Text 144, 1626 lines
Written 2006-10-03 02:10:00 by KURT WISMER (1:123/140)
Subject: News, October 3 2006
============================
[cut-n-paste from sophos.com]
Name W32/Stratio-AN
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
Prevalence (1-5) 3
Description
W32/Stratio-AN is a mass-mailing worm for the Windows platform.
Subject line:
Mail server report.
Message text:
Mail server report.
Our firewall determined the e-mails containing worm copies are being
sent from your computer.
Nowadays it happens from many computers, because this is a new virus
type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer
unnoticeably.
After the penetrating into the computer the virus harvests all the
e-mail addresses and sends the copies of itself to these e-mail
addresses
Please install updates for worm elimination and your computer
restoring.
Best regards,
Customers support service
Attached file:
Update-KB7859-x86.exe inside Update-KB7859-x86.zip
or
Subject lines include:
hello
Status
Server Report
picture
test
no message text
Attached files include:
doc.elm.pif inside doc.zip
message.msg.exe inside message.zip
readme.log.bat inside readme.zip
body.elm.pif inside body.zip
message.txt.pif inside message.zip
message.log.pif inside message.zip
Advanced
W32/Stratio-AN is a mass-mailing worm for the Windows platform.
Subject line:
Mail server report.
Message text:
Mail server report.
Our firewall determined the e-mails containing worm copies are being
sent from your computer.
Nowadays it happens from many computers, because this is a new virus
type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer
unnoticeably.
After the penetrating into the computer the virus harvests all the
e-mail addresses and sends the copies of itself to these e-mail
addresses
Please install updates for worm elimination and your computer
restoring.
Best regards,
Customers support service
Attached file:
Update-KB7859-x86.exe inside Update-KB7859-x86.zip
or
Subject lines include:
hello
Status
Server Report
picture
test
no message text
Attached files include:
doc.elm.pif inside doc.zip
message.msg.exe inside message.zip
readme.log.bat inside readme.zip
body.elm.pif inside body.zip
message.txt.pif inside message.zip
message.log.pif inside message.zip
When run, W32/Stratio-AN copies itself to <Windows>\t2serv.exe.
W32/Stratio-AN sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
t2serv
<Windows>\t2serv.exe
W32/Stratio-AN disables the Service named "wuaserv".
Name W32/Sdbot-CRR
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Sdbot-CRR is a worm for the Windows platform.
W32/Sdbot-CRR contains functionality to allow remote access via a
backdoor.
Advanced
W32/Sdbot-CRR is a worm for the Windows platform.
W32/Sdbot-CRR contains functionality to allow remote access via a
backdoor.
When installed, W32/Sdbot-CRR will copy itself to the following
filename:
<Windows>\windows.exe
and create the following file:
<System>\rdriv.sys - detected as Troj/Rootkit-W
W32/Sdbot-CRR may also create a new service with the name "Java
development Services" and ImagePath of "<Windows>\windows.exe" to allow
it to automatically start up.
Name Troj/Haxdoor-DE
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Haxdoor-DE is a Trojan for the Windows platform.
Advanced
Troj/Haxdoor-DE is a Trojan for the Windows platform.
When Troj/Haxdoor-DE is installed the following files are created:
<System>\lgn1216a.dll
<System>\mm77lgn.sys
The file lgn1216a.dll is detected as Troj/Haxdor-Fam and the file
mm77lgn.sys is detected as Troj/Haxdor-Gen.
The following registry entries are created to run code exported by
lgn1216a.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgn1216a
DllName
lgn1216a.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgn1216a
Startup
lgn1216a
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgn1216a
Impersonate
1
The file mm77lgn.sys is registered as a new system driver service
named "mm77lgn", with a display name of "MM77lgn control service".
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\mm77lgn\
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\Explorer.EXE
<Windows>\Explorer.EXE:*:Enabled:explorer
Name W32/Looked-Z
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Steals information
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-Z is a virus for the Windows platform.
Advanced
W32/Looked-Z is a virus for the Windows platform.
When first run the virus copies itself to <Windows>\rundl132.exe and
creates a file <Windows>\Dll.dll, also detected as W32/Looked-Z. This
file attempts to download further executable code.
The virus infects EXE files found on the infected computer.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
Name W32/Looked-AA
Type
* Worm
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Downloader.Win32.Agent.awz
* W32/HLLP.Philis.ax
* Win32/Viking.AP
Prevalence (1-5) 2
Description
W32/Looked-AA is a virus for the Windows platform.
W32/Looked-AA includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Looked-AA also may spread through available network shares.
Advanced
W32/Looked-AA is a virus for the Windows platform.
W32/Looked-AA includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Looked-AA also may spread through available network shares.
When W32/Looked-AA is installed the following files are created:
<Windows>\Dll.dll
<Windows>\Logo1_.exe
<Windows>\rundl132.exe
where Dll.dll is also detected as W32/Looked-AA.
W32/Looked-AA creates a number of files with the name "_desktop.ini"
in various folders on the infected computer. These files are harmless
text files.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
Name W32/Dasher-F
Type
* Worm
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Net-Worm.Win32.Dasher.d
* W32/Dasher.worm
* the Exploit-SqlExp
* WORM_DASHER.H
Prevalence (1-5) 2
Description
W32/Dasher-F is a worm for the Windows platform.
Advanced
W32/Dasher-F is a worm for the Windows platform.
When first run W32/Dasher-F copies itself to
<System>\wins\svchost.exe and creates the file
<System>\wins\SqlExp.exe.
Name Troj/WowPWS-AA
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.WOW.jg
* PWS-Hook.dll
* Infostealer.Wowcraft
Prevalence (1-5) 2
Description
Troj/WowPWS-AA is a password-stealing Trojan for the Windows platform.
Troj/WowPWS-AA targets the online game World of Warcraft, and
attempts to steal account details.
Troj/WowPWS-AA includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/WowPWS-AA is a password-stealing Trojan for the Windows platform.
Troj/WowPWS-AA targets the online game World of Warcraft, and
attempts to steal account details.
Troj/WowPWS-AA includes functionality to access the internet and
communicate with a remote server via HTTP.
When run Troj/WowPWS-AA copies itself into
<Windows system folder>\Launcher.exe and creates the file
<Windows system folder>\mywow.dll.
The following registry entry is created to run
<Windows system folder>\Launcher.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
wow
<Windows system folder>\Launcher.exe
Name W32/Tilebot-HB
Type
* Spyware Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Records keystrokes
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for vulnerabilities
* Scans network for weak passwords
Aliases
* Backdoor.Win32.SdBot.aad
Prevalence (1-5) 2
Description
W32/Tilebot-HB is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-HB spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
WKS (MS03-049) (CAN-2003-0812), and ASN.1 (MS04-007). The worm may
also spread via network shares protected by weak passwords.
W32/Tilebot-HB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HB includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messenger by sending messages automatically
- set or remove network shares
- scan ports
- sniff packets
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- start a remote shell (RLOGIN)
- take part in Distributed Denial of Service (DDoS) attacks
- steal information from Protected Storage
Advanced
W32/Tilebot-HB is a worm with backdoor functionality for the Windows
platform.
W32/Tilebot-HB spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: SRVSVC (MS06-040),
WKS (MS03-049) (CAN-2003-0812), and ASN.1 (MS04-007). The worm may
also spread via network shares protected by weak passwords.
W32/Tilebot-HB runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HB includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messenger by sending messages automatically
- set or remove network shares
- scan ports
- sniff packets
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- start a remote shell (RLOGIN)
- take part in Distributed Denial of Service (DDoS) attacks
- steal information from Protected Storage
When first run W32/Tilebot-HB copies itself to <System>\arci.exe.
The file arci.exe is registered as a new system driver service named
"ARCPLUG", with a display name of "ARC Plugin" and a startup type of
automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\ARCPLUG\
W32/Tilebot-HB sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Additional registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name Troj/Zhengtu-A
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.Agent.ib
* TSPY_AGENT.EUA
Prevalence (1-5) 2
Description
Troj/Zhengtu-A is an information stealing Trojan for the Windows
platform.
Advanced
Troj/Zhengtu-A is an information stealing Trojan for the Windows
platform.
When run Troj/Zhengtu-A copies itself to <System>\explore.exe and
<System>\myztr.dll. The file <System>\myztr.dll is also detected as
Troj/Zhengtu-A.
Troj/Zhengtu-A silently monitors for user access to the Chinese
online game "Zhengtu" and begins storing information. The stolen
information is subsequently sent to a remote address using HTTP POST.
Troj/Zhengtu-A then creates the following registry entry to run
itself on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
rx
<System>\explore.exe
Name Troj/Dloadr-ANV
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads updates
Aliases
* Trojan-Clicker.Win32.Small.kj
Prevalence (1-5) 2
Description
Troj/Dloadr-ANV is a downloader Trojan for the Windows platform.
When installed the Trojan copies itself to
<Windows>\svchost.exe
Troj/Dloadr-ANV includes functionality to access the internet and
attempt to download a file from a remote address. The downloaded file
was unavailable at the time of writing.
Name Troj/Wombat-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Deletes files off the computer
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Wombat-A is a Trojan for the Windows platform.
Advanced
Troj/Wombat-A is a Trojan for the Windows platform.
When Troj/Wombat-A is installed the following files are created:
<Temp>\bt<random numbers>.bat
<current folder>\DELTREE.EXE
<current folder>\POPUP.EXE
<current folder>\TERMINATE.exe
<current folder>\wupdmgr.exe
The file DELTREE.EXE is a clean executable. All the other files are
detected as Troj/Wombat-A.
<Windows>\mui\222.exe
<Windows>\mui\TERMINATE.exe
<Windows>\mui\internet.bat
<System>\temp.bat
<System>\deltree.exe
<Windows>\temp.bat
The file bt<random numbers>.bat drops the following files:
<current folder>\internet.bat
<current folder>\TEMP.BAT
<current folder>\tweaks.reg
C:\WINDOWS\mui\internet.bat
C:\WINDOWS\system32\TEMP.BAT
C:\WINDOWS\system\TEMP.BAT
C:\WINDOWS\TEMP.BAT
The files called internet.bat are detected as Troj/Wombat-A and will
attempt to shut down the computer with the message "life owner
strikes again". The files called TEMP.BAT are also detected as
Troj/Wombat-A and attempt to rename files with certain extensions in
the same folder as themselves to have the extension bJJ. The file
tweaks.reg is clean and may be deleted.
The file bt<random numbers>.bat then copies the files DELTREE.EXE,
POPUP.EXE, TERMINATE.EXE and wupdmgr.exe to the following locations:
C:\WINDOWS\system32\DELTREE.EXE
C:\WINDOWS\mui\222.exe
C:\WINDOWS\mui\TERMINATE.exe
C:\WINDOWS\system32\wupdmgr.exe
The following registry entries are set to run some of these dropped
files on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MiXed1
C:\WINDOWS\system32\TEMP.BAT
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MiXed2
C:\WINDOWS\system\TEMP.BAT
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MiXed3
C:\WINDOWS\TEMP.BAT
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TWITCH
C:\WINDOWS\mui\internet.bat
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mike3
C:\WINDOWS\mui\222.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TERMINATE
C:\WINDOWS\mui\TERMINATE.exe
Troj/Wombat-A attempts to delete a number of Windows files and
folders from the infected computer.
The file POPUP.EXE displays a message box with the following text:
YOUR COMPUTER HAS BEEN INFECTED WITH A VIRUS
HAVE A NICE DAY :)
The file TERMINATE.EXE attempts to terminate and delete a number of
files related to security and anti-virus applications.
The file wupdmgr.exe attempts to shut down the infected computer with
the message "trying to update your computer, you are a very naughty
boy, now you are going to pay for it".
Troj/Wombat-A sets the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
DisableRegistryTools
1
HKCU\Software\Microsoft\Internet Explorer\Main
Window Title
UNLUCKY
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoCDBurning
1
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
DoNotAllowExceptions
0
HKLM\SYSTEM\CurrentControlSet\Services\ACPI\Parameters
AMLIMaxCTObjs
04 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\ACPI\Parameters
Attributes
70
HKLM\SYSTEM\CurrentControlSet\Services\ACPI\Parameters\WakeUp
FixedEventMask
20 05
HKLM\SYSTEM\CurrentControlSet\Services\ACPI\Parameters\WakeUp
FixedEventStatus
00 84
HKLM\SYSTEM\CurrentControlSet\Services\ACPI\Parameters\WakeUp
GenericEventMask
18 50 00 10
HKLM\SYSTEM\CurrentControlSet\Services\ACPI\Parameters\WakeUp
GenericEventStatus
10 00 ff 00
Name Troj/Mondo-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Drops more malware
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Mondo-B is a Trojan for the Windows platform.
Advanced
Troj/Mondo-B is a Trojan for the Windows platform.
When Troj/Mondo-B is installed it creates the file
<System>\traffic.exe. This file is detected as Troj/Mondo-Gen.
The file traffic.exe is registered as a new system driver service
named "traffic.exe", with a display name of "traffic.exe" and a
startup type of automatic, so that it is started automatically during
system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\traffic.exe\
Name W32/Brontok-BR
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Email-Worm.Win32.Brontok.n
Prevalence (1-5) 2
Description
W32/Brontok-BR is a worm for the Windows platform.
W32/Brontok-BR will also overwrite the HOSTS file so as to prevent
access to various anti-virus and security related websites.
Advanced
W32/Brontok-BR is a worm for the Windows platform.
When first run W32/Brontok-BR copies itself to:
<User>\Local Settings\Application Data\dv6122400x\yesbron.com
<User>\Local Settings\Application Data\jalak-931224015-bali.com
<Windows>\_default32142.pif
<Windows>\j6321422.exe
<Windows>\o4321427.exe
<Windows>\sa13188\ib6108.exe
<System>\c_32142k.com
<System>\n5817\b6108.exe
<System>\n5817\csrss.exe
<System>\n5817\lsass.exe
<System>\n5817\services.exe
<System>\n5817\smss.exe
<System>\n5817\sv711224030r.exe
<System>\n5817\winlogon.exe
and creates the following non-malicious files:
\Baca Bro !!!.txt
<Windows>\Tasks\At1.job
<Windows>\Tasks\At2.job
<System>\n5817\c.bron.tok.txt
These files may be safely deleted.
W32/Brontok-BR may install a new version of the file
<System>\msvbvm60.dll.
The following registry entries are created to run yesbron.com,
_default32142.pif, j6321422.exe and sv711224030r.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
y1959sar
<User>\Local Settings\Application Data\dv6122400x\yesbron.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
A5118r
<Windows>\_default32142.pif
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
y1959sar
<System>\n5817\sv711224030r.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
A5118r
<Windows>\j6321422.exe
The following registry entries are changed to run j6321422.exe and
o4321427.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<Windows>\o4321427.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<Windows>\j6321422.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entry is set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Brontok
Message
Look @ "C:\Baca Bro !!!.txt"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
Registry entries are created under:
HKCU\Software\Brontok\
W32/Brontok-BR will also overwrite the HOSTS file so as to prevent
access to various anti-virus and security related websites.
Name Troj/Cimuz-AX
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Drops more malware
* Installs itself in the Registry
Aliases
* Win32/Spy.BZub
* Trojan-Spy.Win32.BZub.dt
Prevalence (1-5) 2
Description
Troj/Cimuz-AX is a Trojan for the Windows platform.
Troj/Cimuz-AX includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Cimuz-AX is a Trojan for the Windows platform.
Troj/Cimuz-AX includes functionality to access the internet and
communicate with a remote server via HTTP.
When Troj/Cimuz-AX is installed the following files are created:
<Temp>\124622.gif
<Windows system folder>\hook.dll
<Windows system folder>\ipv6monl.dll
<Windows system folder>\msn.exe
The files hook.dll, msn.exe and 124622.gif are detected as
Troj/Cimuz-AW and the file ipv6monl.dll is detected as Troj/Cimuz-AX.
The following registry entry is created to run msn.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN
<Windows system folder>\msn.exe" /INITSERVICE
The file ipv6monl.dll is registered as a COM object and Browser
Helper Object (BHO) for Microsoft Internet Explorer, creating
registry entries under:
HKCR\CLSID\{73364D99-1240-4dff-B11A-67E448373048}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{73364D99-1240-4dff-B11A-67E448373048}
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<Program Files>\Internet Explorer\IEXPLORE.EXE
<Program Files>\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer
Name Troj/BagleDl-BV
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/BagleDl-BV is a downloader Trojan for the Windows platform.
Advanced
Troj/BagleDl-BV is a downloader Trojan for the Windows platform.
Troj/BagleDl-BV includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/BagleDl-BV copies itself to <System>\hldrrr.exe.
The following registry entries are created to run hldrrr.exe on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
hldrrr
<System>\hldrrr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hldrrr
<System>\hldrrr.exe
Registry entries are created under:
HKCU\Software\FirstRRRun\
Name Troj/Dloadr-ANZ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Prevalence (1-5) 2
Description
Troj/Dloadr-ANZ is a downloader Trojan for the Windows platform.
When run, the Trojan creates the file C:\temp1.exe and this file is
detected as Troj/PWS-ACN.
Name W32/Vanebot-P
Type
* Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* W32/Opanki.worm.gen
Prevalence (1-5) 2
Description
W32/Vanebot-P is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Vanebot-P spreads:
- to computers vulnerable to common exploits, including SRVSVC
(MS06-040)
- to MSSQL servers protected by weak passwords
- to network shares
- via MSN Messenger
- via Yahoo Instant Messenger
W32/Vanebot-P runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
Advanced
W32/Vanebot-P is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Vanebot-P spreads:
- to computers vulnerable to common exploits, including SRVSVC
(MS06-040)
- to MSSQL servers protected by weak passwords
- to network shares
- via MSN Messenger
- via Yahoo Instant Messenger
W32/Vanebot-P runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
When first run W32/Vanebot-P copies itself to
<System>\dllcache\svhba.exe.
The file svhba.exe is registered as a new system driver service named
"Microsoft Windows BDA Service", with a display name of "Microsoft
Windows BDA Service" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\Microsoft Windows BDA Service\
W32/Vanebot-P sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates
the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Tilebot-HD
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Aliases
* Backdoor.Win32.SdBot.aad
Prevalence (1-5) 2
Description
W32/Tilebot-HD is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-HD spreads:
- to computers vulnerable to common exploits, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx),
SRVSVC (http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx),
RPC-DCOM (http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx),
WKS (http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
and ASN.1 (http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords
W32/Tilebot-HD runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HD includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Tilebot-HD is a worm and IRC backdoor for the Windows platform.
W32/Tilebot-HD spreads:
- to computers vulnerable to common exploits, including: LSASS
(http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx),
SRVSVC (http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx),
RPC-DCOM (http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx),
WKS (http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx)
and ASN.1 (http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx)
- to MSSQL servers protected by weak passwords
- to network shares protected by weak passwords
W32/Tilebot-HD runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HD includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Tilebot-HD copies itself to <Windows folder>\lsass.exe.
The file lsass.exe is registered as a new system driver service named
"Spool SubSystem App", with a display name of "Spool SubSystem App"
and a startup type of automatic, so that it is started automatically
during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Spool SubSystem App\
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d
Name Troj/Psyme-DD
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Exploit.JS.ADODB.Stream.e
* VBS/Psyme
Prevalence (1-5) 2
Description
Troj/Psyme-DD is an HTML-based downloader Trojan which exploits the
ADODB stream vulnerability associated with Microsoft Internet Explorer
to silently download a file from a remote website to the affected
computer.
Name Troj/WOW-HI
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-PSW.Win32.WOW.jf
Prevalence (1-5) 2
Description
Troj/WOW-HI is a password stealing Trojan for the Windows platform.
Advanced
Troj/WOW-HI is a password stealing Trojan for the Windows platform.
When first run the Trojan copies itself to:
<Common Files>\INTEXPLORE.pif
<Program Files>\Internet Explorer\INTEXPLORE.com
<Windows>\Debug\DebugProgram.exe
<Windows>\exert.exe
<Windows>\lsass.exe
<System>\dxdiag.com
<System>\msconfig.com
<System>\regedit.com
The file INTEXPLORE.com is registered as a COM object, creating
registry entries under:
HKCR\CLSID\(871C5380-42A0-1069-A2EA-08002B30309D)
Troj/WOW-HI changes settings for Microsoft Internet Explorer by
modifying values under:
HKCU\Software\Microsoft\Internet Explorer\Main\
The following registry entry is set:
HKCR\htmlfile\shell\opennew\command
(default)
<Common Files>\INTEXPLORE.pif" %1
Registry entries are created under:
HKCU\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings\
Name Troj/Zapchas-CN
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Drops more malware
* Leaves non-infected files on computer
Aliases
* Backdoor.IRC.Zapchast
* IRC/Zapchast.K
* IRC/Zapchast.H
* IRC/Cloner.AT
Prevalence (1-5) 2
Description
Troj/Zapchas-CN is a mIRC-based backdoor Trojan for the Windows
platform.
Advanced
Troj/Zapchas-CN is a mIRC-based backdoor Trojan for the Windows
platform.
Troj/Zapchas-CN creates the following files in the C:\WINDOWS\system\
folder:
fullname.txt
ident.txt
nicks.txt
aliases.ini
control.ini
mirc.ini
remote.ini
script.ini
servers.ini
users.ini
sup.bat
svchost.exe
mirc.ico
sup.reg
popups.txt
Troj/Zapchas-CN also creates the following folders in the
C:\WINDOWS\system\ folder:
download
logs
sounds
The file svchost.exe is a mIRC application infected with
W32/Parite-B. The file script.ini is also detected as
Troj/Zapchas-CN. The remaining files are clean and may be deleted.
After these files have been installed, svchost.exe is executed,
causing it to connect to a preconfigured IRC server and join a
channel in which a remote attacker can control the infected computer.
Name W32/Looked-AB
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Trojan-PSW.Win32.Delf.qo
* Win32/Viking.AT
* W32/HLLP.Philis.ba
* PE_LOOKED.FY-O
* W32.Looked.P
Prevalence (1-5) 2
Description
W32/Looked-AB is a virus for the Windows platform.
The virus infects EXE files found on the infected computer and
attempts to spread to remote network shares with weak passwords.
When first run the virus copies itself to <Windows>\rundl132.exe and
creates a file <Windows>\Dll.dll, also detected as W32/Looked-AB.
This file attempts to download further executable code.
Advanced
W32/Looked-AB is a virus for the Windows platform.
The virus infects EXE files found on the infected computer and
attempts to spread to remote network shares with weak passwords.
When first run the virus copies itself to <Windows>\rundl132.exe and
creates a file <Windows>\Dll.dll, also detected as W32/Looked-AB.
This file attempts to download further executable code.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
Name Troj/Bdoor-ABH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
Aliases
* Backdoor.Win32.Webdor.an
* BackDoor-CGZ
Prevalence (1-5) 2
Description
Troj/Bdoor-ABH is a Trojan for the Windows platform.
Troj/Bdoor-ABH includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Bdoor-ABH is a Trojan for the Windows platform.
Troj/Bdoor-ABH includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Bdoor-ABH copies itself to <Windows>\msncomm.exe
and creates the following files:
\%CurrentFolder%\dcat.log
<Windows>\wints.ini
The following registry entry is created to run msncomm.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Timer
<Windows>\msncomm.exe /i
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
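The registry changes quoted above for W32/Tilebot-HB, W32/Brontok-BR, W32/Vanebot-P, W32/Tilebot-HD and Troj/Wombat-A can be checked offline against a "reg export" of a suspect machine, which is what the script below does: it parses the .reg file and flags the Winlogon Shell/Userinit hooks, SFCDisable, the Security Center override values, services switched to Start=4 and the registry/Task Manager lockout policies. This is an added example, not Sophos's or the poster's code; the rule set, function names and the sample export are constructed for illustration, with only the key names, value names and default values taken from the entries above.

```python
"""Offline check of a Windows 'reg export' file for the persistence and
security-downgrade settings quoted in the write-ups above (Winlogon
Shell/Userinit, SFCDisable, Security Center overrides, disabled services,
registry/Task Manager lockout). Added example, not Sophos code."""
import re
from typing import Callable, Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]   # UPPER key path -> {UPPER value name: data}

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> RegTree:
    """Parse the subset of the .reg format we need: [key] headers, "name"="string"
    and "name"=dword:hex lines. Other value types are skipped. Hive names are
    shortened (HKEY_LOCAL_MACHINE -> HKLM) and keys/value names upper-cased,
    because the registry itself is case-insensitive."""
    tree: RegTree = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            hive, _, rest = line[1:-1].partition("\\")
            key = f"{HIVES.get(hive, hive)}\\{rest}".upper()
            tree.setdefault(key, {})
            continue
        m = VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name = "(DEFAULT)" if m.group(1) is None else m.group(1).upper()
        data = m.group(2)
        if data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))               # dword:00000004 -> "4"
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
        else:
            continue                                     # hex(...)/binary: not needed
        tree[key][name] = data
    return tree


def _userinit_tampered(data: str) -> bool:
    # Default quoted in the Brontok-BR entry is "<Windows>\System32\userinit.exe,":
    # exactly one program. Any chained second entry is a persistence hook.
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return len(entries) != 1 or not entries[0].lower().endswith("\\userinit.exe")


WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SECURITY_CENTER = r"HKLM\SOFTWARE\Microsoft\Security Center"
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (key, value name, predicate on the data, explanation). Key, service and value
# names come from the entries above; the rule set itself is this example's own.
RULES: List[Tuple[str, str, Callable[[str], bool], str]] = [
    (WINLOGON, "Shell", lambda d: d.strip().lower() != "explorer.exe",
     "Winlogon Shell runs something besides Explorer.exe (as Brontok-BR does)"),
    (WINLOGON, "Userinit", _userinit_tampered,
     "Winlogon Userinit chains an extra program (as Brontok-BR does)"),
    (WINLOGON, "SFCDisable", lambda d: d != "0",
     "Windows File Protection turned off via SFCDisable (as Tilebot-HD does)"),
] + [
    (SECURITY_CENTER, v, lambda d: d == "1", f"Security Center {v} set (as Tilebot-HB does)")
    for v in ("AntiVirusDisableNotify", "AntiVirusOverride", "FirewallDisableNotify",
              "FirewallOverride", "UpdatesDisableNotify")
] + [
    (f"{SERVICES}\\{s}", "Start", lambda d: d == "4", f"{s} service disabled, Start=4")
    for s in ("wscsvc", "wuauserv", "SharedAccess", "RemoteRegistry", "TlntSvr")
] + [
    (POLICIES, v, lambda d: d == "1", f"{v} policy set (as Wombat-A/Brontok-BR do)")
    for v in ("DisableRegistryTools", "DisableTaskMgr")
]


def check_reg_export(text: str) -> List[str]:
    """Return one finding string per rule whose value is present and looks tampered."""
    tree = parse_reg_export(text)
    findings: List[str] = []
    for key, value, looks_bad, why in RULES:
        data = tree.get(key.upper(), {}).get(value.upper())
        if data is not None and looks_bad(data):
            findings.append(f"{why}: {key}\\{value} = {data!r}")
    return findings


# Constructed sample export (not from a real machine): a Brontok-style Shell,
# Tilebot-style SFCDisable/Security Center values and a disabled wscsvc, next to a
# clean Userinit, a benign FirewallDisableNotify=0 and wuauserv at Start=2.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\o4321427.exe\""
"Userinit"="C:\\WINDOWS\\System32\\userinit.exe,"
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
'''

if __name__ == "__main__":
    for finding in check_reg_export(SAMPLE_EXPORT):   # four findings for the sample
        print(finding)
```

Run it as "python check_reg.py" after "reg export HKLM hklm.reg" and reading that file in place of SAMPLE_EXPORT; absent values are not reported, so a clean machine produces no output.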