Text 142, 1713 lines
Written 2006-10-07 18:20:00 by KURT WISMER (1:123/140)
Subject: News, October 7 2006
=============================
[cut-n-paste from sophos.com]
Name W32/Looked-AC
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.ak
* Win32/Viking.AY
* W32.Looked.P
Prevalence (1-5) 2
Description
W32/Looked-AC is a virus for the Windows platform.
W32/Looked-AC infects EXE files found on the infected computer. The
virus may also attempt to spread via network shares.
Advanced
W32/Looked-AC is a virus for the Windows platform.
W32/Looked-AC infects EXE files found on the computer. The virus may
also attempt to spread via network shares.
When first run the virus copies itself to <Windows>\rundl132.exe and
<Windows>\logo1_.exe and creates the file <Windows>\Dll.dll which is
also detected as W32/Looked-AC. This file attempts to download
further executable code.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Many files with the name "_desktop.ini" are created in various
folders on the infected computer. These files are harmless text files.
Name Troj/ZlobDrop-J
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Zlob.anj
Prevalence (1-5) 2
Description
Troj/ZlobDrop-J is a Trojan for the Windows platform.
Name W32/Vanebot-Q
Type
* Spyware Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Reduces system security
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.VanBot.u
* W32/Sdbot.worm!MS06-040
* Win32/IRCBot.UG
* BKDR_VANBOT.U
Prevalence (1-5) 2
Description
W32/Vanebot-Q is a worm and IRC backdoor for the Windows platform.
W32/Vanebot-Q spreads:
- to other network computers by exploiting common buffer overflow
  vulnerabilities, including SRVSVC
  (http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx)
  and ASN.1
  (http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
- to MSSQL servers protected by weak passwords
- to network shares
- via MSN Messenger
- via Yahoo Instant Messenger
W32/Vanebot-Q runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Vanebot-Q is a worm and IRC backdoor for the Windows platform.
W32/Vanebot-Q spreads:
- to other network computers by exploiting common buffer overflow
  vulnerabilities, including SRVSVC
  (http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx)
  and ASN.1
  (http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
- to MSSQL servers protected by weak passwords
- to network shares
- via MSN Messenger
- via Yahoo Instant Messenger
W32/Vanebot-Q runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Vanebot-Q copies itself to
<Windows system folder>\dllcache\sidmeier.exe.
The file sidmeier.exe is registered as a new system driver service
named "Sid Meier's Alpha Centauri Planetary Pack", with a display
name of "Sid Meier's Alpha Centauri Planetary Pack" and a startup
type of automatic, so that it is started automatically during system
startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Sid Meier's Alpha Centauri
Planetary Pack\
W32/Vanebot-Q sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Fili-B
Type
* Worm
How it spreads
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Modifies data on the computer
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Fili-B is a P2P worm for the Windows platform.
Advanced
W32/Fili-B is a P2P worm for the Windows platform.
W32/Fili-B includes functionalities to:
- download, install and run new software via HTTP
- disable AV related applications by modifying the registry
- allow unauthorised access to the infected computer
When run W32/Fili-B copies itself to:
<Program Files>\BearShare\Shared\E-gold Hack.exe
<Program Files>\Grokster\My Grokster\E-gold Hack.exe
<Program Files>\KaZaA\My Shared Folder\E-gold Hack.exe
<Program Files>\Limewire\Shared\E-gold Hack.exe
<Program Files>\Morpheus\My Shared Folder\E-gold Hack.exe
<Program Files>\Shareaza\Downloads\E-gold Hack.exe
<Program Files>\eDonkey2000\Incoming\E-gold Hack.exe
<Program Files>\emule\Incoming\E-gold Hack.exe
<Program Files>\icq\Shared Files\E-gold Hack.exe
<Program Files>\mirc\download\E-gold Hack.exe
<System>\toolsbar.exe
and creates the following files:
\dtask.reg (Can be safely removed)
<System>\drivers\driver\found\sara.descl (Can be safely removed)
The following registry entry is created to run toolsbar.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Service
<System>\toolsbar.exe
The worm modifies the file <System>\drivers\etc\host with the
following information:
127.0.0.1 arbitrage.webmoney.ru
The worm creates a Service with the display name of "Cdfs".
The worm also sets the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0
Name W32/Stratio-AQ
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Email-Worm.Win32.Warezov.bn
* W32/Stration@MM
* WORM_STRAT.CF
Prevalence (1-5) 2
Description
W32/Stratio-AQ is a worm for the Windows platform.
W32/Stratio-AQ includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Stratio-AQ is a worm for the Windows platform.
W32/Stratio-AQ includes functionality to access the internet and
communicate with a remote server via HTTP.
When W32/Stratio-AQ is installed the following files are created:
<System>\hpzcpjlm.exe
<System>\miglntma.dll
<System>\msihhac.dll
The files hpzcpjlm.exe, miglntma.dll and msihhac.dll are detected as
W32/Strati-Gen.
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
AppInit_DLLs
miglntma.dll
Name Troj/AdClick-DI
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/AdClick-DI is a Trojan for the Windows platform.
Name Troj/KillSec-G
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Aliases
* QHosts-66
Prevalence (1-5) 2
Description
Troj/KillSec-G is a Trojan for the Windows platform.
The Trojan has the functionality to:
- modify the hosts file located in <Windows system folder>\drivers\etc\hosts
- steal information
- disable anti-virus related applications
- communicate with a remote server
- silently download, install and run new software
Advanced
Troj/KillSec-G is a Trojan for the Windows platform.
The Trojan has the functionality to:
- modify the hosts file located in <Windows system folder>\drivers\etc\hosts
- steal information
- disable anti-virus related applications
- communicate with a remote server
- silently download, install and run new software
The Trojan creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Session Manager Subsystem
<Windows folder>\smss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows Logon Process
<Windows folder>\winlogon.exe
Name Troj/DwnLdr-FSP
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Win32/TrojanDownloader.Agent.ANM
Prevalence (1-5) 2
Description
Troj/DwnLdr-FSP is a DLL helper Trojan component for the Windows
platform.
Advanced
Troj/DwnLdr-FSP is a DLL helper Trojan component for the Windows
platform.
Once installed, Troj/DwnLdr-FSP sets the following registry entry to
run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
<path to Trojan>
Registry entries are also set under:
HKLM\SOFTWARE\Microsoft\Internet Explorer
MkData
Name Troj/Banloa-AYR
Type
* Trojan
Affected operating systems
* Windows
Prevalence (1-5) 2
Description
Troj/Banloa-AYR is a downloader Trojan for the Windows platform.
Troj/Banloa-AYR includes functionality to access the internet and
communicate with a remote server via HTTP.
When run the Trojan will attempt to download and install a component
to <Windows>\msapptk32.dll.
Name W32/Vanebot-S
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Sdbot.worm!MS06-040
* Win32/IRCBot.UH
* TSPY_GOLDUN.GH
Prevalence (1-5) 2
Description
W32/Vanebot-S is a worm for the Windows platform. W32/Vanebot-S also
contains IRC backdoor Trojan functionality which allows a remote
intruder to gain access and control over the computer.
W32/Vanebot-S spreads:
- to computers vulnerable to common exploits, including SRVSVC
  (http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx)
- to MSSQL servers protected by weak passwords
- to network shares
- via MSN Messenger
- via Yahoo Instant Messenger
Advanced
W32/Vanebot-S is a worm for the Windows platform. W32/Vanebot-S also
contains IRC backdoor Trojan functionality which allows a remote
intruder to gain access and control over the computer.
W32/Vanebot-S spreads:
- to computers vulnerable to common exploits, including SRVSVC
  (http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx)
- to MSSQL servers protected by weak passwords
- to network shares
- via MSN Messenger
- via Yahoo Instant Messenger
W32/Vanebot-S may spread with the filename redworld.exe,
redworld2.exe or <random numbers>_redworld2.exe.
When first run W32/Vanebot-S copies itself to
<Windows system folder>\dllcache\msiupdate32.exe.
The file msiupdate32.exe is registered as a new system driver service
named "Microsoft update Service", with a display name of "Microsoft
update Service" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft update Service\
W32/Vanebot-S sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Vanebot-S attempts to terminate a number of processes related to
security and anti-virus applications.
Name W32/Sdbot-CRY
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* IRC/SdBot
* W32.Spybot.Worm
Prevalence (1-5) 2
Description
W32/Sdbot-CRY is a worm and backdoor Trojan for the Windows platform.
Advanced
W32/Sdbot-CRY is a worm and backdoor Trojan for the Windows platform.
When first run W32/Sdbot-CRY copies itself to <Windows>\lsrvc.exe.
The following registry entry is created to run lsrvc.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wmplayer
<Windows>\lsrvc.exe
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
MeltMe
<pathname of the Trojan executable>
Name W32/Rbot-AGH
Type
* Spyware Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Uses its own emailing engine
* Downloads code from the internet
* Records keystrokes
Prevalence (1-5) 2
Description
W32/Rbot-AGH is a network worm with backdoor functionality for the
Windows platform.
W32/Rbot-AGH spreads to other network computers by exploiting the
LSASS and RPC-DCOM buffer overflow vulnerabilities and by copying
itself to network shares protected by weak passwords.
W32/Rbot-AGH allows a remote user to control the infected computer
through IRC channels.
Advanced
W32/Rbot-AGH is a network worm with backdoor functionality for the
Windows platform.
W32/Rbot-AGH spreads to other network computers by exploiting the
LSASS and RPC-DCOM buffer overflow vulnerabilities and by copying
itself to network shares protected by weak passwords.
The following patches for the operating system vulnerabilities
exploited by W32/Rbot-AGH can be obtained from the Microsoft website:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Rbot-AGH runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Rbot-AGH copies itself to
<Windows system folder>\LimeWire.exe.
The following registry entries are created to run LimeWire.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Limewire
LimeWire.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Limewire
LimeWire.exe
Name W32/Stratio-AR
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* Installs itself in the Registry
Aliases
* Win32/Stration.EV
* WORM_STRATION.XT
Prevalence (1-5) 2
Description
W32/Stratio-AR is a mass-mailing worm and backdoor Trojan for the
Windows platform.
W32/Stratio-AR spreads by sending emails with itself as an attachment
to email addresses harvested from the Windows Address Book (WAB).
Advanced
W32/Stratio-AR is a mass-mailing worm and backdoor Trojan for the
Windows platform.
W32/Stratio-AR spreads by sending emails with itself as an attachment
to email addresses harvested from the Windows Address Book (WAB).
The following registry entry is created to run W32/Stratio-AR on
startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
qediwdig.dll dmdsmp4s.dll
W32/Stratio-AR also includes functionality to download, install and
run new software.
These files are detected as W32/Strati-Gen.
Name W32/Burmec-A
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Modifies data on the computer
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Burmec-A is a worm for the Windows platform.
Advanced
W32/Burmec-A is a worm for the Windows platform.
When first run W32/Burmec-A copies itself to:
\Recycled\kernel.vdx
<Windows>\MiniGame.com
<Windows>\msgsrv16.com
<System>\cirsx.oxc
<System>\rpcsx.vdx
<System>\sndvol32.oxc
and creates the file C:\Burmecia. The file Burmecia contains the
following text:
A PIECE OF OUR LIFE WAS HERE FIND THE OTHER......(N)
*Author Unknown*
This file can be removed safely.
The worm may copy itself to all fixed, removable and mapped drives
with the following filenames:
command.com
cmd.exe
sfc.exe
scanregw.exe
regwiz.exe
Msconfig.exe
explorer.exe
Taskmgr.exe
REGEDIT.exe
SNDVOL32.COM
Wscript.exe
The worm has the functionality to disable AV related applications.
The worm creates the file \Recycled\desktop.ini and this file
contains the following text:
[.ShellClassInfo]
CLSID=(645FF040-5081-101B-9F08-00AA002F954E)
This file can be safely removed.
The worm displays a picture with a profile of a female head with the
following scrolling text at the top of the screen:
a piece of our life was here find the other
The worm has the functionality to replace files with itself or
corrupt files.
The following registry entry is changed to run msgsrv16.com on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe MSGSRV16.COM
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
The following registry entries are set or modified, so that
kernel.vdx, msgsrv16.com, cirsx.oxc and rpcsx.vdx are run when files
with extensions of BAT, COM, EXE, PIF and SCR are opened/launched:
HKCR\file\Shell\open\command
(default)
<Windows>\MSGSRV16.COM
HKCR\lnffile\shell\open\command
(default)
<System>\RPCSX.VDX
HKCR\nffile\shell\open\command
(default)
<Windows>\MSGSRV16.COM
HKCR\batfile\shell\open\command
(default)
<System>\CIRSX.OXC" "%1" %*
HKCR\comfile\shell\open\command
(default)
<System>\CIRSX.OXC" "%1" %*
HKCR\exefile\shell\open\command
(default)
C:\RECYCLED\KERNEL.VDX" "%1" %*
HKCR\piffile\shell\open\command
(default)
<System>\CIRSX.OXC" "%1" %*
HKCR\scrfile\shell\open\command
(default)
C:\RECYCLED\KERNEL.VDX" "%1" %*
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr) and the command prompt:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
DisableCMD
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network
DisablePwdCaching
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
NoRealMode
1
HKCR\*\Shell\openas\command
(default)
<Windows>\MSGSRV16.COM
HKCR\*\shellex\OpenWith\command
(default)
<System>\SNDVOL32.OXC
HKCR\scrfile\DefaultIcon
(default)
C:\RECYCLED\KERNEL.VDX,0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Type
radio
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Type
checkbox
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath
Type
checkbox
HKCR\Word.Document.8\DefaultIcon
(default)
C:\RECYCLED\KERNEL.VDX,0
HKCR\comfile
(default)
File Folder
HKCR\comfile\DefaultIcon
(default)
<System>\shell32.dll,3
HKCR\exefile\shell\runas\command
(default)
<Windows>\MSGSRV16.COM
HKCR\rtffile\DefaultIcon
(default)
C:\RECYCLED\KERNEL.VDX,0
HKCR\scrfile
(default)
Microsoft Word Document
Registry entries are created under:
HKCR\.OXC\
HKCR\.VDX\
HKCR\.com \
HKCR\.exe \
HKCR\.zx\
HKCR\fffile\
HKCR\mxfile\
Name W32/Rbot-FPA
Type
* Spyware Worm
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Enables remote access
* Scans network for vulnerabilities
Aliases
* Backdoor.Win32.VanBot.w
* WORM_SPYBOT.LY
Prevalence (1-5) 2
Description
W32/Rbot-FPA is a worm and IRC backdoor for the Windows platform.
Advanced
W32/Rbot-FPA is a worm and IRC backdoor for the Windows platform.
W32/Rbot-FPA runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Rbot-FPA includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Rbot-FPA will attempt to spread by exploiting the following
Microsoft Windows vulnerabilities:
- LSASS (MS04-011)
- SRVSVC (MS06-040)
- RPC-DCOM (MS04-012)
- PNP (MS05-039)
- ASN.1 (MS04-007)
When first run W32/Rbot-FPA copies itself to <System>\winlogon.exe.
The file <System>\winlogon.exe is registered as a new system driver
service named "WINLOGON", with a display name of "Windows NT Logon
Application" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\WINLOGON\
W32/Rbot-FPA sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Registry entries are set as follows:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
Name W32/Virut-I
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Virut-I is a virus and backdoor Trojan for the Windows platform.
W32/Virut-I runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Virut-I will also attempt to infect any executable that is
accessed by any process running on the system. Any files infected
will be detected as W32/Virut-A.
Advanced
W32/Virut-I is a virus and backdoor Trojan for the Windows platform.
W32/Virut-I runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
W32/Virut-I will also attempt to infect any executable that is
accessed by any process running on the system. Any files infected
will be detected as W32/Virut-A.
When first run W32/Virut-I copies itself to
<Windows system folder>\winfix.exe.
The following registry entries are created to run winfix.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Fixer
winfix.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Fixer
winfix.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Fixer
winfix.exe
Name W32/Tilebot-HF
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Enables remote access
* Scans network for vulnerabilities
* Scans network for weak passwords
Prevalence (1-5) 2
Description
W32/Tilebot-HF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-HF spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049)
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may
also spread via network shares and MSSQL servers protected by weak
passwords.
W32/Tilebot-HF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HF includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Tilebot-HF is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-HF spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049)
(CAN-2003-0812), PNP (MS05-039) and ASN.1 (MS04-007). The worm may
also spread via network shares and MSSQL servers protected by weak
passwords.
W32/Tilebot-HF runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HF includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-HF copies itself to
<Windows>\realplayers.exe and creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W.
The file rdriv.sys is registered as a new system driver service named
"rdriv", with a display name of "rdriv". Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\rdriv\
The file realplayers.exe is registered as a new system driver service
named "trojans", with a display name of "this change me" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\trojans\
W32/Tilebot-HF sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
Additional registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Installed Time Me
<Date and Time>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Record Me
272962
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Looked-AD
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-AD is a virus for the Windows platform.
Advanced
W32/Looked-AD is a virus for the Windows platform.
When first run the virus copies itself to <Windows>\rundl132.exe and
creates a file <Windows>\Dll.dll, detected as W32/Looked-Gen. This
file attempts to download further executable code.
The virus sets the following registry entry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
The virus infects EXE files found on the infected computer.
Many files with the name "_desktop.ini" are created in various
folders on the infected computer. These files are harmless text files.
Name W32/Licat-D
Type
* Worm
How it spreads
* Chat programs
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
Prevalence (1-5) 2
Description
W32/Licat-D is an MSN IM worm for the Windows platform.
W32/Licat-D includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Licat-D will attempt to send itself using an MSN IM client as
well as download and execute components from the web.
Advanced
W32/Licat-D is an MSN IM worm for the Windows platform.
W32/Licat-D includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Licat-D will attempt to send itself using an MSN IM client as
well as download and execute components from the web.
When run the worm will query the registry entry in:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSNMSGR.EXE\Path
to locate the path to msn. W32/Licat-D will then overwrite the MSN
client with itself.
Name Troj/DwnLdr-FSU
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Win32/TrojanDownloader.Small.NPA
* TROJ_AGENT.DLX
Prevalence (1-5) 2
Description
Troj/DwnLdr-FSU is a downloader Trojan for the Windows platform.
Name Troj/Clagger-AE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Clagger-AE is a Trojan for the Windows platform.
Troj/Clagger-AE attempts to download and execute files from a remote
website.
Advanced
Troj/Clagger-AE is a Trojan for the Windows platform.
Troj/Clagger-AE attempts to download and execute files from a remote
website.
When first run Troj/Clagger-AE copies itself to <System>\upnp.exe.
The following registry entry is created to run upnp.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
np
<System>\upnp.exe
Registry entries are created under:
HKCU\Software\unker\<original Trojan filename>\main\
HKCU\Software\unker\upnp\main\
Name W32/Rungbu-A
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.VB.du
* W32.Rungbu
* PE_RUNGBU.A
Prevalence (1-5) 2
Description
W32/Rungbu-A infects Microsoft Word DOC files by copying itself to
the same filename but with an SCR extension, appending the DOC file
to the SCR copy, and then hiding the original DOC file.
W32/Rungbu-A then sets the computer not to show hidden files (in
order to hide the DOC file), to give SCR files a Word icon (so the
SCR file looks like a Word file), and to hide file extensions (so the
SCR file just displays the filename, not the SCR extension). When the
SCR file is run, the Word document is displayed as normal.
Advanced
W32/Rungbu-A is a companion virus for the Windows platform.
W32/Rungbu-A infects Microsoft Word DOC files by copying itself to
the same filename but with an SCR extension, appending the DOC file
to the SCR copy, and then hiding the original DOC file.
W32/Rungbu-A then sets the computer not to show hidden files (in
order to hide the DOC file), to give SCR files a Word icon (so the
SCR file looks like a Word file), and to hide file extensions (so the
SCR file just displays the filename, not the SCR extension). When the
SCR file is run, the Word document is displayed as normal.
When W32/Rungbu-A is installed the following files are created:
<Current folder>\<Original filename>.doc
<Current folder>\<Original filename>`.!!!
<Temp>\Flu Burung.txt
<Program Files>\Microsoft Office\Office\docicon.exe
C:\Recycled\ctfmon.exe
C:\Recycled\smss.exe
C:\Recycled\spoolsv.exe
C:\Recycled\svchost.exe
The EXE files are all detected as W32/Rungbu-A. All the other files
are clean.
The following registry entries are changed to run W32/Rungbu-A on
startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "C:\recycled\SVCHOST.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows folder>\Explorer.exe to be run on
startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\recycled\SVCHOST.exe,
(the default value for this registry entry is "<Windows
folder>\System32\userinit.exe,").
The following registry entries are set in order to hide file
extensions:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
UncheckedValue
1
The following registry entries are set in order to not show hidden
files:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue
0
The following registry entries are set in order to change the default
icon for Microsoft Word documents:
HKCR\Word.Document.8\DefaultIcon
(default)
<Program Files>\Microsoft Office\Office\docicon.exe
(the default value for this registry entry is "<Program
Files>\Microsoft Office\Office\Winword.exe,1")
Registry entries are modified under HKCR\scrfile, including the
following:
HKCR\scrfile
(default)
Microsoft Word Document
Name W32/Looked-AF
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Looked-AF is a virus for the Windows platform.
W32/Looked-AF includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-AF is a virus for the Windows platform.
W32/Looked-AF includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-AF copies itself to <Windows>\rundl132.exe
and creates the following files:
<Windows>\Dll.dll - also detected as W32/Looked-AF
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name Troj/WOW-HL
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.WOW.ke
* PWS-WoW
Prevalence (1-5) 2
Description
Troj/WOW-HL is a password stealing Trojan for the Windows platform.
Advanced
Troj/WOW-HL is a password stealing Trojan for the Windows platform.
When first run Troj/WOW-HL copies itself to:
<Common Files>\iexplore.pif
<Program Files>\Internet Explorer\iexplore.com
<Windows>\1.com
<Windows>\Debug\DebugProgram.exe
<Windows>\ExERoute.exe
<Windows>\explorer.com
<Windows>\finder.com
<Windows>\smss.exe
<System>\command.pif
<System>\dxdiag.com
<System>\finder.com
<System>\msconfig.com
<System>\regedit.com
<System>\rundll32.com
The following registry entry is created to run Troj/WOW-HL on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TProgram
<Windows>\SMSS.EXE
The file iexplore.com is registered as a COM object, creating
registry entries under:
HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
Troj/WOW-HL changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe 1
HKCR\.bfc\ShellNew
Command
<System>\rundll32.com syncui.dll,Briefcase_Create %1!d! %2
HKCR\Drive\shell\find\command
(default)
<Windows>\explorer.com
HKCR\Unknown\shell\openas\command
(default)
<System>\finder.com <System>\shell32.dll,OpenAs_RunDLL %1
HKCR\cplfile\shell\cplopen\command
(default)
rundll32.com shell32.dll,Control_RunDLL %1,%*
HKCR\htmlfile\shell\opennew\command
(default)
<Common Files>\iexplore.pif" %1
HKCR\htmlfile\shell\print\command
(default)
rundll32.com <System>\mshtml.dll,PrintHTML "%1"
HKCR\inffile\shell\Install\command
(default)
<System>\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1
HKCR\scrfile\shell\install\command
(default)
finder.com desk.cpl,InstallScreenSaver %l
HKCR\scriptletfile\Shell\Generate Typelib\command
(default)
<System>\finder.com" <System>\scrobj.dll,GenerateTypeLib "%1
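The W32/Rungbu-A and Troj/WOW-HL entries above both describe persistence and disguise through registry edits: Rungbu-A rewrites the Winlogon Shell/Userinit values, neuters the Folder Options checkboxes for hidden files and extensions, and redirects the Word document icon; WOW-HL points a series of HKCR shell verb commands at its own .com/.pif copies of Windows tools. The following read-only audit script is an added example (not Sophos' text or tooling) that checks a host for exactly the values and files those two entries list. It assumes the default values quoted in the entries (Userinit, Shell, Winword.exe,1) and treats the HKLM "UncheckedValue" changes as the stronger hidden-file indicator, since HideFileExt=1 under HKCU is also Windows' own default. Run it in an elevated PowerShell on the machine being examined; it modifies nothing.

```powershell
# Added audit example; the indicator values come from the Rungbu-A and WOW-HL
# entries, the "expected" defaults from the text where it gives them.
Set-StrictMode -Version Latest

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        $key = Get-Item -Path $Path -ErrorAction Stop
        $v = $key.GetValue($Name)           # Name '' reads the (default) value
        if ($null -eq $v) { return $null }
        return [string]$v
    } catch { return $null }                # key missing or unreadable
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Where, [string]$Observed, [string]$Note) {
    $findings.Add([pscustomobject]@{ Where = $Where; Observed = $Observed; Note = $Note })
}

$HKCR = 'Registry::HKEY_CLASSES_ROOT'

# 1. Startup hijacks: Rungbu-A points Winlogon Shell/Userinit at
#    C:\recycled\SVCHOST.exe; WOW-HL sets Shell to "Explorer.exe 1".
$userinit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit'
$expected = "$env:windir\System32\userinit.exe,"   # default quoted in the Rungbu-A entry
if ($userinit -and $userinit -ne $expected) { Add-Finding 'HKLM Winlogon\Userinit' $userinit "expected $expected" }
foreach ($hive in 'HKLM:', 'HKCU:') {
    $shell = Get-RegValue "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 'Shell'
    if ($shell -and $shell -ne 'explorer.exe') { Add-Finding "$hive Winlogon\Shell" $shell 'expected explorer.exe' }
}

# 2. Explorer settings Rungbu-A flips so the .scr copy passes for the .doc.
$adv    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$folder = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
$explorerChecks = @(
    @{ P = $adv;                  N = 'HideFileExt';     Bad = '1'; Note = 'extensions hidden (also the Windows default; weak signal)' },
    @{ P = $adv;                  N = 'ShowSuperHidden'; Bad = '0'; Note = 'protected/hidden files not shown' },
    @{ P = "$folder\HideFileExt"; N = 'UncheckedValue';  Bad = '1'; Note = 'Folder Options checkbox neutered' },
    @{ P = "$folder\SuperHidden"; N = 'UncheckedValue';  Bad = '0'; Note = 'Folder Options checkbox neutered' }
)
foreach ($c in $explorerChecks) {
    $v = Get-RegValue $c.P $c.N
    if ($v -eq $c.Bad) { Add-Finding "$($c.P)\$($c.N)" $v $c.Note }
}

# 3. Word icon redirected to the dropped docicon.exe, and scrfile renamed
#    to read as a Word document (Rungbu-A).
$icon = Get-RegValue "$HKCR\Word.Document.8\DefaultIcon" ''
if ($icon -and $icon -notmatch 'winword\.exe') { Add-Finding 'HKCR Word.Document.8\DefaultIcon' $icon 'differs from the Winword.exe,1 default in the entry' }
$scr = Get-RegValue "$HKCR\scrfile" ''
if ($scr -and $scr -match 'Word') { Add-Finding 'HKCR\scrfile (default)' $scr 'screen-saver type renamed to look like Word' }

# 4. Shell verb hijacks (WOW-HL): commands that should invoke a Windows
#    binary but now run the trojan's .com/.pif impostors.
$verbKeys = @(
    'Drive\shell\find\command', 'Unknown\shell\openas\command',
    'cplfile\shell\cplopen\command', 'htmlfile\shell\opennew\command',
    'htmlfile\shell\print\command', 'inffile\shell\Install\command',
    'scrfile\shell\install\command', 'scriptletfile\Shell\Generate Typelib\command',
    '.bfc\ShellNew'
)
foreach ($k in $verbKeys) {
    $name = if ($k -eq '.bfc\ShellNew') { 'Command' } else { '' }
    $cmd = Get-RegValue "$HKCR\$k" $name
    if ($cmd -and $cmd -match '(finder|rundll32|explorer|dxdiag|msconfig|regedit)\.com|iexplore\.pif|command\.pif') {
        Add-Finding "HKCR\$k" $cmd 'points at a .com/.pif impostor of a Windows tool'
    }
}

# 5. Dropped files named in the two entries (<Temp> taken as the user's TEMP).
$paths = @(
    'C:\Recycled\ctfmon.exe', 'C:\Recycled\smss.exe', 'C:\Recycled\spoolsv.exe', 'C:\Recycled\svchost.exe',
    "$env:ProgramFiles\Microsoft Office\Office\docicon.exe", "$env:TEMP\Flu Burung.txt",
    "$env:windir\smss.exe", "$env:windir\explorer.com", "$env:windir\finder.com", "$env:windir\1.com",
    "$env:windir\ExERoute.exe", "$env:windir\Debug\DebugProgram.exe",
    "$env:windir\System32\rundll32.com", "$env:windir\System32\finder.com", "$env:windir\System32\command.pif",
    "$env:windir\System32\dxdiag.com", "$env:windir\System32\msconfig.com", "$env:windir\System32\regedit.com",
    "$env:ProgramFiles\Internet Explorer\iexplore.com", "$env:CommonProgramFiles\iexplore.pif"
)
foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { Add-Finding 'file' $p 'dropped file named in the entry' } }

if ($findings.Count -eq 0) { 'No indicators from these entries found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Each finding carries the observed value so an analyst can compare it with the defaults quoted above rather than trusting a yes/no verdict; the HKLM UncheckedValue and Winlogon checks are the ones worth acting on first, since the HKCU HideFileExt flag alone matches a freshly installed Windows.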
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)