Tillbaka till svenska Fidonet
English   Information   Debug  
COMICS   0/15
CONSPRCY   0/899
COOKING   32953
COOKING_OLD1   0/24719
COOKING_OLD2   0/40862
COOKING_OLD3   0/37489
COOKING_OLD4   0/35496
COOKING_OLD5   9370
C_ECHO   0/189
C_PLUSPLUS   0/31
DIRTY_DOZEN   94/201
DOORGAMES   0/2061
DOS_INTERNET   0/196
duplikat   6002
ECHOLIST   0/18295
EC_SUPPORT   0/318
ELECTRONICS   0/359
ELEKTRONIK.GER   1534
ENET.LINGUISTIC   0/13
ENET.POLITICS   0/4
ENET.SOFT   0/11701
ENET.SYSOP   33903
ENET.TALKS   0/32
ENGLISH_TUTOR   0/2000
EVOLUTION   0/1335
FDECHO   0/217
FDN_ANNOUNCE   0/7068
FIDONEWS   24128
FIDONEWS_OLD1   0/49742
FIDONEWS_OLD2   0/35949
FIDONEWS_OLD3   0/30874
FIDONEWS_OLD4   0/37224
FIDO_SYSOP   12852
FIDO_UTIL   0/180
FILEFIND   0/209
FILEGATE   0/212
FILM   0/18
FNEWS_PUBLISH   4408
FN_SYSOP   41679
FN_SYSOP_OLD1   71952
FTP_FIDO   0/2
FTSC_PUBLIC   0/13599
FUNNY   0/4886
GENEALOGY.EUR   0/71
GET_INFO   105
GOLDED   0/408
HAM   0/16070
HOLYSMOKE   0/6791
HOT_SITES   0/1
HTMLEDIT   0/71
HUB203   466
HUB_100   264
HUB_400   39
HUMOR   0/29
IC   0/2851
INTERNET   0/424
INTERUSER   0/3
IP_CONNECT   719
JAMNNTPD   0/233
JAMTLAND   0/47
KATTY_KORNER   0/41
LAN   0/16
LINUX-USER   0/19
LINUXHELP   0/1155
LINUX   0/22093
LINUX_BBS   0/957
mail   18.68
mail_fore_ok   249
MENSA   0/341
MODERATOR   0/102
MONTE   0/992
MOSCOW_OKLAHOMA   0/1245
MUFFIN   0/783
MUSIC   0/321
N203_STAT   926
N203_SYSCHAT   313
NET203   321
NET204   69
NET_DEV   0/10
NORD.ADMIN   0/101
NORD.CHAT   0/2572
NORD.FIDONET   189
NORD.HARDWARE   0/28
NORD.KULTUR   0/114
NORD.PROG   0/32
NORD.SOFTWARE   0/88
NORD.TEKNIK   0/58
NORD   0/453
OCCULT_CHAT   0/93
OS2BBS   0/787
OS2DOSBBS   0/580
OS2HW   0/42
OS2INET   0/37
OS2LAN   0/134
OS2PROG   0/36
OS2REXX   0/113
OS2USER-L   207
OS2   0/4786
OSDEBATE   0/18996
PASCAL   0/490
PERL   0/457
PHP   0/45
POINTS   0/405
POLITICS   0/29554
POL_INC   0/14731
PSION   103
R20_ADMIN   1121
R20_AMATORRADIO   0/2
R20_BEST_OF_FIDONET   13
R20_CHAT   0/893
R20_DEPP   0/3
R20_DEV   399
R20_ECHO2   1379
R20_ECHOPRES   0/35
R20_ESTAT   0/719
R20_FIDONETPROG...
...RAM.MYPOINT
  0/2
R20_FIDONETPROGRAM   0/22
R20_FIDONET   0/248
R20_FILEFIND   0/24
R20_FILEFOUND   0/22
R20_HIFI   0/3
R20_INFO2   3221
R20_INTERNET   0/12940
R20_INTRESSE   0/60
R20_INTR_KOM   0/99
R20_KANDIDAT.CHAT   42
R20_KANDIDAT   28
R20_KOM_DEV   112
R20_KONTROLL   0/13273
R20_KORSET   0/18
R20_LOKALTRAFIK   0/24
R20_MODERATOR   0/1852
R20_NC   76
R20_NET200   245
R20_NETWORK.OTH...
...ERNETS
  0/13
R20_OPERATIVSYS...
...TEM.LINUX
  0/44
R20_PROGRAMVAROR   0/1
R20_REC2NEC   534
R20_SFOSM   0/340
R20_SF   0/108
R20_SPRAK.ENGLISH   0/1
R20_SQUISH   107
R20_TEST   2
R20_WORST_OF_FIDONET   12
RAR   0/9
RA_MULTI   106
RA_UTIL   0/162
REGCON.EUR   0/2056
REGCON   0/13
SCIENCE   0/1206
SF   0/239
SHAREWARE_SUPPORT   0/5146
SHAREWRE   0/14
SIMPSONS   0/169
STATS_OLD1   0/2539.065
STATS_OLD2   0/2530
STATS_OLD3   0/2395.095
STATS_OLD4   0/1692.25
SURVIVOR   0/495
SYSOPS_CORNER   0/3
SYSOP   0/84
TAGLINES   0/112
TEAMOS2   0/4530
TECH   0/2617
TEST.444   0/105
TRAPDOOR   0/19
TREK   0/755
TUB   0/290
UFO   0/40
UNIX   0/1316
USA_EURLINK   0/102
USR_MODEMS   0/1
VATICAN   0/2740
VIETNAM_VETS   0/14
VIRUS   0/378
VIRUS_INFO   0/201
VISUAL_BASIC   0/473
WHITEHOUSE   0/5187
WIN2000   0/101
WIN32   0/30
WIN95   0/4288
WIN95_OLD1   0/70272
WINDOWS   0/1517
WWB_SYSOP   0/419
WWB_TECH   0/810
ZCC-PUBLIC   0/1
ZEC   4

 
4DOS   0/134
ABORTION   0/7
ALASKA_CHAT   0/506
ALLFIX_FILE   0/1313
ALLFIX_FILE_OLD1   0/7997
ALT_DOS   0/152
AMATEUR_RADIO   0/1039
AMIGASALE   0/14
AMIGA   223/331
AMIGA_INT   0/1
AMIGA_PROG   0/20
AMIGA_SYSOP   0/26
ANIME   0/15
ARGUS   0/924
ASCII_ART   0/340
ASIAN_LINK   0/651
ASTRONOMY   0/417
AUDIO   0/92
AUTOMOBILE_RACING   0/105
BABYLON5   0/17862
BAG   135
BATPOWER   0/361
BBBS.ENGLISH   0/382
BBSLAW   0/109
BBS_ADS   0/5290
BBS_INTERNET   0/507
BIBLE   0/3563
BINKD   0/1119
BINKLEY   0/215
BLUEWAVE   0/2173
CABLE_MODEMS   0/25
CBM   0/46
CDRECORD   0/66
CDROM   0/20
CLASSIC_COMPUTER   0/378
Möte DIRTY_DOZEN, 201 texter
 lista första sista föregående nästa
Text 127, 1383 rader
Skriven 2006-07-09 23:49:00 av KURT WISMER (1:123/140)
Ärende: News, July 9, 2006
==========================
[cut-n-paste from sophos.com]

Name   Troj/Zlob-PI

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Zlob.we
    * Puper.dll

Prevalence (1-5) 2

Description
Troj/Zlob-PI is a Trojan for the Windows platform.

Advanced
Troj/Zlob-PI is a Trojan for the Windows platform.

When run Troj/Zlob-PI creates the following files
<Program files>\ZipCodec\uninst.exe
<System>\regperf.exe
<System>\ld100.tmp.

The uninst.exe is a harmless file that when run will delete itself 
and the <Program files>\ZipCodec folder. This file can be deleted.

The files <System>\regperf.exe and <System>\ld100.tmp are detected as 
Troj/Zlob-PI.

The following registry entry is set to run regperf.exe on startup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
wininet.dll
regperf.exe





Name   Troj/Lineage-VJ

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information

Aliases  
    * PWS-Lineage

Prevalence (1-5) 2

Description
Troj/Lineage-VJ is a password-stealing Trojan for the Windows platform.

Advanced
Troj/Lineage-VJ is a password-stealing Trojan for the Windows platform.

When Troj/Lineage-VJ is installed the following files are created:
<Windows>\svchost.exe
<System>\pdll.dll

Both of these files are detected as Troj/Lineage-VJ.

The following registry entry is changed to run Troj/Lineage-VJ on 
startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\svchost.exe,

(the default value for this registry entry is 
"<Windows>\System32\userinit.exe,").





Name   Troj/SpyDldr-J

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Aliases  
    * Hoax.Win32.Renos.dk
    * TFactory
    * Win32/Hoax.Renos.DK

Prevalence (1-5) 2

Description
Troj/SpyDldr-J is a Trojan for the Windows platform.

Troj/SpyDldr-J creates registry entries and drops corrupt executable 
files on the infected computer that indicate the presence the of 
malware or adware on the computer and may generate fake alerts on the 
presence of them.

Troj/SpyDldr-J may display the following fake error message:

Warning!

Local Security Authority Service ('lsass.exe') has encountered a 
serious problem (possible spyware infection).

Click OK button to visit Windows Security Center web site and 
download spyware remover to protect your
system against trojans, viruses and spyware. System scan is highly 
recommended by Windows Security Center.

'lsass.exe' terminated unexpectedly with status code -1073741819

Advanced
Troj/SpyDldr-J is a Trojan for the Windows platform.

Troj/SpyDldr-J creates registry entries and drops corrupt executable 
files on the infected computer that indicate the presence the of 
malware or adware on the computer and may generate fake alerts on the 
presence of them.

Troj/SpyDldr-J may display the following fake error message:

Warning!

Local Security Authority Service ('lsass.exe') has encountered a 
serious problem (possible spyware infection).

Click OK button to visit Windows Security Center web site and 
download spyware remover to protect your
system against trojans, viruses and spyware. System scan is highly 
recommended by Windows Security Center.

'lsass.exe' terminated unexpectedly with status code -1073741819

Troj/SpyDldr-J attempts to download and install further files from a 
remote website to the following locations:

<Windows system folder>\adobepnl.dll
<Windows system folder>\qjrkvy.exe
<Windows system folder>\reger.exe
<Windows system folder>\winflash.dll

Troj/SpyDldr-J attempts to download some of the following image files 
to the Windows folder:

about_spyware_bg.gif
about_spyware_bottom.gif
as.gif
as_header.gif
bg.gif
box_1.gif
box_2.gif
box_3.gif
button_buynow.gif
button_freescan.gif
close-bar.gif
download_box.gif
features.gif
footer_back.gif
footer_back.jpg
header_1.gif
header_2.gif
header_3.gif
header_4.gif
infected.gif
main_back.gif
rf.gif
rf_header.gif
scan_btn.gif
security-center-bg.gif
security-center-logo.gif
security_center_caption.gif
sep_hor.gif
sep_vert.gif
spacer.gif
spyware-detected.gif
star.gif
star_gray.gif
star_gray_small.gif
star_small.gif
ts.gif
ts_header.gif
warning-bar-ico.gif
warning_icon.gif
win_logo.gif

Troj/SpyDldr-J creates some of the following files to pretend the 
computer is infected with other malware and adware:

<Windows folder>\alexaie.dll
<Windows folder>\alxie328.dll
<Windows folder>\alxtb1.dll
<Windows folder>\BTGrab.dll
<Windows folder>\dlmax.dll
<Windows folder>\Pynix.dll
<Windows folder>\susp.exe
<Windows folder>\ZServ.dll
<Windows system folder>\a.exe
<Windows system folder>\alxres.dll
<Windows system folder>\bridge.dll
<Windows system folder>\dailytoolbar.dll
<Windows system folder>\jao.dll
<Windows system folder>\questmod.dll
<Windows system folder>\runsrv32.dll
<Windows system folder>\runsrv32.exe
<Windows system folder>\tcpservice2.exe
<Windows system folder>\txfdb32.dll
<Windows system folder>\udpmod.dll
<Windows system folder>\wstart.dll

Troj/SpyDldr-J creates some of the following registry entries to 
pretend the computer is infected with other malware and adware:

HKCR\AlxTB.BHO

HKCR\AppID\{951B3138-AE8E-4676-A05A-250A5F111631}

HKCR\AppID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}

HKCR\AppID\DailyToolbar.DLL
DailyToolbar
dailytoolbar.dll

HKCR\AppID\WStart.DLL
WStart
wstart.dll

HKCR\Bridge.brdg
Bridge

HKCR\CLSID\{58F9B276-E1CC-458e-8159-21CBC021874B}

HKCR\CLSID\{60e2e76b-60e2e76b-60e2e76b-60e2e76b-60e2e76b}

HKCR\CLSID\{80bb7465-a638-43b5-9827-8e8fe38dfcc1}

HKCR\CLSID\{8333C319-0669-4893-A418-F56D9249FCA6}

HKCR\CLSID\{9896231A-C487-43A5-8369-6EC9B0A96CC0}

HKCR\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81}
url_relpacer

HKCR\CLSID\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333}

HKCR\DailyToolbar.IEBand
DailyToolbar

HKCR\DailyToolbar.SysMgr
DailyToolbar

HKCR\IEToolbar.AffiliateCtl
IEToolbar

HKCR\Interface\{0BBB0424-E98E-4405-9A94-481854765C80}

HKCR\Interface\{0F3332B5-BC98-48AF-9FAC-05FEC94EBE73}

HKCR\Interface\{10195311-E434-47A9-ADBA-48839E3F7E4E}

HKCR\Interface\{3E60160F-0ED6-4DCC-B6B6-850CDE4FD217}

HKCR\Interface\{4FDBDBAD-FEFE-4C4C-9CC1-1181052AFB12}

HKCR\Interface\{A69107CC-BEC8-4A34-B474-211B0F46A764}

HKCR\Interface\{A6A68CBD-6673-41B1-B997-3F83A25B45B0}

HKCR\Interface\{ABAFA0B4-F78D-42E5-8C31-1A441D01C1DF}

HKCR\Interface\{B71C7D9A-DA43-4E8B-BB98-1684AC2AF324}

HKCR\Interface\{B7B84995-8B92-46BF-94AA-FA2F3DD23B84}

HKCR\Interface\{FA77AD79-09CF-41FB-B171-CC856F9E737F}

HKCR\jao.jao
jao

HKCR\PopMenu.Menu
PopMenu

HKCR\Popup.HTMLEvent.
HTMLEvent

HKCR\Popup.PopupKiller
PopupKiller

HKCR\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}

HKCR\TYPELIB\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27}

HKCR\url_relpacer.URLResolver
url_relpacer

HKCR\WStart.WHttpHelper

HKCR\WStart.WHttpHelper.1

HKCU\Software\Microsoft\IPCheck
IPCheck

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool 
service
Adware.Srv32

HKLM\SOFTWARE\Alexa Internet
Alexa Internet

HKLM\SOFTWARE\Alexa Toolbar
\Alexa Toolbar

HKLM\SOFTWARE\DailyToolbar
DailyToolbar

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{00000000-59D4-4008-9058-080011001200}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{00000000-C1EC-0345-6EC2-4D0300000000}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{00000000-F09C-02B4-6EC2-AD0300000000}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{7b55bb05-0b4d-44fd-81a6-b136188f5deb}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{8333c319-0669-4893-a418-f56d9249fca6}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{9c691a33-7dda-4c2f-be4c-c176083f35cf}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{e52dedbb-d168-4bdb-b229-c48160800e81}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{ffd2825e-0785-40c5-9a41-518f53a8261f}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adware.Srv32
<Windows system folder>\runsrv32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Transponder
<Windows system folder>\susp.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool 
service
Adware.Srv32

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa Toolbar

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bridge

HKLM\SOFTWARE\NIX Solutions\DailyToolbar
DailyToolbar

HKLM\SOFTWARE\RespondMiter
Adware.Srv32
<Windows system folder>\runsrv32.exe

HKLM\SOFTWARE\Software\TPS108
Adware.Srv32
<Windows system folder>\runsrv32.exe

HKLM\SOFTWARE\Transponder
Adware.Srv32
<Windows system folder>\runsrv32.exe

HKLM\SOFTWARE\WSoft
WSoft





Name   W32/Brontok-BB

Type  
    * Spyware Worm

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Brontok-BB is a mass-mailing worm for the Windows platform.

W32/Brontok-BB sends itself to email addresses found on the infected 
computer

Advanced
W32/Brontok-BB is a mass-mailing worm for the Windows platform.

W32/Brontok-BB sends itself to email addresses found on the infected 
computer.

Emails sent by the worm have the following characteristics:

If the recipient's address is Indonesian:

Subject: Fotoku yg Paling Cantik

Message text:

Hi,
Aku lg iseng aja pengen kirim foto ke kamu
Jangan lupain aku ya !.

Thanks

For all other addresses:

Subject: My Best Photo

Message text:

Hi,
I want to share my photo with you.
Wishing you all the best.

Regards,

Attachment name: Photo.zip

The zip file contains Photo.bmp and View-Photo.bat. View-Photo.bat 
runs Photo.bmp.

Photo.bmp is an executable (currently detected as Troj/DwnLdr-AYN) 
which attempts to download and execute a copy of the worm from a 
preconfigured website. At the time of writing, this website is 
unavailable.

W32/Brontok-BB closes windows whose titles contain any of the 
following:

task manager
baca bro !!!
registry
command prompt
system configuration
group policy
cmd.exe
computer management
scheduled task
killbox
hijack
SYSINTERNAL
PROCESS EXP
REMOVER
CLEANER
anti
washer
ertanto
BROWNIES
movzx
killer
pcmedia
pc-media
rontok
rontox
robknot
commander
windows script
norman
norton
symantec
cillin
trendmicro
bitdef
kaspersky
avg
avira
virus
trojan
worm
mcafee
b.e
folder option
wintask
alwil
sex
porn
naked
cewe
bugil
telanjang
nod32
task view
peid
ahnlab

When first run W32/Brontok-BB copies itself to:

<User>\Local Settings\Application Data\dv<random>\yesbron.com
<User>\Local Settings\Application Data\jalak<random>.com
<Windows>\_default<random>.pif
<Windows>\j<random>.exe
<Windows>\o<random>.exe
<Windows>\sa<random>\ib<random>.exe
<System>\c<random>.com
<System>\n<random>\b<random>.exe
<System>\n<random>\csrss.exe
<System>\n<random>\lsass.exe
<System>\n<random>\services.exe
<System>\n<random>\smss.exe
<System>\n<random>\sv<random>.exe
<System>\n<random>\winlogon.exe

where <random> is a sequence of randomly generated numbers.

and creates the following files:

Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt

These files can be deleted.

The .job files each contain a scheduled task, instructing Windows to 
execute the installed copies of the worm once per day.

W32/Brontok-BB may install a new version of the file 
<System>\msvbvm60.dll.

The following registry entries are created to run yesbron.com, 
_default<random>.pif, j<random>.exe and sv<random>.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
<random characters>
<User>\Local Settings\Application Data\dv<random>\yesbron.com

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
<random characters>
<Windows>\_default<random>.pif

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<random characters>
<System>\n<random>\sv<random>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<random characters>
<Windows>\j<random>.exe

The following registry entries are changed to run j<random>.exe and 
o<random>.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o<random>.exe"

(the default value for this registry entry is "Explorer.exe" which 
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j<random>.exe

(the default value for this registry entry is 
"<Windows>\System32\userinit.exe,").

The following registry entry is set, disabling the registry editor 
(regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

Registry entries are set as follows:

HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

Registry entries are created under:

HKCU\Software\Brontok\





Name   Troj/Banker-CSX

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Steals information
    * Forges the sender's email address
    * Uses its own emailing engine
    * Reduces system security
    * Installs itself in the Registry
    * Monitors browser activity

Aliases  
    * Trojan-Spy.Win32.Banker.ark

Prevalence (1-5) 2

Description
Troj/Banker-CSX is an internet banking Trojan for the Windows platform.

When run Troj/Banker-CSX attempts to disable software that may be 
running on the user's computer.

Troj/Banker-CSX then continuously monitors Microsoft Internet 
Explorer for certain strings related to internet banking websites.

Once a match is found, Troj/Banker-CSX will display a fake login 
screen, prompting the user to enter confidential information.

Advanced
Troj/Banker-CSX is an internet banking Trojan for the Windows platform.

When run Troj/Banker-CSX attempts to disable software that may be 
running on the user's computer.

Troj/Banker-CSX then continuously monitors Microsoft Internet 
Explorer for certain strings related to internet banking websites.

Once a match is found, Troj/Banker-CSX will display a fake login 
screen, prompting the user to enter confidential information.

Troj/Banker-CSX sends the harvested information to a remote address 
via SMTP.

Troj/Banker-CSX copies itself to <System>\nvcpll.exe.

Troj/Banker-CSX creates the following registry entry to run 
nvcpll.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nvcpll
<System>\nvcpll.exe





Name   Troj/Clagger-V

Type  
    * Trojan

Affected operating systems  
    * Windows

Prevalence (1-5) 2

Description
Troj/Clagger-V is a Trojan downloader for the Windows platform.

Troj/Clagger-V attempts to download a file from a remote website to 
<Windows>\new.exe and execute it.

Troj/Clagger-V drops the clean file 1.bat to the same folder as 
itself in order to delete itself.

Advanced
Troj/Clagger-V is a Trojan downloader for the Windows platform.

Troj/Clagger-V attempts to download a file from a remote website to 
<Windows>\new.exe and execute it.

Troj/Clagger-V sets the following registry entry in order to bypass 
the Windows firewall:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FiREWaLLpolicy\StAnDaRDPrOFiLe\AUtHorizedapplications\List
<Trojan filename>
<Trojan filename>:*:ENABLED:0

Troj/Clagger-V drops the clean file 1.bat to the same folder as 
itself in order to delete itself.





Name   Troj/Cimuz-AO

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals credit card details
    * Steals information
    * Installs itself in the Registry
    * Installs a browser helper object

Aliases  
    * Win32/Spy.Agent.EO
    * Spy-Agent.ba

Prevalence (1-5) 2

Description
Troj/Cimuz-AO is an information-stealing Trojan for the Windows 
platform.

Troj/Cimuz-AO attempts to steal information such as email account 
usernames and passwords, as well as creating screenshots to capture 
information such as banking details, and may send the stolen 
information to a remote user via FTP.

Advanced
Troj/Cimuz-AO is an information-stealing Trojan for the Windows 
platform.

Troj/Cimuz-AO attempts to steal information such as email account 
usernames and passwords, as well as creating screenshots to capture 
information such as banking details, and may send the stolen 
information to a remote user via FTP.

Troj/Cimuz-AO drops the file <System>\ipv6mons.dll, also detected 
as Troj/Cimuz-AO. This file is registered as a COM object and Browser 
Helper Object (BHO) for Microsoft Internet Explorer, creating 
registry entries under:

HKCR\CLSID\{73364D99-1240-4dff-B11A-67E448373048}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser 
Helper ObJects\{73364D99-1240-4dff-B11A-67E448373048}

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List\<Program 
Files>\Internet Explorer
IEXPLORE.EXE
"<Program Files>\\Internet 
Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

Troj/Cimuz-AO creates the following registry value:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control 
Panel\load\net_insll





Name   Troj/Ogre-A

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Steals information
    * Records keystrokes
    * Monitors browser activity

Aliases  
    * Trojan-Spy.Win32.Bancos.px
    * Win32/Spy.Bancos.IV

Prevalence (1-5) 2

Description
Troj/Ogre-A is a password-stealing Trojan for the Windows platform.

Advanced
Troj/Ogre-A is a password-stealing Trojan for the Windows platform.

Troj/Ogre-A attempts to steal confidential data when a user attempts 
to access Orkut.

Troj/Ogre-A will display a fake login screen for Orkut when a user 
accesses the website via a web browser.





Name   W32/Looked-B

Type  
    * Virus

How it spreads  
    * Network shares
    * Infected files

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Worm.Win32.Viking.n
    * Win32/Viking.N

Prevalence (1-5) 2

Description
W32/Looked-B is a Windows executable virus and network worm.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

Advanced
W32/Looked-B is a Windows executable virus and network worm.

When first run the virus copies itself to <Windows>\rundl132.exe and 
creates a file <Windows>\vDll.dll, also detected as W32/Looked-B. 
This file attempts to download further malicious code.

The virus infects EXE files found on the infected computer. The virus 
also attempts to copy itself to remote network shares.

Many files with the name "_desktop.ini" are created, in various 
folders on the infected computer. These files are harmless text files.

The following registry entry is created in order to run the virus on 
startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe





Name   Troj/Cimuz-AP

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Drops more malware

Aliases  
    * Spy-Agent.ak

Prevalence (1-5) 2

Description
Troj/Cimuz-AP is a Trojan for the Windows platform.

Advanced
Troj/Cimuz-AP is a Trojan for the Windows platform.

When Troj/Cimuz-AP is installed it creates the file 
<System>\ipv6mons.dll.

The file ipv6mons.dll is detected as Troj/Cimuz-Gen.

The file ipv6mons.dll is registered as a COM object and Browser 
Helper Object (BHO) for Microsoft Internet Explorer, creating 
registry entries under:

HKCR\CLSID\(73364D99-1240-4dff-B11A-67E448373048)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser 
helper obJects\(73364D99-1240-4dff-B11A-67E448373048)

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy\StandardProfile\AuthorizedApplications\List\\Internet Explorer
IEXPLORE.EXE
<Program Files>\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet 
Explorer





Name   Troj/Agent-CDK

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Agent.nw
    * W32/Agent.XR
    * Downloader-LE.gen
    * Win32/TrojanDownloader.Agent.LG

Prevalence (1-5) 2

Description
Troj/Agent-CDK is a Trojan for the Windows platform.

Troj/Agent-CDK includes functionality to download, install and run 
new software.

Troj/Agent-CDK also contains functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/Agent-CDK is a Trojan for the Windows platform.

Troj/Agent-CDK includes functionality to download, install and run 
new software.

Troj/Agent-CDK also contains functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/Agent-CDK copies itself to <Windows system 
folder>\[random1]\[random2].exe. (Where random1 and random2 are a 
randomly generated names containing 6 and 5 characters respectively.)

The following registry entry is created to run cosvcx.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random2]
<Windows system folder>\[random1]\[random2].exe

The file [random2].exe is registered as a COM object, creating 
registry entries under:

HKCR\CLSID\{86999974-0C67-0C36-58D5-200AED9213EB}

Troj/Agent-CDK changes settings for Microsoft Internet Explorer by 
modifying values under:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\

The following registry entry is set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\ProxyServer





Name   Troj/Dloadr-YT

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet
    * Reduces system security
    * Installs itself in the Registry

Aliases  
    * Trojan-Downloader.Win32.Small.cul

Prevalence (1-5) 2

Description
Troj/Dloadr-YT is a downloading Trojan for the Windows platform.

Advanced
Troj/Dloadr-YT is a downloading Trojan for the Windows platform.

The Trojan includes functionality to access the internet and 
communicate
with a remote server via HTTP.

When first run Troj/Dloadr-YT copies itself to <System>\upnp.exe.

The file being downloaded was unavailable at the time of writing.

The following registry entry is created to run upnp.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
upnp
<System>\upnp.exe

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy
StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<original filename>:*:Enabled:<original filename>

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewall
Policy
StandardProfile\AuthorizedApplications\List\
<System>\upnp.exe
<System>\upnp.exe:*:Enabled:upnp





Name   W32/Bagle-KN

Type  
    * Worm

How it spreads  
    * Email attachments

Affected operating systems  
    * Windows

Side effects  
    * Turns off anti-virus applications
    * Forges the sender's email address
    * Downloads code from the internet
    * Installs itself in the Registry
    * Leaves non-infected files on computer

Prevalence (1-5) 2

Description
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the 
Windows platform.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: <link to imagefile containing password>
The password is <link to imagefile containing password>
Password -- <link to imagefile containing password>
Use password <link to imagefile containing password> to open archive.
Password is <link to imagefile containing password>
Zip password: <link to imagefile containing password>
archive password: <link to imagefile containing password>
Password - <link to imagefile containing password>
Password: <link to imagefile containing password>

The email comes with 2 file attachments:
<random characters>.GIF
<random name>.ZIP

The file <random characters>.GIF contains a GIF image which contains 
the password to unzip the ZIP file.

The file <random name>.ZIP when unzipped contains 2 files:
<random characters>\<random characters>.dll - this file may be safely 
deleted
<random characters>.exe - detected as W32/Bagle-KN

Advanced
W32/Bagle-KN is a mass-mailing worm and downloader Trojan for the 
Windows platform.

When run W32/Bagle-KN creates the file <User>\Application 
Data\hidn\m_hook.sys. This file is also detected as W32/Bagle-KN and 
includes functionality to terminate anti-virus and system-related 
processes and to hide processes.

The file m_hook.sys is registered as a new system driver service 
named "m_hook", with a display name of "Empty" and a startup type of 
automatic, so that it is started automatically during system startup. 
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK\
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\

The following registry entry is also set:

HKCU\Software\FirstRuxzx
FirstRun
1

W32/Bagle-KN also creates the file C:\error.gif. This is a GIF file 
which is also subsequently run and can be safely deleted.

Emails sent by the worm have the following characteristics:

The sender's email address is spoofed.

Message text chosen from:

To the beloved
I love you

And appended with any of the following strings:

archive password: <link to imagefile containing password>
The password is <link to imagefile containing password>
Password -- <link to imagefile containing password>
Use password <link to imagefile containing password> to open archive.
Password is <link to imagefile containing password>
Zip password: <link to imagefile containing password>
archive password: <link to imagefile containing password>
Password - <link to imagefile containing password>
Password: <link to imagefile containing password>

The email comes with 2 file attachments:
<random characters>.GIF
<random name>.ZIP

The file <random characters>.GIF contains a GIF image which contains 
the password to unzip the ZIP file.

The file <random name>.ZIP when unzipped contains 2 files:
<random characters>\<random characters>.dll - this file may be safely 
deleted
<random characters>.exe - detected as W32/Bagle-KN

W32/Bagle-KN may also copy itself to <User>\Application 
Data\hidn\hidn1.exe and sets the following registry entry to run 
hidn1.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key
<path to worm executable>





Name   W32/Oscabot-O

Type  
    * Worm

How it spreads  
    * Chat programs

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Installs itself in the Registry

Aliases  
    * Backdoor.Win32.Aimbot.v

Prevalence (1-5) 2

Description
W32/Oscabot-O is a Trojan for the Windows platform.

W32/Oscabot-O runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

Advanced
W32/Oscabot-O is a Trojan for the Windows platform.

W32/Oscabot-O runs continuously in the background, providing a 
backdoor server which allows a remote intruder to gain access and 
control over the computer via IRC channels.

W32/Oscabot-O spreads via AOL Instant Messenger.

When first run W32/Oscabot-O copies itself to <Windows>\msclean.exe.

The following registry entry is created to run msclean.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msclean
<Windows>\msclean.exe

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
msclean
msclean.exe<Windows>\msclean.exe





Name   Troj/LowZone-CX

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Reduces system security
    * Installs itself in the Registry
    * Modifies browser settings

Aliases  
    * Trojan.Win32.LowZones.dt
    * QLowZones-2.gen
    * Trojan.LowZones
    * TROJ_LOWZONE.AF

Prevalence (1-5) 2

Description
Troj/LowZone-CX is a Trojan for the Windows platform.

Troj/LowZone-CX includes functionality to access the internet and 
communicate with a remote server via HTTP.

Advanced
Troj/LowZone-CX is a Trojan for the Windows platform.

Troj/LowZone-CX includes functionality to access the internet and 
communicate with a remote server via HTTP.

When first run Troj/LowZone-CX copies itself to <Windows system 
folder>\bikini.exe.

The following registry entry is created to run bikini.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
bikini
bikini.exe

The following registry entry is set, affecting internet security:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\3
CurrentLevel
11





Name   Troj/Dloadr-ZL

Type  
    * Trojan

Affected operating systems  
    * Windows

Side effects  
    * Downloads code from the internet

Aliases  
    * Trojan-Downloader.Win32.Delf.qz

Prevalence (1-5) 2

Description
Troj/Dloadr-ZL is a Trojan for the Windows platform.

Troj/Dloadr-ZL includes functionality to download, install and run 
new software.

Advanced
Troj/Dloadr-ZL is a Trojan for the Windows platform.

Troj/Dloadr-ZL includes functionality to download, install and run 
new software.

When first run, Troj/Dloadr-ZL downloads a file from a remote server 
called manual.exe. This file is written to <System>\Explorer.EXE 
and executed. The file <System>\Explorer.EXE is detected by Sophos 
as Troj/Bnkmr-Fam.





Name   Troj/Sharp-S

Type  
    * Spyware Trojan

Affected operating systems  
    * Windows

Side effects  
    * Allows others to access the computer
    * Steals information
    * Downloads code from the internet
    * Installs itself in the Registry

Aliases  
    * Trojan.Win32.Enfal.f
    * Win32/Spy.Agent.M

Prevalence (1-5) 2

Description
Troj/Sharp-S is a backdoor Trojan for the Windows platform.

Troj/Sharp-S includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Sharp-S injects several threads into the explorer process space.

Advanced
Troj/Sharp-S is a backdoor Trojan for the Windows platform.

Troj/Sharp-S includes functionality to access the internet and 
communicate with a remote server via HTTP.

Troj/Sharp-S injects several threads into the explorer process space.

The Trojan copies itself to the Windows system folder as dllhst2d.exe 
and dt7x.exe.

Troj/Sharp-R will modify the following registry entry to ensure the 
Trojan is run on Windows Login:

HKLM\SOFTWARE\Microsoft\Windows NT\Winlogon
Userinit
<original registry entry data>,<Windows system folder>\dllhst2d.exe

 
--- MultiMail/Win32 v0.43
 * Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)