Text 131, 849 lines
Written 2006-08-05 15:15:00 by KURT WISMER (1:123/140)
Subject: News, August 5 2006
===========================
[cut-n-paste from sophos.com]

Name: Troj/Agent-CIQ
Type: Trojan
Affected operating systems: Windows
Side effects:
* Deletes files off the computer
* Drops more malware
* Installs itself in the Registry
Aliases:
* Trojan.Win32.Agent.rb
* TROJ_AGENT.CDV
Prevalence (1-5): 2
Description
Troj/Agent-CIQ is a Trojan for the Windows platform.
Advanced
Troj/Agent-CIQ is a Trojan for the Windows platform.
Troj/Agent-CIQ may attempt to delete files.
When first run Troj/Agent-CIQ copies itself to <System>\VKTServ.exe
and creates the following files:
<System>\drivers\ksdt1983.sys - detected by Sophos as Troj/RKProc-G
<System>\svchost.bat - this file may be deleted.
The file KSDT1983.sys is registered as a new system driver service
named "KSDT1983", with a display name of "KSDT1983". Registry entries
are created under:
HKLM\SYSTEM\CurrentControlSet\Services\KSDT1983\
The file VKTServ.exe is registered as a new system driver service
named "VKTServ", with a display name of "VKTServ" and a startup type
of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\VKTServ\

Name: Troj/Banker-DAG
Type: Spyware Trojan
Affected operating systems: Windows
Side effects:
* Steals credit card details
* Installs itself in the Registry
Prevalence (1-5): 2
Description
Troj/Banker-DAG is an internet banking Trojan for the Windows platform.
Troj/Banker-DAG includes functionality to send notification messages
to remote locations.
Advanced
Troj/Banker-DAG is an internet banking Trojan for the Windows platform.
Troj/Banker-DAG includes functionality to send notification messages
to remote locations.
When Troj/Banker-DAG is installed the following files are created:
<Windows>\Expert_Corp.exe - detected as Troj/Banker-DAG
<Windows>\Windows.ini - harmless
The following registry entry is created to run Expert_Corp.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<Windows>\Expert_Corp.exe

Name: Troj/Zapchas-BX
Type: Trojan
Affected operating systems: Windows
Side effects:
* Allows others to access the computer
* Drops more malware
* Leaves non-infected files on computer
Aliases:
* Backdoor.IRC.Zapchast
* IRC/Zapchast.J
* IRC/Zapchast.H
Prevalence (1-5): 2
Description
Troj/Zapchas-BX is an mIRC-based backdoor Trojan for the Windows
platform.
Advanced
Troj/Zapchas-BX is an mIRC-based backdoor Trojan for the Windows
platform.
Troj/Zapchas-BX creates the following files in the C:\Windows\system\
folder:
fullname.txt
ident.txt
nicks.txt
aliases.ini
control.ini
mirc.ini
remote.ini
script.ini
servers.ini
users.ini
sup.bat
svchost.exe
download\
logs\
sounds\
mirc.ico
sup.reg
popups.txt
yaddress.ico
You Have Been HaCkeD By Me.jpg
svchost.exe is the mIRC application, infected with W32/Parite-B.
script.ini is also detected as Troj/Zapchas-BX. The remaining files
are harmless.
After these files have been installed, svchost.exe is executed,
causing it to connect to a preconfigured IRC server and join a
channel in which a remote attacker can control the infected computer.

Name: Troj/Adclick-CT
Type: Trojan
Affected operating systems: Windows
Side effects:
* Drops more malware
* Installs itself in the Registry
Aliases:
* not-virus:Hoax.Win32.Renos.dy
* New
Prevalence (1-5): 2
Description
Troj/AdClick-CT is a Trojan for the Windows platform.
Troj/AdClick-CT includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/AdClick-CT is a Trojan for the Windows platform.
Troj/AdClick-CT includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/AdClick-CT is installed it creates the file
<CurrentFolder>\pmmon.exe. This file is also detected as
Troj/AdClick-CT.
The following registry entry is created to run Troj/AdClick-CT on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  pmsngr.exe = <pathname of the Trojan executable>
Registry entries are also created under:
HKCU\Software\Internet Security\
When run, Troj/AdClick-CT may display the following messages:
"Please read this message carefully.
System detected virus activities. Your computer may be infected with spyware
or potentially other unwanted software if you see more pop-up advertisements,
if your settings have changed, or if your Web browser contains additional
components that you don't remember downloading.Click "OK" to help protect your
computer from spyware by downloading antivirus software packages that include
anti-spyware components."

"Errors found:
- Your computer has slowed down.
- Your Internet connection speed has decreased.
- You get popups and annoying ads when you're online or sometimes even offline
- Your default home page has been changed to the one you didn't ask for
These are true signs that you may have spyware or other unwanted software
installed on your computer.
'Click "OK" to download spyware scan and protect your computer from spyware."

"Please read this message carefully.
Your PC is infected by spyware. Spyware and other unwanted software refers to
programs that perform certain tasks on your computer, typically without your
consent. This can include installing pop-up advertising or collecting your
ppersonal information. Anti-spyware tools can only help rid your computer of
spyware.
Click "OK" to get software and special offers on antivirus software."
The Trojan also tries to connect to the internet and displays
websites that claim to sell anti-malware products.

Name: Troj/Countof-B
Type: Spyware Trojan
Affected operating systems: Windows
Side effects: Steals information
Aliases:
* Trojan-Spy.Win32.Agent.kg
* W32/Agent.AUJ
* Spy-Agent.am
Prevalence (1-5): 2
Description
Troj/Countof-B is a Trojan for the Windows platform.
Troj/Countof-B collects details about the infected computer and sends
them to a preconfigured host via HTTP form submission.
Advanced
Troj/Countof-B is a Trojan for the Windows platform.
Troj/Countof-B collects details about the infected computer and sends
them to a preconfigured host via HTTP form submission.
Information collected by the Trojan includes the versions of various
installed applications, the type of network connection and the
specifications of attached hardware.

Name: Troj/Zlob-QC
Type: Trojan
Affected operating systems: Windows
Side effects: Installs itself in the Registry
Aliases: Trojan-Downloader.Win32.Zlob.yt
Prevalence (1-5): 2
Description
Troj/Zlob-QC is a Trojan for the Windows platform.
Advanced
Troj/Zlob-QC is a Trojan for the Windows platform.
When Troj/Zlob-QC is installed the following files are created:
<current folder>\isaddon.dll
<current folder>\isamini.exe
The following registry entry is created to run Troj/Zlob-QC on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  homepage.monitor.exe = <pathname of the Trojan executable>
Troj/Zlob-QC changes search settings for Microsoft Internet Explorer
by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Search\

Name: W32/Medbot-B
Type: Worm
How it spreads: Network shares
Affected operating systems: Windows
Side effects: Installs itself in the Registry
Aliases: BackDoor-CMQ
Prevalence (1-5): 2
Description
W32/Medbot-B is a multi-component worm for the Windows platform.
W32/Medbot-B may attempt to create a service called "Windows Log".
W32/Medbot-B may attempt to spread to unprotected netshares.

Name: Troj/Dloadr-AKY
Type: Trojan
Affected operating systems: Windows
Side effects: Downloads code from the internet
Aliases:
* Trojan-Downloader.Win32.Agent.asf
* Downloader-AAP
Prevalence (1-5): 2
Description
Troj/Dloadr-AKY is a Trojan for the Windows platform.
Troj/Dloadr-AKY includes functionality to access the internet and
communicate with a remote server via HTTP.
Troj/Dloadr-AKY may arrive as an attachment to an email with the
following characteristics:
From address: "Ebay.de" <endofitem@ebay.de>
Subject line: eBay International AG Rechnung vom 01 Juli 2006
Message body:
Sie sind fur das Lastschriftverfahren angemeldet. Der Rechnungsbetrag
wird innerhalb der nachsten funf bis sieben Tage von Ihrem
Bankkonto abgebucht. (Der Abbuchungsbetrag kann von Ihrem
Rechnungsbetrag abweichen, wenn Sie im Zeitraum zwischen der
Rechnungserstellung und dem Abbuchungsdatum Zahlungen geleistet oder
Gutschriften erhalten haben.)
Attachment filename: ebay.de-rechnung.pdf.exe

Name: Troj/Banker-DBA
Type: Spyware Trojan
Affected operating systems: Windows
Side effects:
* Steals credit card details
* Steals information
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases:
* Trojan-Spy.Win32.Banker.axc
* TSPY_BANKER.DMN
* Win32/Spy.Banker.NNU
Prevalence (1-5): 2
Description
Troj/Banker-DBA is a Trojan for the Windows platform.
Troj/Banker-DBA includes functionality to send notification messages
to remote locations.
Advanced
Troj/Banker-DBA is a Trojan for the Windows platform.
Troj/Banker-DBA includes functionality to send notification messages
to remote locations.
When first run Troj/Banker-DBA copies itself to
<Windows>\Expert_Corp.exe and creates the file <Windows>\Windows.ini.
The file windows.ini is a simple text file, not malicious, and can be
deleted.
The following registry entry is created to run Expert_Corp.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<Windows>\Expert_Corp.exe

Name: Troj/Zlob-QF
Type: Trojan
Affected operating systems: Windows
Side effects:
* Installs itself in the Registry
* Modifies browser settings
* Installs a browser helper object
Aliases: Win32/TrojanDownloader.Zlob.SA
Prevalence (1-5): 2
Description
Troj/Zlob-QF is a Trojan for the Windows platform.
Troj/Zlob-QF changes search settings for Microsoft Internet Explorer.
Advanced
Troj/Zlob-QF is a Trojan for the Windows platform.
When Troj/Zlob-QF is installed the following files are created:
<System>\issearch.exe
<System>\ixt0.dll
The following registry entry is created to run issearch.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
  issearch.exe = issearch.exe
The file ixt0.dll is registered as a COM object and Browser Helper
Object (BHO) for Microsoft Internet Explorer, creating registry
entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(7fcf04b6-6354-47ef-b45e-a48268e92757)
HKCR\CLSID\(7fcf04b6-6354-47ef-b45e-a48268e92757)
Troj/Zlob-QF changes search settings for Microsoft Internet Explorer
by modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Search\

Name: W32/Tilebot-GE
Type: Worm
How it spreads:
* Network shares
* Chat programs
* Peer-to-peer
Affected operating systems: Windows
Side effects:
* Allows others to access the computer
* Reduces system security
* Installs itself in the Registry
Aliases: Backdoor.Win32.SdBot.aqj
Prevalence (1-5): 2
Description
W32/Tilebot-GE is an internet worm and IRC backdoor for the Windows
platform.
W32/Tilebot-GE spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares.
W32/Tilebot-GE runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Tilebot-GE is an internet worm and IRC backdoor for the Windows
platform.
W32/Tilebot-GE spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), PNP (MS05-039)
and ASN.1 (MS04-007) and by copying itself to network shares.
W32/Tilebot-GE runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When W32/Tilebot-GE is first run, it copies itself to
<Windows>\win325b.exe.
The file win325b.exe is registered as a new service named
"win32socket", with a display name of "win32 socket" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\win32socket\
The worm creates the clean file \drivers\oreans32.sys. This file
oreans32.sys is registered as a new service named "oreans32", with a
display name of "oreans32".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\
Registry entries are set as follows, affecting system security:
HKLM\SOFTWARE\Microsoft\Ole
  EnableDCOM = N
HKLM\SOFTWARE\Microsoft\Security Center
  AntiVirusOverride = 1
  FirewallOverride = 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  restrictanonymous = 1
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
  Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
  Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
  Start = 4

Name: W32/IRCBot-QU
Type: Worm
Affected operating systems: Windows
Side effects:
* Allows others to access the computer
* Installs itself in the Registry
Aliases: Backdoor.Win32.IRCBot.qu
Prevalence (1-5): 2
Description
W32/IRCBot-QU is a worm for the Windows platform.
When first run W32/IRCBot-QU copies itself to <System>\vmmon32.exe.
Advanced
W32/IRCBot-QU is a worm for the Windows platform.
When first run W32/IRCBot-QU copies itself to <System>\vmmon32.exe.
The following registry entries are created to run vmmon32.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Printer = <System>\vmmon32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Printer = <System>\vmmon32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Printer = <System>\vmmon32.exe
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
  EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  restrictanonymous = 1
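Added example, not part of the Sophos text: a read-only PowerShell audit of the registry state that the W32/Tilebot-GE entry (and the two values it shares with W32/IRCBot-QU) describes, plus the service keys Tilebot-GE registers. Key paths, value names, data and service names come from the entries above; everything else is assumed.

```powershell
# Added example: read-only audit of the registry state described for
# W32/Tilebot-GE and W32/IRCBot-QU. Paths, value names and data are taken
# from the Sophos text; nothing here modifies the system.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                           Name = 'EnableDCOM';        Bad = 'N'; Note = 'DCOM disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';               Name = 'AntiVirusOverride'; Bad = '1'; Note = 'Security Center AV alerts suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';               Name = 'FirewallOverride';  Bad = '1'; Note = 'Security Center firewall alerts suppressed' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';             Name = 'restrictanonymous'; Bad = '1'; Note = 'listed among the worm''s changes' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry'; Name = 'Start';             Bad = '4'; Note = 'Remote Registry service disabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr';        Name = 'Start';             Bad = '4'; Note = 'Telnet service disabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';         Name = 'Start';             Bad = '4'; Note = 'Security Center service disabled' }
)
# Service keys the Tilebot-GE text says are created for win325b.exe and oreans32.sys.
$serviceKeys = 'win32socket', 'oreans32'

$findings = New-Object System.Collections.Generic.List[object]
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }     # key or value absent: not the described state
    $actual = $item.($c.Name)
    # Compare as strings so a REG_DWORD 1 and a REG_SZ 'N' are handled the same way.
    if ("$actual" -eq $c.Bad) {
        $findings.Add([pscustomobject]@{ Key = $c.Path; Value = $c.Name; Data = $actual; Note = $c.Note })
    }
}
foreach ($svc in $serviceKeys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $findings.Add([pscustomobject]@{ Key = $key; Value = '(service key)'; Data = 'present'; Note = "service '$svc' registered" })
    }
}
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No registry state matching the Tilebot-GE description was found.'
}
```

Several of these values (restrictanonymous, a disabled Telnet service, AntiVirusOverride set by a third-party product) are also set legitimately, so treat a single match as a lead to confirm against the file and service artefacts above rather than as a verdict on its own.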

Name: Troj/Tfactory-A
Type: Trojan
Affected operating systems: Windows
Side effects:
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
* Downloads updates
* Installs a browser helper object
Aliases: not-virus:Hoax.Win32.Renos.dm
Prevalence (1-5): 2
Description
Troj/Tfactory-A is a Trojan which claims to remove spyware and adware
from the computer.
Troj/Tfactory-A sets various registry entries and downloads various
dummy files, so that it can then report these dummy installations of
spyware and adware, in an attempt to coerce users into buying spyware
and adware removal software.
Advanced
Troj/Tfactory-A is a Trojan which claims to remove spyware and adware
from the computer.
Troj/Tfactory-A sets various registry entries and downloads various
dummy files, so that it can then report these dummy installations of
spyware and adware, in an attempt to coerce users into buying spyware
and adware removal software.
Troj/Tfactory-A displays popup messages with text such as:
'This notice is brought to you by Windows Security Center.'
'Download spyware remover now and run full system scan to remove
trojans, viruses and spyware from your PC...'
'Your computer running slower than usual! It maybe infected with
dangerous spyware or adware. Full system scan is highly recommended
to remove possible malicious spyware from your computer.'
'Windows Security Center - Alert!'
'Windows Security Center has detected spyware activity on your
computer! Click here to remove spyware...'
'Click here to remove spyware and adware from your computer
immediately...'
'Click to remove spyware and adware from your computer...'
'Click here to remove spyware, adware, trojans and viruses from your
computer...'
'Protect your computer. Download spyware remover to remove spyware
and protect your data and privacy.'
'Windows has detected spyware on your computer! Full system scan is
highly recommended to remove spyware.'
'Danger! Spyware activity detected on your computer...'
Troj/Tfactory-A installs itself as follows:
<System>\office_pnl.dll
<System>\officescan.exe
<System>\smartdrv.exe
<System>\winblsrv.dll
Troj/Tfactory-A downloads and installs the following additional files:
<Windows>\bg_bg.gif
<Windows>\big_red_x.gif
<Windows>\buy_now.gif
<Windows>\click_for_free_scan.gif
<Windows>\close_ico.gif
<Windows>\download.gif
<Windows>\download_product.gif
<Windows>\free_scan_red_btn.gif
<Windows>\icon_warning_big.gif
<Windows>\infected.gif
<Windows>\infected_top_bg.gif
<Windows>\logo.gif
<Windows>\navibar_bg.gif
<Windows>\navibar_corner_left.gif
<Windows>\navibar_corner_right.gif
<Windows>\product_box.gif
<Windows>\red_warning_ico.gif
<Windows>\remove_spyware_header.gif
<Windows>\safe_and_trusted.gif
<Windows>\spyware_detected.gif
<Windows>\win_logo.gif
<Windows>\yellow_warning_ico.gif
<Windows>\alexaie.dll
<Windows>\alxie328.dll
<Windows>\alxtb1.dll
<Windows>\BTGrab.dll
<Windows>\dlmax.dll
<Windows>\Pynix.dll
<Windows>\susp.exe
<Windows>\ZServ.dll
<System>\mshtml32.tdb
<System>\a.exe
<System>\alxres.dll
<System>\bridge.dll
<System>\dailytoolbar.dll
<System>\jao.dll
<System>\questmod.dll
<System>\runsrv32.dll
<System>\runsrv32.exe
<System>\smaexp32.dll
<System>\tcpservice2.exe
<System>\txfdb32.dll
<System>\udpmod.dll
<System>\winlogon.ini
<System>\wstart.dll
The file office_pnl.dll is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B53455DB-5527-4041-AC41-F86E6947AA47}
HKCR\TypeLib\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}
HKCR\office_pnl.office_panel
HKCR\Interface\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}
HKCR\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}
Troj/Tfactory-A sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Adware.Srv32 = <System>\runsrv32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool service
  Adware.Srv32 = <no value>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service
  Adware.Srv32 = <no value>
HKCR\AppID\WStart.DLL
  WStart = wstart.dll
HKCR\AppID\DailyToolbar.DLL
  DailyToolbar = dailytoolbar.dll
HKCR\AppID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}
  (Default) = <no value>
HKCR\AppID\{951B3138-AE8E-4676-A05A-250A5F111631}
  (Default) = <no value>
Troj/Tfactory-A creates the following registry entries:
HKLM\SOFTWARE\Transponder
HKLM\SOFTWARE\Software\TPS108
HKLM\SOFTWARE\RespondMiter
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bridge
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa Toolbar
HKCU\Software\Microsoft\IPCheck
HKLM\SOFTWARE\WSoft
HKLM\SOFTWARE\NIX Solutions\DailyToolbar
HKLM\SOFTWARE\DailyToolbar
HKLM\SOFTWARE\Alexa Toolbar
HKLM\SOFTWARE\Alexa Internet
HKCR\WStart.WHttpHelper.1
HKCR\WStart.WHttpHelper
HKCR\url_relpacer.URLResolver
HKCR\Popup.PopupKiller
HKCR\Popup.HTMLEvent.
HKCR\PopMenu.Menu
HKCR\jao.jao
HKCR\IEToolbar.AffiliateCtl
HKCR\DailyToolbar.SysMgr
HKCR\DailyToolbar.IEBand
HKCR\Bridge.brdg
HKCR\AlxTB.BHO
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)