Text 129, 967 rader
Skriven 2006-07-23 17:52:00 av KURT WISMER (1:123/140)
Ärende: News, July 23 2006
==========================
[cut-n-paste from sophos.com]
Name Troj/Agent-CIG
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Spy-Agent.at
* Trojan.Win32.Agent.vp
* Win32/Agent.NBR
Prevalence (1-5) 2
Description
Troj/Agent-CIG is a Trojan for the Windows platform.
Troj/Agent-CIG will attempt to communicate with several different web
addresses.
Advanced
Troj/Agent-CIG is a Trojan for the Windows platform.
When executed Troj/Agent-CIG will create a copy of itself with a
random name in
the <system> folder and will create registry entries under
HKCR\CLSID\(2ee25147-37d4-4640-832c-fccfac8b21d9) and
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects
Troj/Agent-CIG will attempt to communicate with several different web
addresses.
Name Troj/Banker-CZP
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Banker.anv
* PWS-Banker.gen.aa
Prevalence (1-5) 2
Description
Troj/Banker-CZP is a Trojan for the Windows platform.
Troj/Banker-CZP includes functionality to send notification messages
to remote locations.
Advanced
Troj/Banker-CZP is a Trojan for the Windows platform.
Troj/Banker-CZP includes functionality to send notification messages
to remote locations.
When first run Troj/Banker-CZP copies itself to:
<Startup>\msnmsgr.exe
<Windows>\Config\msnmsgr.exe
The following registry entry is created to run msnmsgr.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msnmsgr
<Windows>\Config\msnmsgr.exe
Name W32/Feebs-AX
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Drops more malware
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Worm.Win32.Feebs.hc
* W32/Feebs.DW
* JS/TrojanDropper.Tivso.gen
Prevalence (1-5) 2
Description
W32/Feebs-AX is a worm for the Windows platform.
W32/Feebs-AX spreads by sending itself to email address harvested
from the infected computer and via file sharing on P2P networks.
Emails sent by the worm have the following text:
You have received <random text>
To read the message open the attached file.
User ID: <number>
Password: <number>
Keep your password in a safe place.
Advanced
W32/Feebs-AX is a worm for the Windows platform.
W32/Feebs-AX spreads by sending itself to email address harvested
from the infected computer and via file sharing on P2P networks.
Emails sent by the worm have the following text:
You have received <random text>
To read the message open the attached file.
User ID: <number>
Password: <number>
Keep your password in a safe place.
When first run W32/Feebs-AX drops the file C:\Recycled\userinit.exe,
detected as W32/Feebs-Gen. This file also copies itself to <Windows
system folder>\ms??.exe and drops the file <Windows system
folder>\ms??32.dll, detected as W32/Feebs-AT, where ?? are randomly
chosen characters.
This dropped file also copies itself to P2P folders with the
following filenames:
3dsmax_9_(3D_Studio_Max)_new!_full+crack.zip
ACDSee_9_new!_full+crack.zip
Adobe_Photoshop_10_(CS3)_new!_full+crack.zip
Adobe_Premiere_9_(2.0_pro)_new!_full+crack.zip
Ahead_Nero_8_new!_full+crack.zip
DivX_7.0_new!_full+crack.zip
ICQ_2006_new!_full+crack.zip
Internet_Explorer_7_new!_full+crack.zip
Kazaa_4_new!_full+crack.zip
Longhorn_new!_full+crack.zip
Microsoft_Office_2006_new!_full+crack.zip
winamp_5.2_new!_full+crack.zip
The following registry entry is created to run code exported by the
worm library on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayL
oad
ms??32.dll
<clsid value>
The file ms??32.dll is registered as a COM object, creating registry
entries under:
HKCR\CLSID\<clsid value>
Name Troj/Dloadr-AIZ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.VB.me
Prevalence (1-5) 2
Description
Troj/Dloadr-AIZ is an downloader Trojan for the Windows platform.
When executed, the Trojan may attempt to download a file from a
remote address to C:\messenger.exe and execute it.
The downloaded file was unavailable at the time of writing.
Name Troj/Xorpix-H
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Dropped by malware
Aliases
* Trojan-Proxy.Win32.Xorpix.ab
Prevalence (1-5) 2
Description
Troj/Xorpix-H is a Trojan for the Windows platform.
Troj/Xorpix-H is dropped by Troj/Dropper-KT.
Name W32/Tilebot-GC
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.aad
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Tilebot-GC is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-GC spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx),
WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
(CAN-2003-0812), PNP
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Tilebot-GC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Tilebot-GC is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-GC spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx),
RPC-DCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx),
WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
(CAN-2003-0812), PNP
(http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx)
and ASN.1
(http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
and by copying itself to network shares protected by weak passwords.
W32/Tilebot-GC runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Tilebot-GC copies itself to <Windows
folder>\wincrypt32.exe.
The file wincrypt32.exe is registered as a new system driver service
named "wincrypt32.exe", with a display name of "Windows Decrypt
manager" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\wincrypt32.exe\
W32/Tilebot-GC sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name Troj/Servu-DD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Leaves non-infected files on computer
Aliases
* Backdoor.Win32.ServU-based
* Serv-U.dr
Prevalence (1-5) 2
Description
Troj/Servu-DD is a hacked version of a commercially available FTP
server that will listen on a port for incoming commands from a remote
attacker.
Troj/Servu-DD will create a text file called patch.dll in the current
folder.
Name Troj/Dloadr-AJG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Small.cxh
Prevalence (1-5) 2
Description
Troj/Dloadr-AJG is a Trojan for the Windows platform.
Advanced
Troj/Dloadr-AJG is a Trojan for the Windows platform.
Troj/Dloadr-AJG has the functionality to silently download, install
and run new software.
When run, the Trojan may create the following files
c:\ntldr1.exe (Detected as Troj/DwnLdr-BON)
c:\ntldr2.exe (Detected as Troj/Prelo-A)
c:\ntldr3.exe (Detected as Troj/DownLdr-QK)
c:\ntldr4.exe (Detected as Troj/Harnig-AK)
c:\ntldr5.exe (Not available at time of writing)
Name Troj/Ranck-EP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Ranky.fw
Prevalence (1-5) 2
Description
Troj/Ranck-EP is a proxy Trojan that allows a remote intruder to
route HTTP traffic through the computer.
Advanced
Troj/Ranck-EP is a proxy Trojan that allows a remote intruder to
route HTTP traffic through the computer.
The following registry entry is created to run Troj/Ranck-EP on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Services
<pathname of the Trojan executable>
Troj/Ranck-EP runs continuously in the background listening on a port.
Troj/Ranck-EP has been seen pretending to be a version of Google
Toolbar.
Name Troj/Dropper-KY
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Leaves non-infected files on computer
Aliases
* Trojan-Spy.Win32.Banbra.gi
* PWS-Banker.gen.b
Prevalence (1-5) 2
Description
Troj/Dropper-KY is a Trojan dropper for the Windows platform.
Advanced
Troj/Dropper-KY is a Trojan dropper for the Windows platform.
Troj/Dropper-KY creates temporary files in the current or Windows
folder with filenames starting "SXE", often SXE1.TMP, SXE2.TMP and
SXE3.TMP. Two files are related to a clean DLL, the third is detected
as Troj/Banker-CZS.
Name W32/Rbot-ETT
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.Rbot.aym
* WORM_RBOT.NV
Prevalence (1-5) 2
Description
W32/Rbot-ETT is a worm and IRC backdoor for the Windows platform.
W32/Rbot-ETT spreads to computers vulnerable to common exploits,
including: RPC-ETTCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx)
and WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
to MSSQL servers protected by weak passwords to network shares
W32/Rbot-ETT runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Rbot-ETT is a worm and IRC backdoor for the Windows platform.
W32/Rbot-ETT spreads to computers vulnerable to common exploits,
including: RPC-ETTCOM
(http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx)
and WKS
(http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
to MSSQL servers protected by weak passwords to network shares
W32/Rbot-ETT runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-ETT copies itself to <Windows system
folder>\msconfigs.exe.
The following registry entries are created to run msconfigs.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Configoration Service
msconfigs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Configoration Service
msconfigs.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Configoration Service
msconfigs.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Configoration Service
msconfigs.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Configoration Service
msconfigs.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Configoration Service
msconfigs.exe
HKCU\Software\Microsoft\OLE
Microsoft Configoration Service
msconfigs.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Configoration Service
msconfigs.exe
Name Troj/Hyder-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.vp
Prevalence (1-5) 2
Description
Troj/Hyder-A is a Trojan for the Windows platform.
Troj/Hyder-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Hyder-A is a Trojan for the Windows platform.
Troj/Hyder-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Hyder-A is installed, the Trojan creates a hidden local
admin account on the compromised computer. It also creates the
following file:
<Common Files>\System\<name>.exe, where <name> is either lpt or com
and a number. This file is also detected as Troj/Hyder-A.
The file <name>.exe is registered as a new system driver service
named "<random characters>", with a display name of "<random
characters>" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\<random characters>\
After a certain amount of time, Troj/Hyder-A will attempt to download
files from a remote location. At the time of writing, the files were
unavailable for download.
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
<random characters>
0
Name W32/VB-CAI
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Virus.Win32.VB.p
* Infection:
* trojan
Prevalence (1-5) 2
Description
W32/VB-CAI is a Peer-to-peer worm for the Windows platform.
Advanced
W32/VB-CAI is a P2P worm for the Windows platform.
When first run W32/VB-CAI copies itself into <Windows>\config_.com
and various
file sharing folders under different names like for example
\My Music\My Music.exe
\My Shared Folder\My Shared Folder.exe
<Program Files>\KaZaA\KaZaA.exe
<Program> Files>\Kmd\Kmd.exe
<Program Files>\Limewire\Limewire.exe
and creates the file \Autorun.inf. This file can be deleted.
W32/VB-CAI also copies itself to the startup folder, creating an
entry under
<Startup>\startupFolder.com.
The following registry entry is created to run config_.com on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer
<Windows>\config_.com
Name Troj/Danmec-S
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
Aliases
* Win32/Spy.Gepost
* W32.Mytob@mm
Prevalence (1-5) 2
Description
Troj/Danmec-S is a backdoor Trojan for the Windows platform.
The Trojan provides functionality to a remote attacker including the
ability to send emails, terminate security processes and modify the
system HOSTS file.
Name Troj/QQRob-QX
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Steals information
* Records keystrokes
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.QQRob.0708
* Win32/PSW.QQRob.NAC
Prevalence (1-5) 2
Description
Troj/QQRob-RX is a Trojan for the Windows platform.
Troj/QQRob-RX steals passwords and may attempt to disable security
applications.
Troj/QQRob-RX includes functionality to access the internet and
communicate
with a remote server via HTTP.
Advanced
Troj/QQRob-RX is a Trojan for the Windows platform.
Troj/QQRob-RX steals passwords and may attempt to disable security
applications.
Troj/QQRob-RX includes functionality to access the internet and
communicate
with a remote server via HTTP.
When first run Troj/QQRob-RX copies itself to <System>\NTdHcP.exe and
creates
the file <Windows>\Deleteme.bat.
The following registry entry is created to run NTdHcP.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NTdhcp
<System>\NTdhcp.exe
Name Troj/SrchSpy-C
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Small.ez
Prevalence (1-5) 2
Description
Troj/SrchSpy-C is a Trojan for the Windows platform.
Troj/SrchSpy-C monitors Internet Explorer activity, and may retrieve
information about browsing habits as well as inspecting and modifying
search queries.
Advanced
Troj/SrchSpy-C is a Trojan for the Windows platform.
Troj/SrchSpy-C monitors Internet Explorer activity, and may retrieve
information about browsing habits as well as inspecting and modifying
search queries.
When first run, Troj/SrchSpy-C creates the following files:
<System>\IEFilter.dll
<System>\Service.exe
On NT based systems, Service.exe is registered as a service with a
display name of Service, creating registry entries under the following:
HKLM\SYSTEM\CurrentControlSet\Services\Service\
The following registry entry is created to run code exported by the
Trojan IEFilter.dll:
HKCR\CLSID\(3DCE4CF1-0504-402C-9860-ADCADE4B32C1)\InprocServer32
<System>\IEFilter.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad
IEFilter
(3DCE4CF1-0504-402C-9860-ADCADE4B32C1)
Registry entries are also created under:
HKLM\SOFTWARE\Microsoft\Filter\
Name W32/Sdbot-CCR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.yx
* W32/Sdbot.worm.gen.z
Prevalence (1-5) 2
Description
W32/Sdbot-CCR is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-CCR spreads to other network computers by exploiting common
buffer
overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP
(MS05-039) and
ASN.1 (MS04-007) and by copying itself to network shares protected by
weak
passwords.
W32/Sdbot-CCR runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
Advanced
W32/Sdbot-CCR is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Sdbot-CCR spreads to other network computers by exploiting common
buffer
overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP
(MS05-039) and
ASN.1 (MS04-007) and by copying itself to network shares protected by
weak
passwords.
W32/Sdbot-CCR runs continuously in the background, providing a
backdoor server
which allows a remote intruder to gain access and control over the
computer via
IRC channels.
When first run W32/Sdbot-CCR copies itself to <Windows>\Mscfg.exe.
The following registry entries are created to run Mscfg.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Ms System Config
Mscfg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ms System Config
Mscfg.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Ms System Config
Mscfg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Ms System Config
Mscfg.exe
W32/Sdbot-CCR sets the following registry entries, disabling the
automatic
startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the
Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Ms System Config
Mscfg.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Ms System Config
Mscfg.exe
HKCU\Software\Microsoft\OLE
Ms System Config
Mscfg.exe
HKLM\SOFTWARE\Microsoft\Ole
Ms System Config
Mscfg.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|