Tillbaka till svenska Fidonet
English   Information   Debug  
COMICS   0/15
CONSPRCY   0/899
COOKING   33421
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   0/201
DOORGAMES   0/2065
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33945
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24159
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4436
FN_SYSOP   41705
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13611
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16074
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22112
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   930
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1123
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3249
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13299
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/341
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4289
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   0/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
Möte DIRTY_DOZEN, 201 texter
 lista första sista föregående nästa
Text 107, 689 rader
Skriven 2006-03-11 12:30:00 av KURT WISMER (1:123/140)
Ärende: News, March 11 2006
===========================
[cut-n-paste from sophos]

Name   Troj/Banker-AML

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Records keystrokes
    * Installs itself in the Registry

Aliases  
    * PWS-Banker.gen.b
    * Trojan-Spy.Win32.Banker.aec
    * W32/Banker.IXB

Prevalence (1-5) 2

Description
Troj/Banker-AML is a data stealing Trojan for the Windows platform 
which attempts to capture confidential information related to 
internet banking.

Advanced
Troj/Banker-AML is a data stealing Trojan for the Windows platform 
which attempts to capture confidential information related to 
internet banking.

When first run Troj/Banker-AML copies itself to <System>\winlogin.exe.

The following registry entry is created to run winlogin.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update
<System>\winlogin.exe





Name   W32/Rbot-CLO

Type  
    * Spyware Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities
    * Used in DOS attacks

Aliases  
    * Backdoor.Win32.Rbot.gen
    * Backdoor.IRC.Bot
    * WORM_RBOT.DZY

Prevalence (1-5) 2

Description
W32/Rbot-CLO is a network worm with backdoor functionality for the 
Windows platform.

W32/Rbot-CLO spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting common buffer overflow vulnerabilities, including: 
Veritas (CAN-2004-1172) and ASN.1 (MS04-007)

W32/Rbot-CLO attempts to disable anti-virus and other security 
related software.

Advanced
W32/Rbot-CLO is a network worm with backdoor functionality for the 
Windows platform.

W32/Rbot-CLO spreads using a variety of techniques including:
-exploiting weak passwords on computers and SQL servers
-exploiting common buffer overflow vulnerabilities, including: 
Veritas (CAN-2004-1172) and ASN.1 (MS04-007)

W32/Rbot-CLO attempts to disable anti-virus and other security 
related software.

W32/Rbot-CLO can be controlled by a remote attacker over IRC 
channels. The backdoor component of W32/Rbot-CLO can be instructed by 
a remote user to perform the following functions:

- start an FTP server
- start a Proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software

The worm copies itself to a file named b4db0yz.exe in the Windows 
system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE
System Service
b4db0yz.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Service
b4db0yz.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Service
b4db0yz.exe

A patch for the operating system vulnerability exploited by 
W32/Rbot-CLO can be obtained from Microsoft at: MS04-007





Name   Troj/Dumador-AI

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * W32/Dumaru.gen@MM
    * Win32/Dumador
    * Backdoor.Nibu

Prevalence (1-5) 2

Description
Troj/Dumador-AI is a Trojan for the Windows platform.

Troj/Dumador-AI includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Dumador-AI can steal email and FTP passwords stored on the 
infected computer.

Advanced
Troj/Dumador-AI is a Trojan for the Windows platform.

Troj/Dumador-AI includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Dumador-AI can steal email and FTP passwords stored on the 
infected computer.

When first run Troj/Dumador-AI copies itself to <System>\winldra.exe 
and creates the following files:

<Temp>\fe43e701.htm
<Windows>\dvpd.dll
<Windows>\netdx.dat

The following registry entry is created to run winldra.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load32
<System>\winldra.exe

Troj/Dumador-AI changes settings for Microsoft Internet Explorer by 
modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

Registry entries are created under:

HKCU\Software\SARS\





Name   W32/Hilder-A

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer

Prevalence (1-5) 2

Description
W32/Hilder-A is a mass-mailing worm for the Windows platform.

W32/Hilder-A will attempt to run its own VBScript code in order to 
email itself to other computers using Microsoft Outlook if it is 
installed. W32/Hilder-A sends emails to addresses found in the 
Outlook address book with the subject line "GEIL!" and message text 
"Heisse Bilder im Anhang!".

W32/Hilder-A also includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Hilder-A is a mass-mailing worm for the Windows platform.

W32/Hilder-A is a hybrid worm comprising sections written in 
assembly, batch scripting language, and VBScript. Despite its EXE 
extension it is executed as a 16-bit COM executable.

When first run W32/Hilder-A copies itself to the following locations 
(if available) :

<user>\STARTM~1\progra~1\autost~1\wind0ws.exe
<Windows folder>\WINSECURITY\CSRSS.EXE
<Windows folder>\WINSECURITY\SERVICES.EXE
<Windows folder>\WINSECURITY\SMSS.EXE
<Windows folder>\WINSECURITY\SOCKET1.IFO
<Windows folder>\WINSECURITY\SOCKET2.IFO
<Windows folder>\WINSECURITY\SOCKET3.IFO
G:\wichtig.exe
A:\wichtig.exe
C:\FUUU.exe
C:\FU.exe
C:\me.exe
C:\by.exe
C:\u were infected.exe
<Windows folder>\INF3CTED.EXE
<Windows folder>\NET5KY.EXE
<Windows folder>\SA55ER.EXE
<Windows folder>\MYD00M.EXE
C:\Dokumente und Einstellungen\All Users\Dokumente\funny.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\unbelieveable.exe
<Windows folder>\TEMP\FU0001.TMP
<Windows folder>\TEMP\FU0002.TMP
C:\hiberfile.sys

W32/Hilder-A will also attempt to delete files from the following 
locations in order to disable anti-virus protection :

C:\programme\mcafee\*.*
C:\programme\symantec\*.*

This attempt is specifically aimed at the German version of Windows.

W32/Hilder-A will attempt to run its own VBScript code in order to 
email itself to other computers using Microsoft Outlook if it is 
installed. W32/Hilder-A sends emails to addresses found in the 
Outlook address book with the subject line "GEIL!" and message text 
"Heisse Bilder im Anhang!".

W32/Hilder-A also includes functionality to access the internet and 
communicate with a remote server via HTTP.





Name   W32/VB-ACS

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Aliases  
    * W32/Bactera.worm!p2p

Prevalence (1-5) 2

Description
W32/VB-ACS is a worm for the Windows platform.

W32/VB-ACS can spread via peer-to-peer networks.

Advanced
W32/VB-ACS is a worm for the Windows platform.

W32/VB-ACS can spread via peer-to-peer networks.

When first run W32/VB-ACS copies itself to:

\AntiVirScan.exe

\bac.exe

\bac2.exe

Registry entries are created under:

HKCU\Software\VB and VBA Program Settings\Bactera\BAC1\





Name   Troj/Runner-F

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Runner-F is a Trojan for the Windows platform.

Troj/Runner-F can be used in conjunction with other malware. The 
Trojan will run the program "dgfgql.exe"





Name   Troj/Dumaru-BZ

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Modifies data on the computer
    * Steals information
    * Uses its own emailing engine
    * Reduces system security
    * Records keystrokes
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Backdoor.Win32.Dumador.ft

Prevalence (1-5) 2

Description
Troj/Dumaru-BZ is a Trojan with password stealing capabilities.

Advanced 
Troj/Dumaru-BZ is a Trojan with password stealing capabilities.

When first run Troj/Dumaru-BZ copies itself to the Windows System 
folder as winldra.exe and creates the following registry entry so as 
to run itself on user logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load32
<System>\winldra.exe

The following files may also be created:

<Windows>\dvpd.dll
<Windows>\sendlogs_dat
<Windows>\dvp.log
<Windows>\prntk.log
<Windows>\prntc.log
<Windows>\netdx.dat
<Temp>\fe43e701.htm

The files sendlogs_dat, dvp.log, prntk.log, prntc.log, netdx.dat and 
fe43e701.htm are non-malicious and may be safely deleted.

dvpd.dll is also being detected by Sophos as Troj/Dumaru-BZ.

Troj/Dumaru-BZ captures clipboard data, window text, cached passwords 
and confidential information from the protected storage area of 
Windows.

The Trojan has the ability to log keystrokes.

The Trojan also attempts to steal confidential information related to 
E-Gold, WebMoney, Total Commander and Far Manager account details as 
well as TCP/IP Interface settings, Internet Account Manager POP3 user 
names/passwords and Windows user names.

The Trojan creates the following registry entry:

HKCU\Software\SARS
SocksPort
<random hexadecimal port number>

The Trojan then uses this port number to set up a backdoor listening 
port to await for commands from a remote user.

The Trojan also changes the settings of Internet Explorer and Windows 
Explorer by creating the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main
AllowWindowReuse
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
Append Completion
yes

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
AutoSuggest
yes

Troj/Dumaru-BZ also appends the HOSTS file with the following 
mappings to deny access to anti-virus and security related websites:

127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 us.mcafee.com/root/
127.0.0.1 www.symantec.com

The Trojan then injects the dropped DLL helper component dvpd.dll 
into the Windows Explorer process and begins keylogging functionality 
when Internet Explorer is started.

The keylogged information is then stored in the file prntk.log in the 
Windows folder. This file is then sent to a pre-configured website as 
a web form to a pre-configured attacker.

Once this data has been sent, the Trojan sets the following registry 
entry:

HKCU\Software\SARS
mailsended
<number>





Name   Troj/BrontDl-B

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/BrontDl-B is a downloading Trojan for the Windows platform.

Troj/BrontDl-B attempts to download and execute a file from a 
preconfigured location on the internet.

Advanced
Troj/BrontDl-B is a downloading Trojan for the Windows platform.

Troj/BrontDl-B attempts to download a file from a preconfigured 
location to <System>\dll\lsass.exec2u.bin and execute it.

At the time of writing, this file was unavailable for download.

When first run Troj/BrontDl-B copies itself to <System>\dll\lsass.exe.

The following registry entry is changed to run lsass.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\dll\lsass.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).





Name   W32/USKAF-A

Type  
    * Worm

How it spreads  
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Deletes files off the computer
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.VB.abe
    * W32/Generic.m
    * WORM_USKAF.A

Prevalence (1-5) 2

Description
W32/USKAF-A is a worm for the Windows platform.

Advanced
W32/USKAF-A is a worm for the Windows platform.

When first run W32/USKAF-A copies itself to

<Startup>\ImagViewer.exe
<Program Files>\GifAnimator.exe

and creates the file <Program Files>\Font1.Gif(harmless image file).

The worm may replace files with the following extensions with a copy 
of itself:

BMP
COM
GIF
JPG
LNK
MP3
PIF
PNG
SCR
TIF

The following registry entry is created to run GifAnimator.exe on 
startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ImagViewer
<Program Files>\GifAnimator.exe

The following registry entries are set, disabling the registry editor 
(regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

Registry entries are created under:

HKCR\keyfile\shell\open\command\





Name   Troj/PWS-KI

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Uses its own emailing engine
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * SennaSpy2001

Prevalence (1-5) 2

Description
Troj/PWS-KI is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

Troj/PWS-KI includes functionality to access the internet and 
communicate with a remote server via HTTP. The Trojan may send an 
email to inform a remote user when a computer has been compromised, 
and may also inform the remote user of the password used to connect 
to the internet.

Troj/PWS-KI modifies internet security settings.

Advanced
Troj/PWS-KI is a backdoor Trojan which allows a remote intruder to 
gain access and control over the computer.

Troj/PWS-KI includes functionality to access the internet and 
communicate with a remote server via HTTP. The Trojan may send an 
email to inform a remote user when a computer has been compromised, 
and may also inform the remote user of the password used to connect 
to the internet.

When first run Troj/PWS-KI copies itself to the Windows folder and to
<Startup>\Server.exe.

Troj/PWS-KI also creates the following files:

\sendhmtl.htm
<CurrentFolder>\regadd706.Reg

The file sendhmtl.htm can be deleted.

The file regadd706.Reg may cause the follwing registry entry to be 
set, so that the Trojan automatically runs on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft
<name of copy of Trojan in the Windows folder>

Note that the second copy of the Trojan, in the <Startup> folder, 
will also be started automatically.

The following registry entry is also set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\3
1601
0

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)