Conference DIRTY_DOZEN, 201 messages
Message 114, 1225 lines
Written 2006-04-29 18:51:00 by KURT WISMER (1:123/140)
Subject: News, April 29 2006
===========================
[cut-n-paste from sophos.com]

Name   W32/Forbot-GI

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Forbot-GI is a worm and backdoor for the Windows platform.

W32/Forbot-GI includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
W32/Forbot-GI is a worm and backdoor for the Windows platform.

W32/Forbot-GI includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Forbot-GI copies itself to <Windows system 
folder>\drivers\ntndis.exe and creates the file <Windows system 
folder>\drivers\ntndis.sys.

The following registry entry is changed to run ntndis.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows system folder>\drivers\ntndis.exe

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows folder>\Explorer.exe to be run on 
startup).

The file ntndis.sys is a rootkit detected by Sophos's anti-virus 
products as Troj/RKProc-F. Ntndis.sys is registered as a new system 
driver service named "ntndis", with a display name of "ntndis" and a 
startup type of automatic, so that it is started automatically during 
system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ntndis\





Name   W32/Bagle-GY

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Uses its own emailing engine
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Bagle-GY is a mass-mailing worm for the Windows platform.

W32/Bagle-GY may send email messages with blank message text and 
non-Roman subject lines.

Advanced
W32/Bagle-GY is a mass-mailing worm for the Windows platform.

W32/Bagle-GY may send email messages with blank message text and 
non-Roman subject lines.

W32/Bagle-GY includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Bagle-GY copies itself to <Windows>\csrss.exe and 
creates the file <Temp>\Message.hta.

The following registry entry is changed to run W32/Bagle-GY on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger
<Windows>\csrss.exe





Name   Troj/BankSnif-J

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Spy.Win32.Banker.atw

Prevalence (1-5) 2

Description
Troj/BankSnif-J is a Trojan for the Windows platform.

Troj/BankSnif-J includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/BankSnif-J is a Trojan for the Windows platform.

Troj/BankSnif-J includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/BankSnif-J copies itself to <User>\order_????.exe 
and creates the file <User>\order_????.bin where ???? is a sequence 
of randomly chosen four letters.

The following registry entry is created to run order_????.exe on 
startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
order_Shell
<User>\order_????.exe





Name   W32/Kassbot-O

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
W32/Kassbot-O is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Kassbot-O runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Kassbot-O is a worm and IRC backdoor Trojan for the Windows 
platform.

W32/Kassbot-O runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Kassbot-O copies itself to <System>\<random 
filename>

The following registry entries are created to run the worm on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Anti-Virus
<random filename>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Anti-Virus
<random filename>

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
Microsoft Anti-Virus
<random filename>

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1





Name   Troj/Bdoor-AAB

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer

Aliases  
    * Backdoor.Win32.Delf.nz

Prevalence (1-5) 2

Description
Troj/Bdoor-AAB is a backdoor Trojan for the Windows platform.





Name   W32/Brontok-AI

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Sends itself to email addresses found on the infected computer
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Email-Worm.Win32.Brontok.n
    * W32/Rontokbro.gen@MM
    * Win32/Pazetus.L
    * W32.Rontokbro.Z@mm
    * WORM_RONTKBR.GEN

Prevalence (1-5) 2

Description
W32/Brontok-AI is a mass-mailing worm for the Windows platform.

W32/Brontok-AI sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

From:
angelina_ph@<recipient's domain>
or
jennifer_sh@<recipient's domain>

If the recipient's address is Indonesian:

Subject line:
Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject:

My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attached file:

Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat 
runs Photo.bmp. Photo.bmp is an executable (currently detected as 
Troj/Dloadr-ADW) which attempts to download and execute a copy of the 
worm from a preconfigured website. At the time of writing, this 
website was unavailable.

Advanced
W32/Brontok-AI is a mass-mailing worm for the Windows platform.

W32/Brontok-AI sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

From:
angelina_ph@<recipient's domain>
or
jennifer_sh@<recipient's domain>

If the recipient's address is Indonesian:

Subject line:
Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject:

My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attached file:

Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat 
runs Photo.bmp. Photo.bmp is an executable (currently detected as 
Troj/Dloadr-ADW) which attempts to download and execute a copy of the 
worm from a preconfigured website. At the time of writing, this 
website is unavailable.

When W32/Brontok-AI is installed it copies itself to the following 
locations:

<User>\Local Settings\Application Data\dv<random1>\yesbron.com
<User>\Local Settings\Application Data\jalak-<random2>-bali.com
<Windows system folder>\n<random3>\b<random4>.exe
<Windows system folder>\n<random3>\c.bron.tok.txt
<Windows system folder>\n<random3>\csrss.exe
<Windows system folder>\n<random3>\lsass.exe
<Windows system folder>\n<random3>\services.exe
<Windows system folder>\n<random3>\smss.exe
<Windows system folder>\n<random3>\sv<random5>r.exe
<Windows system folder>\n<random3>\winlogon.exe
<Windows system folder>\c_<random6>.com
<Windows folder>\j<random7>.exe
<Windows folder>\o<random8>.exe
<Windows folder>\_default<random9>.pif
<Windows folder>\<random10>\ib<random11>.exe

where <random1> etc. are randomly-chosen numbers.

W32/Brontok-AI installs the following files:

\Baca Bro !!!.txt
<Windows folder>\Tasks\At1.job
<Windows folder>\Tasks\At2.job

The .job files each contain a scheduled task, instructing Windows to 
execute the installed copies of the worm once per day.

The .txt file, when opened, will cause the worm to display the 
following message:

######################### BRONTOK.C[22] #########################

-- Hentikanlah kebobrokan di negeri ini --

1. Penjarakan Koruptor, Penyelundup, Tukang Suap, & Bandar NARKOBA
( Send To NUSAKAMBANGAN )

2. Stop Free Sex, Aborsi, & Prostitusi
( Go To HELL )

3. Stop Pencemaran Alam, Pembakaran Hutan & Perburuan Liar.

4. SAY NO TO DRUGS !!!

-- Spizaetus Cirrhatus --

[ By JowoBot ]

+++++0000++++00000++++0000+++0+++++0++0000000+++0000+++0+++0+++++
+++++0++++0++0++++0++0++++0++00++++0+++++0+++++0++++0++0++0++++++
+++++0++++0++0++++0++0++++0++0+0+++0+++++0+++++0++++0++0+0+++++++
+++++00000+++00000+++0++++0++0++0++0+++++0+++++0++++0++00++++++++
+++++0++++0++0++0++++0++++0++0+++0+0+++++0+++++0++++0++0+0+++++++
+++++0++++0++0+++0+++0++++0++0++++00+++++0+++++0++++0++0++0++++++
+++++0000++++0++++0+++0000+++0+++++0+++++0++++++0000+++0+++0+++++

~~ Sedikit Jawaban u/ Membungkam Mulut Sesumbar 'Mereka' ~~

Nobron & Romdil = Otak Kosong, Mulut Besar, Cuma Bisa

Nobron = Satria Dungu = Nothing !!!

Romdil = Tukang Jiplak = Nothing !!!

Nobron & Romdil -->> Kicked by The Amazing Brontok

[ By JowoBot ]

W32/Brontok-AI closes windows whose titles contain any of the 
following:

ahnlab
alwil
anti
avg
avira
b.e
bitdef
BROWNIES
bugil
cewe
cillin
CLEANER
cmd.exe
command prompt
commander
computer management
ertanto
folder option
group policy
hijack
kaspersky
killbox
killer
mcafee
movzx
naked
nod32
norman
norton
pc-media
pcmedia
peid
porn
PROCESS EXP
registry
REMOVER
robknot
rontok
rontox
scheduled task
sex
symantec
SYSINTERNAL
system configuration
task manager
task view
telanjang
trendmicro
trojan
virus
washer
windows script
wintask
worm

W32/Brontok-AI adds entries to the system HOSTS file to prevent 
access to security-related domains.

W32/Brontok-AI may install a new version of the file <Windows system 
folder>\msvbvm60.dll.

The following registry entries are created to run the installed 
copies of the worm on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random>
<User>\Local Settings\Application Data\dv<random1>\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random>
<Windows folder>\_default<random8>.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random>
<Windows system folder>\n<random3>\sv<random4>r.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random>
<Windows folder>\j<random6>.exe

The following registry entries are changed to run j6321422.exe and 
o4321427.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows folder>\o<random7>.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows folder>\Explorer.exe to be run on 
startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<Windows system folder>\userinit.exe,<Windows folder>\<random6>.exe

(the default value for this registry entry is
"<Windows folder>\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\





Name   W32/Feebs-T

Type  
    * Worm

How it spreads  
    * Peer-to-peer

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Feebs.dh
    * Infection:

Prevalence (1-5) 2

Description
W32/Feebs-T is a worm for the Windows platform.

Advanced
W32/Feebs-T is a worm for the Windows platform.

When run, W32/Feebs-T will create the file C:\Recycled\userinit.exe 
which is detected as W32/Feebs-Gen.





Name   W32/Tilebot-EO

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.SdBot.xd

Prevalence (1-5) 2

Description
W32/Tilebot-EO is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-EO spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-EO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-EO are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

Advanced
W32/Tilebot-EO is a worm and IRC backdoor for the Windows platform.

W32/Tilebot-EO spreads to other network computers by exploiting 
common buffer overflow vulnerabilities, including: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
WKS 
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx) 
(CAN-2003-0812), PNP 
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx) 
and ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx) 
and by copying itself to network shares protected by weak passwords.

W32/Tilebot-EO runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

When first run W32/Tilebot-EO copies itself to <Windows 
folder>\eltsass.exe.

The file eltsass.exe is registered as a new system driver service 
named "Windows Internet Services", with a display name of "Windows 
Internet Services" and a startup type of automatic, so that it is 
started automatically during system startup. Registry entries are 
created under:

HKLM\SYSTEM\CurrentControlSet\Services\Windows Internet Services\

W32/Tilebot-EO sets the following registry entries, disabling the 
automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4

Registry entries are set as follows:

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

Registry entries are created under:

HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

The following patches for the operating system vulnerabilities 
exploited by W32/Tilebot-EO are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx





Name   Troj/Tibs-Z

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Packed.Win32.Tibs

Prevalence (1-5) 2

Description
Troj/Tibs-Z is a Trojan for the Windows platform.

Troj/Tibs-Z includes functionality to access the internet and 
communicate with a remote server via HTTP to download and install 
software.

Advanced
Troj/Tibs-Z is a Trojan for the Windows platform.

Troj/Tibs-Z includes functionality to access the internet and 
communicate with a remote server via HTTP to download and install 
software.

When first run Troj/Tibs-Z copies itself to <System>\kernels8.exe and 
creates the following files:

<Temp>\1.dlb
<Temp>\4.dlb

The following registry entry is created to run kernels8.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<System>\kernels8.exe

The following registry entry is set, disabling the Windows task manager
(taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1





Name   Troj/BagleDL-BQ

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Bagle.ak

Prevalence (1-5) 2

Description
Troj/BagleDL-BQ is a Trojan for the Windows platform.

Troj/BagleDL-BQ includes functionality to communicate with a remote 
server via http.

Advanced
Troj/BagleDL-BQ is a Trojan for the Windows platform.

Troj/BagleDL-BQ includes functionality to communicate with a remote 
server via http.

When run, Troj/BagleDL-BQ modifies registry entries under:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
 




Name   W32/Rbot-DDF

Type  
    * Worm

How it spreads  
    * Network shares

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases  
    * Backdoor.Win32.Aimbot.dl

Prevalence (1-5) 2

Description
W32/Rbot-DDF is a worm and IRC backdoor for the Windows platform.

The worm attempts to spread by copying itself to remote network 
shares or by exploiting any of the following vulnerabilities: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Rbot-DDF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-DDF includes functionality to access the internet and 
communicate with a remote server via HTTP.

The following patches for the operating systems vulnerabilities 
exploited by W32/Rbot-DDF are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

Advanced
W32/Rbot-DDF is a worm and IRC backdoor for the Windows platform.

The worm attempts to spread by copying itself to remote network 
shares or by exploiting any of the following vulnerabilities: LSASS 
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx), 
RPC-DCOM 
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx), 
ASN.1 
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx).

W32/Rbot-DDF runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Rbot-DDF includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run W32/Rbot-DDF copies itself to <Windows system 
folder>\algsys.exe.

The file algsys.exe is registered as a new system driver service 
named "ALGS", with a display name of "Application Layer Gateway 
System" and a startup type of automatic, so that it is started 
automatically during system startup. Registry entries are created 
under:

HKLM\SYSTEM\CurrentControlSet\Services\ALGS\

The following patches for the operating systems vulnerabilities 
exploited by W32/Rbot-DDF are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx





Name   Troj/Agent-BIU

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Modifies data on the computer
    * Downloads code from the internet
    * Installs itself in the Registry

Prevalence (1-5) 2

Description
Troj/Agent-BIU is a Trojan for the Windows platform.

Troj/Agent-BIU includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Agent-BIU is a Trojan for the Windows platform.

Troj/Agent-BIU includes functionality to access the internet and 
communicate with a remote server via HTTP.

When Troj/Agent-BIU is installed it creates the file 
<System>\mscom32.dll.

The file mscom32.dll is registered as a COM object and ShellExecute 
hook, creating registry entries under:

HKCR\CLSID\(487166B7-DA1D-4ec0-966B-DFF858ECE8FD)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

Troj/Agent-BIU includes functionality to inject mscom32.dll code into 
EXPLORER.EXE and modify the HOSTS file.

Troj/Agent-BIU modifies the HOSTS file, changing the URL-to-IP 
mappings for selected websites, therefore preventing normal access to 
these sites. The new HOSTS file will typically contain the following:

192.168.0.101 www.trendmicro.com
192.168.0.101 trendmicro.com
192.168.0.101 rads.mcafee.com
192.168.0.101 customer.symantec.com
192.168.0.101 liveupdate.symantec.com
192.168.0.101 us.mcafee.com
192.168.0.101 updates.symantec.com
192.168.0.101 update.symantec.com
192.168.0.101 www.nai.com
192.168.0.101 nai.com
192.168.0.101 secure.nai.com
192.168.0.101 dispatch.mcafee.com
192.168.0.101 download.mcafee.com
192.168.0.101 www.my-etrust.com
192.168.0.101 my-etrust.com
192.168.0.101 mast.mcafee.com
192.168.0.101 ca.com
192.168.0.101 www.ca.com
192.168.0.101 networkassociates.com
192.168.0.101 www.networkassociates.com
192.168.0.101 avp.com
192.168.0.101 www.kaspersky.com
192.168.0.101 www.avp.com
192.168.0.101 kaspersky.com
192.168.0.101 www.f-secure.com
192.168.0.101 f-secure.com
192.168.0.101 viruslist.com
192.168.0.101 www.viruslist.com
192.168.0.101 liveupdate.symantecliveupdate.com
192.168.0.101 mcafee.com
192.168.0.101 www.mcafee.com
192.168.0.101 sophos.com
192.168.0.101 www.sophos.com
192.168.0.101 symantec.com





Name   Troj/Zlob-IK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Win32/TrojanDownloader.Zlob.MJ

Prevalence (1-5) 2

Description
Troj/Zlob-IK is a Trojan for the Windows platform.

Troj/Zlob-IK changes Start Page and search settings for Microsoft 
Internet Explorer.

Advanced
Troj/Zlob-IK is a Trojan for the Windows platform.

When Troj/Zlob-IK is installed the following files are created:

<Windows system folder>\simpole.tlb
<Windows system folder>\hp<rnd>.tmp

where <rnd> is a randomly generated string of characters. These files 
are also detected as Troj/Zlob-IK.

The file hp<rnd>.tmp is registered as a COM object and Browser Helper 
Object (BHO) for Microsoft Internet Explorer, creating registry 
entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}
HKCR\CLSID\{B0398ECA-0BCD-4645-8261-5E9DC70248D0}

Troj/Zlob-IK changes Start Page and search settings for Microsoft 
Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Search\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0398eca-0bcd-4645-8261-5e9dc70248d0}\(default)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
dcomcfg.exe
dcomcfg.exe





Name   W32/Mytob-HR

Type  
    * Worm

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Allows others to access the computer
    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Net-Worm.Win32.Mytob.el

Prevalence (1-5) 2

Description
W32/Mytob-HR is a mass-mailing worm with IRC backdoor Trojan 
functionality.

The worm spreads by sending emails containing links to a copy of the 
worm. Email addresses are harvested from files on the infected 
computer.

W32/Mytob-HR contains functionality to download and run further 
malicious code.

Emails sent by the worm take the following form.

FROM:

abuse@<harvested domain>

SUBJECT LINE:

Either a string of randomly chosen characters or one of the following:

Account Alert
ACCOUNT ALERT

MESSAGE TEXT:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.

<link to worm, spoofed to appear to point to a file at a harvested 
domain>

After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely, <harvested domain> Abuse Department.

W32/Mytob-HR attempts to terminate a number of processes, most of 
these corresponding to common anti-virus and security products.

W32/Mytob-HR modifies the system HOSTS file in order to prevent 
access to certain anti-virus websites.

Advanced
W32/Mytob-HR is a mass-mailing worm with IRC backdoor Trojan 
functionality.

The worm spreads by sending emails containing links to a copy of the 
worm. Email addresses are harvested from files on the infected 
computer.

W32/Mytob-HR contains functionality to download and run further 
malicious code.

Emails sent by the worm take the following form.

FROM:

abuse@<harvested domain>

SUBJECT LINE:

Either a string of randomly chosen characters or one of the following:

Account Alert
ACCOUNT ALERT

MESSAGE TEXT:

Dear Valued Member,

According to our terms of services, you will have to confirm your 
e-mail by the following link, or your account will be suspended 
within 24 hours for security reasons.

<link to worm, spoofed to appear to point to a file at a harvested 
domain>

After following the instructions in the sheet, your account will not 
be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any 
inconvenience.

Sincerely, <harvested domain> Abuse Department.

W32/Mytob-HR attempts to terminate a number of processes, most of 
these corresponding to common anti-virus and security products.

W32/Mytob-HR modifies the system HOSTS file in order to prevent 
access to certain anti-virus websites.

The following registry entries are created in an attempt to run the 
worm on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Task Manager
taskgmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Task Manager
taskgmr.exe





Name   Troj/VB-BAN

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan-Clicker.Win32.VB.mo
    * Win32/TrojanClicker.VB.LI
    * TROJ_CLICKER.IT

Prevalence (1-5) 2

Description
Troj/VB-BAN is a Trojan for the Windows platform.

Troj/VB-BAN includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/VB-BAN is a Trojan for the Windows platform.

Troj/VB-BAN includes functionality to access the internet and 
communicate with a remote server via HTTP.

The following registry entry is created to run Troj/VB-BAN on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mousepad
<pathname of the Troj/VB-BAN executable>

Troj/VB-BAN may hijack web-browsing and web-searches, redirecting 
URLs entered in Microsoft Internet Explorer to alternative websites.

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
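Most of the write-ups above share a small set of persistence and tampering tricks: replacing the Winlogon Shell or appending to Userinit (Forbot-GI, Brontok-AI), hanging a Debugger off Image File Execution Options for explorer.exe (Bagle-GY), setting DisableRegistryTools/DisableTaskMgr (Brontok-AI, Tibs-Z), adding Policies\Explorer\Run or ShellExecuteHooks entries (Brontok-AI, Zlob-IK, Agent-BIU), and pinning anti-virus vendor domains in the HOSTS file (Agent-BIU, Mytob-HR). The script below is an added example, not part of the Sophos text or of Kurt Wismer's post: it reads a Regedit 5.00 `.reg` export and a HOSTS file as text (so it runs against collected artefacts or a mounted image with no live registry) and reports each indicator. The sample `.reg` and HOSTS contents are constructed from the values quoted above, and the function names, the rule set and the vendor domain list are my own choices.

```python
"""Offline triage for the registry and HOSTS indicators that recur in the
Sophos write-ups above.  Input: a Regedit 5.00 .reg export and a HOSTS file,
both as text.  Output: a list of human-readable findings."""
import re

# Constructed sample inputs (not real captures): the modifications listed for
# Brontok-AI, Bagle-GY, Tibs-Z and Zlob-IK plus one benign value, and three of
# the Agent-BIU HOSTS entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\o4321427.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\j6321422.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run]
"dcomcfg.exe"="dcomcfg.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"""

SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1       localhost
192.168.0.101 www.sophos.com
192.168.0.101 liveupdate.symantec.com
192.168.0.101 download.mcafee.com
"""

# Vendor domains taken from the Agent-BIU HOSTS listing; extend as needed.
SECURITY_DOMAINS = ("sophos.com", "symantec.com", "symantecliveupdate.com",
                    "mcafee.com", "nai.com", "networkassociates.com",
                    "kaspersky.com", "avp.com", "viruslist.com", "f-secure.com",
                    "trendmicro.com", "my-etrust.com", "ca.com")


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key path (lower-cased): {name: data}}.
    Handles REG_SZ, REG_DWORD and the (default) value; other types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            # .reg escapes backslash and double quote inside string data
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
        else:
            keys[current][name] = data
    return keys


def check_registry(keys):
    """Apply the registry indicators from the write-ups to parsed keys."""
    findings = []
    for path, values in keys.items():
        if path.endswith("\\windows nt\\currentversion\\winlogon"):
            shell = str(values.get("Shell", "Explorer.exe"))
            if shell.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell not default: {shell!r}")
            # default Userinit is "<system>\userinit.exe," with nothing after the comma
            extra = [p for p in str(values.get("Userinit", "")).split(",")[1:] if p.strip()]
            if extra:
                findings.append(f"Winlogon Userinit runs extra program(s): {extra}")
        elif "\\image file execution options\\" in path and "Debugger" in values:
            exe = path.rsplit("\\", 1)[1]
            findings.append(f"IFEO Debugger on {exe}: {values['Debugger']!r}")
        elif path.endswith("\\policies\\system"):
            for name in ("DisableRegistryTools", "DisableTaskMgr"):
                if values.get(name) == 1:
                    findings.append(f"{name}=1 under {path}")
        elif path.endswith("\\policies\\explorer\\run") or "\\shellexecutehooks" in path:
            for name, data in values.items():
                findings.append(f"autostart/hook entry under {path}: {name}={data!r}")
    return findings


def check_hosts(text):
    """Return (ip, hostname) pairs that pin a security vendor domain to an
    address; vendors do not ship HOSTS overrides, so any such entry is suspect."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((fields[0], h))
    return hits


def triage(reg_text, hosts_text):
    findings = check_registry(parse_reg(reg_text))
    findings += [f"HOSTS sinkholes {h} to {ip}" for ip, h in check_hosts(hosts_text)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_HOSTS):
        print(finding)
```

On a real case, export the hives with `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` (or load them from a mounted image) and pass their contents together with `%SystemRoot%\system32\drivers\etc\hosts`. An IFEO Debugger entry is not proof of infection on its own, since legitimate tools also use it; treat it, and the Run-key listing, as items to review, and the Shell/Userinit and HOSTS findings as the strong signals.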