Text 146, 1941 rader
Skriven 2006-10-22 23:44:00 av KURT WISMER (1:123/140)
Ärende: News, October 22 2006
=============================
[cut-n-paste from sophos.com]
Name Troj/Nebuler-K
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Installs itself in the Registry
Aliases
* Trojan.Win32.Agent.vg
* BackDoor-CVT
Prevalence (1-5) 2
Description
Troj/Nebuler-K is a Trojan for the Windows platform.
Advanced
Troj/Nebuler-K is a Trojan for the Windows platform.
Troj/Nebuler-K gathers details relating to dialup services and sends
collected information to a remote site via HTTP. The Trojan may
inject code into other processes in an attempt to remain hidden.
When Troj/Nebuler-K is installed the following files are created:
<System>\win<xxx>32.dll
Where <xxx> are random letters.
The following registry entries are created to run code exported by
win<xxx>32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
DllName
win<xxx>32.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
Impersonate
0
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\win<xxx>32
Startup
EvtStartup
Registry entries are created under:
HKCR\MezziaCodec.Chl\CLSID\
HKLM\SOFTWARE\Microsoft\MSSMGR\
Name W32/Brontok-BY
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Brontok-BY is a worm for the Windows platform.
Advanced
W32/Brontok-BY is a worm for the Windows platform.
When first run W32/Brontok-BY copies itself to:
<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
\kERe.exe
<Windows>\kERe.exe
<System>\IExplorer.exe
<System>\MrBugs.scr
<System>\shell.exe
and creates the file \Pesan.txt. This file can be safely removed.
The following registry entries are created to run W32/Brontok-BY on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
kERe
<Windows>\kERe.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicesara
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonsara
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
The following registry entries are changed to run W32/Brontok-BY on
startup:
HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<System>\MRBugs.scr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\IExplorer.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\IExplorer.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM, EXE and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr), the command prompt and
system restore:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoViewContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\Shell.exe
HKCR\exefile
(default)
File Folder
Name W32/Brontok-BY
Type
* Worm
How it spreads
* Email attachments
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Sends itself to email addresses found on the infected computer
* Reduces system security
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Brontok-BY is a worm for the Windows platform.
Advanced
W32/Brontok-BY is a worm for the Windows platform.
When first run W32/Brontok-BY copies itself to:
<Startup>\Empty.pif
<User>\Local Settings\Application Data\windows\csrss.exe
<User>\Local Settings\Application Data\windows\lsass.exe
<User>\Local Settings\Application Data\windows\services.exe
<User>\Local Settings\Application Data\windows\smss.exe
<User>\Local Settings\Application Data\windows\winlogon.exe
\kERe.exe
<Windows>\kERe.exe
<System>\IExplorer.exe
<System>\MrBugs.scr
<System>\shell.exe
and creates the file \Pesan.txt. This file can be safely removed.
The following registry entries are created to run W32/Brontok-BY on
startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
kERe
<Windows>\kERe.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Servicesara
<User>\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Logonsara
<User>\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Monitoring
<User>\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS
<User>\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
The following registry entries are changed to run W32/Brontok-BY on
startup:
HKCU\Control Panel\Desktop
SCRNSAVE.EXE
<System>\MRBugs.scr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "<System>\IExplorer.exe"
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\IExplorer.exe
(the default value for this registry entry is
"<Windows>\System32\userinit.exe,").
The following registry entries are set or modified, so that shell.exe
is run when files with extensions of BAT, COM, EXE and PIF are
opened/launched:
HKCR\lnkfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\batfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\comfile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\exefile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
HKCR\piffile\shell\open\command
(default)
<System>\shell.exe" "%1" %*
The following registry entries are set, disabling the registry editor
(regedit), the Windows task manager (taskmgr), the command prompt and
system restore:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableCMD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig
1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoViewContextMenu
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Disabled
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
DisableMSI
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
Debugger
<System>\Shell.exe
HKCR\exefile
(default)
File Folder
Name Troj/Psyme-DH
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Exploits system or software vulnerabilities
Aliases
* Trojan-Downloader.JS.gen
* VBS/Psyme
* HTML/Exploit.IESlice
* EXPL_SSLICE.GEN
Prevalence (1-5) 2
Description
Troj/Psyme-DH is a downloader Trojan for the Windows platform.
Troj/Psyme-DH attempts to download a file to C:\autoexec.exe and
execute the downloaded file.
Name W32/Looked-AI
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Worm.Win32.Viking.an
* Win32/Viking.AZ
* PE_LOOKED.GP
Prevalence (1-5) 2
Description
W32/Looked-AI is a virus for the Windows platform.
W32/Looked-AI includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Looked-AI also may spread through available network shares
Advanced
W32/Looked-AI is a virus for the Windows platform.
W32/Looked-AI includes functionality to access the internet and
communicate with a remote server via HTTP.
W32/Looked-AI also may spread through available network shares.
Upon execution W32/Looked-AI creates the following files:
<Windows>\Dll.dll
<Windows>\Logo1_.exe
<Windows>\rundl132.exe
where Logo1_.exe and rundl132.exe are copies of the virus host, and
Dll.dll is a downloading component of the virus.
These files are also detected as W32/Looked-AI.
The following registry entry is created to run rundl132.exe on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
Registry entries are created under:
HKLM\SOFTWARE\Soft\DownloadWWW\
The virus infects PE EXE files found on the infected computer.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
Name W32/Looked-AJ
Type
* Virus
How it spreads
* Infected files
Affected operating systems
* Windows
Side effects
* Modifies data on the computer
* Drops more malware
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Looked-AJ is a virus for the Windows platform.
Advanced
W32/Looked-AJ is a virus for the Windows platform.
When first run the virus copies itself to <Windows>\rundl132.exe and
creates a file <Windows>\Dll.dll, detected as W32/Looked-AH. This
file attempts to download further executable code.
The virus sets the following registry entry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows>\rundl132.exe
The virus infects EXE files found on the infected computer.
Many files with the name "_desktop.ini" are created, in various
folders on the infected computer. These files are harmless text files.
Name Troj/Xorpix-X
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Trojan-Proxy.Win32.Xorpix.ar
* TROJ_XORPIX.AU
Prevalence (1-5) 2
Description
Troj/Xorpix-X is a proxy Trojan for the Windows platform.
Advanced
Troj/Xorpix-X is a proxy Trojan for the Windows platform.
Troj/Xorpix-X includes functionality to connect to the internet and
communicate with a remote server using HTTP.
Troj/Xorpix-X allows a remote attacker to route internet traffic
through the infected computer.
When first run Troj/Xorpix-X creates the file <Documents and
Settings>\All Users\Documents\Settings\winsys2freg.dll. This file is
also detected as Troj/Xorpix-X.
The Trojan also creates the following file <Documents and
Settings>\All Users\Documents\Settings\Desktop.ini.
This file may be safely deleted.
Registry entries are created under the following in order to run code
exported by winsys2freg.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\winsys2freg\
Troj/Xorpix-X stops and removes the "SharedAccess" and "wscsvc"
services, affecting system security.
Name Troj/Redplut-B
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Redplut-B is a Trojan for the Windows platform.
Advanced
Troj/Redplut-B is a Trojan for the Windows platform.
Troj/Redplut-B copies itself to the following locations:
<System>\servlogon.exe
<System>\smhost.exe
Troj/Redplut-B sets the following registry entries:
HKCU\SOFTWARE\Microsoft\Command Processor
AutoRun
echo off|<System>\servlogon.exe|cls
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RPCall_<ComputerName>
<System>\smhost.exe /register
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemFileProtection
ShowPopups
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RPCall_<ComputerName>
<System>\smhost.exe /register
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run
System handler
<System>\servlogon.exe /register
Troj/Redplut-B may also modify the following registy entries as shown:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows
load
<System>\smhost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <system>\smhost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
<system>\smhost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<system>\userinit.exe,<System>\servlogon.exe,
Name Troj/VB-CRJ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Reduces system security
* Installs itself in the Registry
Aliases
* Trojan.Win32.VB.amm
* Win32/VB.AMM
* Generic VB.b
* TROJ_VB.BLD
Prevalence (1-5) 2
Description
Troj/VB-CRJ is a Trojan for the Windows platform.
Advanced
Troj/VB-CRJ is a Trojan for the Windows platform.
When first run Troj/VB-CRJ copies itself to:
<User>\My Documents\dlhost.exe
<Windows>\lodctr32.exe
<System>\note.exe
and creates the file <User>\My Documents\about.html.
The following registry entry is changed to run lodctr32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe lodctr32.exe
(the default value for this registry entry is "Explorer.exe" which
causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
The following registry entry is set or modified, so that note.exe is
run when files with extensions of TXT are opened/launched:
HKCR\txtfile\shell\open\command
(default)
<System>\NOTE.EXE %1
The following registry entries are set, disabling the registry editor
(regedit):
HKCU\Software\Microsoft\Windows\CurrentVersion\
Group Policy Objects\LocalUser\Software\Microsoft\Windows\
CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
Group Policy Objects\LocalUser\Software\Microsoft\Windows\
CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools
1
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoFind
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
NoRun
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ClassicViewState
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DisableCAD
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ClassicViewState
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization
.BoRaX.BoRaX.BoRaX.BoRaX.BoRaX.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
.BoRaX.BoRaX.BoRaX.BoRaX.BoRaX.
HKCR\Directory\DefaultIcon
(default)
<Windows>\lodctr32.exe
HKCR\Folder\DefaultIcon
(default)
<Windows>\lodctr32.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center\
Name W32/Looked-AK
Type
* Virus
How it spreads
* Network shares
* Infected files
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Leaves non-infected files on computer
Aliases
* Worm.Win32.Viking.bb
* W32/HLLP.Philis.bd
* W32/HLLP.Philis.dll
* Win32/Viking.BM
Prevalence (1-5) 2
Description
W32/Looked-AK is a worm and prepending virus for the Windows platform.
W32/Looked-AK spreads via file sharing on P2P networks.
Advanced
W32/Looked-AK is a worm and prepending virus for the Windows platform.
W32/Looked-AK spreads via file sharing on P2P networks.
W32/Looked-AK runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-AK includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run W32/Looked-AK copies itself to \windows\rundl132.exe.
The worm changes the following registry entry in order to be run
automatically on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
<Windows>\rundl132.exe
Name Troj/Mdrop-BLO
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
Troj/Mdrop-BLO is a Trojan for the Windows platform.
Troj/Mdrop-BLO will appear to be a legitimate winrar installation
program, which it does install but will also silenty install the
potentially unwanted application "Ardamax Keylogger".
Advanced
Troj/Mdrop-BLO is a Trojan for the Windows platform.
Troj/Mdrop-BLO will appear to be a legitimate winrar installation
program, which it does install but will also silenty install the
potentially unwanted application "Ardamax Keylogger".
When Troj/Mdrop-BLO is installed the following files are created:
<Temp>\wrar361.exe - detected as Troj/Mdrop-BLO
<System>\Sys\Explorer.001
<System>\Sys\Explorer.002
<System>\Sys\Explorer.006
<System>\Sys\Explorer.007
<System>\Sys\Explorer.exe
The files created within the <System>\Sys folder are detected as the
potentially unwanted application "Ardamax Keylogger".
Name Troj/Spammit-H
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Steals information
* Forges the sender's email address
* Uses its own emailing engine
* Installs itself in the Registry
* Enables remote access
Aliases
* SpamTool.Win32.Delf.m
Prevalence (1-5) 2
Description
Troj/Spammit-H is a Trojan for the Windows platform.
Advanced
Troj/Spammit-H is a Trojan for the Windows platform.
Troj/Spammit-H includes functionality to:
- access the internet and communicate with a remote server via HTTP
- send notification messages to remote locations
When first run Troj/Spammit-H copies itself to:
<Windows>\Media\Call32.exe
<System>\Outlook Express.exe
and creates the following files:
\win.ini
<Windows>\netaps2.txt
<System>\ftpd.dll
The following registry entries are created to run Call32.exe and
Outlook Express.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Outlook
<System>\Outlook Express.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Call32
<Windows>\MEDIA\Call32.exe
Name Troj/Clagger-AG
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* Downloader-AAP
Prevalence (1-5) 2
Description
Troj/Clagger-AG is a Trojan for the Windows platform.
Troj/Clagger-AG attempts to download further executable code.
The Trojan may arrive as an attachment to spam email messages.
When first run the Trojan displays the following fake error message:
Acrobat 6 - Error "Warning" 20225
Advanced
Troj/Clagger-AG is a Trojan for the Windows platform.
Troj/Clagger-AG attempts to download further executable code.
The Trojan may arrive as an attachment to spam email messages.
When first run the Trojan displays the following fake error message:
Acrobat 6 - Error "Warning" 20225
The Trojan copies itself to <System>\ipf.exe and creates the
following registry entry in order to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ifp
<System>\ipf.exe
The Trojan drops a file <System>\drivers\winut.dat. This is a
harmless text file.
The following registry entry is also created:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
windowsshell
1
Name Troj/Bagle-QQ
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Installs itself in the Registry
* Dropped by malware
* Leaves non-infected files on computer
Aliases
* NTRootKit-W
* Win32/Bagle.GY
Prevalence (1-5) 2
Description
Troj/Bagle-QQ is a Trojan for the Windows platform.
Advanced
Troj/Bagle-QQ is a Trojan for the Windows platform.
Troj/Bagle-QQ is usually dropped by variant of the W32/Bagle worm to
the following location:
<Current user>\Application Data\hidn\m_hook.sys.
The file m_hook.sys is registered as a new system driver service
named "m_hook", with a display name of "Empty". Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\m_hook\
Troj/Bagle-QQ is used to stealth a dropper from certain processes.
Name W32/Stratio-AW
Type
* Worm
How it spreads
* Email attachments
* Web downloads
Affected operating systems
* Windows
Side effects
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
W32/Stratio-AW is a worm for the Windows platform.
When run the worm will attempt to copy itself to <Windows>\serv.exe
and download
components from a remote website which it will then run.
Advanced
W32/Stratio-AW is a worm for the Windows platform.
When run the worm will attempt to copy itself to <Windows>\serv.exe
and download
components from a remote website which it will then run.
W32/Stratio-AW creates the following files:
<Windows>\serrv.wax(Can be removed safely)
<System>\e1.dll
<System>\<random>.exe(Detected as W32/Stratio-AW)
The following registry entry is created to run the worm on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
serrv
<Windows>\serrv.exe s
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
e1.dll
The emails may have the following subject line:
Mail server report.
Server Report
test
Error
hello
picture
Mail Transaction Failed
Status
Mail Delivery System
Good day
The message body may have the following text:
Mail server report.
Our firewall determined the e-mails containing worm copies are being
sent from your computer.
Nowadays it happens from many computers, because this is a new virus
type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer
unnoticeably.
After the penetrating into the computer the virus harvests all the
e-mail addresses and sends the copies of itself to these e-mail
addresses
Please install updates for worm elimination and your computer
restoring.
Best regards,
Customers support service
The message contains Unicode characters and has been sent
as a binary attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
The attachments may have the following filenames with the extensions
of .zip, .cmd, .exe, .pif, .bat, .elm, .pdf:
Update-KB<random 4 numbers>-x86
body
data
docs
file
docs
body
message
test
document
test
test
file
readme
Name Troj/Haxdoor-DI
Type
* Spyware Trojan
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Installs itself in the Registry
Aliases
* Trojan-Spy.Win32.Haxspy.ax
* Win32/Spy.Goldun.HP
Prevalence (1-5) 2
Description
Troj/Haxdoor-DI is a backdoor Trojan for the Windows platform.
Troj/Haxdoor-DI includes functionality to:
- stealth its files, processes and registry entries
- inject its code into other processes
Advanced
Troj/Haxdoor-DI is a backdoor Trojan for the Windows platform.
Troj/Haxdoor-DI includes functionality to:
- stealth its files, processes and registry entries
- inject its code into other processes
When Troj/Haxdoor-DI is installed the following files are created:
<System>\arprmdg0.dll
<System>\arprmdg5.sys
<System>\ksl48.bin
The following registry entries are created to run code exported by
arprmdg0.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\arprmdg0
DllName
arprmdg0.dll
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\arprmdg0
Startup
arprmdg0
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\arprmdg0
Impersonate
1
Name W32/Tilebot-HN
Type
* Spyware Worm
How it spreads
* Network shares
* Chat programs
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Steals information
* Downloads code from the internet
* Reduces system security
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Used in DOS attacks
* Scans network for weak passwords
* Scans network for open ports
Aliases
* Backdoor.Win32.SdBot.aad
* PAK_Generic.001
Prevalence (1-5) 2
Description
W32/Tilebot-HN is a worm for the Windows platform.
W32/Tilebot-HN spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm
may also spreads via network shares protected by weak passwords.
W32/Tilebot-HN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HN includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- set or remove network shares
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
Advanced
W32/Tilebot-HN is a worm for the Windows platform.
W32/Tilebot-HN spreads to other network computers by exploiting
common buffer overflow vulnerabilities, including: LSASS (MS04-011),
RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007). The worm
may also spreads via network shares protected by weak passwords.
W32/Tilebot-HN runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer via IRC channels.
W32/Tilebot-HN includes functionality to:
- set up an FTP server
- set up a proxy server
- spread via AOL Instant Messager by sending messages automatically
- set or remove network shares
- port scanning
- packet sniffing
- start a remote shell (RLOGIN)
- access the internet and communicate with a remote server via HTTP
- harvest information from clipboard
- take part in Distributed Denial of Service (DDoS) attacks
When first run W32/Tilebot-HN copies itself to <System>\lsiss.exe.
The file lsiss.exe is registered as a new system driver service named
"System Restore Services", with a display name of "System Restore
Services" and a startup type of automatic, so that it is started
automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\System Restore Services\
W32/Tilebot-HN sets the following registry entries, disabling the
automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\Messenger
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
4
Additional registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareServer
0
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks
0
HKLM\SYSTEM\CurrentControlSet\Control\
WaitToKillServiceTimeout
7000
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
Name W32/Stratio-AY
Type
* Worm
How it spreads
* Email attachments
* Web downloads
Affected operating systems
* Windows
Side effects
* Turns off anti-virus applications
* Allows others to access the computer
* Sends itself to email addresses found on the infected computer
* Forges the sender's email address
* Uses its own emailing engine
* Downloads code from the internet
* Installs itself in the Registry
* Leaves non-infected files on computer
Prevalence (1-5) 2
Description
W32/Stratio-AY is a mass-mailing worm for the Windows platform.
When run the worm will attempt to download components from a remote
website which it will then run.
Advanced
W32/Stratio-AY is a mass-mailing worm for the Windows platform.
When run the worm will attempt to download components from a remote
website which it will then run.
W32/Stratio-AY creates the following files:
<Windows>\sserrvv.wax(Can be removed safely)
<System>\e1.dll
<Windows>\sserrvv.exe
The following registry entry is created to run the worm on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sserrvv
<Windows>\sserrvv.exe s
The following registry entry is set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
e1.dll
The emails may have the following subject line:
Mail server report.
Server Report
test
Error
hello
picture
Mail Transaction Failed
Status
Mail Delivery System
Good day
The message body may have the following text:
Mail server report.
Our firewall determined the e-mails containing worm copies are being
sent from your computer.
Nowadays it happens from many computers, because this is a new virus
type (Network Worms).
Using the new bug in the Windows, these viruses infect the computer
unnoticeably.
After the penetrating into the computer the virus harvests all the
e-mail addresses and sends the copies of itself to these e-mail
addresses
Please install updates for worm elimination and your computer
restoring.
Best regards,
Customers support service
The message contains Unicode characters and has been sent
as a binary attachment.
Mail transaction failed. Partial message is available.
The message cannot be represented in 7-bit ASCII encoding and has
been sent as a binary attachment.
The attachments may have the following filenames with the extensions
of .zip, .cmd, .exe, .pif, .bat, .elm, .pdf:
Update-KB<random 4 numbers>-x86
body
data
docs
file
docs
body
message
test
document
test
test
file
readme
Name Troj/BankDl-BK
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Trojan-Downloader.Win32.Banload.adw
Prevalence (1-5) 2
Description
Troj/BankDl-BK ia an downloader Trojan for the Windows platform.
Troj/BankDl-BK includes functionality to access the internet and
communicate with a remote server via HTTP.
The downloaded file was detected as Mal/DelpBanc-A.
Name W32/Tilebot-HO
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
Prevalence (1-5) 2
Description
W32/Tilebot-HO is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-HO attempts to spread by copying itself to remote network
shares or by exploiting any of the following vulnerabilities: SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812),
ASN.1 (MS04-007).
Advanced
W32/Tilebot-HO is a worm and IRC backdoor Trojan for the Windows
platform.
W32/Tilebot-HO attempts to spread by copying itself to remote network
shares or by exploiting any of the following vulnerabilities: SRVSVC
(MS06-040), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812),
ASN.1 (MS04-007).
When first run W32/Tilebot-HO copies itself to <System>\cpstorage.exe
and creates the file <Temp>\sysremove.bat.
The file cpstorage.exe is registered as a new system driver service
named "CryptProtectedService", with a display name of "Cryptic
Protected Storage" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are
created under:
HKLM\SYSTEM\CurrentControlSet\Services\CryptProtectedService\
Name W32/Looked-AL
Type
* Virus
How it spreads
* Network shares
* Infected files
* Peer-to-peer
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
Aliases
* Worm.Win32.Viking.ax
* W32/HLLP.Philis.dll
* Win32/Viking.BC
Prevalence (1-5) 2
Description
W32/Looked-AL is a worm and prepending virus for the Windows platform.
W32/Looked-AL spreads via file sharing on P2P networks.
W32/Looked-AL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-AL includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
W32/Looked-AL is a worm and prepending virus for the Windows platform.
W32/Looked-AL spreads via file sharing on P2P networks.
W32/Looked-AL runs continuously in the background, providing a
backdoor server which allows a remote intruder to gain access and
control over the computer.
W32/Looked-AL includes functionality to access the internet and
communicate with a remote server via HTTP.
When W32/Looked-AL is installed the following files are created:
<Windows>\Logo1_.exe
<Windows>\rundl132.exe
Both of these are detected as W32/Looked-AL.
The worm changes the following registry entry in order to be run
automatically on startup:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load
C:\WINDOWS\rundl132.exe
Name W32/Rbot-FSK
Type
* Worm
How it spreads
* Network shares
Affected operating systems
* Windows
Side effects
* Allows others to access the computer
* Installs itself in the Registry
* Exploits system or software vulnerabilities
* Enables remote access
Aliases
* Backdoor.Win32.EggDrop.v
Prevalence (1-5) 2
Description
W32/Rbot-E is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-E spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and
ASN.1 (MS04-007).
W32/Rbot-E runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
Advanced
W32/Rbot-E is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-E spreads to other network computers by exploiting common
buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012) and
ASN.1 (MS04-007).
W32/Rbot-E runs continuously in the background, providing a backdoor
server which allows a remote intruder to gain access and control over
the computer via IRC channels.
When first run W32/Rbot-E copies itself to <Windows>\SystemDebug.exe.
The following registry entries are created to run SystemDebug.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Debugger
SystemDebug.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Debugger
SystemDebug.exe
The following registry entry is set:
HKCU\Software\Microsoft\OLE
System Debugger
SystemDebug.exe
Name W32/Stration-BC
Type
* Worm
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
Aliases
* Email-Worm.Win32.Warezov.do
* TROJ_STRAT.DR
Prevalence (1-5) 2
Description
W32/Stration-BC is a worm for the Windows platform.
W32/Stration-BC includes functionality to download, install and run
new software.
Name W32/Bagle-QR
Type
* Worm
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Aliases
* IM-Worm.Win32.Qucan.b
Prevalence (1-5) 2
Description
W32/Bagle-QR is a worm for the Windows platform.
W32/Bagle-QR includes functionality to download, install and run new
software.
Advanced
W32/Bagle-QR is a worm for the Windows platform.
W32/Bagle-QR includes functionality to download, install and run new
software.
W32/Bagle-QR changes the Start Page for Microsoft Internet Explorer
by setting the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
The following registry entries are set, disabling the registry editor
(regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
The following registry entry is set:
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage
1
Registry entries are created under:
HKCU\Software\Yahoo\Pager\View\YMSGR_Launchcast\
HKCU\Software\Yahoo\Pager\View\YMSGR_buzz\
Name Troj/Sufia-A
Type
* Trojan
Affected operating systems
* Windows
Side effects
* Downloads code from the internet
* Installs itself in the Registry
Prevalence (1-5) 2
Description
Troj/Sufia-A is a Trojan for the Windows platform.
Troj/Sufia-A includes functionality to access the internet and
communicate with a remote server via HTTP.
Advanced
Troj/Sufia-A is a Trojan for the Windows platform.
Troj/Sufia-A includes functionality to access the internet and
communicate with a remote server via HTTP.
When first run Troj/Sufia-A copies itself to:
<Windows>\csrss.exe
<Windows>\smss.exe
<System>\explorer.exe
The following registry entries are created to run Troj/Sufia-A on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001
ClientServerRuntimeProcess
<Windows>\csrss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0002
ClientServerRuntimeProcess
<Windows>\smss.exe
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
|