm
* TROJ_ADDUSER.F
Prevalence (1-5) 2
Description
W32/Leebad-A is a worm for the Windows platform that copies files to the
root folder of all functional drives, including network drives.
Advanced
W32/Leebad-A is a worm for the Windows platform that will copy the
following files to the root folder of all functional drives, including
network drives:
* admin.bat, which sets a new administrator account with the password
abcd1234!@#
* autorun.inf, which runs system32.exe when opened
* System32.exe, the main worm component
* system32dll.dll, which includes keylogger functionality
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|